20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline…which sometimes has a seat at the table. This talk explores what we’re doing wrong, why it’s ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!
This document discusses unintended consequences that can arise from new technologies. It notes that unintended consequences occur because of ignorance of potential effects, errors in problem analysis, focus on immediate interests over long-term impacts, and values that require or prohibit certain actions. The document provides examples of recent technologies that led to unintended consequences, such as social media increasing isolation. It considers potential unintended consequences of autonomous vehicles, such as increased vehicle miles leading to more accidents overall. The document urges considering how changes might cause further changes, being careful with large-scale projects, mapping out impacted systems, and expecting surprises.
What is in your Organizational DNA?
1. There are only a few organizational personality TYPES (even though each organization is unique).
2. Companies are mosaics of personalities (AND so are teams ;-).
3. High performance can’t be isolated (Think collaboration and teamwork – organization-wide).
Integrating Stage Gate with Product Development Models and the CMMI WB v2.2Tim Kasse
The document discusses various product development lifecycle models and how they relate to stage gate processes. It provides high-level definitions and diagrams of common models including waterfall, V-model, incremental development, spiral development, and evolutionary development. It also summarizes typical models used for smaller, less complex, or safety critical projects such as agile software development, prototyping, and concurrent engineering lifecycles. Contact information is provided for Tim Kasse, the principal consultant.
This document discusses systems archetypes, which are generic systems structures that represent common patterns of behavior. It provides examples of five archetypes - shifting the burden, fixes that fail, tragedy of the commons, limits to growth, and shifting the burden. It then shows how these archetypes can be applied to different aspects of tourism development and management on Cat Ba Island, Vietnam. The document concludes by encouraging students to study additional archetypes and provide their own examples.
The document summarizes key findings from the OECD's Innovation Strategy report. It finds that innovation involves interactions across an entire system beyond just R&D. Countries need strategies that link different elements like education, infrastructure, markets, and collaboration. New players like emerging economies and young firms are contributing more to innovation. Innovation is already a major economic driver and investment, responsible for much of productivity growth. Countries are encouraged to continue supporting innovation to address challenges and fuel long-term growth.
This document discusses three dimensions of foresight: difference, depth, and diversity.
Difference refers to the idea that the future context will not be the same as the present. Depth emphasizes experiencing hypothetical futures viscerally. Diversity acknowledges that there are multiple possible futures rather than a single future. Examples like experiential scenarios and games aim to illustrate these dimensions and help people navigate change. Foresight practices incorporating difference, depth and diversity can help design preferable alternatives and make wise choices.
This document outlines an agenda for a hands-on workshop on systemic design. The workshop will introduce participants to the systemic design toolkit and have them work through cases. It will include presentations on systemic design and the toolkit, identifying leverage points in a food waste system case, developing intervention strategies, and creating generic and contextual intervention models. Participants will present their models and discuss how the toolkit and approach could be applied and improved. The goal is to help participants solve complex challenges using a solution-oriented systemic design process.
This document discusses unintended consequences that can arise from new technologies. It notes that unintended consequences occur because of ignorance of potential effects, errors in problem analysis, focus on immediate interests over long-term impacts, and values that require or prohibit certain actions. The document provides examples of recent technologies that led to unintended consequences, such as social media increasing isolation. It considers potential unintended consequences of autonomous vehicles, such as increased vehicle miles leading to more accidents overall. The document urges considering how changes might cause further changes, being careful with large-scale projects, mapping out impacted systems, and expecting surprises.
What is in your Organizational DNA?
1. There are only a few organizational personality TYPES (even though each organization is unique).
2. Companies are mosaics of personalities (AND so are teams ;-).
3. High performance can’t be isolated (Think collaboration and teamwork – organization-wide).
Integrating Stage Gate with Product Development Models and the CMMI WB v2.2Tim Kasse
The document discusses various product development lifecycle models and how they relate to stage gate processes. It provides high-level definitions and diagrams of common models including waterfall, V-model, incremental development, spiral development, and evolutionary development. It also summarizes typical models used for smaller, less complex, or safety critical projects such as agile software development, prototyping, and concurrent engineering lifecycles. Contact information is provided for Tim Kasse, the principal consultant.
This document discusses systems archetypes, which are generic systems structures that represent common patterns of behavior. It provides examples of five archetypes - shifting the burden, fixes that fail, tragedy of the commons, limits to growth, and shifting the burden. It then shows how these archetypes can be applied to different aspects of tourism development and management on Cat Ba Island, Vietnam. The document concludes by encouraging students to study additional archetypes and provide their own examples.
The document summarizes key findings from the OECD's Innovation Strategy report. It finds that innovation involves interactions across an entire system beyond just R&D. Countries need strategies that link different elements like education, infrastructure, markets, and collaboration. New players like emerging economies and young firms are contributing more to innovation. Innovation is already a major economic driver and investment, responsible for much of productivity growth. Countries are encouraged to continue supporting innovation to address challenges and fuel long-term growth.
This document discusses three dimensions of foresight: difference, depth, and diversity.
Difference refers to the idea that the future context will not be the same as the present. Depth emphasizes experiencing hypothetical futures viscerally. Diversity acknowledges that there are multiple possible futures rather than a single future. Examples like experiential scenarios and games aim to illustrate these dimensions and help people navigate change. Foresight practices incorporating difference, depth and diversity can help design preferable alternatives and make wise choices.
This document outlines an agenda for a hands-on workshop on systemic design. The workshop will introduce participants to the systemic design toolkit and have them work through cases. It will include presentations on systemic design and the toolkit, identifying leverage points in a food waste system case, developing intervention strategies, and creating generic and contextual intervention models. Participants will present their models and discuss how the toolkit and approach could be applied and improved. The goal is to help participants solve complex challenges using a solution-oriented systemic design process.
The document discusses the concepts of disruptive innovation and how industries are resistant to change. It provides examples throughout history where new technologies were dismissed but later disrupted industries. The document introduces the concepts of sustaining versus disruptive innovation and how disruptors can take market share by targeting customer needs in a new way. Finally, it discusses how to identify disruption opportunities using tools like the strategy canvas and blue ocean strategy, noting that the best ideas for disruption often seem stupid at first.
This document introduces Systematic Inventive Thinking (SIT), a method for structured innovation. It discusses limitations of traditional brainstorming and how SIT addresses issues like cognitive fixedness. SIT tools like division, functional fixedness, and contradiction are presented to help break mental blocks. Examples demonstrate how applying these principles to existing components in a "closed world" can generate new ideas and functions. The goal is to teach that creativity can be learned and applied systematically to produce breakthrough results.
CHAT-GPT Prompts for Grant Writing, Fundraising, and Marketing.pdfTechSoup
In this webinar, nonprofits learned how ChatGPT can revolutionize your grant writing, fundraising, and marketing endeavors. From understanding the AI’s capabilities to crafting compelling grant applications, this webinar offers a comprehensive look at cutting-edge techniques.
The document discusses the differences between creativity and innovation, as well as project and portfolio management. It outlines nine basic steps for innovation, from problem identification to implementation. It then presents the innovation project portfolio concept, which involves defining a portfolio, developing a strategy, ensuring the right blend and balance of projects, and engaging leadership. The key points are that innovation requires managing tasks and resources like projects, and that combining project management skills with idea generation can increase innovative success.
System Thinking: Design Tools to Drive Innovation Processes Roberta Tassi
The document describes Roberta Tassi's work as a designer who uses system thinking and design tools to drive innovation processes. It provides examples of how she uses tools like user research, participatory design, and visual frameworks to understand problems, collaborate with stakeholders, and translate insights. The goal of her work is to develop systemic solutions through human-centered design processes. She believes design tools have potential to accelerate innovation when dealing with complex services involving many actors and channels.
Towards a Systemic Design Toolkit: A Practical Workshop - #RSD5 Workshop, Tor...Koen Peters
Namahn (BE), a human-centred design agency, and shiftN (BE), a futures and systems thinking studio from Brussels, are developing a Systemic Design Toolkit combining the methodologies of both practices. The toolkit is currently piloted with the EU Policy Lab of the European Commission’s Joint Research Centre. The toolkit is structured as a suite of discrete thinking-and-doing instruments, to be applied selectively, sequentially and iteratively. The purpose of this toolkit is to enable co-analyses of complex challenges and co-creation of systemic solutions mode with users and other stakeholders This workshop aims to exchange insights between participants and facilitators in a hands-on, case-based format.
Workshop presenters are: Philippe Vandenbroeck, Kristel Van Ael, Clementina Gentile (@clementina_g) and Koen Peters (@2pk_koen)
This document discusses critically appraised topics (CATs) and rapid evidence assessments (REAs) as tools for evidence-based practice in management. It provides an overview of what CATs and REAs are, which are shorter versions of systematic literature reviews. The document outlines the core principles of CATs, REAs, and systematic reviews, including being systematic, transparent, replicable, and synthesizing evidence. It also discusses how to structure a CAT and provides examples of CAT topics. Finally, it discusses how CATs and REAs can be used to inform decision making by considering practitioners' expertise, organizational data, scientific literature, and stakeholder values when identifying problems and solutions.
This document discusses Systematic Inventive Thinking (SIT), a methodology for creativity, innovation, and problem solving derived from TRIZ. SIT uses thinking tools to stimulate ideas, including removing components, assigning new tasks, multiplying components, dividing/rearranging components, and changing relationships. The document provides examples of SIT tools used by cosmetics company AHAVA in developing new products like a body exfoliator that uses body moisture and a mud mask that becomes a skin peel. It compares AHAVA's successful use of SIT to another company's unsuccessful application, showing how organizational factors impact whether ideas reach the market.
Inside The Box Thinking (Thanks to Drew Boyd for his wonderful coaching and g...Deepak Soni
Thanks to Drew Boyd - A global leader in creativity and innovation, teaches us how he learned about Systematic Inventive Thinking and why he feels S.I.T. is the only innovation method that produces breakthrough results for individuals, corporations and governments.
I am really appreciating him and this ppt is made out of his teaching and book i gone through
Innomantra - The Functional Innovation MethodologyInnomantra
The Functional Innovation Methodology
The Functional Innovation is an integrated approach to creative ideation and problem solving which incorporates aspects from several well-known ideation and problem solving techniques. FI developed out of a research study that involved analyzing 30,000+ recent innovations and 10,000+ highly cited patents in order to identify common patterns and develop useful heuristics.
In the 1960s, Swiss Physicist Fritz Zwicky developed the method of ‘Morphological Analysis’ for complex problems. Around the same time, Soviet Scientist Genrich Altshuller formulated a method for systematic problem solving after reviewing more than 40,000 patent abstracts. FI methodology includes elements derived from these two approaches. It has also been influenced by the ‘Design Thinking' process introduced by Herbert Simon and the ‘Creative Problem Solving’ method pioneered by Alex Osborn.
The Functional Innovation™ Methodology is customized to the products, process and business model that will enable participants to systematically generate ideas towards achieving innovation objectives identified by the client organization.
Innovation can be learned – with the most effective creativity methodology out there: SIT.
'Ideen finden' kann man lernen - Systematic Inventive Thinking
For more information and case studies, please visit: www.bold.group
In an increasingly competitive market, we believe that businesses will no longer be able to rely on external partners alone to drive innovation. By bringing design capabilities in-house, brands will have the ability to respond rapidly to a world changing around them, adapting constantly to remain fresh and bring relevant innovation to market – becoming what we call a ‘Living Business’.
Our ‘Design from Within’ report describes three distinct approaches businesses can take in order to design and innovate internally. Each approach shares common goals - such as creating a culture which inspires creativity, and enabling the business to scale ideas from the drawing board to the marketplace –but the models differ according to the extent of a company’s involvement in them.
This document discusses using storytelling as a tool for systems design. It argues that storytelling can help communicate complex, intangible system data by embedding context, perspectives, and interconnections. Storytelling stimulates interpretation of complexity, unlocks imagination, and fosters collaboration across disciplines. The document introduces the concept of "systemic storytelling" using parallel, intersecting storylines to represent a system. It provides examples of using roleplaying and visual story maps to understand collaboration dynamics within an organization and communicate sustainability transformations. The conclusion states that systemic storytelling can help gather system data, facilitate understanding of perspectives, represent complex systems, and ideate on future states, but more validation and practical tools are needed.
This document provides an overview of Systematic Inventive Thinking (SIT), an innovation methodology developed by SIT, a privately owned innovation company. SIT uses a set of unique thinking tools and principles to systematically generate ideas and helps companies integrate innovation into their organizational culture and processes. The methodology includes five thinking tools, principles for applying the tools effectively, facilitation skills for group work, project management processes, and organizational structures to sustain a culture of innovation. Over 850 companies in more than 60 countries have used SIT to achieve their innovation goals.
The document discusses Geoffrey Moore's book "Crossing the Chasm". The book focuses on 3 main themes: 1) the technology adoption life cycle, 2) the problem of crossing the chasm between early adopters and the early majority, and 3) solutions for how to cross the chasm. It also discusses the different customer types along the adoption curve and strategies for targeting customers, assembling resources, positioning products, and launching attacks to help cross the chasm from early adopters to the early majority.
Socialization of new members (chapter 8)HelvieMason
The document discusses organizational socialization and how it is an interactive process where both the individual and organization influence each other. It defines organizational socialization as the process by which an individual acquires the social knowledge and skills necessary to assume an organizational role. A successful socialization process can lead to outcomes like loyalty and a sense of congruency between one's own values and the organization's values. The key phases of socialization are anticipatory socialization, encounter, and metamorphosis. Throughout, both the individual and organization engage in active agency that shapes the socialization experience.
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!
Red vs. Blue Why we’ve been getting it wrong for 25 yearsEC-Council
Regarded as one of the world’s foremost experts on counter threat intelligence within the Information security industry, Chris Roberts constructs and directs a portfolio of defense services designed to improve the physical and digital security posture of both enterprise and government clients. With increasingly sophisticated attacks on targets of opportunity, Roberts’ unique methods of addressing the evolving threat matrix and experience with all information systems make him an indispensable partner to clients and industries that demand protection of financials, intellectual property, customer data and other protected information from attack.
The document discusses the concepts of disruptive innovation and how industries are resistant to change. It provides examples throughout history where new technologies were dismissed but later disrupted industries. The document introduces the concepts of sustaining versus disruptive innovation and how disruptors can take market share by targeting customer needs in a new way. Finally, it discusses how to identify disruption opportunities using tools like the strategy canvas and blue ocean strategy, noting that the best ideas for disruption often seem stupid at first.
This document introduces Systematic Inventive Thinking (SIT), a method for structured innovation. It discusses limitations of traditional brainstorming and how SIT addresses issues like cognitive fixedness. SIT tools like division, functional fixedness, and contradiction are presented to help break mental blocks. Examples demonstrate how applying these principles to existing components in a "closed world" can generate new ideas and functions. The goal is to teach that creativity can be learned and applied systematically to produce breakthrough results.
CHAT-GPT Prompts for Grant Writing, Fundraising, and Marketing.pdfTechSoup
In this webinar, nonprofits learned how ChatGPT can revolutionize your grant writing, fundraising, and marketing endeavors. From understanding the AI’s capabilities to crafting compelling grant applications, this webinar offers a comprehensive look at cutting-edge techniques.
The document discusses the differences between creativity and innovation, as well as project and portfolio management. It outlines nine basic steps for innovation, from problem identification to implementation. It then presents the innovation project portfolio concept, which involves defining a portfolio, developing a strategy, ensuring the right blend and balance of projects, and engaging leadership. The key points are that innovation requires managing tasks and resources like projects, and that combining project management skills with idea generation can increase innovative success.
System Thinking: Design Tools to Drive Innovation Processes Roberta Tassi
The document describes Roberta Tassi's work as a designer who uses system thinking and design tools to drive innovation processes. It provides examples of how she uses tools like user research, participatory design, and visual frameworks to understand problems, collaborate with stakeholders, and translate insights. The goal of her work is to develop systemic solutions through human-centered design processes. She believes design tools have potential to accelerate innovation when dealing with complex services involving many actors and channels.
Towards a Systemic Design Toolkit: A Practical Workshop - #RSD5 Workshop, Tor...Koen Peters
Namahn (BE), a human-centred design agency, and shiftN (BE), a futures and systems thinking studio from Brussels, are developing a Systemic Design Toolkit combining the methodologies of both practices. The toolkit is currently piloted with the EU Policy Lab of the European Commission’s Joint Research Centre. The toolkit is structured as a suite of discrete thinking-and-doing instruments, to be applied selectively, sequentially and iteratively. The purpose of this toolkit is to enable co-analyses of complex challenges and co-creation of systemic solutions mode with users and other stakeholders This workshop aims to exchange insights between participants and facilitators in a hands-on, case-based format.
Workshop presenters are: Philippe Vandenbroeck, Kristel Van Ael, Clementina Gentile (@clementina_g) and Koen Peters (@2pk_koen)
This document discusses critically appraised topics (CATs) and rapid evidence assessments (REAs) as tools for evidence-based practice in management. It provides an overview of what CATs and REAs are, which are shorter versions of systematic literature reviews. The document outlines the core principles of CATs, REAs, and systematic reviews, including being systematic, transparent, replicable, and synthesizing evidence. It also discusses how to structure a CAT and provides examples of CAT topics. Finally, it discusses how CATs and REAs can be used to inform decision making by considering practitioners' expertise, organizational data, scientific literature, and stakeholder values when identifying problems and solutions.
This document discusses Systematic Inventive Thinking (SIT), a methodology for creativity, innovation, and problem solving derived from TRIZ. SIT uses thinking tools to stimulate ideas, including removing components, assigning new tasks, multiplying components, dividing/rearranging components, and changing relationships. The document provides examples of SIT tools used by cosmetics company AHAVA in developing new products like a body exfoliator that uses body moisture and a mud mask that becomes a skin peel. It compares AHAVA's successful use of SIT to another company's unsuccessful application, showing how organizational factors impact whether ideas reach the market.
Inside The Box Thinking (Thanks to Drew Boyd for his wonderful coaching and g...Deepak Soni
Thanks to Drew Boyd - A global leader in creativity and innovation, teaches us how he learned about Systematic Inventive Thinking and why he feels S.I.T. is the only innovation method that produces breakthrough results for individuals, corporations and governments.
I am really appreciating him and this ppt is made out of his teaching and book i gone through
Innomantra - The Functional Innovation MethodologyInnomantra
The Functional Innovation Methodology
The Functional Innovation is an integrated approach to creative ideation and problem solving which incorporates aspects from several well-known ideation and problem solving techniques. FI developed out of a research study that involved analyzing 30,000+ recent innovations and 10,000+ highly cited patents in order to identify common patterns and develop useful heuristics.
In the 1960s, Swiss Physicist Fritz Zwicky developed the method of ‘Morphological Analysis’ for complex problems. Around the same time, Soviet Scientist Genrich Altshuller formulated a method for systematic problem solving after reviewing more than 40,000 patent abstracts. FI methodology includes elements derived from these two approaches. It has also been influenced by the ‘Design Thinking' process introduced by Herbert Simon and the ‘Creative Problem Solving’ method pioneered by Alex Osborn.
The Functional Innovation™ Methodology is customized to the products, process and business model that will enable participants to systematically generate ideas towards achieving innovation objectives identified by the client organization.
Innovation can be learned – with the most effective creativity methodology out there: SIT.
'Ideen finden' kann man lernen - Systematic Inventive Thinking
For more information and case studies, please visit: www.bold.group
In an increasingly competitive market, we believe that businesses will no longer be able to rely on external partners alone to drive innovation. By bringing design capabilities in-house, brands will have the ability to respond rapidly to a world changing around them, adapting constantly to remain fresh and bring relevant innovation to market – becoming what we call a ‘Living Business’.
Our ‘Design from Within’ report describes three distinct approaches businesses can take in order to design and innovate internally. Each approach shares common goals - such as creating a culture which inspires creativity, and enabling the business to scale ideas from the drawing board to the marketplace –but the models differ according to the extent of a company’s involvement in them.
This document discusses using storytelling as a tool for systems design. It argues that storytelling can help communicate complex, intangible system data by embedding context, perspectives, and interconnections. Storytelling stimulates interpretation of complexity, unlocks imagination, and fosters collaboration across disciplines. The document introduces the concept of "systemic storytelling" using parallel, intersecting storylines to represent a system. It provides examples of using roleplaying and visual story maps to understand collaboration dynamics within an organization and communicate sustainability transformations. The conclusion states that systemic storytelling can help gather system data, facilitate understanding of perspectives, represent complex systems, and ideate on future states, but more validation and practical tools are needed.
This document provides an overview of Systematic Inventive Thinking (SIT), an innovation methodology developed by SIT, a privately owned innovation company. SIT uses a set of unique thinking tools and principles to systematically generate ideas and helps companies integrate innovation into their organizational culture and processes. The methodology includes five thinking tools, principles for applying the tools effectively, facilitation skills for group work, project management processes, and organizational structures to sustain a culture of innovation. Over 850 companies in more than 60 countries have used SIT to achieve their innovation goals.
The document discusses Geoffrey Moore's book "Crossing the Chasm". The book focuses on 3 main themes: 1) the technology adoption life cycle, 2) the problem of crossing the chasm between early adopters and the early majority, and 3) solutions for how to cross the chasm. It also discusses the different customer types along the adoption curve and strategies for targeting customers, assembling resources, positioning products, and launching attacks to help cross the chasm from early adopters to the early majority.
Socialization of new members (chapter 8)HelvieMason
The document discusses organizational socialization and how it is an interactive process where both the individual and organization influence each other. It defines organizational socialization as the process by which an individual acquires the social knowledge and skills necessary to assume an organizational role. A successful socialization process can lead to outcomes like loyalty and a sense of congruency between one's own values and the organization's values. The key phases of socialization are anticipatory socialization, encounter, and metamorphosis. Throughout, both the individual and organization engage in active agency that shapes the socialization experience.
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!
Red vs. Blue Why we’ve been getting it wrong for 25 yearsEC-Council
Regarded as one of the world’s foremost experts on counter threat intelligence within the Information security industry, Chris Roberts constructs and directs a portfolio of defense services designed to improve the physical and digital security posture of both enterprise and government clients. With increasingly sophisticated attacks on targets of opportunity, Roberts’ unique methods of addressing the evolving threat matrix and experience with all information systems make him an indispensable partner to clients and industries that demand protection of financials, intellectual property, customer data and other protected information from attack.
This document summarizes the key points from a security presentation given by John "geekspeed" Stauffacher and Matthew "mattrix" Hoy. The presentation discusses how relying too heavily on automated detection tools has weakened many organizations' security posture and response capabilities. It advocates adopting a "Cleaner" approach that goes beyond just reimaging systems to identify threats, attackers' capabilities, and actions to stop attackers. Key areas that need improvement are outlined such as inadequate preparation, treating security as an afterthought, and failing to understand attackers' motives and methods in order to better defend against future incidents. Specific tools and techniques are also provided that can help with tasks like identifying attackers, containing compromises, and learning lessons to strengthen defenses going
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?Capgemini
As many enterprises begin their journey to innovate and differentiate their products through the use of technology built in Devops mindsets and Agile methods and head down the road to “Application Economy”, this drives a high velocity of changes for application security, how can we get ahead?
Join Capgemini to learn how the byproduct of IoT is a more connected enterprise and nation that will require new secure and resilient ways of software design, coding, testing (SLDC) and new frameworks to secure and make an attack resilient IoT ecosystem.
Presented at HPE Discover Las Vegas 2016.
This webinar discusses how social engineers and scammers are able to achieve their goals by manipulating people's decision making processes. It will cover the OODA (Observe, Orient, Decide, Act) loop model and how attackers can hijack this loop to bypass critical thinking. Attendees will learn techniques like manipulating facts, context, attention and emotions to subvert the OODA loop. The webinar will also provide strategies for defending against manipulation and improving security awareness in organizations.
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
A robot, a ninja and a pirate get into a fight. The question is: who wins? While we can debate this question until the end of time, likely have fun in the process; it’s a waste of time. Who are the robots, ninjas and pirates in your environment? What roles do they play in the vulnerability management process? We debate how to build a vulnerability management program all the time, however we are still spinning our wheels. Unlike the robot, ninja, pirate battle, there are concrete facts that will help you build a successful program, and avoid smoke bombs, swords, and robot death rays. Who wins? Find out in this presentation and learn how to protect your booty.
Given at the BugCrowd conference in January 2019, this was the first time for doing this deck.:
For 25 years or more we have fought the battle of passwords and patches while all around us, the world has developed, data has exponentially increased, attack surfaces are everywhere and technology had quite simply forced the human race to consider the evolution cycle in single lifespans as opposed to millennia. During the last 25 years we have done little to protect the charges we are responsible for, we have failed to secure systems, allowed financial attacks, infrastructure attacks, and now attacks directly against humans. At what point will we be able to stem the bleeding and actually take charge of our realm? Have we left it too late, or are we still able to claw back out of the abyss and face our adversary in a more asymmetrical defensive manner? Can we actually provide safety and security to our charges or will we continue to fail? And, critically, how do we communicate this, and educate a population that is content to watch from the sidelines, while they are being digitally eviscerated.
Collaboration through Conflict - Orlando Code Camp March 2014Mark Kilby
The document provides an overview of a presentation by Mark Kilby on collaboration through conflict and evolving better teams. The presentation aims to help attendees better understand the relationship between conflict and collaboration, and provide teams with tools to navigate through conflict. The agenda includes understanding different types of conflict and collaboration, discussing values and conflict, and what to do when things still go wrong with teams.
Cybercrime and the Developer Java2Days 2016 SofiaSteve Poole
The document discusses cybersecurity risks and how developers can help address them. It notes that cybercriminals target developers because they have privileged access and knowledge of systems. Developers are often too trusting and ignore security, installing software without checking for malware or disabling certificate validation. The talk urges developers to take security more seriously by keeping systems updated, using strong authentication, and being wary of suspicious network connections and downloads from untrusted sources. Developers must help address the growing problem of cybercrime by promoting secure development best practices.
Every decision we make is one made on behalf of your user. How do we know the decisions we make are the right ones? It is time we initiate a conversation: About where we are and where we want to go, about how we define and measure goodness and rightness in the digital realm, about responsibility, about decisions and consequences, about building something bigger than our own apps. It is time we talk about the ethics of web design. This talk introduces a method for ethical decision making in web design and tech. Rather than a wet moralistic blanket covering the fires of creativity, ethics can be the hearth that makes our creative fires burn brighter without burning down the house.
Presented at WordCamp Europe 2018: https://2018.europe.wordcamp.org/session/the-ethics-of-web-design/
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...Santhosh Tuppad
As technology evolved, software security faced huge challenges and as the years passed, the world has seen drastic changes far too quickly. And along with these advancements, even black-hat hackers or malicious hackers have evolved also very well. Today, the internet is the place for everyone where hackers dwell almost all the time. Every day new applications are released to the web and users start using them and even get addicted to them due to outstanding UX. But, wait! Did someone think about the "security" layer of these applications? Well, we often don’t and most of the applications today suffer from "beggarly / bad security".
In this talk, Santhosh Tuppad will focus on the pitfalls of bad security and why software security has failed in a pretty way. He will also shed light on how your users may be facing bigger problems than you can imagine due to bad software that lacks security testing. He will also demonstrate some of the lethal problems that exist in the industry and will talk about technical impact, business impacts like reputation damage, revenue loss and a lot more.
Not only that, Santhosh won’t end his talk without some hacking demonstrations that will for sure wow you. Finally, he will tell you how you can start security testing from day 1 and start contributing in terms of building secure software.
From this talk, you will gain an understanding about the problems that a lack of security testing presents and you find out about tool-assisted security testing; performing security tests through questioning. After the talk, you will be able to start identifying risks and report comm.on vulnerabilities giving you a feeling of “I can do this”
CWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powellCapgemini
Andy Powell will provide an overview of the General Data Protection Regulation (GDPR) and an approach for organizations to address its requirements through principles of "Build, Watch, Proact and React" modeled after medieval warfare strategies. GDPR compliance requires a balanced program across people, processes, and tools rather than a single solution. The presentation will simplify GDPR, explain the threats it addresses beyond just hackers, and how taking a common sense approach to prioritizing efforts can help organizations be ready to meet its obligations.
The document discusses various risks facing organizations with a web presence and provides recommendations to address those risks. It identifies issues such as security vulnerabilities, privacy concerns, social media risks, and analytics inaccuracies. It recommends that organizations conduct security audits, monitor their websites for hackability, disclose any required information, and stay aware of their site's performance, uptime, and what search engines are indexing about them.
Presentation to Lonetree PMI Roundtable on August 27, 2008.
Abstract:
According to the Wall Street Journal agile development has "crossed the chasm." Why then are there still strong pockets of intense resistance to agile? This presentation takes a look at some of the most common misconceptions about agile development. It exposes the truth behind the myths and backs up many of the points with actual industry data. In the process, a basic business case for agility is created. The goal of this session is for all participants to leave with the knowledge necessary to answer the question "Why Agile?" In addition, participants will gain a deeper understanding of the realities of agile development and how it can help organizations.
The document discusses preparing for a major cybersecurity incident and how management may react. It suggests training management on worst-case scenarios to avoid overreactions like scapegoating IT staff. The author recommends having management participate in mock cyber attacks to discuss response plans in advance and make pre-decisions. By preparing management, the impact of a real breach may be lessened through a coordinated response rather than panic or blaming others.
The document discusses designing eLearning solutions to achieve business results. It outlines a 5-step process for designing training, beginning with defining the target business problem and desired outcomes. The steps include understanding the audience through creating user personas, identifying specific performance goals and barriers to achieving those goals, considering constraints, and envisioning the learning experience. An example is provided of going through the steps to address the problem of employees falling for phishing emails. Key aspects covered include defining the business problem and desired outcomes, creating a user persona for a marketing employee, and identifying specific situations where employees may fail to properly handle phishing emails and the corresponding desired actions. The document advocates for focusing first on the desired business results when designing training rather than beginning with
Completing the Risk Picture: Adding a business intelligence and collaborative...SurfWatch Labs
The document discusses improving cybersecurity risk assessment by taking a business intelligence and collaborative approach. It argues that single perspectives are limited and that understanding external context is important. It promotes learning from, sharing with, and collaborating with others to improve cyber risk management, as staying silent only helps bad actors. The document introduces SurfWatch Labs, which takes such an intelligence-led, risk-sensing approach to cybersecurity using large data analytics.
Architecting a Post Mortem - Velocity 2018 San Jose TutorialWill Gallego
Engineers are frequently tasked with being front and center in intense, highly demanding situations that require clear lines of communication. Our systems fail not because of a lack of attention or laziness but due to cognitive dissonance between what we believe about our environments and the objective interactions both internal and external to them.
It’s time to revisit your established beliefs surrounding failure scenarios, with an emphasis not on the “who” in decision making but instead on the “why” behind those decisions. With attention to growth mindset, you can encourage your teams to reject shallow explanations of human error for said failures and focus on how to gain greater understanding of these complexities and push the boundaries on what you believe to be static, unchanging context outside your sphere of influence.
Will Gallego walks you through the structure of postmortems used at large tech companies with real-world examples of failure scenarios and debunks myths regularly attributed to failures. You’ll learn how to incorporate open dialogue within and between teams to bridge these gaps in understanding.
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24
Our security experts present how to step up your cyber hygiene best practice to prevent targeted hacking attempts from remote code execution to network exploitation.
Similar to Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Different, Presented by Steve Werby at DerbyCon 4 in 2014 (20)
Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...Steve Werby
Malicious URLs have been plaguing users for years. Leveraging of shortened URLs, redirect exploits, and other techniques have made detection of malicious links a much tougher problem for users who have to make a decision and for technical controls. This has gotten worse with the proliferation of QR codes and NFC tags. In this talk, I'll discuss research I conducted concerning the effectiveness of attacks using malicious QR codes, issues with mobile device QR code readers, an education campaign that resulted, and recommendations for users, publishers, app developers, and information security practitioners.
Information Security Threat Level Snapshot Template by Steve Werby 2014Steve Werby
I created this template for displaying a snapshot of the current information security threat level as it pertains to my organization. Technically, its current use is to represent threat actors, attack vectors, vulnerabilities, and additional context.
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Steve Werby
Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...Steve Werby
By aggregating and creating new dictionaries and manipulating them to guess plaintext and hashed passwords in high profile password exposures, I'll demonstrate which dictionary attacks and password cracking strategies are the most effective. I will also discuss the building of passphrase dictionaries. The password and passphrase cracking will be performed primarily using Amazon EC2 and the time, cost, and resource constraints of EC2 and other options will be analyzed.
Versions of this talk were also presented at Hack3rCon, DerbyCon, and SOURCE Seattle.
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...Steve Werby
Your organization has invested in a variety of tools to manage its information technology and the security of its systems. But it's a nightmare to synthesize this information so non-technical decision makers can make informed decisions and so information security and IT management can manage security effectively. We developed and implemented a web-based tool which has been integrated with numerous data sources to address this business need across our large, decentralized organization with a heterogeneous IT environment. Now non-technical staff who previously knew little about their technology can easily view information about their assets and how they.re being managed and information security staff have access to the information they need in a centralized tool. The tool will be demonstrated and the technology, implementation, management and usage of the system will be covered in order to share successes and lessons learned.
Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...Steve Werby
A detailed analysis of password policies and authentication controls for widely-used websites hadn’t been conducted and seemed to be a daunting effort. To address this I supplemented automated and semi-automated data collection with the utilization of low-cost marketplaces like Amazon Mechanical Turk and unpaid volunteers. I will cover my methodology, analysis of the collected data, challenges, lessons learned, and future plans.
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...Steve Werby
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Different, Presented by Steve Werby at DerbyCon 4 in 2014
1. Steve Werby
DerbyCon 2014
Bad Advice,
Unintended Consequences,
and
Broken Paradigms:
Think and
Act Different
1
2. Bad Advice,
Unintended Consequences,
and
Broken Paradigms:
Think and
Act Different
@stevewerby
Steve Werby
WerbyCon 2014
1
3. goto fail; goto fail;
Don’t have a strategy…or a [vision|mission|target state|roadmap]
Don’t understand risk
Serve as an obstacle…because we don’t align with the business
Don’t engage our stakeholders
Scream about irrelevant vulns
Want to solve everything with shiny things
Yet don’t know how are shiny things work
And only use a fraction of their capabilities
Can’t state how effective we are
But think we’re right and they’re wrong
2
4. We’re Doing it Wrong
Insanity [noun] in-ˈsa-nə-tē: Doing the same thing over and over again and
expecting different results
3
5. We’re Doing it Wrong
Infosec [noun] in-ˈsa-nə-tē: Doing the same thing over and over again and
expecting different results
4
6. Disclaimer
“I am Jack’s raging bile duct.”
5
fbbba818c9dcdcbd9c6e2430f59871e8
8. What Information Security Is (Allegedly)
Information security is the practice of defending information against
unauthorized access, use, disclosure, modification, or destruction
7
9. What Information Security Is (Really)
Information security is the defense of information and IT systems in
alignment with stakeholders' direction for addressing risk and
opportunities
8
10. What Information Security Is (Really)
Information security is the defense of information and IT systems in
alignment with stakeholders' direction for addressing risk and
opportunities
Breaking it Down
• What information do we have?
• What IT systems use it?
• Who are stakeholders?
• What are our risks?
• What are our opportunities?
9
11. We’re Doing it Wrong
0
KPMG: Cyber Security: It’s Not Just About the Technology (http://www.kpmg.com/GI/en/IssuesAndInsights/ArticlesPublications/Documents/cyber-security-
not-just-about-technology.pdf)
12. The Stakeholder Immaturity Model
How can we align with org’s objectives?
What do you think we should do?
What’s our risk for scenario I read
about?
Should we address this?
How can we prevent this in the future?
How did you let this happen!?
11
13. Bad Advice – Passwords
Make them complex
Memorize them
Change them regularly
12
14. Bad Advice – Passwords
12
Hard to guess
Protect them
Hard to crack the hash
Make them complex
Memorize them
Change them regularly
15. 12
Unintended Consequences – Passwords
Hard to guess
Protect them
Hard to crack the hash
Make them complex
Memorize them
Change them regularly
Compliant, but weak, reused, and similar
Write them down, but poorly protected
Only if forced, increment/rotate
16. Think && Act Different – Passwords
Make it loooooooooooooong
Disallow common topologies1
Require a Unicode character
Audit them
13
1 KoreLogic Security Blog: Pathwell Topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)
17. Think && Act Different – Passwords
Make it loooooooooooooong
Disallow common topologies1
Require a Unicode character
Audit them
13
thinkandactdifferentinfosec
ullllldd
passw⛽rd
If too easily guessed, force change
1 KoreLogic Security Blog: Pathwell Topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)
18. Broken Paradigm – Policy
Legalese
Verbose
What to [not] do
14
Comprehensible
Retainable
What to [not] do and why
Great for CYA, but don’t understand it, can’t retain it
Don’t read it
Don’t know why and think we don’t get it
19. Think && Act Different – Policy
Keep traditional policy if you want, but translate and/or create cheat sheet
Create a password which isn’t guessable by someone who knows you or
is similar to one you currently or previously used here or anywhere else.
Protect it by never sharing it with ANYONE, being wary of phishing
attacks, and by memorizing it or writing it down in securely.
Adversaries are good at tricking people and using their knowledge of
typical approaches for constructing passwords.
Don’t let them gain access to your personal accounts and info or the
company information you have access to.
15
25. If This is You, You’re Doing it Wrong!
FUD: 005 (http://fearuncertaintydoubt.wordpress.com/2009/12/21/fud-005/) 20
26. If This is You, You’re Doing it Wrong!
User Friendly: Please Create a Password (http://ars.userfriendly.org/cartoons/?id=20070929) 21
27. Broken Paradigm – Vulnerability Management
Unlocked, 20-year old, empty
beaten up car in middle of full
parking lot
Unlocked house with $10MM
in diamonds in the middle of
the desert and only 1 person
knows it’s there
22
28. Broken Paradigm – Vulnerability Management
Unlocked, 20-year old, empty
beaten up car in middle of full
parking lot
Unlocked house with $10MM
in diamonds in the middle of
the desert and only 1 person
knows it’s there
22
Insignificant impact
Improbable threat
Context is critical
29. Risk is This…Because Algebra
R = Threat * Vulnerability * Impact
R = Likelihood * Impact
• Almost certainly a range of impact/likelihood scenarios
• Likelihood of threat exploiting a vulnerability
resulting in impact
23
33. Think && Act Different – Ask Questions (Direction)
Are we meeting stakeholder expectations?
27
34. Think && Act Different – Ask Questions (Direction)
Are we meeting stakeholder expectations?
• Who are our stakeholders?
• What are their goals and concerns?
• Are we helping them achieve their goals?
• Are we reporting our progress?
• Do they understand what we’re telling them?
• What has their feedback been?
27
35. Think && Act Different – Ask Questions (Risk Scenarios)
What if someone stole the CEO’s laptop while he was using it at the park?
28
36. Think && Act Different – Ask Questions (Risk Scenarios)
What if someone stole the CEO’s laptop while he was using it at the park?
• Are there preventive or detective controls in place?
• Does he know who to contact?
• Do you know what info and systems are accessible?
• Is there an incident response plan for this scenario?
• How long will the incident take to contain?
28
37. Think && Act Different – Ask Questions (Capabilities)
What percentage of critical vulnerabilities for systems in our environment
are exploited in the wild before we’ve remediated them? Exploited in our
environment?
29
38. Think && Act Different – Ask Questions (Capabilities)
What percentage of critical vulnerabilities for systems in our environment
are exploited in the wild before we’ve remediated them? Exploited in our
environment?
• How does this compare to the previous quarter?
• Patch frequency?
• Target (and actual) turnaround between patch release and implementation?
• How might we reduce this from X% to Y%?
29
39. Think && Act Different – Ask Questions (Assessment of Controls)
What if an attacker enumerated all of our AD accounts to intentionally lock
them out?
30
40. Think && Act Different – Ask Questions (Assessment of Controls)
What if an attacker enumerated all of our AD accounts to intentionally lock
them out?
• Are there preventive or detective controls in place?
• Do you know what the impact would be?
• Is there an incident response plan for this scenario?
• How long will the incident take to contain?
• What was the objective of the control and is the objective being met?
30
41. Think && Act Different – Attack Trees
How can we better protect our CEO’s devices when he travels to China?
• Assumption: Threat actor = competitor, motivation = espionage, skills = high
• Goal: Acquire trade secrets
31
42. Think && Act Different – Attack Trees
How can we better protect our CEO’s devices when he travels to China?
• Assumption: Threat actor = competitor, motivation = espionage, skills = high
• Goal: Acquire trade secrets
31
43. Think && Act Different – How Might We?
Install RF hardware in laptop (or modify BIOS or modify a component)
Ask yourself “How might we?”
32
44. Think && Act Different – How Might We?
Install RF hardware in laptop (or modify BIOS or modify a component)
Ask yourself “How might we?”
32
How might we:
• Mitigate a HW modification?
• Detect a HW installation?
• Mitigate the risk after CEO’s
return?
45. Think && Act Different – How Might We?
Install RF hardware in laptop (or modify BIOS or modify a component)
Ask yourself “How might we?”
32
How might we:
• Mitigate a HW modification?
• Detect a HW installation?
• Mitigate the risk after CEO’s
return?
• Tamper-proof tape
• Weigh the laptop
• Destroy laptop or sanitize and sell
46. Think && Act Different – How Might We?
Steal in-use laptop
Ask yourself “How might we?”
33
47. Think && Act Different – How Might We?
Steal in-use laptop
Ask yourself “How might we?”
33
How might we:
• Prevent it or mitigate it?
48. Think && Act Different – How Might We?
Steal in-use laptop
Ask yourself “How might we?”
33
How might we:
• Prevent it or mitigate it? • Not use it in public
• Stay-alive code
• Proximity device to trigger logout
50. Think && Act Different – Assume Failure
Before a project, initiative, or major change, assume it will fail
• Do individually, more than one individual, discuss
35
51. Think && Act Different – Metrics
36
Average # of days to patch a
vulnerability
# of people who opened phishing
security awareness communication
% of web apps with VAs performed
last year
52. Think && Act Different – Metrics
% of vulns patched after threshold &
median days > threshold
% of users exhibiting undesired phishing
response by awareness status
% of web apps with VAs having repeat
OWASP Top 10 findings
36
Average # of days to patch a
vulnerability
# of people who opened phishing
security awareness communication
% of web apps with VAs performed
last year
53. Think && Act Different – Metrics
% of vulns patched after threshold &
median days > threshold
% of users exhibiting undesired phishing
response by awareness status
% of web apps with VAs having repeat
OWASP Top 10 findings
36
Average # of days to patch a
vulnerability
# of people who opened phishing
security awareness communication
% of web apps with VAs performed
last year
Describe outcomes, capabilities, or progress towards target state
Answer questions or allow you to formulate new questions
Are meaningful and actionable
56. Think && Act Different – Understand Stakeholders
37
You, CFO, CIO, Audit, Law, Owner, User
RACI model
CFO – fiscal responsibility, ROI
CIO – deliver value, cut costs
Audit – assurance of controls
User – effectiveness, efficiency
Identify stakeholders
Define roles
Understand goals/needs
57. Think && Act Different – Communicate with Stakeholders
38
Establish channels
Speak their language
Educate them
Concise, defensible
Choices
58. Think && Act Different – Communicate with Stakeholders
38
Establish channels
Speak their language
Educate them
Concise, defensible
Choices
Formal group, leverage group, survey
! [0-day|worm|insecure]
Lexicon, role, bidirectional collaboration
Strategy, roadmap, progress, risk environ
Menu, considerations, likely outcomes
59. Think && Act Different – Get What You Want
39
Make it benefit them
60. Think && Act Different – Get What You Want
39
Make it benefit them Longer password by giving up expiration
61. Think && Act Different – Gorge on Data
40
You’ll find:
• Baselines
• Patterns
• Correlations
• New questions to ask
62. Think && Act Different – Gorge on Data
40
You’ll find:
• Baselines
• Patterns
• Correlations
• New questions to ask
• ECM documents accessed daily by user
• 19% of users’ passwords are ULLLLLLNS
• 317% more likely to forget password if changed
entering weekend, holiday, or vacation
• What are USB flash drives being used for?
63. Broken Paradigm – The Quartet of Doom
41
Passwords Firewalls
OS Patching Antivirus
64. Broken Paradigm – The Quartet of Doom
42
Passwords Firewalls
OS Patching Antivirus
Prevent
unauthorized access
Reduce
exploitation
Barricade
vulnerable systems
Detect
malicious code
65. The Quartet of Potential Hope and Lower Discontent
OTPs Anomaly Detection
43
Passwords Firewalls
OS Patching Antivirus
Prevent
unauthorized access
Reduce
exploitation
Barricade
vulnerable systems
Detect
malicious code
Mitigate Java Malware Sandboxing
66. Broken Paradigm – The Quartet of Doom
44
Control Success
Confidence
Risk
Mitigation
User
Friction
Implement
Burden
Govern/Admin
Burden
Org
Friction
Cost
Passwords 2* 3 3 - 1 3 1
OTPs 4 4 2 3 4 4 4
Firewalls 1 2 5 - 1 1 1
Anomaly Detection 2 4 3 5 1 4 2
OS Patching 3 1 3 - 3 3 2
Mitigate Java 5 5 5 2 5 5 1
Antivirus 2 1 3 - 2 4 2
Malware Sandbox 3 3 5 2 4 5 3
✓
✓
* 1 is the least desirable, 5 is the most desirable
67. Yes, You Can Tame Java
45
Deployment Rule Sets (then you can actually patch too!)
Block User Agent for Java at proxy
Microsoft EMET
68. Yes, You Can Tame Java
45
Deployment Rule Sets (then you can actually patch too!)
• Install multiple versions of Java per device
• Limit which applets and applications end user can execute
• Limit which version of Java is associated with each
69. Yes, You Can Tame Java
45
Deployment Rule Sets (then you can actually patch too!)
• Install multiple versions of Java per device
• Limit which applets and applications end user can execute
• Limit which version of Java is associated with each
Block User Agent for Java at proxy
• Query proxy logs for visited hosts that used Java user agent
• Aggregate by host, sort by frequency, analyze
• Generate exclusions
• Attacker can not modify the user agent before exploit attempt
• Prevents web-based attacks against all operating systems
70. Yes, You Can Tame Java
45
Deployment Rule Sets (then you can actually patch too!)
• Install multiple versions of Java per device
• Limit which applets and applications end user can execute
• Limit which version of Java is associated with each
Block User Agent for Java at proxy
• Query proxy logs for visited hosts that used Java user agent
• Aggregate by host, sort by frequency, analyze
• Generate exclusions
• Attacker can not modify the user agent before exploit attempt
• Prevents web-based attacks against all operating systems
Microsoft EMET
71. Yes, You Can Tame Java
46
Option Risk
Mitigation
Implement
Burden
Govern/Admin
Burden
User
Friction
Deployment Rule Sets H M L L
Patch Acceleration M M M M
Block Java at Proxy H L L L
EMET to Protect Java H L L L
Implementation order
• Block Java at proxy
• EMET to project Java
• Deployment Rule Sets
• Patch acceleration
72. Think && Act Different – Start *Somewhere*
47
Where?
• Easiest? Highest value? With person who raises hand?
• May not be your call
• Could be based on surprise opportunity
Be prepared
• Incident in your environment
• Incident elsewhere
• Inquiry from stakeholder
Crawl, walk, run – gain experience and learn lessons
73. Think && Act Different – Start *Somewhere* (Local Admin PW)
48
Scenario: Single enterprise-wide weak Local Admin password (LA PW)
which hasn’t been changed in years and was poorly controlled
Document risk, share options with stakeholders
Change it to an acceptable password && implement governance
Create unique LA PW for segments of population
Create unique LA PW for each device based on root + device attribute
Create unique random LA PW for each device via PW escrow tool
Eliminate use of the LA PW
74. Think && Act Different – Go Against the Grain
49
Get a Mac campaigns from 2006 to 2009
Higher the penetration of a technology or tool, the more likely it will be
targeted
• If you use tools with high penetration
- How quickly can your use of it be discovered?
- Do you have compensating controls?
- How quickly can you remediate vulnerabilities?
Consider technologies, tools, and configurations that reduce exploitation
likelihood
75. Think && Act Different – Step Out of the Echo Chamber
50
Infosec is a field compromised of numerous disciplines
Social engineering => psychology, marketing, data analytics
Infosec
• Risk mgmt
• Strategy
• Negotiation
• Statistics
• Probability
• Data analytics
• Psychology
• Marketing
• Education
• Law
• Privacy
• Fraud prevention
• Finance
• Human factors engr
• Operations research
• Military science
• Safety
76. Think && Act Different – Equal Treatment Not Required
51
Some people are riskier
• Based on system/data access
• Role/visibility
• Security hygiene
• Disgruntled/disciplined/separating
• Internet presence
77. Think && Act Different – Equal Treatment Not Required
51
Some people are riskier
• Based on system/data access
• Role/visibility
• Security hygiene
• Disgruntled/disciplined/separating
• Internet presence
It’s OK to treat them differently
• Different training
• Different detective and preventive controls
• If a systems’ users are higher risk, so is the system (inherited risk)
78. If This is You, You’re Doing it Wrong!
Dilbert: Mordac, the Preventer of Information Services (http://dilbert.com/strips/comic/2007-11-16/) 52
80. The Challenge
53
Think and act different.
Share your experiences.
81. The Challenge
53
Think and act different.
Share your experiences.
Do infosec better.
82. The Challenge
53
Think and act different.
Share your experiences.
Do infosec better.
Get better infosec outcomes.
83. Bad Advice,
Unintended Consequences,
and
Broken Paradigms:
Think and
Act Different
@stevewerby
Steve Werby
Questions? Ideas? Thoughts? WerbyCon 2014
54