The document discusses the importance of threat intelligence reports for informing security strategies and justifying security budgets. However, it notes that many reports contain "fear, uncertainty and doubt" (FUD) that does not provide meaningful guidance. It is important for security professionals to separate fact from hype in these reports to make effective risk management and proactive defense decisions. The document advocates teaching security professionals to better understand evolving threat landscapes and assess the quality of threat intelligence data.
The difference between the Reality and Feeling of Security (Anup Narayanan)
A presentation that I took recently for a top management group that focuses on the human factor in information security. The presentation focuses on why people make security mistakes by analyzing various factors involving perception, how people make security decisions and how people are influenced by their feeling of security.
Do drop me a note if you wish to discuss this further at "anup at isqworld dot com"
Abstract: This presentation discusses multi-factor authentication, and what to look for if you are planning a product refresh, or implementing a solution for the first time. Since there are over 200 vendors, it is not easy to select the best solution for your needs. The goal of this presentation is to arm you with questions to ask, plus identify some suboptimal technologies to avoid. Your feedback to vendors will help them provide better, more secure products and services.
-
As German defense minister, Ursula von der Leyen can attest, fingerprints can be hacked. So can facial and other biometrics. Why, then, is biometric-based authentication so fashionable? Why did one of the largest insurance companies just announce it is rolling out fingerprint and facial recognition for its customers (while it uses Symantec VIP for internal employees)? Did product management and marketing conduct a study that concluded customers feel safer with fingerprint and facial?
Apple’s Touch ID, and VISA’s integration with it are shaping the fashionable trend faster than a Milan runway. Hopefully these short hemlines will fade soon. Apple’s senior vice president, Dan Riccio, irresponsibly claims, “Fingerprints are one of the best passwords in the world.” He probably understands it is easy to reset a password. He probably does not understand how hard it is to reset his fingerprints. Truly the inmates are running the asylum.
Panel 4: Beyond Bugs: Embracing Security Features
How can startups go beyond bug hunting to implementing security features? This panel will consider how startups can overcome development challenges, such as impacts on performance, to embrace security features — like site-wide SSL/TLS, Content Security Policy, and multifactor authentication — that can protect consumers from threats proactively and help eliminate entire classes of vulnerabilities.
Moderator:
Katherine McCarron
Division of Privacy and Identity Protection, FTC
Panelists:
Robert Hansen
Vice President of WhiteHat Labs
WhiteHat Security
Clare Nelson
CEO
ClearMark Consulting
Caleb Queern
Manager
KPMG Cyber
OWASP AppSec USA 2015, San Francisco
How do you stump a multi-factor authentication vendor? Ask for a threat model.
This talk will help developers as well as CISOs make better authentication decisions. When we raise the bar, everyone wins.
How to keep your head (and your job) when the worst-case scenario happens.
Due to the increasing frequency of security breaches, defining an action plan is critical for every security practitioner. Getting breached doesn’t determine whether or not you’ve got a good security program in place – but how you respond to one does.
Join security expert Conrad Constantine of AlienVault, for an in-depth discussion on things you and your team should do today to prepare for information security breaches. You’ll get practical, lessons learned advice on:
- The inevitability of security breaches
- Preparing to survive security breaches
- Threat identification and containment
- Handling the aftermath so it’s not worse than the breach itself
54 Chapter 1 • The Threat Environment FIGURE 1-18 Cyberwar .docx (alinainglis)
54 Chapter 1 • The Threat Environment
FIGURE 1-18 Cyberwar and Cyberterror (Study Figure)
Nightmare Threats
- Potential for far greater attacks than those caused by criminal attackers
Cyberwar
- Computer-based attacks by national governments
- Espionage
- Cyber-only attacks to damage financial and communication infrastructure
- To augment conventional physical attacks
  - Attack IT infrastructure along with physical attacks (or in place of physical attacks)
  - Paralyze enemy command and control
  - Engage in propaganda attacks
Cyberterror
- Attacks by terrorists or terrorist groups
- May attack IT resources directly
- Use the Internet for recruitment and coordination
- Use the Internet to augment physical attacks
  - Disrupt communication among first responders
  - Use cyberattacks to increase terror in physical attacks
- Turn to computer crime to fund their attacks
espionage.87 Cyber espionage from China has been a serious problem since 1999.88 The Chinese government has been involved in, or sponsored, attacks aimed at the State Department, Commerce Department, Senators, Congressmen, and US military labs.89
Cyberwar attacks can be launched without engaging in physical hostilities and still do tremendous damage. Countries can use cyberwar attacks to do massive damage to one another’s financial infrastructures, to disrupt one another’s communication infrastructures, and to damage the country’s IT infrastructure all as precursors to actual physical hostilities.
Cyberterror
Another nightmare scenario is cyberterror, in which the attacker is a terrorist or group of terrorists.90 Of course, cyberterrorists can attack information technology resources directly. They can damage a country’s financial, communication, and utilities infrastructure.91
87 Dawn S. Onley and Patience Wait, “Red Storm Rising,” GCN.com, August 21, 2006. Keith Epstein, “China Stealing U.S. Computer Data, Says Commission,” Business Week, November 21, 2008. http://www.businessweek.com/bwdaily/dnflash/content/nov2008/db20081121_440892.htm.
88 Daniel Verton and L. Scott Tillett, “DOD Confirms Cyberattack ‘Something New’,” Cnn.com, March 6, 1999.
89 Josh Rogin, “The Top 10 Chinese Cyber Attacks (that we know of),” ForeignPolicy.com, January 22, 2010.
90 Although organized terrorist groups are very serious threats, a related group of attackers is somewhat dangerous. These are hacktivists, who attack based on political beliefs. During tense periods between the United States and China, for instance, hacktivists on both sides have attacked the IT resources of the other country.
91 In 2008, the CIA revealed that attacks over the Internet had cut off electrical power in several cities. Robert McMillan, PC World, January 19, 2008. http://www.pcworld.com/article/id,141564/article.htm?tk=nl_dnxnws.
Most commonly, cyberterrorists use the Internet as a recruitment tool through websites and to coordinate their activities.92 They can also use cyberterror in conjunction with .
Attacks are evolving and so must the response – but how? This presentation explores how you get beyond the APT hype and strike a sensible balance between security expenditure and commercial risk. We explain what you need to just keep doing, what’s new and what’s no longer effective.
CyberSecurity: Intellectual Property dispute fuels Cyberwar (Elyssa Durant)
deep links! Firetown run by Michael Dammann is an illegal operation registered in the United States of America by a known disinformation agent and FRAUD. The Firetown News Network is a farce. INTELLECTUAL PROPERTY 101. I want my shit back! Let the record show, you can delete a post but there is always a trace. #InfoSec
Nominum Data Science Security Report, Fall 2016 (Brian Metzger)
Nominum’s “Data Revelations” analyzes some of the biggest cyberthreats impacting organizations and individuals today, including ransomware, DDoS, mobile malware and IoT-based attacks. Since DNS is the launch point for over 90% of cyberattacks, it offers a superior vantage point from which to examine, understand, thwart and proactively prevent threats. By applying machine learning, artificial intelligence, natural language processing and neural networks, Nominum Data Science is able to predict and prevent some of the most sophisticated and dangerous cyberthreats to ever hit the internet.
Kaspersky North American Virus Analyst Summit (PR Americas)
Kaspersky Lab analysts are seeing over 50,000 new malware threats per day in the lab. The best defense against these threats is knowledge. Our Global Research and Analysis Team provided succinct presentations and discussion about the latest Internet threats that exist today, and offered tips to protect attendees from cybercriminals. These presentations provided a greater understanding of the threat landscape and what to expect throughout the rest of 2010.
Gartner Security & Risk Management Summit Brochure (trunko)
The 2011 Gartner Security & Risk Management brochure is now available. Featuring more than 100+ sessions, 4 complete programs including Security, Risk/Compliance, CISO and Business Continuity Management. For details, please visit www.gartner.com/us/securityrisk
The Future of Security: How Artificial Intelligence Will Impact Us (PECB)
For decades, the security profession has relied on the best technology we had at the time to deflect the onslaught of what we faced daily in the way of virus and malware attacks. Now, as predicted by Thomas Kuhn in his book “The Structure of Scientific Revolutions,” we’re seeing the dawn of a new day where AI’s machine learning and advanced mathematical algorithms now offer validated deflection rates, pre-execution, in the realm of 99%. This session will explore this new paradigm and how it will impact our future.
Main points covered:
• How did our profession change in the world of reactive detection?
• How to escape the inertia that held us prisoners?
• What is the power of AI and machine learning?
• What are the risks of this new technology?
Presenter:
Our presenter for this webinar, John McClurg serves as Vice President and Ambassador-At-Large of Cylance, where he is responsible for building Security and Trust programs & operational excellence efforts. Prior to Cylance, he served as the CSO of Dell, Honeywell, and Lucent and in the U.S. Intelligence Community, as a twice-decorated member of the Federal Bureau of Investigation (FBI). He also served as a Deputy Branch Chief of CIA where he helped to establish the new Counterespionage Group and was responsible for the management of complex counterespionage investigations. McClurg was voted one of America’s 25 most influential security professionals.
Organizer: Ardian Berisha
Date: October 25th, 2018
Recorded webinar link:
This talk revisits the 2016 Mirai attack which targeted IoT devices including IP cameras, WiFi-connected refrigerators, home routers, and more. The resulting botnet was used to attack Dyn’s DNS platform, which affected many websites including Twitter, SoundCloud, Airbnb, and Spotify.
You will learn and discuss the answers to these questions and more:
• What is the current state of Mirai and Mirai variants?
• What Distributed Denial of Service (DDoS) defenses do you have in place?
• How can you prepare to detect and defend against botnet malware?
• What is recommended in the September 2018 NISTIR Draft, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.
This talk will introduce Zero-Knowledge Proofs (ZKPs) and explain why they are a key element in a growing number of privacy-preserving, digital-identity platforms. Clare will provide basic illustrations of ZKPs and leave the necessary mathematics foundations to the readers.
After this talk you will understand that there is a variety of ZKPs, it’s still early days, and why ZKP is such a perfect tool for digital identity platforms. This talk includes significant updates from the newly-organized ZKProof Standardization organization plus a signal of maturity: one of the first known ZKP vulnerabilities.
Clare will explain why ZKPs are so powerful, and why they are building blocks for a range of applications including privacy-preserving cryptocurrency such as Zcash, Ethereum, Artificial Intelligence, and older versions of Trusted Platform Modules (TPMs). The presentation includes many backup slides for future learning and researching, including four slides of references.
According to Matthew Green, Zero-Knowledge Proofs are the most powerful tool cryptographers have ever devised. Find out why. Find out how ZKPs apply to identity proofing and authentication.
Presentation for September 2017 ISC2 Security Congress
Biometric Recognition for Multi-Factor Authentication
- Biological and Behavioral Biometrics
- Benefits and Issues
- What Every CISO Should Know
- Laws, Standards, and Guidelines
- How to Measure Biometric Recognition
- Attack Vectors
- Multimodal Biometric Recognition
- Continuous Authentication with Biometrics
- Face ID Update
- The Future
In the near future, privacy-preserving authentication methods will flood the market, and they will be based on Zero-Knowledge Proofs. IBM and Microsoft invested in these solutions many years ago.
Talk for Austin ISSA
What’s more accurate, face or iris?
What’s more secure, password or biometrics?
Is the US legal system up to the challenge?
Impact of EU GDPR and PSD2
Does NIST provide quantitative anti-spoofing requirements?
Will ISO/IEC define how to evaluate anti-spoofing for mobile devices?
A Strategic Approach: GenAI in Education (Peter Windle)
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In... (Dr. Vinod Kumar Kanvaria)
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
2024.06.01 Introducing a competency framework for language learning materials ... (Sandy Millin)
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Francesca Gottschalk - How can education support child empowerment.pptx (EduSkills OECD)
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Normal Labour/ Stages of Labour/ Mechanism of Labour (Wasim Ak)
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Normal Labour/ Stages of Labour/ Mechanism of Labour
HackFormers Talk: Beware Wolves in Sheep's Clothing
1. www.hackformers.org
Beware Wolves in Sheep’s Clothing: Information Security Threat Reports, Separating Fact from FUD
Clare Nelson, CISSP
CEO, ClearMark Consulting
January 11, 2013
“…just because it's true doesn't make it not FUD”1 - Rafal Los
1 Source: HP Enterprise Security Blog: http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/Abandon-FUD-scare-tactics-and-marketing-hype-to-sell-information/ba-p/5551189
2. Speaker Background
• 30+ years in high tech, startups and Fortune 100 companies:
– GM (Space Shuttle subcontractor for Boeing), ACC (now Ericsson), CMC (now Rockwell), DEC (now HP), EMC, Dazel (now HP), Dell, TeaLeaf Technology (now IBM), Novell (now The Attachmate Group), ClearMark Consulting
• ClearMark Consulting: business development for Secure Mentem, Blue Coat spinout Quarri Technologies, SGI
• Technical background, Sales & Marketing
– Software development (Unix device drivers, encrypted TCP/IP variants, Space Shuttle test software)
– System management, Product management, Marketing, Sales (Asia, Europe), Global Alliances, Business Development, IAM
• First female director in Dell’s Server and Storage division
• CISSP, Member Austin ISSA Board
• Publications include “Security Metrics,” ISSA Journal, August 2010
• BS Mathematics, Tufts University
• @Safe_SaaS
• clare_nelson@clearmark.biz
3. Beware Wolves in Sheep’s Clothing: Information Security Threat Reports, Separating Fact from FUD
HackFormers Mission
1. Teach Security
2. Teach Christ
3. Teach Security in Christ
5. www.hackformers.org
Scope
• Information Security Threat Reports
• Free
• Download with or without registration
• Sources
– Government, Industry, IT Companies
6. www.hackformers.org
What is a Threat?
“Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
Source: Diagram attributed to Rasmussen, http://www.gideonrasmussen.com/article-24.html
Source: Threat definition attributed to NIST, SP800-30-2, “Risk Management Guide for Information Technology Systems,” July 2002, page 19
7. www.hackformers.org
What is a Threat, Really?
[Diagram labels: Risk; Threats]
Source: Marinus van Aswegen, Security Architect, Telic Consulting, January 4, 2013 blog entry, http://telicthoughts.blogspot.com/2009/02/threats-vulnerabilities-and-risk.html?m=1
8. www.hackformers.org
What Is a Threat Landscape?
Source: Fortinet, http://www.fortinet.com/aboutus/aboutus.html
9. www.hackformers.org
What Is Your Threat Landscape IQ?
[Diagram labels: Understanding of Threat Landscape; You]
10. www.hackformers.org
Threat Landscape: Knowing What You Don’t Know
[Iceberg diagram labels: Unclassified; Classified; Unknown unknowns…]
Iceberg metaphor attributed to Shawn Henry, President Services for CrowdStrike, from DEF CON talk
11. www.hackformers.org
What Is at Stake? Risk, Loss Exposure1
“One company that was recently the victim of an intrusion determined it had lost 10 years worth of research and development—valued at $1 billion—virtually overnight.”2
Shawn Henry, Executive Assistant Director, Federal Bureau of Investigation
ISSA International Conference, Baltimore, Maryland, October 20, 2011
1 Source: ConSec 2012, Austin, Texas: Jack Jones on Risk, he prefers the term, “Loss Exposure”
2 Source: http://www.bi.gov/news/speeches/responding-to-the-cyber-threat
12. The Problem
Attacks evolve, morph and improve.
Limited time and resources for tracking, understanding threat landscape.
15. Threat Intelligence Hype
How to measure the IQ of the data you're being fed
“It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it.”
Wendy Nather, Research Director of the Enterprise Security Practice, 451 Research
Source: Dark Reading, November 16, 2012; http://www.darkreading.com/security-monitoring/167901086/security/news/240142229/threat-intelligence-hype.html
17. www.hackformers.org
“Threat Intelligence Reports Play Key Role In Security Strategies”1
Threat Intelligence Reports are used to:
1. Shape Security Strategies
2. Justify Security Resource and Budget Requests
3. Execs want more "actionable intelligence" and "defense recommendations”2
Solutionary Survey: n = 178
“Security has evolved from a tactical IT concern to boardroom-level dilemma. This transition has challenged many executives who are now obligated to protect their organization's critical assets.”3
1 Source: Dark Reading, http://www.darkreading.com/threat-intelligence/167901121/security/vulnerabilities/240144404/survey-threat-intelligence-reports-play-key-role-in-security-strategies.html?cid=nl_DR_daily_2012-12-14_html&elq=224c4f1f11cd499a806bf687f64ec08a
2 Source: Solutionary, http://www.solutionary.com/index/intelligence-center/press-releases/Threat-Intelligence-Survey.php
3 Source: Security Battleground: An Executive Field Manual (book) by Michael Fey, et al (March 2012)
18. www.hackformers.org
Beware the Survey and other Jabberwocks
Look for reports based on first-hand evidence collected during forensics investigations
19. www.hackformers.org
Example 1: August 2012 Press Release
“Independent study finds that financial institutions are losing clients as a result of a single fraud attack”
“Third annual Guardian Analytics and Ponemon Institute 'Business Banking Trust Study' detects widespread fraud and loss of funds”
2 Source: http://www.guardiananalytics.com/newsandevents/press_08062012.php
20. Example 1 (continued): Fact or FUD?
• Guardian paid Ponemon to conduct the independent survey
  – 998 SMBs in the US
• Guardian sells: Behavior-based anomaly detection solutions to prevent banking fraud
Source: http://www.guardiananalytics.com/newsandevents/press_08062012.php
21. Example 2: Fact or FUD?
• McAfee quarterly threat report
• “… the reports exaggerated mobile malware…”
• "Virus companies are playing on your fears to try to sell you […bleeped word…] protection software for Android, RIM, and iOS," DiBona said.
• "They are charlatans and scammers. If you work for a company selling virus protection for [them], you should be ashamed of yourself.”
Source: http://www.csoonline.com/article/715489/threat-reports-finger-android-again
22. What Are “Authoritative” Threat Reports? Good, Bad, Ugly
Organization | Threat Report
AVG Threat Labs | AVG Threat Labs Website Reports
CERT, CMU (DHS S&T, USSS) | Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, July 2012
Cisco | Cisco 2Q 2011 Global Threat Report
Commtouch | Internet Threat Trends Report, October 2012
Deloitte | 2012 Deloitte-NASCIO Cybersecurity Study
ESET | Global Threat Report: November 2012
FBI, National White Collar Crime Center | 2011 Internet Crime Report
FireEye | Advanced Threat Report 1H 2012
F-Secure | Mobile Threat Report Q3/2012
Georgia Tech Information Security Center | Emerging Cyber Threats Report 2013
HP | 2011 Top Cyber Security Risks Report
IBM | IBM X-Force Mid-Year Trend and Risk Report, September 2012
Mandiant | M-Trends 2012: An Evolving Threat
McAfee | McAfee Threats Report: Third Quarter 2012
Microsoft | Microsoft Security Intelligence Report (Includes Worldwide Threat Assessment), Volume 13
Sophos | Security Threat Report 2013
Symantec | Internet Security Threat Report, Volume 17
Trustwave | Trustwave 2012 Global Security Report
US Government Accountability Office (GAO) | Cybersecurity Threats Impacting the Nation
Verizon | Verizon Data Breach Investigations Report (DBIR) 2012
Verizon | Verizon 2011 Investigative Response Caseload Review
Websense | Websense 2012 Threat Report
WhiteHat Security | WhiteHat Security Website Statistics Report, Summer 2012
23. 2012 Verizon DBIR
• 855 incidents, 174 million compromised records
  – Verizon
  – United States Secret Service (USSS)
  – Dutch National High Tech Crime Unit (NHTCU)
  – Australian Federal Police (AFP)
  – Irish Reporting & Information Security Service (IRISS)
  – Police Central eCrimes Unit (PCeU) of the London Metropolitan Police
• Summary Statistics
  – 85% of breaches took weeks or more to discover
  – 97% of breaches were avoidable through simple or intermediate controls
Source: http://www.verizonbusiness.com/about/events/2012dbir/
24. What Are “Authoritative” Threat Reports? Who Tells Congress What to Read?
Cybersecurity Authoritative Reports and Resources, Tehan, R., (latest version, December 2012), Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507
25. What Are “Authoritative” Threat Reports? Are They a Form of Marketing?
M-Trends: The One Threat Report You Need to Read
If you're not paying for something, you're not the customer; you're the product being sold.
- Andrew Lewis
Source: https://www.mandiant.com/blog/archives/2326
26. What Are “Authoritative” Threat Reports? Are They a Form of Marketing?
“Annual security threat reports are expected from security companies, while security professionals chomp at the bit to read the research findings.”
- David Schwartzberg, SophosLabs
Source: http://www.darkreading.com/blog/240143806/android-riskier-than-pcs-sophos-security-threat-report-2013.html
27. That Giant Sucking Sound¹
“I wish more IT Security people would take: [Econ 101, Stats 101, Formal Logic, and Survey 101] (all people really)”
-- @joshcorman, Tweeted January 7, 2013
¹Source: http://en.wikipedia.org/wiki/Giant_sucking_sound. The "giant sucking sound" was United States Presidential candidate Ross Perot's colorful phrase for what he believed would be the negative effects of the North American Free Trade Agreement (NAFTA), which he opposed.
28. What Are “Authoritative” Threat Reports? Are They a Form of Marketing?
Websense Security Labs discovers and investigates today’s advanced security threats and publishes its findings.
Download report, get email, get phone call ...all within 30 minutes
Source: Websense, http://www.websense.com/content/websense-2012-threat-report-download.aspx
29. What Are “Authoritative” Reports? Lies, Damned Lies and Statistics
McAfee Explains The Dubious Math Behind Its ‘Unscientific' $1 Trillion Data Loss Claim - August 3, 2012, Forbes.com
No, the statistic was not simply made up. Yes, it’s just a “ballpark figure” and an “unscientific” one, the company admits. But despite Pro Publica’s criticisms and its own rather fuzzy math, the company stands by its trillion-dollar conclusion as a (very) rough estimate.
Source: Tehan, R., (July 2012) Cybersecurity Authoritative Reports and Resources, Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507.
30. What Are “Authoritative” Threat Reports? Art or Science?
“Threat analysis, in many ways, is equal parts art and science.”
Source: McAfee Threats Report: Third Quarter 2012
31. What Are “Authoritative” Reports? “There Are No Facts, Only Interpretations”
“At McAfee Labs we try to apply as much math and analytical rigor to our analysis as we can, but we often cannot see the whole picture. We must also interpret and surmise many things. German philosopher Friedrich Nietzsche wrote “There are no facts, only interpretations.” This bit of wisdom strikes us as quite relevant to analyzing threats. Depending on one’s perspective, threats can mean many things. Spam, for example, looks like it’s on a steady decline when viewed globally, but when looked at locally or by country we see tremendous variations. The same can be said of many threat vectors we analyze…”
Source: McAfee Threats Report: Third Quarter 2012
32. What is the Geographic Coverage?
F-Secure, Shadowserver and Conficker Working Group, “Conficker World Map.”
Source: http://www.f-secure.com/weblog/archives/00001646.html (September 3, 2012).
33. Why Do Some Reports Conflict?
Le Penseur, by Auguste Rodin
Who Sponsors the Reports?
What is the Methodology?
34. Methodology
MSSP and Product Data Collection
• Customer profile, installed base sampling, geography
• Filtering, default versus unique settings
• Compare with previous reports, not apples-to-apples
• Data aggregation methods
• Time: what period does the report cover?
• Does the report clearly state the date of publication?
Surveys
• Unrepresentative samples
• Measurement error
  – Leading questions
  – Social desirability
• Sampling error and survey bias
35. Sponsorship: Who Funded the Report?
• Spread misleading information
• Spread FUD
• Skewed toward latest product or service
37. FUD or Not?
“Advanced malware continues to grow and in the first half of 2012 is up nearly 400% versus the first half of 2011.”
Source: http://blog.fireeye.com/research/2012/08/just-released-fireeye-advanced-threat-report-1h-2012.html (November 1, 2012)
39. Sermon on the Mount
Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves.
Matthew 7:15
40. What is a False Prophet?
Matthew Henry's Commentary, Matthew 7:15-20
Nothing so much prevents men from entering the strait gate, and becoming true followers of Christ, as the carnal, soothing, flattering doctrines of those who oppose the truth. They may be known by the drift and effects of their doctrines. Some part of their temper and conduct is contrary to the mind of Christ. Those opinions come not from God and lead to sin.
Source: http://bible.cc/matthew/7-15.htm
41. Sermon on the Mount
Jesus concludes the sermon by warning against false prophets, and emphasizes that humans are unable to do right ("bear fruit") apart from God.
42. Matthew 7:15-20
15 Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves.
16 Ye shall know them by their fruits. Do men gather grapes of thorns, or figs of thistles?
17 Even so every good tree bringeth forth good fruit; but a corrupt tree bringeth forth evil fruit.
18 A good tree cannot bring forth evil fruit, neither can a corrupt tree bring forth good fruit.
19 Every tree that bringeth not forth good fruit is hewn down, and cast into the fire.
20 Wherefore by their fruits ye shall know them.
Matthew 7, King James Version (KJV), http://www.biblegateway.com/passage/?search=Matthew+7&version=KJV
43. Why Warn about False Prophets?
Many warnings in Bible
For false Christs and false prophets shall rise, and shall shew signs and wonders, to seduce, if it were possible, even the elect.
Mark 13:22
But there were false prophets also among the people, even as there shall be false teachers among you, who privily shall bring in damnable heresies, even denying the Lord that bought them, and bring upon themselves swift destruction.
2 Peter 2:1
Woe unto you, when all men shall speak well of you! for so did their fathers to the false prophets.
Luke 6:26
And he said, Take heed that ye be not deceived: for many shall come in my name, saying, I am Christ; and the time draweth near: go ye not therefore after them.
Luke 21:8
For many shall come in my name, saying, I am Christ; and shall deceive many.
Matthew 24:5
And many false prophets shall rise, and shall deceive many.
Matthew 24:11
Source: http://bible.cc/matthew/7-15.htm, http://bible.cc/matthew/24-5.htm, etc.
45. Who Influences Your Faith? InfoSec Questions
• What are the data sources?
• What geographies are covered?
• Who funded the report?
• Why was the report published?
• When was the report published?
• What are the report biases?
• Who wrote the report?
• Is the report methodology documented?
• Are trends tracked over time?
46. Beware “How to use Internet security threat reports”
• “…read the threat reports with caution. They are vendor marketing documents designed to position vendor research teams as industry experts that bring the vendor a competitive advantage.”
• “The reports' findings only represent what the vendor is looking for along with a natural bias towards the vendor's business.”
• “Security pros can do better by examining multiple vendor threat reports to get a more complete picture and map the threat classes to the business.”
Author: Eric Ogren, founder and Principal Analyst of the Ogren Group, formerly with RSA, etc.
Source: http://searchsecurity.techtarget.com/news/1373865/How-to-use-Internet-security-threat-reports
47. What is Deception?
Deceive
de·ceive (dĭ-sēv′) v. de·ceived, de·ceiv·ing, de·ceives
v.tr.
1. To cause to believe what is not true; mislead.
2. Archaic To catch by guile; ensnare.
v.intr.
1. To practice deceit.
2. To give a false impression: appearances can deceive.
[Middle English deceiven, from Old French deceveir, from Vulgar Latin *dēcipēre, from Latin dēcipere, to ensnare, deceive : dē-, de- + capere, to seize; see kap- in Indo-European roots.]
Source: http://www.thefreedictionary.com/deceive (November 2, 2012).
48. Discriminate InfoSec Strategy
• Question presenters and ask them to cite their sources
• PowerPoint defect: no “Insert” footnote function
• Plan your report reading
• Don’t just read latest inbox delivery
• Create your own top ten report list
49. What Does This Mean Today?
“The salvation promised is more than deliverance from evil, it is everlasting blessedness.”¹
¹Source: http://bible.cc/mark/13-13.htm, Matthew Henry commentary on Mark 13:13
50. Additional References
1. Tehan, R., (July 2012) Cybersecurity Authoritative Reports and Resources, Congressional Research Service, Prepared for Members of Congress, 7-5700, www.crs.gov, R42507
2. Matthew 7:15, Online Parallel Bible, Retrieved December 1, 2012, from http://bible.cc/matthew/7-15.htm
3. The Holy Bible, King James Version
4. Tripwire blog, State of Security, “The Four Horsemen of the Apocalypse: Security Software FUD” by Kevin Weston, November 9, 2012, http://www.tripwire.com/state-of-security/off-topic/the-four-horsemen-of-the-cyber-apocalypse-fud-in-security-software-marketing/
5. Rafal Los, “Abandon FUD, Scare Tactics and Marketing Hype,” February 26, 2012; http://www.infosecisland.com/blogview/20397-Abandon-FUD-Scare-Tactics-and-Marketing-Hype.html
6. Gal Shpantzer, “Showcasing Fear, Uncertainty and Doubt from the Information Security Industry,” May 14, 2010, http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo
7. Information Security, Reputation and FUD, July 17, 2012, http://makeitcompliant.blogspot.com/2012/07/information-security-reputation-and-fud.html
8. “Just Say No to FUD,” October 30, 2009; http://newschoolsecurity.com/2009/10/just-say-no-to-fud/, Featuring Dr. Anton Chuvakin
9. CSO Online, “Cybersecurity Expert Argues FUD Can Be Effective,” June 11, 2012; Taylor Armerding, http://www.csoonline.com/article/708215/cybersecurity-expert-argues-fud-can-be-effective
10. Richard Bejtlich’s blog, Monday, October 27, 2003, The Dynamic Duo Discuss Digital Risk, http://taosecurity.blogspot.com/2003/10/dynamic-duo-discuss-digital-risk.html?m=0
52. What is the Geographic Coverage?
Each country lists 6 contributing factors, share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin, to substantiate its cybercrime ranking.
BusinessWeek, Symantec: Cybercrime: Top 20 Countries, http://www.enigmasoftware.com/top-20-countries-the-most-cybercrime/ (September 3, 2012).
54. On FUD (From Tripwire Blog)
• …Some software security vendors create sensationalistic reports or claims, these false or exaggerated stories are then fed to the media. The media propagate the story without fact checking and sometimes embellishing it further to increase the likelihood that readers will click on and share links to the story making it go viral. For example the threat of mobile malware has been overinflated by several vendors who sell mobile anti-virus products who offer marginal levels of protection if any at all.
• It is important to remember that many tech blogs make money based on the number of ad impressions they have on their site, not the factual integrity of the story they are reporting. Pair the revenue model with the number of stories a professional blogger needs to post in a day and you can pretty much guarantee some writers will not actually fact check, or test the product they are writing about. Misinformation travels just as fast if not faster than truth. By the time the story has hit mainstream media the conquest is complete, even if there are corrections to a story, once it goes viral the truth becomes irrelevant.
Source: http://www.tripwire.com/state-of-security/off-topic/the-four-horsemen-of-the-cyber-apocalypse-fud-in-security-software-marketing/
55. Showcasing Fear, Uncertainty and Doubt from the Information Security Industry
Since the founding of Fudsec we've looked to expose FUD, but until today it's been a little like Justice Stewart's definition of obscenity - I can't define it, but "I know it when I see it."
Source: http://fudsec.com/scsovlf-aka-the-shpantzer-coma-scale-of-vendo
56. Showcasing Fear, Uncertainty and Doubt from the Information Security Industry
• FUD is the tool of choice for bad sales people in the information security world, "you might be subject to this, This or even THIS!!".
• If you hear these cries you are probably talking to a bad sales person.
• Honest consultants will help you manage and understand information security risks. They may even get to the point where they tell you that some risks can't be quantified using traditional methods and then frame advice using good practice references.
Source: http://makeitcompliant.blogspot.com/2012/07/information-security-reputation-and-fud.html
57. FUD Origin
• The term “FUD” originated in the 1970s to describe some of IBM’s selling tactics against competitors (who had better price/performance, etc.).
• The FUD technique was used by IBM sales people to destabilize the decision-maker’s thinking process. FUD issues raised could not really be answered by the decision-maker or the competitor, and so nagged at the back of the mind. They had the effect of causing the decision-maker to retreat to the safe decision, which was IBM. “Nobody ever got fired for buying IBM”.
Source: http://newschoolsecurity.com/2009/10/just-say-no-to-fud/
58. Cybersecurity Expert Argues FUD Can Be Effective
• …she does not advocate sowing panic. But she believes FUD -- especially doubt -- "may make people question things.”
• "It wouldn't take a hell of a lot to do damage. Our SCADA (supervisory control and data acquisition) systems have been penetrated before.”
• …biggest concern is that nobody yet understands the long-term consequences of cyber conflict. "When the atomic bomb was developed, only a few people saw the long-term consequences. This is really no different. We don't have a handle on it," she said.
- Sharon Nelson, an attorney and president of the information security, digital forensics and IT consulting firm Sensei Enterprises
Source: http://www.csoonline.com/article/708215/cybersecurity-expert-argues-fud-can-be-effective
59. Are Threat Reports a Crude Form of Sharing?
• “Enterprises are restricted by legal issues, competitive considerations, and fears of reputation loss.”
• “Government agencies are restricted by classification requirements and national security concerns.”
Source: RSA “Security for Business Innovation Council” report, 2012.