Richard Stiennon, profile picture
Uploaded byRichard Stiennon
PPT, PDF3,159 views

Why Risk Management is Impossible

The document critiques traditional risk management strategies in cybersecurity, arguing that they often have unachievable goals and focus on random events rather than targeted attacks. It suggests a shift towards threat-based security, emphasizing the need for understanding specific threats and employing intelligence for effective threat management. Additionally, it highlights the inadequacies of assessing IT assets, vulnerabilities, and their potential value accurately.

Embed presentation

Downloaded 43 times
Risk Management: A Failed Strategy with Unachievable Goals. Richard Stiennon Chief Research Analyst IT-Harvest
International Cybersecurity Dialogue What is risk? Risk = Threat * Vulnerability * Asset Value -or- The probable frequency and probable magnitude of future loss - FAIR
International Cybersecurity Dialogue Risk Management 101 • 1. Identify all critical assets • 2. Score them by “value” • 3. Discover all vulnerabilities • All three are impossible.
International Cybersecurity Dialogue • • • • • • • • • • What is an IT asset? Desktops Laptops Servers Thumb drives Switches Applications Data bases Records Artifacts (VM images) Usernames, passwords, e mail addresses • • • • • • • • • • IP addresses, domains Digital certificates (SSL, SSH, Kerboros, code signing, identity) Email, email archives Business intelligence data Logs Policies, settings, configurations Processes, work flow, authorization • • • • • • IP. Designs, formulae, patent applications, litigation documents, spreadsheets, docs, Powe r Point. Real time data Meta data • • Software licenses and version data Virtual data center (repeat most of above) Phones Smart phones Video conferencing Firewalls, IPS, Content filtering, Log management, patch management, trouble ticketing, AV, etc. etc. etc. Active Directory, Ephemeral assets
International Cybersecurity Dialogue What is the value of an IT asset? • • • • • • Replacement cost? Purchase+shipping+config+restore+staging+d eployment Cost to reproduce data? Loss of productivity? Loss of business competitiveness? Lost sales? Lost battle?
International Cybersecurity Dialogue Can you really reduce the surface area (exposed vulnerabilities) ? • Some systems cannot be patched • Legacy • Operations • All systems have unknown vulnerabilities
International Cybersecurity Dialogue Risk Manage This:
International Cybersecurity Dialogue Or this: Athens 2004: A series of software updates turns on Lawful intercept function in Ericsson switch 104 diplomats and Olympic officials spied on Engineer mysteriously commits suicide
International Cybersecurity Dialogue Or this: Cyber sabotage: Stuxnet s7otbxdx.dll Step 7 software DLL Rootkit s7otbxsx.dll DLL original New data blocks added
International Cybersecurity Dialogue Trading losses Or this: 2008, Jerome Kerviel covers up trading losses, Largest trading fraud in history to be carried out by a single person. $54 billion exposure, $7.14 Billion loss 5 year sentence reduced to 3
International Cybersecurity Dialogue Or this: • Saudi Aramco, August 2012 • South Korea, March 2013
International Cybersecurity Dialogue Or this: • Malware transmitted to SIPRNET across an air gap by “foreign agents” in an “overseas theater” according to assistant defense secretary Lynn. • Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD.
International Cybersecurity Dialogue Risk management is based on normal distribution of events • IT security is not subject to Gaussian distributions • The difference is: adversaries
International Cybersecurity Dialogue Targeted Attacks are Not Random • Risk Management arose to address “random attacks.” Viruses, worms, opportunistic hackers. • Targeted attacks are Black Swan events
International Cybersecurity Dialogue So, if Risk Management is a failure what should be done? • Welcome to the world of threat based security, the real world.
International Cybersecurity Dialogue Some scenarios • A mass killer is on the loose. Find him and stop him? Or protect every “asset”? • Chinese Comment Crew is in your network. Do a vulnerability scan? • Rogue employee is accessing customer database. Beef up security awareness training?
International Cybersecurity Dialogue Cyber kill chain
International Cybersecurity Dialogue Security Intelligence is the key to threat management • Malware analysis • Key indicators of attack • Key indicators of compromise • Threat actor intelligence
International Cybersecurity Dialogue The Cyber Defense Team Operations Analysts Red Team Cyber Commander
International Cybersecurity Dialogue Let’s be honest • Risk Management was developed so that IT security could “speak to management.” • Management understands threats not risks. • Show them the threats and they will respond.

More Related Content

PDF
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
byHITCON GIRLS
 
PPTX
Deception technology for advanced detection
byJisc
 
PDF
SACON - Deception Technology (Sahir Hidayatullah)
byPriyanka Aash
 
PPTX
24 Hours After a Breach
byLIFARS
 
PDF
Why Risk Management Fails
byRichard Stiennon
 
PDF
Threat Deception - Counter Techniques from the Defenders League
byAvkash Kathiriya
 
PDF
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
byHITCON GIRLS
 
PDF
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
byHITCON GIRLS
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
byHITCON GIRLS
 
Deception technology for advanced detection
byJisc
 
SACON - Deception Technology (Sahir Hidayatullah)
byPriyanka Aash
 
24 Hours After a Breach
byLIFARS
 
Why Risk Management Fails
byRichard Stiennon
 
Threat Deception - Counter Techniques from the Defenders League
byAvkash Kathiriya
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
byHITCON GIRLS
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
byHITCON GIRLS
 

What's hot

PPTX
Cyber Security: Strategies, Defence and what’s not working
byJonathan Sinclair
 
PDF
Cyber espionage - Tinker, taylor, soldier, spy
byb coatesworth
 
PPTX
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
byFidelis Cybersecurity
 
PPTX
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
byCODE BLUE
 
PDF
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
PDF
Ransomware ly
byLisa Young
 
PDF
Hunting for cyber threats targeting weapon systems
byFidelis Cybersecurity
 
PPTX
Six steps for securing offshore development
bygmaran23
 
PDF
Part 1: Identifying Insider Threats with Fidelis EDR Technology
byFidelis Cybersecurity
 
PDF
The State of Threat Detection 2019
byFidelis Cybersecurity
 
PDF
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
byDragos, Inc.
 
PDF
Threat Activity Groups - Dragos
byDragos, Inc.
 
PPTX
APT in the Financial Sector
byLIFARS
 
PDF
Drooger, jack cyber security
byHagerstown Chamber Business Expo
 
PDF
Today's Breach Reality, The IR Imperative, And What You Can Do About It
byResilient Systems
 
PPTX
Cyber Security
byfrcarlson
 
PDF
2015 Global APT Summit Matthew Rosenquist
byMatthew Rosenquist
 
PDF
DerbyCon 5 - Tactical Diversion-Driven Defense
byGreg Foss
 
PDF
Andrew kozma - security 101 - atlseccon2011
byAtlantic Security Conference
 
PPTX
Cyber war or business as usual
byEnclaveSecurity
 
Cyber Security: Strategies, Defence and what’s not working
byJonathan Sinclair
 
Cyber espionage - Tinker, taylor, soldier, spy
byb coatesworth
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
byFidelis Cybersecurity
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
byCODE BLUE
 
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
Ransomware ly
byLisa Young
 
Hunting for cyber threats targeting weapon systems
byFidelis Cybersecurity
 
Six steps for securing offshore development
bygmaran23
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
byFidelis Cybersecurity
 
The State of Threat Detection 2019
byFidelis Cybersecurity
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
byDragos, Inc.
 
Threat Activity Groups - Dragos
byDragos, Inc.
 
APT in the Financial Sector
byLIFARS
 
Drooger, jack cyber security
byHagerstown Chamber Business Expo
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
byResilient Systems
 
Cyber Security
byfrcarlson
 
2015 Global APT Summit Matthew Rosenquist
byMatthew Rosenquist
 
DerbyCon 5 - Tactical Diversion-Driven Defense
byGreg Foss
 
Andrew kozma - security 101 - atlseccon2011
byAtlantic Security Conference
 
Cyber war or business as usual
byEnclaveSecurity
 

Similar to Why Risk Management is Impossible

PDF
Week-3_Lecture-1.pdfaaaaaaaaaaaaaaaaaaaaaa
byAmirMohamedNabilSale
 
PPTX
Week-3_Lecture-1.pptxccccccccccccccccccccc
byAmirMohamedNabilSale
 
PPTX
Cyber Security # Lec 3
byKabul Education University
 
PDF
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
PPTX
Assess risks to IT security.pptx
bylochanrajdahal
 
PPTX
Risky Business
byMichael Scheidell
 
PPT
Challenges in implementating cyber security
byInderjeet Singh
 
PDF
Risk management for ICT Technology Dept.
byNahidHasan6141
 
PDF
Information Security Risk Management
byErsoy AKSOY
 
PPT
CHAPTER 2 RISK MANAGEMENT and security.ppt
byfirehiwot8
 
PPTX
Risk Management & Threat Model in Cyber Security
bytulmuntahasidra082
 
PPT
Risk management Risk managementRisk managementRisk managementRisk managementR...
byShanmuganathan C
 
PPT
ENTERPRISE risk management AWARENESS.ppt
byshiva3305
 
PDF
A-Practical-Guide-to-IT-Risk-Management.pdf
bypatriciajulienetolen2
 
PPTX
Information Security and Risk Management.pptx
byprembasnet12
 
PDF
info sys risk management.pdf
byssuser2209e8
 
PPT
ch14.ppt00000000000000000000000000000000
byDiaaUliyan
 
DOCX
case studies on risk management in IT enabled organisation(vadodara)
byishan parikh production
 
PPTX
Security risk management
byPrachi Gulihar
 
PDF
Risk bridges business and security
byM. Isaiah McGowan
 
Week-3_Lecture-1.pdfaaaaaaaaaaaaaaaaaaaaaa
byAmirMohamedNabilSale
 
Week-3_Lecture-1.pptxccccccccccccccccccccc
byAmirMohamedNabilSale
 
Cyber Security # Lec 3
byKabul Education University
 
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
Assess risks to IT security.pptx
bylochanrajdahal
 
Risky Business
byMichael Scheidell
 
Challenges in implementating cyber security
byInderjeet Singh
 
Risk management for ICT Technology Dept.
byNahidHasan6141
 
Information Security Risk Management
byErsoy AKSOY
 
CHAPTER 2 RISK MANAGEMENT and security.ppt
byfirehiwot8
 
Risk Management & Threat Model in Cyber Security
bytulmuntahasidra082
 
Risk management Risk managementRisk managementRisk managementRisk managementR...
byShanmuganathan C
 
ENTERPRISE risk management AWARENESS.ppt
byshiva3305
 
A-Practical-Guide-to-IT-Risk-Management.pdf
bypatriciajulienetolen2
 
Information Security and Risk Management.pptx
byprembasnet12
 
info sys risk management.pdf
byssuser2209e8
 
ch14.ppt00000000000000000000000000000000
byDiaaUliyan
 
case studies on risk management in IT enabled organisation(vadodara)
byishan parikh production
 
Security risk management
byPrachi Gulihar
 
Risk bridges business and security
byM. Isaiah McGowan
 

More from Richard Stiennon

PPTX
The Internet of Military Things: There Will Be Cyberwar
byRichard Stiennon
 
PDF
How the Revolution in Military Affairs has set the stage for future cyberwars
byRichard Stiennon
 
PPTX
Cyber security industry trends
byRichard Stiennon
 
PPT
Titan Rain
byRichard Stiennon
 
KEY
Post Apocalyptic Cyber Realism
byRichard Stiennon
 
PDF
How the Surveillance State Changes IT Security Forever
byRichard Stiennon
 
PPT
New definition for APT
byRichard Stiennon
 
KEY
What makes the IT industry tick?
byRichard Stiennon
 
KEY
Cybercrime and Business Process Hacking
byRichard Stiennon
 
PDF
Stiennon Keynote at Trusted Computing Conference 2013, Orlando
byRichard Stiennon
 
PPT
Surviving Cyber War April09
byRichard Stiennon
 
PPT
Cyberwar Update2010
byRichard Stiennon
 
PPTX
There WIll Be Cyberwar
byRichard Stiennon
 
PPT
Surviving Cyber War
byRichard Stiennon
 
The Internet of Military Things: There Will Be Cyberwar
byRichard Stiennon
 
How the Revolution in Military Affairs has set the stage for future cyberwars
byRichard Stiennon
 
Cyber security industry trends
byRichard Stiennon
 
Titan Rain
byRichard Stiennon
 
Post Apocalyptic Cyber Realism
byRichard Stiennon
 
How the Surveillance State Changes IT Security Forever
byRichard Stiennon
 
New definition for APT
byRichard Stiennon
 
What makes the IT industry tick?
byRichard Stiennon
 
Cybercrime and Business Process Hacking
byRichard Stiennon
 
Stiennon Keynote at Trusted Computing Conference 2013, Orlando
byRichard Stiennon
 
Surviving Cyber War April09
byRichard Stiennon
 
Cyberwar Update2010
byRichard Stiennon
 
There WIll Be Cyberwar
byRichard Stiennon
 
Surviving Cyber War
byRichard Stiennon
 

Recently uploaded

PDF
Buy Twitter Accounts and Platforms account in 2026.,..pdf
byh3lfp4332e3gctbnm22w
 
PDF
How to Master Any Skill for Free with AI: The 4-Step Roadmap to $1,000/Month
byAeafat Ahmed Mubin
 
PPTX
CMMI Consulting & Implementation Services.pptx
bySunil Yadav
 
PDF
Mobile and Online Banking_ Open an Account Today.pdf
bykmn4gloa39pwajpujj
 
PDF
Where to Buy Verified Cash App Accounts for Long-term ... (1).pdf
byh55oga0kd25m12iaza2
 
PDF
How to Buy Twitter Accounts in 2026 .pdf
bywc0fr9qf43i5qo5kn3
 
PDF
How to Safely Buy Twitter Accounts A Complete Guide in ....pdf
byh55oga0kd25m12iaza2
 
PDF
How to Buy Twitter Accounts in 2026 (1).pdf
bywc0fr9qf43i5qo5kn3
 
PDF
How to Buy Snapchat Accounts in 2026 first year .pdf
bywc0fr9qf43i5qo5kn3
 
PDF
24 Best Tiktok Seller Center Services To Buy Online.pdf
byidc1w3adizw383go
 
PDF
How to Buy Snapchat Account A Step-by-Step Guide..pdf
byidc1w3adizw383go
 
PDF
Chris Elwell Woburn - A Seasoned IT Executive
byChris Elwell Woburn
 
PDF
How to Buy a USA Facebook Accounts Safely.pdf
byyl62ghphl9tyxn3q8lv5
 
PDF
How to Buy Instagram Accounts in 2026.pdf
byh55oga0kd25m12iaza2
 
PDF
Unlock the Power of Leadership: The Electrolux Manufacturing System (EMS) Way
byKaiNexus
 
PDF
Co-operative and Mutual Economy 2025.pdf
byHenry Tapper
 
PDF
Back to the future - the return of DB surpluses (slides) - 9 December 2025.pdf
byHenry Tapper
 
PDF
Best Platforms to Buy Verified Wise Accounts in the USA.pdf
by#SEO, #usaallhub, #socialmedia, #USAaccounts, #seoservice, #Digitalmarketer
 
PDF
LCP-Pension-Submisson-CDC-Superfund-December-2025.pdf
byHenry Tapper
 
PDF
Olga Grom: Presale та комерційні моделі (UA)
byLviv Startup Club
 
Buy Twitter Accounts and Platforms account in 2026.,..pdf
byh3lfp4332e3gctbnm22w
 
How to Master Any Skill for Free with AI: The 4-Step Roadmap to $1,000/Month
byAeafat Ahmed Mubin
 
CMMI Consulting & Implementation Services.pptx
bySunil Yadav
 
Mobile and Online Banking_ Open an Account Today.pdf
bykmn4gloa39pwajpujj
 
Where to Buy Verified Cash App Accounts for Long-term ... (1).pdf
byh55oga0kd25m12iaza2
 
How to Buy Twitter Accounts in 2026 .pdf
bywc0fr9qf43i5qo5kn3
 
How to Safely Buy Twitter Accounts A Complete Guide in ....pdf
byh55oga0kd25m12iaza2
 
How to Buy Twitter Accounts in 2026 (1).pdf
bywc0fr9qf43i5qo5kn3
 
How to Buy Snapchat Accounts in 2026 first year .pdf
bywc0fr9qf43i5qo5kn3
 
24 Best Tiktok Seller Center Services To Buy Online.pdf
byidc1w3adizw383go
 
How to Buy Snapchat Account A Step-by-Step Guide..pdf
byidc1w3adizw383go
 
Chris Elwell Woburn - A Seasoned IT Executive
byChris Elwell Woburn
 
How to Buy a USA Facebook Accounts Safely.pdf
byyl62ghphl9tyxn3q8lv5
 
How to Buy Instagram Accounts in 2026.pdf
byh55oga0kd25m12iaza2
 
Unlock the Power of Leadership: The Electrolux Manufacturing System (EMS) Way
byKaiNexus
 
Co-operative and Mutual Economy 2025.pdf
byHenry Tapper
 
Back to the future - the return of DB surpluses (slides) - 9 December 2025.pdf
byHenry Tapper
 
Best Platforms to Buy Verified Wise Accounts in the USA.pdf
by#SEO, #usaallhub, #socialmedia, #USAaccounts, #seoservice, #Digitalmarketer
 
LCP-Pension-Submisson-CDC-Superfund-December-2025.pdf
byHenry Tapper
 
Olga Grom: Presale та комерційні моделі (UA)
byLviv Startup Club
 

Why Risk Management is Impossible

  • 1.
    Risk Management: AFailed Strategy with Unachievable Goals. Richard Stiennon Chief Research Analyst IT-Harvest
  • 2.
    International Cybersecurity Dialogue Whatis risk? Risk = Threat * Vulnerability * Asset Value -or- The probable frequency and probable magnitude of future loss - FAIR
  • 3.
    International Cybersecurity Dialogue RiskManagement 101 • 1. Identify all critical assets • 2. Score them by “value” • 3. Discover all vulnerabilities • All three are impossible.
  • 4.
    International Cybersecurity Dialogue • • • • • • • • • • Whatis an IT asset? Desktops Laptops Servers Thumb drives Switches Applications Data bases Records Artifacts (VM images) Usernames, passwords, e mail addresses • • • • • • • • • • IP addresses, domains Digital certificates (SSL, SSH, Kerboros, code signing, identity) Email, email archives Business intelligence data Logs Policies, settings, configurations Processes, work flow, authorization • • • • • • IP. Designs, formulae, patent applications, litigation documents, spreadsheets, docs, Powe r Point. Real time data Meta data • • Software licenses and version data Virtual data center (repeat most of above) Phones Smart phones Video conferencing Firewalls, IPS, Content filtering, Log management, patch management, trouble ticketing, AV, etc. etc. etc. Active Directory, Ephemeral assets
  • 5.
    International Cybersecurity Dialogue Whatis the value of an IT asset? • • • • • • Replacement cost? Purchase+shipping+config+restore+staging+d eployment Cost to reproduce data? Loss of productivity? Loss of business competitiveness? Lost sales? Lost battle?
  • 6.
    International Cybersecurity Dialogue Canyou really reduce the surface area (exposed vulnerabilities) ? • Some systems cannot be patched • Legacy • Operations • All systems have unknown vulnerabilities
  • 7.
  • 8.
    International Cybersecurity Dialogue Orthis: Athens 2004: A series of software updates turns on Lawful intercept function in Ericsson switch 104 diplomats and Olympic officials spied on Engineer mysteriously commits suicide
  • 9.
    International Cybersecurity Dialogue Orthis: Cyber sabotage: Stuxnet s7otbxdx.dll Step 7 software DLL Rootkit s7otbxsx.dll DLL original New data blocks added
  • 10.
    International Cybersecurity Dialogue Tradinglosses Or this: 2008, Jerome Kerviel covers up trading losses, Largest trading fraud in history to be carried out by a single person. $54 billion exposure, $7.14 Billion loss 5 year sentence reduced to 3
  • 11.
    International Cybersecurity Dialogue Orthis: • Saudi Aramco, August 2012 • South Korea, March 2013
  • 12.
    International Cybersecurity Dialogue Orthis: • Malware transmitted to SIPRNET across an air gap by “foreign agents” in an “overseas theater” according to assistant defense secretary Lynn. • Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD.
  • 13.
    International Cybersecurity Dialogue Riskmanagement is based on normal distribution of events • IT security is not subject to Gaussian distributions • The difference is: adversaries
  • 14.
    International Cybersecurity Dialogue TargetedAttacks are Not Random • Risk Management arose to address “random attacks.” Viruses, worms, opportunistic hackers. • Targeted attacks are Black Swan events
  • 15.
    International Cybersecurity Dialogue So,if Risk Management is a failure what should be done? • Welcome to the world of threat based security, the real world.
  • 16.
    International Cybersecurity Dialogue Somescenarios • A mass killer is on the loose. Find him and stop him? Or protect every “asset”? • Chinese Comment Crew is in your network. Do a vulnerability scan? • Rogue employee is accessing customer database. Beef up security awareness training?
  • 17.
  • 18.
    International Cybersecurity Dialogue SecurityIntelligence is the key to threat management • Malware analysis • Key indicators of attack • Key indicators of compromise • Threat actor intelligence
  • 19.
    International Cybersecurity Dialogue TheCyber Defense Team Operations Analysts Red Team Cyber Commander
  • 20.
    International Cybersecurity Dialogue Let’sbe honest • Risk Management was developed so that IT security could “speak to management.” • Management understands threats not risks. • Show them the threats and they will respond.