SlideShare a Scribd company logo
1 of 14
Download to read offline
Sensible defence 
kmar@baleo.be 
1. Abstract: Sensible defence .......................................................................................... 3 
2. Introduction................................................................................................................. 4 
3. How risk mitigation works.......................................................................................... 5 
3.1. Detection ............................................................................................................. 5 
3.2. Prevention ........................................................................................................... 5 
3.3. Response ............................................................................................................. 5 
4. Risk management concept today ................................................................................ 6 
4.1. The process ......................................................................................................... 6 
4.1.1. Governance ................................................................................................. 6 
4.1.2. Context ........................................................................................................ 
6 
4.1.3. Identification ............................................................................................... 6 
4.2. Risk analysis ....................................................................................................... 7 
4.2.1. Key terms .................................................................................................... 7 
4.2.2. Quantitative risk analysis ............................................................................ 
8 
4.2.3. Qualitative risk analysis .............................................................................. 
8 
4.3. Pitfalls ................................................................................................................. 8 
5. Sensible defence.......................................................................................................... 9 
5.1. Economic incentives and security failure ........................................................... 9 
5.2. Liability, regulation and compliance ................................................................ 10 
5.3. Due care and due diligence ............................................................................... 11 
5.4. Technology ....................................................................................................... 11 
5.5. Awareness campaign and training .................................................................... 12 
6. Conclusion ................................................................................................................ 14
7. References ................................................................................................................. 
15
1. Abstract: Sensible defence 
Security is not product related only, improving your products and manage your risk is 
mandatory to keep up with the latest threats. However some basic tools do increase your 
security but it is debatable if all these tools enhance your security in the way you expect 
perhaps they just give you a false sense of security. A false sense of security is the best 
cure for your conscious yet less effective against a real attack. 
Security is about risks and how you manage it, if you like to build good security you need 
to perform risk management and periodically measure risk against your security template. 
Attacks shift and so does your budget assignment. Simple questions can reveal more 
needs and address security in those areas of importance. 
Quote from Bruce Schneier 
• What are we trying to protect? 
• What risks to these assets? 
• How well is the solution in mitigating those risks? 
• What other risks does the solution cause? 
• What costs and trade-off does the solution impose? 
Risk Management an excellent mediator to gain an objective view on your security 
strategy. However it consumes a lot of valuable time and resources. But wasn't it 
important to implement security in the beginning of a project? Exactly, when your project 
is defined and you know more or less your destination risk management can be your 
guide to find the way. 
By starting to integrate your security request as early as possible in a project life cycle 
you increase the security as such and you reduce costs on a long term perspective. 
Remember you have to sell your security, at the end it is politics. It comes down to the 
weight you have in the decision and the motivation you used in the selling process. 
To integrate successfully your risk management result you should define where what to 
invest. Managing risks is more than just integrate technology controls. In security we 
protect the CIA triangle but to protect it you use 3 sometimes 4 different mechanisms. 
The four basic elements are prevention, detection, response and sometimes prediction, the 
latter is probably the hardest one to achieve. 
Balancing out these four will give you a sensible security mechanism which align with 
budget restraints and complies with your regulatory obligations.
2. Introduction 
The security field undergoes a lot of changes at a rapid pace making technology old 
fashioned in a glimpse of time. Replacement and upgrades are deemed necessary if we 
may believe consultants and product vendors. But on what are these statements based? 
This paper shows how risk management is used today and what the pitfalls are. A lot of 
CISO's expressed their thoughts about it at the CISO 2003 that today's approach has gaps 
and is based on to much intangible facts. 
This document outlines the problems security people encounter today. Over the recent 
years we can see an increased awareness about security issues however being aware there 
is problem is not much of a value if countermeasures are not appropriate to the risk 
In this paper you can find the basic concept of risk management used today, it will not 
explain in detail or how you should integrate it in your environment. It is included as 
reference to compare on how I and many others think it could be done instead. It is my 
personal belief that today’s concept is failing and more reasonable strategies should be 
applied to get the necessary support from your management. 
The risk management process in its entirety has its limits; more specific is the analysis 
that is insufficient to provide the required proof. 
3. How risk mitigation works 
Security is not about technology but about risks and how you manage them. Covering a 
risk in its entirety is not an easy thing and accepting the risk could at the end the only 
solution. 
Managing risk is based on different pillars; these pillars have each an important function 
but are rendered useless if they are not weaved in together. 
3.1. Detection 
Detection is a passive security measure which is an outstanding solution to fraud 
detection for example, but less effective in protection of corporate networks. Detection is 
common and used in our every day life, the new radar system deployed in the UK to bill 
people going for work by car is a perfect example. It does not prevent your from driving 
in the city, it does not prevent you from not paying the bill especially for foreigner but it 
does detect you. No matter where you’re from and what type of vehicle you drive you 
will be noticed and receive a bill. The same goes for credit card companies; a lot of their 
security is based on detection. 
Detection might not be your Swiss knife to solve security however it is less expensive 
and in some cases the most acceptable measure to enhance security in your environment. 
Logging (un)authorized connections on a preventative measure can be considered a way 
of detection, logging these events can be used afterwards to detect anomalies. 
3.2. Prevention 
Prevention is an active security measure able to deny or allow access; decisions are made 
based on an integrated policy. Prevention stops certain attacks immediately, one of the 
biggest advantages compared with detection or response which react once the event has
passed. Technologies providing prevention techniques are not waterproof either; 
prevention does what it says as long as the device, software or even the human being acts 
in a proper way. A flaw in the procedure or software can render it useless. Prevention 
technology is definitely the most expensive way to secure your environment. One should 
weight the benefits against the costs and explore other measures before putting the eggs 
in one basket. Firewalls were thought to be the answer for network security, however 
there are so many firewalls badly configured that it is sometimes better not to have any. 
False sense of security can be worse than no security at all. 
3.3. Response 
Incident response is important in many aspects. Response shows how the attack took 
place, how it has been detected and how it can be prevented in the future. Often response 
is put aside due to time and cost restrictions but many companies doing incident response 
realise that it saves a lot of valuable time whenever a similar attack occurs. Incident 
response helps to recover quickly, efficiently and provides visibility on the events 
happening during a defined period of time.
4. Risk management concept today 
Security relies on the management and the reduction of risk by assessing, reporting and 
controlling the risk. It encompasses a number of activities which constitutes a systematic 
process that aims to optimize the decision making process and improve the results. 
The identification of risk to an organization entails defining the four following basic 
elements: 
• The actual threat 
• The possible consequences of the realized threat (impact) 
• The probable frequency of the occurrence of a threat (frequency) 
• The extent of how confident we are that the threat will happen (probability) 
4.1. The process 
Some crucial steps are mandatory to enhance your risk management process. These 
simple identifiers enable you to control the complete cycle of the risk you like to 
measure. 
4.1.1. Governance 
Good governance establishes a repeatable and auditable methodology for integration of 
the risk management process across the enterprise. The governance process outlines 
what, how and by whom the risk management activities are performed. 
Clearly, a risk management team must aim to develop and establish commitment; support 
a participation of top management to succeed in their mission. 
4.1.2. Context 
The context determines the company's relationship with its environment. It consists of 
two important influencers which shape the design of your risk management strategy. 
External factors could be anything like cultural, commercial or regulatory influences. 
Internal factors would be governance, reporting, business structure etc... 
4.1.3. Identification 
Determine and identify the risks that your company is exposed to be perhaps the most 
important step in being successful at risk management. Focusing on tangible result only is 
a common mistake, clearly intangible values are harder to measure but therefore as 
important. 
Risk identification in your enterprise entails four basic principles: 
• The actual threat 
• The possible consequences when a threat materializes 
• Probable frequency of occurrence of a threat 
• The probability a threat will occur 
4.2. Risk analysis 
Risk analysis is a process to ensure that security measures for an environment are 
adequate to reduce the risks. By applying risk analysis you determine the risks and
develop a plan on how to deal with the risks. Analysing the identified risks gives you a 
better understanding of the likelihood and potential outcome of an event impacting your 
company. 
The main purpose of risk analysis is to quantify the impact of a potential risk. The goal is 
to put a price or value on the loss. 
The main results of risk analysis are 
• Identification of the current risks 
• The cost/benefit justification of the countermeasures 
• Influences the decision making process on hardware, etc? 
• Focus on security resources where they are needed most 
This chapter provides you with a brief outline of how risk analysis works. These are not 
invented by the author and are only here as reference. 
4.2.1. Key terms 
Scientifically a risk is defined as the product of the threat and vulnerability. But in risk 
management we identify the risk as the probability a threat will materialize. Risk can be 
considered potential harm or loss to a system. 
The risk management triple: 
• Asset: A resource, process, product, system etc… The value equals the cost of 
the creation, development, license, support, replacement, credibility, lost if IP 
is disclosed, ownership values. The asset the precious item you are trying to 
protect 
• Threat: Any event that causes an undesirable impact on your organization 
• Vulnerability: Absence of a safeguard constitutes vulnerability. Vulnerability 
is a threat that circumvents or makes use of weakness in your safeguard. 
The terms 
Safeguard: A control or countermeasure to reduce the risk associated with a threat. 
Exposure Factor (EF): EF represents the percentage of loss a realized threat event 
would have on a specific asset. EF differs from high to low percentage, catastrophic loss 
or just the loss of a single PC. 
Single Loss Expectancy (SLE): An SLE is the dollar figure that is assigned to a single 
event. 
Asset Value ($) x Exposure Factor (EF) = SLE
Annualized Rate of Occurrence (ARO): Represents the number on how many times an 
event could happen on a per year basis. 
Annualized Loss Expectancy (ALE): The expected loss on a per year basis. The ALE 
can be derived from the following. Single Loss Expectancy (SLE) x Annualized Rate of 
Occurrence (ARO) = ALE 
4.2.2. Quantitative risk analysis 
Quantitative risk analysis aim is to assign concrete probability percentages; for example 
real money values to the loss of an asset. As it might look fairly simple however the 
complete process should be considered as a major project within your organization. 
Be aware that you cannot apply quantitative analysis only because it relies on qualitative 
analysis data. 
Process of quantitative risk analysis 
• Estimate potential losses to the assets by defining their losses 
• Analyze potential threats to the assets 
• Define the ALE 
4.2.3. Qualitative risk analysis 
Qualitative risk analysis is a scenario-oriented approach; in contrast to quantitative 
analysis a purely qualitative analysis is always possible. Instead of assigning pure 
dollar figures you rank threats on a scale to evaluate their risks, costs and outcome. 
The seriousness of threats and the sensitivity of the assets are ranked or graded by using a 
scenario approach. For each scenario you need to create an exposure rating scale and 
match the various threats to the identified assets. Type of threat and the potential loss to 
the assets and selection of safeguards to reduce the risk should be included in the 
description of your scenario. 
4.3. Pitfalls 
This model of risk management has its pro’s and con’s; the reliance on probability and 
impact factors is a mayor downfall for this concept. The foundation for your security is 
based on guess work; it can be very effective by using only the worst case scenarios to 
cover all risks but will give you a budget outlook that looks grim. The contrary leaves 
your budget in the green zone but can make your security poor. Other approaches 
described in the next chapter could provide more realistic views on which security we 
need and to what level we need to bring it. Anticipating the unknown, providing an 
answer to vectors of attack we do not yet know about is impossible. 
5. Sensible defence 
Information security is hard to understand and even harder to successfully integrate. 
Insecurity is not caused by today’s risk management concept. Economic gain or 
loss, legislation, regulation and so on are also important vectors. 
1) Security is a trade-off. We need to make trade-offs, cost is one but there are more 
trade-offs to make, convenience, liberty, functionality, time etc…
I think the previous chapter has strong and weak points, using the risk management triple 
is extremely valuable but trying to transform risk into numbers by using hefty formulas 
and relying on to much intangible values is for sure not a reliable way to integrate 
sensible and well thought security. 
This chapter will outline some of the problems and how it could be improved. There is no 
clear cut solution to all the issues but improving the existing by relying more on 
measurable values do provide better end results. 
5.1. Economic incentives and security failure 
Economic incentives, profitability, market gain, etc… are important vectors in the 
decision process. Security risks and business risks are quite different; forecasting how the 
economic landscape evolves based on the investment of new resources to increase profit 
is completely different than forecasting probabilities of IT risks. Evaluating risks and 
how much risks are reduced by integrating new technology is as easy as playing the 
Russian roulette. Even if you have all those statistics and numbers, if there is no 
legislation and no direct economic consequence you will not succeed in your job. This is 
plain business logic; managers deal with risk every day and are used to accept certain 
levels of risk. 
Example: 
In a distributed denial of service attack it is very expensive to use measures to protect 
your web servers from it. Your can spend thousands of euros to increase protection and it 
still would fail in certain circumstances. However, home users who are being used as 
ZOMBIE do in general spend a few euros to buy an anti-virus to protect themselves from 
threats. But they rarely would spend the same amount to prevent their machines from 
being used. 
In the economics world this would be a “Tragedy of commons”, these situations should 
rather be solved on a legislative way to put pressure on those who can fix the issue 
instead of investing too much money in a solution that is not providing the necessary 
protection. Over the years we have been witness of the fact that often bad security wins 
over good security, it can be explained rationally; popularity of system or service is 
related to other factors than security. If people use the less secure system more, your 
good system is doomed to failure. If you do not have a good economic reason why 
security should be a priority you do not have a good chance in succeeding. Unfortunately 
today business looks at security as a cost enabler instead of looking at it as cost reduction.
But an economic drive or market reaction sometimes forces a company to tackle security 
issues. When this happens management does not have the burden to deal with any type of 
risk assessment. Today companies are often confronted with reactions as such from 
customers, auditors and other regulatory bodies. 
5.2. Liability, regulation and compliance 
This is an ongoing debate and a very hard one. 
Imposing laws to make better products, provide secure services, conduct audits, carry 
responsibility etc… will definitely improve security in some way. All of this sound easy 
and achievable but the pitfalls are numerous and peopled against plenary. 
Security has technological components but business regards to security, in terms of risk 
management, as they do with any other risk. Business aims to reduce costs and improve 
production. Why bother with improving the network security if business survives after 
defacement, denial of service, reputation damage, and network downtime. 
The point is that if your force companies to make their products secure their economical 
gain could decline. And what about the brakes you put on the creative mind and 
development of new ideas. A company making a new product has its focus on gaining 
money and reply to unanswered issue in the market which does not necessarily require 
advanced security in the initial stage. 
If your government provides services on the internet you better be sure it is secure, if 
there are no regulatory incentives why shouldn’t they opt for the cheaper less secure 
option? By enforcing rules via laws, regulation or company policies we impose liability 
and make sure people are responsible for their deeds. I agree, regulation is not the all-in-one 
helping you out in difficult times but it can push industry to improve security. Some 
types of industry start with security and build their services inside the security 
boundaries. 
We have different compliance bodies that are well developed and pushing managers, 
companies and even governmental organizations to a better and more secure 
environment. SOX, HIPAA, BASEL II, etc… do push to create a better and safer 
environment by motivating managers to pay attention to issues that were ignored before. 
As time goes by and maturity develops legislation will improve and regulatory bodies can 
impose penalties to keep the motivation alive. 
Example: 
Power plants for example live up to high security standards regarding their personnel. We 
can be delighted that they did not use the same approach as often used in the computer 
industry. Such approach makes managers aware that risks cannot be accepted because of 
the high costs involved with it. 
5.3. Due care and due diligence 
2) Due care means that a company did all that it could have reasonably done to try and 
prevent security breaches, and also took the necessary steps to ensure that if a security 
breach did take place, the damages were reduced because of the controls or 
countermeasures that existed. Due care means that a company practiced common sense 
and prudent management practices with responsible actions.
Due diligence means that a company properly investigated all of their possible 
weaknesses and vulnerabilities before carrying out due care practices. 
Due care and due diligence, both require to be present to successfully integrate a certain 
level of security in your environment. To convince management we should take distance 
of examples and results (from threat and vulnerability assessment) that are based on 
hypothetical values. It is almost impossible to convince people on a subject that has not 
yet materialised. Replacing those intangible values can be achieved by using real life 
examples of the existence of vulnerability and what solutions are available and who 
integrated them already. Remember the approach, we are protecting against known 
threats and not trying to increase budgets based on the unknown. 
If management still decides to accept the risk, which is completely normal in certain 
cases, we document it and motivate with the business reasons; this is done to limit 
liability. The ultimate goal is to achieve good due diligence practise this reduces 
ignorance and negligence. Due diligence result are not subject to be proven valid, the 
result itself shows the good or bad experience. Whereas solutions never come directly 
from an assessment but are chosen regarding the assessment results by means of due 
diligence. One can argue if fortune telling is a better strategy compared to await results 
from what actually is achieved. 
5.4. Technology 
The problem we have today with technology is that at a certain point it does provide a 
protection but can create numerous other problems. Integrating additional tools software 
or hardware does not imply that you improve security. An entire process of mechanisms 
that interact is needed to provide robust security. As shown in chapter 3 you need to rely 
on different techniques to create a secure environment. None of those concepts survives 
an attack without the support of the others. Over the years we have been overwhelmed by 
constructors providing us with the market leading product and still our networks are at 
stake. 
Does it mean that the products are bad? 
Honestly, I don’t think products are bad, the way they interact is perhaps not ideal. For 
years we have been focusing on prevention and less on detection and response. A good 
prevention tool is worthless without detection, and detection has no value if there is no 
response process involved; most of the time these functions are included in a good 
prevention product. During my career I had often discussions on what to log and what 
not; logging everything does not increase your detection. It increases data you gather but 
decreases the accuracy.
To make a safeguard valuable it requires interaction with other processes, systems or 
people. A good interaction occurs on different layers, logging the issue is the first but 
informing there as an issue is mandatory to make the logging useful. After the alert a 
manual interference might be required, again this should be logged in a sensible way to 
have good change management. 
All these features are available on the market; unfortunately interaction between them is 
still on a low level. 
Example: 
Wiretapping the mass public didn’t proof to be useful yet, data mining or correlation on 
the data is even harder. It does work once there is a lead or a clue; unless you have some 
predefined known information your correlation will not have much of a value and could 
miss those parts of data crucial to identify the attack. Using detection only to prevent 
issues is just not the right way to solve a security issue. 
Security budgets for government issues do increase however people tend to feel less safe. 
In Belgium the police force is increased significantly but reducing crime is harder as ever 
before. Prevention and detection capabilities are sufficient but response (court) is not at 
the same pace. 
Another big debate is functionality vs. security. Frankly I think this is bad trade-off. 
Testing functionality is fairly easy. Functionality is whether or not something works 
when it is being used as planned. But if you test security you are trying to find out how a 
system behaves when placed under unanticipated circumstances with an adversary trying 
to subvert the system. It will be very hard to test security like you do with functionality if 
not impossible. 
5.5. Awareness campaign and training 
Awareness and training are mandatory to enhance your security. A good distinction 
between training and awareness should be made. 
Awareness campaign: A campaign for awareness explains you the “what is it”, it shows 
you what are the dangers or benefits of certain tool, system or environment. 
Training: A training informs you about the “how does it work”, how do I use it, how do I 
integrate it, how do I get the most out of it. 
Awareness increases security on a human level, human intelligence is irreplaceable by 
technology. But equal to technology we need to make our staff aware about risks 
involved in their job. Today many companies understood they need awareness, some 
because of regulation some because of campaigns launched by governmental 
organisation. As risks and technology evolve at a rapid pace, we need to conduct 
awareness on a regular basis to make it effective. Any means are good to make people 
aware about the risks. In our daily life we are confronted with several awareness 
campaigns which are time or event specific. 
Example: 
The 9/11 attacks provoked awareness in the UK, people were aware about risks and knew
how to respond in case of emergency. The results of the campaign were clear, panic was 
reduced to a minimum and casualties could be rescued with a respectable time frame. 
Training is equally important; knowing that there is risk is just one part of the solution. 
How do you protect and how do you use the provided tools is an important step and 
might be more difficult to achieve. It is clear that in certain cases and on certain subjects 
those two aspects are weaved together. Explaining why one needs a password is one 
thing but might be useless without explaining how to make a strong password. 
6. Conclusion 
Regardless which model of risk management one uses, you are still using hypothetical 
data. Today there are no valid frequency and impact data available to provide you with 
valid and sensible results. It might be possible to guess the impact or frequency of an 
unusual incident. An unknown event or enemy can have an important effect on the risk 
which makes the current security solution obsolete. I doubt that this will have a positive 
change in the future due to the rapid changing technology of today. 
Managing risk by tangible values like outlined in the previous chapter is maybe an 
answer to this complex subject. Continuing with intangible risk assessment result is 
expensive and does not necessarily improve your current security; this does not mean you 
do not have to integrate it. Regulation and legislation can be met by doing high level risk 
assessment outlining the dangers and the caveats of the unknown. 
This is not a plea to abandon the current way of handling risk; I just share my and other 
security professionals’ view on the topic. As a consultant I have been confronted with 
many aspects of security and saw that some try to protect to things that are not yet 
realized. FUD (fear, uncertainty and doubt) and hypes are still provoking the integration 
of security measures, often these are not the solution to the problem. 
Without Donn B. Parker’s help I would not have been able to make this document. I got 
the authorisation to quote his article but I tried to write some of his ideas in my own 
words.
7. References 
1 Bruce Schneier : Beyond Fear 
2 Shon Harris : CISSP certification All-in-one Exam guide 
Books & articles: 
Bruce Schneier: Beyond Fear 
Economics and information security 
Regulation, liability and computer security 
Donn Parker: Making the case for replacing risk-based security 
Ross Anderson: Why information security is hard –an economic perspective- 
Shon Harris: CISSP certification All-in-one Exam guide

More Related Content

What's hot

Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security InvestmentRoger Johnston
 
The human factor
The human factorThe human factor
The human factorKoen Maris
 
Cyber risk-overview-wtw (1)
Cyber risk-overview-wtw (1)Cyber risk-overview-wtw (1)
Cyber risk-overview-wtw (1)Alex Yates
 
Coordinating Security Response and Crisis Management Planning
Coordinating Security Response and Crisis Management PlanningCoordinating Security Response and Crisis Management Planning
Coordinating Security Response and Crisis Management PlanningCognizant
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksIBM
 
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...SurfWatch Labs
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic ManagementMarcelo Martins
 
Security Awareness: The Best Defence
Security Awareness: The Best DefenceSecurity Awareness: The Best Defence
Security Awareness: The Best DefenceShawn Brown
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10David X Martin
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research CSSaunders
 
Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk judythornell
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsDavid X Martin
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinDavid X Martin
 

What's hot (20)

Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security Investment
 
The human factor
The human factorThe human factor
The human factor
 
Cyber risk-overview-wtw (1)
Cyber risk-overview-wtw (1)Cyber risk-overview-wtw (1)
Cyber risk-overview-wtw (1)
 
Coordinating Security Response and Crisis Management Planning
Coordinating Security Response and Crisis Management PlanningCoordinating Security Response and Crisis Management Planning
Coordinating Security Response and Crisis Management Planning
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacks
 
Security Maxim
Security MaximSecurity Maxim
Security Maxim
 
securitymaxims
securitymaximssecuritymaxims
securitymaxims
 
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
 
Security Awareness: The Best Defence
Security Awareness: The Best DefenceSecurity Awareness: The Best Defence
Security Awareness: The Best Defence
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research
 
Eco secu infocom
Eco secu infocomEco secu infocom
Eco secu infocom
 
when minutes counts
when minutes countswhen minutes counts
when minutes counts
 
Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk
 
New Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-ProfitsNew Risk Management Paradigm for Not-For-Profits
New Risk Management Paradigm for Not-For-Profits
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
Cyber999 Brochure
Cyber999 BrochureCyber999 Brochure
Cyber999 Brochure
 
CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martin
 

Viewers also liked

โครงงานเรื่องไวรัสคอมพิวเตอร์ 5.4
โครงงานเรื่องไวรัสคอมพิวเตอร์ 5.4โครงงานเรื่องไวรัสคอมพิวเตอร์ 5.4
โครงงานเรื่องไวรัสคอมพิวเตอร์ 5.4somjaibio003
 
The human factor
The human factorThe human factor
The human factorKoen Maris
 
Jak być interaktywnym? Pozytywnie o agencjach
Jak być interaktywnym? Pozytywnie o agencjach Jak być interaktywnym? Pozytywnie o agencjach
Jak być interaktywnym? Pozytywnie o agencjach Positive Power Sp. z o.o
 
Advertising Presentation
Advertising PresentationAdvertising Presentation
Advertising Presentationramsharma9696
 
Direct Red 254, Pigment Dispersions
Direct Red 254, Pigment DispersionsDirect Red 254, Pigment Dispersions
Direct Red 254, Pigment Dispersionsshreem industries
 
โครงงานไวรัสคอมพิวเตอร์ 5.4
โครงงานไวรัสคอมพิวเตอร์ 5.4โครงงานไวรัสคอมพิวเตอร์ 5.4
โครงงานไวรัสคอมพิวเตอร์ 5.4somjaibio003
 
Honeymoon in nainital | Honeymoon in Nainital From Mumbai-Delhi
Honeymoon in nainital | Honeymoon in Nainital From Mumbai-DelhiHoneymoon in nainital | Honeymoon in Nainital From Mumbai-Delhi
Honeymoon in nainital | Honeymoon in Nainital From Mumbai-DelhiJusteat India
 

Viewers also liked (20)

Basketball
BasketballBasketball
Basketball
 
โครงงานเรื่องไวรัสคอมพิวเตอร์ 5.4
โครงงานเรื่องไวรัสคอมพิวเตอร์ 5.4โครงงานเรื่องไวรัสคอมพิวเตอร์ 5.4
โครงงานเรื่องไวรัสคอมพิวเตอร์ 5.4
 
Css
CssCss
Css
 
Rafael Moucka na konferencji InternetASAP
Rafael Moucka na konferencji InternetASAPRafael Moucka na konferencji InternetASAP
Rafael Moucka na konferencji InternetASAP
 
RWD: przyszłością m.commerce?
RWD: przyszłością m.commerce?RWD: przyszłością m.commerce?
RWD: przyszłością m.commerce?
 
About schroeder
About schroederAbout schroeder
About schroeder
 
R.moucka ecommerce standard
R.moucka   ecommerce standardR.moucka   ecommerce standard
R.moucka ecommerce standard
 
ปก
ปกปก
ปก
 
The human factor
The human factorThe human factor
The human factor
 
Positive Power na Boss Festiwalu
Positive Power na Boss FestiwaluPositive Power na Boss Festiwalu
Positive Power na Boss Festiwalu
 
Jak być interaktywnym? Pozytywnie o agencjach
Jak być interaktywnym? Pozytywnie o agencjach Jak być interaktywnym? Pozytywnie o agencjach
Jak być interaktywnym? Pozytywnie o agencjach
 
บทที่ 2
บทที่ 2บทที่ 2
บทที่ 2
 
Advertising Presentation
Advertising PresentationAdvertising Presentation
Advertising Presentation
 
Direct Red 254, Pigment Dispersions
Direct Red 254, Pigment DispersionsDirect Red 254, Pigment Dispersions
Direct Red 254, Pigment Dispersions
 
โครงงานไวรัสคอมพิวเตอร์ 5.4
โครงงานไวรัสคอมพิวเตอร์ 5.4โครงงานไวรัสคอมพิวเตอร์ 5.4
โครงงานไวรัสคอมพิวเตอร์ 5.4
 
Rafael Moucka na Freelance Camp o RWD
Rafael Moucka na Freelance Camp o RWDRafael Moucka na Freelance Camp o RWD
Rafael Moucka na Freelance Camp o RWD
 
ปก
ปกปก
ปก
 
Honeymoon in nainital | Honeymoon in Nainital From Mumbai-Delhi
Honeymoon in nainital | Honeymoon in Nainital From Mumbai-DelhiHoneymoon in nainital | Honeymoon in Nainital From Mumbai-Delhi
Honeymoon in nainital | Honeymoon in Nainital From Mumbai-Delhi
 
Rafael Moucka wśród Mentorów E-biznesu
Rafael Moucka wśród Mentorów E-biznesuRafael Moucka wśród Mentorów E-biznesu
Rafael Moucka wśród Mentorów E-biznesu
 
Company Presentation
Company PresentationCompany Presentation
Company Presentation
 

Similar to Sensible defence

Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?nathan816428
 
CyberSecurity Strategy For Defendable ROI
CyberSecurity Strategy For Defendable ROICyberSecurity Strategy For Defendable ROI
CyberSecurity Strategy For Defendable ROISiemplify
 
4A Prevention SystemOverviewDefining the Overall Se.docx
4A Prevention SystemOverviewDefining the Overall Se.docx4A Prevention SystemOverviewDefining the Overall Se.docx
4A Prevention SystemOverviewDefining the Overall Se.docxgilbertkpeters11344
 
Top-Rated Professional Security Services for Comprehensive Protection.pdf
Top-Rated Professional Security Services for Comprehensive Protection.pdfTop-Rated Professional Security Services for Comprehensive Protection.pdf
Top-Rated Professional Security Services for Comprehensive Protection.pdfprivate security
 
Importance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessImportance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessAnton Chuvakin
 
Chapter 1Information Security OverviewCopyright © 2014 by Mc
Chapter 1Information Security OverviewCopyright © 2014 by McChapter 1Information Security OverviewCopyright © 2014 by Mc
Chapter 1Information Security OverviewCopyright © 2014 by McEstelaJeffery653
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALMichael Bunn
 
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docxChapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docxwalterl4
 
Future Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecFuture Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecCheapSSLsecurity
 
Cybersecurity Incident Response Planning.pdf
Cybersecurity Incident Response Planning.pdfCybersecurity Incident Response Planning.pdf
Cybersecurity Incident Response Planning.pdfCiente
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxjenkinsmandie
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoMark John Lado, MIT
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilienceSymantec
 
cybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdfcybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdfCecilSu
 
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecXavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecLaura Tibbo
 
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
Practical Guide to Managing Incidents Using LLM's and NLP.pdfPractical Guide to Managing Incidents Using LLM's and NLP.pdf
Practical Guide to Managing Incidents Using LLM's and NLP.pdfChris Galvan
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapDominic Vogel
 
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise World
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise WorldKey Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise World
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise WorldTEWMAGAZINE
 

Similar to Sensible defence (20)

Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?Proactive Security - Principled Aspiration or Marketing Buzzword?
Proactive Security - Principled Aspiration or Marketing Buzzword?
 
CyberSecurity Strategy For Defendable ROI
CyberSecurity Strategy For Defendable ROICyberSecurity Strategy For Defendable ROI
CyberSecurity Strategy For Defendable ROI
 
4A Prevention SystemOverviewDefining the Overall Se.docx
4A Prevention SystemOverviewDefining the Overall Se.docx4A Prevention SystemOverviewDefining the Overall Se.docx
4A Prevention SystemOverviewDefining the Overall Se.docx
 
Top-Rated Professional Security Services for Comprehensive Protection.pdf
Top-Rated Professional Security Services for Comprehensive Protection.pdfTop-Rated Professional Security Services for Comprehensive Protection.pdf
Top-Rated Professional Security Services for Comprehensive Protection.pdf
 
Importance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessImportance Of Structured Incident Response Process
Importance Of Structured Incident Response Process
 
Chapter 1Information Security OverviewCopyright © 2014 by Mc
Chapter 1Information Security OverviewCopyright © 2014 by McChapter 1Information Security OverviewCopyright © 2014 by Mc
Chapter 1Information Security OverviewCopyright © 2014 by Mc
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINALDefending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
 
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docxChapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
 
ICISS Newsletter Sept 14
ICISS Newsletter Sept 14ICISS Newsletter Sept 14
ICISS Newsletter Sept 14
 
Future Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecFuture Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - Symantec
 
Cybersecurity Incident Response Planning.pdf
Cybersecurity Incident Response Planning.pdfCybersecurity Incident Response Planning.pdf
Cybersecurity Incident Response Planning.pdf
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilience
 
cybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdfcybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdf
 
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecXavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
 
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
Practical Guide to Managing Incidents Using LLM's and NLP.pdfPractical Guide to Managing Incidents Using LLM's and NLP.pdf
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise World
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise WorldKey Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise World
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise World
 

Recently uploaded

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Sensible defence

  • 1. Sensible defence kmar@baleo.be 1. Abstract: Sensible defence .......................................................................................... 3 2. Introduction................................................................................................................. 4 3. How risk mitigation works.......................................................................................... 5 3.1. Detection ............................................................................................................. 5 3.2. Prevention ........................................................................................................... 5 3.3. Response ............................................................................................................. 5 4. Risk management concept today ................................................................................ 6 4.1. The process ......................................................................................................... 6 4.1.1. Governance ................................................................................................. 6 4.1.2. Context ........................................................................................................ 6 4.1.3. Identification ............................................................................................... 6 4.2. Risk analysis ....................................................................................................... 7 4.2.1. Key terms .................................................................................................... 7 4.2.2. Quantitative risk analysis ............................................................................ 8 4.2.3. Qualitative risk analysis .............................................................................. 8 4.3. Pitfalls ................................................................................................................. 8 5. Sensible defence.......................................................................................................... 9 5.1. Economic incentives and security failure ........................................................... 9 5.2. Liability, regulation and compliance ................................................................ 10 5.3. Due care and due diligence ............................................................................... 11 5.4. Technology ....................................................................................................... 11 5.5. Awareness campaign and training .................................................................... 12 6. Conclusion ................................................................................................................ 14
  • 3. 1. Abstract: Sensible defence Security is not product related only, improving your products and manage your risk is mandatory to keep up with the latest threats. However some basic tools do increase your security but it is debatable if all these tools enhance your security in the way you expect perhaps they just give you a false sense of security. A false sense of security is the best cure for your conscious yet less effective against a real attack. Security is about risks and how you manage it, if you like to build good security you need to perform risk management and periodically measure risk against your security template. Attacks shift and so does your budget assignment. Simple questions can reveal more needs and address security in those areas of importance. Quote from Bruce Schneier • What are we trying to protect? • What risks to these assets? • How well is the solution in mitigating those risks? • What other risks does the solution cause? • What costs and trade-off does the solution impose? Risk Management an excellent mediator to gain an objective view on your security strategy. However it consumes a lot of valuable time and resources. But wasn't it important to implement security in the beginning of a project? Exactly, when your project is defined and you know more or less your destination risk management can be your guide to find the way. By starting to integrate your security request as early as possible in a project life cycle you increase the security as such and you reduce costs on a long term perspective. Remember you have to sell your security, at the end it is politics. It comes down to the weight you have in the decision and the motivation you used in the selling process. To integrate successfully your risk management result you should define where what to invest. Managing risks is more than just integrate technology controls. In security we protect the CIA triangle but to protect it you use 3 sometimes 4 different mechanisms. The four basic elements are prevention, detection, response and sometimes prediction, the latter is probably the hardest one to achieve. Balancing out these four will give you a sensible security mechanism which align with budget restraints and complies with your regulatory obligations.
  • 4. 2. Introduction The security field undergoes a lot of changes at a rapid pace making technology old fashioned in a glimpse of time. Replacement and upgrades are deemed necessary if we may believe consultants and product vendors. But on what are these statements based? This paper shows how risk management is used today and what the pitfalls are. A lot of CISO's expressed their thoughts about it at the CISO 2003 that today's approach has gaps and is based on to much intangible facts. This document outlines the problems security people encounter today. Over the recent years we can see an increased awareness about security issues however being aware there is problem is not much of a value if countermeasures are not appropriate to the risk In this paper you can find the basic concept of risk management used today, it will not explain in detail or how you should integrate it in your environment. It is included as reference to compare on how I and many others think it could be done instead. It is my personal belief that today’s concept is failing and more reasonable strategies should be applied to get the necessary support from your management. The risk management process in its entirety has its limits; more specific is the analysis that is insufficient to provide the required proof. 3. How risk mitigation works Security is not about technology but about risks and how you manage them. Covering a risk in its entirety is not an easy thing and accepting the risk could at the end the only solution. Managing risk is based on different pillars; these pillars have each an important function but are rendered useless if they are not weaved in together. 3.1. Detection Detection is a passive security measure which is an outstanding solution to fraud detection for example, but less effective in protection of corporate networks. Detection is common and used in our every day life, the new radar system deployed in the UK to bill people going for work by car is a perfect example. It does not prevent your from driving in the city, it does not prevent you from not paying the bill especially for foreigner but it does detect you. No matter where you’re from and what type of vehicle you drive you will be noticed and receive a bill. The same goes for credit card companies; a lot of their security is based on detection. Detection might not be your Swiss knife to solve security however it is less expensive and in some cases the most acceptable measure to enhance security in your environment. Logging (un)authorized connections on a preventative measure can be considered a way of detection, logging these events can be used afterwards to detect anomalies. 3.2. Prevention Prevention is an active security measure able to deny or allow access; decisions are made based on an integrated policy. Prevention stops certain attacks immediately, one of the biggest advantages compared with detection or response which react once the event has
  • 5. passed. Technologies providing prevention techniques are not waterproof either; prevention does what it says as long as the device, software or even the human being acts in a proper way. A flaw in the procedure or software can render it useless. Prevention technology is definitely the most expensive way to secure your environment. One should weight the benefits against the costs and explore other measures before putting the eggs in one basket. Firewalls were thought to be the answer for network security, however there are so many firewalls badly configured that it is sometimes better not to have any. False sense of security can be worse than no security at all. 3.3. Response Incident response is important in many aspects. Response shows how the attack took place, how it has been detected and how it can be prevented in the future. Often response is put aside due to time and cost restrictions but many companies doing incident response realise that it saves a lot of valuable time whenever a similar attack occurs. Incident response helps to recover quickly, efficiently and provides visibility on the events happening during a defined period of time.
  • 6. 4. Risk management concept today Security relies on the management and the reduction of risk by assessing, reporting and controlling the risk. It encompasses a number of activities which constitutes a systematic process that aims to optimize the decision making process and improve the results. The identification of risk to an organization entails defining the four following basic elements: • The actual threat • The possible consequences of the realized threat (impact) • The probable frequency of the occurrence of a threat (frequency) • The extent of how confident we are that the threat will happen (probability) 4.1. The process Some crucial steps are mandatory to enhance your risk management process. These simple identifiers enable you to control the complete cycle of the risk you like to measure. 4.1.1. Governance Good governance establishes a repeatable and auditable methodology for integration of the risk management process across the enterprise. The governance process outlines what, how and by whom the risk management activities are performed. Clearly, a risk management team must aim to develop and establish commitment; support a participation of top management to succeed in their mission. 4.1.2. Context The context determines the company's relationship with its environment. It consists of two important influencers which shape the design of your risk management strategy. External factors could be anything like cultural, commercial or regulatory influences. Internal factors would be governance, reporting, business structure etc... 4.1.3. Identification Determine and identify the risks that your company is exposed to be perhaps the most important step in being successful at risk management. Focusing on tangible result only is a common mistake, clearly intangible values are harder to measure but therefore as important. Risk identification in your enterprise entails four basic principles: • The actual threat • The possible consequences when a threat materializes • Probable frequency of occurrence of a threat • The probability a threat will occur 4.2. Risk analysis Risk analysis is a process to ensure that security measures for an environment are adequate to reduce the risks. By applying risk analysis you determine the risks and
  • 7. develop a plan on how to deal with the risks. Analysing the identified risks gives you a better understanding of the likelihood and potential outcome of an event impacting your company. The main purpose of risk analysis is to quantify the impact of a potential risk. The goal is to put a price or value on the loss. The main results of risk analysis are • Identification of the current risks • The cost/benefit justification of the countermeasures • Influences the decision making process on hardware, etc? • Focus on security resources where they are needed most This chapter provides you with a brief outline of how risk analysis works. These are not invented by the author and are only here as reference. 4.2.1. Key terms Scientifically a risk is defined as the product of the threat and vulnerability. But in risk management we identify the risk as the probability a threat will materialize. Risk can be considered potential harm or loss to a system. The risk management triple: • Asset: A resource, process, product, system etc… The value equals the cost of the creation, development, license, support, replacement, credibility, lost if IP is disclosed, ownership values. The asset the precious item you are trying to protect • Threat: Any event that causes an undesirable impact on your organization • Vulnerability: Absence of a safeguard constitutes vulnerability. Vulnerability is a threat that circumvents or makes use of weakness in your safeguard. The terms Safeguard: A control or countermeasure to reduce the risk associated with a threat. Exposure Factor (EF): EF represents the percentage of loss a realized threat event would have on a specific asset. EF differs from high to low percentage, catastrophic loss or just the loss of a single PC. Single Loss Expectancy (SLE): An SLE is the dollar figure that is assigned to a single event. Asset Value ($) x Exposure Factor (EF) = SLE
  • 8. Annualized Rate of Occurrence (ARO): Represents the number on how many times an event could happen on a per year basis. Annualized Loss Expectancy (ALE): The expected loss on a per year basis. The ALE can be derived from the following. Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = ALE 4.2.2. Quantitative risk analysis Quantitative risk analysis aim is to assign concrete probability percentages; for example real money values to the loss of an asset. As it might look fairly simple however the complete process should be considered as a major project within your organization. Be aware that you cannot apply quantitative analysis only because it relies on qualitative analysis data. Process of quantitative risk analysis • Estimate potential losses to the assets by defining their losses • Analyze potential threats to the assets • Define the ALE 4.2.3. Qualitative risk analysis Qualitative risk analysis is a scenario-oriented approach; in contrast to quantitative analysis a purely qualitative analysis is always possible. Instead of assigning pure dollar figures you rank threats on a scale to evaluate their risks, costs and outcome. The seriousness of threats and the sensitivity of the assets are ranked or graded by using a scenario approach. For each scenario you need to create an exposure rating scale and match the various threats to the identified assets. Type of threat and the potential loss to the assets and selection of safeguards to reduce the risk should be included in the description of your scenario. 4.3. Pitfalls This model of risk management has its pro’s and con’s; the reliance on probability and impact factors is a mayor downfall for this concept. The foundation for your security is based on guess work; it can be very effective by using only the worst case scenarios to cover all risks but will give you a budget outlook that looks grim. The contrary leaves your budget in the green zone but can make your security poor. Other approaches described in the next chapter could provide more realistic views on which security we need and to what level we need to bring it. Anticipating the unknown, providing an answer to vectors of attack we do not yet know about is impossible. 5. Sensible defence Information security is hard to understand and even harder to successfully integrate. Insecurity is not caused by today’s risk management concept. Economic gain or loss, legislation, regulation and so on are also important vectors. 1) Security is a trade-off. We need to make trade-offs, cost is one but there are more trade-offs to make, convenience, liberty, functionality, time etc…
  • 9. I think the previous chapter has strong and weak points, using the risk management triple is extremely valuable but trying to transform risk into numbers by using hefty formulas and relying on to much intangible values is for sure not a reliable way to integrate sensible and well thought security. This chapter will outline some of the problems and how it could be improved. There is no clear cut solution to all the issues but improving the existing by relying more on measurable values do provide better end results. 5.1. Economic incentives and security failure Economic incentives, profitability, market gain, etc… are important vectors in the decision process. Security risks and business risks are quite different; forecasting how the economic landscape evolves based on the investment of new resources to increase profit is completely different than forecasting probabilities of IT risks. Evaluating risks and how much risks are reduced by integrating new technology is as easy as playing the Russian roulette. Even if you have all those statistics and numbers, if there is no legislation and no direct economic consequence you will not succeed in your job. This is plain business logic; managers deal with risk every day and are used to accept certain levels of risk. Example: In a distributed denial of service attack it is very expensive to use measures to protect your web servers from it. Your can spend thousands of euros to increase protection and it still would fail in certain circumstances. However, home users who are being used as ZOMBIE do in general spend a few euros to buy an anti-virus to protect themselves from threats. But they rarely would spend the same amount to prevent their machines from being used. In the economics world this would be a “Tragedy of commons”, these situations should rather be solved on a legislative way to put pressure on those who can fix the issue instead of investing too much money in a solution that is not providing the necessary protection. Over the years we have been witness of the fact that often bad security wins over good security, it can be explained rationally; popularity of system or service is related to other factors than security. If people use the less secure system more, your good system is doomed to failure. If you do not have a good economic reason why security should be a priority you do not have a good chance in succeeding. Unfortunately today business looks at security as a cost enabler instead of looking at it as cost reduction.
  • 10. But an economic drive or market reaction sometimes forces a company to tackle security issues. When this happens management does not have the burden to deal with any type of risk assessment. Today companies are often confronted with reactions as such from customers, auditors and other regulatory bodies. 5.2. Liability, regulation and compliance This is an ongoing debate and a very hard one. Imposing laws to make better products, provide secure services, conduct audits, carry responsibility etc… will definitely improve security in some way. All of this sound easy and achievable but the pitfalls are numerous and peopled against plenary. Security has technological components but business regards to security, in terms of risk management, as they do with any other risk. Business aims to reduce costs and improve production. Why bother with improving the network security if business survives after defacement, denial of service, reputation damage, and network downtime. The point is that if your force companies to make their products secure their economical gain could decline. And what about the brakes you put on the creative mind and development of new ideas. A company making a new product has its focus on gaining money and reply to unanswered issue in the market which does not necessarily require advanced security in the initial stage. If your government provides services on the internet you better be sure it is secure, if there are no regulatory incentives why shouldn’t they opt for the cheaper less secure option? By enforcing rules via laws, regulation or company policies we impose liability and make sure people are responsible for their deeds. I agree, regulation is not the all-in-one helping you out in difficult times but it can push industry to improve security. Some types of industry start with security and build their services inside the security boundaries. We have different compliance bodies that are well developed and pushing managers, companies and even governmental organizations to a better and more secure environment. SOX, HIPAA, BASEL II, etc… do push to create a better and safer environment by motivating managers to pay attention to issues that were ignored before. As time goes by and maturity develops legislation will improve and regulatory bodies can impose penalties to keep the motivation alive. Example: Power plants for example live up to high security standards regarding their personnel. We can be delighted that they did not use the same approach as often used in the computer industry. Such approach makes managers aware that risks cannot be accepted because of the high costs involved with it. 5.3. Due care and due diligence 2) Due care means that a company did all that it could have reasonably done to try and prevent security breaches, and also took the necessary steps to ensure that if a security breach did take place, the damages were reduced because of the controls or countermeasures that existed. Due care means that a company practiced common sense and prudent management practices with responsible actions.
  • 11. Due diligence means that a company properly investigated all of their possible weaknesses and vulnerabilities before carrying out due care practices. Due care and due diligence, both require to be present to successfully integrate a certain level of security in your environment. To convince management we should take distance of examples and results (from threat and vulnerability assessment) that are based on hypothetical values. It is almost impossible to convince people on a subject that has not yet materialised. Replacing those intangible values can be achieved by using real life examples of the existence of vulnerability and what solutions are available and who integrated them already. Remember the approach, we are protecting against known threats and not trying to increase budgets based on the unknown. If management still decides to accept the risk, which is completely normal in certain cases, we document it and motivate with the business reasons; this is done to limit liability. The ultimate goal is to achieve good due diligence practise this reduces ignorance and negligence. Due diligence result are not subject to be proven valid, the result itself shows the good or bad experience. Whereas solutions never come directly from an assessment but are chosen regarding the assessment results by means of due diligence. One can argue if fortune telling is a better strategy compared to await results from what actually is achieved. 5.4. Technology The problem we have today with technology is that at a certain point it does provide a protection but can create numerous other problems. Integrating additional tools software or hardware does not imply that you improve security. An entire process of mechanisms that interact is needed to provide robust security. As shown in chapter 3 you need to rely on different techniques to create a secure environment. None of those concepts survives an attack without the support of the others. Over the years we have been overwhelmed by constructors providing us with the market leading product and still our networks are at stake. Does it mean that the products are bad? Honestly, I don’t think products are bad, the way they interact is perhaps not ideal. For years we have been focusing on prevention and less on detection and response. A good prevention tool is worthless without detection, and detection has no value if there is no response process involved; most of the time these functions are included in a good prevention product. During my career I had often discussions on what to log and what not; logging everything does not increase your detection. It increases data you gather but decreases the accuracy.
  • 12. To make a safeguard valuable it requires interaction with other processes, systems or people. A good interaction occurs on different layers, logging the issue is the first but informing there as an issue is mandatory to make the logging useful. After the alert a manual interference might be required, again this should be logged in a sensible way to have good change management. All these features are available on the market; unfortunately interaction between them is still on a low level. Example: Wiretapping the mass public didn’t proof to be useful yet, data mining or correlation on the data is even harder. It does work once there is a lead or a clue; unless you have some predefined known information your correlation will not have much of a value and could miss those parts of data crucial to identify the attack. Using detection only to prevent issues is just not the right way to solve a security issue. Security budgets for government issues do increase however people tend to feel less safe. In Belgium the police force is increased significantly but reducing crime is harder as ever before. Prevention and detection capabilities are sufficient but response (court) is not at the same pace. Another big debate is functionality vs. security. Frankly I think this is bad trade-off. Testing functionality is fairly easy. Functionality is whether or not something works when it is being used as planned. But if you test security you are trying to find out how a system behaves when placed under unanticipated circumstances with an adversary trying to subvert the system. It will be very hard to test security like you do with functionality if not impossible. 5.5. Awareness campaign and training Awareness and training are mandatory to enhance your security. A good distinction between training and awareness should be made. Awareness campaign: A campaign for awareness explains you the “what is it”, it shows you what are the dangers or benefits of certain tool, system or environment. Training: A training informs you about the “how does it work”, how do I use it, how do I integrate it, how do I get the most out of it. Awareness increases security on a human level, human intelligence is irreplaceable by technology. But equal to technology we need to make our staff aware about risks involved in their job. Today many companies understood they need awareness, some because of regulation some because of campaigns launched by governmental organisation. As risks and technology evolve at a rapid pace, we need to conduct awareness on a regular basis to make it effective. Any means are good to make people aware about the risks. In our daily life we are confronted with several awareness campaigns which are time or event specific. Example: The 9/11 attacks provoked awareness in the UK, people were aware about risks and knew
  • 13. how to respond in case of emergency. The results of the campaign were clear, panic was reduced to a minimum and casualties could be rescued with a respectable time frame. Training is equally important; knowing that there is risk is just one part of the solution. How do you protect and how do you use the provided tools is an important step and might be more difficult to achieve. It is clear that in certain cases and on certain subjects those two aspects are weaved together. Explaining why one needs a password is one thing but might be useless without explaining how to make a strong password. 6. Conclusion Regardless which model of risk management one uses, you are still using hypothetical data. Today there are no valid frequency and impact data available to provide you with valid and sensible results. It might be possible to guess the impact or frequency of an unusual incident. An unknown event or enemy can have an important effect on the risk which makes the current security solution obsolete. I doubt that this will have a positive change in the future due to the rapid changing technology of today. Managing risk by tangible values like outlined in the previous chapter is maybe an answer to this complex subject. Continuing with intangible risk assessment result is expensive and does not necessarily improve your current security; this does not mean you do not have to integrate it. Regulation and legislation can be met by doing high level risk assessment outlining the dangers and the caveats of the unknown. This is not a plea to abandon the current way of handling risk; I just share my and other security professionals’ view on the topic. As a consultant I have been confronted with many aspects of security and saw that some try to protect to things that are not yet realized. FUD (fear, uncertainty and doubt) and hypes are still provoking the integration of security measures, often these are not the solution to the problem. Without Donn B. Parker’s help I would not have been able to make this document. I got the authorisation to quote his article but I tried to write some of his ideas in my own words.
  • 14. 7. References 1 Bruce Schneier : Beyond Fear 2 Shon Harris : CISSP certification All-in-one Exam guide Books & articles: Bruce Schneier: Beyond Fear Economics and information security Regulation, liability and computer security Donn Parker: Making the case for replacing risk-based security Ross Anderson: Why information security is hard –an economic perspective- Shon Harris: CISSP certification All-in-one Exam guide