Sensible defence 
kmar@baleo.be 
1. Abstract: Sensible defence
2. Introduction
3. How risk mitigation works
3.1. Detection
3.2. Prevention
3.3. Response
4. Risk management concept today
4.1. The process
4.1.1. Governance
4.1.2. Context
4.1.3. Identification
4.2. Risk analysis
4.2.1. Key terms
4.2.2. Quantitative risk analysis
4.2.3. Qualitative risk analysis
4.3. Pitfalls
5. Sensible defence
5.1. Economic incentives and security failure
5.2. Liability, regulation and compliance
5.3. Due care and due diligence
5.4. Technology
5.5. Awareness campaign and training
6. Conclusion
7. References
1. Abstract: Sensible defence 
Security is not only a matter of products; improving your products and managing your risk is mandatory to keep up with the latest threats. Some basic tools do increase your security, but it is debatable whether all of these tools enhance your security in the way you expect; perhaps they just give you a false sense of security. A false sense of security is the best cure for your conscience, yet it is far less effective against a real attack.
Security is about risks and how you manage them. If you want to build good security you need to perform risk management and periodically measure risk against your security template. Attacks shift, and so should your budget allocation. Simple questions can reveal more needs and address security in the areas that matter most.
Quote from Bruce Schneier:
• What are we trying to protect?
• What are the risks to these assets?
• How well does the solution mitigate those risks?
• What other risks does the solution cause?
• What costs and trade-offs does the solution impose?
Risk management is an excellent mediator for gaining an objective view of your security strategy. However, it consumes a lot of valuable time and resources. But wasn't it important to implement security at the beginning of a project? Exactly: once your project is defined and you know more or less where you are heading, risk management can be your guide to finding the way.
By integrating your security requirements as early as possible in the project life cycle you increase security as such and you reduce costs in the long term. Remember that you have to sell your security; in the end it is politics. It comes down to the weight you have in the decision and the arguments you used in the selling process.
To integrate your risk management results successfully you should define where and in what to invest. Managing risks is more than just integrating technology controls. In security we protect the CIA triad, but to protect it we use three, sometimes four, different mechanisms. The four basic elements are prevention, detection, response and sometimes prediction; the latter is probably the hardest one to achieve.
Balancing these four gives you a sensible security mechanism that aligns with budget constraints and complies with your regulatory obligations.
2. Introduction 
The security field undergoes a lot of changes at a rapid pace, making technology old-fashioned in the blink of an eye. Replacements and upgrades are deemed necessary, if we may believe consultants and product vendors. But on what are these statements based? This paper shows how risk management is used today and what its pitfalls are. A lot of CISOs expressed the view at the CISO 2003 event that today's approach has gaps and is based on too many intangible facts.
This document outlines the problems security people encounter today. Over recent years we have seen increased awareness of security issues; however, being aware that there is a problem is of little value if the countermeasures are not appropriate to the risk.
In this paper you will find the basic concept of risk management as used today; it will not explain it in detail or tell you how to integrate it in your environment. It is included as a reference to compare against how I and many others think it could be done instead. It is my personal belief that today's concept is failing and that more reasonable strategies should be applied to get the necessary support from your management.
The risk management process as a whole has its limits; more specifically, it is the analysis that is insufficient to provide the required proof.
3. How risk mitigation works 
Security is not about technology but about risks and how you manage them. Covering a risk in its entirety is not easy, and accepting the risk may in the end be the only solution.
Managing risk rests on different pillars; each pillar has an important function, but they are rendered useless if they are not woven together.
3.1. Detection 
Detection is a passive security measure. It is an outstanding solution for fraud detection, for example, but less effective for protecting corporate networks. Detection is common and used in our everyday life; the new camera system deployed in the UK to bill people driving to work is a perfect example. It does not prevent you from driving into the city, and it does not prevent you from not paying the bill (especially for foreigners), but it does detect you. No matter where you are from and what type of vehicle you drive, you will be noticed and receive a bill. The same goes for credit card companies; a lot of their security is based on detection.
Detection may not be the Swiss army knife that solves security, but it is less expensive and in some cases the most acceptable measure to enhance security in your environment. Logging (un)authorized connections at a preventive control can be considered a form of detection: the logged events can be used afterwards to detect anomalies.
3.2. Prevention 
Prevention is an active security measure able to deny or allow access; decisions are made based on an integrated policy. Prevention stops certain attacks immediately, which is one of its biggest advantages compared with detection or response, which react once the event has passed. Technologies providing prevention are not watertight either: prevention does what it says as long as the device, the software or even the human being acts in the proper way. A flaw in the procedure or software can render it useless. Prevention technology is definitely the most expensive way to secure your environment. One should weigh the benefits against the costs and explore other measures before putting all the eggs in one basket. Firewalls were thought to be the answer to network security; however, so many firewalls are badly configured that it is sometimes better not to have one at all. A false sense of security can be worse than no security at all.
3.3. Response 
Incident response is important in many respects. Response shows how the attack took place, how it was detected and how it can be prevented in the future. Response is often put aside due to time and cost restrictions, but many companies that do incident response realise that it saves a lot of valuable time whenever a similar attack occurs. Incident response helps you recover quickly and efficiently, and provides visibility into the events that happened during a defined period of time.
4. Risk management concept today 
Security relies on the management and reduction of risk by assessing, reporting and controlling the risk. It encompasses a number of activities that constitute a systematic process aimed at optimizing decision making and improving the results.
Identifying the risk to an organization entails defining the following four basic elements:
• The actual threat
• The possible consequences of the realized threat (impact)
• The probable frequency of occurrence of the threat (frequency)
• The extent to which we are confident that the threat will happen (probability)
4.1. The process 
Some crucial steps are mandatory to enhance your risk management process. These simple identifiers enable you to control the complete cycle of the risk you want to measure.
4.1.1. Governance 
Good governance establishes a repeatable and auditable methodology for integrating the risk management process across the enterprise. The governance process outlines what risk management activities are performed, how, and by whom.
Clearly, a risk management team must aim to develop and establish the commitment, support and participation of top management to succeed in its mission.
4.1.2. Context 
The context determines the company's relationship with its environment. It consists of two important sets of influences that shape the design of your risk management strategy. External factors could be anything such as cultural, commercial or regulatory influences. Internal factors would be governance, reporting, business structure, etc.
4.1.3. Identification 
Determining and identifying the risks your company is exposed to is perhaps the most important step in being successful at risk management. Focusing on tangible results only is a common mistake; intangible values are clearly harder to measure but are just as important.
Risk identification in your enterprise entails four basic principles:
• The actual threat
• The possible consequences when a threat materializes
• The probable frequency of occurrence of a threat
• The probability that a threat will occur
4.2. Risk analysis 
Risk analysis is a process to ensure that the security measures for an environment are adequate to reduce the risks. By applying risk analysis you determine the risks and develop a plan for how to deal with them. Analysing the identified risks gives you a better understanding of the likelihood and potential outcome of an event impacting your company.
The main purpose of risk analysis is to quantify the impact of a potential risk. The goal is to put a price or value on the loss.
The main results of risk analysis are:
• Identification of the current risks
• The cost/benefit justification of the countermeasures
• Input to the decision-making process on hardware, etc.
• Focusing security resources where they are needed most
This chapter provides a brief outline of how risk analysis works. These concepts were not invented by the author and are only here as reference.
4.2.1. Key terms 
Scientifically, a risk is defined as the product of the threat and the vulnerability. In risk management, however, we identify the risk as the probability that a threat will materialize. Risk can be considered potential harm or loss to a system.
The risk management triple:
• Asset: A resource, process, product, system, etc. Its value equals the cost of creation, development, licensing, support and replacement, plus credibility, the loss if IP is disclosed, and ownership values. The asset is the precious item you are trying to protect.
• Threat: Any event that causes an undesirable impact on your organization.
• Vulnerability: The absence of a safeguard constitutes a vulnerability. A vulnerability is what allows a threat to circumvent or make use of a weakness in your safeguards.
The terms:
Safeguard: A control or countermeasure to reduce the risk associated with a threat.
Exposure Factor (EF): EF represents the percentage of loss a realized threat event would inflict on a specific asset. EF ranges from a high to a low percentage, from catastrophic loss down to the loss of a single PC.
Single Loss Expectancy (SLE): An SLE is the dollar figure assigned to a single event.
Asset Value ($) x Exposure Factor (EF) = SLE
Annualized Rate of Occurrence (ARO): Represents how many times an event could happen per year.
Annualized Loss Expectancy (ALE): The expected loss per year. The ALE is derived as follows:
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = ALE
4.2.2. Quantitative risk analysis 
The aim of quantitative risk analysis is to assign concrete probability percentages and, for example, real money values to the loss of an asset. It may look fairly simple, but the complete process should be considered a major project within your organization.
Be aware that you cannot apply quantitative analysis alone, because it relies on qualitative analysis data.
Process of quantitative risk analysis:
• Estimate the potential losses to the assets by defining their losses
• Analyze the potential threats to the assets
• Define the ALE
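The following is an added worked example, not code from the paper: it applies the SLE and ALE formulas defined in 4.2.1 to a small constructed asset inventory, ranks the threats by ALE, and then checks the cost/benefit of a safeguard, one of the results of risk analysis named in 4.2. The safeguard value formula (ALE before minus ALE after minus annual cost of the safeguard) is a common convention assumed here, not stated on the page; all figures are constructed.

```python
"""Quantitative risk analysis with the paper's terms (EF, SLE, ARO, ALE) plus a
safeguard cost/benefit check. Added example; every figure below is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, with the inputs the paper's formulas need."""
    name: str
    asset: str
    asset_value: float        # Asset Value in currency units
    exposure_factor: float    # EF: fraction of the asset lost per realized event (0..1)
    aro: float                # ARO: expected number of events per year

    def __post_init__(self) -> None:
        # Input errors here silently distort the ALE, so reject them early.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: Asset Value x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and the residual EF/ARO expected once it is in place."""
    name: str
    annual_cost: float                    # yearly amortised purchase + operating cost
    residual_aro: float                   # ARO after the safeguard
    residual_ef: Optional[float] = None   # EF after the safeguard; None = unchanged


def ale_with_safeguard(threat: Threat, safeguard: Safeguard) -> float:
    """ALE that remains after the safeguard reduces EF and/or ARO."""
    ef = threat.exposure_factor if safeguard.residual_ef is None else safeguard.residual_ef
    return threat.asset_value * ef * safeguard.residual_aro


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Annual value of a safeguard (assumed convention, not from the paper):
    ALE before - ALE after - annual cost. Positive means the spend is justified."""
    return threat.ale() - ale_with_safeguard(threat, safeguard) - safeguard.annual_cost


def rank_by_ale(threats):
    """Threat names ordered by ALE, highest first: where to focus resources."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale(), reverse=True)]


# Constructed sample inventory (illustrative figures, not real data).
THREATS = [
    Threat("web defacement", "public web server", 50_000, 0.10, 2.0),
    Threat("customer database breach", "customer database", 1_000_000, 0.60, 0.1),
    Threat("laptop theft", "sales laptop", 2_000, 1.00, 4.0),
]

SAFEGUARDS = {
    # Encryption leaves the hardware loss (EF 0.2) but removes the data loss.
    "laptop theft": Safeguard("full-disk encryption", 3_000, residual_aro=4.0, residual_ef=0.20),
    # Filtering halves the defacement rate but costs more than the risk it removes.
    "web defacement": Safeguard("web application firewall", 15_000, residual_aro=1.0),
}


def evaluate(threats=THREATS, safeguards=SAFEGUARDS):
    """Return {threat name: (ALE, safeguard value or None, decision)}.

    decision is 'mitigate' when the safeguard pays for itself, 'accept' when it
    costs more than the ALE it removes (document the acceptance, see 5.3), and
    'unassessed' when no safeguard has been proposed for the threat yet."""
    report = {}
    for t in threats:
        sg = safeguards.get(t.name)
        if sg is None:
            report[t.name] = (t.ale(), None, "unassessed")
            continue
        value = safeguard_value(t, sg)
        report[t.name] = (t.ale(), value, "mitigate" if value > 0 else "accept")
    return report


if __name__ == "__main__":
    for name, (ale, value, decision) in evaluate().items():
        print(f"{name:26s} ALE={ale:>10,.0f}  safeguard value={value}  -> {decision}")
    print("focus order:", rank_by_ale(THREATS))
```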
4.2.3. Qualitative risk analysis 
Qualitative risk analysis is a scenario-oriented approach; in contrast to quantitative analysis, a purely qualitative analysis is always possible. Instead of assigning pure dollar figures you rank threats on a scale to evaluate their risks, costs and outcomes.
The seriousness of the threats and the sensitivity of the assets are ranked or graded using a scenario approach. For each scenario you need to create an exposure rating scale and match the various threats to the identified assets. The type of threat, the potential loss to the assets and the selection of safeguards to reduce the risk should all be included in the description of your scenario.
4.3. Pitfalls 
This model of risk management has its pros and cons; the reliance on probability and impact factors is a major drawback of the concept. The foundation of your security is based on guesswork. Using only worst-case scenarios to cover all risks can be very effective, but it gives you a grim budget outlook. The opposite leaves your budget in the green zone but can make your security poor. Other approaches, described in the next chapter, could provide more realistic views of which security we need and to what level we need to bring it. Anticipating the unknown, providing an answer to attack vectors we do not yet know about, is impossible.
5. Sensible defence 
Information security is hard to understand and even harder to integrate successfully. Insecurity is not caused by today's risk management concept alone. Economic gain or loss, legislation, regulation and so on are also important vectors.
1) Security is a trade-off. We need to make trade-offs; cost is one, but there are more to make: convenience, liberty, functionality, time, etc.
I think the previous chapter has strong and weak points: using the risk management triple is extremely valuable, but trying to transform risk into numbers by using hefty formulas and relying on too many intangible values is for sure not a reliable way to integrate sensible and well-thought-out security.
This chapter outlines some of the problems and how they could be improved. There is no clear-cut solution to all the issues, but improving the existing approach by relying more on measurable values does provide better end results.
5.1. Economic incentives and security failure 
Economic incentives, profitability, market gain, etc. are important vectors in the decision process. Security risks and business risks are quite different; forecasting how the economic landscape will evolve based on the investment of new resources to increase profit is completely different from forecasting the probabilities of IT risks. Evaluating risks, and how much they are reduced by integrating new technology, is about as easy as playing Russian roulette. Even if you have all those statistics and numbers, if there is no legislation and no direct economic consequence you will not succeed in your job. This is plain business logic; managers deal with risk every day and are used to accepting certain levels of risk.
Example:
In a distributed denial of service attack it is very expensive to protect your web servers. You can spend thousands of euros to increase protection and it would still fail in certain circumstances. However, home users whose machines are being used as zombies do in general spend a few euros on an anti-virus product to protect themselves from threats. But they would rarely spend the same amount to prevent their machines from being used against others.
In economics this would be a "tragedy of the commons"; such situations should rather be solved through legislation that puts pressure on those who can fix the issue, instead of investing too much money in a solution that does not provide the necessary protection. Over the years we have witnessed that bad security often wins over good security. This can be explained rationally: the popularity of a system or service depends on factors other than security. If people use the less secure system more, your good system is doomed to failure. If you do not have a good economic reason why security should be a priority, you do not have a good chance of succeeding. Unfortunately, business today looks at security as a cost driver instead of as a cost reduction.
But an economic driver or market reaction sometimes forces a company to tackle security issues. When this happens, management does not have the burden of dealing with any type of risk assessment. Today companies are often confronted with such reactions from customers, auditors and other regulatory bodies.
5.2. Liability, regulation and compliance 
This is an ongoing debate and a very hard one.
Imposing laws to make better products, provide secure services, conduct audits, carry responsibility, etc. will definitely improve security in some way. All of this sounds easy and achievable, but the pitfalls are numerous and those opposed are many.
Security has technological components, but business treats security, in terms of risk management, as it does any other risk. Business aims to reduce costs and improve production. Why bother improving network security if the business survives defacement, denial of service, reputation damage and network downtime?
The point is that if you force companies to make their products secure, their economic gain could decline. And what about the brakes you put on creative minds and the development of new ideas? A company making a new product focuses on earning money and answering unmet needs in the market, which does not necessarily require advanced security in the initial stage.
If your government provides services on the internet you had better be sure they are secure; if there are no regulatory incentives, why shouldn't they opt for the cheaper, less secure option? By enforcing rules via laws, regulation or company policies we impose liability and make sure people are responsible for their deeds. I agree, regulation is not the all-in-one answer that helps you out in difficult times, but it can push industry to improve security. Some types of industry start with security and build their services inside the security boundaries.
We have different compliance bodies that are well developed and are pushing managers, companies and even governmental organizations towards a better and more secure environment. SOX, HIPAA, Basel II, etc. push for a better and safer environment by motivating managers to pay attention to issues that were ignored before. As time goes by and maturity develops, legislation will improve and regulatory bodies will be able to impose penalties to keep the motivation alive.
Example:
Power plants, for example, live up to high security standards regarding their personnel. We can be glad that they did not take the approach often used in the computer industry. Such an approach makes managers aware that risks cannot simply be accepted because of the high costs involved.
5.3. Due care and due diligence 
2) Due care means that a company did all that it could reasonably have done to try to prevent security breaches, and also took the necessary steps to ensure that if a security breach did take place, the damage was reduced because of the controls or countermeasures that existed. Due care means that a company practised common sense and prudent management practices with responsible actions.
Due diligence means that a company properly investigated all of its possible weaknesses and vulnerabilities before carrying out due care practices.
Due care and due diligence both need to be present to integrate a certain level of security successfully in your environment. To convince management we should distance ourselves from examples and results (from threat and vulnerability assessments) that are based on hypothetical values. It is almost impossible to convince people about something that has not yet materialised. Those intangible values can be replaced with real-life examples of the existence of a vulnerability, what solutions are available and who has integrated them already. Remember the approach: we are protecting against known threats, not trying to increase budgets based on the unknown.
If management still decides to accept the risk, which is completely normal in certain cases, we document it and give the business reasons; this is done to limit liability. The ultimate goal is good due diligence practice, which reduces ignorance and negligence. Due diligence results do not need to be proven valid: the result itself shows the good or bad experience. Solutions never come directly from an assessment but are chosen in light of the assessment results by means of due diligence. One can argue whether fortune telling is a better strategy than waiting for results from what has actually been achieved.
5.4. Technology 
The problem we have with technology today is that at a certain point it does provide protection but can create numerous other problems. Integrating additional tools, software or hardware does not imply that you improve security. An entire process of interacting mechanisms is needed to provide robust security. As shown in chapter 3, you need to rely on different techniques to create a secure environment. None of those concepts survives an attack without the support of the others. Over the years we have been overwhelmed by manufacturers providing us with the market-leading product, and still our networks are at stake.
Does this mean that the products are bad?
Honestly, I don't think the products are bad; the way they interact is perhaps not ideal. For years we have been focusing on prevention and less on detection and response. A good prevention tool is worthless without detection, and detection has no value if there is no response process involved; most of the time these functions are included in a good prevention product. During my career I have often had discussions on what to log and what not; logging everything does not increase your detection. It increases the data you gather but decreases the accuracy.
To make a safeguard valuable it requires interaction with other processes, systems or people. Good interaction occurs on different layers: logging the issue is the first, but notifying someone that there is an issue is mandatory to make the logging useful. After the alert, manual intervention might be required; again, this should be logged in a sensible way to have good change management.
All these features are available on the market; unfortunately the interaction between them is still at a low level.
Example:
Wiretapping the general public hasn't proved useful yet, and data mining or correlation on the data is even harder. It does work once there is a lead or a clue; unless you have some predefined known information your correlation will not have much value and could miss those parts of the data crucial to identifying the attack. Using detection alone to prevent issues is just not the right way to solve a security problem.
Security budgets for government matters do increase, yet people tend to feel less safe. In Belgium the police force has been increased significantly, but reducing crime is harder than ever before. Prevention and detection capabilities are sufficient, but response (the courts) is not keeping the same pace.
Another big debate is functionality vs. security. Frankly, I think this is a bad trade-off. Testing functionality is fairly easy: functionality is whether or not something works when it is used as planned. But when you test security you are trying to find out how a system behaves when placed under unanticipated circumstances, with an adversary trying to subvert the system. It will be very hard, if not impossible, to test security the way you test functionality.
5.5. Awareness campaign and training 
Awareness and training are mandatory to enhance your security. A clear distinction between training and awareness should be made.
Awareness campaign: An awareness campaign explains the "what is it"; it shows you the dangers or benefits of a certain tool, system or environment.
Training: Training informs you about the "how does it work": how do I use it, how do I integrate it, how do I get the most out of it.
Awareness increases security on the human level; human intelligence cannot be replaced by technology. But just as with technology, we need to make our staff aware of the risks involved in their jobs. Today many companies have understood that they need awareness, some because of regulation, some because of campaigns launched by governmental organisations. As risks and technology evolve at a rapid pace, we need to conduct awareness activities on a regular basis to keep them effective. Any means is good to make people aware of the risks. In our daily life we are confronted with several awareness campaigns that are time- or event-specific.
Example:
The 9/11 attacks provoked awareness in the UK; people were aware of the risks and knew how to respond in case of emergency. The results of the campaign were clear: panic was reduced to a minimum and casualties could be rescued within a reasonable time frame.
Training is equally important; knowing that there is a risk is just one part of the solution. How you protect yourself and how you use the tools provided is an important step and might be more difficult to achieve. It is clear that in certain cases and on certain subjects those two aspects are woven together. Explaining why one needs a password is one thing, but it may be useless without explaining how to make a strong password.
6. Conclusion 
Regardless of which model of risk management one uses, you are still using hypothetical data. Today there are no valid frequency and impact data available to give you valid and sensible results. It might be possible to guess the impact or frequency of an unusual incident. An unknown event or enemy can have an important effect on the risk, which makes the current security solution obsolete. I doubt that this will change for the better in the future, due to today's rapidly changing technology.
Managing risk by tangible values as outlined in the previous chapter is maybe an answer to this complex subject. Continuing with intangible risk assessment results is expensive and does not necessarily improve your current security; this does not mean you do not have to integrate it. Regulation and legislation can be met by doing a high-level risk assessment outlining the dangers and the caveats of the unknown.
This is not a plea to abandon the current way of handling risk; I just share my and other security professionals' view on the topic. As a consultant I have been confronted with many aspects of security and saw that some try to protect against things that have not yet materialized. FUD (fear, uncertainty and doubt) and hypes are still provoking the integration of security measures, and often these are not the solution to the problem.
Without Donn B. Parker's help I would not have been able to write this document. I got his authorisation to quote his article, but I tried to express some of his ideas in my own words.
7. References
1. Bruce Schneier: Beyond Fear
2. Shon Harris: CISSP Certification All-in-One Exam Guide
Books & articles:
Bruce Schneier: Beyond Fear
Economics and information security
Regulation, liability and computer security
Donn Parker: Making the case for replacing risk-based security
Ross Anderson: Why information security is hard: an economic perspective
Shon Harris: CISSP Certification All-in-One Exam Guide

  • 3. 1. Abstract: Sensible defence Security is not product related only, improving your products and manage your risk is mandatory to keep up with the latest threats. However some basic tools do increase your security but it is debatable if all these tools enhance your security in the way you expect perhaps they just give you a false sense of security. A false sense of security is the best cure for your conscious yet less effective against a real attack. Security is about risks and how you manage it, if you like to build good security you need to perform risk management and periodically measure risk against your security template. Attacks shift and so does your budget assignment. Simple questions can reveal more needs and address security in those areas of importance. Quote from Bruce Schneier • What are we trying to protect? • What risks to these assets? • How well is the solution in mitigating those risks? • What other risks does the solution cause? • What costs and trade-off does the solution impose? Risk Management an excellent mediator to gain an objective view on your security strategy. However it consumes a lot of valuable time and resources. But wasn't it important to implement security in the beginning of a project? Exactly, when your project is defined and you know more or less your destination risk management can be your guide to find the way. By starting to integrate your security request as early as possible in a project life cycle you increase the security as such and you reduce costs on a long term perspective. Remember you have to sell your security, at the end it is politics. It comes down to the weight you have in the decision and the motivation you used in the selling process. To integrate successfully your risk management result you should define where what to invest. Managing risks is more than just integrate technology controls. In security we protect the CIA triangle but to protect it you use 3 sometimes 4 different mechanisms. 
The four basic elements are prevention, detection, response and sometimes prediction, the latter is probably the hardest one to achieve. Balancing out these four will give you a sensible security mechanism which align with budget restraints and complies with your regulatory obligations.
2. Introduction

The security field undergoes a lot of changes at a rapid pace, making technology old-fashioned in a glimpse of time. Replacement and upgrades are deemed necessary if we may believe consultants and product vendors. But on what are these statements based? This paper shows how risk management is used today and what the pitfalls are. A lot of CISOs expressed their thoughts about it at the CISO 2003: today's approach has gaps and is based on too many intangible facts. This document outlines the problems security people encounter today.

Over the recent years we can see an increased awareness about security issues; however, being aware that there is a problem is not of much value if the countermeasures are not appropriate to the risk.

In this paper you can find the basic concept of risk management used today; it will not explain it in detail, nor how you should integrate it in your environment. It is included as a reference to compare with how I and many others think it could be done instead. It is my personal belief that today's concept is failing and that more reasonable strategies should be applied to get the necessary support from your management. The risk management process in its entirety has its limits; more specifically, it is the analysis that is insufficient to provide the required proof.

3. How risk mitigation works

Security is not about technology but about risks and how you manage them. Covering a risk in its entirety is not an easy thing, and accepting the risk could in the end be the only solution. Managing risk is based on different pillars; each of these pillars has an important function, but they are rendered useless if they are not woven together.

3.1. Detection

Detection is a passive security measure. It is an outstanding solution to fraud detection, for example, but less effective for the protection of corporate networks. Detection is common and used in our everyday life; the new radar system deployed in the UK to bill people driving to work by car is a perfect example. It does not prevent you from driving in the city, and it does not prevent you from not paying the bill (especially for foreigners), but it does detect you. No matter where you are from and what type of vehicle you drive, you will be noticed and receive a bill. The same goes for credit card companies; a lot of their security is based on detection. Detection might not be your Swiss army knife to solve security, but it is less expensive and in some cases the most acceptable measure to enhance security in your environment. Logging (un)authorized connections on a preventive measure can be considered a way of detection; logging these events can be used afterwards to detect anomalies.

3.2. Prevention

Prevention is an active security measure able to deny or allow access; decisions are made based on an integrated policy. Prevention stops certain attacks immediately, one of its biggest advantages compared with detection or response, which react once the event has passed. Technologies providing prevention techniques are not waterproof either; prevention does what it says as long as the device, the software or even the human being acts in a proper way. A flaw in the procedure or software can render it useless. Prevention technology is definitely the most expensive way to secure your environment. One should weigh the benefits against the costs and explore other measures before putting all the eggs in one basket. Firewalls were thought to be the answer to network security; however, there are so many badly configured firewalls that it is sometimes better not to have any. A false sense of security can be worse than no security at all.

3.3. Response

Incident response is important in many aspects. Response shows how the attack took place, how it has been detected and how it can be prevented in the future. Often response is put aside due to time and cost restrictions, but many companies doing incident response realise that it saves a lot of valuable time whenever a similar attack occurs. Incident response helps to recover quickly and efficiently, and provides visibility on the events happening during a defined period of time.
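As an added illustration of the idea in 3.1 (detection layered on a preventive measure) and the hand-off to response in 3.3, not code from the paper: the firewall denies the connections, and its DENY log is mined afterwards for a source that touched many distinct ports within a short window. The log lines and their format are constructed for this example and do not correspond to any real product.

```python
"""Detection layered on a preventive measure: mine a firewall's DENY log for
sources probing many distinct ports, and hand the finding to response.
Added example; the log format below is constructed, not a real product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso timestamp> <ACTION> src=<ip> dst=<ip> dport=<n>"
SAMPLE_LOG = """\
2003-11-05T10:00:01 DENY src=198.51.100.7 dst=192.0.2.10 dport=22
2003-11-05T10:00:02 DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2003-11-05T10:00:02 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=80
2003-11-05T10:00:03 DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2003-11-05T10:00:04 DENY src=198.51.100.7 dst=192.0.2.10 dport=135
2003-11-05T10:00:05 DENY src=198.51.100.7 dst=192.0.2.10 dport=445
2003-11-05T10:00:06 DENY src=203.0.113.9 dst=192.0.2.10 dport=443
2003-11-05T10:09:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=3389
2003-11-05T10:30:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=443
garbage line the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def find_port_probers(events, min_ports=5, window=timedelta(minutes=5)):
    """Sources denied on at least min_ports distinct ports within any window.

    Only DENY events count: the firewall already did the prevention, and the
    denied attempts are what carries the detection signal. Returns
    {src: sorted list of probed ports} for the first window that qualifies."""
    denied = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denied[e["src"]].append(e)
    hits = {}
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


def response_tickets(hits, events):
    """Hand-off to the response process (3.3): one record per offending source,
    with the evidence a responder needs and a field for the action taken."""
    tickets = []
    for src, ports in hits.items():
        evs = [e for e in events if e["src"] == src and e["action"] == "DENY"]
        tickets.append({"src": src, "ports": ports, "denied_attempts": len(evs),
                        "first_seen": min(e["ts"] for e in evs).isoformat(),
                        "action_taken": None})  # filled in and logged by the responder
    return tickets


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for t in response_tickets(find_port_probers(evs), evs):
        print(t)
```

The single source that is denied on five ports within five minutes is reported; the source denied twice on the same port is not, and the lone attempt outside the window does not count towards the threshold.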
4. Risk management concept today

Security relies on the management and reduction of risk by assessing, reporting and controlling the risk. It encompasses a number of activities which constitute a systematic process that aims to optimize the decision-making process and improve the results. The identification of risk to an organization entails defining the four following basic elements:
• The actual threat
• The possible consequences of the realized threat (impact)
• The probable frequency of the occurrence of a threat (frequency)
• The extent to which we are confident that the threat will happen (probability)

4.1. The process

Some crucial steps are mandatory to enhance your risk management process. These simple identifiers enable you to control the complete cycle of the risk you would like to measure.

4.1.1. Governance

Good governance establishes a repeatable and auditable methodology for the integration of the risk management process across the enterprise. The governance process outlines what, how and by whom the risk management activities are performed. Clearly, a risk management team must aim to develop and establish the commitment, support and participation of top management to succeed in its mission.

4.1.2. Context

The context determines the company's relationship with its environment. It consists of two important influencers which shape the design of your risk management strategy. External factors could be anything like cultural, commercial or regulatory influences. Internal factors would be governance, reporting, business structure etc.

4.1.3. Identification

Determining and identifying the risks that your company is exposed to is perhaps the most important step in being successful at risk management. Focusing on tangible results only is a common mistake; clearly, intangible values are harder to measure but no less important for that.
Risk identification in your enterprise entails four basic principles:
• The actual threat
• The possible consequences when a threat materializes
• The probable frequency of occurrence of a threat
• The probability a threat will occur

4.2. Risk analysis

Risk analysis is a process to ensure that the security measures for an environment are adequate to reduce the risks. By applying risk analysis you determine the risks and develop a plan on how to deal with them. Analysing the identified risks gives you a better understanding of the likelihood and potential outcome of an event impacting your company. The main purpose of risk analysis is to quantify the impact of a potential risk. The goal is to put a price or value on the loss. The main results of risk analysis are:
• Identification of the current risks
• The cost/benefit justification of the countermeasures
• Influence on the decision-making process about hardware, etc.
• Focus of security resources where they are needed most

This chapter provides you with a brief outline of how risk analysis works. These concepts are not invented by the author and are only here as a reference.

4.2.1. Key terms

Scientifically, a risk is defined as the product of the threat and the vulnerability. But in risk management we identify the risk as the probability that a threat will materialize. Risk can be considered potential harm or loss to a system.

The risk management triple:
• Asset: A resource, process, product, system etc. Its value equals the cost of creation, development, licence, support and replacement, plus credibility, what is lost if IP is disclosed, and ownership values. The asset is the precious item you are trying to protect.
• Threat: Any event that causes an undesirable impact on your organization.
• Vulnerability: The absence of a safeguard constitutes a vulnerability. Vulnerability is a threat that circumvents or makes use of a weakness in your safeguard.

The terms:
Safeguard: A control or countermeasure to reduce the risk associated with a threat.
Exposure Factor (EF): EF represents the percentage of loss a realized threat event would have on a specific asset. EF ranges from a high to a low percentage: from a catastrophic loss down to just the loss of a single PC.
Single Loss Expectancy (SLE): An SLE is the dollar figure that is assigned to a single event.
Asset Value ($) x Exposure Factor (EF) = SLE
Annualized Rate of Occurrence (ARO): Represents the number of times an event could happen on a per-year basis.
Annualized Loss Expectancy (ALE): The expected loss on a per-year basis. The ALE can be derived from the following.
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = ALE

4.2.2. Quantitative risk analysis

The aim of quantitative risk analysis is to assign concrete probability percentages, for example real money values to the loss of an asset. As simple as it might look, the complete process should be considered a major project within your organization. Be aware that you cannot apply quantitative analysis alone, because it relies on qualitative analysis data.

Process of quantitative risk analysis:
• Estimate potential losses to the assets by defining their losses
• Analyze potential threats to the assets
• Define the ALE

4.2.3. Qualitative risk analysis

Qualitative risk analysis is a scenario-oriented approach; in contrast to quantitative analysis, a purely qualitative analysis is always possible. Instead of assigning pure dollar figures, you rank threats on a scale to evaluate their risks, costs and outcome. The seriousness of threats and the sensitivity of the assets are ranked or graded by using a scenario approach. For each scenario you need to create an exposure rating scale and match the various threats to the identified assets. The type of threat, the potential loss to the assets and the selection of safeguards to reduce the risk should be included in the description of your scenario.

4.3. Pitfalls

This model of risk management has its pros and cons; the reliance on probability and impact factors is a major downfall of this concept. The foundation for your security is based on guesswork; it can be very effective to use only the worst-case scenarios to cover all risks, but that will give you a budget outlook that looks grim. The contrary leaves your budget in the green zone but can make your security poor.
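A worked illustration of the 4.2.1 formulas (Asset Value x EF = SLE, SLE x ARO = ALE) and of the 4.3 pitfall, added here and not taken from the paper: the same constructed portfolio is priced once with optimistic and once with worst-case guesses for EF and ARO, and the resulting budget swings by more than an order of magnitude. The safeguard_value rule (ALE reduction minus the safeguard's annual cost) is a common extension of these terms that the paper itself does not state; all figures are constructed.

```python
"""Quantitative risk analysis with the paper's terms, plus the guesswork
sensitivity of 4.3. Added example; all asset values, EF and ARO figures
are constructed, and safeguard_value() is an assumed extension."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: float  # AV, in euros (constructed)
    ef_low: float       # optimistic Exposure Factor, fraction 0..1
    ef_high: float      # worst-case Exposure Factor
    aro_low: float      # optimistic Annualized Rate of Occurrence
    aro_high: float     # worst-case ARO


def sle(asset_value, ef):
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * ef


def ale(asset_value, ef, aro):
    """Annualized Loss Expectancy = SLE x Annualized Rate of Occurrence."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, ef) * aro


def ale_range(s):
    """(green-zone ALE, grim ALE): the two budgets 4.3 warns about."""
    return (ale(s.asset_value, s.ef_low, s.aro_low),
            ale(s.asset_value, s.ef_high, s.aro_high))


def portfolio_ale_range(scenarios):
    """Sum the optimistic and the worst-case ALE over every scenario."""
    lows, highs = zip(*(ale_range(s) for s in scenarios))
    return sum(lows), sum(highs)


def safeguard_value(ale_before, ale_after, annual_cost):
    """Net yearly value of a countermeasure: ALE reduction minus its cost.
    Assumed cost/benefit rule, not stated in the paper; negative means the
    safeguard costs more per year than the loss it is expected to avoid."""
    return (ale_before - ale_after) - annual_cost


# Constructed portfolio: (name, AV, EF low, EF high, ARO low, ARO high)
PORTFOLIO = [
    Scenario("web server defacement", 50_000, 0.10, 0.60, 0.5, 4.0),
    Scenario("laptop theft (single PC)", 2_000, 1.00, 1.00, 1.0, 3.0),
    Scenario("customer database disclosure", 500_000, 0.20, 0.80, 0.05, 0.5),
]


if __name__ == "__main__":
    low, high = portfolio_ale_range(PORTFOLIO)
    print(f"portfolio ALE: optimistic {low:,.0f} EUR, worst case {high:,.0f} EUR")
    # The same hypothetical safeguard (8,000 EUR/year, cuts defacement ARO by 8x)
    # judged under each set of guesses: the verdict flips with the guesswork.
    web = PORTFOLIO[0]
    for label, ef, aro in (("optimistic", web.ef_low, web.aro_low),
                           ("worst case", web.ef_high, web.aro_high)):
        before = ale(web.asset_value, ef, aro)
        after = ale(web.asset_value, ef, aro / 8)
        print(f"{label}: safeguard value {safeguard_value(before, after, 8_000):,.0f} EUR")
```

With these inputs the portfolio ALE is 9,500 EUR under the optimistic guesses and 326,000 EUR under the worst-case ones, and the identical safeguard is a net loss in the first view and clearly justified in the second.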
Other approaches, described in the next chapter, could provide more realistic views on which security we need and to what level we need to bring it. Anticipating the unknown, providing an answer to vectors of attack we do not yet know about, is impossible.

5. Sensible defence

Information security is hard to understand and even harder to successfully integrate. Insecurity is not caused by today's risk management concept. Economic gain or loss, legislation, regulation and so on are also important vectors.

1) Security is a trade-off. We need to make trade-offs; cost is one, but there are more trade-offs to make: convenience, liberty, functionality, time etc.
I think the previous chapter has strong and weak points. Using the risk management triple is extremely valuable, but trying to transform risk into numbers by using hefty formulas and relying on too many intangible values is for sure not a reliable way to integrate sensible and well thought-out security. This chapter will outline some of the problems and how they could be improved. There is no clear-cut solution to all the issues, but improving the existing approach by relying more on measurable values does provide better end results.

5.1. Economic incentives and security failure

Economic incentives, profitability, market gain, etc. are important vectors in the decision process. Security risks and business risks are quite different; forecasting how the economic landscape evolves based on the investment of new resources to increase profit is completely different from forecasting the probabilities of IT risks. Evaluating risks, and how much risks are reduced by integrating new technology, is as easy as playing Russian roulette. Even if you have all those statistics and numbers, if there is no legislation and no direct economic consequence you will not succeed in your job. This is plain business logic; managers deal with risk every day and are used to accepting certain levels of risk.

Example: In a distributed denial of service attack it is very expensive to use measures to protect your web servers. You can spend thousands of euros to increase protection and it would still fail in certain circumstances. However, home users whose machines are being used as zombies do in general spend a few euros to buy an anti-virus to protect themselves from threats. But they would rarely spend the same amount to prevent their machines from being used.
In the economic world this would be a "tragedy of the commons"; these situations should rather be solved in a legislative way, to put pressure on those who can fix the issue, instead of investing too much money in a solution that does not provide the necessary protection. Over the years we have witnessed that bad security often wins over good security. It can be explained rationally: the popularity of a system or service is related to factors other than security. If people use the less secure system more, your good system is doomed to failure. If you do not have a good economic reason why security should be a priority, you do not have a good chance of succeeding. Unfortunately, today business looks at security as a cost enabler instead of looking at it as a cost reduction.
But an economic drive or market reaction sometimes forces a company to tackle security issues. When this happens, management does not have the burden of dealing with any type of risk assessment. Today companies are often confronted with such reactions from customers, auditors and other regulatory bodies.

5.2. Liability, regulation and compliance

This is an ongoing debate and a very hard one. Imposing laws to make better products, provide secure services, conduct audits, carry responsibility etc. will definitely improve security in some way. All of this sounds easy and achievable, but the pitfalls are numerous and the people against it plentiful. Security has technological components, but business regards security, in terms of risk management, as it does any other risk. Business aims to reduce costs and improve production. Why bother improving network security if the business survives defacement, denial of service, reputation damage and network downtime? The point is that if you force companies to make their products secure, their economic gain could decline. And what about the brakes you put on the creative mind and the development of new ideas? A company making a new product has its focus on gaining money and replying to unanswered issues in the market, which does not necessarily require advanced security in the initial stage. If your government provides services on the internet you had better be sure they are secure; if there are no regulatory incentives, why shouldn't they opt for the cheaper, less secure option? By enforcing rules via laws, regulation or company policies we impose liability and make sure people are responsible for their deeds. I agree, regulation is not the all-in-one helping you out in difficult times, but it can push industry to improve security. Some types of industry start with security and build their services inside the security boundaries.
We have different compliance bodies that are well developed and are pushing managers, companies and even governmental organizations towards a better and more secure environment. SOX, HIPAA, Basel II, etc. do push to create a better and safer environment by motivating managers to pay attention to issues that were ignored before. As time goes by and maturity develops, legislation will improve and regulatory bodies can impose penalties to keep the motivation alive.

Example: Power plants, for example, live up to high security standards regarding their personnel. We can be delighted that they did not use the same approach as is often used in the computer industry. Such an approach makes managers aware that risks cannot be accepted because of the high costs involved.

5.3. Due care and due diligence

2) Due care means that a company did all that it could have reasonably done to try and prevent security breaches, and also took the necessary steps to ensure that if a security breach did take place, the damages were reduced because of the controls or countermeasures that existed. Due care means that a company practised common sense and prudent management practices with responsible actions.
Due diligence means that a company properly investigated all of its possible weaknesses and vulnerabilities before carrying out due care practices.

Due care and due diligence both need to be present to successfully integrate a certain level of security in your environment. To convince management we should distance ourselves from examples and results (from threat and vulnerability assessment) that are based on hypothetical values. It is almost impossible to convince people on a subject that has not yet materialised. Replacing those intangible values can be achieved by using real-life examples of the existence of a vulnerability, what solutions are available and who has integrated them already. Remember the approach: we are protecting against known threats and not trying to increase budgets based on the unknown. If management still decides to accept the risk, which is completely normal in certain cases, we document it and motivate it with the business reasons; this is done to limit liability. The ultimate goal is to achieve good due diligence practice; this reduces ignorance and negligence. Due diligence results do not need to be proven valid; the result itself shows the good or bad experience. Solutions never come directly from an assessment but are chosen according to the assessment results by means of due diligence. One can argue whether fortune telling is a better strategy compared to awaiting results from what has actually been achieved.

5.4. Technology

The problem we have today with technology is that at a certain point it does provide protection but can create numerous other problems. Integrating additional tools, software or hardware does not imply that you improve security. An entire process of mechanisms that interact is needed to provide robust security. As shown in chapter 3, you need to rely on different techniques to create a secure environment. None of those concepts survives an attack without the support of the others.
Over the years we have been overwhelmed by manufacturers providing us with the market-leading product, and still our networks are at stake. Does it mean that the products are bad? Honestly, I don't think the products are bad; the way they interact is perhaps not ideal. For years we have been focusing on prevention and less on detection and response. A good prevention tool is worthless without detection, and detection has no value if there is no response process involved; most of the time these functions are included in a good prevention product. During my career I have often had discussions on what to log and what not; logging everything does not increase your detection. It increases the data you gather but decreases the accuracy.
To make a safeguard valuable it requires interaction with other processes, systems or people. A good interaction occurs on different layers: logging the issue is the first, but reporting that there is an issue is mandatory to make the logging useful. After the alert a manual intervention might be required; again, this should be logged in a sensible way to have good change management. All these features are available on the market; unfortunately the interaction between them is still at a low level.

Example: Wiretapping the mass public has not proven to be useful yet; data mining or correlation on the data is even harder. It does work once there is a lead or a clue; unless you have some predefined known information, your correlation will not have much value and could miss those parts of the data crucial to identify the attack. Using detection only to prevent issues is just not the right way to solve a security issue. Security budgets for government issues do increase; however, people tend to feel less safe. In Belgium the police force has increased significantly, but reducing crime is harder than ever before. Prevention and detection capabilities are sufficient, but response (the courts) is not at the same pace.

Another big debate is functionality vs. security. Frankly, I think this is a bad trade-off. Testing functionality is fairly easy. Functionality is whether or not something works when it is being used as planned. But if you test security you are trying to find out how a system behaves when placed under unanticipated circumstances, with an adversary trying to subvert the system. It will be very hard, if not impossible, to test security the way you test functionality.

5.5. Awareness campaign and training

Awareness and training are mandatory to enhance your security. A good distinction between training and awareness should be made.
Awareness campaign: A campaign for awareness explains the "what is it"; it shows you the dangers or benefits of a certain tool, system or environment.
Training: Training informs you about the "how does it work": how do I use it, how do I integrate it, how do I get the most out of it.

Awareness increases security on a human level; human intelligence is irreplaceable by technology. But just as with technology, we need to make our staff aware of the risks involved in their job. Today many companies have understood that they need awareness, some because of regulation, some because of campaigns launched by governmental organisations. As risks and technology evolve at a rapid pace, we need to conduct awareness on a regular basis to make it effective. Any means are good to make people aware of the risks. In our daily life we are confronted with several awareness campaigns which are time- or event-specific.

Example: The 9/11 attacks provoked awareness in the UK; people were aware of the risks and knew how to respond in case of emergency. The results of the campaign were clear: panic was reduced to a minimum and casualties could be rescued within a respectable time frame.

Training is equally important; knowing that there is a risk is just one part of the solution. How you protect and how you use the provided tools is an important step and might be more difficult to achieve. It is clear that in certain cases and on certain subjects those two aspects are woven together. Explaining why one needs a password is one thing, but it might be useless without explaining how to make a strong password.

6. Conclusion

Regardless of which model of risk management one uses, you are still using hypothetical data. Today there are no valid frequency and impact data available to provide you with valid and sensible results. It might be possible to guess the impact or frequency of an unusual incident. An unknown event or enemy can have an important effect on the risk, which makes the current security solution obsolete. I doubt that this will change for the better in the future, due to today's rapidly changing technology. Managing risk by tangible values, as outlined in the previous chapter, is maybe an answer to this complex subject. Continuing with intangible risk assessment results is expensive and does not necessarily improve your current security; this does not mean you do not have to integrate it. Regulation and legislation can be met by doing a high-level risk assessment outlining the dangers and the caveats of the unknown. This is not a plea to abandon the current way of handling risk; I just share my and other security professionals' view on the topic. As a consultant I have been confronted with many aspects of security and saw that some try to protect against things that have not yet materialised. FUD (fear, uncertainty and doubt) and hypes are still provoking the integration of security measures; often these are not the solution to the problem.

Without Donn B. Parker's help I would not have been able to make this document. I got the authorisation to quote his article, but I tried to write some of his ideas in my own words.
7. References

1 Bruce Schneier: Beyond Fear
2 Shon Harris: CISSP Certification All-in-One Exam Guide

Books & articles:
Bruce Schneier: Beyond Fear
Economics and information security
Regulation, liability and computer security
Donn Parker: Making the case for replacing risk-based security
Ross Anderson: Why information security is hard: an economic perspective
Shon Harris: CISSP Certification All-in-One Exam Guide