Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
The present study examined a selection of 76 ransomware splash screens collected from a variety of sources. These splash screens were analysed according to surface information, including aspects of visual appearance, the use of language, cultural icons, payment and payment types. The results from the current study showed that, whilst there was a wide variation in the construction of ransomware splash screens, there was a good degree of commonality, particularly in terms of the structure and use of key aspects of social engineering used to elicit payment from the victims. There was the emergence of a sub-set of ransomware that, in the context of this report, was termed ‘Cuckoo’ ransomware. This type of attack often purported to be from an official source requesting payment for alleged transgressions.
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...IJNSA Journal
The prediction of attacks is essential for the prevention of potential risk. Therefore, risk forecasting contributes a lot to the optimization of the information security budget. This article focuses on the ontology and stages of a cyberattack. It introduces the main representatives of the attacking side and describes their motivation.
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
The present study examined a selection of 76 ransomware splash screens collected from a variety of sources. These splash screens were analysed according to surface information, including aspects of visual appearance, the use of language, cultural icons, payment and payment types. The results from the current study showed that, whilst there was a wide variation in the construction of ransomware splash screens, there was a good degree of commonality, particularly in terms of the structure and use of key aspects of social engineering used to elicit payment from the victims. There was the emergence of a sub-set of ransomware that, in the context of this report, was termed ‘Cuckoo’ ransomware. This type of attack often purported to be from an official source requesting payment for alleged transgressions.
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...IJNSA Journal
The prediction of attacks is essential for the prevention of potential risk. Therefore, risk forecasting contributes a lot to the optimization of the information security budget. This article focuses on the ontology and stages of a cyberattack. It introduces the main representatives of the attacking side and describes their motivation.
Threat modeling is a way of thinking about what can go wrong and how to prevent it. Instinctively, we all think this way in regard to our own personal security and safety. When it comes to building or evaluating information systems, we need to develop a similar mindset. In this slide deck, Robert Hurlbut provides practical strategies to develop a threat modeling mindset by: understanding a system, identifying threats, identifying vulnerabilities, determining mitigations and applying the mitigations through risk management.
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
Presented at BSides Perth 2019
Synopsis:
Although the practice of collecting and using intelligence has been studied and conducted by governments and the military for centuries, it’s relative application to Cyber Security has only recently been highlighted. This area of infosec has been termed Cyber Threat Intelligence, where the marriage of traditional intelligence techniques and analysis with deep technical understanding within the Cyber domain are used to predict future actions by threats through long term analysis and modelling. This approach is then used to support both proactive and reactive cyber security actions, from incident response to penetration testing. This presentation focuses on threat intelligence from a practical data perspective, moving away from just the commercial concept of threat intelligence feeds (although these form one part of the equation). This presentation will approach threat intelligence from an analysts perspective of what questions needs to be answered to effectively investigate an incident, using the Diamond Model and Cyber Kill Chain as framing devices. These questions will then lead to examples of the data that can be used to answer these questions. Although traditionally data collection has focused on external cyber information, more often than not however, it’s actions outside of those seen within an organisations network, or even outside cyberspace that can provide context to the actions a threat takes. Finally, we provide a number of use cases on which the results of threat intelligence processes can be applied within a Security Operations Centre, including Incident Response as well as traditional Penetration Testing and Red Teaming.
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
A presentation about developing Cyber Risk Rating Tables and measuring how good they are at assessing your organization's risk. Covers the following:
1) Building a threat library and risk rating tables
2) Utilizing OSINT to evaluate forecasts
3) Reporting risk forecast accuracy
A predictive framework for cyber security analytics using attack graphsIJCNCJournal
Security metrics serve as a powerful tool for organizations to understand the effectiveness of protecting computer networks. However majority of these measurement techniques don’t adequately help corporations to make informed risk management decisions. In this paper we present a stochastic security framework for obtaining quantitative measures of security by taking into account the dynamic attributes associated with vulnerabilities that can change over time. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
GENERATING REPRESENTATIVE ATTACK TEST CASES FOR EVALUATING AND TESTING WIRELE...IJNSA Journal
Openness of wireless communication medium and flexibility in dealing with wireless communication protocols and their vulnerabilities create a problem of poor security. Due to deficiencies in the security mechanisms of the first line of defense such as firewall and encryption, there are growing interests in detecting wireless attacks through a second line of defense in the form of Wireless Intrusion Detection System (WIDS). WIDS monitors the radio spectrum and system activities and detects attacks leaked from the first line of defense. Selecting a reliable WIDS system depends significantly on its functionality and performance evaluation. Comprehensive and credible evaluation of WIDSs necessitates taking into
account all possible attacks. While this is operationally impossible, it is necessary to select representative
attack test cases that are extracted mainly from a comprehensive classification of wireless attacks. Dealing with this challenge, this paper proposes a holistic taxonomy of wireless security attacks from the perspective of the WIDS evaluator. This proposed taxonomy includes all relevant necessary and sufficient dimensions for wireless attacks classification and it helps in generating and extracting the representative attack test cases.
6 Most Popular Threat Modeling MethodologiesEC-Council
Threat modeling is one of the most effective preventive security measures, empowering cybersec professionals to put a robust cybersecurity strategy in place. So, let’s learn more about threat modeling in this SlideShare.
If you are keen to learn effective threat modeling after going through the SlideShare, click here: https://www.eccouncil.org/programs/threat-intelligence-training/
Behavioral Models of Information Security: Industry irrationality & what to d...Kelly Shortridge
I examine the information security industry through the lens of behavioral models. Traditional ways of thinking about defensive and offensive motivations focus on models such as game theory, which tend to assume the people on each side are “rational” actors. However, humans have lots of quirks in their thinking that are the result of cognitive biases, and that lead to “irrational” behaviors.
The question therefore is: what biases do defenders and attackers have when they make decisions, and how can we leverage these insights to improve the efficacy of defense? In particular, I’ll discuss what implications theories such as Prospect Theory, time inconsistency, less-is-better effect, sunk cost fallacy, dual system theory and social biases such as fairness and trust have for why the industry dynamics are the way they are.
Given at NCC Group's Security Open Forum on August 17, 2016
Vulnerability scanners a proactive approach to assess web application securityijcsa
With the increasing concern for security in the network, many approaches are laid out that try to protect
the network from unauthorised access. New methods have been adopted in order to find the potential
discrepancies that may damage the network. Most commonly used approach is the vulnerability
assessment. By vulnerability, we mean, the potential flaws in the system that make it prone to the attack.
Assessment of these system vulnerabilities provide a means to identify and develop new strategies so as to
protect the system from the risk of being damaged. This paper focuses on the usage of various vulnerability
scanners and their related methodology to detect the various vulnerabilities available in the web
applications or the remote host across the network and tries to identify new mechanisms that can be
deployed to secure the network.
Threat modeling is a way of thinking about what can go wrong and how to prevent it. Instinctively, we all think this way in regard to our own personal security and safety. When it comes to building or evaluating information systems, we need to develop a similar mindset. In this slide deck, Robert Hurlbut provides practical strategies to develop a threat modeling mindset by: understanding a system, identifying threats, identifying vulnerabilities, determining mitigations and applying the mitigations through risk management.
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
Presented at BSides Perth 2019
Synopsis:
Although the practice of collecting and using intelligence has been studied and conducted by governments and the military for centuries, it’s relative application to Cyber Security has only recently been highlighted. This area of infosec has been termed Cyber Threat Intelligence, where the marriage of traditional intelligence techniques and analysis with deep technical understanding within the Cyber domain are used to predict future actions by threats through long term analysis and modelling. This approach is then used to support both proactive and reactive cyber security actions, from incident response to penetration testing. This presentation focuses on threat intelligence from a practical data perspective, moving away from just the commercial concept of threat intelligence feeds (although these form one part of the equation). This presentation will approach threat intelligence from an analysts perspective of what questions needs to be answered to effectively investigate an incident, using the Diamond Model and Cyber Kill Chain as framing devices. These questions will then lead to examples of the data that can be used to answer these questions. Although traditionally data collection has focused on external cyber information, more often than not however, it’s actions outside of those seen within an organisations network, or even outside cyberspace that can provide context to the actions a threat takes. Finally, we provide a number of use cases on which the results of threat intelligence processes can be applied within a Security Operations Centre, including Incident Response as well as traditional Penetration Testing and Red Teaming.
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
A presentation about developing Cyber Risk Rating Tables and measuring how good they are at assessing your organization's risk. Covers the following:
1) Building a threat library and risk rating tables
2) Utilizing OSINT to evaluate forecasts
3) Reporting risk forecast accuracy
A predictive framework for cyber security analytics using attack graphsIJCNCJournal
Security metrics serve as a powerful tool for organizations to understand the effectiveness of protecting computer networks. However majority of these measurement techniques don’t adequately help corporations to make informed risk management decisions. In this paper we present a stochastic security framework for obtaining quantitative measures of security by taking into account the dynamic attributes associated with vulnerabilities that can change over time. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
GENERATING REPRESENTATIVE ATTACK TEST CASES FOR EVALUATING AND TESTING WIRELE...IJNSA Journal
Openness of wireless communication medium and flexibility in dealing with wireless communication protocols and their vulnerabilities create a problem of poor security. Due to deficiencies in the security mechanisms of the first line of defense such as firewall and encryption, there are growing interests in detecting wireless attacks through a second line of defense in the form of Wireless Intrusion Detection System (WIDS). WIDS monitors the radio spectrum and system activities and detects attacks leaked from the first line of defense. Selecting a reliable WIDS system depends significantly on its functionality and performance evaluation. Comprehensive and credible evaluation of WIDSs necessitates taking into
account all possible attacks. While this is operationally impossible, it is necessary to select representative
attack test cases that are extracted mainly from a comprehensive classification of wireless attacks. Dealing with this challenge, this paper proposes a holistic taxonomy of wireless security attacks from the perspective of the WIDS evaluator. This proposed taxonomy includes all relevant necessary and sufficient dimensions for wireless attacks classification and it helps in generating and extracting the representative attack test cases.
6 Most Popular Threat Modeling MethodologiesEC-Council
Threat modeling is one of the most effective preventive security measures, empowering cybersec professionals to put a robust cybersecurity strategy in place. So, let’s learn more about threat modeling in this SlideShare.
If you are keen to learn effective threat modeling after going through the SlideShare, click here: https://www.eccouncil.org/programs/threat-intelligence-training/
Behavioral Models of Information Security: Industry irrationality & what to d...Kelly Shortridge
I examine the information security industry through the lens of behavioral models. Traditional ways of thinking about defensive and offensive motivations focus on models such as game theory, which tend to assume the people on each side are “rational” actors. However, humans have lots of quirks in their thinking that are the result of cognitive biases, and that lead to “irrational” behaviors.
The question therefore is: what biases do defenders and attackers have when they make decisions, and how can we leverage these insights to improve the efficacy of defense? In particular, I’ll discuss what implications theories such as Prospect Theory, time inconsistency, less-is-better effect, sunk cost fallacy, dual system theory and social biases such as fairness and trust have for why the industry dynamics are the way they are.
Given at NCC Group's Security Open Forum on August 17, 2016
Vulnerability scanners a proactive approach to assess web application securityijcsa
With the increasing concern for security in the network, many approaches are laid out that try to protect
the network from unauthorised access. New methods have been adopted in order to find the potential
discrepancies that may damage the network. Most commonly used approach is the vulnerability
assessment. By vulnerability, we mean, the potential flaws in the system that make it prone to the attack.
Assessment of these system vulnerabilities provide a means to identify and develop new strategies so as to
protect the system from the risk of being damaged. This paper focuses on the usage of various vulnerability
scanners and their related methodology to detect the various vulnerabilities available in the web
applications or the remote host across the network and tries to identify new mechanisms that can be
deployed to secure the network.
Internet of Things (IoT) devices are everywhere, and they're not going away any time soon.Here are some Security Challenges of IoT. #ChromeInfotech
1. How does IoT works?
2. What are the top security challenges that a mobile application developers face?
3. What are the challenges that IoT brings to mobile developers?
Common and dangerous myths about security vulnerability assessments from experienced vulnerability assessors of physical security and nuclear safeguards devices, systems, and programs.
Safety is not a good basis for security, but the reverse may not be true. This paper discusses using the techniques of security vulnerability assessments to improve safety.
Explain the differences between a threat assessment- a vulnerability a.docxjames876543264
Explain the differences between a threat assessment, a vulnerability assessment, and an exploit assessment.
Solution
Some of the most commonly used security are misunderstood or used as if they were synonymous. Certain of these security terms are so closely related that it\'s worth examining these together. Today, we\'ll look at several related terms – threat, vulnerability, and exploit
Threats:-
These are generally can NOT be controlled.
Security considers several kinds of threats. A threat may be an expressed or demonstrated intent to harm an asset or cause it to become unavailable.
Hostile acts that target an asset, irrespective of the motive, are considered threats
Acts of nature, human error or negligence are also considered threats.
Someone or some thing must express or pose a threat. These are threat actors
vulnerability :-
A vulnerability is a flaw in the measures you take to secure an asset.
which considers only flaws or weaknesses in systems or networks
For example, if you do not run antivirus and antimalware software, your laptop or mobile device is vulnerable to infections.
How you configure software, hardware and even email or social media accounts can also create vulnerabilities.
exploit :-
The term exploit is commonly used to describe a software program that has been developed to attack an asset by taking advantage of a vulnerability.
The objective of many exploits is to gain control over an asset.
a successful exploit of a database vulnerability can provide an attacker with the means to collect or exfiltrate all the records from that database.
The successful use of exploits of this kind is called a data breach.
.
Proactive Security - Principled Aspiration or Marketing Buzzword?nathan816428
Whenever a new cybersecurity acronym or term starts gaining momentum, it is usually met with two distinct and opposite reactions: vendors jump on the bandwagon and claim it while security professionals try to decipher whether there’s substance and value or just a new buzzword. In this presentation, we will attempt to take an objective and critical look at a term that is quickly becoming today’s “zero trust”.
Module 3 - Information Assurance Concepts.pdfPercivalAdao7
The 19th century military strategist Helmuth von Moltke is
right, he could discourage even the best planner with his
aphorism of “No plan survives contact with the enemy.”
Once engaged, attackers have the advantage: They know
what they are going to do and what their objective is. To
provide an effective defense, each layer must be
composed of multiple countermeasures of varying
complexity, application, and rigor; this is defense-in-depth
Threat hunters are security professionals who proactively search for threats and vulnerabilities in an organization's systems and networks. They use a variety of tools and techniques to identify potential threats, investigate suspicious activity, and respond to security incidents.
This is the June 2022 issue of the Journal of Physical Security. In addition to the usual editor’s rants and news about security, this issue has papers about ZigBee vulnerabilities, practical password cracking, humor & security, the costs of police body camera video storage, tips for reducing security guard turnover, and FDA & DHS blessing of security technologies.
Back issues of the Journal can be found at http://jps.rbseurity.com
Vulnerability Assessment: The Missing Manual for the Missing Link Roger Johnston
Vulnerability Assessment: The Missing Manual for the Missing Link. Now available as an ebook, paperback, or hardcover.
This book is written by a Vulnerability Assessor with 35+ years of experience. The book covers the common misconceptions and problems with how Security Vulnerability Assessments are thought of and done. Various security tips and advice are also offered. If you do or think about security, you need this book!
This March 2021 issue of the Journal of Physical Security has papers on:
• tax credits for physical security R&D
• pinhole cameras for surreptitious surveillance
• insider threat issues
• tamper-indicating seals for fast food in the era of Covid
• security for sealed radiological sources
Back issues are available for free at https://jps.rbsekurity.com
This is the Oct 2020 issue with the usual security news and editor's rants, plus Viewpoint papers on Security Assurance and Election Security.
Back issues are available at http://jps.rbsekurity.com
A New Approach to Vulnerability AssessmentRoger Johnston
Most organizations don't do Vulnerability Assessment, or confuse them with something else, or do them but not very effectively, imaginatively, or proactively, thinking like the bad guys. Here is some practical advice for how to do better from a Vulnerability Assessor with 35+ years of experience.
We can't test our way to good #security. Why? Because we can't test—or prevent—what we have not envisioned. (Think 9/11.) Effective, imaginative vulnerability assessments are essential. This book explains how to do them based on the 35+ years experience of a Vulnerability Assessor.
This book is the missing manual for the missing link: It provides practical advice on how to do effective, imaginative, proactive Vulnerability Assessments based on the authors 30+ years of experience as a vulnerability assessor.
In addition to the usual security news and editor's rants about security, this issue (Volume 12, Issue 3) has papers about:
• automatic vehicle security gates
• 3D magnetometer arrays as a more secure replacement for BMS
• best practices in physical security
• design reviews vs. vulnerability assessments
JPS, a peer reviewed journal, is hosted by Right Brain Sekurity as a free public service. See http://jps.rbsekurity.com
In addition to the usual security news and editor’s rants about security, this (August 2019) issue has papers about security by design,defeating electronic locks with radio frequency attack tools, poor seal practice with pressure-sensitive adhesive label seals, wargaming Brexit, and a revised and updated list of popular (mostly smart ass) security maxims.
This is the August 2018 issue of the Journal of Physical Security (JPS). In addition to the usual editor’s rants about security, this issue has papers on
• election security
• physical security networks
• technology for tracking sealed radiological sources
• an analysis of active shooter training videos
• whether security belongs under Facility Management (Operations)
JPS is hosted as a public service by Right Brain Sekurity, a small company devoted to vulnerability assessments, security consulting, and R&D.
ZGB - The Role of Generative AI in Government transformation.pdfSaeed Al Dhaheri
This keynote was presented during the the 7th edition of the UAE Hackathon 2024. It highlights the role of AI and Generative AI in addressing government transformation to achieve zero government bureaucracy
Canadian Immigration Tracker March 2024 - Key SlidesAndrew Griffith
Highlights
Permanent Residents decrease along with percentage of TR2PR decline to 52 percent of all Permanent Residents.
March asylum claim data not issued as of May 27 (unusually late). Irregular arrivals remain very small.
Study permit applications experiencing sharp decrease as a result of announced caps over 50 percent compared to February.
Citizenship numbers remain stable.
Slide 3 has the overall numbers and change.
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
A process server is a authorized person for delivering legal documents, such as summons, complaints, subpoenas, and other court papers, to peoples involved in legal proceedings.
Up the Ratios Bylaws - a Comprehensive Process of Our Organizationuptheratios
Up the Ratios is a non-profit organization dedicated to bridging the gap in STEM education for underprivileged students by providing free, high-quality learning opportunities in robotics and other STEM fields. Our mission is to empower the next generation of innovators, thinkers, and problem-solvers by offering a range of educational programs that foster curiosity, creativity, and critical thinking.
At Up the Ratios, we believe that every student, regardless of their socio-economic background, should have access to the tools and knowledge needed to succeed in today's technology-driven world. To achieve this, we host a variety of free classes, workshops, summer camps, and live lectures tailored to students from underserved communities. Our programs are designed to be engaging and hands-on, allowing students to explore the exciting world of robotics and STEM through practical, real-world applications.
Our free classes cover fundamental concepts in robotics, coding, and engineering, providing students with a strong foundation in these critical areas. Through our interactive workshops, students can dive deeper into specific topics, working on projects that challenge them to apply what they've learned and think creatively. Our summer camps offer an immersive experience where students can collaborate on larger projects, develop their teamwork skills, and gain confidence in their abilities.
In addition to our local programs, Up the Ratios is committed to making a global impact. We take donations of new and gently used robotics parts, which we then distribute to students and educational institutions in other countries. These donations help ensure that young learners worldwide have the resources they need to explore and excel in STEM fields. By supporting education in this way, we aim to nurture a global community of future leaders and innovators.
Our live lectures feature guest speakers from various STEM disciplines, including engineers, scientists, and industry professionals who share their knowledge and experiences with our students. These lectures provide valuable insights into potential career paths and inspire students to pursue their passions in STEM.
Up the Ratios relies on the generosity of donors and volunteers to continue our work. Contributions of time, expertise, and financial support are crucial to sustaining our programs and expanding our reach. Whether you're an individual passionate about education, a professional in the STEM field, or a company looking to give back to the community, there are many ways to get involved and make a difference.
We are proud of the positive impact we've had on the lives of countless students, many of whom have gone on to pursue higher education and careers in STEM. By providing these young minds with the tools and opportunities they need to succeed, we are not only changing their futures but also contributing to the advancement of technology and innovation on a broader scale.
Russian anarchist and anti-war movement in the third year of full-scale warAntti Rautiainen
Anarchist group ANA Regensburg hosted my online-presentation on 16th of May 2024, in which I discussed tactics of anti-war activism in Russia, and reasons why the anti-war movement has not been able to make an impact to change the course of events yet. Cases of anarchists repressed for anti-war activities are presented, as well as strategies of support for political prisoners, and modest successes in supporting their struggles.
Thumbnail picture is by MediaZona, you may read their report on anti-war arson attacks in Russia here: https://en.zona.media/article/2022/10/13/burn-map
Links:
Autonomous Action
http://Avtonom.org
Anarchist Black Cross Moscow
http://Avtonom.org/abc
Solidarity Zone
https://t.me/solidarity_zone
Memorial
https://memopzk.org/, https://t.me/pzk_memorial
OVD-Info
https://en.ovdinfo.org/antiwar-ovd-info-guide
RosUznik
https://rosuznik.org/
Uznik Online
http://uznikonline.tilda.ws/
Russian Reader
https://therussianreader.com/
ABC Irkutsk
https://abc38.noblogs.org/
Send mail to prisoners from abroad:
http://Prisonmail.online
YouTube: https://youtu.be/c5nSOdU48O8
Spotify: https://podcasters.spotify.com/pod/show/libertarianlifecoach/episodes/Russian-anarchist-and-anti-war-movement-in-the-third-year-of-full-scale-war-e2k8ai4
What is the point of small housing associations.pptxPaul Smith
Given the small scale of housing associations and their relative high cost per home what is the point of them and how do we justify their continued existance
This session provides a comprehensive overview of the latest updates to the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (commonly known as the Uniform Guidance) outlined in the 2 CFR 200.
With a focus on the 2024 revisions issued by the Office of Management and Budget (OMB), participants will gain insight into the key changes affecting federal grant recipients. The session will delve into critical regulatory updates, providing attendees with the knowledge and tools necessary to navigate and comply with the evolving landscape of federal grant management.
Learning Objectives:
- Understand the rationale behind the 2024 updates to the Uniform Guidance outlined in 2 CFR 200, and their implications for federal grant recipients.
- Identify the key changes and revisions introduced by the Office of Management and Budget (OMB) in the 2024 edition of 2 CFR 200.
- Gain proficiency in applying the updated regulations to ensure compliance with federal grant requirements and avoid potential audit findings.
- Develop strategies for effectively implementing the new guidelines within the grant management processes of their respective organizations, fostering efficiency and accountability in federal grant administration.
1. Journal of Physical Security 4(2), 30‐34 (2010)
30
Viewpoint Paper
Being Vulnerable to the Threat
of Confusing Threats with Vulnerabilities*
Roger G. Johnston
Vulnerability Assessment Team
Nuclear Engineering Division
Argonne National Laboratory
The following ideas are common, but I think quite wrong and thus myths:
(1) A Threat without a mitigation is a Vulnerability.
(2) A Threat Assessment (TA) is a Vulnerability Assessment (VA).
(3) Threats are more important to understand than Vulnerabilities.
(4) Many of the most common tools used for “Vulnerability Assessments”
(whether true VAs or actually TAs) are good at finding Vulnerabilities.
First some definitions. Most security professionals would probably more or
less agree with the following definitions:
Threat: Who might attack against what assets, using what resources, with
what goal in mind, when/where/why, and with what probability. There might
also be included some general aspect of the nature of the attack (e.g., car
bombing, theft of equipment, etc.), but not details about the attack or the
security measures that must be defeated and the Vulnerabilities to be exploited.
Threat Assessment (TA): Attempting to predict the Threats. This may
involve using intelligence data and information on past security incidents (at
this building, facility, or infrastructure or ones like it.) To have proactive (not
just reactive) security, however, a valid TA requires anticipating Threats that
have not yet materialized.
________________________________________________
*Editor’s Note: This paper was not peer-reviewed. This work was performed under the auspices of the
United States Department of Energy (DOE) under contract DE-AC02-06CH11357. The views expressed
here are those of the author and should not necessarily be ascribed to Argonne National Laboratory or
DOE. Jon Warner provided useful suggestions.
2. Journal of Physical Security 4(2), 30‐34 (2010)
31
Vulnerability: a specific weakness in security (or a lack of security measures)
that typically could be exploited by multiple adversaries having a range of
motivations and interest in a lot of different assets.
Vulnerability Assessment (VA): Attempting to discover (and perhaps
demonstrate) security Vulnerabilities that could be exploited by an adversary.
A good VA also often suggests practical countermeasures or improvements in
security to eliminate or mitigate the Vulnerability, or to aid in resiliency and
recovery after an attack.
Risk Management: Attempting to minimize (security) hazards by deciding
intelligently how to deploy, modify, or re-assign security resources. Involves the
following inputs: TA results, VA results, assets to be protected, consequences
of successful attacks, and the resources (time, funding, personnel) available to
provide security.
Attack: An attempt by an adversary to cause harm to valuable assets, usually
by trying to exploit one or more Vulnerabilities. The harm may include theft,
sabotage, destruction, espionage, tampering, or adulteration.
Some examples of Threats and Vulnerabilities.
Threat: Adversaries might install malware in the computers in our Personnel
Department so they can steal social security numbers for purposes of identity
theft.
Vulnerability: The computers in the Personnel Department do not have up to
date virus definitions for their anti-malware software.
Threat: Thieves could break into our facility and steal our equipment.
Vulnerability: The lock we are using on the building doors is easy to pick or
bump.
Threat: Nefarious insiders might release confidential information to adversaries.
Vulnerability: Employees don’t currently have a good understanding of what
information is sensitive/confidential and what is not, so they can’t do a good
job of protecting it.
Threat: Disgruntled employees could sabotage our facility.
Vulnerability: The organization lacks effective Insider Threat countermeasures
like background checks and disgruntlement mitigation (fair treatment of
3. Journal of Physical Security 4(2), 30‐34 (2010)
32
employees, legitimate complaint resolution processes, employee assistance
programs, no tolerance for bully bosses, etc.)
Threat: Extremists want to discredit our organization.
Vulnerability: It is easy for them to dump hazardous chemicals on our property
or pour them down our drains, and then fraudulently report us to the authorities
as polluters.
With these definitions, it should be clear that myth #1 above (“a Threat
without a mitigation is a Vulnerability”) makes no sense because (a) a Threat is
not a Vulnerability, (b) security is a continuum and 100% elimination of a
Vulnerability is rarely possible, (c) adversaries may not automatically recognize
a Vulnerability so mitigating it may be irrelevant for that specific Threat, and (d)
Vulnerabilities don’t define Threats, i.e., terrorists don’t exist because buildings
and people can be blown up.
The commonly held myth #2 (TAs are VAs) is untrue because Threats are
not the same thing as Vulnerabilities. Both TAs and VAs are needed, however,
for good Risk Management, and they both depend on each other to some
extent. Adversaries typically seek to exploit Vulnerabilities. Indeed, if there
were no Vulnerabilities, the adversaries won’t succeed. And if there were no
Threats, any existing security Vulnerabilities would be irrelevant.
Note that Vulnerabilities don’t map one-to-one onto Threats. Many different
kinds of adversaries with very different agendas can potentially exploit the same
Vulnerability for very different reasons. Thus a lock that is easy to pick permits
attacks involving theft, espionage, or vandalism. Computers lacking up to date
virus checkers can be exploited for lots of different nefarious purposes. Of
course, Threats don’t map one-to-one onto Vulnerabilities, either. An adversary
can potentially pick and choose which Vulnerability or Vulnerabilities to exploit
for any given goal.
In thinking about Myth #3 (Threats are more important than Vulnerabilities)
we need to consider that a TA involves mostly speculating about people who
are not in front of us, and who might not even exist, but who have complex
motivations, goals, mindsets, and resources if they do exist. Vulnerabilities are
more concrete and right in front of us (if we’re clever and imaginative enough
to see them). They are discovered by doing an analysis of actual infrastructure
and its security—not speculating about people. Thus, getting Threats right is
typically a lot harder than getting Vulnerabilities right. [Some people claim that
4. Journal of Physical Security 4(2), 30‐34 (2010)
33
past security incidents can tell us all we need to know about Threats, but that is
just being reactive, not proactive, and misses rare but very catastrophic
attacks.]
I would go even further and argue that understanding Vulnerabilities is more
powerful than understanding Threats—regardless of the relative difficulty of
TAs vs. VAs. If you understand and take some reasonable effort to mitigate
your security Vulnerabilities, you are probably in fairly good shape regardless of
the Threats (which you are likely to get wrong anyway). On the other hand, if
you understand the Threats but are ignorant of the Vulnerabilities, you are not
likely to be very secure because the adversaries will have many different ways
in.
Myth #4 (existing tools are effective at finding Vulnerabilities) is quite
prevalent, especially for infrastructure security. This is perhaps because there
are such a staggering number of Vulnerabilities in any large, complex system
(especially compared to Threats) that dealing with the Vulnerabilities is
daunting. Also, finding Vulnerabilities takes a lot of careful thinking, on the
ground investigation, hands-on analysis, and imagination/creativity. Threat
Assessments, in contrast, often (unfortunately) involve relatively easy and
simple-minded use of check lists, security surveys, compliance audits,
guidelines, software programs, boilerplates, compliance requirements, databases
of past security incidents, and “cookie cutter” approaches. There is, of course,
no reason why a TA can’t or shouldn’t involve profound, critical, original, and
creative thinking about security issues, it’s just that is so often does not.
I break down the so-called “Vulnerability Assessment” methods into 4 general
categories:
1. Tools that can help find vulnerabilities but aren’t typically very good at it
because they do not encourage thinking creatively like the bad guys about
actual, local vulnerabilities and/or they make invalid assumptions: Security
Surveys, Compliance Audits, boilerplate Software Programs, Tree Analysis, “Red
Team” exercises.
2. Tools that are good at finding Vulnerability Assessments: Adversarial
Vulnerability Assessments (thinking about the security problem from the
perspective of the bad guys, not the good guys and the existing security
implementation), intrusion testing programs (for cyber security), critical
security design reviews early in the design process for new security devices,
systems, or programs.
5. Journal of Physical Security 4(2), 30‐34 (2010)
34
3. Misnamed “Vulnerability Assessment” tools that are really techniques for
helping to decide how to allocate security resources, i.e., more like overall Risk
Management than VAs per se: CARVER Method, Delphi Method.
4. Tools that (despite the claims) are actually TA methods, not VA methods:
Design Basis Threat, Compliance Audits, boilerplate Software Programs.
One litmus test to tell if somebody claiming to do a Vulnerability Assessment
is really doing a Threat Assessment is if they have identified a relatively small
number of "Threats/vulnerabilities" (which they typically put in a table with
made up rankings or probabilities), and if mitigating them is a major
undertaking. If they are really doing a VA, they will have identified and maybe
demonstrated dozens or hundreds of very specific vulnerabilities, and many of
the countermeasures for mitigating them will be cheap and relatively painless,
e.g., install anti-virus software in the Personnel Department computers that
automatically updates virus definitions.
Another sort of related problem commonly found in infrastructure security
assessments is confusing features with vulnerabilities. Thus, a public road that
travels close to the facility is often considered a Vulnerability. It is not,
however; it is only an attribute. Only when coupled with an attack scenario
(truck bomb, the road makes visual and electronic surveillance easier for
espionage, assets can be thrown over the fence by insiders to the bad guy's
parked truck, etc.) does a feature become a Vulnerability. The reason this is
important is that different kinds of security countermeasures will typically be
needed for different combinations of feature + attack. Without the context of
attack scenarios, the only apparent countermeasure is to eliminate the feature;
this may be expensive, impractical, and/or total overkill.
Finally, we should not get confused about the purpose of a TA or VA.
Neither a Threat Assessment or a Vulnerability Assessment is something we
test against, some kind of “certification”, a standard, a metric for how good our
security is, or a technique for finding out if our security mangers or frontline
personnel are screwing up. The purpose of a VA is to improve security. The
purpose of a TA is to help us decide (in conjunction with Risk Management)
what and how much security we need. It doesn’t make any sense to talk about
“passing” a TA or VA. This certainly cannot mean all Threats have been
recognized or neutralized, or that there are zero Vulnerabilities or even that all
Vulnerabilities are known and mitigated. Such things are not possible, and not
provably true even if they were possible.