Slides prepared in a few hours to fill in for a missing speaker at the All Security conference, Rome 2011
Alessio L.R. Pennasilico, [email protected]; mayhemspp; FaceBook: alessio.pennasilico
Rome, 7 April 2011
Risks or vulnerabilities?
Risks or vulnerabilities? [email protected]
$ whois mayhem
Board of Directors: CLUSIT, Associazione Informatici Professionisti, Associazione Italiana Professionisti Sicurezza Informatica, Italian Linux Society, OpenBSD Italian User Group, Hacker’s Profiling Project
Security Evangelist @
Credits
Roger G. Johnston
Vulnerability Assessment Team
Nuclear Engineering Division, Argonne National Laboratory
http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf
Risks or vulnerabilities?
Malware
Threat: Adversaries might install malware in the computers in our Personnel Department so they can steal social security numbers for purposes of identity theft.
Vulnerability: The computers in the Personnel Department do not have up-to-date virus definitions for their anti-malware software.
Thieves
Threat: Thieves could break into our facility and steal our equipment.
Vulnerability: The lock we are using on the building doors is easy to pick or bump.
Social Engineering
Threat: Nefarious insiders might release confidential information to adversaries.
Vulnerability: Employees don’t currently have a good understanding of what information is sensitive/confidential and what is not, so they can’t do a good job of protecting it.
Myth #1
“a Threat without a mitigation is a Vulnerability” makes no sense because
(a) a Threat is not a Vulnerability
(b) security is a continuum and 100% elimination of a Vulnerability is rarely possible
(c) adversaries may not automatically recognize a Vulnerability, so mitigating it may be irrelevant for that specific Threat
Myth #2
“Threats are more important than Vulnerabilities”: we need to consider that a TA (threat assessment) involves mostly speculating about people who are not in front of us, and who might not even exist, but who have complex motivations, goals, mindsets, and resources if they do exist. Vulnerabilities are more concrete and right in front of us (if we’re clever and imaginative enough to see them). They are discovered by analysing actual infrastructure and its security, not by speculating about people.
Past vs Future
Some people claim that past security incidents can tell us all we need to know about Threats, but that is just being reactive, not proactive, and misses rare but very catastrophic attacks.
If you understand and take some reasonable effort to mitigate your security Vulnerabilities, you are probably in fairly good shape regardless of the Threats.
If you understand the Threats but are ignorant of the Vulnerabilities, you are not likely to be very secure, because the adversaries will have many different ways in.
Cognitive Biases
Optimism Bias
The demonstrated systematic tendency for people to be over-optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. It is one of several kinds of positive illusion to which people are generally susceptible.
Optimism Bias
Optimistic overconfidence bias can induce people to underinvest in primary and preventive care and other risk-reducing behaviors.
A brain-imaging study found that, when imagining negative future events, signals in the amygdala, an emotion centre of the brain, are weaker than when remembering past negative events. This weakened consideration of possible negative outcomes is one possible mechanism for optimism bias.
Heuristic
Experience-based techniques that help in problem solving, learning and discovery: a "rule of thumb", an educated guess, an intuitive judgment or simply common sense.
Availability heuristic
Estimating what is more likely by what is more available in memory, which is biased toward vivid, unusual, or emotionally charged examples.
Representativeness heuristic
Judging probabilities on the basis of resemblance.
Affect heuristic
Basing a decision on an emotional reaction rather than a calculation of risks and benefits.
Conclusions
Conclusions
We must deal with threats
We must deal with vulnerabilities
Conclusions
We are human, we can make mistakes
Trying to manage the causes of errors of judgment helps
Alessio L.R. Pennasilico, [email protected]; mayhemspp; FaceBook: alessio.pennasilico
Rome, 7 April 2011
Questions?
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. “Please” cite your source and use the same licence :)
Thank you for your attention!