are you really doing them
play

Are You REALLY Doing Them? Roger G. Johnston, Ph.D., CPP Right - PowerPoint PPT Presentation

Sep 15, 2023 •276 likes •618 views

Vulnerability Assessments: Are You REALLY Doing Them? Roger G. Johnston, Ph.D., CPP Right Brain Sekurity http://rbsekurity.com +1-630-551-0740 Terminology Threat: Who might attack, why, when, how, with what probability, and with what

  1. Vulnerability Assessments: Are You REALLY Doing Them? Roger G. Johnston, Ph.D., CPP Right Brain Sekurity http://rbsekurity.com +1-630-551-0740

  2. Terminology Threat: Who might attack, why, when, how, with what probability, and with what resources. (Includes information on goals and attack modes.) Threat Assessment (TA): Attempting to identify threats.

  3. Terminology Vulnerability : Flaw or weakness that could be exploited to cause undesirable consequences. Vulnerability Assessment (VA): Creatively devising & discover- ing (and perhaps demonstrating) ways to defeat a security device, system, or program. Should include thinking like the bad guys, and also suggesting countermeasures and security improvements. mimics what the bad guys do!

  4. Threat vs. Vulnerability Threat: Adversaries might try to steal PII information (SSNs, credit card numbers, etc.) from our computer systems to commit crimes. Vulnerability: We don’t keep our anti -malware software up to date. 4

  5. Purpose The purpose of a VA is to improve security & minimize risk, NOT to: • Pass a test • “Test” security • Generate metrics • Justify the status quo • Praise or accuse anybody • Check against some standard • Claim there are no vulnerabilities • Engender warm & happy feelings • Determine who gets salary increases • Rationalize the research & development • Apply a mindless, bureaucratic stamp of approval • Endorse a security product/program or Certify it as “good” or “ready to use” 5

  6. A VA is Not…  pen testing  “Red Teaming”  feature analysis  security auditing  quality control  threat assessment  reliability testing  efficiency testing  software scanning  operational assessment  fault or event tree analysis  compliance testing  acceptance testing (from safety engineering)  ergonomics testing  Design Basis Threat  performance testing  a security survey  response time testing  gap analysis 6

  7. Questions Vulnerability Assessors Ask And You Should, Too Vulnerability Assessments  Are vulnerabilities being confused with threats, assets needing protection, security or infrastructure features, or attack scenarios?  Are vulnerabilities being thought of as good news? (They should be!)  Are VAs being confused with other things like TAs or security “testing”?  Are they being done continuously, or at least frequently? 7

  8. Questions Vulnerability Assessors Ask And You Should, Too Vulnerability Assessments (con’t)  Are the following kinds of employees (even if not security or cyber experts) drafted to help examine your security: trouble-makers, creative types, loophole finders, questioners of authority, skeptics/cynics, hackers, narcissists, hands-on enthusiasts, and puzzle solvers.  Resiliency & PR preparation for when security inevitably fails? 8

  9. Questions Vulnerability Assessors Ask And You Should, Too Vulnerability Assessments (con’t)  Do your VAs suffer from any of these problems? - sham rigor - the Fallacy of Precision - lack of imagination - reactive not proactive - done only be insiders - shooting-the-messenger - conflicts of interest - cognitive dissonance - focused only on high-tech attacks - artificial constraints (scope, time, effort, modules/components/disciplines) - letting the good guys and the current security infrastructure/strategy define the vulnerabilities & attacks 9

  10. Questions Vulnerability Assessors Ask And You Should, Too IoT Devices  Use hardware passwords & device IDs?  Have you changed the default password & device ID, and security settings?  Devices adhere to emerging security standards?  Do the devices follow Minimalist Principles?  range & power  duty cycle  bandwidth  data acquisition  data retention & duration 10

  11. Questions Vulnerability Assessors Ask And You Should, Too IoT Devices ( con’t )  Trusted manufacturers & vendors?  Is security built in from the start, or just a last minute afterthought?  Early & iterative VAs on the devices?  Secure chain of custody? 11

  12. Questions Vulnerability Assessors Ask And You Should, Too Chain of Custody for Devices*  Are your devices safe from physical/electronic tampering (~20 secs), counterfeiting, and backdoor insertion including • at vendor or factory? • during shipments? • on loading dock? • before installation? • after installation? 12

  13. Questions Vulnerability Assessors Ask And You Should, Too Chain of Custody for Devices (con’t)  Is there a lot of empty space inside your devices? Are they frequently opened up and examined for tampering and alien electronics? Do you know what the insides are supposed to look like? Can you spot a counterfeit device?  Are you under the mistaken impression that: - “anti - counterfeiting” tags (even if high -tech) are difficult to lift or counterfeit? - tamper-indicating seals or packaging (even if high-tech) are difficult to spoof, and trivial to use? - sticky labels (even if high tech) provide effective tamper detection? - a mechanical tamper switch is serious security? - cargo/shipment supply chains are secure? - engineers understand security? 13

  14. Questions Vulnerability Assessors Ask And You Should, Too Physical Access Control for Cyber  Are your physical access control systems designed by the sales guy, amateurs, or your cyber security people?  Do your locked doors have hinges on the outside?  Can someone open the door without using the access control system and without it knowing?  Does your physical access control system know when an employee has left the control area?  Are you under the mistaken impression that biometric access control devices can’t be easily defeated? That biometric signatures can’t be easily counterfeited? 14

  15. Questions Vulnerability Assessors Ask And You Should, Too General Access Control  Do you have Role-Based Access Control , so that access is halted INSTANTLY when someone is promoted, given a new assignment, or terminated?  Do you periodically review access control privileges for all employees? 15

  16. Questions Vulnerability Assessors Ask And You Should, Too HR & Insider Threat Mitigation  Is HR’s role in security objectively evaluated at least annually? Does HR harm security instead of helping it?  If HR is indeed evil (likely), do managers, supervisors, & security managers try to compensate?  Do you rely on the 80% rule (“listen, empathize, validate”) to mitigate insider threats?  Do narcissists get their ego stroked on a regular basis?  Are there constraints on bully/harassing bosses?  Are retiring and terminated employees treated well? Is there a perp-walk for terminated employees? Is there considerable HR glee at firing employees? 16

  17. Questions Vulnerability Assessors Ask And You Should, Too HR & Insider Threat Mitigation (con’t)  Are background checks on key personnel done periodically and thoroughly, including interviewing acquaintances?  Do you do bribery anti-stings? 17

  18. Questions Vulnerability Assessors Ask And You Should, Too HR & Insider Threat Mitigation (con’t)  Do you exploit psychology research?  Sign a pledge of honesty at the top of documents, not the bottom.  Angry eye posters in critical areas.  Warn well-paid employees of the risk to themselves if they do something unethical, but warn low-paid employees of the potential harm to others.  Social influence for better security  Sunk-cost bias  Countermeasures to groupthink & to cognitive dissonance  Research on creativity  If someone has a security concern, including about a fellow employee, can they submit it anonymously? Does everybody know how? Is it safe? Does anybody do it? What happens when they do? 18

  19. Questions Vulnerability Assessors Ask And You Should, Too Security Culture & Management  Is Security getting confused with  Control  Hassling/Threating Employees  Privacy or Safety  Inventory Management  Compliance & Auditing  Is high-tech confused with high-security?  Is your security awareness & social engineering training effective? One-size-fits-all? 19

  20. Questions Vulnerability Assessors Ask And You Should, Too Security Culture & Management (con’t )  Do you warn employees about what happened elsewhere after a serious security incident?  Do people affected by security rules have input about them?  Do security rules get reviewed often?  Is there unwarranted faith in “layered security”? 20

  21. Questions Vulnerability Assessors Ask And You Should, Too Security Culture & Management (con’t)  Are employees told what security attacks look like, or just given an unmotivated list of “things not to do”?  Are security rules and procedures motivated and justified?  Is security “accountability” mostly through disciplining, firing, or scapegoating people?  Are awards and recognition given for good security practices, or is security only about bad news? 21

  22. Questions Vulnerability Assessors Ask And You Should, Too Cyber Specific Issues  Have a cyber monoculture?  Overlook the security benefits of OpenBSD, Linux, Mac OS X, and iOS, especially for routine use?  Is your SOC your NOC?  How do regular employees recognize legitimate IT personnel and instructions?  Use of 2-Factor Authentication? 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WORKPLACE WELLBEING TEAM NUMBER: 19 Workplace Wellbeing Assumptions Given the catastrophic loss

WORKPLACE WELLBEING TEAM NUMBER: 19 Workplace Wellbeing Assumptions Given the catastrophic loss

WORKPLACE WELLBEING TEAM NUMBER: 19 Workplace Wellbeing Assumptions Given the catastrophic loss of life from 1. Organizations will continue to operate to generate profits and benefits to all COVID-19, will wellbeing no longer be a stakeholders

944 views • 10 slides
The Business of Bus Busin ines ess s is is Business Milton Friedman The Business of

The Business of Bus Busin ines ess s is is Business Milton Friedman The Business of

The Business of Bus Busin ines ess s is is Business Milton Friedman The Business of Business They did not teach you how to run a business in law school or medical school Two foundational concepts for success:

486 views • 15 slides
Ubiquitous and Mobile Computing CS 528: The Effect of Developer Specified Explanations for

Ubiquitous and Mobile Computing CS 528: The Effect of Developer Specified Explanations for

Ubiquitous and Mobile Computing CS 528: The Effect of Developer Specified Explanations for Permission Requests on Smartphone User Behavior Chu Xu Computer Science Dept. Worcester Polytechnic Institute (WPI) Introduction/Motivation

555 views • 18 slides
Develop Your Data Mindset Module 3 - Aligning Answerable Questions With School Initiatives Part

Develop Your Data Mindset Module 3 - Aligning Answerable Questions With School Initiatives Part

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Develop Your Data Mindset Module 3 - Aligning Answerable Questions With School Initiatives Part 1 - Aligning Answerable Questions

757 views • 41 slides
Your Washington State Department of Veterans Affairs Spokane County Regional Veterans Services,

Your Washington State Department of Veterans Affairs Spokane County Regional Veterans Services,

Cat Nichols Strategic Operations Manager Your Washington State Department of Veterans Affairs Spokane County Regional Veterans Services, Director What is Emotional Intelligence? Self-awareness Self-regulation Motivation Empathy

539 views • 26 slides
Agenda Beach Cities Health District (BCHD) Overview Docent Responsibilities Lesson

Agenda Beach Cities Health District (BCHD) Overview Docent Responsibilities Lesson

LiveWell Kids Nutrition Kickoff, Modules 1 & 2 Training Agenda Beach Cities Health District (BCHD) Overview Docent Responsibilities Lesson Reporting & Tracking Food Safety and Allergies Classroom Management Program

842 views • 48 slides
Introductions Introductions Cognitive Load and Neuro-Economics: Implications for Food

Introductions Introductions Cognitive Load and Neuro-Economics: Implications for Food

8/15/2016 Introductions Introductions Cognitive Load and Neuro-Economics: Implications for Food Consumption and No Alisha Health George Elena George Davis and Elena Serrano You Virginia Tech Practitioners EFNEP

370 views • 11 slides
The Gift of Cultural Hurricanes: How to Build Bridges that Empower Parents and Transform Catholic

The Gift of Cultural Hurricanes: How to Build Bridges that Empower Parents and Transform Catholic

The Gift of Cultural Hurricanes: How to Build Bridges that Empower Parents and Transform Catholic Families Worcester, MA June 14, 2016 Tim Hogan, PsyD, CIRT DrTimHogan.com @DrTimHogan Contributor, RCLB Family Life Series So whats the

766 views • 45 slides
Desperately Needed Remedies File: Boulder Version dated August 15, 2011 6:47 am

Desperately Needed Remedies File: Boulder Version dated August 15, 2011 6:47 am

Desperately Needed Remedies File: Boulder Version dated August 15, 2011 6:47 am Desperately Needed Remedies for the Undebuggability of Large Floating-Point Computations in Science and Engineering W. Kahan, Prof. Emeritus Math. Dept.,

907 views • 73 slides
Emerging Market (esp. India) and COVID-19 Introductory remarks by Raghuram Markus Rajan

Emerging Market (esp. India) and COVID-19 Introductory remarks by Raghuram Markus Rajan

ebinar PRINCETON B C arkus UNIVERSITY F Emerging Market (esp. India) and COVID-19 Introductory remarks by Raghuram Markus Rajan Brunnermeier Chicago Booth Princeton Past and Future Speakers Past Related Richard Zeckhauser

526 views • 52 slides
SETI and Consciousness Dr. Matthew Colborn The Drake Equation Does the Drake Equation need an

SETI and Consciousness Dr. Matthew Colborn The Drake Equation Does the Drake Equation need an

SETI and Consciousness Dr. Matthew Colborn The Drake Equation Does the Drake Equation need an additional factor? Currently no generalizable metric rating for intelligence. Intelligence not defined with reference to consciousness.

607 views • 15 slides
Tuning in and Embracing the Challenging Toddler November 7, 2016 Holly Hatton-Bowers, PhD

Tuning in and Embracing the Challenging Toddler November 7, 2016 Holly Hatton-Bowers, PhD

11/4/2016 Tuning in and Embracing the Challenging Toddler November 7, 2016 Holly Hatton-Bowers, PhD hattonb@unl.edu Practice using the chat area Please type your name and location Please send to ALL Participants 1 11/4/2016 During the

484 views • 15 slides
South Asian relative-correlatives and unexpected particles Benjamin Slade [ b.slade@utah.edu ]

South Asian relative-correlatives and unexpected particles Benjamin Slade [ b.slade@utah.edu ]

South Asian relative-correlatives and unexpected particles Benjamin Slade [ b.slade@utah.edu ] Dept. of Linguistics University of Utah Annual Conference on South Asia Madison, Wisconsin Perspectives on South Asian Syntax: A panel in honor of

949 views • 56 slides
Paul s halftime talk 1 Corinthians 3 1 Corinthians 3 1 Corinthians 3 1 Corinthians 3 1

Paul s halftime talk 1 Corinthians 3 1 Corinthians 3 1 Corinthians 3 1 Corinthians 3 1

1 Corinthians Paul s halftime talk 1 Corinthians 3 1 Corinthians 3 1 Corinthians 3 1 Corinthians 3 1 Corinthians Paul s halftime talk 1 Corinthians 3 1 Corinthians 3 1 Corinthians 3 1 Corinthians 3 Paul s halftime talk Paul

410 views • 16 slides
Targeted Intrusion Remediation: Lessons From The Front Lines Jim Aldridge All information is

Targeted Intrusion Remediation: Lessons From The Front Lines Jim Aldridge All information is

Targeted Intrusion Remediation: Lessons From The Front Lines Jim Aldridge All information is derived from MANDIANT observations in non-classified environments. Information has been sanitized where necessary to protect our clients

471 views • 30 slides
Embracing the Challenging Behaviors of Toddlers June 27 th , 2018 Holly Hatton-Bowers, PhD,

Embracing the Challenging Behaviors of Toddlers June 27 th , 2018 Holly Hatton-Bowers, PhD,

6/18/2018 Embracing the Challenging Behaviors of Toddlers June 27 th , 2018 Holly Hatton-Bowers, PhD, hattonb@unl.edu Wh What at we we wi will di discuss scuss toda today: Describe challe challengin nging beha behavior viors dem demons

425 views • 21 slides
5G As A User-Centric Network Xiao-Feng Qi Contents 5G at Huawei 5G Vision and Viewpoints A

5G As A User-Centric Network Xiao-Feng Qi Contents 5G at Huawei 5G Vision and Viewpoints A

5G As A User-Centric Network Xiao-Feng Qi Contents 5G at Huawei 5G Vision and Viewpoints A User-Centric View Huawei Began 5G Research since 2009 9 300+ $600m Research Centers Experts For 5G Research 2013~2018 By 2014 By 2014 Virtualized

390 views • 15 slides
Open Science Grid: A Year in Review Kyle Gross - OSG Operations Pervasive Technology Institute -

Open Science Grid: A Year in Review Kyle Gross - OSG Operations Pervasive Technology Institute -

Open Science Grid: A Year in Review Kyle Gross - OSG Operations Pervasive Technology Institute - Indiana University Events of Importance OSG Area Successes Mindless Musings or Down The Rabbit Hole LIGO LIGO came home and

444 views • 29 slides
File: UnumSORN vs . Unums & SORNs for ARITH 23

File: UnumSORN vs . Unums & SORNs for ARITH 23

File: UnumSORN vs . Unums & SORNs for ARITH 23 Version dated July 10, 2016 1:29 pm A Critique of John L. Gustafsons THE END of ERROR Unum Computation and his A Radical Approach to

409 views • 26 slides
Observational Probabilities in Quantum Cosmology Don N. Page University of Alberta 2014 August

Observational Probabilities in Quantum Cosmology Don N. Page University of Alberta 2014 August

Observational Probabilities in Quantum Cosmology Don N. Page University of Alberta 2014 August 12 The Measure Problem of Cosmology The measure problem of cosmology is how to obtain probabilities of observations from the quantum state of the

651 views • 27 slides
K. The witnesses John 5:31 40 1. John 5:31 Jesus anticipated that people might object

K. The witnesses John 5:31 40 1. John 5:31 Jesus anticipated that people might object

K. The witnesses John 5:31 40 1. John 5:31 Jesus anticipated that people might object to His claim to be God, saying He based His claim solely on His own authority. (See Deuteronomy 19:15 for the Biblical rules of evidence.) 2. John

544 views • 29 slides
Slime moulds as architectural-biological sensors of environmental change Co-investigators: Dr

Slime moulds as architectural-biological sensors of environmental change Co-investigators: Dr

Slime moulds as architectural-biological sensors of environmental change Co-investigators: Dr Sylvia Nagl, Head of Complex Systems Science, Cancer Institute Dr Rachel Armstrong, Researcher, AVATAR Group, Bartlett School of Architecture In

201 views • 8 slides
Table of contents 1. Introduction: You are already an experimentalist 2. Conditions 3. Items

Table of contents 1. Introduction: You are already an experimentalist 2. Conditions 3. Items

Table of contents 1. Introduction: You are already an experimentalist 2. Conditions 3. Items Section 1: 4. Ordering items for presentation Design 5. Judgment Tasks 6. Recruiting participants 7. Pre-processing data (if necessary) 8.

358 views • 31 slides
Comparison/Contrast Patu ern 07.07.10 | | English 1301: Com position & Rhetoric I || D. Glen

Comparison/Contrast Patu ern 07.07.10 | | English 1301: Com position & Rhetoric I || D. Glen

Comparison/Contrast Patu ern 07.07.10 | | English 1301: Com position & Rhetoric I || D. Glen Sm ith, instructor 1 Com parison / Contrast Portrait of Pope Innocent X by Velazquez. Portrait of Cardinal Filippo Archinto attributed to Titian.

306 views • 17 slides

More recommend