SlideShare une entreprise Scribd logo

Why Risk Management is Impossible

Télécharger en tant que PPT, PDF
Richard Stiennon
Richard Stiennon

It is impossible to identify all critical assets. It is impossible to determine value of IT assets. It is impossible to manage vulnerabilities. Impossible^3 = Impossible. Presented at ITAC 2013 Boston, November 19, 2013

BusinessTechnologie
1  sur  20
Risk Management: A Failed Strategy with Unachievable Goals. Richard Stiennon Chief Research Analyst IT-Harvest
International Cybersecurity Dialogue What is risk? Risk = Threat * Vulnerability * Asset Value -or- The probable frequency and probable magnitude of future loss - FAIR
International Cybersecurity Dialogue Risk Management 101 • 1. Identify all critical assets • 2. Score them by “value” • 3. Discover all vulnerabilities • All three are impossible.
International Cybersecurity Dialogue • • • • • • • • • • What is an IT asset? Desktops Laptops Servers Thumb drives Switches Applications Data bases Records Artifacts (VM images) Usernames, passwords, e mail addresses • • • • • • • • • • IP addresses, domains Digital certificates (SSL, SSH, Kerboros, code signing, identity) Email, email archives Business intelligence data Logs Policies, settings, configurations Processes, work flow, authorization • • • • • • IP. Designs, formulae, patent applications, litigation documents, spreadsheets, docs, Powe r Point. Real time data Meta data • • Software licenses and version data Virtual data center (repeat most of above) Phones Smart phones Video conferencing Firewalls, IPS, Content filtering, Log management, patch management, trouble ticketing, AV, etc. etc. etc. Active Directory, Ephemeral assets
International Cybersecurity Dialogue What is the value of an IT asset? • • • • • • Replacement cost? Purchase+shipping+config+restore+staging+d eployment Cost to reproduce data? Loss of productivity? Loss of business competitiveness? Lost sales? Lost battle?
International Cybersecurity Dialogue Can you really reduce the surface area (exposed vulnerabilities) ? • Some systems cannot be patched • Legacy • Operations • All systems have unknown vulnerabilities
International Cybersecurity Dialogue Risk Manage This:
International Cybersecurity Dialogue Or this: Athens 2004: A series of software updates turns on Lawful intercept function in Ericsson switch 104 diplomats and Olympic officials spied on Engineer mysteriously commits suicide
International Cybersecurity Dialogue Or this: Cyber sabotage: Stuxnet s7otbxdx.dll Step 7 software DLL Rootkit s7otbxsx.dll DLL original New data blocks added
International Cybersecurity Dialogue Trading losses Or this: 2008, Jerome Kerviel covers up trading losses, Largest trading fraud in history to be carried out by a single person. $54 billion exposure, $7.14 Billion loss 5 year sentence reduced to 3
International Cybersecurity Dialogue Or this: • Saudi Aramco, August 2012 • South Korea, March 2013
International Cybersecurity Dialogue Or this: • Malware transmitted to SIPRNET across an air gap by “foreign agents” in an “overseas theater” according to assistant defense secretary Lynn. • Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD.
International Cybersecurity Dialogue Risk management is based on normal distribution of events • IT security is not subject to Gaussian distributions • The difference is: adversaries
International Cybersecurity Dialogue Targeted Attacks are Not Random • Risk Management arose to address “random attacks.” Viruses, worms, opportunistic hackers. • Targeted attacks are Black Swan events
International Cybersecurity Dialogue So, if Risk Management is a failure what should be done? • Welcome to the world of threat based security, the real world.
International Cybersecurity Dialogue Some scenarios • A mass killer is on the loose. Find him and stop him? Or protect every “asset”? • Chinese Comment Crew is in your network. Do a vulnerability scan? • Rogue employee is accessing customer database. Beef up security awareness training?
International Cybersecurity Dialogue Cyber kill chain
International Cybersecurity Dialogue Security Intelligence is the key to threat management • Malware analysis • Key indicators of attack • Key indicators of compromise • Threat actor intelligence
International Cybersecurity Dialogue The Cyber Defense Team Operations Analysts Red Team Cyber Commander
International Cybersecurity Dialogue Let’s be honest • Risk Management was developed so that IT security could “speak to management.” • Management understands threats not risks. • Show them the threats and they will respond.

Recommandé

Why Risk Management Fails
Why Risk Management FailsWhy Risk Management Fails
Why Risk Management FailsRichard Stiennon
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)Priyanka Aash
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...HITCON GIRLS
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardBirds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardHITCON GIRLS
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)HITCON GIRLS
 
Deception technology for advanced detection
Deception technology for advanced detectionDeception technology for advanced detection
Deception technology for advanced detectionJisc
 
24 Hours After a Breach
24 Hours After a Breach 24 Hours After a Breach
24 Hours After a Breach LIFARS
 
Threat Deception - Counter Techniques from the Defenders League
Threat Deception - Counter Techniques from the Defenders LeagueThreat Deception - Counter Techniques from the Defenders League
Threat Deception - Counter Techniques from the Defenders LeagueAvkash Kathiriya
 

Recommandé

Why Risk Management Fails
Why Risk Management FailsWhy Risk Management Fails
Why Risk Management FailsRichard Stiennon
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)Priyanka Aash
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...HITCON GIRLS
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardBirds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardHITCON GIRLS
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)HITCON GIRLS
 
Deception technology for advanced detection
Deception technology for advanced detectionDeception technology for advanced detection
Deception technology for advanced detectionJisc
 
24 Hours After a Breach
24 Hours After a Breach 24 Hours After a Breach
24 Hours After a Breach LIFARS
 
Threat Deception - Counter Techniques from the Defenders League
Threat Deception - Counter Techniques from the Defenders LeagueThreat Deception - Counter Techniques from the Defenders League
Threat Deception - Counter Techniques from the Defenders LeagueAvkash Kathiriya
 
Ransomware ly
Ransomware lyRansomware ly
Ransomware lyLisa Young
 
APT in the Financial Sector
APT in the Financial SectorAPT in the Financial Sector
APT in the Financial SectorLIFARS
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Fidelis Cybersecurity
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Dragos, Inc.
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...CODE BLUE
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingCyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingJonathan Sinclair
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeDragos, Inc.
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateFidelis Cybersecurity
 
Drooger, jack cyber security
Drooger, jack cyber securityDrooger, jack cyber security
Drooger, jack cyber securityHagerstown Chamber Business Expo
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsFidelis Cybersecurity
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usualEnclaveSecurity
 
Six steps for securing offshore development
Six steps for securing offshore developmentSix steps for securing offshore development
Six steps for securing offshore developmentgmaran23
 
The State of Threat Detection 2019
The State of Threat Detection 2019The State of Threat Detection 2019
The State of Threat Detection 2019Fidelis Cybersecurity
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseGreg Foss
 
2015 Global APT Summit Matthew Rosenquist
2015 Global APT Summit Matthew Rosenquist2015 Global APT Summit Matthew Rosenquist
2015 Global APT Summit Matthew RosenquistMatthew Rosenquist
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Cyber Security
Cyber SecurityCyber Security
Cyber Securityfrcarlson
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Andrew kozma - security 101 - atlseccon2011
Andrew kozma - security 101 - atlseccon2011Andrew kozma - security 101 - atlseccon2011
Andrew kozma - security 101 - atlseccon2011Atlantic Security Conference
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...Andris Soroka
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 

Contenu connexe

Tendances

APT in the Financial Sector
APT in the Financial SectorAPT in the Financial Sector
APT in the Financial SectorLIFARS
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Fidelis Cybersecurity
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Dragos, Inc.
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...CODE BLUE
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingCyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingJonathan Sinclair
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeDragos, Inc.
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateFidelis Cybersecurity
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsFidelis Cybersecurity
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usualEnclaveSecurity
 
Six steps for securing offshore development
Six steps for securing offshore developmentSix steps for securing offshore development
Six steps for securing offshore developmentgmaran23
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseGreg Foss
 
2015 Global APT Summit Matthew Rosenquist
2015 Global APT Summit Matthew Rosenquist2015 Global APT Summit Matthew Rosenquist
2015 Global APT Summit Matthew RosenquistMatthew Rosenquist
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Cyber Security
Cyber SecurityCyber Security
Cyber Securityfrcarlson
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 

Tendances (20)

Ransomware ly
Ransomware lyRansomware ly
Ransomware ly
 
APT in the Financial Sector
APT in the Financial SectorAPT in the Financial Sector
APT in the Financial Sector
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingCyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not working
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
 
Drooger, jack cyber security
Drooger, jack cyber securityDrooger, jack cyber security
Drooger, jack cyber security
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systems
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usual
 
Six steps for securing offshore development
Six steps for securing offshore developmentSix steps for securing offshore development
Six steps for securing offshore development
 
The State of Threat Detection 2019
The State of Threat Detection 2019The State of Threat Detection 2019
The State of Threat Detection 2019
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven Defense
 
2015 Global APT Summit Matthew Rosenquist
2015 Global APT Summit Matthew Rosenquist2015 Global APT Summit Matthew Rosenquist
2015 Global APT Summit Matthew Rosenquist
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Andrew kozma - security 101 - atlseccon2011
Andrew kozma - security 101 - atlseccon2011Andrew kozma - security 101 - atlseccon2011
Andrew kozma - security 101 - atlseccon2011
 

Similaire à Why Risk Management is Impossible

DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...Andris Soroka
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Andreas Sfakianakis
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxRoshni814224
 
Information security in the starbucks generation
Information security in the starbucks generationInformation security in the starbucks generation
Information security in the starbucks generationTony Lauro
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9Amanda Case
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer securityPrajktaGN
 
Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?ThinAir
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyGabor Szathmari
 
KeystrokeGuard_Presentation_20141024
KeystrokeGuard_Presentation_20141024KeystrokeGuard_Presentation_20141024
KeystrokeGuard_Presentation_20141024Frank Maiorca
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and EthicsMohsin Riaz
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer SecurityVibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Vibrant Event
 
Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...
Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...
Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...Pro Mrkt
 
Stopping zero day threats
Stopping zero day threatsStopping zero day threats
Stopping zero day threatsZscaler
 

Similaire à Why Risk Management is Impossible (20)

DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptx
 
Information security in the starbucks generation
Information security in the starbucks generationInformation security in the starbucks generation
Information security in the starbucks generation
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Basic practices for information & computer security
Basic practices for information & computer securityBasic practices for information & computer security
Basic practices for information & computer security
 
Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?Insider Threat: How Does Your Security Stack Measure Up?
Insider Threat: How Does Your Security Stack Measure Up?
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data Responsibly
 
KeystrokeGuard_Presentation_20141024
KeystrokeGuard_Presentation_20141024KeystrokeGuard_Presentation_20141024
KeystrokeGuard_Presentation_20141024
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...
Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...
Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
Stopping zero day threats
Stopping zero day threatsStopping zero day threats
Stopping zero day threats
 
DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015
 

Plus de Richard Stiennon

Cyber security industry trends
Cyber security industry trendsCyber security industry trends
Cyber security industry trendsRichard Stiennon
 
The Internet of Military Things: There Will Be Cyberwar
The Internet of Military Things: There Will Be CyberwarThe Internet of Military Things: There Will Be Cyberwar
The Internet of Military Things: There Will Be CyberwarRichard Stiennon
 
How the Revolution in Military Affairs has set the stage for future cyberwars
How the Revolution in Military Affairs has set the stage for future cyberwarsHow the Revolution in Military Affairs has set the stage for future cyberwars
How the Revolution in Military Affairs has set the stage for future cyberwarsRichard Stiennon
 
Stiennon Keynote at Trusted Computing Conference 2013, Orlando
Stiennon Keynote at Trusted Computing Conference 2013, OrlandoStiennon Keynote at Trusted Computing Conference 2013, Orlando
Stiennon Keynote at Trusted Computing Conference 2013, OrlandoRichard Stiennon
 
How the Surveillance State Changes IT Security Forever
How the Surveillance State Changes IT Security ForeverHow the Surveillance State Changes IT Security Forever
How the Surveillance State Changes IT Security ForeverRichard Stiennon
 
Cybercrime and Business Process Hacking
Cybercrime and Business Process HackingCybercrime and Business Process Hacking
Cybercrime and Business Process HackingRichard Stiennon
 
Post Apocalyptic Cyber Realism
Post Apocalyptic Cyber RealismPost Apocalyptic Cyber Realism
Post Apocalyptic Cyber RealismRichard Stiennon
 
What makes the IT industry tick?
What makes the IT industry tick? What makes the IT industry tick?
What makes the IT industry tick? Richard Stiennon
 
Surviving Cyber War April09
Surviving Cyber War April09Surviving Cyber War April09
Surviving Cyber War April09Richard Stiennon
 

Plus de Richard Stiennon (14)

Cyber security industry trends
Cyber security industry trendsCyber security industry trends
Cyber security industry trends
 
The Internet of Military Things: There Will Be Cyberwar
The Internet of Military Things: There Will Be CyberwarThe Internet of Military Things: There Will Be Cyberwar
The Internet of Military Things: There Will Be Cyberwar
 
There WIll Be Cyberwar
There WIll Be Cyberwar There WIll Be Cyberwar
There WIll Be Cyberwar
 
How the Revolution in Military Affairs has set the stage for future cyberwars
How the Revolution in Military Affairs has set the stage for future cyberwarsHow the Revolution in Military Affairs has set the stage for future cyberwars
How the Revolution in Military Affairs has set the stage for future cyberwars
 
Stiennon Keynote at Trusted Computing Conference 2013, Orlando
Stiennon Keynote at Trusted Computing Conference 2013, OrlandoStiennon Keynote at Trusted Computing Conference 2013, Orlando
Stiennon Keynote at Trusted Computing Conference 2013, Orlando
 
How the Surveillance State Changes IT Security Forever
How the Surveillance State Changes IT Security ForeverHow the Surveillance State Changes IT Security Forever
How the Surveillance State Changes IT Security Forever
 
Cybercrime and Business Process Hacking
Cybercrime and Business Process HackingCybercrime and Business Process Hacking
Cybercrime and Business Process Hacking
 
Post Apocalyptic Cyber Realism
Post Apocalyptic Cyber RealismPost Apocalyptic Cyber Realism
Post Apocalyptic Cyber Realism
 
What makes the IT industry tick?
What makes the IT industry tick? What makes the IT industry tick?
What makes the IT industry tick?
 
New definition for APT
New definition for APTNew definition for APT
New definition for APT
 
Titan Rain
Titan RainTitan Rain
Titan Rain
 
Cyberwar Update2010
Cyberwar Update2010Cyberwar Update2010
Cyberwar Update2010
 
Surviving Cyber War April09
Surviving Cyber War April09Surviving Cyber War April09
Surviving Cyber War April09
 
Surviving Cyber War
Surviving Cyber WarSurviving Cyber War
Surviving Cyber War
 

Dernier

MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxsaniyaimamuddin
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditNhtLNguyn9
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Doge Mining Website
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Americas Got Grants
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 

Dernier (20)

MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal audit
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 

Why Risk Management is Impossible

  • 1. Risk Management: A Failed Strategy with Unachievable Goals. Richard Stiennon Chief Research Analyst IT-Harvest
  • 2. International Cybersecurity Dialogue What is risk? Risk = Threat * Vulnerability * Asset Value -or- The probable frequency and probable magnitude of future loss - FAIR
  • 3. International Cybersecurity Dialogue Risk Management 101 • 1. Identify all critical assets • 2. Score them by “value” • 3. Discover all vulnerabilities • All three are impossible.
  • 4. International Cybersecurity Dialogue • • • • • • • • • • What is an IT asset? Desktops Laptops Servers Thumb drives Switches Applications Data bases Records Artifacts (VM images) Usernames, passwords, e mail addresses • • • • • • • • • • IP addresses, domains Digital certificates (SSL, SSH, Kerboros, code signing, identity) Email, email archives Business intelligence data Logs Policies, settings, configurations Processes, work flow, authorization • • • • • • IP. Designs, formulae, patent applications, litigation documents, spreadsheets, docs, Powe r Point. Real time data Meta data • • Software licenses and version data Virtual data center (repeat most of above) Phones Smart phones Video conferencing Firewalls, IPS, Content filtering, Log management, patch management, trouble ticketing, AV, etc. etc. etc. Active Directory, Ephemeral assets
  • 5. International Cybersecurity Dialogue What is the value of an IT asset? • • • • • • Replacement cost? Purchase+shipping+config+restore+staging+d eployment Cost to reproduce data? Loss of productivity? Loss of business competitiveness? Lost sales? Lost battle?
  • 6. International Cybersecurity Dialogue Can you really reduce the surface area (exposed vulnerabilities) ? • Some systems cannot be patched • Legacy • Operations • All systems have unknown vulnerabilities
  • 8. International Cybersecurity Dialogue Or this: Athens 2004: A series of software updates turns on Lawful intercept function in Ericsson switch 104 diplomats and Olympic officials spied on Engineer mysteriously commits suicide
  • 9. International Cybersecurity Dialogue Or this: Cyber sabotage: Stuxnet s7otbxdx.dll Step 7 software DLL Rootkit s7otbxsx.dll DLL original New data blocks added
  • 10. International Cybersecurity Dialogue Trading losses Or this: 2008, Jerome Kerviel covers up trading losses, Largest trading fraud in history to be carried out by a single person. $54 billion exposure, $7.14 Billion loss 5 year sentence reduced to 3
  • 11. International Cybersecurity Dialogue Or this: • Saudi Aramco, August 2012 • South Korea, March 2013
  • 12. International Cybersecurity Dialogue Or this: • Malware transmitted to SIPRNET across an air gap by “foreign agents” in an “overseas theater” according to assistant defense secretary Lynn. • Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD.
  • 13. International Cybersecurity Dialogue Risk management is based on normal distribution of events • IT security is not subject to Gaussian distributions • The difference is: adversaries
  • 14. International Cybersecurity Dialogue Targeted Attacks are Not Random • Risk Management arose to address “random attacks.” Viruses, worms, opportunistic hackers. • Targeted attacks are Black Swan events
  • 15. International Cybersecurity Dialogue So, if Risk Management is a failure what should be done? • Welcome to the world of threat based security, the real world.
  • 16. International Cybersecurity Dialogue Some scenarios • A mass killer is on the loose. Find him and stop him? Or protect every “asset”? • Chinese Comment Crew is in your network. Do a vulnerability scan? • Rogue employee is accessing customer database. Beef up security awareness training?
  • 18. International Cybersecurity Dialogue Security Intelligence is the key to threat management • Malware analysis • Key indicators of attack • Key indicators of compromise • Threat actor intelligence
  • 19. International Cybersecurity Dialogue The Cyber Defense Team Operations Analysts Red Team Cyber Commander
  • 20. International Cybersecurity Dialogue Let’s be honest • Risk Management was developed so that IT security could “speak to management.” • Management understands threats not risks. • Show them the threats and they will respond.