
Risks or vulnerabilities?

Dec 21, 2014


Slides prepared in a few hours to fill in for a missing speaker at the All Security conference in Rome, 2011.
Transcript
Page 1: Risks or vulnerabilities?

Alessio L.R. Pennasilico [email protected] twitter: mayhemspp FaceBook: alessio.pennasilico

Rome, 7 April 2011

Risks or vulnerabilities?

Page 2: Risks or vulnerabilities?

Risks or vulnerabilities? [email protected]

$ whois mayhem

Board of Directors: CLUSIT, Associazione Informatici Professionisti, Associazione Italiana Professionisti Sicurezza Informatica, Italian Linux Society, OpenBSD Italian User Group, Hacker's Profiling Project

Security Evangelist @

Page 3: Risks or vulnerabilities?

Credits

Roger G. Johnston

Vulnerability Assessment Team, Nuclear Engineering Division, Argonne National Laboratory

http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf

Page 4: Risks or vulnerabilities?

Risks or vulnerabilities?

Page 5: Risks or vulnerabilities?

Malware

Threat: Adversaries might install malware on the computers in our Personnel Department so they can steal social security numbers for purposes of identity theft.

Vulnerability: The computers in the Personnel Department do not have up-to-date virus definitions for their anti-malware software.

Page 6: Risks or vulnerabilities?

Thieves

Threat: Thieves could break into our facility and steal our equipment.

Vulnerability: The lock we are using on the building doors is easy to pick or bump.

Page 7: Risks or vulnerabilities?

Social Engineering

Threat: Nefarious insiders might release confidential information to adversaries.

Vulnerability: Employees don't currently have a good understanding of what information is sensitive/confidential and what is not, so they can't do a good job of protecting it.

Page 8: Risks or vulnerabilities?

Myth #1

"A Threat without a mitigation is a Vulnerability" makes no sense because:

(a) a Threat is not a Vulnerability;

(b) security is a continuum and 100% elimination of a Vulnerability is rarely possible;

(c) adversaries may not automatically recognize a Vulnerability, so mitigating it may be irrelevant for that specific Threat.

Page 9: Risks or vulnerabilities?

Myth #2

"Threats are more important than Vulnerabilities": we need to consider that a TA involves mostly speculating about people who are not in front of us, and who might not even exist, but who have complex motivations, goals, mindsets, and resources if they do exist. Vulnerabilities are more concrete and right in front of us (if we're clever and imaginative enough to see them). They are discovered by doing an analysis of actual infrastructure and its security, not by speculating about people.

Page 10: Risks or vulnerabilities?

Past vs Future

Some people claim that past security incidents can tell us all we need to know about Threats, but that is just being reactive, not proactive, and misses rare but very catastrophic attacks.

Page 11: Risks or vulnerabilities?

If you understand and take some reasonable effort to mitigate your security Vulnerabilities, you are probably in fairly good shape regardless of the Threats.

Page 12: Risks or vulnerabilities?

If you understand the Threats but are ignorant of the Vulnerabilities, you are not likely to be very secure, because the adversaries will have many different ways in.

Page 13: Risks or vulnerabilities?

Cognitive Biases

Page 14: Risks or vulnerabilities?

Optimism Bias

The demonstrated systematic tendency for people to be over-optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. It is one of several kinds of positive illusion to which people are generally susceptible.

Page 15: Risks or vulnerabilities?

Optimism Bias

Optimistic overconfidence bias can induce people to underinvest in primary and preventive care and other risk-reducing behaviors.

Page 16: Risks or vulnerabilities?

A brain-imaging study found that, when imagining negative future events, signals in the amygdala, an emotion centre of the brain, are weaker than when remembering past negative events. This weakened consideration of possible negative outcomes is one possible mechanism for optimism bias.

Page 17: Risks or vulnerabilities?

Heuristic

Experience-based techniques that help in problem solving, learning and discovery: a "rule of thumb", an educated guess, an intuitive judgment or simply common sense.

Page 18: Risks or vulnerabilities?

Availability heuristic

Estimating what is more likely by what is more available in memory, which is biased toward vivid, unusual, or emotionally charged examples.

Page 20: Risks or vulnerabilities?

Affect heuristic

Basing a decision on an emotional reaction rather than a calculation of risks and benefits.

Page 21: Risks or vulnerabilities?

Donald Norman

Page 22: Risks or vulnerabilities?

Conclusions

Page 23: Risks or vulnerabilities?

Conclusions

We have to deal with threats.

We have to deal with vulnerabilities.

Page 24: Risks or vulnerabilities?

Conclusions

We are human, we can make mistakes.

Trying to manage the causes of errors of judgement helps.

Page 25: Risks or vulnerabilities?

Alessio L.R. Pennasilico [email protected] twitter: mayhemspp FaceBook: alessio.pennasilico

Rome, 7 April 2011

Questions?

These slides were written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. "Please" cite your source and use the same licence :)

Thank you for your attention!