Risks or vulnerabilities?

Alessio L.R. Pennasilico, Rome, 7 April 2011

mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico
$ whois mayhem

Security Evangelist @

Board of Directors:
CLUSIT, Associazione Informatici Professionisti,
Associazione Italiana Professionisti Sicurezza Informatica,
Italian Linux Society, OpenBSD Italian User Group,
Hacker's Profiling Project

Risks or vulnerabilities?   mayhem@alba.st   2
Credits

Roger G. Johnston
Vulnerability Assessment Team
Nuclear Engineering Division, Argonne National Laboratory
http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf
Risks or vulnerabilities?
Malware

Threat: Adversaries might install malware in the computers in our Personnel Department so they can steal social security numbers for purposes of identity theft.

Vulnerability: The computers in the Personnel Department do not have up to date virus definitions for their anti-malware software.
Thieves

Threat: Thieves could break into our facility and steal our equipment.

Vulnerability: The lock we are using on the building doors is easy to pick or bump.
Social Engineering

Threat: Nefarious insiders might release confidential information to adversaries.

Vulnerability: Employees don't currently have a good understanding of what information is sensitive/confidential and what is not, so they can't do a good job of protecting it.
Myth #1

"A Threat without a mitigation is a Vulnerability" makes no sense because:

(a) a Threat is not a Vulnerability
(b) security is a continuum and 100% elimination of a Vulnerability is rarely possible
(c) adversaries may not automatically recognize a Vulnerability, so mitigating it may be irrelevant for that specific Threat
Myth #2

"Threats are more important than Vulnerabilities": we need to consider that a Threat Assessment (TA) involves mostly speculating about people who are not in front of us, and who might not even exist, but who have complex motivations, goals, mindsets, and resources if they do exist.

Vulnerabilities are more concrete and right in front of us (if we're clever and imaginative enough to see them). They are discovered by doing an analysis of actual infrastructure and its security, not by speculating about people.
Past vs Future

Some people claim that past security incidents can tell us all we need to know about Threats, but that is just being reactive, not proactive, and misses rare but very catastrophic attacks.
If you understand and take some reasonable effort to mitigate your security Vulnerabilities, you are probably in fairly good shape regardless of the Threats.
If you understand the Threats but are ignorant of the Vulnerabilities, you are not likely to be very secure, because the adversaries will have many different ways in.
Cognitive Biases
Optimism Bias

The demonstrated systematic tendency for people to be over-optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. It is one of several kinds of positive illusion to which people are generally susceptible.
Optimism Bias

Optimistic overconfidence bias can induce people to underinvest in primary and preventive care and other risk-reducing behaviors.
A brain-imaging study found that, when imagining negative future events, signals in the amygdala, an emotion centre of the brain, are weaker than when remembering past negative events. This weakened consideration of possible negative outcomes is one possible mechanism for optimism bias.
Heuristic

Experience-based techniques that help in problem solving, learning and discovery: a "rule of thumb", an educated guess, an intuitive judgment or simply common sense.
Availability heuristic

Estimating what is more likely by what is more available in memory, which is biased toward vivid, unusual, or emotionally charged examples.
Representativeness heuristic

Judging probabilities on the basis of resemblance.
Affect heuristic

Basing a decision on an emotional reaction rather than a calculation of risks and benefits.
Donald Norman
Conclusions

We must deal with the threats.

We must deal with the vulnerabilities.
Conclusions

We are human, we can make mistakes.

Trying to manage the causes of errors of judgment helps.
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. "Please" cite your source and use the same licence :)

Questions?
Thank you for your attention!

Alessio L.R. Pennasilico, Rome, 7 April 2011

mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico