Risks or vulnerabilities?

Alessio L.R. Pennasilico                       Rome, 7 April 2011

mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico
$ whois mayhem

Security Evangelist @

Board of Directors:
CLUSIT, Associazione Informatici Professionisti,
Associazione Italiana Professionisti Sicurezza Informatica,
Italian Linux Society, OpenBSD Italian User Group,
Hacker’s Profiling Project

Risks or vulnerabilities?        mayhem@alba.st                         2
Credits

Roger G. Johnston
Vulnerability Assessment Team
Nuclear Engineering Division, Argonne National Laboratory

http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf

Risks or vulnerabilities?
Malware

Threat: Adversaries might install malware in the computers in our Personnel Department so they can steal social security numbers for purposes of identity theft.

Vulnerability: The computers in the Personnel Department do not have up-to-date virus definitions for their anti-malware software.

Thieves

Threat: Thieves could break into our facility and steal our equipment.

Vulnerability: The lock we are using on the building doors is easy to pick or bump.

Social Engineering

Threat: Nefarious insiders might release confidential information to adversaries.

Vulnerability: Employees don’t currently have a good understanding of what information is sensitive/confidential and what is not, so they can’t do a good job of protecting it.

Myth #1

“a Threat without a mitigation is a Vulnerability” makes no sense because

(a) a Threat is not a Vulnerability
(b) security is a continuum and 100% elimination of a Vulnerability is rarely possible
(c) adversaries may not automatically recognize a Vulnerability, so mitigating it may be irrelevant for that specific Threat

Myth #2

“Threats are more important than Vulnerabilities”

We need to consider that a Threat Assessment (TA) involves mostly speculating about people who are not in front of us, and who might not even exist, but who have complex motivations, goals, mindsets, and resources if they do exist.

Vulnerabilities are more concrete and right in front of us (if we’re clever and imaginative enough to see them). They are discovered by doing an analysis of actual infrastructure and its security, not by speculating about people.
Past vs Future

Some people claim that past security incidents can tell us all we need to know about Threats, but that is just being reactive, not proactive, and misses rare but very catastrophic attacks.

If you understand and take some reasonable effort to mitigate your security Vulnerabilities, you are probably in fairly good shape regardless of the Threats.

If you understand the Threats but are ignorant of the Vulnerabilities, you are not likely to be very secure, because the adversaries will have many different ways in.

Cognitive Biases
Optimism Bias

The demonstrated systematic tendency for people to be over-optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. It is one of several kinds of positive illusion to which people are generally susceptible.

Optimism Bias

Optimistic overconfidence bias can induce people to underinvest in primary and preventive care and other risk-reducing behaviors.

A brain-imaging study found that, when imagining negative future events, signals in the amygdala, an emotion centre of the brain, are weaker than when remembering past negative events. This weakened consideration of possible negative outcomes is one possible mechanism for optimism bias.

Heuristic

Experience-based techniques that help in problem solving, learning and discovery.

A "rule of thumb", an educated guess, an intuitive judgment or simply common sense.

Availability heuristic

Estimating what is more likely by what is more available in memory, which is biased toward vivid, unusual, or emotionally charged examples.

Representativeness heuristic

Judging probabilities on the basis of resemblance.

Affect heuristic

Basing a decision on an emotional reaction rather than a calculation of risks and benefits.

Donald Norman




Conclusions

We must deal with threats

We must deal with vulnerabilities

Conclusions

We are human, we can make mistakes

Trying to manage the causes of assessment errors helps

These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. “Please” cite your source and use the same licence :)

Questions?
Thanks for your attention!

Alessio L.R. Pennasilico                                                                                       Rome, 7 April 2011

mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico