Risks or vulnerabilities?
1. Risks or vulnerabilities?
Alessio L.R. Pennasilico, Rome, 7 April 2011
mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico
2. $ whois mayhem
Security Evangelist @
Board of Directors:
CLUSIT, Associazione Informatici Professionisti,
Associazione Italiana Professionisti Sicurezza Informatica,
Italian Linux Society, OpenBSD Italian User Group,
Hacker’s Profiling Project
Risks or vulnerabilities? mayhem@alba.st 2
3. Credits
Roger G. Johnston
Vulnerability Assessment Team
Nuclear Engineering Division Argonne
National Laboratory
http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf
5. Malware
Threat: Adversaries might install malware in
the computers in our Personnel Department
so they can steal social security numbers for
purposes of identity theft.
Vulnerability: The computers in the Personnel
Department do not have up-to-date virus
definitions for their anti-malware software.
6. Thieves
Threat: Thieves could break into our facility
and steal our equipment.
Vulnerability: The lock we are using on the
building doors is easy to pick or bump.
7. Social Engineering
Threat: Nefarious insiders might release
confidential information to adversaries.
Vulnerability: Employees don’t currently have
a good understanding of what information is
sensitive/confidential and what is not, so
they can’t do a good job of protecting it.
8. Myth #1
“a Threat without a mitigation is a Vulnerability”
makes no sense because
(a) a Threat is not a Vulnerability
(b) security is a continuum and 100%
elimination of a Vulnerability is rarely possible
(c) adversaries may not automatically recognize
a Vulnerability so mitigating it may be
irrelevant for that specific Threat
9. Myth #2
“Threats are more important than Vulnerabilities”
We need to consider that a Threat Assessment (TA)
involves mostly speculating about people who are
not in front of us, and who might not even exist,
but who have complex motivations, goals, mindsets,
and resources if they do exist.
Vulnerabilities are more concrete and right in
front of us (if we're clever and imaginative
enough to see them). They are discovered by
doing an analysis of actual infrastructure and
its security, not by speculating about people.
10. Past vs Future
Some people claim that past security
incidents can tell us all we need to know
about Threats, but that is just being
reactive, not proactive, and misses rare but
very catastrophic attacks.
11. If you understand and take some reasonable
effort to mitigate your security
Vulnerabilities, you are probably in fairly
good shape regardless of the Threats.
12. If you understand the Threats but are ignorant
of the Vulnerabilities, you are not likely to be
very secure, because the adversaries will
have many different ways in.
14. Optimism Bias
The demonstrated systematic tendency for
people to be over-optimistic about the
outcome of planned actions. This includes
over-estimating the likelihood of positive
events and under-estimating the likelihood
of negative events. It is one of several
kinds of positive illusion to which people
are generally susceptible.
15. Optimism Bias
Optimistic overconfidence bias can induce
people to underinvest in primary and
preventive care and other risk-reducing
behaviors.
16. A brain-imaging study found that, when
imagining negative future events, signals in
the amygdala, an emotion centre of the
brain, are weaker than when remembering
past negative events. This weakened
consideration of possible negative
outcomes is one possible mechanism for
optimism bias.
17. Heuristic
Experience-based techniques that help in
problem solving, learning and discovery:
a "rule of thumb", an educated guess, an
intuitive judgment or simply common sense.
18. Availability heuristic
Estimating what is more likely by what is
more available in memory, which is biased
toward vivid, unusual, or emotionally
charged examples.
19. Representativeness heuristic
Judging probabilities on the basis of
resemblance.
20. Affect heuristic
Basing a decision on an emotional reaction
rather than a calculation of risks and
benefits.
23. Conclusions
We have to deal with threats.
We have to deal with vulnerabilities.
24. Conclusions
We are human, we can make mistakes.
Trying to manage the causes of assessment
errors helps.
25. These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. "Please" cite your source and use the same licence :)
Questions?
Thanks for your attention!
Alessio L.R. Pennasilico, Rome, 7 April 2011
mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico