Social-Engineer
Your Security Budget
Vlad Styran
Good afternoon. I’m Vlad
Plan
1. Rationale
2. Economics
3. Social Engineering
4. Influence
Part 1
Rationale for security budget
Rationale for security budget
Expectations
Corporate governance
Risk management
Market and government regulations
Rationale for security budget
Reality
Audit reports
Security incidents
Vendor pitches
“CEO has read a book” ©
IT (security) budgeting process
Expectations
1. Conduct a risk assessment
2. Quantify expected losses
3. Agree on risk appetite
4. Plan the controls
5. Implement the controls
6. Maintain the controls
7. Measure the controls
IT (security) budgeting process
Reality
1. Plan the budget
2. Present the budget
3. Divide the budget in half
4. Defend the budget
5. Divide the budget in half
6. Get the budget approval
7. Try not to cry in public
Why are IT budgets cut?
But if it only worked…
Expectations
Corporate governance
Risk management
Market and government regulations
Reality
Industrial Control Systems Healthcheck
Part 2
Cyber security economics
Cyber security economics
Market challenges:
Information asymmetry*
Invisibility of prevented loss
Lack of incident disclosure
Poor regulation
* George Akerlof - The Market for Lemons
Why corporate security (normally) sucks
“Best practice”-driven deterministic approach
The promised land of “Management commitment”
Obsession with formal authority
“Best practice” vs Real security
“Best practice” security:
Deterministic & control-centric
“When in doubt, look into the standard” ©
Security against liability
Compliance ❤
Delft University of Technology – Cyber Security Economics 101
“Best practice” vs Real security
The Real security:
Direct business impact
Security for business
Indirect business impact
Security for customers
Support of business strategy
Security against customers
Delft University of Technology – Cyber Security Economics 101
Management commitment
Expectation
ISO/IEC 27001 – 5.1 Management commitment
Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
…
d) communicating to the organization the importance of …;
e) providing sufficient resources to …;
…
Reality
Obsession with authority
Expectation
CISO reports to the CEO or directly to the Board of Directors
Image courtesy of USA Network
Obsession with authority
Reality
“CISO” reports to the highest-ranking executive who knows the difference between a firewall and an antivirus
Image courtesy of Scott Adams, http://dilbert.com
Cyber security business
Paper tigers
Blinking boxes
Feynman threat
Do it yourself attitude
Evolution of “fair price”
Part 3
Social engineering
Social Engineering
vs Human Hacking, Neurohacking and other bullshit
How it works
Scenario: a virus outbreak is expected to kill 600 people. We have two treatment plans to choose from.
Plan A: let’s save 200 people!
• All 600 will survive with P=33%
• None will survive with P=66%
Plan B: 400 people will die…
• No one will die with P=33%
• Everyone will die with P=66%
Tversky, Amos; Kahneman, Daniel (1981). "The Framing of decisions and the psychology of choice". Science 211 (4481): 453–458.
How it works
78% 22%
Part 4
Influence strategy, tactics and ops
Influence strategy
Formal power
Expert power
Social power
Formal power
Expert power
An expert is a man who has made all the mistakes which can be made, in a narrow field.
--Niels Bohr
Expert power
An expert is a human who has made all the mistakes which can be made, in a narrow field.
--Niels Bohr
Expert power
Open Design
Least Privilege
Fail-Safe Defaults
Defense in Depth
Complete Mediation
Separation of Privilege
Economy of Mechanism
Secure Weakest Link First
Psychological Acceptability
Least Common Mechanism
Ross Anderson – Security Engineering
Social power
University of Michigan – Influencing People
Social power
Cultivating Compassionate Tech Communities - April Wensel - AnxietyTech 2018
Influence tactics
Behavioral economics
Social psychology
Neuroscience
Robert Cialdini – Influence
Influence ops
Oren Klaff – Pitch Anything
Step 1: Introduction of self
Define yourself via your background and brief history
Name top-3 or top-2 cool things you did professionally
State the purpose of your pitch
Step 2: The “Why now?” frame
Recent changes by economic, social, and technological forces: factual and external to the company
Backstory of the idea: important changes in the business, forecast of trends, impact on cost and demand, and the opening window of opportunity
Step 3: Idea introduction pattern
“For [the beneficiary],
Who are dissatisfied with [the current situation],
My proposed idea/product/project is a [new thing],
That provides [key problem-solving solution],
Unlike [the alternative(s)].
My idea/product/project/solution is: [describe key features]”
Good evening. I’m Vlad
I spent 16 years in IT infrastructure, Information Security Management, IT Audit, Application Security, and Security consulting for the largest banking, telecom, software development and professional services companies in Ukraine.
I am one of the ”founding fathers” of UISG, co-founder of OWASP Kyiv, NoNameCon security conference, and my own consulting company Berezha Security.
Today I am here to help you secure an adequate budget for your cyber security program.
All of you are aware of
1. the increase in frequency and financial impact of cyber attacks,
2. the strengthening of government and market regulations,
3. and the inability of traditional IT security solutions to thwart the permanent threat of state-sponsored hacking backed by Russia.
In the face of
1. poor InfoSec market conditions that will not improve in the near future,
2. and the inevitable period of increased geopolitical tension caused by the upcoming presidential elections;
you shall not miss the opportunity to secure the funding required to implement adequate safeguards as soon as possible.
For your security organization, that is poorly funded in line with the “traditional” corporate budgeting process that creates an imbalance between estimated goals and assigned costs,
my proposed method is a tool for leveraging natural human features, beliefs, and aspirations,
that provides a tangible perception of a “fair amount” of cyber security spending to all stakeholders,
unlike the traditional “risk assessment” approach that is inherently prone to error and doesn’t fully cover the ever-changing threat landscape.
My proposed method uses the current body of knowledge in psychology, social sciences, and cyber security economics to help security leaders
• obtain necessary resources,
• deal with cyber security market challenges,
• build and maintain influence power in the organization,
• and take a well-deserved place in the business hierarchy.
How to find me
sapran@pm.me
https://fb.me/vstyran
@arunninghacker
References
George Akerlof - The Market for Lemons
Delft University of Technology – Cyber Security Economics 101
Ross Anderson – Security Engineering
University of Michigan – Influencing People
Robert Cialdini – Influence
Oren Klaff – Pitch Anything
Cultivating Compassionate Tech Communities - April Wensel - AnxietyTech 2018
Recommendations
Introduction to Psychology, University of Toronto
Christopher Hadnagy, Social Engineering: The Art of Human Hacking, 1st Edition
Robert B. Cialdini, Influence: The Psychology of Persuasion, Revised Edition
Dan Ariely, Predictably Irrational, Revised and Expanded Edition: The Hidden Forces That Shape Our Decisions
Social Engineer Podcast
