SlideShare uma empresa Scribd logo

Steve Werby's Bad Advice, Unintended Consequences, and Broken Paradigms at DerbyCon 2014

Transferir como PPTX, PDF
Steve Werby
Steve Werby

20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline…which sometimes has a seat at the table. This talk explores what we’re doing wrong, why it’s ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!

Tecnologia
1 de 83
Steve Werby DerbyCon 2014 Bad Advice, Unintended Consequences, and Broken Paradigms: Think and Act Different 1
Bad Advice, Unintended Consequences, and Broken Paradigms: Think and Act Different @stevewerby Steve Werby WerbyCon 2014 1
goto fail; goto fail;  Don’t have a strategy…or a [vision|mission|target state|roadmap]  Don’t understand risk  Serve as an obstacle…because we don’t align with the business  Don’t engage our stakeholders  Scream about irrelevant vulns  Want to solve everything with shiny things  Yet don’t know how are shiny things work  And only use a fraction of their capabilities  Can’t state how effective we are  But think we’re right and they’re wrong 2
We’re Doing it Wrong Insanity [noun] in-ˈsa-nə-tē: Doing the same thing over and over again and expecting different results 3
We’re Doing it Wrong Infosec [noun] in-ˈsa-nə-tē: Doing the same thing over and over again and expecting different results 4
Disclaimer “I am Jack’s raging bile duct.” 5 fbbba818c9dcdcbd9c6e2430f59871e8
Who am I?  I am not a rock star 6
What Information Security Is (Allegedly)  Information security is the practice of defending information against unauthorized access, use, disclosure, modification, or destruction 7
What Information Security Is (Really)  Information security is the defense of information and IT systems in alignment with stakeholders' direction for addressing risk and opportunities 8
What Information Security Is (Really)  Information security is the defense of information and IT systems in alignment with stakeholders' direction for addressing risk and opportunities  Breaking it Down • What information do we have? • What IT systems use it? • Who are stakeholders? • What are our risks? • What are our opportunities? 9
We’re Doing it Wrong 0 KPMG: Cyber Security: It’s Not Just About the Technology (http://www.kpmg.com/GI/en/IssuesAndInsights/ArticlesPublications/Documents/cyber-security- not-just-about-technology.pdf)
The Stakeholder Immaturity Model How can we align with org’s objectives? What do you think we should do? What’s our risk for scenario I read about? Should we address this? How can we prevent this in the future? How did you let this happen!? 11
Bad Advice – Passwords  Make them complex  Memorize them  Change them regularly 12
Bad Advice – Passwords 12  Hard to guess  Protect them  Hard to crack the hash  Make them complex  Memorize them  Change them regularly
12 Unintended Consequences – Passwords  Hard to guess  Protect them  Hard to crack the hash  Make them complex  Memorize them  Change them regularly  Compliant, but weak, reused, and similar  Write them down, but poorly protected  Only if forced, increment/rotate
Think && Act Different – Passwords  Make it loooooooooooooong  Disallow common topologies1  Require a Unicode character  Audit them 13 1 KoreLogic Security Blog: Pathwell Topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)
Think && Act Different – Passwords  Make it loooooooooooooong  Disallow common topologies1  Require a Unicode character  Audit them 13  thinkandactdifferentinfosec  ullllldd  passw⛽rd  If too easily guessed, force change 1 KoreLogic Security Blog: Pathwell Topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)
Broken Paradigm – Policy  Legalese  Verbose  What to [not] do 14  Comprehensible  Retainable  What to [not] do and why  Great for CYA, but don’t understand it, can’t retain it  Don’t read it  Don’t know why and think we don’t get it
Think && Act Different – Policy  Keep traditional policy if you want, but translate and/or create cheat sheet Create a password which isn’t guessable by someone who knows you or is similar to one you currently or previously used here or anywhere else. Protect it by never sharing it with ANYONE, being wary of phishing attacks, and by memorizing it or writing it down in securely. Adversaries are good at tricking people and using their knowledge of typical approaches for constructing passwords. Don’t let them gain access to your personal accounts and info or the company information you have access to. 15
Broken Paradigm – CIA Triad 16
Broken Paradigm – CIA Triad 16
Werbian Quintet Level 1 • Utility • Availability Level 2 • Integrity Level 3 • Confidentiality/Possession • Authenticity 17
Broken Paradigm – The Quartet of Doom 18 Passwords Firewalls OS Patching Antivirus
“I am Jack’s cold sweat.” 19
If This is You, You’re Doing it Wrong! FUD: 005 (http://fearuncertaintydoubt.wordpress.com/2009/12/21/fud-005/) 20
If This is You, You’re Doing it Wrong! User Friendly: Please Create a Password (http://ars.userfriendly.org/cartoons/?id=20070929) 21
Broken Paradigm – Vulnerability Management  Unlocked, 20-year old, empty beaten up car in middle of full parking lot  Unlocked house with $10MM in diamonds in the middle of the desert and only 1 person knows it’s there 22
Broken Paradigm – Vulnerability Management  Unlocked, 20-year old, empty beaten up car in middle of full parking lot  Unlocked house with $10MM in diamonds in the middle of the desert and only 1 person knows it’s there 22  Insignificant impact  Improbable threat  Context is critical
Risk is This…Because Algebra  R = Threat * Vulnerability * Impact  R = Likelihood * Impact • Almost certainly a range of impact/likelihood scenarios • Likelihood of threat exploiting a vulnerability resulting in impact 23
“I am Jack’s wasted life.” 24
Risk Assessment Model and Infosec Lexicon 25  Iteration 1: Impacts and threats – impact, threat actor, likelihood  Iteration 2: Exploitation likelihood – attack vectors, likelihood  Iteration 3: Assessment of controls – controls, residual risk, risk appetite  Iteration 4: Controls architecture – define controls, residual risk, risk appetite
Threat Actor / Motivation Likelihood Matrix 26
Think && Act Different – Ask Questions (Direction)  Are we meeting stakeholder expectations? 27
Think && Act Different – Ask Questions (Direction)  Are we meeting stakeholder expectations? • Who are our stakeholders? • What are their goals and concerns? • Are we helping them achieve their goals? • Are we reporting our progress? • Do they understand what we’re telling them? • What has their feedback been? 27
Think && Act Different – Ask Questions (Risk Scenarios)  What if someone stole the CEO’s laptop while he was using it at the park? 28
Think && Act Different – Ask Questions (Risk Scenarios)  What if someone stole the CEO’s laptop while he was using it at the park? • Are there preventive or detective controls in place? • Does he know who to contact? • Do you know what info and systems are accessible? • Is there an incident response plan for this scenario? • How long will the incident take to contain? 28
Think && Act Different – Ask Questions (Capabilities)  What percentage of critical vulnerabilities for systems in our environment are exploited in the wild before we’ve remediated them? Exploited in our environment? 29
Think && Act Different – Ask Questions (Capabilities)  What percentage of critical vulnerabilities for systems in our environment are exploited in the wild before we’ve remediated them? Exploited in our environment? • How does this compare to the previous quarter? • Patch frequency? • Target (and actual) turnaround between patch release and implementation? • How might we reduce this from X% to Y%? 29
Think && Act Different – Ask Questions (Assessment of Controls)  What if an attacker enumerated all of our AD accounts to intentionally lock them out? 30
Think && Act Different – Ask Questions (Assessment of Controls)  What if an attacker enumerated all of our AD accounts to intentionally lock them out? • Are there preventive or detective controls in place? • Do you know what the impact would be? • Is there an incident response plan for this scenario? • How long will the incident take to contain? • What was the objective of the control and is the objective being met? 30
Think && Act Different – Attack Trees  How can we better protect our CEO’s devices when he travels to China? • Assumption: Threat actor = competitor, motivation = espionage, skills = high • Goal: Acquire trade secrets 31
Think && Act Different – Attack Trees  How can we better protect our CEO’s devices when he travels to China? • Assumption: Threat actor = competitor, motivation = espionage, skills = high • Goal: Acquire trade secrets 31
Think && Act Different – How Might We?  Install RF hardware in laptop (or modify BIOS or modify a component)  Ask yourself “How might we?” 32
Think && Act Different – How Might We?  Install RF hardware in laptop (or modify BIOS or modify a component)  Ask yourself “How might we?” 32  How might we: • Mitigate a HW modification? • Detect a HW installation? • Mitigate the risk after CEO’s return?
Think && Act Different – How Might We?  Install RF hardware in laptop (or modify BIOS or modify a component)  Ask yourself “How might we?” 32  How might we: • Mitigate a HW modification? • Detect a HW installation? • Mitigate the risk after CEO’s return? • Tamper-proof tape • Weigh the laptop • Destroy laptop or sanitize and sell
Think && Act Different – How Might We?  Steal in-use laptop  Ask yourself “How might we?” 33
Think && Act Different – How Might We?  Steal in-use laptop  Ask yourself “How might we?” 33  How might we: • Prevent it or mitigate it?
Think && Act Different – How Might We?  Steal in-use laptop  Ask yourself “How might we?” 33  How might we: • Prevent it or mitigate it? • Not use it in public • Stay-alive code • Proximity device to trigger logout
“I am Jack’s epiphany.” 34
Think && Act Different – Assume Failure  Before a project, initiative, or major change, assume it will fail • Do individually, more than one individual, discuss 35
Think && Act Different – Metrics 36  Average # of days to patch a vulnerability  # of people who opened phishing security awareness communication  % of web apps with VAs performed last year
Think && Act Different – Metrics  % of vulns patched after threshold & median days > threshold  % of users exhibiting undesired phishing response by awareness status  % of web apps with VAs having repeat OWASP Top 10 findings 36  Average # of days to patch a vulnerability  # of people who opened phishing security awareness communication  % of web apps with VAs performed last year
Think && Act Different – Metrics  % of vulns patched after threshold & median days > threshold  % of users exhibiting undesired phishing response by awareness status  % of web apps with VAs having repeat OWASP Top 10 findings 36  Average # of days to patch a vulnerability  # of people who opened phishing security awareness communication  % of web apps with VAs performed last year  Describe outcomes, capabilities, or progress towards target state  Answer questions or allow you to formulate new questions  Are meaningful and actionable
Think && Act Different – Understand Stakeholders 37  Identify stakeholders  Define roles  Understand goals/needs
Think && Act Different – Understand Stakeholders 37  Identify stakeholders  You, CFO, CIO, Audit, Law, Owner, User  Define roles  Understand goals/needs
Think && Act Different – Understand Stakeholders 37  You, CFO, CIO, Audit, Law, Owner, User  RACI model  CFO – fiscal responsibility, ROI CIO – deliver value, cut costs Audit – assurance of controls User – effectiveness, efficiency  Identify stakeholders  Define roles  Understand goals/needs
Think && Act Different – Communicate with Stakeholders 38  Establish channels  Speak their language  Educate them  Concise, defensible  Choices
Think && Act Different – Communicate with Stakeholders 38  Establish channels  Speak their language  Educate them  Concise, defensible  Choices  Formal group, leverage group, survey  ! [0-day|worm|insecure]  Lexicon, role, bidirectional collaboration  Strategy, roadmap, progress, risk environ  Menu, considerations, likely outcomes
Think && Act Different – Get What You Want 39  Make it benefit them
Think && Act Different – Get What You Want 39  Make it benefit them  Longer password by giving up expiration
Think && Act Different – Gorge on Data 40  You’ll find: • Baselines • Patterns • Correlations • New questions to ask
Think && Act Different – Gorge on Data 40  You’ll find: • Baselines • Patterns • Correlations • New questions to ask • ECM documents accessed daily by user • 19% of users’ passwords are ULLLLLLNS • 317% more likely to forget password if changed entering weekend, holiday, or vacation • What are USB flash drives being used for?
Broken Paradigm – The Quartet of Doom 41 Passwords Firewalls OS Patching Antivirus
Broken Paradigm – The Quartet of Doom 42 Passwords Firewalls OS Patching Antivirus Prevent unauthorized access Reduce exploitation Barricade vulnerable systems Detect malicious code
The Quartet of Potential Hope and Lower Discontent OTPs Anomaly Detection 43 Passwords Firewalls OS Patching Antivirus Prevent unauthorized access Reduce exploitation Barricade vulnerable systems Detect malicious code Mitigate Java Malware Sandboxing
Broken Paradigm – The Quartet of Doom 44 Control Success Confidence Risk Mitigation User Friction Implement Burden Govern/Admin Burden Org Friction Cost Passwords 2* 3 3 - 1 3 1 OTPs 4 4 2 3 4 4 4 Firewalls 1 2 5 - 1 1 1 Anomaly Detection 2 4 3 5 1 4 2 OS Patching 3 1 3 - 3 3 2 Mitigate Java 5 5 5 2 5 5 1 Antivirus 2 1 3 - 2 4 2 Malware Sandbox 3 3 5 2 4 5 3 ✓ ✓ * 1 is the least desirable, 5 is the most desirable
Yes, You Can Tame Java 45  Deployment Rule Sets (then you can actually patch too!)  Block User Agent for Java at proxy  Microsoft EMET
Yes, You Can Tame Java 45  Deployment Rule Sets (then you can actually patch too!) • Install multiple versions of Java per device • Limit which applets and applications end user can execute • Limit which version of Java is associated with each
Yes, You Can Tame Java 45  Deployment Rule Sets (then you can actually patch too!) • Install multiple versions of Java per device • Limit which applets and applications end user can execute • Limit which version of Java is associated with each  Block User Agent for Java at proxy • Query proxy logs for visited hosts that used Java user agent • Aggregate by host, sort by frequency, analyze • Generate exclusions • Attacker can not modify the user agent before exploit attempt • Prevents web-based attacks against all operating systems
Yes, You Can Tame Java 45  Deployment Rule Sets (then you can actually patch too!) • Install multiple versions of Java per device • Limit which applets and applications end user can execute • Limit which version of Java is associated with each  Block User Agent for Java at proxy • Query proxy logs for visited hosts that used Java user agent • Aggregate by host, sort by frequency, analyze • Generate exclusions • Attacker can not modify the user agent before exploit attempt • Prevents web-based attacks against all operating systems  Microsoft EMET
Yes, You Can Tame Java 46 Option Risk Mitigation Implement Burden Govern/Admin Burden User Friction Deployment Rule Sets H M L L Patch Acceleration M M M M Block Java at Proxy H L L L EMET to Protect Java H L L L  Implementation order • Block Java at proxy • EMET to project Java • Deployment Rule Sets • Patch acceleration
Think && Act Different – Start *Somewhere* 47  Where? • Easiest? Highest value? With person who raises hand? • May not be your call • Could be based on surprise opportunity  Be prepared • Incident in your environment • Incident elsewhere • Inquiry from stakeholder  Crawl, walk, run – gain experience and learn lessons
Think && Act Different – Start *Somewhere* (Local Admin PW) 48  Scenario: Single enterprise-wide weak Local Admin password (LA PW) which hasn’t been changed in years and was poorly controlled  Document risk, share options with stakeholders  Change it to an acceptable password && implement governance  Create unique LA PW for segments of population  Create unique LA PW for each device based on root + device attribute  Create unique random LA PW for each device via PW escrow tool  Eliminate use of the LA PW
Think && Act Different – Go Against the Grain 49  Get a Mac campaigns from 2006 to 2009  Higher the penetration of a technology or tool, the more likely it will be targeted • If you use tools with high penetration - How quickly can your use of it be discovered? - Do you have compensating controls? - How quickly can you remediate vulnerabilities?  Consider technologies, tools, and configurations that reduce exploitation likelihood
Think && Act Different – Step Out of the Echo Chamber 50  Infosec is a field compromised of numerous disciplines  Social engineering => psychology, marketing, data analytics  Infosec • Risk mgmt • Strategy • Negotiation • Statistics • Probability • Data analytics • Psychology • Marketing • Education • Law • Privacy • Fraud prevention • Finance • Human factors engr • Operations research • Military science • Safety
Think && Act Different – Equal Treatment Not Required 51  Some people are riskier • Based on system/data access • Role/visibility • Security hygiene • Disgruntled/disciplined/separating • Internet presence
Think && Act Different – Equal Treatment Not Required 51  Some people are riskier • Based on system/data access • Role/visibility • Security hygiene • Disgruntled/disciplined/separating • Internet presence  It’s OK to treat them differently • Different training • Different detective and preventive controls • If a systems’ users are higher risk, so is the system (inherited risk)
If This is You, You’re Doing it Wrong! Dilbert: Mordac, the Preventer of Information Services (http://dilbert.com/strips/comic/2007-11-16/) 52
The Challenge 53 Think and act different.
The Challenge 53 Think and act different. Share your experiences.
The Challenge 53 Think and act different. Share your experiences. Do infosec better.
The Challenge 53 Think and act different. Share your experiences. Do infosec better. Get better infosec outcomes.
Bad Advice, Unintended Consequences, and Broken Paradigms: Think and Act Different @stevewerby Steve Werby Questions? Ideas? Thoughts? WerbyCon 2014 54

Recomendados

10 principles of organizational DNA
10 principles of organizational DNA10 principles of organizational DNA
10 principles of organizational DNAArun Chinnaraju MBA, PMP, CSM, CSPO, SA
 
CaseMark Weekly Webinar: AI-in-Legal Q3'2023
CaseMark Weekly Webinar: AI-in-Legal Q3'2023CaseMark Weekly Webinar: AI-in-Legal Q3'2023
CaseMark Weekly Webinar: AI-in-Legal Q3'2023Scott Kveton
 
Integrating Stage Gate with Product Development Models and the CMMI WB v2.2
Integrating Stage Gate with Product Development Models and the CMMI WB v2.2Integrating Stage Gate with Product Development Models and the CMMI WB v2.2
Integrating Stage Gate with Product Development Models and the CMMI WB v2.2Tim Kasse
 
The Patient-Reported Indicator Surveys (PaRIS): An Introduction (update)
The Patient-Reported Indicator Surveys (PaRIS): An Introduction (update)The Patient-Reported Indicator Surveys (PaRIS): An Introduction (update)
The Patient-Reported Indicator Surveys (PaRIS): An Introduction (update)OECD Directorate for Employment, Labour and Social Affairs
 
The AI Revolution - Aaron Stelle - WFG Title
The AI Revolution - Aaron Stelle - WFG TitleThe AI Revolution - Aaron Stelle - WFG Title
The AI Revolution - Aaron Stelle - WFG TitleAaron Stelle
 
Ai and Legal Industy - Executive Overview
Ai and Legal Industy - Executive OverviewAi and Legal Industy - Executive Overview
Ai and Legal Industy - Executive OverviewGraeme Wood
 
Big Data & Business Analytics: Understanding the Marketspace
Big Data & Business Analytics: Understanding the MarketspaceBig Data & Business Analytics: Understanding the Marketspace
Big Data & Business Analytics: Understanding the MarketspaceBala Iyer
 
Where to Find Sources for Primary and Secondary Research?
Where to Find Sources for Primary and Secondary Research?Where to Find Sources for Primary and Secondary Research?
Where to Find Sources for Primary and Secondary Research?Secondary Research
 

Recomendados

10 principles of organizational DNA
10 principles of organizational DNA10 principles of organizational DNA
10 principles of organizational DNAArun Chinnaraju MBA, PMP, CSM, CSPO, SA
 
CaseMark Weekly Webinar: AI-in-Legal Q3'2023
CaseMark Weekly Webinar: AI-in-Legal Q3'2023CaseMark Weekly Webinar: AI-in-Legal Q3'2023
CaseMark Weekly Webinar: AI-in-Legal Q3'2023Scott Kveton
 
Integrating Stage Gate with Product Development Models and the CMMI WB v2.2
Integrating Stage Gate with Product Development Models and the CMMI WB v2.2Integrating Stage Gate with Product Development Models and the CMMI WB v2.2
Integrating Stage Gate with Product Development Models and the CMMI WB v2.2Tim Kasse
 
The Patient-Reported Indicator Surveys (PaRIS): An Introduction (update)
The Patient-Reported Indicator Surveys (PaRIS): An Introduction (update)The Patient-Reported Indicator Surveys (PaRIS): An Introduction (update)
The Patient-Reported Indicator Surveys (PaRIS): An Introduction (update)OECD Directorate for Employment, Labour and Social Affairs
 
The AI Revolution - Aaron Stelle - WFG Title
The AI Revolution - Aaron Stelle - WFG TitleThe AI Revolution - Aaron Stelle - WFG Title
The AI Revolution - Aaron Stelle - WFG TitleAaron Stelle
 
Ai and Legal Industy - Executive Overview
Ai and Legal Industy - Executive OverviewAi and Legal Industy - Executive Overview
Ai and Legal Industy - Executive OverviewGraeme Wood
 
Big Data & Business Analytics: Understanding the Marketspace
Big Data & Business Analytics: Understanding the MarketspaceBig Data & Business Analytics: Understanding the Marketspace
Big Data & Business Analytics: Understanding the MarketspaceBala Iyer
 
Where to Find Sources for Primary and Secondary Research?
Where to Find Sources for Primary and Secondary Research?Where to Find Sources for Primary and Secondary Research?
Where to Find Sources for Primary and Secondary Research?Secondary Research
 
Thinking Critically about the Research Process
Thinking Critically about the Research ProcessThinking Critically about the Research Process
Thinking Critically about the Research Processjoancrittenden
 
ChatGPT prompt.docx
ChatGPT prompt.docxChatGPT prompt.docx
ChatGPT prompt.docxchayhofmes
 
Scoping Review Infographic
Scoping Review InfographicScoping Review Infographic
Scoping Review InfographicLaura Huey
 
Generative AI and law.pptx
Generative AI and law.pptxGenerative AI and law.pptx
Generative AI and law.pptxChris Marsden
 
Analyzing Arguments during a Debate using Natural Language Processing in Python
Analyzing Arguments during a Debate using Natural Language Processing in PythonAnalyzing Arguments during a Debate using Natural Language Processing in Python
Analyzing Arguments during a Debate using Natural Language Processing in PythonAbhinav Gupta
 
Pareja sombra-espejo
Pareja sombra-espejoPareja sombra-espejo
Pareja sombra-espejoBlancaMaria
 
AI Medical Education
AI Medical Education AI Medical Education
AI Medical Education Hasnain Zafar
 
Introduction to AI Ethics
Introduction to AI EthicsIntroduction to AI Ethics
Introduction to AI EthicsGabriele Graffieti
 
ChatGPT for Data Science Projects
ChatGPT for Data Science ProjectsChatGPT for Data Science Projects
ChatGPT for Data Science ProjectsAjitesh Kumar
 
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...Yole Developpement
 
Learn Prompting with ChatGPT
Learn Prompting with ChatGPTLearn Prompting with ChatGPT
Learn Prompting with ChatGPTNikhil Gadkar
 
Appellant's Reply Brief in Georgia Court of Appeals
Appellant's Reply Brief in Georgia Court of AppealsAppellant's Reply Brief in Georgia Court of Appeals
Appellant's Reply Brief in Georgia Court of AppealsJanet McDonald
 
Theranos Biz Model
Theranos Biz ModelTheranos Biz Model
Theranos Biz ModelJeffrey Funk Business Models
 
How to do a Literature search for your research and scientific publication
How to do a Literature search for your research and scientific publication How to do a Literature search for your research and scientific publication
How to do a Literature search for your research and scientific publication BhaskarBorgohain4
 
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...SOLTUIONSpeople, THINKubators, THINKathons
 
Artificial Intelligence and Machine Learning in Research
Artificial Intelligence and Machine Learning in ResearchArtificial Intelligence and Machine Learning in Research
Artificial Intelligence and Machine Learning in ResearchAmazon Web Services
 
AI in research: ChatGPT and more
AI in research: ChatGPT and moreAI in research: ChatGPT and more
AI in research: ChatGPT and moreSonja Aits
 
Unleashing the Power of GPT & LLM: A Holland & Barrett Exploration
Unleashing the Power of GPT & LLM: A Holland & Barrett ExplorationUnleashing the Power of GPT & LLM: A Holland & Barrett Exploration
Unleashing the Power of GPT & LLM: A Holland & Barrett ExplorationDobo Radichkov
 
Let's Build a Chatbot!
Let's Build a Chatbot!Let's Build a Chatbot!
Let's Build a Chatbot!Christopher Mohritz
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
Red vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsRed vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsEC-Council
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleanerJohn Stauffacher
 

Mais conteúdo relacionado

Mais procurados

Thinking Critically about the Research Process
Thinking Critically about the Research ProcessThinking Critically about the Research Process
Thinking Critically about the Research Processjoancrittenden
 
ChatGPT prompt.docx
ChatGPT prompt.docxChatGPT prompt.docx
ChatGPT prompt.docxchayhofmes
 
Scoping Review Infographic
Scoping Review InfographicScoping Review Infographic
Scoping Review InfographicLaura Huey
 
Generative AI and law.pptx
Generative AI and law.pptxGenerative AI and law.pptx
Generative AI and law.pptxChris Marsden
 
Analyzing Arguments during a Debate using Natural Language Processing in Python
Analyzing Arguments during a Debate using Natural Language Processing in PythonAnalyzing Arguments during a Debate using Natural Language Processing in Python
Analyzing Arguments during a Debate using Natural Language Processing in PythonAbhinav Gupta
 
Pareja sombra-espejo
Pareja sombra-espejoPareja sombra-espejo
Pareja sombra-espejoBlancaMaria
 
AI Medical Education
AI Medical Education AI Medical Education
AI Medical Education Hasnain Zafar
 
ChatGPT for Data Science Projects
ChatGPT for Data Science ProjectsChatGPT for Data Science Projects
ChatGPT for Data Science ProjectsAjitesh Kumar
 
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...Yole Developpement
 
Learn Prompting with ChatGPT
Learn Prompting with ChatGPTLearn Prompting with ChatGPT
Learn Prompting with ChatGPTNikhil Gadkar
 
Appellant's Reply Brief in Georgia Court of Appeals
Appellant's Reply Brief in Georgia Court of AppealsAppellant's Reply Brief in Georgia Court of Appeals
Appellant's Reply Brief in Georgia Court of AppealsJanet McDonald
 
How to do a Literature search for your research and scientific publication
How to do a Literature search for your research and scientific publication How to do a Literature search for your research and scientific publication
How to do a Literature search for your research and scientific publication BhaskarBorgohain4
 
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...SOLTUIONSpeople, THINKubators, THINKathons
 
Artificial Intelligence and Machine Learning in Research
Artificial Intelligence and Machine Learning in ResearchArtificial Intelligence and Machine Learning in Research
Artificial Intelligence and Machine Learning in ResearchAmazon Web Services
 
AI in research: ChatGPT and more
AI in research: ChatGPT and moreAI in research: ChatGPT and more
AI in research: ChatGPT and moreSonja Aits
 
Unleashing the Power of GPT & LLM: A Holland & Barrett Exploration
Unleashing the Power of GPT & LLM: A Holland & Barrett ExplorationUnleashing the Power of GPT & LLM: A Holland & Barrett Exploration
Unleashing the Power of GPT & LLM: A Holland & Barrett ExplorationDobo Radichkov
 

Mais procurados (19)

Thinking Critically about the Research Process
Thinking Critically about the Research ProcessThinking Critically about the Research Process
Thinking Critically about the Research Process
 
ChatGPT prompt.docx
ChatGPT prompt.docxChatGPT prompt.docx
ChatGPT prompt.docx
 
Scoping Review Infographic
Scoping Review InfographicScoping Review Infographic
Scoping Review Infographic
 
Generative AI and law.pptx
Generative AI and law.pptxGenerative AI and law.pptx
Generative AI and law.pptx
 
Analyzing Arguments during a Debate using Natural Language Processing in Python
Analyzing Arguments during a Debate using Natural Language Processing in PythonAnalyzing Arguments during a Debate using Natural Language Processing in Python
Analyzing Arguments during a Debate using Natural Language Processing in Python
 
Pareja sombra-espejo
Pareja sombra-espejoPareja sombra-espejo
Pareja sombra-espejo
 
AI Medical Education
AI Medical Education AI Medical Education
AI Medical Education
 
Introduction to AI Ethics
Introduction to AI EthicsIntroduction to AI Ethics
Introduction to AI Ethics
 
ChatGPT for Data Science Projects
ChatGPT for Data Science ProjectsChatGPT for Data Science Projects
ChatGPT for Data Science Projects
 
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...
Neurotechnologies and brain computer interface 2018 Report by Yole Developpem...
 
Learn Prompting with ChatGPT
Learn Prompting with ChatGPTLearn Prompting with ChatGPT
Learn Prompting with ChatGPT
 
Appellant's Reply Brief in Georgia Court of Appeals
Appellant's Reply Brief in Georgia Court of AppealsAppellant's Reply Brief in Georgia Court of Appeals
Appellant's Reply Brief in Georgia Court of Appeals
 
Theranos Biz Model
Theranos Biz ModelTheranos Biz Model
Theranos Biz Model
 
How to do a Literature search for your research and scientific publication
How to do a Literature search for your research and scientific publication How to do a Literature search for your research and scientific publication
How to do a Literature search for your research and scientific publication
 
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...
arbar https://www.slideshare.net/Solutionman/charles-caldwell-improve-your-li...
 
Artificial Intelligence and Machine Learning in Research
Artificial Intelligence and Machine Learning in ResearchArtificial Intelligence and Machine Learning in Research
Artificial Intelligence and Machine Learning in Research
 
AI in research: ChatGPT and more
AI in research: ChatGPT and moreAI in research: ChatGPT and more
AI in research: ChatGPT and more
 
Unleashing the Power of GPT & LLM: A Holland & Barrett Exploration
Unleashing the Power of GPT & LLM: A Holland & Barrett ExplorationUnleashing the Power of GPT & LLM: A Holland & Barrett Exploration
Unleashing the Power of GPT & LLM: A Holland & Barrett Exploration
 
Let's Build a Chatbot!
Let's Build a Chatbot!Let's Build a Chatbot!
Let's Build a Chatbot!
 

Semelhante a Steve Werby's Bad Advice, Unintended Consequences, and Broken Paradigms at DerbyCon 2014

Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
Red vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsRed vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsEC-Council
 
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?Capgemini
 
The Human Delimma - KnowBe4 & Vectra
The Human Delimma - KnowBe4 & VectraThe Human Delimma - KnowBe4 & Vectra
The Human Delimma - KnowBe4 & VectraAdam Basedow
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Hackers contemplations
Hackers contemplationsHackers contemplations
Hackers contemplationsChris Roberts
 
Collaboration through Conflict - Orlando Code Camp March 2014
Collaboration through Conflict - Orlando Code Camp March 2014Collaboration through Conflict - Orlando Code Camp March 2014
Collaboration through Conflict - Orlando Code Camp March 2014Mark Kilby
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaSteve Poole
 
How to Not Destroy the World - the Ethics of Web Design
How to Not Destroy the World - the Ethics of Web DesignHow to Not Destroy the World - the Ethics of Web Design
How to Not Destroy the World - the Ethics of Web DesignMorten Rand-Hendriksen
 
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...Santhosh Tuppad
 
CWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powell
CWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powellCWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powell
CWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powellCapgemini
 
Corp Web Risks and Concerns
Corp Web Risks and ConcernsCorp Web Risks and Concerns
Corp Web Risks and ConcernsPINT Inc
 
Agile?! Are You Crazy???
Agile?! Are You Crazy???Agile?! Are You Crazy???
Agile?! Are You Crazy???lazygolfer
 
The BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConThe BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConMichael Gough
 
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearn
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearnDesigning Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearn
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearnCammy Bean
 
Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...SurfWatch Labs
 
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose TutorialArchitecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose TutorialWill Gallego
 
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24
 
How Four Cognitive Biases Deceive Analysts and Destroy Actionability
How Four Cognitive Biases Deceive Analysts and Destroy ActionabilityHow Four Cognitive Biases Deceive Analysts and Destroy Actionability
How Four Cognitive Biases Deceive Analysts and Destroy ActionabilityEric Garland
 

Semelhante a Steve Werby's Bad Advice, Unintended Consequences, and Broken Paradigms at DerbyCon 2014 (20)

Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
 
Red vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 yearsRed vs. Blue Why we’ve been getting it wrong for 25 years
Red vs. Blue Why we’ve been getting it wrong for 25 years
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleaner
 
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
 
The Human Delimma - KnowBe4 & Vectra
The Human Delimma - KnowBe4 & VectraThe Human Delimma - KnowBe4 & Vectra
The Human Delimma - KnowBe4 & Vectra
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
 
Hackers contemplations
Hackers contemplationsHackers contemplations
Hackers contemplations
 
Collaboration through Conflict - Orlando Code Camp March 2014
Collaboration through Conflict - Orlando Code Camp March 2014Collaboration through Conflict - Orlando Code Camp March 2014
Collaboration through Conflict - Orlando Code Camp March 2014
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 Sofia
 
How to Not Destroy the World - the Ethics of Web Design
How to Not Destroy the World - the Ethics of Web DesignHow to Not Destroy the World - the Ethics of Web Design
How to Not Destroy the World - the Ethics of Web Design
 
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
 
CWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powell
CWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powellCWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powell
CWIN17 telford gdpr or how to eat the elephant a bit at a time - andy powell
 
Corp Web Risks and Concerns
Corp Web Risks and ConcernsCorp Web Risks and Concerns
Corp Web Risks and Concerns
 
Agile?! Are You Crazy???
Agile?! Are You Crazy???Agile?! Are You Crazy???
Agile?! Are You Crazy???
 
The BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConThe BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecCon
 
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearn
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearnDesigning Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearn
Designing Learning Solutions for Results (Cammy Bean & Ashley Reardon) #DevLearn
 
Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...
 
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose TutorialArchitecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
 
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
Outpost24 webinar - Bridging your cyber hygiene gap to prevent enterprise hac...
 
How Four Cognitive Biases Deceive Analysts and Destroy Actionability
How Four Cognitive Biases Deceive Analysts and Destroy ActionabilityHow Four Cognitive Biases Deceive Analysts and Destroy Actionability
How Four Cognitive Biases Deceive Analysts and Destroy Actionability
 

Mais de Steve Werby

Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...
Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...
Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...Steve Werby
 
Information Security Threat Level Snapshot Template by Steve Werby 2014
Information Security Threat Level Snapshot Template by Steve Werby 2014Information Security Threat Level Snapshot Template by Steve Werby 2014
Information Security Threat Level Snapshot Template by Steve Werby 2014Steve Werby
 
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Steve Werby
 
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...Steve Werby
 
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...Steve Werby
 
Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...
Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...
Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...Steve Werby
 
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...Steve Werby
 

Mais de Steve Werby (7)

Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...
Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...
Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSe...
 
Information Security Threat Level Snapshot Template by Steve Werby 2014
Information Security Threat Level Snapshot Template by Steve Werby 2014Information Security Threat Level Snapshot Template by Steve Werby 2014
Information Security Threat Level Snapshot Template by Steve Werby 2014
 
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
 
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...
Building Dictionaries and Destroying Hashes Using Amazon EC2 [Presented by St...
 
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...
A Fistful of Fire Hoses: Putting out Fires Without Crossing Streams [Presente...
 
Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...
Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...
Crunching the Top 10000 Websites' Password Policies and Controls [Presented b...
 
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve We...
 

Último

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Steve Werby's Bad Advice, Unintended Consequences, and Broken Paradigms at DerbyCon 2014

  • 1. Steve Werby DerbyCon 2014 Bad Advice, Unintended Consequences, and Broken Paradigms: Think and Act Different 1
  • 2. Bad Advice, Unintended Consequences, and Broken Paradigms: Think and Act Different @stevewerby Steve Werby WerbyCon 2014 1
  • 3. goto fail; goto fail;  Don’t have a strategy…or a [vision|mission|target state|roadmap]  Don’t understand risk  Serve as an obstacle…because we don’t align with the business  Don’t engage our stakeholders  Scream about irrelevant vulns  Want to solve everything with shiny things  Yet don’t know how are shiny things work  And only use a fraction of their capabilities  Can’t state how effective we are  But think we’re right and they’re wrong 2
  • 4. We’re Doing it Wrong Insanity [noun] in-ˈsa-nə-tē: Doing the same thing over and over again and expecting different results 3
  • 5. We’re Doing it Wrong Infosec [noun] in-ˈsa-nə-tē: Doing the same thing over and over again and expecting different results 4
  • 6. Disclaimer “I am Jack’s raging bile duct.” 5 fbbba818c9dcdcbd9c6e2430f59871e8
  • 7. Who am I?  I am not a rock star 6
  • 8. What Information Security Is (Allegedly)  Information security is the practice of defending information against unauthorized access, use, disclosure, modification, or destruction 7
  • 9. What Information Security Is (Really)  Information security is the defense of information and IT systems in alignment with stakeholders' direction for addressing risk and opportunities 8
  • 10. What Information Security Is (Really)  Information security is the defense of information and IT systems in alignment with stakeholders' direction for addressing risk and opportunities  Breaking it Down • What information do we have? • What IT systems use it? • Who are stakeholders? • What are our risks? • What are our opportunities? 9
  • 11. We’re Doing it Wrong 0 KPMG: Cyber Security: It’s Not Just About the Technology (http://www.kpmg.com/GI/en/IssuesAndInsights/ArticlesPublications/Documents/cyber-security- not-just-about-technology.pdf)
  • 12. The Stakeholder Immaturity Model How can we align with org’s objectives? What do you think we should do? What’s our risk for scenario I read about? Should we address this? How can we prevent this in the future? How did you let this happen!? 11
  • 13. Bad Advice – Passwords  Make them complex  Memorize them  Change them regularly 12
  • 14. Bad Advice – Passwords 12  Hard to guess  Protect them  Hard to crack the hash  Make them complex  Memorize them  Change them regularly
  • 15. 12 Unintended Consequences – Passwords  Hard to guess  Protect them  Hard to crack the hash  Make them complex  Memorize them  Change them regularly  Compliant, but weak, reused, and similar  Write them down, but poorly protected  Only if forced, increment/rotate
  • 16. Think && Act Different – Passwords  Make it loooooooooooooong  Disallow common topologies1  Require a Unicode character  Audit them 13 1 KoreLogic Security Blog: Pathwell Topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)
  • 17. Think && Act Different – Passwords  Make it loooooooooooooong  Disallow common topologies1  Require a Unicode character  Audit them 13  thinkandactdifferentinfosec  ullllldd  passw⛽rd  If too easily guessed, force change 1 KoreLogic Security Blog: Pathwell Topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)
  • 18. Broken Paradigm – Policy  Legalese  Verbose  What to [not] do 14  Comprehensible  Retainable  What to [not] do and why  Great for CYA, but don’t understand it, can’t retain it  Don’t read it  Don’t know why and think we don’t get it
  • 19. Think && Act Different – Policy  Keep traditional policy if you want, but translate and/or create cheat sheet Create a password which isn’t guessable by someone who knows you or is similar to one you currently or previously used here or anywhere else. Protect it by never sharing it with ANYONE, being wary of phishing attacks, and by memorizing it or writing it down in securely. Adversaries are good at tricking people and using their knowledge of typical approaches for constructing passwords. Don’t let them gain access to your personal accounts and info or the company information you have access to. 15
  • 20. Broken Paradigm – CIA Triad 16
  • 21. Broken Paradigm – CIA Triad 16
  • 22. Werbian Quintet Level 1 • Utility • Availability Level 2 • Integrity Level 3 • Confidentiality/Possession • Authenticity 17
  • 23. Broken Paradigm – The Quartet of Doom 18 Passwords Firewalls OS Patching Antivirus
  • 24. “I am Jack’s cold sweat.” 19
  • 25. If This is You, You’re Doing it Wrong! FUD: 005 (http://fearuncertaintydoubt.wordpress.com/2009/12/21/fud-005/) 20
  • 26. If This is You, You’re Doing it Wrong! User Friendly: Please Create a Password (http://ars.userfriendly.org/cartoons/?id=20070929) 21
  • 27. Broken Paradigm – Vulnerability Management  Unlocked, 20-year old, empty beaten up car in middle of full parking lot  Unlocked house with $10MM in diamonds in the middle of the desert and only 1 person knows it’s there 22
  • 28. Broken Paradigm – Vulnerability Management  Unlocked, 20-year old, empty beaten up car in middle of full parking lot  Unlocked house with $10MM in diamonds in the middle of the desert and only 1 person knows it’s there 22  Insignificant impact  Improbable threat  Context is critical
  • 29. Risk is This…Because Algebra  R = Threat * Vulnerability * Impact  R = Likelihood * Impact • Almost certainly a range of impact/likelihood scenarios • Likelihood of threat exploiting a vulnerability resulting in impact 23
  • 30. “I am Jack’s wasted life.” 24
  • 31. Risk Assessment Model and Infosec Lexicon 25  Iteration 1: Impacts and threats – impact, threat actor, likelihood  Iteration 2: Exploitation likelihood – attack vectors, likelihood  Iteration 3: Assessment of controls – controls, residual risk, risk appetite  Iteration 4: Controls architecture – define controls, residual risk, risk appetite
  • 32. Threat Actor / Motivation Likelihood Matrix 26
  • 33. Think && Act Different – Ask Questions (Direction)  Are we meeting stakeholder expectations? 27
  • 34. Think && Act Different – Ask Questions (Direction)  Are we meeting stakeholder expectations? • Who are our stakeholders? • What are their goals and concerns? • Are we helping them achieve their goals? • Are we reporting our progress? • Do they understand what we’re telling them? • What has their feedback been? 27
  • 35. Think && Act Different – Ask Questions (Risk Scenarios)  What if someone stole the CEO’s laptop while he was using it at the park? 28
  • 36. Think && Act Different – Ask Questions (Risk Scenarios)  What if someone stole the CEO’s laptop while he was using it at the park? • Are there preventive or detective controls in place? • Does he know who to contact? • Do you know what info and systems are accessible? • Is there an incident response plan for this scenario? • How long will the incident take to contain? 28
  • 37. Think && Act Different – Ask Questions (Capabilities)  What percentage of critical vulnerabilities for systems in our environment are exploited in the wild before we’ve remediated them? Exploited in our environment? 29
  • 38. Think && Act Different – Ask Questions (Capabilities)  What percentage of critical vulnerabilities for systems in our environment are exploited in the wild before we’ve remediated them? Exploited in our environment? • How does this compare to the previous quarter? • Patch frequency? • Target (and actual) turnaround between patch release and implementation? • How might we reduce this from X% to Y%? 29
  • 39. Think && Act Different – Ask Questions (Assessment of Controls)  What if an attacker enumerated all of our AD accounts to intentionally lock them out? 30
  • 40. Think && Act Different – Ask Questions (Assessment of Controls)  What if an attacker enumerated all of our AD accounts to intentionally lock them out? • Are there preventive or detective controls in place? • Do you know what the impact would be? • Is there an incident response plan for this scenario? • How long will the incident take to contain? • What was the objective of the control and is the objective being met? 30
  • 41. Think && Act Different – Attack Trees  How can we better protect our CEO’s devices when he travels to China? • Assumption: Threat actor = competitor, motivation = espionage, skills = high • Goal: Acquire trade secrets 31
  • 42. Think && Act Different – Attack Trees  How can we better protect our CEO’s devices when he travels to China? • Assumption: Threat actor = competitor, motivation = espionage, skills = high • Goal: Acquire trade secrets 31
  • 43. Think && Act Different – How Might We?  Install RF hardware in laptop (or modify BIOS or modify a component)  Ask yourself “How might we?” 32
  • 44. Think && Act Different – How Might We?  Install RF hardware in laptop (or modify BIOS or modify a component)  Ask yourself “How might we?” 32  How might we: • Mitigate a HW modification? • Detect a HW installation? • Mitigate the risk after CEO’s return?
  • 45. Think && Act Different – How Might We?  Install RF hardware in laptop (or modify BIOS or modify a component)  Ask yourself “How might we?” 32  How might we: • Mitigate a HW modification? • Detect a HW installation? • Mitigate the risk after CEO’s return? • Tamper-proof tape • Weigh the laptop • Destroy laptop or sanitize and sell
  • 46. Think && Act Different – How Might We?  Steal in-use laptop  Ask yourself “How might we?” 33
  • 47. Think && Act Different – How Might We?  Steal in-use laptop  Ask yourself “How might we?” 33  How might we: • Prevent it or mitigate it?
  • 48. Think && Act Different – How Might We?  Steal in-use laptop  Ask yourself “How might we?” 33  How might we: • Prevent it or mitigate it? • Not use it in public • Stay-alive code • Proximity device to trigger logout
  • 49. “I am Jack’s epiphany.” 34
  • 50. Think && Act Different – Assume Failure  Before a project, initiative, or major change, assume it will fail • Do individually, more than one individual, discuss 35
  • 51. Think && Act Different – Metrics 36  Average # of days to patch a vulnerability  # of people who opened phishing security awareness communication  % of web apps with VAs performed last year
  • 52. Think && Act Different – Metrics  % of vulns patched after threshold & median days > threshold  % of users exhibiting undesired phishing response by awareness status  % of web apps with VAs having repeat OWASP Top 10 findings 36  Average # of days to patch a vulnerability  # of people who opened phishing security awareness communication  % of web apps with VAs performed last year
  • 53. Think && Act Different – Metrics  % of vulns patched after threshold & median days > threshold  % of users exhibiting undesired phishing response by awareness status  % of web apps with VAs having repeat OWASP Top 10 findings 36  Average # of days to patch a vulnerability  # of people who opened phishing security awareness communication  % of web apps with VAs performed last year  Describe outcomes, capabilities, or progress towards target state  Answer questions or allow you to formulate new questions  Are meaningful and actionable
  • 54. Think && Act Different – Understand Stakeholders 37  Identify stakeholders  Define roles  Understand goals/needs
  • 55. Think && Act Different – Understand Stakeholders 37  Identify stakeholders  You, CFO, CIO, Audit, Law, Owner, User  Define roles  Understand goals/needs
  • 56. Think && Act Different – Understand Stakeholders 37  You, CFO, CIO, Audit, Law, Owner, User  RACI model  CFO – fiscal responsibility, ROI CIO – deliver value, cut costs Audit – assurance of controls User – effectiveness, efficiency  Identify stakeholders  Define roles  Understand goals/needs
  • 57. Think && Act Different – Communicate with Stakeholders 38  Establish channels  Speak their language  Educate them  Concise, defensible  Choices
  • 58. Think && Act Different – Communicate with Stakeholders 38  Establish channels  Speak their language  Educate them  Concise, defensible  Choices  Formal group, leverage group, survey  ! [0-day|worm|insecure]  Lexicon, role, bidirectional collaboration  Strategy, roadmap, progress, risk environ  Menu, considerations, likely outcomes
  • 59. Think && Act Different – Get What You Want 39  Make it benefit them
  • 60. Think && Act Different – Get What You Want 39  Make it benefit them  Longer password by giving up expiration
  • 61. Think && Act Different – Gorge on Data 40  You’ll find: • Baselines • Patterns • Correlations • New questions to ask
  • 62. Think && Act Different – Gorge on Data 40  You’ll find: • Baselines • Patterns • Correlations • New questions to ask • ECM documents accessed daily by user • 19% of users’ passwords are ULLLLLLNS • 317% more likely to forget password if changed entering weekend, holiday, or vacation • What are USB flash drives being used for?
  • 63. Broken Paradigm – The Quartet of Doom 41 Passwords Firewalls OS Patching Antivirus
  • 64. Broken Paradigm – The Quartet of Doom 42 Passwords Firewalls OS Patching Antivirus Prevent unauthorized access Reduce exploitation Barricade vulnerable systems Detect malicious code
  • 65. The Quartet of Potential Hope and Lower Discontent OTPs Anomaly Detection 43 Passwords Firewalls OS Patching Antivirus Prevent unauthorized access Reduce exploitation Barricade vulnerable systems Detect malicious code Mitigate Java Malware Sandboxing
  • 66. Broken Paradigm – The Quartet of Doom 44 Control Success Confidence Risk Mitigation User Friction Implement Burden Govern/Admin Burden Org Friction Cost Passwords 2* 3 3 - 1 3 1 OTPs 4 4 2 3 4 4 4 Firewalls 1 2 5 - 1 1 1 Anomaly Detection 2 4 3 5 1 4 2 OS Patching 3 1 3 - 3 3 2 Mitigate Java 5 5 5 2 5 5 1 Antivirus 2 1 3 - 2 4 2 Malware Sandbox 3 3 5 2 4 5 3 ✓ ✓ * 1 is the least desirable, 5 is the most desirable
  • 67. Yes, You Can Tame Java 45  Deployment Rule Sets (then you can actually patch too!)  Block User Agent for Java at proxy  Microsoft EMET
  • 68. Yes, You Can Tame Java 45  Deployment Rule Sets (then you can actually patch too!) • Install multiple versions of Java per device • Limit which applets and applications end user can execute • Limit which version of Java is associated with each
  • 69. Yes, You Can Tame Java 45  Deployment Rule Sets (then you can actually patch too!) • Install multiple versions of Java per device • Limit which applets and applications end user can execute • Limit which version of Java is associated with each  Block User Agent for Java at proxy • Query proxy logs for visited hosts that used Java user agent • Aggregate by host, sort by frequency, analyze • Generate exclusions • Attacker can not modify the user agent before exploit attempt • Prevents web-based attacks against all operating systems
  • 70. Yes, You Can Tame Java 45  Deployment Rule Sets (then you can actually patch too!) • Install multiple versions of Java per device • Limit which applets and applications end user can execute • Limit which version of Java is associated with each  Block User Agent for Java at proxy • Query proxy logs for visited hosts that used Java user agent • Aggregate by host, sort by frequency, analyze • Generate exclusions • Attacker can not modify the user agent before exploit attempt • Prevents web-based attacks against all operating systems  Microsoft EMET
  • 71. Yes, You Can Tame Java 46 Option Risk Mitigation Implement Burden Govern/Admin Burden User Friction Deployment Rule Sets H M L L Patch Acceleration M M M M Block Java at Proxy H L L L EMET to Protect Java H L L L  Implementation order • Block Java at proxy • EMET to project Java • Deployment Rule Sets • Patch acceleration
  • 72. Think && Act Different – Start *Somewhere* 47  Where? • Easiest? Highest value? With person who raises hand? • May not be your call • Could be based on surprise opportunity  Be prepared • Incident in your environment • Incident elsewhere • Inquiry from stakeholder  Crawl, walk, run – gain experience and learn lessons
  • 73. Think && Act Different – Start *Somewhere* (Local Admin PW) 48  Scenario: Single enterprise-wide weak Local Admin password (LA PW) which hasn’t been changed in years and was poorly controlled  Document risk, share options with stakeholders  Change it to an acceptable password && implement governance  Create unique LA PW for segments of population  Create unique LA PW for each device based on root + device attribute  Create unique random LA PW for each device via PW escrow tool  Eliminate use of the LA PW
  • 74. Think && Act Different – Go Against the Grain 49  Get a Mac campaigns from 2006 to 2009  Higher the penetration of a technology or tool, the more likely it will be targeted • If you use tools with high penetration - How quickly can your use of it be discovered? - Do you have compensating controls? - How quickly can you remediate vulnerabilities?  Consider technologies, tools, and configurations that reduce exploitation likelihood
  • 75. Think && Act Different – Step Out of the Echo Chamber 50  Infosec is a field compromised of numerous disciplines  Social engineering => psychology, marketing, data analytics  Infosec • Risk mgmt • Strategy • Negotiation • Statistics • Probability • Data analytics • Psychology • Marketing • Education • Law • Privacy • Fraud prevention • Finance • Human factors engr • Operations research • Military science • Safety
  • 76. Think && Act Different – Equal Treatment Not Required 51  Some people are riskier • Based on system/data access • Role/visibility • Security hygiene • Disgruntled/disciplined/separating • Internet presence
  • 77. Think && Act Different – Equal Treatment Not Required 51  Some people are riskier • Based on system/data access • Role/visibility • Security hygiene • Disgruntled/disciplined/separating • Internet presence  It’s OK to treat them differently • Different training • Different detective and preventive controls • If a systems’ users are higher risk, so is the system (inherited risk)
  • 78. If This is You, You’re Doing it Wrong! Dilbert: Mordac, the Preventer of Information Services (http://dilbert.com/strips/comic/2007-11-16/) 52
  • 79. The Challenge 53 Think and act different.
  • 80. The Challenge 53 Think and act different. Share your experiences.
  • 81. The Challenge 53 Think and act different. Share your experiences. Do infosec better.
  • 82. The Challenge 53 Think and act different. Share your experiences. Do infosec better. Get better infosec outcomes.
  • 83. Bad Advice, Unintended Consequences, and Broken Paradigms: Think and Act Different @stevewerby Steve Werby Questions? Ideas? Thoughts? WerbyCon 2014 54