Sensible defence

Posted on 14-Jul-2015

Category: Technology

TRANSCRIPT

  • Sensible defence

    Conostix S.A. koen@conostix.com

  • Introduction

    CIA and prevention/detection/response

    Risk management and its pitfalls

    Economic incentives

    Liability/regulation/compliance

    Due care and due diligence

    Technology

    Awareness

    Conclusion


  • How security works

    To ensure the CIA triad we use:

    Prevention

    Detection

    Response


  • Today's risk management: Identification of a threat

    Identification: identify the actual threat

    Impact factor: the possible consequences of an attack

    Frequency: the probable frequency of occurrence of a threat

    Probability: the extent to which we are confident a threat will happen


  • Today's risk management: Risk analysis goals

    Identification of the current risks

    The cost/benefit justification of the countermeasures

    Influences the decision making process on hardware, etc.

    Focus security resources where they are needed most


  • Today's risk management: Risk analysis key terms

    Threat

    Asset

    Vulnerability

    Safeguard

    Asset value (AV)

    Exposure factor (EF), value in percentage

    Single loss expectancy (SLE), dollar figure (SLE = EF x AV)

    Annualized rate of occurrence (ARO)

    Annualized loss expectancy (ALE = SLE x ARO)


  • Today's risk management: Risk analysis, quantitative

    Aims to assign tangible values

    Relies on qualitative data

    Process:

    Estimate potential losses to the assets

    Analyze potential threats to the assets

    Define impact and frequency levels

    Define the ALE

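    The key terms (AV, EF, SLE, ARO, ALE) and the quantitative process above, carried through on constructed figures, as an added example that is not part of the original slides. It also covers the "cost/benefit justification of the countermeasures" from the goals slide: the safeguard value formula (ALE before minus ALE after, minus the safeguard's annual cost) is the usual way to do that justification, but the deck states the goal and not the formula, so its use here is an assumption, as are the asset, threat and safeguard figures.

```python
"""Quantitative risk analysis with the deck's key terms (AV, EF, SLE, ARO, ALE).

Added example, not part of the original slides. All sample figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float  # AV: value of the asset to the organization, in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 .. 1.0)
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure: its annual cost and the residual EF/ARO once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = EF x AV: the loss from a single occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"exposure factor must be a fraction between 0 and 1, got {ef}")
    if av < 0:
        raise ValueError("asset value cannot be negative")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def ale_for(asset: Asset, threat: Threat) -> float:
    """ALE of one threat against one asset with no safeguard in place."""
    sle = single_loss_expectancy(asset.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def safeguard_value(asset: Asset, threat: Threat, safeguard: Safeguard) -> float:
    """Annual value of a safeguard: (ALE before - ALE after) - annual cost.

    Assumption: this is the standard cost/benefit formula; the deck names the goal only.
    A negative result means the safeguard costs more per year than it is expected to save.
    """
    before = ale_for(asset, threat)
    residual_sle = single_loss_expectancy(asset.asset_value, safeguard.residual_ef)
    after = annualized_loss_expectancy(residual_sle, safeguard.residual_aro)
    return before - after - safeguard.annual_cost


def rank_safeguards(asset: Asset, threat: Threat, safeguards) -> list[tuple[str, float]]:
    """Candidate safeguards ordered by annual value, best first."""
    scored = [(s.name, safeguard_value(asset, threat, s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a customer database facing a ransomware threat.
CUSTOMER_DB = Asset("customer database", asset_value=500_000.0)
RANSOMWARE = Threat("ransomware", exposure_factor=0.4, aro=0.25)
CANDIDATES = [
    Safeguard("offline backups", annual_cost=12_000.0, residual_ef=0.1, residual_aro=0.25),
    Safeguard("endpoint detection and response", annual_cost=30_000.0, residual_ef=0.4, residual_aro=0.05),
    Safeguard("platform re-architecture", annual_cost=60_000.0, residual_ef=0.05, residual_aro=0.05),
]

if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(CUSTOMER_DB.asset_value, RANSOMWARE.exposure_factor):,.0f}")
    print(f"ALE = {ale_for(CUSTOMER_DB, RANSOMWARE):,.0f}")
    for name, value in rank_safeguards(CUSTOMER_DB, RANSOMWARE, CANDIDATES):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:32s} {value:>10,.0f}  {verdict}")
```

    With these figures the database has SLE 200,000 and ALE 50,000 per year; offline backups (value 25,500) and EDR (10,000) pay for themselves, while the re-architecture reduces the residual loss the most but costs more per year than it saves (value -11,250). The ranking is only as good as the EF and ARO estimates, which is the point the pitfalls slide makes.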

  • Today's risk management: Risk analysis, qualitative

    Scenario oriented approach

    Rank threats on a scale to evaluate their risks, costs and outcome

    In contrast to quantitative analysis, a purely qualitative analysis is always possible

    High guess rating


  • Today's risk management: Pitfalls

    Misunderstanding between risk and certainty: a risk is the anticipated frequency of losses; certainties are occurring with high frequency

    Reliance on probability, impact and frequency: the unknown controls the probability, frequency and impact of a future incident


  • Sensible defence: Economic incentives

    Benefits vs costs

    Economic pressure


  • Sensible defence: Liability, regulation, compliance

    Laws push standards

    Liability creates awareness

    Regulatory bodies motivate


  • Sensible defence: Due care and due diligence

    Due care is using reasonable care to protect the interests of an organization

    Due diligence is practicing the activities that maintain the due care efforts

    Common sense security framework


  • Sensible defence: Technology

    Functionality vs security: user friendly does not mean insecure; Ease-of-Use + Common Sense = Security

    Privacy vs security: sacrifice privacy for security? Should security protect privacy, or ignore it to enhance security?


  • Sensible defence: Awareness

    Human intelligence is most important

    Reduce risk without technology

    Limit damage in case of an incident

    Give users insight into the value of company assets and the usage of information systems


  • Sensible defence: Security is a trade-off

    Sensible defence is balanced security

    Balance cost vs economic gain

    Balance liberty vs privacy

    Balance functionality vs security

    Liability, legislation and regulation


  • Sensible defence: Questions?

    Q & A

    Thanks to: my colleagues, Donn Parker, Bruce Schneier, Rebecca Herold
