sensible defence
TRANSCRIPT
Conostix S.A. [email protected]
• CIA and prevention/detection/response
• Risk management and its pitfalls
• Economic incentives
• Liability/regulation/compliance
• Due care and due diligence
• Technology
• Awareness
• Conclusion
Introduction
• To ensure the CIA triad we use:
• Detection
• Prevention
• Response
How security works
• Identification: identify the actual threat
• Impact factor: the possible consequences of an attack
• Frequency: the probable frequency with which the threat occurs
• Probability: how confident we are that the threat will happen
Today's risk management: Identification of a threat
• Identification of the current risks
• The cost/benefit justification of the countermeasures
• Informs the decision-making process (hardware purchases, etc.)
• Focus on security resources where they are needed most
Today's risk management: Risk analysis goals
• Threat
• Asset
• Vulnerability
• Safeguard
• Asset value (AV)
• Exposure factor (EF), expressed as a percentage of the asset value
• Single loss expectancy (SLE), a dollar figure: SLE = EF × AV
• Annualized rate of occurrence (ARO)
• Annualized loss expectancy: ALE = SLE × ARO
Today's risk management: Risk analysis – key terms
• Aims to assign tangible (monetary) values
• Still relies on qualitative data for its estimates
• Process:
• Estimate potential losses to the assets
• Analyze potential threats to the assets
• Define impact and frequency levels
• Define the ALE
Today's risk management: Risk analysis – Quantitative
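The key-terms and quantitative-analysis slides above give the formulas (SLE = EF × AV, ALE = SLE × ARO) and the risk-analysis goal of justifying countermeasures on cost/benefit grounds, but never carry the numbers through. The following is an added example, not part of the original slides: it computes SLE and ALE for a few threats, values each candidate safeguard as (ALE before) − (ALE after) − (annual cost of the safeguard), and ranks them so budget goes where it reduces expected loss the most. All asset values, exposure factors, ARO figures and safeguard names are constructed for illustration; the `Threat` and `Safeguard` classes and the residual-EF/ARO modelling are this example's own assumptions.

```python
# Added example (not from the original slides): the quantitative risk
# analysis formulas carried through on constructed data, then used for the
# cost/benefit justification of safeguards.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, with the slides' quantitative inputs."""
    name: str
    asset: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (times per year)

    def __post_init__(self):
        # EF is a percentage of AV; an EF outside 0..1 is an input error,
        # not a bigger loss, so reject it rather than silently scaling.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be within 0..1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = EF x AV."""
        return self.exposure_factor * self.asset_value

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure, described by its annual cost and by the EF and ARO
    it leaves behind for the threat it addresses (hypothetical model)."""
    name: str
    threat: Threat
    annual_cost: float
    residual_ef: float
    residual_aro: float

    def residual_ale(self) -> float:
        """ALE of the same threat once the safeguard is in place."""
        return replace(self.threat, exposure_factor=self.residual_ef,
                       aro=self.residual_aro).ale()

    def annual_value(self) -> float:
        """Cost/benefit value: (ALE before) - (ALE after) - annual cost.
        Positive means the safeguard pays for itself on these numbers."""
        return self.threat.ale() - self.residual_ale() - self.annual_cost


def rank_safeguards(safeguards):
    """Order candidate safeguards by annual value, best first, so security
    resources are focused where they are needed most."""
    return sorted(safeguards, key=lambda s: s.annual_value(), reverse=True)


def justified(safeguards):
    """Names of the safeguards whose annual value is positive."""
    return [s.name for s in safeguards if s.annual_value() > 0]


# Constructed sample figures (hypothetical, for illustration only).
WEB_OUTAGE = Threat("web outage", "public web server", 200_000, 0.25, 0.5)
LAPTOP_THEFT = Threat("laptop theft", "field laptops", 40_000, 1.0, 2.0)
DC_FIRE = Threat("data centre fire", "data centre", 1_000_000, 0.6, 0.02)

SAFEGUARDS = [
    Safeguard("DDoS mitigation", WEB_OUTAGE, 10_000, 0.25, 0.1),
    Safeguard("full-disk encryption", LAPTOP_THEFT, 3_000, 0.1, 2.0),
    Safeguard("fire suppression upgrade", DC_FIRE, 15_000, 0.2, 0.02),
]

if __name__ == "__main__":
    for t in (WEB_OUTAGE, LAPTOP_THEFT, DC_FIRE):
        print(f"{t.name:26s} SLE={t.sle():>10,.0f}  ALE={t.ale():>10,.0f}")
    for s in rank_safeguards(SAFEGUARDS):
        print(f"{s.name:26s} annual value={s.annual_value():>10,.0f}")
    print("justified:", justified(SAFEGUARDS))
```

On these figures the fire-suppression upgrade comes out with a negative annual value (its cost exceeds the ALE it removes), which is exactly the kind of result the cost/benefit step is meant to surface; whether the ARO of 0.02 is a defensible estimate or a guess is the pitfall the later slides discuss.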
• Scenario-oriented approach
• Ranks threats on a scale to evaluate their risks, costs and outcomes
• Unlike a purely quantitative analysis, a purely qualitative analysis is always possible
• Relies heavily on guesswork: the ratings are subjective
Today's risk management: Risk analysis – Qualitative
• Confusion between risk and certainty
• A risk is the anticipated frequency of losses
• Events that occur with high frequency are certainties, not risks
• Reliance on probability, impact and frequency
• The unknown controls the probability, frequency and impact of a future incident
Today's risk management: Pitfalls
• Benefits vs costs
• Economic pressure
Sensible defence: Economic incentives
• Laws push standards
• Liability creates awareness
• Regulatory bodies motivate
Sensible defence: Liability, regulation, compliance
• Due care is using reasonable care to protect the interests of an organization
• Due diligence is practicing the activities that maintain the due care efforts
• A common-sense security framework
Sensible defence: Due care and due diligence
• Functionality vs security
• User-friendly does not mean insecure
• Ease of use + common sense = security
• Privacy vs security
• Sacrifice privacy for security?
• Should security protect privacy, or ignore it to enhance security?
Sensible defence: Technology
• Human intelligence matters most
• Reduce risk without technology
• Limit the damage in case of an incident
• Give users insight into the value of company assets and the use of information systems
Sensible defence: Awareness
• Sensible defence is balanced security
• Balance cost vs economic gain
• Balance liberty vs privacy
• Balance functionality vs security
• Liability, legislation and regulation
Sensible defence: security is a trade-off
Q & A
Thanks to:
My colleagues
Donn Parker
Bruce Schneier
Rebecca Herold
Sensible defence: Questions?