
Friday, 11 October 2013

Wanted Dead or Alive: The Human Factor

TECHNOLOGY originally published on DaftBlogger.com

By Antonio Ieranò on September 29, 2013 at 7:45 PM

OK, I confess I am quite bored of listening to all those knowledgeable IT security experts talking about what is needed to secure a system. Everyone has their own point of view; of course they are right when they say we need endpoint security, mobile protection, anti-malware, anti-hacking, DLP, advanced threat defense and protection. We all know we need firewalls, IPS/IDS, encryption systems, SSO, 802.1X, strong authentication, anti-virus, anti-everything, application- and context-aware systems, but what is the point? It seems to me that, beneath all the technicalities, we are losing sight of a focal point: security, even within the IT sector, is a matter of human behavior.

I do not dispute that a patched system is harder to hack than an unpatched one, but the point is: where was the careful planning beforehand? We can, of course, deploy DLP, SIM, advanced threat defense systems, firewalls and so on, but how can they save us if we do not understand what we need to protect? And, even worse, how can we even think of implementing any security measure if we do not know what to protect?

From where should we start?

Probably we should start from the basics, considering what we need to protect from the very beginning. And at the beginning there is a human being who wants to interact with another human being through a process.

Of course we have filled our systems with great security garbage all around the process box, and we have also put in place all those great barriers that make it harder for the user to use the process's own instruments.

And as we kept adding and adding, we realized we needed a SIEM to monitor all this crap, and control systems, and dashboards, and smart whatever, and….

I said it all but…

Wait a moment, are we missing something here? Here are some considerations:

  1. Who is the guy/girl that wants to “communicate” with the other guy/girl, to do something that both consider “valuable” for some unknown reason?
  2. How do they want to “communicate”?
  3. What do they want to “communicate”?
  4. Why do they want to “communicate”?
  5. Why do they need to “communicate” in that specific way?

Isn’t it funny that those considerations are still the key points for any successful security project? The three main subjects of ANY security implementation should be: the human sender, the human receiver and the process involved. Therefore there is no such thing as a successful security implementation without going deeper into those three aspects. Of course, this requires careful interaction between the so-called security expert and all the players involved in the security process, because the human and technical aspects are strictly connected.

There can be no security if security is not perceived as a value by the stakeholders of the process; you can put in place all the rules you want, but they will eventually fail. The worst scenario is that people stop using the process and build a parallel one that is more suitable for their needs. This is the main cause behind security project and implementation failures; it is not a matter of technology but of not carefully evaluating the human factor.
Things like planning and training are not naïve requirements of an implementation but the most valuable assets of the project.

Theory?

Funny enough, all the statistics and literature we find on the internet state that the biggest threat of all is always the user, no matter whether skilled or not. The bad guys already know it, and social engineering is not a recent invention as far as hacking is concerned. It can be done on purpose, or by mistake, or simply by looking for a way around a crazily restrictive policy. Eventually, though, a user will breach your security.

Alas, doors are slammed in our faces when we try to explain that security is only in part a question of how I encrypt a disk or how I harden a server. At the end of the day, what should a CSO worry about? Basically, that rules and processes are built to be secure, among other means, through the use of technology, but not because of the technology implemented.

All we do is related to our interactions with other human beings; the rest are “tools” to implement a process. As human behavior and technology change, the tools change, we discover more needs, we create new processes, and so security needs to adapt, and IT people should drive the change from the process point of view. Otherwise we will continue to have security breaches, PRISM and Snowden cases, Anonymous groups, and we will again be forced to live through unpleasant surprises due to humans bypassing all those so carefully implemented security systems.

Go on, buy your firewall

 

Friday, 10 May 2013

(ISC)2 Italy Chapter Site » Mobile Security Series – Beyond BYOD – Slides

Mobile Security Series – Beyond BYOD – Slides

The slides from the first (ISC)2 Italy Chapter in-depth session on Mobile (Beyond BYOD) are available to members at this link(*): Webinar – (ISC)2 Italy – Mobile Series 1 – Beyond BYOD
We thank everyone who attended the seminar, and even more those who took the time to complete the survey on the initiative. Stay tuned: in the coming weeks we will let you know the dates of the second and then the third seminar of the series.
(*) To access the slides you must be a member of (ISC)2 Italy Chapter; the login credentials were sent at the time of joining. For technical problems, you can send an email to webmaster@isc2chapter-italy.it

Wednesday, 6 March 2013

Security Summit :: The 2013 edition opens on 12 March: the program is ready, the contents defined

Steve Purser, Head of the Technical Department, ENISA (Photo credit: Security & Defence Agenda)

The 2013 edition opens on 12 March: the program is ready, the contents defined
The program for the first stop of Security Summit 2013, which opens on the morning of 12 March in Milan, is practically finalized.
It opens with an exceptional guest, Steve Purser, Head of Technical Department, ENISA – European Network and Information Security Agency, who will outline the landscape of European projects on ICT security, a topic of great relevance because it naturally goes on to affect the policies of individual countries.

Monday, 26 March 2012

Clusit report on information security in Italy

The Clusit report on information security in Italy is out, an authoritative window into the state of cybersecurity in our country.

The documentation can be downloaded directly and free of charge from the Clusit website 🙂 or directly from the Security Summit link.