How to Measure the Security of your Network Defenses
The Premise(s)
• Current Security Models are 45 Years Old. (Anderson, 1972)
• Next Gen Ain’t Working and the next next-Gen won’t either.
• Digital is not binary.
• The key to network survival is the ability to adapt to change.
• We are stuck. In. Stasis.
• Infinity is why traditional network security has failed.
• Infinity is Our Single Biggest Enemy
My Mom -1943.
NBC Mastering Engineer
DAD
RADAR DEV. WW2
My First DefCon
Winn As TV Repairman: $.50 per Repair
My Electronics Store
1961
The Family Business: My First Studio (16 yrs. Old)
My First Lathe: Analogue/Mechanical
1969-1970: Complex Systems
Manual Sync for TV/Movies
7 January 1983: went into security
No Degree. No Certs. No Creds.
The Early Days:
Weaponization of the Internet
1990 1993
June 27, 1991
Our computer systems are so poorly protected, they are “An electronic Pearl Harbor waiting to happen.”
Admiral Tyrrell, UK MoD: “The Civilian Architect of Information Warfare.”
Need To Fix The Internet
I Wanted to Prove Security Impossible.
Of Course It Is.
Hold On.
Wait.
(crass commercial Plug coming later…)
Security can be measured.
We’ve just been thinking the problem wrong.
• Digital is not binary. Binary conditions rarely exist. There is fuzz everywhere.
• Security is never 100%. No, never.
• Firewalls, Passwords et al. are the Maginot Lines of network security.
• Infinity is the Enemy. Feedback is a Must!
• Think recursive. Get loopy.
• “At the same time” (simultaneity) only means something at the quantum level. It’s otherwise meaningless. You really mean “in sync” or “soon”.
• One can never be 100% positive about trust; it is an analogue function. Therefore, neither 100% nor 0% trust is achievable or meaningful.
A Philosophical Approach to Cyber-Security
• Kill Absolutism: Min-Max Only. No ‘0’s and no ‘1’s. That’s called ‘Analogue’.
• Security is Dynamic. Not Static. Trust is Fuzzy.
• Employ Detection in Depth.
• Integrate Analogue Functions to Measure Security
• Insert Feedback. (Pos/Neg/OODA)
• OOB Comm is Required.
• Introduce Negative Time.
Time is the common metric between security, privacy and risk.
Above All: Do Not Change Current Internet (TCP/IP) Protocols or Network Architecture.
START HERE: Time Based Security (1998)
• Protection (Fortress Mentality Does Not Work)
• P(t) > D(t) + R(t), & P(t) = indeterminate
• D(t) + R(t) = E(t)
• The goal is: [D(t) + R(t)] >> 0
• If P(t) < D(t) + R(t), then E(t) = [(D(t) + R(t)) - P(t)]
• BW / IDBI = 1/E(t)
• Data Loss Risk
The Premises of Feedback in Networks
• Static Security is a Fail. Dynamism is Required.
• Without Feedback, Network Chaos is Ensured.
• Apply Min-Max instead of 1s and 0s.
• Think recursive. Get loopy. Squeeze the Loop.
• “At the same time” (simultaneity) only means something at the quantum level. It’s otherwise meaningless. You really mean “in sync”.
SCADA/ICS are Measurable!
Programmable Logic Controller
• Binary Controls: On-Off = 1:0 = Yes/No
• Analogue Controls: > 0 & < 1
SCADA-like Negative Feedback In Our Personal Lives
• Thermostats: Auto-adjust cooling and heating systems to dynamically adapt as dictated by the chosen temperature.
• Toilet ballcocks: the float rises with the water level and closes a valve that turns off the water.
• Motion detection for room lighting, which also happens to be time-based.
• Home automation systems.
• Driverless cars.
Synaptic Weighting in Neural Networks
The Brain is Analogue, and Processes Neurally.
Why are we letting the tech (them!) tell us humans to think like them?
Constant weighting, feedback/feedforward, and updates.
• We are only moving data… not dynamic control information.
• SCADA/ICS does both.
Where is Network Security Feedback?
• This is the basis of Analogue Network Security.
Network Security Is A Bear
OODA Loop Feedback
• Apply to Kinetic Conflict
• Apply to Marketing
• Apply to Business Processes
• It’s a Decision Cycle!
Developed by USAF Col. John B for Aerial Dog-Fighting
OODA With More Feedback
OODA in Security Awareness: Positive
Feedback
Banking Verification with OOB Feedback
My Wife’s Car Does This – Out of Band
• Natural Human Feedback
• OOB (Head Turn)
• Adapted to Collision Avoidance
I Have Trust Issues
• Trust is NOT Binary!
• It changes over time!
• Dynamic Trust Degradation
• Periodic Trust Re-Evaluation
The Analogue Two (Or More!) Man (Person) Rule
• Alice makes a choice
• Bob must approve (Feedback)
• Time is the Metric
2 People or Processes MUST agree.
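The two trust slides above (trust degrades over time and is periodically re-evaluated; Alice's choice needs Bob's approval, with time as the metric) combined into one small model. This is an added example, not code from the deck: the half-life decay curve, the EPS clamp that keeps trust strictly inside (0, 1), the approval window and the threshold values are all this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

EPS = 1e-3  # "no 0s and no 1s": trust lives strictly inside (0, 1)


def clamp_trust(value: float) -> float:
    """Min-max only: never let trust collapse to an absolute 0 or 1."""
    return min(1.0 - EPS, max(EPS, value))


def decayed_trust(trust_at_check: float, elapsed_s: float, half_life_s: float) -> float:
    """Dynamic trust degradation: trust falls with time since the last re-evaluation.

    Exponential half-life decay is this example's choice of curve; the slides only
    say trust changes over time and degrades. Any monotone decreasing function of
    elapsed time fits the model equally well.
    """
    if elapsed_s < 0:
        raise ValueError("clock skew: elapsed time cannot be negative")
    return clamp_trust(trust_at_check * 0.5 ** (elapsed_s / half_life_s))


@dataclass(frozen=True)
class Principal:
    name: str
    trust_at_check: float   # score assigned at the last periodic re-evaluation
    last_check_s: float     # time of that re-evaluation (seconds on a shared clock)

    def trust(self, now_s: float, half_life_s: float) -> float:
        return decayed_trust(self.trust_at_check, now_s - self.last_check_s, half_life_s)


def two_person_decision(alice: Principal, bob: Principal, choice_s: float,
                        approval_s: Optional[float], window_s: float,
                        threshold: float, half_life_s: float) -> Tuple[bool, str]:
    """Alice proposes at choice_s; Bob's approval at approval_s is the feedback.

    The grant is valid only if the approval arrives inside window_s (time is the
    metric) and both parties' decayed trust, at the moment each acts, is above
    threshold. Anything else forces a re-evaluation instead of a grant.
    """
    a_trust = alice.trust(choice_s, half_life_s)
    if a_trust < threshold:
        return False, f"alice trust {a_trust:.3f} below threshold; re-evaluate"
    if approval_s is None:
        return False, "no approval feedback received"
    if approval_s < choice_s:
        # "At the same time" is meaningless; the choice must precede the approval.
        return False, "approval predates the choice; reject"
    if approval_s - choice_s > window_s:
        return False, f"approval late by {approval_s - choice_s - window_s:.0f}s; choice expired"
    b_trust = bob.trust(approval_s, half_life_s)
    if b_trust < threshold:
        return False, f"bob trust {b_trust:.3f} below threshold; re-evaluate"
    return True, f"approved (alice {a_trust:.3f}, bob {b_trust:.3f})"


# Constructed principals (assumed values): Alice was last re-evaluated at t=0 with
# trust 0.9, Bob at t=3000 s with trust 0.95. Trust halves every hour.
ALICE = Principal("alice", 0.9, 0.0)
BOB = Principal("bob", 0.95, 3000.0)
HALF_LIFE_S = 3600.0
WINDOW_S = 300.0     # Bob has five minutes to approve
THRESHOLD = 0.4

if __name__ == "__main__":
    for choice, approval in ((3600.0, 3700.0), (3600.0, 4000.0), (7200.0, 7300.0), (3600.0, None)):
        print(choice, approval, two_person_decision(ALICE, BOB, choice, approval,
                                                    WINDOW_S, THRESHOLD, HALF_LIFE_S))
```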
Replace Defense in Depth (Epic Fail) with Detection in Depth
“Sensors on GE (et al) jet engines can produce 10 terabytes of operational information for every 30 minutes they turn. A four engine jumbo jet can create 640 terabytes of data on just one Atlantic crossing. Now, multiply that by the more than 25,000 flights flown each day…”
COMMON DETECTION SENSOR TECHNIQUES:
Optical spectrum. Electromagnetic: DC to 300+ petahertz (gamma rays, 3 × 10^21 Hz). Sonic: from almost 0 Hz to ~250 kHz at sea level air. Pressure. Viscosity. Phase relationships (time). Vibration (intensity/time). Velocity (time). Acceleration (time^2). Tuned to specific chemical signatures. Echoing & Doppler. Temperature (time & time^2). Proximity. Weight/Mass. Flow (time).
Testing Vendor Claims with Feedback
Using Feedback to Measure Security D&R Efficacy
• Detection
• Reaction
• “Squeeze The Loop”
• Add Trust Factor
For defensive security to be effective: P(t) > D(t) + R(t), and E(t) → 0 (limit formula)
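The Time Based Security arithmetic from the START HERE slide and its restatement here, as an added example (not code from the deck or from the TBS book). It derives D(t) and R(t) from constructed incident timestamps, applies the slide's E(t) = (D(t) + R(t)) - P(t) rule, and shows what "squeeze the loop" does to E(t). Assumptions of this example: P(t) = None models the slide's "indeterminate" protection time and is treated as 0; "Data Loss Risk" is read as E(t) multiplied by link bandwidth; all timestamps and the 600 s protection time are made up.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Incident:
    name: str
    attack_start: datetime   # first hostile action against the control
    detected_at: datetime    # when a sensor or analyst raised the alert
    contained_at: datetime   # when the reaction closed the exposure

    def d_t(self) -> float:
        """D(t): seconds from attack start to detection."""
        return (self.detected_at - self.attack_start).total_seconds()

    def r_t(self) -> float:
        """R(t): seconds from detection to containment."""
        return (self.contained_at - self.detected_at).total_seconds()


def exposure(p_t: Optional[float], d_t: float, r_t: float) -> float:
    """E(t) as the slide states it: if P(t) < D(t) + R(t), E(t) = (D(t) + R(t)) - P(t).

    If protection outlasts detection plus reaction there is no exposure window,
    so E(t) is 0. P(t) = None stands for the slide's 'indeterminate' protection
    time; treating an unmeasured P(t) as 0 (all of D(t) + R(t) is exposure) is
    this example's assumption, not something the slides state.
    """
    if p_t is None:
        p_t = 0.0
    return max(0.0, (d_t + r_t) - p_t)


def data_at_risk_bytes(e_t: float, bandwidth_bytes_per_s: float) -> float:
    """Data Loss Risk as 'what can cross the link during E(t)'. Multiplying E(t)
    by link bandwidth is this example's reading of the slide's BW term."""
    return e_t * bandwidth_bytes_per_s


def evaluate(incidents: List[Incident], p_t: Optional[float],
             bandwidth_bytes_per_s: float) -> Tuple[List[dict], float]:
    """Per-incident TBS figures plus the worst E(t) across the set."""
    rows = []
    for inc in incidents:
        d, r = inc.d_t(), inc.r_t()
        e = exposure(p_t, d, r)
        rows.append({
            "name": inc.name,
            "D(t)": d,
            "R(t)": r,
            "E(t)": e,
            "protected": p_t is not None and p_t > d + r,
            "data_at_risk_bytes": data_at_risk_bytes(e, bandwidth_bytes_per_s),
        })
    worst = max((row["E(t)"] for row in rows), default=0.0)
    return rows, worst


def squeeze_the_loop(incident: Incident, p_t: Optional[float],
                     faster_detection_factor: float) -> Tuple[float, float]:
    """'Squeeze the loop': E(t) before and after D(t) shrinks by a factor
    (0.1 = detection ten times faster) while R(t) stays as measured."""
    before = exposure(p_t, incident.d_t(), incident.r_t())
    after = exposure(p_t, incident.d_t() * faster_detection_factor, incident.r_t())
    return before, after


# Constructed incident records (not real data): timestamps as a SOC ticket might
# record them. "slow-exfil" sat undetected for 12.5 minutes; "fast" was caught by
# an automated sensor within 20 seconds.
T = datetime.fromisoformat
SAMPLE_INCIDENTS = [
    Incident("slow-exfil", T("2024-01-10T10:00:00"), T("2024-01-10T10:12:30"),
             T("2024-01-10T10:20:00")),
    Incident("fast", T("2024-01-11T14:05:00"), T("2024-01-11T14:05:20"),
             T("2024-01-11T14:06:00")),
]

if __name__ == "__main__":
    # Assumed P(t): the control is known to hold for 10 minutes (600 s).
    rows, worst = evaluate(SAMPLE_INCIDENTS, p_t=600.0, bandwidth_bytes_per_s=10_000_000)
    for row in rows:
        print(row)
    print("worst E(t) in seconds:", worst)
    print("slow-exfil with 10x faster detection:", squeeze_the_loop(SAMPLE_INCIDENTS[0], 600.0, 0.1))
```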
2 Detection Products: Applying Bayes and Trust
Data Exfiltration Protection
Measure Your Phishing Vendor Products
Adding an OOB Channel When Primary Comm is DOS’d
• Reaction/Remediation not possible over primary comm channel;
• Ergo, OOB Feedback
OOB/DDoS Feedback in Closed System
1st Hop Feedback Mechanism:
Feedforward and Negative Time
Feedforward and Negative Time with Toggled Delay
Multi-Tier Feedback (DDoS)
Squeezing the Loop: T ➞ 0
Intelligence in the Loop
Feedback & Ebbinghaus: Visualizing Security
Feedback Yield OODA via Trust Decay
OODA: Go Fast or Lose
What Can You Do Now?
• Measure Your Detection Process. You can do this!
• Measure Your Reaction Process. You can do this!
• Measure Vendor Performance: You can do this!
• Compare Products in Test Bed
• Demand Hard Data From Your Vendor!
• Examine Security Process for Intrinsic Feedback
• Where else can Feedback be applied? Code? Human/Cyber/Physical Processes?
ISO/IEC 27032
Training Courses
• ISO/IEC 27001 Introduction: 1-Day Course
• ISO/IEC 27001 Foundation: 2-Day Course
• ISO/IEC 27001 Lead Implementer: 5-Day Course
• ISO/IEC 27001 Lead Auditor: 5-Day Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
www.pecb.com/events
THANK YOU
?
winn@thesecurityawarenesscompany.com
www.thesecurityawarenesscompany.com
linkedin.com/in/winnschwartau

Patient Counselling. Definition of patient counseling; steps involved in pati...
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptx
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 Sales
 

A Philosophical Approach to Cyber-Security
• Kill Absolutism: Min-Max Only. No ‘0’s and no ‘1’s. That’s called ‘Analogue’.
• Security is Dynamic. Not Static. Trust is Fuzzy.
• Employ Detection in Depth.
• Integrate Analogue Functions to Measure Security
• Insert Feedback. (Pos/Neg/OODA)
• OOB Comm is Required.
• Introduce Negative Time. Time is the common metric between security, privacy and risk.
Above All: Do Not Change Current Internet (TCP/IP) Protocols or Network Architecture.
START HERE: Time Based Security (1998)
• Protection (Fortress Mentality Does Not Work)
• P(t) > D(t) + R(t), & P(t) = indeterminate
• D(t) + R(t) = E(t)
• The goal is: [D(t) + R(t)] >> 0
• If P(t) < D(t) + R(t), then E(t) = [(D(t) + R(t)) - P(t)]
• BW / IDBI = 1/E(t)
• Data Loss Risk
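The Time Based Security arithmetic on this slide, worked through on constructed incident timings as an added example (this is not code from the slides). It uses the slide's own symbols: P(t) protection time, D(t) detection time, R(t) reaction time, E(t) exposure time. The protection time, the egress bandwidth and every incident timestamp are assumed sample values; D(t) and R(t) are measured from the records rather than typed in, which is the measurement the later "What Can You Do Now?" slide asks for.

```python
"""Time-Based Security arithmetic on constructed incident timings.

Added example, not code from the slides. Symbols follow the slide:
P(t) protection time, D(t) detection time, R(t) reaction time,
E(t) exposure time. Every number below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """Three timestamps from one incident record (constructed)."""
    name: str
    attack_start: datetime   # first hostile activity
    alert_raised: datetime   # detection product fired
    contained: datetime      # reaction completed (blocked / isolated)

    @property
    def detection_s(self) -> float:
        """D(t): seconds from attack start to alert."""
        return (self.alert_raised - self.attack_start).total_seconds()

    @property
    def reaction_s(self) -> float:
        """R(t): seconds from alert to containment."""
        return (self.contained - self.alert_raised).total_seconds()


def exposure_s(p: float, d: float, r: float) -> float:
    """E(t) = (D + R) - P when P < D + R, otherwise 0 (protection held)."""
    return max(0.0, (d + r) - p)


def data_at_risk_bytes(e: float, bandwidth_bps: float) -> float:
    """Data Loss Risk: bytes that can leave during the exposure window."""
    return e * bandwidth_bps


def max_reaction_for_zero_exposure(p: float, d: float) -> float:
    """'Squeeze the loop': the largest R that still keeps P > D + R."""
    return max(0.0, p - d)


def score_incidents(incidents, protection_s: float, bandwidth_bps: float) -> dict:
    """Measure D and R from the records, then apply the TBS inequality."""
    d_vals = [i.detection_s for i in incidents]
    per_incident = {}
    for i in incidents:
        e = exposure_s(protection_s, i.detection_s, i.reaction_s)
        per_incident[i.name] = {
            "D": i.detection_s,
            "R": i.reaction_s,
            "E": e,
            "bytes_at_risk": data_at_risk_bytes(e, bandwidth_bps),
        }
    return {
        "mean_D": mean(d_vals),
        "mean_R": mean(i.reaction_s for i in incidents),
        "incidents": per_incident,
        # reaction budget that keeps E(t) at 0 for the average detection time
        "R_budget": max_reaction_for_zero_exposure(protection_s, mean(d_vals)),
    }


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: one slow loop, one squeezed loop.
SAMPLE = [
    Incident("slow-alert", ts("2024-03-01T10:00:00"),
             ts("2024-03-01T10:02:30"), ts("2024-03-01T10:12:30")),
    Incident("squeezed", ts("2024-03-02T14:00:00"),
             ts("2024-03-02T14:00:30"), ts("2024-03-02T14:01:30")),
]
PROTECTION_S = 300.0          # assumed: P(t) estimated for one control
BANDWIDTH_BPS = 10_000_000.0  # assumed: 10 MB/s egress

if __name__ == "__main__":
    result = score_incidents(SAMPLE, PROTECTION_S, BANDWIDTH_BPS)
    for name, row in result["incidents"].items():
        print(f"{name}: D={row['D']:.0f}s R={row['R']:.0f}s "
              f"E={row['E']:.0f}s bytes_at_risk={row['bytes_at_risk']:.0f}")
    print(f"mean D={result['mean_D']:.0f}s, "
          f"R budget for E(t)=0: {result['R_budget']:.0f}s")
```

With the sample values the slow incident has D = 150 s and R = 600 s against P = 300 s, so E(t) = 450 s and 4.5 GB could leave at the assumed bandwidth; the squeezed incident (D = 30 s, R = 60 s) stays inside P and has E(t) = 0. The R_budget figure is what "squeeze the loop" means in numbers: reaction must finish within P minus the measured detection time.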
The Premises of Feedback in Networks
• Static Security is a Fail. Dynamism is Required.
• Without Feedback, Network Chaos is Ensured.
• Apply Min-Max instead of 1s and 0s.
• Think recursive. Get loopy. Squeeze the Loop.
• “At the same time” (simultaneity) only means something at the quantum level. It’s otherwise meaningless. You really mean “in sync”.
SCADA/ICS are Measurable!
Programmable Logic Controller
• Binary Controls - On-Off = 1:0 = Yes/No
• Analogue Controls - > 0 & < 1
SCADA-like Negative Feedback In Our Personal Lives
• Thermostats: Auto-adjust cooling and heating systems to dynamically adapt as dictated by the chosen temperature.
• Toilet ballcocks rise with the water level and close a valve that turns off the water.
• Motion detection for room lighting, which also happens to be time-based.
• Home automation systems.
• Driverless cars.
Synaptic Weighting in Neural Networks
The Brain is Analogue, and Processes Neurally. Why are we letting the tech (them!) tell us humans to think like them? Constant weighting, feedback/feedforward, and updates.
Where is Network Security Feedback?
• We are only moving data… not dynamic control information.
• SCADA/ICS does both.
Network Security Is A Bear
• This is the basis of Analogue Network Security.
OODA Loop Feedback
• Apply to Kinetic Conflict
• Apply to Marketing
• Apply to Business Processes
• It’s a Decision Cycle!
Developed by USAF Col. John B for Aerial Dog-Fighting
OODA With More Feedback
OODA in Security Awareness: Positive Feedback
My Wife’s Car Does This – Out of Band
• Natural Human Feedback
• OOB (Head Turn)
• Adapted to Collision Avoidance
I Have Trust Issues
• Trust is NOT Binary!
• It changes over time!
• Dynamic Trust Degradation
• Periodic Trust Re-Evaluation
The Analogue Two (Or More!) Man (Person) Rule
• Alice makes a choice
• Bob must approve (Feedback)
• Time is the Metric
2 People or Processes MUST agree.
Replace Defense in Depth (Epic Fail) with Detection in Depth
“Sensors on GE (et al) jet engines can produce 10 terabytes of operational information for every 30 minutes they turn. A four engine jumbo jet can create 640 terabytes of data on just one Atlantic crossing. Now, multiply that by the more than 25,000 flights flown each day…”
COMMON DETECTION SENSOR TECHNIQUES:
• Optical spectrum.
• Electromagnetic - DC to 300+ PetaHertz (gamma rays, 3 X 10^21 Hz).
• Sonic: from almost 0 Hz to ~250KHz at sea level air.
• Pressure.
• Viscosity.
• Phase relationships (time).
• Vibration (intensity/time).
• Velocity (time).
• Acceleration (time^2).
• Tuned to specific Chemical Signatures.
• Echoing & Doppler.
• Temperature (time & time^2).
• Proximity.
• Weight/Mass.
• Flow (time).
Testing Vendor Claims with Feedback
Using Feedback to Measure Security D&R Efficacy
• Detection
• Reaction
• “Squeeze The Loop”
• Add Trust Factor
For defensive security to be effective: P(t) > D(t) + R(t), and E(t) → 0 (Limit formula)
2 Detection Products: Applying Bayes and Trust
Measure Your Phishing Vendor Products
Adding an OOB Channel
When Primary Comm is DOS’d
• Reaction/Remediation not possible over primary comm channel;
• Ergo, OOB Feedback
OOB/DDoS Feedback in Closed System
1st Hop Feedback Mechanism: Feedforward and Negative Time
Feedforward and Negative Time with Toggled Delay
Feedback & Ebbinghaus: Visualizing Security
Feedback Yield OODA via Trust Decay
OODA: Go Fast or Lose
What Can You Do Now?
• Measure Your Detection Process. You can do this!
• Measure Your Reaction Process. You can do this!
• Measure Vendor Performance: You can do this!
• Compare Products in Test Bed
• Demand Hard Data From Your Vendor!
• Examine Security Process for Intrinsic Feedback
• Where else can Feedback be applied? Code? Human/Cyber/Physical Processes?
ISO/IEC 27032 Training Courses
• ISO/IEC 27001 Introduction 1 Day Course
• ISO/IEC 27001 Foundation 2 Days Course
• ISO/IEC 27001 Lead Implementer 5 Days Course
• ISO/IEC 27001 Lead Auditor 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
www.pecb.com/events