Risks or vulnerabilities?

Post on 21-Dec-2014



Slides prepared in a few hours to fill in for a missing speaker at the All Security conference in Rome, 2011


Alessio L.R. Pennasilico
mayhem@alba.st
twitter: mayhemspp
FaceBook: alessio.pennasilico

Rome, 7 April 2011


$ whois mayhem

Board of Directors: CLUSIT, Associazione Informatici Professionisti, Associazione Italiana Professionisti Sicurezza Informatica, Italian Linux Society, OpenBSD Italian User Group, Hacker’s Profiling Project


Security Evangelist @



Roger G. Johnston
Vulnerability Assessment Team, Nuclear Engineering Division, Argonne National Laboratory



Risks or vulnerabilities?


Threat: Adversaries might install malware in the computers in our Personnel Department so they can steal social security numbers for purposes of identity theft.

Vulnerability: The computers in the Personnel Department do not have up-to-date virus definitions for their anti-malware software.




Threat: Thieves could break into our facility and steal our equipment.

Vulnerability: The lock we are using on the building doors is easy to pick or bump.



Social Engineering

Threat: Nefarious insiders might release confidential information to adversaries.

Vulnerability: Employees don’t currently have a good understanding of what information is sensitive/confidential and what is not, so they can’t do a good job of protecting it.



Myth #1

“A Threat without a mitigation is a Vulnerability” makes no sense because:

(a) a Threat is not a Vulnerability
(b) security is a continuum, and 100% elimination of a Vulnerability is rarely possible
(c) adversaries may not automatically recognize a Vulnerability, so mitigating it may be irrelevant for that specific Threat



Myth #2

“Threats are more important than Vulnerabilities”: we need to consider that a TA (threat assessment) involves mostly speculating about people who are not in front of us, who might not even exist, but who have complex motivations, goals, mindsets, and resources if they do exist. Vulnerabilities are more concrete and right in front of us (if we’re clever and imaginative enough to see them). They are discovered by doing an analysis of actual infrastructure and its security, not by speculating about people.



Past vs Future

Some people claim that past security incidents can tell us all we need to know about Threats, but that is just being reactive, not proactive, and misses rare but very catastrophic attacks.



If you understand and take some reasonable effort to mitigate your security Vulnerabilities, you are probably in fairly good shape regardless of the Threats.



If you understand the Threats but are ignorant of the Vulnerabilities, you are not likely to be very secure, because the adversaries will have many different ways in.


Cognitive Biases


Optimism Bias

The demonstrated systematic tendency for people to be over-optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. It is one of several kinds of positive illusion to which people are generally susceptible.



Optimism Bias

Optimistic overconfidence bias can induce people to underinvest in primary and preventive care and other risk-reducing behaviors.



A brain-imaging study found that, when imagining negative future events, signals in the amygdala, an emotion centre of the brain, are weaker than when remembering past negative events. This weakened consideration of possible negative outcomes is one possible mechanism for optimism bias.




Experience-based techniques that help in problem solving, learning and discovery: a "rule of thumb", an educated guess, an intuitive judgment or simply common sense.



Availability heuristic

Estimating what is more likely by what is more available in memory, which is biased toward vivid, unusual, or emotionally charged examples.



Representativeness heuristic

Judging probabilities on the basis of resemblance.



Affect heuristic

Basing a decision on an emotional reaction rather than a calculation of risks and




Donald Norman





We must deal with threats

We must deal with vulnerabilities




We are human, we can make mistakes

Trying to manage the causes of misjudgment helps




These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 licence; you can copy, modify or sell them. “Please” cite your source and use the same licence :)

Thank you for your attention!