Lessons From The Defensive Security Podcast

Presentation transcript:

Lessons From The Defensive Security Podcast @maliciouslink

I’m Jerry Bell. Work @ IBM – I speak for myself only. Podcast @ DefensiveSecurity.org. @maliciouslink

“Those who cannot remember the past are condemned to repeat it.” - George Santayana

I study how data breaches happen and talk about them on a podcast

Many opportunities to learn

As defenders, we have limited budget, limited time We must efficiently prioritize

There are many good industry reports that help explain breaches

Most reports segment breaches by attack type or motives of the adversary

Reports are helpful… But they do not explain what to fix.

What I’ve learned

Our people are the key to security Let me explain…

Security researchers have grown adept at manipulating media coverage of vulnerabilities they found

The concept of “least privilege” is not well understood or implemented

Example: NotPetya

Supply chain is a significant emerging threat

Example: NotPetya, Target

IT architectures and software are more a form of individual artistic expression than principled engineering

“Hackers only have to be right once… Defenders have to be right every time.”

Attacks shift away from what no longer works to what does work

Attack techniques and tools are getting more complicated But opportunistic attacks still work very well

The industry endlessly debates end-user security training But rarely about training the people designing our IT systems

The debate about end user training is a red herring

Business leaders have little idea how much risk they are accepting

Our IT tools are being used against us

Cloud and automation create dramatic opportunities to mitigate risk… and also create new risks

Indicators that a breach was underway are usually obvious… But only during forensic analysis

The entry point in nearly all breaches seems obvious… After the breach happened

Organizations are judged on their handling of a breach… Possibly more than having the breach

Organizations will have difficulty meeting breach reporting timeframes of new regulations

Security is a people problem… …and the problem starts with IT and Security staff.

THANK YOU! @maliciouslink