RISKS VS. REAL LIFE
Mona Arkhipova
Unit Manager of information security architecture and monitoring
Acronis
PROPRIETARY AND CONFIDENTIAL
About me
Unit Manager of information security architecture and monitoring,
Acronis
Past:
• Head of SOC and OPS monitoring, Lead information security expert
at QIWI group;
• Security analyst at General Electric (GE Capital);
• independent security consultant at fintech start-ups;
• *nix systems and network administrator
Traditional approach
Risk is a function of the likelihood of a given threat-source’s
exercising a particular potential vulnerability, and the resulting
impact of that adverse event on the organization.
- NIST 800-30
Risk management is the foundation of most security-related standards.
But is it applicable to security in real life?
Prepare your perimeters
Physical security
The most widely used statement in arguments about internal systems’ security:
“Why should we harden this asset/application/device? It’s for
internal users only, no one can enter our office! There’s no risk!”
There are many “unbelievable” ways to get inside:
• Shared areas in your business center
• “Convenient” routes for employees into less secure areas
• Good old social engineering
Internal resources
One more statement used in arguments about internal systems’ security:
“Why should we harden this asset/application/device? It’s for
internal users only, everyone should be authorized to use those
systems! The risk is low!”
In many companies, getting inside is far easier than one would
imagine:
• Lack of segmentation
• Lack of controls on remote access
• External-facing intranet portals
• Oh, and one step back – physical security
Test environments
“There’s no sensitive data, it is not production”
Common mistakes:
• Not (properly) segregated from the internal network
• Password/key reuse
• Links to core management systems
• Often DOES CONTAIN production data
(Not so) good services
Do you really rely on external services?
• Have you ever reviewed the information you send them?
• Aren’t you afraid to transfer your sensitive data to services with no
formal background?
• Do you trust your security service providers’ employees as much as
your own?
• Do you have a third-party security review?
Legacy systems
Mission-critical systems
“We cannot patch the system, it’s too critical, an update would ruin it”
• A good starting point for your BCM program
• Vulnerability and patch management are required by standards
• One day it may ruin your business, and not only for security reasons
• Human mistakes
• Lack of expertise (delayed issues)
Core Business Impact
Code quality and less legacy directly affect the business, especially
one built on in-house developed applications
• Good code – stable and secure code
• Stable code is the basic building block of overall service stability
and availability
• Stable HA service – good customer experience
• Good customer experience brings more than just money.
Weakest link in your security chain
Endpoints
“I’m tired of all these weekly/monthly/quarterly reboots”
• Security is about data, not only about a server somewhere
• Good old software may be a great security risk
• …as well as a service tested on a workstation for faster
feedback/dev/PoC/whatever
• What about lost devices, BYOD and remote access?
Employees
“Our employees are loyal, we trust them”
• Prepare for a lot of disappointment after DLP installation
• Not all loyal employees stay loyal in crisis situations (or just local
conflicts)
• Not all “old boys” are playing on your side
• Unspoken things about contract bribery and its detection
• Not all companies have pre-employment checks and proper
conflict-of-interest detection
• Do you really know your data flows?
Questions?
Mona Arkhipova
Unit Manager of information security architecture and monitoring
Mona@acronis.com /monaarkhipova

Editor's Notes

  • #4 Risk is the possibility that a certain adverse event will occur, one that has its own cost (the size of the expected damage) and a probability of occurrence. The traditional approach to risk implies a threat model based on expert assessment and/or on risks that have already materialized (pentest, red team, facts). How often is it reviewed?
  • #6 Emergency stairwells, areas shared with the business center. Convenient passages for employees (smoking area, canteen, etc.). Social engineering: how aware are the users?
  • #7 Segmentation problems. Remote access (for example, simple passwords without 2FA). Portals/services for employees exposed externally.
  • #8 Segmentation problems again, reuse of keys/passwords, links to existing systems.
  • #9 How often do you review the information that is handed to a third party? Aren't you afraid to hand data to a third party without a legal entity / with an unverifiable legal entity / simply on the strength of an acquaintance? And to run their scripts? The service's personnel and your internal checks. Is there third-party verification; can you arrange an audit? GDPR and IP addresses.
  • #11 Business continuity: ONiVD, 242-P. Dictated by standards. Sometimes things crash not only because of vulnerabilities (functional bugs). Human errors. A separate line: departure of qualified staff, "no one is irreplaceable", handover to less qualified people without training, the joke about the three letters.
  • #12 For those who have in-house development: best practices (SDLC/VPM), code quality, product quality, service quality, UX ... Profit!
  • #13 In fact, it is not a link at all.
  • #14 Difficulties interacting with users when starting VPM. Familiar (vulnerable) software. For IT companies: developing services/PoCs on workstations. Lost devices, BYOD, remote access from home PCs.
  • #15 Risks that nobody wants to document. DLP should not be the first priority, but there will be many disappointments. Not all loyal employees stay loyal (for example when the business is sold, or in local conflicts). Not all buddies are on your side. What is not customary to talk about: insider trading, procurement transparency. Conflict of interest. The same as with third parties: data flows.