Applying Physical Discipline to Cybersecurity Challenges

Cybersecurity has failed to learn from the physical world. More and more attacks have real-world consequences, including shutting down pipelines and casinos. This talk explains how Failure Mode and Effects Analysis (FMEA), a disciplined method for designing reliable and robust systems and processes, can be applied to cybersecurity. FMEA complements and goes beyond threat modeling and attack graphs by incorporating the probability of detection into the risk equation.

As professionals, we were taught to calculate risk as probability times impact. While this was good for a start, we now have expensive detection systems that need to be included in the risk equation. Luckily, FMEA already includes detection, so we can leverage something that has been around since WWII.

Both attackers and defenders will benefit from analyzing the probability that an attack is detected.
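A worked illustration of the abstract's point, added here and not part of the talk or the presenter's material: the same constructed set of failure modes is scored first as probability times impact and then with the standard FMEA Risk Priority Number (severity x occurrence x detection, where the detection rating grows as an attack becomes harder to detect), and the priority order changes once detection is counted. All names and ratings are constructed sample data.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    """One row of a cyber FMEA worksheet (constructed sample data)."""
    name: str
    severity: int    # 1-10: impact if the attack succeeds
    occurrence: int  # 1-10: likelihood the attack is attempted and succeeds
    detection: int   # 1-10, FMEA convention: 1 = almost certainly detected
                     # before impact, 10 = no existing control would detect it

    def classic_risk(self) -> int:
        # The familiar two-factor score: probability x impact.
        return self.occurrence * self.severity

    def rpn(self) -> int:
        # FMEA Risk Priority Number: severity x occurrence x detection.
        return self.severity * self.occurrence * self.detection


# Constructed worksheet; ratings are illustrative, not measured.
WORKSHEET = [
    FailureMode("Ransomware via phishing", severity=9, occurrence=6, detection=3),
    FailureMode("OT pipeline controller tampering", severity=10, occurrence=3, detection=8),
    FailureMode("Credential stuffing on customer portal", severity=6, occurrence=8, detection=2),
    FailureMode("Insider data exfiltration", severity=8, occurrence=4, detection=9),
]


def rank(modes, key):
    """Return failure-mode names ordered from highest to lowest score."""
    return [m.name for m in sorted(modes, key=key, reverse=True)]


def compare_rankings(modes):
    """Rank the same failure modes by P x I and by FMEA RPN."""
    return {
        "classic": rank(modes, FailureMode.classic_risk),
        "fmea": rank(modes, FailureMode.rpn),
    }


def with_detection_control(mode, new_detection):
    """Re-score a failure mode after a detection control lowers its rating."""
    return replace(mode, detection=new_detection)


if __name__ == "__main__":
    for label, order in compare_rankings(WORKSHEET).items():
        print(f"{label}: " + " > ".join(order))
```

With these ratings the classic score puts phishing-delivered ransomware first, while the RPN promotes the two hard-to-detect modes (insider exfiltration and controller tampering) to the top; lowering a mode's detection rating with `with_detection_control` shows how a new monitoring control moves it back down the list.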


About the Presenter: David Shinberg

David A. Shinberg stands at the forefront of cybersecurity and system architecture, with a career spanning over two decades marked by significant contributions to technological innovation and security. Holding dual master's degrees in Computer Science and Business Administration, David has effectively bridged the gap between intricate technical challenges and strategic business initiatives. His tenure at Capital One highlighted his proficiency in cybersecurity consulting, especially within the Card division, where he developed models for rapid vulnerability identification and remediation, notably during the Log4j incident. This role underscored his ability to enhance security protocols and practices across large-scale financial systems, demonstrating a keen ability to mitigate risks while fostering business agility.

At LGS Innovations, as the Director of the Internet Research Lab, David led a pioneering team responsible for mapping the internet, developing novel techniques and software for analyzing network routing information. This effort not only contributed to a deeper understanding of global internet connectivity but also to David's reputation as a leader capable of driving significant technological advances. His work at Bell Labs further accentuated his expertise, where he managed the software development and hardware integration of two real-time controllers placed on a submarine, showcasing his ability to deliver high-quality solutions under stringent requirements. His selection by the Navy for at-sea testing due to his comprehensive system knowledge and troubleshooting skills was a testament to his exceptional technical and leadership capabilities.

David's experiences at CVS Health and Atlantic Health System further demonstrate his adeptness in navigating the complexities of healthcare IT, implementing robust security frameworks to safeguard sensitive health data, and ensuring compliance with HIPAA and PCI standards. His strategic approach to cybersecurity at CVS Health, focusing on improving operational capabilities while reducing costs, and his leadership in information security at Atlantic Health System, where he ensured the security of systems and patient information, highlight his versatile skill set and commitment to protecting critical information assets.

Holding an impressive array of SANS GIAC certifications, including but not limited to GCFA, GSTRT, GPEN, GMON, and GCIH, David has demonstrated extensive expertise across the major cybersecurity domains. His significant contributions to projects such as the real-time controller on a submarine, the mapping of the internet, and the implementation of comprehensive security measures in the healthcare sector, combined with his impactful work at Capital One, make him an invaluable asset to the cybersecurity field. David brings to the CanSecWest conference a wealth of knowledge and experience, offering profound insights into the intersections of technology, security, and strategic business operations.
