Ein Security Bitte

Bea Hughes
October 23, 2014


DevOps Days Berlin 2014

Video at http://vimeo.com/album/3093746/video/110133596

"So you've bought yourselves a top of the line devops appliance. Everything is great. But, from what you've heard from Twitter, the next thing you need is a security. My talk is about the next steps: to get from zero to, well, at least better than most of the industry.

Security from the application side, the CI/CD side, and the network/infrastructure end. Topics such as:

making builds more trustworthy.
IDS that isn't a complete waste of €100,000.
detect XSS with this one weird trick.
the one firewall per child project.
There'll be humour, cat GIFs and some cool technical ideas."



Transcript

  1. Building Better Castles Ben Hughes Etsy @benjammingh

  2. @benjammingh Building better sand castles • I work at Etsy, yes that Etsy. • Yes we have a seemingly large security team. • We do “some” webops, arguably devops some days too. • My German is terrible. • No one cares about this slide.

  3. @benjammingh Building better sand castles • Intro (we’re here) • Users/laptops/the two people with “workstations”. • Servers/systems. • Data - that small topic. • Conclusions

  4. @benjammingh Securing laptops (and users)

  5. The landscape has changed. https://www.flickr.com/photos/andraspasztor

  6. The landscape has changed. https://www.flickr.com/photos/andraspasztor

  7. None
  8. What?! That’s an advert! A paid advert! For “TextWrangler”?!

  9. Sink holes!

  10. None
  11. IPv6 (it’s big outside of America)

  12. @benjammingh Building better sand castles • http://labs.neohapsis.com/2013/07/30/picking-up-the-slaac-with-sudden-six/ • http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-15-2mt-book/ip6-ra-guard.html • http://resources.infosecinstitute.com/slaac-attack/ • https://github.com/Neohapsis/suddensix

  13. @benjammingh Building better sand castles Oprah says “And you get an IDS….” • On most desktop OSes (Linux/OSX/Windows… I have no idea about Windows) you can use the firewall like an IDS. • PF example: pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }

  14. Servers! https://www.flickr.com/photos/stalker_cz/

  15. Patching…

  16. https://twitter.com/TimDenike/status/162973991034826752

  17. https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf

  18. None
  19. @benjammingh Building better sand castles Uptime security solutions!

  20. @benjammingh Building better sand castles Uptime security solutions! • SELinux - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/

  21. @benjammingh Building better sand castles Uptime security solutions! • SELinux - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/ • grsecurity - set of hardening patches to Linux. • http://grsecurity.net/features.php

  22. @benjammingh Building better sand castles Uptime security solutions! • SELinux - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/ • grsecurity - set of hardening patches to Linux. • http://grsecurity.net/features.php • Ksplice - https://www.ksplice.com/ scariest fix ever.

  23. @benjammingh Building better sand castles Realities of the situation: • There will always be un-patched machines.

  24. @benjammingh Building better sand castles Realities of the situation: • There will always be un-patched machines. • Breaches will occur.

  25. @benjammingh Building better sand castles Realities of the situation: • There will always be un-patched machines. • Breaches will occur. • Knowing they happened is much better than not knowing.

  26. @benjammingh Building better sand castles Bundesdatenschutzgesetz warning!

  27. None
  28. @benjammingh Building better sand castles • Linux kernel auditd events. • http://people.redhat.com/sgrubb/audit/ (driest page ever) • Mangled with some python because auditd is awful. • (will open source this, once the bugs are out. Pinkie swear) • Use Mozilla’s https://github.com/mozilla-it/audit-cef • Pay https://www.threatstack.com/ if you “Cloud”. • Throw in ELK/syslog/giant file to grep through.

  29. @benjammingh Building better sand castles More awesome auditd stuff purely for people downloading the slides: • http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/ • http://blog.threatstack.com/labs/2014/8/21/threat-stack-vs-redhat-auditd-showdown • http://www.slideshare.net/MarkEllzeyThomas/

  30. https://www.flickr.com/photos/jdhancock Data

  31. Backups

  32. @benjammingh Building better sand castles Backups • Don’t ship your DB backups off unencrypted. • Don’t use symmetric encryption, because the key will live with the backup (probably).

  33. Canaries

  34. @benjammingh Building better sand castles “Animal sentinel” • Put obvious “fake” data in data stores, use IDS to detect them in places they should never go.

  35. @benjammingh Building better sand castles “Animal sentinel” • Put obvious “fake” data in data stores, use IDS to detect them in places they should never go. • Operational uses too. Spotting non-TLS LDAP traffic.

  36. @benjammingh Building better sand castles “Animal sentinel” • Put obvious “fake” data in data stores, use IDS to detect them in places they should never go. • Operational uses too. Spotting non-TLS LDAP traffic. • Load Balancer Canary

  37. To Conclude

  38. @benjammingh Building better sand castles Conclusions • Laptops/users trust the environment. This isn’t always good.

  39. @benjammingh Building better sand castles Conclusions • Laptops/users trust the environment. This isn’t always good. • Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel.

  40. @benjammingh Building better sand castles Conclusions • Laptops/users trust the environment. This isn’t always good. • Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel. • Be careful with data. Help it be careful with you.

  41. @benjammingh Building better sand castles Questions? (Hah! As if we have time…) https://www.codeascraft.com/ https://github.com/etsy/ https://www.etsy.com/
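
Slide 13's PF rule (`pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }`) only logs the packets; something still has to turn the pflog stream into an alert. The following is an added example, not code from the deck or from Etsy: a Python script that reads the text form of pflog as printed by `tcpdump -n -e -r /var/log/pflog` and groups the hits on the watched ports by peer. The sample lines are constructed to look like that output, not a real capture; the value 4444 standing in for `$badport` and the port labels are assumptions.

```python
"""Summarise hits from a PF 'pass log' rule that is doubling as an IDS.

Added example: parses the text form of pflog, as printed by
`tcpdump -n -e -r /var/log/pflog`, and reports who talked to the watched
ports. The sample below is constructed to look like that output; it is not
a real capture.
"""
import re
from collections import Counter

# The ports from the slide's rule, plus a label for each. $badport is
# whatever macro you defined; 4444 is an assumption for this example.
WATCHED_PORTS = {6881: "bittorrent", 31337: "classic backdoor port", 4444: "$badport"}

SAMPLE_PFLOG = """\
14:50:23.156718 rule 4/(match) pass in on em0: 192.0.2.10.51234 > 203.0.113.5.31337: Flags [S], seq 1, win 65535, length 0
14:50:23.157001 rule 4/(match) pass in on em0: 192.0.2.10.51235 > 203.0.113.5.31337: Flags [S], seq 2, win 65535, length 0
14:50:24.000000 rule 4/(match) pass out on em0: 203.0.113.5.40000 > 198.51.100.7.6881: UDP, length 100
14:50:25.000000 rule 2/(match) block in on em0: 192.0.2.99.4444 > 203.0.113.5.22: Flags [S], seq 3, win 1024, length 0
14:50:26.000000 rule 4/(match) pass in on em0: 192.0.2.77.3000 > 203.0.113.5.4444: Flags [S], seq 4, win 1024, length 0
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """One dict per packet line; lines that do not look like pflog output are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for k in ("rule", "sport", "dport"):
            ev[k] = int(ev[k])
        # tcpdump prints "UDP, length N" for UDP and "Flags [...]" for TCP
        ev["proto"] = "udp" if "UDP" in line[m.end():] else "tcp"
        events.append(ev)
    return events


def watched_port_hits(events, watched=WATCHED_PORTS):
    """Count passed packets whose destination port is watched.

    Only 'pass' is counted: the IDS rule passes-and-logs, and a plain block
    on some other rule is not the signal we are after. Inbound hits name the
    remote source as the peer; outbound hits mean one of our own hosts opened
    a connection to a bad port, which is the more interesting case.
    """
    counts = Counter()
    for ev in events:
        if ev["action"] != "pass" or ev["dport"] not in watched:
            continue
        if ev["dir"] == "in":
            local, peer = ev["dst"], ev["src"]
        else:
            local, peer = ev["src"], ev["dst"]
        counts[(ev["dir"], local, peer, ev["proto"], ev["dport"])] += 1
    return [
        {"direction": d, "local": local, "peer": peer, "proto": proto,
         "port": port, "label": watched[port], "packets": n}
        for (d, local, peer, proto, port), n in sorted(counts.items())
    ]


def format_alerts(hits):
    """One human-readable line per (direction, local, peer, port) group."""
    return [
        f"{h['direction']:<3} {h['local']} <-> {h['peer']} {h['proto']}/{h['port']} "
        f"({h['label']}) x{h['packets']}"
        for h in hits
    ]


if __name__ == "__main__":
    for line in format_alerts(watched_port_hits(parse_pflog(SAMPLE_PFLOG))):
        print(line)
```

Feed it `tcpdump -n -e -l -i pflog0` for a live view instead of the file. The blocked SYN to port 22 in the sample is deliberately ignored: it matched a different rule, and the source port happening to be 4444 is not the same thing as something talking to 4444.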
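
Slide 28 says the raw auditd stream had to be "mangled with some python" before it was useful. One reason is that auditd writes a single execve() as several records (SYSCALL, EXECVE, CWD, PATH, EOE) that share only a serial number, and hex-encodes any argument containing a space or a quote. What follows is an added example, not the script the slide promises to open source: it stitches the records back into one event per serial, decodes the arguments, and applies two illustrative rules (a shell spawned by a uid with no login session, and a command line naming /etc/shadow). The audit.log lines are constructed, and the shell list and the rules are assumptions.

```python
"""Stitch auditd's multi-record events back into one object each, then flag a few.

Added example, not the script the slide mentions. auditd writes one execve()
as several records (SYSCALL, EXECVE, CWD, PATH..., EOE) that share only the
msg=audit(<time>:<serial>) key, and it hex-encodes any EXECVE argument that
contains a space or a quote. The audit.log lines below are constructed to
match that format; they are not a real log.
"""
import re

AUID_UNSET = 4294967295        # how auditd prints auid=-1, i.e. no login session behind the process
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash"}   # assumption: the shells worth flagging

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\S*)')

# Three events: a root shell reading /etc/shadow, a shell spawned by the web
# server's uid with no login session, and an ordinary user running ls.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1414060800.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1b2c3d0 a1=1b2c4e0 a2=1b2c5f0 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="exec"
type=EXECVE msg=audit(1414060800.123:4567): argc=3 a0="bash" a1="-c" a2=636174202F6574632F736861646F77
type=CWD msg=audit(1414060800.123:4567):  cwd="/root"
type=PATH msg=audit(1414060800.123:4567): item=0 name="/bin/bash" inode=131 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=EOE msg=audit(1414060800.123:4567):
type=SYSCALL msg=audit(1414060805.500:4570): arch=c000003e syscall=59 success=yes exit=0 a0=2a0 a1=2b0 a2=2c0 a3=0 items=2 ppid=2200 pid=2201 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1414060805.500:4570): argc=3 a0="sh" a1="-c" a2=6964202D75
type=CWD msg=audit(1414060805.500:4570):  cwd="/var/www"
type=EOE msg=audit(1414060805.500:4570):
type=SYSCALL msg=audit(1414060810.000:4580): arch=c000003e syscall=59 success=yes exit=0 a0=3a0 a1=3b0 a2=3c0 a3=0 items=2 ppid=3200 pid=3201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1414060810.000:4580): argc=2 a0="ls" a1="-la"
type=CWD msg=audit(1414060810.000:4580):  cwd="/home/deploy"
type=EOE msg=audit(1414060810.000:4580):
"""


def decode_arg(raw):
    """EXECVE aN values are quoted strings, or bare hex when the bytes were awkward."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def parse_audit_log(text):
    """Return one dict per serial, in first-seen order, with argv decoded."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        serial = int(m.group("serial"))
        pairs = FIELD_RE.findall(m.group("body"))
        fields = {k: v.strip('"') for k, v in pairs}
        ev = events.setdefault(serial, {"serial": serial, "time": float(m.group("time")),
                                        "argv": [], "paths": []})
        rtype = m.group("type")
        if rtype == "SYSCALL":
            for k in ("uid", "auid", "pid", "ppid", "ses"):
                ev[k] = int(fields[k])
            for k in ("exe", "comm", "key", "tty", "success"):
                ev[k] = fields.get(k)
        elif rtype == "EXECVE":
            # only a0, a1, ... are arguments; argc is metadata
            ev["argv"] = [decode_arg(v) for k, v in pairs if re.fullmatch(r"a\d+", k)]
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return list(events.values())


def findings(events):
    """Two illustrative rules; returns (serial, reason) per hit."""
    out = []
    for ev in events:
        if "exe" not in ev:
            continue                      # never saw the SYSCALL record for this serial
        cmd = " ".join(ev["argv"])
        if ev["auid"] == AUID_UNSET and ev["uid"] != 0 and ev["exe"] in SHELLS:
            out.append((ev["serial"], f"uid {ev['uid']} ({ev['comm']}) spawned {ev['exe']} "
                                      f"with no login session in {ev.get('cwd')}: {cmd}"))
        if "/etc/shadow" in cmd:
            out.append((ev["serial"], f"auid {ev['auid']} running as uid {ev['uid']} "
                                      f"named /etc/shadow on a command line: {cmd}"))
    return out


if __name__ == "__main__":
    for serial, reason in findings(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(serial, reason)
```

The stitched dicts are flat and JSON-friendly, which is the shape the slide's "throw it in ELK" step wants. The auid-versus-uid distinction is the part worth keeping: auid is set once at login and survives su and sudo, so a shell whose auid is unset but whose uid is the web server's did not come from any person logging in.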
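
Slides 34 to 36 describe planting "animal sentinel" data and watching for it where it should never go, including the operational case of spotting a value on the wire that only TLS-wrapped LDAP should be carrying. As an added example (not the deck's or Etsy's code), this Python plants three canary shapes per data store, derives them from a secret so any sensor can regenerate them rather than carry a list, and scans text seen at a named location against an allow-list of where each canary may legitimately appear. The secret, the labels, the location names and the sample texts are all assumptions.

```python
"""Plant canary records and catch them where they must never appear.

Added example, not Etsy's tooling. Each canary is derived from a secret with
HMAC, so any sensor that knows (secret, label) can regenerate it instead of
carrying a list of planted values. The card-shaped canary carries a valid
Luhn check digit so it survives the input validation real card numbers get.
"""
import hashlib
import hmac
import re


def luhn_check_digit(partial):
    """Digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                 # rightmost digit of the partial gets doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def make_canary(secret, label):
    """Deterministic fake record for one data store; label names that store."""
    mac = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()
    digits = str(int(mac[:16], 16) % 10**15).zfill(15)      # 15 digits + check digit = 16
    return {
        "label": label,
        "email": f"canary-{mac[16:28]}@example.invalid",   # .invalid never resolves: obviously fake
        "card": digits + luhn_check_digit(digits),
        "token": mac[28:60],                                 # secret-shaped value, e.g. a bind password
    }


def _norm(s):
    """Strip the separators people put in card numbers so lookups match."""
    return re.sub(r"[ -]", "", s)


class CanaryWatch:
    """Knows every canary and the only locations each is allowed to be seen at."""

    def __init__(self, secret, allowed):
        # allowed: label -> set of sensor/location names where that canary legitimately lives
        self.allowed = allowed
        self.index = {}
        alternatives = []
        for label in allowed:
            c = make_canary(secret, label)
            for kind in ("email", "token", "card"):
                self.index[_norm(c[kind])] = (label, kind)
            alternatives.append(re.escape(c["email"]))
            alternatives.append(re.escape(c["token"]))
            alternatives.append(r"[ -]?".join(c["card"]))   # also "1234 5678 ..." and "1234-5678-..."
        self.pattern = re.compile("|".join(alternatives))

    def scan(self, location, text):
        """Alerts for every canary seen at a location it is not allowed in."""
        alerts = []
        for m in self.pattern.finditer(text):
            label, kind = self.index[_norm(m.group(0))]
            if location not in self.allowed[label]:
                alerts.append({"location": location, "label": label, "kind": kind, "offset": m.start()})
        return alerts


if __name__ == "__main__":
    secret = b"rotate-me"   # assumption: lives in your secret store, not next to the data
    watch = CanaryWatch(secret, {"customers": {"db01"}, "ldap-bind": {"ldap01"}})
    customer = make_canary(secret, "customers")
    print(watch.scan("db01", "row: " + customer["email"]))          # allowed here: []
    print(watch.scan("egress-smtp", "To: " + customer["email"]))    # not allowed: one alert
```

For the LDAP case on slide 35, give the `ldap-bind` token to a dummy bind account as its password and allow it only at the directory server: a sensor reading cleartext on port 389 that matches it has found a client that is not using TLS, which is the operational use the slide means. The regex-based `scan` is deliberately simple; in practice the same indicator list is what you would load into the IDS.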