$30 off During Our Annual Pro Sale. View Details »

Ein Security Bitte

Bea Hughes
October 23, 2014
Technology
3
850

Ein Security Bitte

DevOps Days Berlin 2014

Video at http://vimeo.com/album/3093746/video/110133596

"So you've bought yourselves a top of the line devops appliance. Everything is great. But, from what you've heard from Twitter, the next thing you need is a security. My talk is about the next steps. To get from zero to well at least better than most of the industry.

Security from the application side, the CI/CD side, and the network/infrastructure end. Topics such as

making builds more trustworthy.
IDS that isn't a complete waste of €100,000.
detect XSS with this one weird trick.
the one firewall per child project.
They'll be humour, cat GIFs and some cool technical ideas."

Bea Hughes

October 23, 2014
Tweet

More Decks by Bea Hughes

See All by Bea Hughes
"Is security even important?" and other clickbait titles
barnbarn
1
320
Osquery, He Knows Me
barnbarn
0
510
Layer 2 person spoofing and impostor syndrome
barnbarn
2
740
MacOS security, hardening and forensics 101 workshop
barnbarn
2
1.5k
How you a actually get hacked!
barnbarn
7
5k
Why won’t my DevOps team talk to my Security team?
barnbarn
3
340
Impostor Syndrome in tech
barnbarn
4
530
SecDevOps: Creating cultural change to bridge between security and DevOps?
barnbarn
3
580
Security for non-Unicorns!
barnbarn
5
1.6k

Other Decks in Technology

See All in Technology
Repro の開発組織体制の変遷そして Platform Engineering / Platform Engineering Meetup #6
a_bicky
4
880
Microsoft Fabric と データメッシュ
ryomaru0825
2
190
コンテナ支部recapをrecapしよう_気になったコンテナの周りのアップデートを紹介.pdf
yoshiitaka
0
300
AI・機械学習ライブラリを使ったWebアプリでワクワク体験! / Qiita Night~AI、機械学習 / 20231201
you
PRO
1
1.6k
Amazon Bedrock を利用したAIチャットボット開発
yukimatsuyoshi
3
900
TextField 表示スタイル変更の 有効活用例 5 選
akkie76
0
160
技術コミュニティの中での生成AI(自身の観測範囲での事例について) / 23 Xmas Talk / 20231209
you
PRO
0
1.3k
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
0
2.3k
2023年度版! Chatwork流Kubernetesの運用方法
hanayo04
0
130
EMのスケールとマネジメントがチームになるということ / Team Building And Scaling Engineering Managers
yoshikiiida
1
930
Parsing case study in Go / Go Conference mini 2023 Winter IN KYOTO
k1low
2
400
AI-OCR機能のバクラクな体験を支えるソフトウェアエンジニアリング
tomoaki25
0
110

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
66
8.2k
Web development in the modern age
philhawksworth
201
9.9k
YesSQL, Process and Tooling at Scale
rocio
160
13k
In The Pink: A Labor of Love
frogandcode
135
21k
Intergalactic Javascript Robots from Outer Space
tanoku
264
26k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.8k
Automating Front-end Workflow
addyosmani
1354
200k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Fashionably flexible responsive web design (full day workshop)
malarkey
396
64k
Agile that works and the tools we love
rasmusluckow
323
20k
We Have a Design System, Now What?
morganepeng
41
6.5k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.7k

Transcript

  1. Building Better Castles
    Ben Hughes

    Etsy

    @benjammingh

    View Slide

  2. @benjammingh
    Building better sand castles
    • I work at Etsy, yes that Etsy.
    • Yes we have a seemingly large security team.
    • We do “some” webops, arguably devops some days too.
    • My German is terrible.
    • No one cares about this slide.

    View Slide

  3. @benjammingh
    Building better sand castles
    • Intro (we’re here)
    • Users/laptops/the two people with “workstations”.
    • Servers/systems.
    • Data - that small topic.
    • Conclusions

    View Slide

  4. @benjammingh
    Securing

    laptops

    (and users)

    View Slide

  5. The landscape has changed.
    https://www.flickr.com/photos/andraspasztor

    View Slide

  6. The landscape has changed.
    https://www.flickr.com/photos/andraspasztor

    View Slide

  7. View Slide

  8. What?

    !
    That’s an advert

    !
    A paid advert

    !
    For “TextWrangler”?!

    View Slide

  9. Sink holes!

    View Slide

  10. View Slide

  11. IPv6
    (it’s big outside of America)

    View Slide

  12. @benjammingh
    Building better sand castles
    • http://labs.neohapsis.com/2013/07/30/picking-up-the-
    slaac-with-sudden-six/
    • http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/
    configuration/15-2mt/ip6-15-2mt-book/ip6-ra-
    guard.html
    • http://resources.infosecinstitute.com/slaac-attack/
    • https://github.com/Neohapsis/suddensix

    View Slide

  13. @benjammingh
    Building better sand castles
    Oprah says “And you get an IDS….”
    • On most desktop OSes (Linux/
    OSX/Windows… I have no idea
    about Windows) you can use the
    firewall like an IDS.
    • PF example:
    pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }

    View Slide

  14. Servers!
    https://www.flickr.com/photos/stalker_cz/

    View Slide

  15. Patching…

    View Slide

  16. https://twitter.com/TimDenike/status/162973991034826752

    View Slide

  17. https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf

    View Slide

  18. View Slide

  19. @benjammingh
    Building better sand castles
    Uptime security solutions!

    View Slide

  20. @benjammingh
    Building better sand castles
    Uptime security solutions!
    • SELinux - ‘setenforce 0’ as it’s also known as.
    • http://stopdisablingselinux.com/

    View Slide

  21. @benjammingh
    Building better sand castles
    Uptime security solutions!
    • SELinux - ‘setenforce 0’ as it’s also known as.
    • http://stopdisablingselinux.com/
    • grsecurity - set of hardening patches to Linux.
    • http://grsecurity.net/features.php

    View Slide

  22. @benjammingh
    Building better sand castles
    Uptime security solutions!
    • SELinux - ‘setenforce 0’ as it’s also known as.
    • http://stopdisablingselinux.com/
    • grsecurity - set of hardening patches to Linux.
    • http://grsecurity.net/features.php
    • Ksplice - https://www.ksplice.com/ scariest fix ever.

    View Slide

  23. @benjammingh
    Building better sand castles
    • There will always be un-patched machines.
    Realities of the situation:

    View Slide

  24. @benjammingh
    Building better sand castles
    • There will always be un-patched machines.
    • Breeches will occur.
    Realities of the situation:

    View Slide

  25. @benjammingh
    Building better sand castles
    • There will always be un-patched machines.
    • Breeches will occur.
    • Knowing they happened is much better than not
    knowing.
    Realities of the situation:

    View Slide

  26. @benjammingh
    Building better sand castles
    Bundesdatenschutzgesetz

    warning!

    View Slide

  27. View Slide

  28. @benjammingh
    Building better sand castles
    • Linux kernel auditd events.
    • http://people.redhat.com/sgrubb/audit/ (driest page ever)
    • Mangled with some python because auditd is awful.
    • (will open source this, once the bugs are out. Pinkie swear)
    • Use Mozilla’s https://github.com/mozilla-it/audit-cef
    • Pay https://www.threatstack.com/ if you “Cloud”.
    • Throw in ELK/syslog/giant file to grep through.

    View Slide

  29. @benjammingh
    Building better sand castles
    More awesome auditd stuff purely for people
    downloading the slides:
    • http://security.blogoverflow.com/2013/01/a-brief-
    introduction-to-auditd/
    • http://blog.threatstack.com/labs/2014/8/21/threat-stack-
    vs-redhat-auditd-showdown
    • http://www.slideshare.net/MarkEllzeyThomas/

    View Slide

  30. https://www.flickr.com/photos/jdhancock
    Data

    View Slide

  31. Backups

    View Slide

  32. @benjammingh
    Building better sand castles
    • Don’t ship your DB backups off unencrypted.
    • Don’t use symmetric encryption, because the key will
    live with the backup (probably).
    Backups

    View Slide

  33. Canaries

    View Slide

  34. @benjammingh
    Building better sand castles
    • Put obvious “fake” data in data stores, use IDS to detect
    them in places they should never go.
    “Animal sentinel”

    View Slide

  35. @benjammingh
    Building better sand castles
    • Put obvious “fake” data in data stores, use IDS to detect
    them in places they should never go.
    • Operational uses too. Spotting non-TLS LDAP traffic.
    “Animal sentinel”

    View Slide

  36. @benjammingh
    Building better sand castles
    • Put obvious “fake” data in data stores, use IDS to detect
    them in places they should never go.
    • Operational uses too. Spotting non-TLS LDAP traffic.
    • Load Balancer Canary
    “Animal sentinel”

    View Slide

  37. To Conclude

    View Slide

  38. @benjammingh
    Building better sand castles
    • Laptops/users trust the environment. This isn’t always
    good.
    Conclusions

    View Slide

  39. @benjammingh
    Building better sand castles
    • Laptops/users trust the environment. This isn’t always
    good.
    • Servers don’t have to run so blindly, there’s a wealth of
    information in the Linux kernel.
    Conclusions

    View Slide

  40. @benjammingh
    Building better sand castles
    • Laptops/users trust the environment. This isn’t always
    good.
    • Servers don’t have to run so blindly, there’s a wealth of
    information in the Linux kernel.
    • Be careful with data. Help it be careful with you.
    Conclusions

    View Slide

  41. @benjammingh
    Building better sand castles
    Questions?
    (Hah! As if we have time…)
    https://www.codeascraft.com/
    https://github.com/etsy/
    https://www.etsy.com/

    View Slide