
Ein Security Bitte

Bea Hughes
October 23, 2014


DevOps Days Berlin 2014

Video at http://vimeo.com/album/3093746/video/110133596

"So you've bought yourselves a top of the line devops appliance. Everything is great. But, from what you've heard from Twitter, the next thing you need is a security. My talk is about the next steps. To get from zero to well at least better than most of the industry.

Security from the application side, the CI/CD side, and the network/infrastructure end. Topics such as:

• making builds more trustworthy.
• IDS that isn't a complete waste of €100,000.
• detect XSS with this one weird trick.
• the one firewall per child project.

There'll be humour, cat GIFs and some cool technical ideas."

Transcript

  1. Building Better Castles
    Ben Hughes
    Etsy
    @benjammingh

  2. @benjammingh
    Building better sand castles
    • I work at Etsy, yes that Etsy.
    • Yes we have a seemingly large security team.
    • We do “some” webops, arguably devops some days too.
    • My German is terrible.
    • No one cares about this slide.

  3.
    • Intro (we’re here)
    • Users/laptops/the two people with “workstations”.
    • Servers/systems.
    • Data - that small topic.
    • Conclusions

  4. Securing laptops (and users)

  5. The landscape has changed.
    https://www.flickr.com/photos/andraspasztor


  8. What?
    That’s an advert.
    A paid advert.
    For “TextWrangler”?!

  9. Sink holes!


  11. IPv6
    (it’s big outside of America)

  12.
    • http://labs.neohapsis.com/2013/07/30/picking-up-the-slaac-with-sudden-six/
    • http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-15-2mt-book/ip6-ra-guard.html
    • http://resources.infosecinstitute.com/slaac-attack/
    • https://github.com/Neohapsis/suddensix

  13. Oprah says “And you get an IDS….”
    • On most desktop OSes (Linux/OSX/Windows… I have no idea about Windows) you can use the firewall like an IDS.
    • PF example:
      pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }
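To make the slide's "firewall as IDS" trick concrete, here is an added example that is not part of the talk: it reads the text that `tcpdump -n -e -ttt -i pflog0` prints for PF's log interface, keeps only the packets that hit the rule's watched ports, and groups them by source host so a machine that touches several of those ports stands out. The log lines are constructed, the port set is an assumption (4444 stands in for the slide's `$badport` macro), and the line format is the usual tcpdump rendering of pflog records rather than the output of any particular version.

```python
import re
from collections import defaultdict

# Ports from the slide's PF rule. $badport is a pfctl macro, so 4444 stands in for it
# here (an assumption for this example only).
WATCHED_PORTS = {6881, 31337, 4444}

# tcpdump's text rendering of a pflog record, e.g.
#   "rule 7/0(match): pass in on em0: 192.0.2.10.51234 > 198.51.100.5.31337: Flags [S] ..."
# FreeBSD prints "7/0(match):", OpenBSD "7/(match)"; the \S* absorbs either form.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\S*\s+(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

# Constructed sample: four hits on watched ports and one ordinary HTTPS connection.
SAMPLE_LOG = """\
Oct 23 10:15:01.000001 rule 7/0(match): pass in on em0: 192.0.2.10.51234 > 198.51.100.5.31337: Flags [S], seq 1, win 65535, length 0
Oct 23 10:15:02.000002 rule 7/0(match): pass in on em0: 192.0.2.10.51235 > 198.51.100.5.6881: Flags [S], seq 2, win 65535, length 0
Oct 23 10:15:03.000003 rule 2/0(match): pass in on em0: 203.0.113.7.40000 > 198.51.100.5.443: Flags [S], seq 3, win 65535, length 0
Oct 23 10:15:04.000004 rule 7/0(match): pass in on em0: 203.0.113.7.40001 > 198.51.100.5.4444: Flags [S], seq 4, win 65535, length 0
Oct 23 10:15:05.000005 rule 7/(match) pass in on em0: 2001:db8::1.40002 > 2001:db8::5.31337: Flags [S], seq 5, win 65535, length 0
""".splitlines()


def split_host_port(endpoint):
    """tcpdump writes host.port for both IPv4 and IPv6, so split on the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if the line is not a pflog record."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    src, sport = split_host_port(m.group("src"))
    dst, dport = split_host_port(m.group("dst"))
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "direction": m.group("dir"),
        "iface": m.group("iface"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
    }


def find_watched_hits(lines, watched=WATCHED_PORTS):
    """Every parsed record whose destination port is one the rule singles out."""
    hits = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None and rec["dport"] in watched:
            hits.append(rec)
    return hits


def summarise(hits):
    """Map each source host to the sorted list of watched ports it touched."""
    ports_by_src = defaultdict(set)
    for h in hits:
        ports_by_src[h["src"]].add(h["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()}


def likely_scanners(summary, min_ports=2):
    """Sources that hit several watched ports: the ones to look at first."""
    return sorted(src for src, ports in summary.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    summary = summarise(find_watched_hits(SAMPLE_LOG))
    for src, ports in summary.items():
        print(f"{src}: {ports}")
    print("likely scanners:", likely_scanners(summary))
```

Two PF details matter when you run this against real logs: `log` on its own records only the packet that creates state, so you see one line per connection rather than one per packet (`log (all)` gives you every packet), and pflogd writes pcap files, so for historical data the same parser works on `tcpdump -n -e -ttt -r /var/log/pflog` output.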

  14. Servers!
    https://www.flickr.com/photos/stalker_cz/

  15. Patching…

  16. https://twitter.com/TimDenike/status/162973991034826752

  17. https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf


  19. Uptime security solutions!
    • SELinux, or ‘setenforce 0’ as it’s also known.
    • http://stopdisablingselinux.com/
    • grsecurity - set of hardening patches to Linux.
    • http://grsecurity.net/features.php
    • Ksplice - https://www.ksplice.com/ scariest fix ever.

  23. Realities of the situation:
    • There will always be un-patched machines.
    • Breaches will occur.
    • Knowing they happened is much better than not knowing.

  26. Bundesdatenschutzgesetz (German Federal Data Protection Act) warning!


  28.
    • Linux kernel auditd events.
    • http://people.redhat.com/sgrubb/audit/ (driest page ever)
    • Mangled with some python because auditd is awful.
    • (will open source this, once the bugs are out. Pinkie swear)
    • Use Mozilla’s https://github.com/mozilla-it/audit-cef
    • Pay https://www.threatstack.com/ if you “Cloud”.
    • Throw in ELK/syslog/giant file to grep through.
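The "mangling auditd with some python" the slide mentions was never published, so here is an added example of the usual shape of that job, written for this page rather than taken from the talk or from Etsy: it parses `audit.log` lines into fields, joins the SYSCALL and EXECVE records that share one serial number into a single execution event, and then asks the question the raw log makes hard, which logged-in human ran something as root (the `auid` field survives sudo and su, the `uid` field does not). The log lines are constructed, and the audit rule quoted in the comment is the standard way to get execve records.

```python
import re
from collections import defaultdict

# auditd field syntax: key=value, where the value is either bare or double-quoted.
# Arguments that are not printable are emitted as bare hex instead; they still parse.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<epoch.millis>:<serial>) ties the records of one syscall together.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
UNSET_AUID = 4294967295  # -1 as uint32: no login session (daemons, cron, boot)

# Constructed sample (not real audit output): three execve calls recorded by an
# audit rule such as "-a always,exit -F arch=b64 -S execve -k exec".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1414059001.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=1a2c a2=1a2d a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1414059001.123:456): argc=3 a0="curl" a1="-s" a2="http://updates.example.invalid/x.sh"
type=SYSCALL msg=audit(1414059001.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=2b3c a1=2b3d a2=2b3e a3=0 items=2 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec"
type=EXECVE msg=audit(1414059001.500:457): argc=1 a0="logrotate"
type=SYSCALL msg=audit(1414059002.000:458): arch=c000003e syscall=59 success=yes exit=0 a0=3c4d a1=3c4e a2=3c4f a3=0 items=2 ppid=1200 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1414059002.000:458): argc=2 a0="ls" a1="-la"
""".splitlines()


def parse_record(line):
    """One audit.log line -> dict of its fields plus the parsed timestamp and serial."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = {"ts": float(m.group(1)), "serial": int(m.group(2))}
    for key, value in FIELD_RE.findall(line):
        if key == "msg":
            continue
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def correlate(lines):
    """Group records by serial and fold SYSCALL + EXECVE into one execution event."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            by_serial[rec["serial"]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        execve = next((r for r in recs if r.get("type") == "EXECVE"), None)
        argv = []
        if execve is not None:
            argv = [execve[f"a{i}"] for i in range(int(execve["argc"])) if f"a{i}" in execve]
        events.append({
            "serial": serial,
            "ts": syscall["ts"],
            "auid": int(syscall["auid"]),
            "uid": int(syscall["uid"]),
            "exe": syscall.get("exe"),
            "key": syscall.get("key"),
            "success": syscall.get("success") == "yes",
            "argv": argv,
        })
    return events


def root_commands_by_humans(events):
    """Executions as uid 0 inside a real login session whose owner is not root:
    someone went through sudo/su, and auid says who."""
    return [e for e in events
            if e["auid"] != UNSET_AUID and e["auid"] != 0 and e["uid"] == 0 and e["argv"]]


if __name__ == "__main__":
    for e in root_commands_by_humans(correlate(SAMPLE_AUDIT_LOG)):
        print(f"{e['ts']:.3f} auid={e['auid']} ran as root: {' '.join(e['argv'])}")
```

The same grouping-by-serial step is what makes the PATH, CWD and SOCKADDR records usable too; once events are one dict each they ship cleanly into ELK or syslog, which is the "giant file to grep through" from the slide with the grepping done once, up front.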

  29. More awesome auditd stuff purely for people downloading the slides:
    • http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
    • http://blog.threatstack.com/labs/2014/8/21/threat-stack-vs-redhat-auditd-showdown
    • http://www.slideshare.net/MarkEllzeyThomas/

  30. Data
    https://www.flickr.com/photos/jdhancock

  31. Backups

  32. Backups
    • Don’t ship your DB backups off unencrypted.
    • Don’t use symmetric encryption, because the key will live with the backup (probably).
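The slide's objection to symmetric encryption is that whatever key the backup job can use to encrypt, it can also use to decrypt, and that key tends to end up next to the dumps. The usual fix is hybrid encryption with the key split across hosts, shown here as an added example that is not from the talk: each backup gets a fresh AES-256-GCM data key, that key is wrapped with an RSA public key, and only the public half ever lives on the database host, so a copy of the host plus every backup it ever produced still cannot be read. This assumes the `cryptography` package is installed; key sizes, the AAD label and the sample dump are my choices for the example.

```python
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 for wrapping the per-backup data key.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_keypair():
    """Run ONCE, away from the backup host. The public PEM ships to the DB box;
    the private PEM goes to the restore host / break-glass store and nowhere else."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_pem, public_pem


def encrypt_backup(plaintext, public_pem, label=b"db-backup"):
    """Backup host side: a fresh data key per dump, wrapped with the public key.
    Nothing on this host can unwrap it, so the host holds no secret worth stealing."""
    public_key = serialization.load_pem_public_key(public_pem)
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit GCM nonce; never reused because the key is never reused
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, label)
    wrapped_key = public_key.encrypt(data_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext, "aad": label}


def decrypt_backup(bundle, private_pem):
    """Restore side: the only place the private key exists. GCM's tag check also
    fails loudly if the dump was modified in transit or at rest."""
    private_key = serialization.load_pem_private_key(private_pem, password=None)
    data_key = private_key.decrypt(bundle["wrapped_key"], OAEP)
    return AESGCM(data_key).decrypt(bundle["nonce"], bundle["ciphertext"], bundle["aad"])


if __name__ == "__main__":
    private_pem, public_pem = generate_keypair()
    dump = b"-- constructed dump --\nINSERT INTO users VALUES (1, 'alice');\n"  # constructed
    bundle = encrypt_backup(dump, public_pem)
    print("restored OK:", decrypt_backup(bundle, private_pem) == dump)
```

The wrapped data key travels with each ciphertext, so the private key is the single thing that can lose you every backup at once: keep it in at least two places that are not the backup bucket, and rehearse the restore path, not just the backup path. Rotating the RSA key only affects future backups; old bundles stay readable with the old private key, which is the property you want.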

  33. Canaries

  34. “Animal sentinel”
    • Put obvious “fake” data in data stores, use IDS to detect them in places they should never go.
    • Operational uses too. Spotting non-TLS LDAP traffic.
    • Load Balancer Canary
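An added example of both canary uses on this slide, written for this page rather than taken from the talk: it generates fake customer records that look real enough to get copied wherever real data goes but can never occur legitimately, builds a detector over their values, and treats any sighting outside the few places the data is allowed to flow (replication, the backup pipeline) as an alert. One of the constructed observations is a cleartext LDAP bind carrying a canary identity, which is exactly how the slide's non-TLS LDAP problem shows up. The domain, the allowed-source list, the seed and the sample payloads are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Assumptions for this example: a domain you control and watch for the fake users'
# mail, and the only places canary values may legitimately appear.
CANARY_DOMAIN = "canary.example.invalid"
ALLOWED_SOURCES = {"db-replication", "backup-pipeline"}


def make_canary_records(count, seed_key):
    """Deterministic fake customers: the same seed rebuilds the watch list on the IDS
    side without a query against the real database."""
    records = []
    for i in range(count):
        tag = hmac.new(seed_key, f"canary-{i}".encode(), hashlib.sha256).hexdigest()[:12]
        records.append({
            "id": 900000 + i,
            "name": f"Sentinel Person {i}",
            "email": f"{tag}@{CANARY_DOMAIN}",
            "api_key": f"sk_live_{tag}{tag[::-1]}",
        })
    return records


def build_detector(records):
    """Compile one case-insensitive pattern over every canary value and return a
    scan(source, payload) function that reports each sighting with its offset."""
    tokens = sorted({r["email"] for r in records} | {r["api_key"] for r in records},
                    key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(t) for t in tokens), re.IGNORECASE)

    def scan(source, payload):
        return [{"source": source, "token": m.group(0).lower(), "offset": m.start()}
                for m in pattern.finditer(payload)]
    return scan


def alerts_for(streams, scan, allowed=ALLOWED_SOURCES):
    """A canary in a disallowed place is an alert; in an allowed place it only
    confirms the fake rows were copied along with the real ones."""
    return [hit for source, payload in streams
            for hit in scan(source, payload) if source not in allowed]


SEED = b"constructed-seed-for-the-example"
CANARIES = make_canary_records(3, SEED)

# Constructed observations: a backup job (fine), an outbound mail and an HTTP egress
# body (both should never happen), a cleartext LDAP bind on port 389 (the slide's
# operational use), and ordinary traffic with nothing in it.
SAMPLE_STREAMS = [
    ("backup-pipeline", f"INSERT INTO users VALUES (900001, '{CANARIES[1]['email']}')"),
    ("outbound-smtp", f"To: {CANARIES[0]['email'].upper()}\r\nSubject: Your invoice"),
    ("http-egress", '{"keys": ["' + CANARIES[2]["api_key"] + '"]}'),
    ("ldap-389-payload", f"bindRequest uid={CANARIES[0]['email']},ou=people"),
    ("http-egress", '{"status": "ok"}'),
]


def demo():
    """Run the detector over the constructed streams and return the alerts."""
    return alerts_for(SAMPLE_STREAMS, build_detector(CANARIES))


if __name__ == "__main__":
    for hit in demo():
        print(f"ALERT canary {hit['token']} seen in {hit['source']} at offset {hit['offset']}")
```

The same token list drops straight into content-match rules for a network IDS, and because the records are generated from a seed, rotating them is a matter of changing the seed, reinserting the rows and rebuilding the detector; the mailbox on the canary domain catches the cases no sensor on your own network ever will.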

  37. To Conclude

  38. Conclusions
    • Laptops/users trust the environment. This isn’t always good.
    • Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel.
    • Be careful with data. Help it be careful with you.

  41. Questions?
    (Hah! As if we have time…)
    https://www.codeascraft.com/
    https://github.com/etsy/
    https://www.etsy.com/