Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ein Security Bitte

Bea Hughes
October 23, 2014
Technology
3
790

Ein Security Bitte

DevOps Days Berlin 2014

Video at http://vimeo.com/album/3093746/video/110133596

"So you've bought yourselves a top of the line devops appliance. Everything is great. But, from what you've heard from Twitter, the next thing you need is a security. My talk is about the next steps. To get from zero to well at least better than most of the industry.

Security from the application side, the CI/CD side, and the network/infrastructure end. Topics such as

making builds more trustworthy.
IDS that isn't a complete waste of €100,000.
detect XSS with this one weird trick.
the one firewall per child project.
They'll be humour, cat GIFs and some cool technical ideas."

Bea Hughes

October 23, 2014
Tweet

More Decks by Bea Hughes

See All by Bea Hughes
"Is security even important?" and other clickbait titles
barnbarn
1
310
Osquery, He Knows Me
barnbarn
0
480
Layer 2 person spoofing and impostor syndrome
barnbarn
2
720
MacOS security, hardening and forensics 101 workshop
barnbarn
2
1.4k
How you a actually get hacked!
barnbarn
7
4.9k
Why won’t my DevOps team talk to my Security team?
barnbarn
3
330
Impostor Syndrome in tech
barnbarn
4
520
SecDevOps: Creating cultural change to bridge between security and DevOps?
barnbarn
3
540
Security for non-Unicorns!
barnbarn
5
1.5k

Other Decks in Technology

See All in Technology
Pwning Old WebKit for Fun and Profit
hhc0null
0
330
竹芝地区のデジタルツイン開発と3D人流シミュレーション開発
sbtechnight
PRO
0
350
生成AIで文化を創造する(ChatGPT作成タイトル)
sbtechnight
PRO
0
380
インターネットの最新技術をモバイル網に持ち込んで最強のエッジコンピューティング基盤を作ってみた
sbtechnight
PRO
0
380
赤裸々図解!新卒3年目でマネジメントもこなすフルスタックエンジニアになるまで
mizunohiroaki
0
300
世界一位の精度を獲得した意味に基づく映像検索技術
sbtechnight
PRO
0
340
技育祭2023春 ちゅらデータ講演資料
foursue
1
590
How we build Ads Platform in Rust
mapbox_jp
1
200
Finally_I_can_kichijojipm32
kaznishi
0
150
自動運転レベル4解禁にあたり求められる遠隔監視技術
sbtechnight
PRO
0
540
様々な環境へコマンドラインツールを提供する上での苦労とその対策 / YAPC::Kyoto 2023
konboi
0
2.3k
Webとクラウド技術に全振りした最強のモバイルコア作ってみた
sbtechnight
PRO
0
390

Featured

See All Featured
The Brand Is Dead. Long Live the Brand.
mthomps
48
3k
Reflections from 52 weeks, 52 projects
jeffersonlam
339
18k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
6
910
What’s in a name? Adding method to the madness
productmarketing
PRO
13
2k
We Have a Design System, Now What?
morganepeng
37
6k
StorybookのUI Testing Handbookを読んだ
zakiyama
8
3.4k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Learning to Love Humans: Emotional Interface Design
aarron
263
38k
Infographics Made Easy
chrislema
236
17k
Imperfection Machines: The Place of Print at Facebook
scottboms
254
12k
Why Our Code Smells
bkeepers
PRO
326
55k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k

Transcript

  1. Building Better Castles
    Ben Hughes

    Etsy

    @benjammingh

    View Slide

  2. @benjammingh
    Building better sand castles
    • I work at Etsy, yes that Etsy.
    • Yes we have a seemingly large security team.
    • We do “some” webops, arguably devops some days too.
    • My German is terrible.
    • No one cares about this slide.

    View Slide

  3. @benjammingh
    Building better sand castles
    • Intro (we’re here)
    • Users/laptops/the two people with “workstations”.
    • Servers/systems.
    • Data - that small topic.
    • Conclusions

    View Slide

  4. @benjammingh
    Securing

    laptops

    (and users)

    View Slide

  5. The landscape has changed.
    https://www.flickr.com/photos/andraspasztor

    View Slide

  6. The landscape has changed.
    https://www.flickr.com/photos/andraspasztor

    View Slide

  7. View Slide

  8. What?

    !
    That’s an advert

    !
    A paid advert

    !
    For “TextWrangler”?!

    View Slide

  9. Sink holes!

    View Slide

  10. View Slide

  11. IPv6
    (it’s big outside of America)

    View Slide

  12. @benjammingh
    Building better sand castles
    • http://labs.neohapsis.com/2013/07/30/picking-up-the-
    slaac-with-sudden-six/
    • http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/
    configuration/15-2mt/ip6-15-2mt-book/ip6-ra-
    guard.html
    • http://resources.infosecinstitute.com/slaac-attack/
    • https://github.com/Neohapsis/suddensix

    View Slide

  13. @benjammingh
    Building better sand castles
    Oprah says “And you get an IDS….”
    • On most desktop OSes (Linux/
    OSX/Windows… I have no idea
    about Windows) you can use the
    firewall like an IDS.
    • PF example:
    pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }

    View Slide

  14. Servers!
    https://www.flickr.com/photos/stalker_cz/

    View Slide

  15. Patching…

    View Slide

  16. https://twitter.com/TimDenike/status/162973991034826752

    View Slide

  17. https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf

    View Slide

  18. View Slide

  19. @benjammingh
    Building better sand castles
    Uptime security solutions!

    View Slide

  20. @benjammingh
    Building better sand castles
    Uptime security solutions!
    • SELinux - ‘setenforce 0’ as it’s also known as.
    • http://stopdisablingselinux.com/

    View Slide

  21. @benjammingh
    Building better sand castles
    Uptime security solutions!
    • SELinux - ‘setenforce 0’ as it’s also known as.
    • http://stopdisablingselinux.com/
    • grsecurity - set of hardening patches to Linux.
    • http://grsecurity.net/features.php

    View Slide

  22. @benjammingh
    Building better sand castles
    Uptime security solutions!
    • SELinux - ‘setenforce 0’ as it’s also known as.
    • http://stopdisablingselinux.com/
    • grsecurity - set of hardening patches to Linux.
    • http://grsecurity.net/features.php
    • Ksplice - https://www.ksplice.com/ scariest fix ever.

    View Slide

  23. @benjammingh
    Building better sand castles
    • There will always be un-patched machines.
    Realities of the situation:

    View Slide

  24. @benjammingh
    Building better sand castles
    • There will always be un-patched machines.
    • Breeches will occur.
    Realities of the situation:

    View Slide

  25. @benjammingh
    Building better sand castles
    • There will always be un-patched machines.
    • Breeches will occur.
    • Knowing they happened is much better than not
    knowing.
    Realities of the situation:

    View Slide

  26. @benjammingh
    Building better sand castles
    Bundesdatenschutzgesetz

    warning!

    View Slide

  27. View Slide

  28. @benjammingh
    Building better sand castles
    • Linux kernel auditd events.
    • http://people.redhat.com/sgrubb/audit/ (driest page ever)
    • Mangled with some python because auditd is awful.
    • (will open source this, once the bugs are out. Pinkie swear)
    • Use Mozilla’s https://github.com/mozilla-it/audit-cef
    • Pay https://www.threatstack.com/ if you “Cloud”.
    • Throw in ELK/syslog/giant file to grep through.

    View Slide

  29. @benjammingh
    Building better sand castles
    More awesome auditd stuff purely for people
    downloading the slides:
    • http://security.blogoverflow.com/2013/01/a-brief-
    introduction-to-auditd/
    • http://blog.threatstack.com/labs/2014/8/21/threat-stack-
    vs-redhat-auditd-showdown
    • http://www.slideshare.net/MarkEllzeyThomas/

    View Slide

  30. https://www.flickr.com/photos/jdhancock
    Data

    View Slide

  31. Backups

    View Slide

  32. @benjammingh
    Building better sand castles
    • Don’t ship your DB backups off unencrypted.
    • Don’t use symmetric encryption, because the key will
    live with the backup (probably).
    Backups

    View Slide

  33. Canaries

    View Slide

  34. @benjammingh
    Building better sand castles
    • Put obvious “fake” data in data stores, use IDS to detect
    them in places they should never go.
    “Animal sentinel”

    View Slide

  35. @benjammingh
    Building better sand castles
    • Put obvious “fake” data in data stores, use IDS to detect
    them in places they should never go.
    • Operational uses too. Spotting non-TLS LDAP traffic.
    “Animal sentinel”

    View Slide

  36. @benjammingh
    Building better sand castles
    • Put obvious “fake” data in data stores, use IDS to detect
    them in places they should never go.
    • Operational uses too. Spotting non-TLS LDAP traffic.
    • Load Balancer Canary
    “Animal sentinel”

    View Slide

  37. To Conclude

    View Slide

  38. @benjammingh
    Building better sand castles
    • Laptops/users trust the environment. This isn’t always
    good.
    Conclusions

    View Slide

  39. @benjammingh
    Building better sand castles
    • Laptops/users trust the environment. This isn’t always
    good.
    • Servers don’t have to run so blindly, there’s a wealth of
    information in the Linux kernel.
    Conclusions

    View Slide

  40. @benjammingh
    Building better sand castles
    • Laptops/users trust the environment. This isn’t always
    good.
    • Servers don’t have to run so blindly, there’s a wealth of
    information in the Linux kernel.
    • Be careful with data. Help it be careful with you.
    Conclusions

    View Slide

  41. @benjammingh
    Building better sand castles
    Questions?
    (Hah! As if we have time…)
    https://www.codeascraft.com/
    https://github.com/etsy/
    https://www.etsy.com/

    View Slide