@benjammingh
Whom be this?
• Ben Hughes, security monkey at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.
Monday, 11 November 13
It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
• I quite like Etsy, here’s why.
Other than the occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.
I’d buy that for a dollar
[laptop:~]% id
uid=501(ben) gid=20(staff) groups=20(staff)
[laptop:~]% ./magic
[*] running old exploit against unpatched OSX.
[*] firing off connect back shell to AWS.
[*] throwing mad persistence in to LaunchAgents.
[*] dropping to a shell.
[laptop:~]# id
uid=0(root) gid=0(root)
Treat the symptoms
• Lateral movement can be more important than how they got in.
• You don’t care that they broke a window, you care that they got in your living room and took your TV.
• (still fix your window)
Hudson Hawk reference
• Why is /bin/sh running on your webserver?
• Why is your webserver trying to SSH to other hosts?
• Why is the Cold Fusion process reading arbitrary files off of disk? (SE/NSA Linux time)
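The three questions on this slide are detection rules in disguise: a web-facing service should not spawn a shell, should not open outbound SSH, and should not read outside its own tree (SELinux would deny the last one outright; this is the logging side). The script below is an added example, not from the talk or from Etsy, and runs those rules over a handful of constructed process events in a simplified exec/connect/open audit shape. The service names, allowed path prefixes and event layout are assumptions for the illustration.

```python
"""Flag suspicious behaviour by web-facing service processes.

Added example. The event records are constructed sample data in a
simplified audit shape (one dict per exec, connect or open), not real
auditd output.
"""
from typing import Dict, List, Optional

# Assumed names of the processes that face the internet on this host.
WEB_SERVICES = {"httpd", "nginx", "coldfusion", "php-fpm"}

# Interpreters a web server has no business spawning on a normal request.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/perl"}

# Assumed: the only trees a web process legitimately reads from.
ALLOWED_READ_PREFIXES = ("/var/www/", "/opt/coldfusion/", "/lib/", "/usr/lib/")


def classify(event: Dict) -> Optional[str]:
    """Return an alert string for a single event, or None if it looks benign."""
    parent = event.get("parent")
    if parent not in WEB_SERVICES:
        return None  # rules only apply to web-facing processes
    kind = event["type"]
    if kind == "exec" and event["path"] in SHELLS:
        return f"{parent} spawned a shell: {event['path']}"
    if kind == "exec" and event["path"].endswith("/ssh"):
        return f"{parent} executed an SSH client: {event['path']}"
    if kind == "connect" and event.get("dport") == 22:
        return f"{parent} opened outbound SSH to {event['dst']}"
    if kind == "open" and not event["path"].startswith(ALLOWED_READ_PREFIXES):
        return f"{parent} read a file outside its root: {event['path']}"
    return None


def scan(events: List[Dict]) -> List[str]:
    """Run classify() over a list of events and collect the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample events: two benign, three that each trip one rule,
# and one shell spawned by sshd (an interactive login, not a web process).
SAMPLE_EVENTS = [
    {"type": "exec", "parent": "httpd", "path": "/usr/bin/php", "user": "www-data"},
    {"type": "exec", "parent": "httpd", "path": "/bin/sh", "user": "www-data"},
    {"type": "connect", "parent": "nginx", "dst": "10.0.0.14", "dport": 22},
    {"type": "open", "parent": "coldfusion", "path": "/etc/shadow"},
    {"type": "open", "parent": "coldfusion", "path": "/var/www/app/index.cfm"},
    {"type": "exec", "parent": "sshd", "path": "/bin/bash", "user": "ben"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

On a real host the event source would be auditd (execve, connect and open syscalls, keyed on the service user) or an endpoint agent; the rules stay the same, only the parsing changes. The last sample event is there to show the rule firing on parentage rather than on the shell itself: an operator's login shell is normal, a shell under httpd is not.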
Logs are your eyes.
“If it’s not monitored... ...it’s not in production”
Well, “If it’s not logged, did it really happen?”
Two factor all the things
• Duo - https://www.duosecurity.com/
• Authy - https://www.authy.com/
• Google - http://goo.gl/hvre2D
• YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.
Pen Testing
• Don’t pay someone else to tell you to patch things.
• Don’t pay someone to run Nessus.
• Hire more security people before paying for pen-tests.
• Attack simulations are better. http://bit.ly/attacksims
Transparency!
• Invite people to the brief.
• Don’t just expect a PDF.
• Treat it as a postmortem.
• Come out of it with a set of actions.
Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
• Don’t think you can fully eliminate it, get it reported instead.
Get security involved!
• This can be done in all sizes of environment!
• Small - having someone who has a security background or interest.
• Large - ”Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/
Security are people too!
• They just might not always act like it...
• Security is the only area of technology with genuine adversaries.
Infosec, this one’s for you
• Dev and ops (and everyone else) are people too.
• They made those decisions without malice in mind.
• People don’t go out of their way to make things insecure!
Primary action items
• Don’t just say “did you speak to security about this?”
• Get people involved!
• Security has never [successfully] been a check box.
Reducing barriers.
Having an approachable security team is the most important thing they can do. The second you lose the ability to talk to them about anything, you effectively lose your security team.
Borrowing from the devops.
• Tests!
• Test your code and your infrastructure.
• Wait, someone already gave this talk: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
Borrowing from the devops.
So did Gareth! https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
So finally
• The most important thing that we do as a security team is...
• Humility.
• Security isn’t everything. People are rad.