That is Mr. The Plague to you: Security and Devops

Bea Hughes
November 25, 2013


DevOps Days London 2013.

Video at http://vimeo.com/album/2594031/video/79378300


Transcript

  1. Security and shizzle
     Monday, 11 November 13

  2. @benjammingh Whom be this?
     • Ben Hughes, security monkey at Etsy.
     • Bullet point fanatic.
     • Terrible at slides.
     • Shout out to the Etsy security team.

  3. It’s a tale of two halves
     • Security, where did it all go wrong?
     • Don’t go alone, take this!
     • Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
     • I quite like Etsy, here’s why.

  4. Security, where did it all go wrong?

  5. Wait, but we bought a firewall!

  6. They’re coming out of the walls

  7. teh cloudz
     • AWS logo goes here.
     • Maybe not in AWS... (other cloudiness vendors may be available)

  8. But we’re secure, right?

  9. But we’re secure, right?

  10. The Watering hole attacks of Feb

  11. Other than the occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.

  12. I’d buy that for a dollar
     [laptop:~]% id
     uid=501(ben) gid=20(staff) groups=20(staff)
     [laptop:~]% ./magic
     [*] running old exploit against unpatched OSX.
     [*] firing off connect back shell to AWS.
     [*] throwing mad persistence in to LaunchAgents.
     [*] dropping to a shell.
     [laptop:~]# id
     uid=0(root) gid=0(root)

  13. Zero [cool] day
     • Zero day is bad!

  14. Surprise!
     • You can’t defend against unknown attacks.
     • Clue is in the name.

  15. Rejoice. That mostly doesn’t matter!

  16. Treat the symptoms
     • Lateral movement can be more important than how they got in.
     • You don’t care that they broke a window, you care that they got in your living room and took your TV.
     • (still fix your window)

  17. Hudson hawk reference
     • Why is /bin/sh running on your webserver?
     • Why is your webserver trying to SSH to other hosts?
     • Why is the Cold Fusion process reading arbitrary files off of disk (SE/NSA Linux time)

  18. But still patch
     • Please, still patch things.
     • Know that it isn’t a panacea.
     • Realise that is okay.

  19. Please do patch!
     • No really!

  20. Logs are your eyes.
     “If it’s not monitored... ...it’s not in production”
     Well, “If it’s not logged, did it really happen?”
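The two symptoms from slide 17 (a web server spawning a shell, or reaching out over SSH) are only catchable if process execution is logged in the first place, which is the point of slide 20. The detector below is an added example, not code from the talk or from Etsy; the log line format, the host names and the sample records are constructed for illustration, and the sets of "web only" parents, shells and outbound tools are assumptions to tune per environment.

```python
"""Added example: flag web-server processes that spawn a shell or an
outbound SSH/SCP client in process-execution log lines (constructed format)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed: these processes should serve HTTP and nothing else.
WEB_PARENTS = {"httpd", "nginx", "coldfusion", "php-fpm"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
OUTBOUND_TOOLS = {"/usr/bin/ssh", "/usr/bin/scp"}

# Constructed line format:
# <ts> host=<h> exec parent=<name> ppid=<n> pid=<n> exe=<path> [args=<...>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) exec parent=(?P<parent>\S+) "
    r"ppid=\d+ pid=\d+ exe=(?P<exe>\S+)(?: args=(?P<args>.*))?$"
)


@dataclass
class Alert:
    host: str
    reason: str
    line: str


def inspect_line(line: str) -> Optional[Alert]:
    """Return an Alert if a web-server parent did something a web server never should."""
    m = LINE_RE.match(line)
    if not m or m["parent"] not in WEB_PARENTS:
        return None  # unparseable, or not a web-server child: not our concern here
    parent, exe = m["parent"], m["exe"]
    if exe in SHELLS:
        return Alert(m["host"], f"{parent} spawned a shell ({exe})", line)
    if exe in OUTBOUND_TOOLS:
        return Alert(m["host"], f"{parent} launched {exe}: possible lateral movement", line)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (inspect_line(l) for l in lines) if a is not None]


# Constructed sample log: one benign PHP exec, one shell, one ssh, one cron shell.
SAMPLE_LOG = """\
2013-11-11T10:00:01Z host=web01 exec parent=httpd ppid=1200 pid=4411 exe=/usr/bin/php args=index.php
2013-11-11T10:00:02Z host=web01 exec parent=httpd ppid=1200 pid=4412 exe=/bin/sh args=-c id
2013-11-11T10:00:05Z host=web02 exec parent=nginx ppid=900 pid=5001 exe=/usr/bin/ssh args=db01
2013-11-11T10:00:07Z host=web02 exec parent=cron ppid=1 pid=5002 exe=/bin/sh args=-c /usr/sbin/logrotate
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.host}: {alert.reason}")
```

The cron-spawned shell on the last sample line is deliberately not flagged: the rule keys on the parent, so it stays quiet on normal system activity and loud on the one thing the talk asks about.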
  21. You have a limited number of eyes.

  22. Alerts

  23. Logstash
     • http://logstash.net/
     • http://www.elasticsearch.org/overview/kibana/
     • http://www.logstashbook.com/
     • https://github.com/miah/chef_logstash
     • https://forge.puppetlabs.com/tags/logstash

  24. Two factor all the things
     • Duo - https://www.duosecurity.com/
     • Authy - https://www.authy.com/
     • Google - http://goo.gl/hvre2D
     • YubiKey - https://www.yubico.com/
     Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.

  25. Duo and Yubikeys vvbrc

  26. Pen Testing
     • Don’t pay someone else to tell you to patch things.
     • Don’t pay someone to run Nessus.
     • Hire more security people before paying for pen-tests.
     • Attack simulations are better. http://bit.ly/attacksims

  27. Attack simulations?
     • Everything in scope.

  28. Attack simulations?
     • Everything in scope.
     • Don’t have security run it.

  29. Attack simulations?
     • Everything in scope.
     • Don’t have security run it.
     • Don’t block on fragility.

  30. Transparency!
     • Invite people to the brief.
     • Don’t just expect a PDF.
     • Treat it as a postmortem.
     • Come out of it with a set of actions.

  31. Game days.
     • Ops’ “game day” simulations, but for security.

  32. Phishing
     • Who’s stopped phishing?

  33. Phishing
     • Who’s stopped phishing?
     • You’re not going to stop phishing.

  34. Phishing
     • Who’s stopped phishing?
     • You’re not going to stop phishing.
     • That doesn’t matter.

  35. Phishing
     • Who’s stopped phishing?
     • You’re not going to stop phishing.
     • That doesn’t matter.
     • Don’t think you can fully eliminate it, get it reported instead.

  36. Intermission.

  37. New, Improved Devops
     • Silo smashing into one new larger silo!

  38. DevSecOpsFarmerQueen
     • Many hats.
     • Not just dev.
     • Not just ops.
     • Security doesn’t just magically happen.

  39. Get security involved!
     • This can be done in all sized environments!
     • Small - having someone who has a security background or interest.
     • Large - “Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/

  40. Security are people too!

  41. Security are people too!
     • they just might not always act like it...
     • security is the only area of technology with genuine adversaries.

  42. Infosec, this one’s for you
     • Dev and ops (and everyone else) are people too.
     • They made those decisions without malice in mind.
     • People don’t go out of their way to make things insecure!

  43. Primary action items
     • Don’t just say “did you speak to security about this?”
     • Get people involved!
     • Security has never [successfully] been a check box.

  44. Reducing barriers.
     Having an approachable security team is the most important thing they can do. The second you lose the ability to talk to them about anything, you effectively lose your security team.

  45. So, that party you mentioned?
     • Skill sharing.

  46. So, that party you mentioned?
     • Hack week.

  47. So, that party you mentioned?
     • Boot camping.

  48. Borrowing from the devops.
     • Tests!

  49. Borrowing from the devops.
     • Tests!
     • Test your code and your infrastructure.

  50. Borrowing from the devops.
     • Tests!
     • Test your code and your infrastructure.
     • Wait, someone already gave this talk: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32

  51. Borrowing from the devops.
     So did Gareth! https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

  52. Stop saying “No!”

  53. So finally
     • The most important thing that we do as a security team is...
     • Humility.

  54. So finally
     • The most important thing that we do as a security team is...
     • Humility.
     • Security isn’t everything. People are rad.

  55. Fin <golden axe screen shot>