Slide 1

Slide 1 text

Building Better Castles
Ben Hughes, Etsy, @benjammingh

Slide 2

Slide 2 text

@benjammingh Building better sand castles
• I work at Etsy, yes that Etsy.
• Yes we have a seemingly large security team.
• We do “some” webops, arguably devops some days too.
• My German is terrible.
• No one cares about this slide.

Slide 3

Slide 3 text

• Intro (we’re here)
• Users/laptops/the two people with “workstations”.
• Servers/systems.
• Data - that small topic.
• Conclusions

Slide 4

Slide 4 text

@benjammingh Securing laptops (and users)

Slide 5

Slide 5 text

The landscape has changed. https://www.flickr.com/photos/andraspasztor

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

What?! That’s an advert! A paid advert! For “TextWrangler”?!

Slide 9

Slide 9 text

Sink holes!

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

IPv6 (it’s big outside of America)

Slide 12

Slide 12 text

• http://labs.neohapsis.com/2013/07/30/picking-up-the-slaac-with-sudden-six/
• http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-15-2mt-book/ip6-ra-guard.html
• http://resources.infosecinstitute.com/slaac-attack/
• https://github.com/Neohapsis/suddensix

Slide 13

Slide 13 text

Oprah says “And you get an IDS….”
• On most desktop OSes (Linux/OSX/Windows… I have no idea about Windows) you can use the firewall like an IDS.
• PF example:
    pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }

Slide 14

Slide 14 text

Servers! https://www.flickr.com/photos/stalker_cz/

Slide 15

Slide 15 text

Patching…

Slide 16

Slide 16 text

https://twitter.com/TimDenike/status/162973991034826752

Slide 17

Slide 17 text

https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf

Slide 18

Slide 18 text

No content

Slide 22

Slide 22 text

Uptime security solutions!
• SELinux - ‘setenforce 0’, as it’s also known.
• http://stopdisablingselinux.com/
• grsecurity - set of hardening patches to Linux.
• http://grsecurity.net/features.php
• Ksplice - https://www.ksplice.com/ scariest fix ever.

Slide 25

Slide 25 text

Realities of the situation:
• There will always be un-patched machines.
• Breaches will occur.
• Knowing they happened is much better than not knowing.

Slide 26

Slide 26 text

Bundesdatenschutzgesetz (German Federal Data Protection Act) warning!

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

• Linux kernel auditd events.
• http://people.redhat.com/sgrubb/audit/ (driest page ever)
• Mangled with some python because auditd is awful.
• (will open source this, once the bugs are out. Pinkie swear)
• Use Mozilla’s https://github.com/mozilla-it/audit-cef
• Pay https://www.threatstack.com/ if you “Cloud”.
• Throw in ELK/syslog/giant file to grep through.

Slide 29

Slide 29 text

More awesome auditd stuff purely for people downloading the slides:
• http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
• http://blog.threatstack.com/labs/2014/8/21/threat-stack-vs-redhat-auditd-showdown
• http://www.slideshare.net/MarkEllzeyThomas/
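The "mangled with some python" step from the previous slide, as an added example that is not the talk's (unreleased) code: it groups raw auditd lines into events by their msg=audit(timestamp:serial) id, pulls the argv out of execve records, and flags shells started with no login session (auid unset), which is what a compromised service spawning a shell looks like. The log lines are constructed sample input; field names follow the standard auditd SYSCALL/EXECVE/PATH record format.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not the talk's data). Lines that share one
# msg=audit(timestamp:serial) id together describe a single execve event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1415000000.123:456): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1415000000.123:456): argc=2 a0="cat" a1="/etc/hostname"
type=PATH msg=audit(1415000000.123:456): item=0 name="/bin/cat" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1415000001.000:457): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=2000 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1415000001.000:457): argc=3 a0="sh" a1="-c" a2="id"
"""

UNSET = 4294967295  # auditd renders an unset auid/ses (-1) as this unsigned value
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_events(text):
    """Group raw auditd lines into events keyed by (timestamp, serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        # auditd hex-encodes values containing spaces (unquoted); this demo only
        # strips the quotes from the quoted form and leaves hex values as-is.
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        fields["type"] = rtype
        events[(float(ts), int(serial))].append(fields)
    return events

def execve_events(text):
    """Return one dict per execve: serial, pid, auid, uid, exe and argv."""
    out = []
    for (_, serial), records in sorted(parse_events(text).items(), key=lambda kv: kv[0]):
        by_type = {r["type"]: r for r in records}
        sc, ev = by_type.get("SYSCALL"), by_type.get("EXECVE")
        if not sc or not ev or sc.get("syscall") != "59":
            continue  # 59 is execve on x86_64 (arch=c000003e)
        argv = [ev[f"a{i}"] for i in range(int(ev["argc"])) if f"a{i}" in ev]
        out.append({"serial": serial, "pid": int(sc["pid"]), "auid": int(sc["auid"]),
                    "uid": int(sc["uid"]), "exe": sc["exe"], "argv": argv})
    return out

def daemon_shells(text, shells=("/bin/sh", "/bin/bash", "/bin/dash")):
    """Flag shells spawned with no login session (auid unset), e.g. by a web server."""
    return [e for e in execve_events(text) if e["auid"] == UNSET and e["exe"] in shells]
```

Feed it `ausearch -r` output or the raw audit.log; the same grouping works for any rule key once the records share a serial.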

Slide 30

Slide 30 text

Data
https://www.flickr.com/photos/jdhancock

Slide 31

Slide 31 text

Backups

Slide 32

Slide 32 text

Backups
• Don’t ship your DB backups off unencrypted.
• Don’t use symmetric encryption, because the key will live with the backup (probably).

Slide 33

Slide 33 text

Canaries

Slide 36

Slide 36 text

“Animal sentinel”
• Put obvious “fake” data in data stores, use IDS to detect them in places they should never go.
• Operational uses too. Spotting non-TLS LDAP traffic.
• Load Balancer Canary
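The data-canary idea above, as an added example that is not from the talk: each data store gets its own fake record derived from a secret, so a hit is attributable to the store it was seeded in; the helper also emits a Snort/Suricata-style content rule for the IDS, and a small matcher shows the same check over constructed traffic samples. The secret, host names and flows are all assumed sample values.

```python
import hashlib
import hmac

# Assumed per-deployment secret (not from the talk); rotate it like any other key.
SECRET = b"rotate-me-before-use"

def make_canary(store, kind):
    """Derive a plausible-looking but never-legitimate record for one data store.
    The tag is keyed by store name, so a hit also tells you which store leaked."""
    tag = hmac.new(SECRET, f"{store}:{kind}".encode(), hashlib.sha256).hexdigest()[:12]
    if kind == "email":
        return f"sentinel-{tag}@example.com"
    if kind == "apikey":
        return f"sk_canary_{tag}"
    raise ValueError(f"unknown canary kind: {kind}")

def ids_rule(canary, sid):
    """Snort/Suricata-style content rule: alert when the canary heads off-network."""
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"canary from data store"; '
            f'content:"{canary}"; nocase; sid:{sid}; rev:1;)')

# Constructed canaries: one per store so leaks are attributable.
CANARIES = {
    "users_db": make_canary("users_db", "email"),
    "apikeys_db": make_canary("apikeys_db", "apikey"),
}
# Destinations where each canary is expected to appear (replication, search indexer).
ALLOWED = {"users_db": {"db02", "search01"}, "apikeys_db": {"db02"}}

# Constructed flows: (source host, destination host, payload bytes).
SAMPLE_FLOWS = [
    ("db01", "db02", f"INSERT INTO users VALUES ('{CANARIES['users_db']}')".encode()),
    ("db01", "search01", f'{{"email": "{CANARIES["users_db"]}"}}'.encode()),
    ("web03", "paste.example.net", f"POST /upload\r\n\r\nkey={CANARIES['apikeys_db']}".encode()),
    ("web03", "paste.example.net", b"POST /upload\r\n\r\nnothing to see here"),
]

def find_leaks(flows, canaries=CANARIES, allowed=ALLOWED):
    """Return (store, source, destination) for each flow carrying a canary to an unexpected sink."""
    leaks = []
    for src, dst, payload in flows:
        text = payload.decode("utf-8", errors="replace").lower()
        for store, canary in canaries.items():
            if canary.lower() in text and dst not in allowed.get(store, set()):
                leaks.append((store, src, dst))
    return leaks
```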

Slide 37

Slide 37 text

To Conclude

Slide 40

Slide 40 text

Conclusions
• Laptops/users trust the environment. This isn’t always good.
• Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel.
• Be careful with data. Help it be careful with you.

Slide 41

Slide 41 text

Questions? (Hah! As if we have time…)
https://www.codeascraft.com/
https://github.com/etsy/
https://www.etsy.com/