@benjammingh
Whom be this?
• Ben Hughes, security monkey at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.
Monday, 11 November 13
Slide 3
It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
• I quite like Etsy, here’s why.
Slide 4
Security, where did it all go wrong?
Slide 5
Wait, but we bought a firewall!
Slide 6
They’re coming out of the walls
Slide 7
teh cloudz
• AWS logo goes here.
• Maybe not in AWS... (other cloudiness vendors may be available)
Slide 8
But we’re secure, right?
Slide 9
But we’re secure, right?
Slide 10
The Watering hole attacks of Feb
Slide 11
Other than the occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.
Slide 12
I’d buy that for a dollar
[laptop:~]% id
uid=501(ben) gid=20(staff) groups=20(staff)
[laptop:~]% ./magic
[*] running old exploit against unpatched OSX.
[*] firing off connect back shell to AWS.
[*] throwing mad persistence in to LaunchAgents.
[*] dropping to a shell.
[laptop:~]# id
uid=0(root) gid=0(root)
Slide 13
Zero [cool] day
• Zero day is bad!
Slide 14
Surprise!
• You can’t defend against unknown attacks.
• Clue is in the name.
Slide 15
Rejoice. That mostly doesn’t matter!
Slide 16
Treat the symptoms
• Lateral movement can be more important than how they got in.
• You don’t care that they broke a window, you care that they got in your living room and took your TV.
• (still fix your window)
Slide 17
Hudson Hawk reference
• Why is /bin/sh running on your webserver?
• Why is your webserver trying to SSH to other hosts?
• Why is the ColdFusion process reading arbitrary files off of disk? (SE/NSA Linux time)
Slide 18
But still patch
• Please, still patch things.
• Know that it isn’t a panacea.
• Realise that is okay.
Slide 19
Please do patch!
• No really!
Slide 20
Logs are your eyes.
“If it’s not monitored...
...it’s not in production”
Well
“If it’s not logged, did it really happen?”
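The three questions on the Hudson Hawk slide and the "logs are your eyes" point above are the same idea: you may not know the exploit, but a webserver that spawns /bin/sh, opens an SSH connection to another host, or reads /etc/shadow is visible in process and network telemetry if you log it and look. The script below is an added example, not code from the talk or from Etsy; it runs those three checks over a handful of constructed JSON events (the field names, the set of web processes and the expected ColdFusion directories are all assumptions, and a real auditd or osquery feed would need its own parser). Unparseable lines are reported rather than dropped, because a sensor that silently stops emitting is exactly the blind spot the "limited number of eyes" slide warns about.

```python
import json

# Constructed sample events (assumption: one JSON object per line with the
# fields used below). Line 2, 3, 6 and 8 should produce findings.
SAMPLE_EVENTS = """\
{"ts": "2013-11-11T10:00:01Z", "host": "web01", "kind": "exec", "parent": "httpd", "exe": "/usr/bin/php-cgi", "argv": "index.php"}
{"ts": "2013-11-11T10:00:02Z", "host": "web01", "kind": "exec", "parent": "httpd", "exe": "/bin/sh", "argv": "-c id"}
{"ts": "2013-11-11T10:00:03Z", "host": "web01", "kind": "connect", "process": "httpd", "dst": "10.0.0.12", "dport": 22}
{"ts": "2013-11-11T10:00:04Z", "host": "web01", "kind": "connect", "process": "httpd", "dst": "10.0.0.20", "dport": 3306}
{"ts": "2013-11-11T10:00:05Z", "host": "web02", "kind": "open", "process": "coldfusion", "path": "/opt/coldfusion/wwwroot/index.cfm"}
{"ts": "2013-11-11T10:00:06Z", "host": "web02", "kind": "open", "process": "coldfusion", "path": "/etc/shadow"}
{"ts": "2013-11-11T10:00:07Z", "host": "bastion", "kind": "exec", "parent": "sshd", "exe": "/bin/bash", "argv": "-l"}
not json at all
"""

# Assumed inventory: which processes are web/app servers, which binaries are
# shells, and which directories each app process is expected to read from.
WEB_PROCESSES = {"httpd", "nginx", "coldfusion"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh"}
EXPECTED_ROOTS = {"coldfusion": ("/opt/coldfusion/", "/tmp/")}


def rules_for(ev):
    """Return the names of every rule a single parsed event trips."""
    hits = []
    kind = ev.get("kind")
    # Q1: why is /bin/sh running on your webserver?
    if kind == "exec" and ev.get("parent") in WEB_PROCESSES and ev.get("exe") in SHELLS:
        hits.append("webserver_spawned_shell")
    # Q2: why is your webserver trying to SSH to other hosts?
    if kind == "connect" and ev.get("process") in WEB_PROCESSES and ev.get("dport") == 22:
        hits.append("webserver_outbound_ssh")
    # Q3: why is the app process reading files it has no business reading?
    roots = EXPECTED_ROOTS.get(ev.get("process"))
    if kind == "open" and roots and not str(ev.get("path", "")).startswith(roots):
        hits.append("app_read_outside_expected_roots")
    return hits


def scan(lines):
    """Run the rules over raw log lines; returns (rule, where, when) tuples."""
    alerts = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            # A broken feed is itself worth an alert; never drop it silently.
            alerts.append(("unparseable_event", n, line[:40]))
            continue
        for rule in rules_for(ev):
            alerts.append((rule, ev.get("host"), ev.get("ts")))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The bastion's sshd launching a login shell and httpd talking to MySQL on 3306 are deliberately left unflagged: the value of these rules is that they encode what each host is supposed to do, so the noise stays low enough that someone actually reads the alerts.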
Slide 21
You have a limited number of eyes.
Two factor all the things
• Duo - https://www.duosecurity.com/
• Authy - https://www.authy.com/
• Google - http://goo.gl/hvre2D
• YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.
Slide 25
Duo and Yubikeys
Slide 26
Pen Testing
• Don’t pay someone else to tell you to patch things.
• Don’t pay someone to run Nessus.
• Hire more security people before paying for pen-tests.
• Attack simulations are better. http://bit.ly/attacksims
Slide 27
Attack simulations?
• Everything in scope.
Slide 28
Attack simulations?
• Everything in scope.
• Don’t have security run it.
Slide 29
Attack simulations?
• Everything in scope.
• Don’t have security run it.
• Don’t block on fragility.
Slide 30
Transparency!
• Invite people to the brief.
• Don’t just expect a PDF.
• Treat it as a postmortem.
• Come out of it with a set of actions.
Slide 31
Game days.
• Ops’ “game day” simulations, but for security.
Slide 32
Phishing
• Who’s stopped phishing?
Slide 33
Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
Slide 34
Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
Slide 35
Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
• Don’t think you can fully eliminate it, get it reported instead.
Slide 36
Intermission.
Slide 37
New, Improved Devops
• Silo smashing into one new, larger silo!
Slide 38
DevSecOpsFarmerQueen
• Many hats.
• Not just dev.
• Not just ops.
• Security doesn’t just magically happen.
Slide 39
Get security involved!
• This can be done in environments of all sizes!
• Small - having someone who has a security background or interest.
• Large - “Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/
Slide 40
Security are people too!
Slide 41
Security are people too!
• they just might not always act like it...
• security is the only area of technology with genuine adversaries.
Slide 42
Infosec, this one’s for you
• Dev and ops (and everyone else) are people too.
• They made those decisions without malice in mind.
• People don’t go out of their way to make things insecure!
Slide 43
Primary action items
• Don’t just say “did you speak to security about this?”
• Get people involved!
• Security has never [successfully] been a check box.
Slide 44
Reducing barriers.
Having an approachable security team is the most important thing they can do. The second you lose the ability to talk to them about anything, you effectively lose your security team.
Slide 45
So, that party you mentioned?
• Skill sharing.
Slide 46
So, that party you mentioned?
• Hack week.
Slide 47
So, that party you mentioned?
• Boot camping.
Slide 48
Borrowing from the devops.
• Tests!
Slide 49
Borrowing from the devops.
• Tests!
• Test your code and your infrastructure.
Slide 50
Borrowing from the devops.
• Tests!
• Test your code and your infrastructure.
• Wait, someone already gave this talk: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
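"Test your infrastructure" in the devops sense means a check that runs on every deploy and fails the build, not a finding in a PDF six months later. As an added example, not from the talk or from either of the decks linked above, the script below treats an sshd_config as the unit under test: it parses the file the way sshd resolves it (first occurrence of a keyword wins, keywords are case-insensitive, and a Match block makes later settings conditional, so parsing stops there) and asserts a handful of hardening settings. Both configs are constructed; the expected values and the fallback defaults for absent keywords are this checker's own assumptions, written down so they can be argued with.

```python
# Constructed weak configuration. The second PasswordAuthentication line is a
# trap: sshd keeps the first value, so a later "no" does not fix it.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored by sshd: first occurrence wins
"""

# Constructed hardened configuration. The Match block re-enables passwords
# for one account only; the global checks must not be fooled by it.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User deploy
    PasswordAuthentication yes
"""

# Assumed fallbacks for keywords the file does not mention (OpenSSH 6.x era).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "protocol": "2",
}

# What this checker insists on for a globally reachable host (assumed policy).
EXPECTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "protocol": "2",
}


def parse_sshd_config(text: str) -> dict:
    """Effective global settings: comments stripped, keywords lower-cased,
    first occurrence kept, parsing stopped at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def failing_checks(text: str) -> list:
    """Names of the EXPECTED settings the config does not satisfy (sorted)."""
    settings = parse_sshd_config(text)
    return sorted(key for key, want in EXPECTED.items()
                  if settings.get(key, DEFAULTS[key]).lower() != want)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "fails:", failing_checks(cfg) or "nothing")
```

Wire `failing_checks` into whatever test runner already gates deploys and a regression in the base image shows up as a red build that ops and dev already know how to read, which is the whole point of borrowing the practice.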
Slide 51
Borrowing from the devops.
So did Gareth!
https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
Slide 52
Stop saying “No!”
Slide 53
So finally
• The most important thing that we do as a security team is...
• Humility.
Slide 54
So finally
• The most important thing that we do as a security team is...
• Humility.
• Security isn’t everything. People are rad.