Slide 1

Security and shizzle
Monday, 11 November 13

Slide 2

@benjammingh
Whom be this?
• Ben Hughes, security monkey at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.

Slide 3

It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
• I quite like Etsy, here’s why.

Slide 4

Security, where did it all go wrong?

Slide 5

Wait, but we bought a firewall!

Slide 6

They’re coming out of the walls

Slide 7

teh cloudz
• AWS logo goes here.
• Maybe not in AWS... (other cloudiness vendors may be available)

Slide 8

But we’re secure, right?

Slide 9

But we’re secure, right?

Slide 10

The Watering hole attacks of Feb

Slide 11

Other than the occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.

Slide 12

I’d buy that for a dollar
[laptop:~]% id
uid=501(ben) gid=20(staff) groups=20(staff)
[laptop:~]% ./magic
[*] running old exploit against unpatched OSX.
[*] firing off connect back shell to AWS.
[*] throwing mad persistence in to LaunchAgents.
[*] dropping to a shell.
[laptop:~]# id
uid=0(root) gid=0(root)

Slide 13

Zero [cool] day
• Zero day is bad!

Slide 14

Surprise!
• You can’t defend against unknown attacks.
• Clue is in the name.

Slide 15

Rejoice. That mostly doesn’t matter!

Slide 16

Treat the symptoms
• Lateral movement can be more important than how they got in.
• You don’t care that they broke a window, you care that they got in your living room and took your TV.
• (still fix your window)

Slide 17

Hudson hawk reference
• Why is /bin/sh running on your webserver?
• Why is your webserver trying to SSH to other hosts?
• Why is the Cold Fusion process reading arbitrary files off of disk? (SE/NSA Linux time)
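The three questions on this slide are each a detection rule in disguise. As an added example (not code from the talk or from Etsy), here is a small Python detector that runs those three rules over process-event lines. The line format, the web-tier process names, the allowed-path prefixes and the sample log are all constructed for the example; in practice the events would come from auditd, execsnoop, osquery or similar and be shipped through something like the Logstash pipeline mentioned later in the deck.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed names of processes that serve web traffic; tune to your own fleet.
WEB_PROCS = {"httpd", "nginx", "php-fpm", "coldfusion"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
# Assumed set of path prefixes a web process has legitimate business reading.
WEB_ALLOWED_PREFIXES = ("/var/www/", "/etc/httpd/", "/usr/share/", "/tmp/")

# Constructed line format for this example (not any real tool's output):
#   <timestamp> <host> <exec|connect|open> proc=<name> user=<name> key=value ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>exec|connect|open) "
    r"proc=(?P<proc>\S+) user=(?P<user>\S+)(?P<rest>.*)$"
)


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def analyse(line: str) -> Optional[Alert]:
    """Return an Alert when a web-tier process does one of the three suspicious things."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # unrecognised line: skip it rather than crash the pipeline
    host, event, proc = m.group("host"), m.group("event"), m.group("proc")
    if proc not in WEB_PROCS:
        return None  # these rules only care about the web tier
    # Remaining key=value pairs (path=..., dst=..., dport=...)
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())

    # Q1: why is /bin/sh running under the webserver?
    if event == "exec" and fields.get("path") in SHELLS:
        return Alert(host, "web-shell-spawn", f"{proc} executed {fields['path']}")
    # Q2: why is the webserver trying to SSH to other hosts?
    if event == "connect" and fields.get("dport") == "22":
        return Alert(host, "web-outbound-ssh", f"{proc} connected to {fields.get('dst')}:22")
    # Q3: why is the web process reading files it has no business reading?
    if event == "open":
        path = fields.get("path", "")
        if not path.startswith(WEB_ALLOWED_PREFIXES):
            return Alert(host, "web-unexpected-read", f"{proc} read {path}")
    return None


def detect(log_text: str) -> list:
    """Run analyse() over every line and return the alerts in log order."""
    return [a for a in (analyse(l) for l in log_text.splitlines()) if a is not None]


# Constructed sample log: one benign and one suspicious line per rule, plus an
# unrelated sshd line that must not fire.
SAMPLE_LOG = """\
2013-11-11T10:00:01Z web01 exec proc=httpd user=apache path=/usr/bin/php
2013-11-11T10:00:02Z web01 exec proc=httpd user=apache path=/bin/sh
2013-11-11T10:00:03Z web01 connect proc=httpd user=apache dst=10.0.0.12 dport=443
2013-11-11T10:00:04Z web01 connect proc=httpd user=apache dst=10.0.0.7 dport=22
2013-11-11T10:00:05Z web01 open proc=coldfusion user=cf path=/var/www/app/index.cfm
2013-11-11T10:00:06Z web01 open proc=coldfusion user=cf path=/etc/shadow
2013-11-11T10:00:07Z web01 exec proc=sshd user=ben path=/bin/bash
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.host} {alert.rule}: {alert.detail}")
```

The allow-list for reads is the piece that needs real tuning: start it from what the process actually opens on a quiet day (the SELinux audit log is a good source, which is the "SE/NSA Linux" hint on the slide), otherwise the third rule will page you for every template the app legitimately touches.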

Slide 18

But still patch
• Please, still patch things.
• Know that it isn’t a panacea.
• Realise that is okay.

Slide 19

Please do patch!
• No really!

Slide 20

Logs are your eyes.
“If it’s not monitored... ...it’s not in production”
Well
“If it’s not logged, did it really happen?”

Slide 21

You have a limited number of eyes.

Slide 22

Alerts

Slide 23

Logstash
• http://logstash.net/
• http://www.elasticsearch.org/overview/kibana/
• http://www.logstashbook.com/
• https://github.com/miah/chef_logstash
• https://forge.puppetlabs.com/tags/logstash

Slide 24

Two factor all the things
• Duo - https://www.duosecurity.com/
• Authy - https://www.authy.com/
• Google - http://goo.gl/hvre2D
• YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.

Slide 25

Duo and Yubikeys vvbrc

Slide 26

Pen Testing
• Don’t pay someone else to tell you to patch things.
• Don’t pay someone to run Nessus.
• Hire more security people before paying for pen-tests.
• Attack simulations are better. http://bit.ly/attacksims

Slide 27

Attack simulations?
• Everything in scope.

Slide 28

Attack simulations?
• Everything in scope.
• Don’t have security run it.

Slide 29

Attack simulations?
• Everything in scope.
• Don’t have security run it.
• Don’t block on fragility.

Slide 30

Transparency!
• Invite people to the brief.
• Don’t just expect a PDF.
• Treat it as a postmortem.
• Come out of it with a set of actions.

Slide 31

Game days.
• Ops’ “game day” simulations, but for security.

Slide 32

Phishing
• Who’s stopped phishing?

Slide 33

Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.

Slide 34

Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.

Slide 35

Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
• Don’t think you can fully eliminate it, get it reported instead.

Slide 36

Intermission.

Slide 37

New, Improved Devops
• Silo smashing into one new larger silo!

Slide 38

DevSecOpsFarmerQueen
• Many hats.
• Not just dev.
• Not just ops.
• Security doesn’t just magically happen.

Slide 39

Get security involved!
• This can be done in all sized environments!
• Small - having someone who has a security background or interest.
• Large - “Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/

Slide 40

Security are people too!

Slide 41

Security are people too!
• they just might not always act like it...
• security is the only area of technology with genuine adversaries.

Slide 42

Infosec, this one’s for you
• Dev and ops (and everyone else) are people too.
• They made those decisions without malice in mind.
• People don’t go out of their way to make things insecure!

Slide 43

Primary action items
• Don’t just say “did you speak to security about this?”
• Get people involved!
• Security has never [successfully] been a check box.

Slide 44

Reducing barriers.
Having an approachable security team is the most important thing they can do. The second you lose the ability to talk to them about anything, you effectively lose your security team.

Slide 45

So, that party you mentioned?
• Skill sharing.

Slide 46

So, that party you mentioned?
• Hack week.

Slide 47

So, that party you mentioned?
• Boot camping.

Slide 48

Borrowing from the devops.
• Tests!

Slide 49

Borrowing from the devops.
• Tests!
• Test your code and your infrastructure.

Slide 50

Borrowing from the devops.
• Tests!
• Test your code and your infrastructure.
• Wait, someone already gave this talk: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32

Slide 51

Borrowing from the devops.
So did Gareth! https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

Slide 52

Stop saying “No!”

Slide 53

So finally
• The most important thing that we do as a security team is...
• Humility.

Slide 54

So finally
• The most important thing that we do as a security team is...
• Humility.
• Security isn’t everything. People are rad.

Slide 55

Fin