Security: how we used to do it, why that's wrong, and what to do instead.
Video of this talk being given is http://vimeo.com/album/2594031/video/79378300
2. Whom be this?
• Ben Hughes, security monkey at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.
@benjammingh
Monday, 11 November 13
3. It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
• I quite like Etsy, here’s why.
10. The watering hole attacks of February
11. Other than the occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.
12. I’d buy that for a dollar
[laptop:~]% id
uid=501(ben) gid=20(staff) groups=20(staff)
[laptop:~]% ./magic
[*] running old exploit against unpatched OSX.
[*] firing off connect back shell to AWS.
[*] throwing mad persistence in to LaunchAgents.
[*] dropping to a shell.
[laptop:~]# id
uid=0(root) gid=0(root)
13. Zero [cool] day
• Zero day is bad!
14. Surprise!
• You can’t defend against unknown attacks.
• Clue is in the name.
16. Treat the symptoms
• Lateral movement can be more important than how they got in.
• You don’t care that they broke a window, you care that they got in your living room and took your TV.
• (still fix your window)
17. Hudson hawk reference
• Why is /bin/sh running on your webserver?
• Why is your webserver trying to SSH to other hosts?
• Why is the ColdFusion process reading arbitrary files off of disk? (SE/NSA Linux time)
18. But still patch
• Please, still patch things.
• Know that it isn’t a panacea.
• Realise that that is okay.
20. Logs are your eyes.
“If it’s not monitored... it’s not in production”
Well,
“If it’s not logged, did it really happen?”
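An added example, not from the talk, of what the questions on slide 17 look like as detection logic run over logs, which is the reason slide 20 says to log in the first place. It runs over a few constructed process-exec and file-open events; the JSON field names, the web-server user list, the shell and SSH-client paths and the document-root prefixes are assumptions of this example, not any audit tool's real schema.

```python
import json

# Assumed lists for this example: which accounts run web/app servers, which
# binaries count as shells or SSH clients, and where those servers may read.
WEB_USERS = {"www-data", "apache", "nginx", "coldfusion"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
SSH_CLIENTS = {"/usr/bin/ssh", "/usr/bin/scp"}
DOCROOT_PREFIXES = ("/var/www/", "/opt/coldfusion/", "/tmp/")

# Constructed sample events, one JSON object per line; the schema is this
# example's own. The last line is deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2013-11-11T09:00:01Z","user":"www-data","kind":"exec","target":"/usr/sbin/httpd"}
{"ts":"2013-11-11T09:00:02Z","user":"www-data","kind":"exec","target":"/bin/sh"}
{"ts":"2013-11-11T09:00:03Z","user":"www-data","kind":"exec","target":"/usr/bin/ssh"}
{"ts":"2013-11-11T09:00:04Z","user":"coldfusion","kind":"open","target":"/etc/shadow"}
{"ts":"2013-11-11T09:00:05Z","user":"coldfusion","kind":"open","target":"/opt/coldfusion/wwwroot/index.cfm"}
{"ts":"2013-11-11T09:00:06Z","user":"ben","kind":"exec","target":"/usr/bin/ssh"}
not json at all
"""


def classify(event):
    """Return a reason if a web-server account did something it never
    should (spawn a shell, start ssh, read outside its docroot), else None."""
    if event.get("user") not in WEB_USERS:
        return None  # a human running ssh is normal; the webserver doing it is not
    kind, target = event.get("kind"), event.get("target", "")
    if kind == "exec" and target in SHELLS:
        return "web server spawned a shell"
    if kind == "exec" and target in SSH_CLIENTS:
        return "web server started an outbound SSH client"
    if kind == "open" and not target.startswith(DOCROOT_PREFIXES):
        return "web server read a file outside its document root"
    return None


def find_anomalies(log_text):
    """Parse one event per line; return (ts, user, reason) for each finding.
    Unparseable lines are reported too: a gap in the log is worth a look."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append((f"line {lineno}", "-", "unparseable log line"))
            continue
        reason = classify(event)
        if reason:
            findings.append((event["ts"], event["user"], reason))
    return findings


if __name__ == "__main__":
    for ts, user, reason in find_anomalies(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```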
21. You have a limited number of eyes.
24. Two factor all the things
• Duo - https://www.duosecurity.com/
• Authy - https://www.authy.com/
• Google - http://goo.gl/hvre2D
• YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.
26. Pen Testing
• Don’t pay someone else to tell you to patch things.
• Don’t pay someone to run Nessus.
• Hire more security people before paying for pen-tests.
• Attack simulations are better. http://bit.ly/attacksims
29. Attack simulations?
• Everything in scope.
• Don’t have security run it.
• Don’t block on fragility.
30. Transparency!
• Invite people to the brief.
• Don’t just expect a PDF.
• Treat it as a postmortem.
• Come out of it with a set of actions.
31. Game days.
• Ops’ “game day” simulations, but for security.
35. Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
• Don’t think you can fully eliminate it, get it reported instead.
39. Get security involved!
• This can be done in environments of all sizes!
• Small - having someone who has a security background or interest.
• Large - “Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-engryan-oboyle-from-the-trenches-real-world-agile-sdlc/
41. Security are people too!
• They just might not always act like it...
• Security is the only area of technology with genuine adversaries.
42. Infosec, this one’s for you
• Dev and ops (and everyone else) are people too.
• They made those decisions without malice in mind.
• People don’t go out of their way to make things insecure!
43. Primary action items
• Don’t just say “did you speak to security about this?”
• Get people involved!
• Security has never [successfully] been a check box.
44. Reducing barriers.
Having an approachable security team is the most important thing they can do. The second you lose the ability to talk to them about anything, you effectively lose your security team.
45. So, that party you mentioned?
• Skill sharing.
46. So, that party you mentioned?
• Hack week.
47. So, that party you mentioned?
• Boot camping.
50. Borrowing from the devops.
• Tests!
• Test your code and your infrastructure.
• Wait, someone already gave this talk: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
51. Borrowing from the devops.
So did Gareth!
https://speakerdeck.com/garethr/securitymonitoring-penetration-testing-meetsmonitoring
54. So finally
• The most important thing that we do as a security team is...
• Humility.
• Security isn’t everything. People are rad.