MacIT 2014 - Essential Security & Risk Fundamentals
DESCRIPTION
My presentation from the 2014 MacIT conference.
TRANSCRIPT
[Slide 1]
Essential Security & Risk Fundamentals
Alison Gianotto
[Slide 2]
Who Am I?
• (Former) CTO/CSO of noise
• 20 years in IT and software development
• Security Incident Response Team (SIRT)
• MacIT presenter in 2012
• Survivor of more corporate security audits than I care to remember
• @snipeyhead on Twitter
[Slide 3: image only, no text]
[Slide 4]
What is Security?
Let’s start with what security is not.
[Slide 5]
What Security Isn’t
• Security isn’t a thing you add on at the end of a project.
• Security isn’t “But… I have a firewall!”
• Security isn’t a thing you’re ever “done” with.
[Slide 6]
What Security Isn’t
• Security is not the same as compliance. You can be compliant and not be secure. (Just ask Target.)
• Security is not one person in your organization.
• Security is not an outsourced consultant or consulting agency.
[Slide 7]
What Security Is
• Security is an ongoing group effort.
• Security is where you start, not where you finish.
• Security is understanding and protecting your valuable assets, information and people.
• Security is multi-layered (defense-in-depth).
[Slide 8]
What is Risk?
Let’s start with what risk is not.
[Slide 9]
What Risk Management Isn’t
• Risk management isn’t something that has to hinder innovation.
• Risk management doesn’t have to be boring.
• Managing risk isn’t one person’s job.
• Risk isn’t just “hackers”.
[Slide 10]
What Risk Management Isn’t
• Risk tolerance is not singular. What qualifies as acceptable risk to your company will not be the same as acceptable risk to another company.
[Slide 11]
What Risk Management Is
• Risk management is a tool that helps you make intelligent, informed decisions.
• Risk management is your entire team’s responsibility.
• Risk is absolutely unavoidable. Being informed will help you make the best choices for your organization.
[Slide 12]
Security CIA Triad
Confidentiality, Integrity & Availability
• Confidentiality is a set of rules that limits access to information.
• Integrity is the assurance that the information is trustworthy and accurate.
• Availability is a guarantee of ready access to the information by authorized people.
[Slide 13]
Confidentiality
Making sure the right people can access sensitive data and the wrong people cannot.
[Slide 14]
Confidentiality Examples
• Passwords. (boo!)
• Data encryption (at rest and in transmission.)
• Two-factor authentication/biometrics. (Yay!)
• Group/user access permissions
• Corporate VPN
• IP Whitelisting
• SSH keys
[Slide 15]
Confidentiality Risk Examples
• Lack of control over content your employees put on third-party servers. (Basecamp, etc.)
• Lack of control over password requirements for third-party vendors.
• Shared passwords
• Exploitable scripts uploaded to web servers.
• Lost/stolen smartphones, tablets and laptops
• Inadequate exit process
[Slide 16]
Confidentiality: Control/Possession
Do you remain in control of your resources?
[Slide 17]
Control Examples
1) A software program can be duplicated without the manufacturer's permission; they are not in control of that software anymore. *cough* Adobe source code *cough*
2) You know your password, but who and what else has possession of it, too?
[Slide 18]
Integrity
Maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.
Ensures that information is not modified or altered intentionally or by accident.
[Slide 19]
Integrity Risk Examples
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
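Several of the risks on this slide (bit-rot, a buggy script, a well-meaning admin, or an intruder changing data) collapse into one question: can you prove a backup still matches what you took? The script below is an added example, not code from the talk. It hashes every file in a backup tree into a manifest, signs the manifest with an HMAC key kept outside the backup set, and later reports anything modified, missing or added. The directory layout, file contents and key are constructed for the demo.

```python
"""Backup integrity manifest: hash every file, sign the manifest, verify later.

Added example; not from the presentation. The backup tree, its contents and
the signing key below are constructed for demonstration only.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backups do not load into RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """HMAC over canonical JSON, so edits to the manifest itself are detected.
    The key must be stored away from the backup (e.g. on the verifying host)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_backup(root, manifest, signature, key):
    """Compare the tree under root against the signed manifest and report differences."""
    report = {"manifest_tampered": False, "modified": [], "missing": [], "added": []}
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        report["manifest_tampered"] = True
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    report["modified"].sort()
    report["missing"].sort()
    report["ok"] = not report["manifest_tampered"] and not (
        report["modified"] or report["missing"] or report["added"])
    return report


def demo():
    """Constructed scenario: take a backup, then simulate corruption, an
    accidental delete, a stray file, and a doctored manifest."""
    key = b"constructed-demo-key-real-keys-live-outside-the-backup"
    root = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "users.sql"), "w") as f:
            f.write("INSERT INTO users VALUES (1, 'alice');\n")
        with open(os.path.join(root, "config.yml"), "w") as f:
            f.write("retention_days: 30\n")

        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        clean = verify_backup(root, manifest, signature, key)

        # Silent corruption / unauthorized edit, human error, and an unexpected file.
        with open(os.path.join(root, "db", "users.sql"), "a") as f:
            f.write("INSERT INTO users VALUES (2, 'mallory');\n")
        os.remove(os.path.join(root, "config.yml"))
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("scratch\n")
        broken = verify_backup(root, manifest, signature, key)

        # Someone "fixes" the manifest to match the altered file, but lacks the key.
        forged = dict(manifest)
        forged["db/users.sql"] = sha256_file(os.path.join(root, "db", "users.sql"))
        forged_report = verify_backup(root, forged, signature, key)
        return clean, broken, forged_report
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for r in demo():
        print(json.dumps(r, indent=2))
```

Run the verifier on a schedule against restored copies, not just the backup media, and alert on any report where `ok` is false; a manifest that fails its HMAC check is as serious as a modified file, because it means the record you were going to trust has itself been changed.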
[Slide 20]
Integrity: Authenticity
How can you be sure that the person you’re talking to is who he or she claims to be?
[Slide 21]
Availability
All systems and information resources must be "up and running" as per the needs of the organization.
[Slide 22]
Availability Risk Examples
• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters
[Slide 23]
Availability: Utility
An employee who had encrypted data leaves the company.
You still have possession of the data, but you do not have the key to decrypt the contents, so you do not have the use or utility of it.
[Slide 24]
Getting Risky
• How bad will it be if this component fails?
• What other components will this affect if it fails?
• How likely is it that it will fail?
• What are the ways it could fail?
• What can we do in advance to prevent/reduce the chances or impact of failure?
[Slide 25]
Getting Risky
• How can we consistently test that this component is healthy?
• How will we know if it has failed?
• How can we structure this component to be monitor-able through an external system? (A generated JSON/XML status script, HTTP status codes, etc. - anything you can attach a status monitor to.)
• How can we structure this component to fail more gracefully? (Firing an alert and redirecting instead of a 500 error, for example.)
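The last two questions above are concrete enough to show in code. The following is an added example, not code from the talk: a status endpoint that runs named health checks and returns a JSON body plus an HTTP status a monitor can key on (200 when healthy or degraded, 503 when a critical dependency is down), a wrapper that turns an unhandled error into an alert and a redirect instead of a bare 500, and the decision an external monitor would make from one poll. The check names, the `critical` flag, the maintenance URL and the page/ticket decision rule are this example's own conventions.

```python
"""Status endpoint, graceful failure, and the monitor that watches them.

Added example illustrating the slide's questions; not code from the talk.
Check names, thresholds, the maintenance URL and the monitor's rules are
constructed conventions for this demo.
"""
import json
import logging
import time

log = logging.getLogger("component")


def run_checks(checks):
    """checks: {name: (critical, fn)} where fn() -> (ok, detail).
    Returns (http_status, body): 503 if any critical check fails, else 200."""
    results, status = {}, 200
    for name, (critical, fn) in checks.items():
        started = time.monotonic()
        try:
            ok, detail = fn()
        except Exception as exc:  # a check that crashes counts as a failure
            ok, detail = False, f"check raised {type(exc).__name__}: {exc}"
        results[name] = {"ok": ok, "critical": critical, "detail": detail,
                         "ms": round((time.monotonic() - started) * 1000, 1)}
        if not ok and critical:
            status = 503
    if status != 200:
        overall = "down"
    elif all(r["ok"] for r in results.values()):
        overall = "ok"
    else:
        overall = "degraded"  # only non-critical checks failed
    body = {"status": overall, "checks": results, "checked_at": int(time.time())}
    return status, body


def graceful(handler, maintenance_url="/maintenance", alert=log.error):
    """Wrap a request handler: on an unhandled error, fire an alert and send the
    user to a maintenance page (302) instead of returning a bare 500."""
    def wrapped(request):
        try:
            return handler(request)
        except Exception as exc:
            alert("handler failed for %s: %s", request.get("path"), exc)
            return 302, {"Location": maintenance_url}, ""
    return wrapped


def monitor_decision(http_status, body):
    """What an external monitor does with one poll of the status endpoint."""
    failed = [n for n, r in body["checks"].items() if not r["ok"]]
    if http_status != 200:
        return "page", failed      # wake someone up
    if body["status"] == "degraded":
        return "ticket", failed    # fix during business hours
    return "none", []


def demo(db_up=True, cache_up=True):
    """Constructed checks standing in for real dependency probes."""
    checks = {
        "database": (True, lambda: (db_up, "primary reachable" if db_up
                                    else "connect timeout after 2s")),
        "cache": (False, lambda: (cache_up, "hit" if cache_up
                                  else "unreachable; serving from database")),
        "disk": (True, lambda: (True, "82% free on /var")),
    }
    return run_checks(checks)


if __name__ == "__main__":
    for kwargs in ({}, {"cache_up": False}, {"db_up": False}):
        status, body = demo(**kwargs)
        print(status, json.dumps(body, indent=2), monitor_decision(status, body))
    safe = graceful(lambda req: 1 / 0)  # a handler with a bug
    print(safe({"path": "/checkout"}))  # -> (302, {'Location': '/maintenance'}, '')
```

The split between a non-200 status and a `degraded` body is deliberate: a load balancer or uptime checker only needs the status code to pull the node from rotation, while a human reading the JSON gets the per-check detail and timing to tell a slow dependency from a dead one.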
[Slide 26]
Risk Matrix Components
• Type
• Third-Party
• Dataflow diagram ID
• Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
[Slide 27]
Risk Matrix
[Slide 28]
Things You Can Start Doing TODAY
[Slide 29]
• Start every project risk-first.
• Build a clear inventory of surface areas and their value. Get stakeholders involved.
• Start using a risk matrix for every major project or product.
• Trust your gut. If something doesn’t look right, it probably isn’t.
[Slide 30]
• Keep your systems as simple as possible. Document them.
• Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
• Get to know your users' behavior. Use things like Google Analytics and heatmapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.
[Slide 31]
• Increased transparency reduces risk across departments. Consider devops.
• Automate EVERYTHING - Casper, DeployStudio, Boxen, etc. (Chef, Vagrant, Ansible, Salt or Fabric for server management.)
• If you develop software, automate your deployment and configuration management. Chatops FTW!
• Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
[Slide 32]
• Always employ the principle of “least privilege.”
• Rely on role-based groups for OD/AD, email accounts, etc.
• Consider who has access to your social media accounts. Use an SMMS to manage access instead of giving out passwords.
• Consider who has access to third-party services where billing information is available via account management settings.
[Slide 33]
• Be proactive in educating your company’s staff about security. Measure results.
• Teach your users about password security and social engineering.
• Set your users up with a good password manager like LastPass or 1Password.
• Always be aware of single points of failure. (“Bus factor”, Maginot Line)
[Slide 34]
• Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
• Create a Business Continuity Plan.
• Create an Incident Response Plan. Test it.
• Create a Disaster Recovery Plan. TEST IT. (Seriously.)
[Slide 35]
• Give preference to vendors that integrate with your AD/OD.
• Create a vendor management policy. Insist (and document) that your vendors comply with your requirements, or find a new vendor.
• Make sure you understand what happens when third-party services fail or behave unexpectedly.