EVADE THE BREACH: BY CHANGING THE WAY YOU THINK ABOUT INFORMATION SECURITY
MAJOR HAYDEN
RACKSPACE
@majorhayden
FOR ACCRUENT INSIGHTS 2014, AUSTIN, TEXAS
PHOTO CREDIT: CURTIS GREGORY PERRY [bit.ly/1k5ajws]
ABOUT MAJOR
• Born in Austin
• At Rackspace since 2006
• Focused on Linux engineering, software
development and information security
• Two kids and four chinchillas
THIS IS A CHINCHILLA
THEY ARE AMAZING PETS AND I COULD TALK ABOUT THEM FOR A LONG TIME
AGENDA
Presentation 30 minutes
Q&A 30 minutes
Let's cover some
critical concepts
SECURITY ISN'T EASY
YOUR BUSINESS
DOESN'T EXIST
TO BE SECURE
INSPIRED BY KEITH PALMGREN'S "13 ABSOLUTE TRUTHS OF SECURITY"
SECURITY HAS
NO FINISH LINE
INSPIRED BY KEITH PALMGREN'S "13 ABSOLUTE TRUTHS OF SECURITY"
"Reports that say... that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."
—Donald Rumsfeld, United States Secretary of Defense
PUBLIC DOMAIN PHOTO BY THE UNITED STATES ARMY
THREE DEFENSIVE LAYERS
Preventative: Make yourself a hard target
Detective: Know when danger is on your doorstep
Corrective: Remove the threat and repair the damage
PROCESS IMPROVEMENT FEEDBACK LOOP
We can apply these
layers to something
we all know well
How do we protect
our homes?
PHOTO CREDIT: DPREVITE [bit.ly/1mC8QBi]
We lock our doors
We put our lights on timers
We close the blinds
We install security cameras
We join the neighborhood watch
We set our security alarm
We have our alarm monitored
We buy homeowner's insurance
We buy firearms
The same list is shown three more times, with the measures that belong to each layer called out:
PREVENTATIVE
DETECTIVE
CORRECTIVE
You now know
two other concepts
DEFENSE IN DEPTH: ASSUME THE WORST AND BUILD LAYERS OF DEFENSE
PHOTO CREDIT: SZEKE [bit.ly/1mxjkzl]
RISK MANAGEMENT: INVEST YOUR TIME SPENT ON SECURITY WISELY
PHOTO CREDIT: LORENZOCLICK [bit.ly/1f40rns]
Do your third party
vendors invest in
security as much as
you do?
How will you know
for sure?
IT'S NOT EASY
PHOTO CREDIT: KEVIN DOOLEY [bit.ly/1ri0hej]
Let's review
the facts
"Target gave network
access to a third-party
vendor, a small
Pennsylvania HVAC
company, which did not
appear to follow
broadly accepted
information security
practices. The vendor’s
weak security allowed
the attackers to
gain a foothold
in Target’s network."
"Target
appears to have
failed to respond
to multiple automated
warnings from the
company’s
anti-intrusion
software that the
attackers were
installing malware
on Target’s system."
"Attackers who
infiltrated Target’s
network with a
vendor credential
appear to have
successfully moved from
less sensitive areas of
Target’s network to
areas storing consumer
data, suggesting that
Target failed to properly
isolate its most sensitive
network assets."
"Target
appears to have
failed to respond
to multiple warnings
from the company’s
anti-intrusion
software regarding the
escape routes the
attackers planned
to use to
exfiltrate data
from Target’s network."
What can we
learn from the
Target breach?
Target's situation
isn't unique
to Target
It's
your responsibility
to insulate yourself
from third parties
Continually test your
security layers so
you can trust them
in an emergency
What about the
vendors that
don't show up
on your books?
PHOTO CREDIT: CLASPINGWALNUT [BIT.LY/1K5J5DT]
HOW ABOUT THE
OPENSSL SOFTWARE
FOUNDATION?
HEARTBLEED:
A QUICK SUMMARY
• A missing bounds check in the TLS heartbeat handler lets attackers read
chunks of memory from remote servers
• Attackers repeatedly send requests to get
different data from the server
• Announcement of the vulnerability was
handled extremely poorly
• Much of the internet is still vulnerable
almost a month after the announcements
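A worked illustration of the bug described above, added here as an example; it is not code from the slides or from OpenSSL itself. It models a TLS heartbeat handler in miniature: the vulnerable version trusts the attacker-supplied payload length and copies that many bytes into its reply, the fixed version adds the same kind of bounds check that OpenSSL 1.0.1g added and silently discards oversized claims. The "process memory" is a constructed arena with a made-up secret placed after the received record, so the over-read is observable without real undefined behaviour; the arena, the secret and its offset are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* minimum padding a heartbeat message carries */

/* A received TLS record: its bytes and how many of them actually arrived. */
struct record {
    const unsigned char *data;
    size_t length;
};

/* Simulated process memory (constructed for this example). The received
 * record sits at the start; an unrelated secret sits a little after it,
 * standing in for whatever else happened to be on the heap. */
static unsigned char arena[4096];
static const char SECRET[] = "SESSION-KEY-0xDEADBEEF";
#define SECRET_OFFSET 64

/* Vulnerable handler: echoes back as many bytes as the attacker's length
 * field says, never comparing it with how many bytes really arrived. */
size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST)
        return 0;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)          /* guards our own buffer, not the read */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);     /* over-reads when payload > bytes arrived */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: same logic, plus a check that the claimed payload fits in
 * the record that was actually received; oversized claims are dropped. */
size_t heartbeat_fixed(const struct record *rec, unsigned char *out, size_t out_cap)
{
    if (rec->length < 1 + 2 + HB_PADDING)        /* too short to be a heartbeat */
        return 0;
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST)
        return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length)
        return 0;                                 /* claim exceeds what arrived */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Build a request in the arena whose length field claims `claimed` bytes
 * while only `plen` payload bytes (plus padding) are really sent. */
static struct record make_request(uint16_t claimed, const char *payload, size_t plen)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
    struct record rec = { arena, 3 + plen + HB_PADDING };
    return rec;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

/* 1 if the handler's reply to a 4-byte payload claiming 200 bytes leaks the secret. */
int response_leaks_secret(size_t (*handler)(const struct record *, unsigned char *, size_t))
{
    static unsigned char out[1024];
    struct record rec = make_request(200, "ping", 4);
    size_t n = handler(&rec, out, sizeof out);
    return n > 0 && contains(out, n, SECRET);
}

/* 1 if the fixed handler still answers a well-formed request correctly. */
int valid_request_echoed(void)
{
    static unsigned char out[64];
    struct record rec = make_request(4, "ping", 4);
    size_t n = heartbeat_fixed(&rec, out, sizeof out);
    return n == 23 && out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", response_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", response_leaks_secret(heartbeat_fixed));
    return 0;
}
```

The bullet about attackers sending requests repeatedly follows directly from the model: each request returns whatever happens to sit after the record in memory at that moment, so a patient attacker keeps asking until something valuable (in the real bug, up to 64 KB per request) lands in the reply.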
HEARTBLEED:
LESSONS LEARNED
Layer your defenses
Segregate server duties
Make emergency plans
Rackspace
has joined many other
companies in support of the
Core Infrastructure Initiative
that provides funding for
open source projects that
need assistance
LET'S WRAP IT UP
PHOTO CREDIT: TANAKAWHO [bit.ly/1mxiEd3]
Three takeaways:
(Or, if you fell asleep
during the last half hour,
here's what I was talking about)
1. Layer your defenses
2. The security
of your business
is your business
3. Better security
requires changes
in people, process,
and technology
THANK YOU!
PHOTO CREDIT: STUCK IN CUSTOMS [bit.ly/1k5nqha]
Blog: major.io
Twitter: @majorhayden
Email: major.hayden@rackspace.com

Accruent insights 2014 2014-04-28 - v8 - final