Ultimate Hack! Layers 8 & 9 of the OSI Model
The vast chasm between business and Information Security must be bridged. In this talk from AtlSecCon in Halifax (Mar 2011) I discuss how Information Security professionals can 'hack' the management and budget layers of their daily work to get things done more effectively.

Presentation Transcript

• Ultimate Hack: Manipulating Layers 8 & 9 [Management & Budget] of the OSI Model
  Rafal M. Los ...aka "Wh1t3Rabbit"
  AtlSecCon – March 2011
  © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

• Hi … I'm the Wh1t3 Rabbit
  Twitter: "Wh1t3Rabbit"
  Blog: http://hp.com/go/white-rabbit
  Practical Experience?
  • IT since 1995
  • InfoSec since 1999
  • Built & led AppSec Program in Fortune 100
  • More years doing than talking

• Rules for this talk (seriously)
  CAUTION: The contents in this talk may make you uncomfortable as an information security professional.
  1. Participate
  2. Share your thoughts
  3. If you share, be honest with your answers
  4. There is an assignment at the end…

• A riddle: What does an Information Security team DO?

• Does senior management respect and support Information Security's vision & efforts? …or just deal with you?

• Our Goal as InfoSec Professionals (what we tell ourselves)
  • "secure the business"
  • "reduce risk"
  • "deploy security measures"
  • "protect the company"
  • "keep threats out"

• Our Goal as InfoSec Professionals – when management hears this…
  • "secure the business" → from what?
  • "reduce risk" → of what?
  • "deploy security measures" → why?
  • "protect the company" → from what?
  • "keep threats out" → of where? (and why?)

• Layers 8 & 9 – "the secret layers"
  Management, necessary for…
  • Organizational buy-in
  • Push change from the top
  • Create shift in policy & culture
  • Credibility
  Budget, necessary for…
  • Required for staff, gear
  • Persuasion
  • Education
  • Seed effort

• So … you NEED Management & Budget … but how do you manipulate them to your ends?

• Getting what you want at Layers 8 & 9 – My 7 Secrets to Success

• Align to the Business – What does your business do?
  Objective: Understand completely and comprehensively what your organization does, how it makes money, and how it evolves.
  Situation: Many IT Security Pros do not know business drivers
  • Align to your business or organizational goals
    – Compliance with government regulations may be a goal
    – Expanding into new markets may be a goal
    – Developing a new prototype may be a goal
  • Drive security like it was a "business"
    – Understand cause:effect of security policy & vision
    – Don't spend $10M to protect $100k

• Walk a mile... – Go work as a business analyst
  Objective: If you want to understand why business analysts do strange/insecure things, go be one of them for a while.
  Situation: Understand the situations you are working against
  • Security must truly understand the motivations that drive business decisions and employees
    – Security analysts must work in the business
    – Understand "how it works" and what drives non-IT Security
    – "Feel their pain"
  • I promise you will have a different outlook
    – Understand the business, protect its assets rationally

• Carrot & Stick – Rewards balance consequences
  Objective: Neither rewards nor consequences alone will reach your ends; a sane balance must be found between push and pull of your security goals.
  Situation: You can lead a horse to water, even put him IN water…
  • Do better than "because security says so"
    – People avoid you because they can and will get away with it
    – Policy is a weak motivational tool
  • Offer incentives to make "secure" choices
    – Rewards, recognition, positive reinforcement
  • Severely punish blatant detractors
    – Approve severe punishment (firing?) through HR, enforce it.
  *Blog post: http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/The-Path-of-Least-Resistance/ba-p/22011

• Advisory vs. Operations – Segment your security practice
  Objective: Separate out the "advise" from the "do" parts of Information Security to achieve higher credibility and better resource utilization.
  Situation: Split the organization to optimize efficiencies
  • Operational tasks move out to a small operations team
    – Managing anti-virus, patches, IDM, firewall rules, etc.
    – Manage the "doers", validate with a small nimble team
  • Shift majority of team to advisory capacity
    – Much like internal consultants: provide sound advice, let others do
    – Formulate & dictate policy, push to ops teams to implement
  • Great cost efficiencies here, dynamic efficiencies

• Risk, Compliance, Legal – Meet your new best friends
  Objective: Align with the 3 most powerful parts of any organization; adopt their methods and leverage each other's capabilities and expertise.
  Situation: IT Security is not unlike legal, risk and compliance
  • Get to know the practices of these departments
    – Understand their motivations and power capabilities
    – Understand their struggles with reaching goals
      o Offer technology-based approaches to their ills
  • Leverage each other's strengths to drive key strategy
    – What is good for me is good for "we"
    – Security's goals can often be accomplished by legal's requirements

• Business-driven "security" – Business must need it
  Objective: Allow your business to come to the conclusion that it requires your assistance to meet business goals and customer demands.
  Situation: You CAN NOT force security onto an organization
  • Provide advisory assessments of IT risk to the organization as appropriate
    – Define the appropriate format for your industry, market
    – Make reports readily available to customers, auditors
    – Allow constituents to choose from approved remediation options
  • Offer a lower-cost, consolidated alternative to continually failing audit, scrambling to comply

• Leverage Accountability – "Just sign here to accept risk"
  Objective: Few things are more powerful than the risk of being held accountable for your actions; advise on risk and allow a business owner to accept that risk with a simple signature.
  Situation: Accountability in a visible way is fundamental
  • Provide objective assessment of risk
    – Research, then file a comprehensive risk profile report
    – Discuss the impact, cost, and assessed risk to the organization
  • Give leaders the ability to choose
    – Accept risk on behalf of the organization
      o Sign off on the risk (literally) and get reported
    – Remediate the risks

• Measure Yourself (KPIs) – How do you know you've succeeded?
  Objective: There are no more than 5 KPIs you must measure against; KPIs enable a non-technical conversation with management & leadership.
  Situation: Can you measure security's true impact?
  • Most organizations have lots of data & metrics
    – Metrics rarely tell a big picture
    – Spreadsheets, dashboards are often too complex and technical
  • Do your KPIs pass the "so what?" test?
    – Does it impact the business?
    – Does it impact revenue?
    – Are you improving proportionately to fiscal spend?

• The Most Important Answer
  If you want to shock your CIO, answer this question: When can we stop spending money?
  When have you achieved a "good enough" state of IT risk?
  • Who defines and accepts those parameters?
  • How does security contribute to "good enough"?
  • Can you tell the CIO when to stop spending?

• These are my secrets to succeeding – They've worked for me, they may work for you
  Try this at home ... but make sure you are rational.
  • There is no silver bullet, we're not baking cookies
  • Every organization is different, approaches vary
    – Some assembly required, batteries not included
    – No warranties, no returns

• A smart poker player knows…
  • when to hold
  • when to fold
  • when to walk away
  • when to run like hell.

• Thank you – Did you learn something?
  Rafal Los
  Twitter.com/Wh1t3Rabbit
  HP.com/go/white-rabbit