Andrew Hay  - Chris Nickerson - Building Bridges - Forcing Hackers and Business to Hug it Out
Published in: Technology, Business
Transcript

  • 1. Building Bridges: Forcing Hackers and Business to “Hug it Out”
      - Andrew Hay, CISSP, The 451 Group
      - Chris Nickerson, CISSP, Lares Consulting
  • 2. About
      - Andrew Hay
          - Senior Analyst, The 451 Group
          - Analyst, Author, Speaker, Blogger, and more!
      - Chris Nickerson
          - Founder & Principal Security Consultant, Lares Consulting
          - Red Team and Social Engineering Expert
  • 3. Change Log
  • 4. Why Talk About This?
      - This talk shouldn’t need to exist!
          - But the industry obviously needs it
      - We’re all adults (well, most of us)
      - Business leaders should understand their staff
      - Employees should understand why the business needs to do what it does
  • 5. Overview
      - The View From The Trenches
      - The View From The Business
      - The Problems
      - The Way to Fix The Problem
      - Questions?
  • 6. The View From The Trenches
      - Management is clueless
      - They don’t CARE about security
      - They will only do the “bare minimum”
      - They play golf and waste time in meetings all day
  • 7. The View From The Trenches (continued)
      - They don’t respond when I show them how important it is
      - We…
          - Are overworked
          - Get all the blame
          - Don’t get the respect we deserve
  • 8. The View From The Business
      - Hackers don’t have a clue
      - They don’t care about the business
      - They don’t understand the economic challenges
      - They surf the Internet and talk to their “friends” on {IRC, Twitter, Newsgroups} all day
  • 9. The View From The Business
      - They don’t listen when I tell them how dangerous it is
      - We…
          - Put in long hours
          - Answer to the business stakeholders
          - Don’t get the respect we deserve
  • 10. The Problems
      - Pure Security vs. Business Security
      - Cost vs. Completeness
      - Scope vs. “Hackers Don't Have Scope”
      - Downtime vs. Patch to Secure
      - Feature Release vs. Secure Development
      - Compromise Disclosure vs. Potential Financial Devastation
      - Compliance vs. Security
  • 11. Pure Security vs. Business Security
      - View from the trenches
          - Security is an ever-changing field / not constrained by dated academic theories
          - A secure environment is the goal but never really gonna happen
          - It’s secure when it can’t be hacked
          - It requires 24/7 support
  • 12. Pure Security vs. Business Security
      - View from the business
          - Security is defined by the CIA triad
          - Availability (typically) trumps Integrity and Confidentiality
          - The cost of operating securely should not be detrimental to the company’s bottom line
          - The budget cannot be expanded just because there are new threats
  • 13. Cost vs. Completeness
      - View from the trenches
          - Completeness should be the goal
          - Budget should be flexible to accommodate
          - We must test ALL devices
          - We must look at every level (Network, App, Code, etc.)
          - The test/testers you bought SUCK
  • 14. Cost vs. Completeness
      - View from the business
          - Fixed cost for project / no wiggle room
          - Budget dictates the depth, you don’t!
          - The only things in scope are the machines holding (insert here) <PCI, PHI, etc.> data on them
          - I only have to do a Web App test OR Code review, not both. It says it right here in the standard.
  • 15. Scope vs. “Hackers Don't Have Scope”
      - View from the trenches
          - Scope is a guideline / ROE may need to be adjusted as required
          - We will attack any asset that you own. What’s on it doesn’t matter.
          - You must test everything on the box/app, not just what that dumb compliance sheet tells you
          - SE is out of scope? WHY? Real hackers will attack our people
  • 16. Scope vs. “Hackers Don't Have Scope”
      - View from the business
          - ROE non-negotiable / paid to adhere to scope
          - We know what we want tested and what is important for the business
          - Scope creep does not benefit the business
          - Political ramifications of “testing” our people are a large liability.
  • 17. Downtime vs. Patch to Secure
      - View from the trenches
          - Patches need to be applied / that’s why they’re released
          - How much revenue will be lost if this threat vector is exploited?
          - Patching now may reduce downtime due to breach later
          - If you are worried about installing the patch, test it first
          - This is stupid, why isn’t it automated?
  • 18. Downtime vs. Patch to Secure
      - View from the business
          - The business can’t afford downtime to patch / disrupts business and potential for lost revenue
              - Availability is more important than security
          - We have a network firewall and desktop AV / should be enough
          - Attackers are on the outside
          - We are a Hospital/bank/Whatever, we CAN’T go DOWN!
  • 19. Feature Release vs. Secure Development
      - View from the trenches
          - If we fix it now, we’re releasing products that are secure out of the box / don’t have to fix later
          - Delivery timelines can shift / they’re just dates in MS Project
          - Saving money by fixing it now. (cite post release 100x bugfix increase cost)
          - “I won’t put my name on this *tantrum* *badmouth*”
  • 20. Feature Release vs. Secure Development
      - View from the business
          - Delaying release may jeopardize our GTM strategy
          - Fixes can be applied in a post-release hotfix or in the next minor/major release
          - Development & QA time cost money / not a money maker
          - May lose money by fixing it now
          - Feature profits will fund future security enhancements
  • 21. Compromise Disclosure vs. Potential Financial Devastation
      - View from the trenches
          - It’s our duty to report exploit vectors to the vendors / we’d want others to do the same
          - We got hacked, we need to tell our customers.
          - YOU are unethical if you don’t tell anyone
  • 22. Compromise Disclosure vs. Potential Financial Devastation
      - View from the business
          - Disclosing weaknesses jeopardizes our business!
          - Let someone else report it to the vendors / social responsibility be damned!
          - We’re in business to make money, not help the vendors fix their problems
          - We got hit but no sensitive information was accessed
  • 23. Compliance vs. Security
      - View from the trenches
          - Compliance IS NOT Security
          - Compliance is a byproduct of being secure
          - Compliance is stupid and is someone else’s problem
          - How can one size fit all?
          - How does securing 10% of our assets and ignoring the other 90% make us secure?
  • 24. Compliance vs. Security
      - View from the business
          - Sometimes compliance is the end goal / deemed ‘good enough’
          - Our customers (who pay your salary) REQUIRE us to be certified
          - Achieve compliance, security should follow
          - Not enough money for both, but higher risk of fines for not being compliant
  • 25. The Way To Fix the Problem
      - Some common ground must be found
      [Diagram: Business / Hackers / What we need]
  • 26. Business Needs To…
      - Understand that…
          - Hackers are intelligent people that are responsible enough to be educated on the business and its issues
          - Business has a large moving target to keep up with and needs effective direction
          - Hackers are their first and last line of defense / They defend your paycheck and require your support
      - Provide executive support, understanding, and financial backing for the security team or expect failure
          - Security is just like ALL other business units; without those things, they will fail.
  • 27. Hackers Need To…
      - Learn more about the business, its operations, and how cost plays into the decision process
      - Identify the political challenges and pose their problems/solutions in a manner that fits
      - Talk in language that executives understand
          - Articulate technical issues in less complex terms
          - Pretend you’re explaining to your mother
  • 28. Both Need To…
      - Learn respect and tolerance for the other’s skills and problems
      - Recognize that both camps bring valuable information to the table / keep an open mind!
      - Realize that neither camp should dictate best practices but rather agree on best practices
      - Understand that they have the same goals but start off on opposite sides to get there.
  • 29. Questions? Ask yourself ‘what have I done to bridge the gap?’
  • 30. Thank you!
      - Andrew Hay
          - Senior Analyst, The 451 Group,
          - Enterprise Security Practice
      - [email_address]
      - http://www.the451group.com
      - http://twitter.com/andrewsmhay
      - http://www.andrewhay.ca
      - Chris Nickerson
          - Founder & Principal Security Consultant, Lares Consulting
      - [email_address]
      - http://www.laresconsulting.com
      - http://twitter.com/indi303
      - http://exoticliability.libsyn.com/