Andrew Hay  - Chris Nickerson - Building Bridges - Forcing Hackers and Business to Hug it Out
Presentation Transcript

    • Building Bridges: Forcing Hackers and Business to “Hug it Out”
      • Andrew Hay, CISSP, The 451 Group
      • Chris Nickerson, CISSP, Lares Consulting
    • About
      • Andrew Hay
        • Senior Analyst, The 451 Group
        • Analyst, Author, Speaker, Blogger, and more!
      • Chris Nickerson
        • Founder & Principal Security Consultant, Lares Consulting
        • Red Team and Social Engineering Expert
    • Change Log
    • Why Talk About This?
      • This talk shouldn’t need to exist!
        • But the industry obviously needs it
      • We’re all adults (well, most of us)
      • Business leaders should understand their staff
      • Employees should understand why the business needs to do what it does
    • Overview
      • The View From The Trenches
      • The View From The Business
      • The Problems
      • The Way to Fix The Problem
      • Questions?
    • The View From The Trenches
      • Management is clueless
      • They don’t CARE about security
      • They will only do the “bare minimum”
      • They play golf and waste time in meetings all day
    • The View From The Trenches (continued)
      • They don’t respond when I show them how important it is
      • We…
        • Are overworked
        • Get all the blame
        • Don’t get the respect we deserve
    • The View From The Business
      • Hackers don’t have a clue
      • They don’t care about the business
      • They don’t understand the economic challenges
      • They surf the Internet and talk to their “friends” on {IRC, Twitter, Newsgroups} all day
    • The View From The Business (continued)
      • They don’t listen when I tell them how dangerous it is
      • We…
        • Put in long hours
        • Answer to the business stakeholders
        • Don’t get the respect we deserve
    • The Problems
      • Pure Security vs. Business Security
      • Cost vs. Completeness
      • Scope vs. “Hackers Don't Have Scope”
      • Downtime vs. Patch to Secure
      • Feature Release vs. Secure Development
      • Compromise Disclosure vs. Potential Financial Devastation
      • Compliance vs. Security
    • Pure Security vs. Business Security
      • View from the trenches
        • Security is an ever-changing field / not constrained by dated academic theories
        • A secure environment is the goal but never really gonna happen
        • It’s secure when it can’t be hacked
        • It requires 24/7 support
    • Pure Security vs. Business Security
      • View from the business
        • Security is defined by the CIA triad
        • Availability (typically) trumps Integrity and Confidentiality
        • The cost of operating securely should not be detrimental to the company’s bottom line
        • The budget cannot be expanded just because there are new threats
    • Cost vs. Completeness
      • View from the trenches
        • Completeness should be the goal
        • Budget should be flexible to accommodate
        • We must test ALL devices
        • We must look at every level (Network, App, Code, etc.)
        • The test/testers you bought SUCK
    • Cost vs. Completeness
      • View from the business
        • Fixed cost for project / no wiggle room
        • Budget dictates the depth, you don’t!
        • The only things in scope are the machines holding (insert here) <PCI, PHI, etc.> data on them
        • I only have to do a Web App test OR a Code review, not both. It says it right here in the standard.
    • Scope vs. “Hackers Don't Have Scope”
      • View from the trenches
        • Scope is a guideline / ROE may need to be adjusted as required
        • We will attack any asset that you own. What’s on it doesn’t matter.
        • You must test everything on the box/app, not just what that dumb compliance sheet tells you
        • SE is out of scope? WHY? Real hackers will attack our people
    • Scope vs. “Hackers Don't Have Scope”
      • View from the business
        • ROE non-negotiable / paid to adhere to scope
        • We know what we want tested and what is important for the business
        • Scope creep does not benefit the business
        • Political ramifications of “testing” our people is a large liability.
    • Downtime vs. Patch to Secure
      • View from the trenches
        • Patches need to be applied / that’s why they’re released
        • How much revenue will be lost if this threat vector is exploited?
        • Patching now may reduce downtime due to breach later
        • If you are worried about installing the patch, test it first
        • This is stupid, why isn’t it automated?
    • Downtime vs. Patch to Secure
      • View from the business
        • The business can’t afford downtime to patch / disrupts business and potential for lost revenue
          • Availability is more important than security
        • We have a network firewall and desktop AV / should be enough
        • Attackers are on the outside
        • We are a Hospital/bank/Whatever, we CAN’T go DOWN!
    • Feature Release vs. Secure Development
      • View from the trenches
        • If we fix it now, we’re releasing products that are secure out of the box / don’t have to fix later
        • Delivery timelines can shift / they’re just dates in MS Project
        • Saving money by fixing it now. (cite post-release 100x bugfix increase cost)
        • “I won’t put my name on this *tantrum* *badmouth*”
    • Feature Release vs. Secure Development
      • View from the business
        • Delaying release may jeopardize our GTM strategy
        • Fixes can be applied in a post-release hotfix or in the next minor/major release
        • Development & QA time costs money / not a money maker
        • May lose money by fixing it now
        • Feature profits will fund future security enhancements
    • Compromise Disclosure vs. Potential Financial Devastation
      • View from the trenches
        • It’s our duty to report exploit vectors to the vendors / we’d want others to do the same
        • We got hacked, we need to tell our customers.
        • YOU are unethical if you don’t tell anyone
    • Compromise Disclosure vs. Potential Financial Devastation
      • View from the business
        • Disclosing weaknesses jeopardizes our business!
        • Let someone else report it to the vendors / social responsibility be damned!
        • We’re in business to make money, not help the vendors fix their problems
        • We got hit but no sensitive information was accessed
    • Compliance vs. Security
      • View from the trenches
        • Compliance IS NOT Security
        • Compliance is a byproduct of being secure
        • Compliance is stupid and is someone else’s problem
        • How can one size fit all?
        • How does securing 10% of our assets and ignoring the other 90% make us secure?
    • Compliance vs. Security
      • View from the business
        • Sometimes compliance is the end goal / deemed ‘good enough’
        • Our customers (who pay your salary) REQUIRE us to be certified
        • Achieve compliance, security should follow
        • Not enough money for both but higher risk of fines for not being compliant
    • The Way To Fix the Problem
      • Some common ground must be found
      • Business / Hackers / What we need
    • Business Needs To…
      • Understand that…
        • Hackers are intelligent people who are responsible enough to be educated on the business and its issues
        • Business has a large moving target to keep up with and needs effective direction
        • Hackers are their first and last line of defense / They defend your paycheck and require your support
      • Provide executive support, understanding, and financial backing for the security team or expect failure
        • Security is just like ALL other business units; without those things… they will fail.
    • Hackers Need To…
      • Learn more about the business, its operations, and how cost plays into the decision process
      • Identify the political challenges and pose their problems/solutions in a manner that fits
      • Talk in language that executives understand
        • Articulate technical issues in less complex terms
        • Pretend you’re explaining to your mother
    • Both Need To…
      • Learn respect and tolerance for the other’s skills and problems
      • Recognize that both camps bring valuable information to the table / keep an open mind!
      • Realize that neither camp should dictate best practices but rather agree on best practices
      • Understand that they have the same goals but start off on opposite sides to get there.
    • Questions? Ask yourself ‘what have I done to bridge the gap?’
    • Thank you!
      • Andrew Hay
        • Senior Analyst, The 451 Group,
        • Enterprise Security Practice
      • [email_address]
      • http://www.the451group.com
      • http://twitter.com/andrewsmhay
      • http://www.andrewhay.ca
      • Chris Nickerson
        • Founder & Principal Security Consultant, Lares Consulting
      • [email_address]
      • http://www.laresconsulting.com
      • http://twitter.com/indi303
      • http://exoticliability.libsyn.com/