DevOpsDay London Ben Hughes Security

Security, how we used to do that, why that's wrong, what to do instead.

Video of this talk being given is http://vimeo.com/album/2594031/video/79378300

Security and shizzle
Ben Hughes (@benjammingh), Monday, 11 November 13

Whom be this?
• Ben Hughes, security monkey at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.

It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
• I quite like Etsy, here’s why.

Security, where did it all go wrong?

Wait, but we bought a firewall!

They’re coming out of the walls

teh cloudz
• AWS logo goes here.
• Maybe not in AWS... (other cloudiness vendors may be available)

But we’re secure, right?

The Watering hole attacks of Feb

Other than the occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.

I’d buy that for a dollar
[laptop:~]% id
uid=501(ben) gid=20(staff) groups=20(staff)
[laptop:~]% ./magic
[*] running old exploit against unpatched OSX.
[*] firing off connect back shell to AWS.
[*] throwing mad persistence in to LaunchAgents.
[*] dropping to a shell.
[laptop:~]# id
uid=0(root) gid=0(root)

Zero [cool] day
• Zero day is bad!

Surprise!
• You can’t defend against unknown attacks.
• Clue is in the name.

Rejoice. That mostly doesn’t matter!

Treat the symptoms
• Lateral movement can be more important than how they got in.
• You don’t care that they broke a window, you care that they got in your living room and took your TV.
• (still fix your window)

Hudson hawk reference
• Why is /bin/sh running on your webserver?
• Why is your webserver trying to SSH to other hosts?
• Why is the Cold Fusion process reading arbitrary files off of disk? (SE/NSA Linux time)

But still patch
• Please, still patch things.
• Know that it isn’t a panacea.
• Realise that is okay.

Please do patch!
• No really!

Logs are your eyes.
“If it’s not monitored... ...it’s not in production”
Well
“If it’s not logged, did it really happen?”

You have a limited number of eyes.

Alerts

Logstash
• http://logstash.net/
• http://www.elasticsearch.org/overview/kibana/
• http://www.logstashbook.com/
• https://github.com/miah/chef_logstash
• https://forge.puppetlabs.com/tags/logstash
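The “Hudson hawk” questions and the “logs are your eyes” slides describe the same thing from two sides: the symptoms of a foothold on a webserver (a shell spawned by the web process, the web account SSH-ing to other hosts) and the fact that you only see them if the process starts are logged and something is watching. The script below is an added example, not material from the talk or from Etsy: it runs that check over a few constructed process-start log lines. The `procmon:` line format, the host and account names and the sample events are all assumptions made for the example.

```python
"""Spot the lateral-movement symptoms the slides describe in process logs.

Added example (not from the talk): given process-start events, flag a web
server that spawns a shell or tries to reach other hosts over SSH. The
log line format and the sample lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed format (assumption): one process start per line, e.g.
# 2013-11-11T10:02:13Z web01 procmon: user=www-data parent=httpd exe=/bin/sh args="sh -c id"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) procmon: "
    r"user=(?P<user>\S+) parent=(?P<parent>\S+) exe=(?P<exe>\S+)"
    r'(?: args="(?P<args>[^"]*)")?\s*$'
)

# Accounts and parent processes that identify "the webserver" on these hosts.
WEB_USERS = {"www-data", "apache", "nginx", "httpd"}
WEB_PARENTS = {"httpd", "apache2", "nginx", "php-fpm", "coldfusion"}
# Binaries a web request handler has no business starting.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
REMOTE_TOOLS = {"/usr/bin/ssh", "/usr/bin/scp", "/usr/bin/nc", "/bin/nc"}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    exe: str
    args: str


def parse(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(m["ts"], m["host"], m["user"], m["parent"], m["exe"], m["args"] or "")


def classify(ev: Event) -> Optional[str]:
    """Name the symptom an event shows, or None if it looks ordinary.

    An event counts as web-server activity if it runs as a web account or
    was started directly by a web-server process. Root's cron running a
    shell, or the web account running its own interpreter, is left alone.
    """
    web_context = ev.user in WEB_USERS or ev.parent in WEB_PARENTS
    if not web_context:
        return None
    if ev.exe in SHELLS:
        return "shell-from-webserver"
    if ev.exe in REMOTE_TOOLS:
        return "remote-from-webserver"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, Event]]:
    """Return (symptom, event) pairs for every suspicious line, in log order."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # lines in other formats are skipped, never matched by accident
        symptom = classify(ev)
        if symptom:
            findings.append((symptom, ev))
    return findings


# Constructed sample: a normal PHP request, a root cron job, then the
# pattern from the slides (shell from httpd, then SSH to other hosts).
SAMPLE_LOG = """\
2013-11-11T09:58:01Z web01 procmon: user=www-data parent=httpd exe=/usr/bin/php-cgi args="php-cgi index.php"
2013-11-11T09:58:03Z web01 procmon: user=root parent=cron exe=/bin/sh args="sh -c /usr/local/bin/rotate.sh"
2013-11-11T10:02:13Z web01 procmon: user=www-data parent=httpd exe=/bin/sh args="sh -c id"
2013-11-11T10:02:40Z web01 procmon: user=www-data parent=sh exe=/usr/bin/ssh args="ssh deploy@db01"
2013-11-11T10:03:05Z web01 procmon: user=www-data parent=httpd exe=/usr/bin/ssh args="ssh db02"
Nov 11 10:03:06 web01 sshd[4242]: some other daemon's line
"""

if __name__ == "__main__":
    for symptom, ev in scan(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {ev.host} {symptom}: {ev.user} <- {ev.parent} ran {ev.exe} ({ev.args})")
```

The allow-by-context rule is the point: the same `/bin/sh` is fine under cron as root and alarming under `httpd` as `www-data`, so the check keys on who started it, not on the binary alone. In a Logstash pipeline this logic would live in a filter stage with the alert emitted downstream; here it is a plain function so the rule can be unit-tested against captured lines before it ever pages anyone.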
Two factor all the things
• Duo - https://www.duosecurity.com/
• Authy - https://www.authy.com/
• Google - http://goo.gl/hvre2D
• YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.

Duo and Yubikeys
vvbrc

Pen Testing
• Don’t pay someone else to tell you to patch things.
• Don’t pay someone to run Nessus.
• Hire more security people before paying for pen-tests.
• Attack simulations are better. http://bit.ly/attacksims

Attack simulations?
• Everything in scope.
• Don’t have security run it.
• Don’t block on fragility.

Transparency!
• Invite people to the brief.
• Don’t just expect a PDF.
• Treat it as a postmortem.
• Come out of it with a set of actions.

Game days.
• Ops’ “game day” simulations, but for security.

Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
• Don’t think you can fully eliminate it, get it reported instead.

Intermission.

New, Improved Devops
• Silo smashing in to one new larger silo!

DevSecOpsFarmerQueen
• Not just dev.
• Not just ops.
• Many hats.
• Security doesn’t just magically happen.

Get security involved!
• This can be done in all sized environments!
• Small - having someone who has a security background or interest.
• Large - ”Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-engryan-oboyle-from-the-trenches-real-world-agile-sdlc/

Security are people too!
• they just might not always act like it...
• security is the only area of technology with genuine adversaries.

Infosec, this one’s for you
• Dev and ops (and everyone else) are people too.
• They made those decisions without malice in mind.
• People don’t go out of their way to make things insecure!

Primary action items
• Don’t just say “did you speak to security about this?”
• Get people involved!
• Security has never [successfully] been a check box.

Reducing barriers.
Having an approachable security team is the most important thing they can do. The second you lose the ability to talk to them about anything, you effectively lose your security team.

So, that party you mentioned?
• Skill sharing.
• Hack week.
• Boot camping.

Borrowing from the devops.
• Tests!
• Test your code and your infrastructure.
• Wait, someone already gave this talk: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
• So did Gareth! https://speakerdeck.com/garethr/securitymonitoring-penetration-testing-meetsmonitoring

Stop saying “No!”

So finally
• The most important thing that we do as a security team is...
• Humility.
• Security isn’t everything. People are rad.

Fin
<golden axe screen shot>