DevOpsDay London Ben Hughes Security

Security, how we used to do that, why that's wrong, what to do instead.

Video of this talk being given is http://vimeo.com/album/2594031/video/79378300

Published in: Technology, News & Politics

  1. Security and shizzle. Monday, 11 November 13
  2. Whom be this? • Ben Hughes, security monkey at Etsy. • Bullet point fanatic. • Terrible at slides. • Shout out to the Etsy security team. @benjammingh
  3. It’s a tale of two halves • Security, where did it all go wrong? • Don’t go alone, take this! • Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else? • I quite like Etsy, here’s why.
  4. Security, where did it all go wrong?
  5. Wait, but we bought a firewall!
  6. They’re coming out of the walls
  7. teh cloudz • AWS logo goes here. • Maybe not in AWS... (other cloudiness vendors may be available)
  8. But we’re secure, right?
  9. But we’re secure, right?
  10. The watering hole attacks of Feb
  11. Other than the occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.
  12. I’d buy that for a dollar
      [laptop:~]% id
      uid=501(ben) gid=20(staff) groups=20(staff)
      [laptop:~]% ./magic
      [*] running old exploit against unpatched OSX.
      [*] firing off connect back shell to AWS.
      [*] throwing mad persistence in to LaunchAgents.
      [*] dropping to a shell.
      [laptop:~]# id
      uid=0(root) gid=0(root)
  13. Zero [cool] day • Zero day is bad!
  14. Surprise! • You can’t defend against unknown attacks. • Clue is in the name.
  15. Rejoice. That mostly doesn’t matter!
  16. Treat the symptoms • Lateral movement can be more important than how they got in. • You don’t care that they broke a window, you care that they got in your living room and took your TV. • (still fix your window)
  17. Hudson Hawk reference • Why is /bin/sh running on your webserver? • Why is your webserver trying to SSH to other hosts? • Why is the ColdFusion process reading arbitrary files off of disk? (SE/NSA Linux time)
  18. But still patch • Please, still patch things. • Know that it isn’t a panacea. • Realise that that is okay.
  19. Please do patch! • No really!
  20. Logs are your eyes. “If it’s not monitored... it’s not in production.” Well, “If it’s not logged, did it really happen?”
  21. You have a limited number of eyes.
  22. Alerts
  23. Logstash • http://logstash.net/ • http://www.elasticsearch.org/overview/kibana/ • http://www.logstashbook.com/ • https://github.com/miah/chef_logstash • https://forge.puppetlabs.com/tags/logstash
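The three questions on slide 17 are detection rules in disguise, and slide 20's point is that you can only ask them if the underlying events are logged and routed to something that alerts. The Python below is an added example, not code from the talk or from Etsy: it runs three such rules over a small constructed JSON-lines event feed. The event schema (type/host/user/parent/exe/dst/dport/path), the process and account names, and the document-root allowlist are all assumptions for this example, not any real auditd, osquery or Logstash record format. In a Logstash pipeline the same logic would live in filter conditionals that tag matching events for an alerting output.

```python
"""Three alert rules for 'why is /bin/sh running on your webserver?'.

Added example. The events below are a constructed JSON-lines feed with an
assumed schema (type/host/user/parent/exe/dst/dport/path); they are not
real auditd, osquery or Logstash records.
"""
import json
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Assumed inventory (constructed): processes and accounts that serve web traffic.
WEB_SERVICE_PROCESSES = {"httpd", "nginx", "cfusion"}
WEB_SERVICE_ACCOUNTS = {"apache", "www-data", "coldfusion"}
# Shells and interpreters a web server process has no business spawning.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/perl", "/usr/bin/python"}
# Paths a web process is expected to read (constructed allowlist). A real
# deployment would learn this baseline from logs or enforce it with SELinux policy.
WEB_READ_PREFIXES = ("/var/www/", "/opt/cf/", "/etc/httpd/", "/tmp/")


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def rule_shell_from_webserver(ev: dict) -> Optional[Alert]:
    """Slide 17, question 1: a web service process executed a shell."""
    if (ev.get("type") == "exec" and ev.get("parent") in WEB_SERVICE_PROCESSES
            and ev.get("exe") in SHELLS):
        return Alert("shell_spawned_by_webserver", ev["host"],
                     f'{ev["parent"]} spawned {ev["exe"]}')
    return None


def rule_webserver_ssh_out(ev: dict) -> Optional[Alert]:
    """Slide 17, question 2: a web service account opened an outbound SSH connection."""
    if (ev.get("type") == "connect" and ev.get("user") in WEB_SERVICE_ACCOUNTS
            and ev.get("dport") == 22):
        return Alert("webserver_ssh_outbound", ev["host"],
                     f'{ev["user"]} connected to {ev["dst"]}:22')
    return None


def rule_webserver_read_outside_docroot(ev: dict) -> Optional[Alert]:
    """Slide 17, question 3: a web service account read a file off its allowlist."""
    if (ev.get("type") == "open" and ev.get("user") in WEB_SERVICE_ACCOUNTS
            and not ev.get("path", "").startswith(WEB_READ_PREFIXES)):
        return Alert("webserver_read_outside_docroot", ev["host"],
                     f'{ev["user"]} read {ev["path"]}')
    return None


RULES: List[Callable[[dict], Optional[Alert]]] = [
    rule_shell_from_webserver,
    rule_webserver_ssh_out,
    rule_webserver_read_outside_docroot,
]


def evaluate(lines: Iterable[str]) -> List[Alert]:
    """Run every rule over every well-formed event. Malformed lines are skipped here;
    a production pipeline should count them, because a gap in logging is itself a signal."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or "host" not in ev:
            continue
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample feed: four benign events and three that should alert.
SAMPLE_EVENTS = """
{"type": "exec", "host": "web01", "user": "apache", "parent": "httpd", "exe": "/usr/sbin/sendmail"}
{"type": "exec", "host": "web01", "user": "apache", "parent": "httpd", "exe": "/bin/sh"}
{"type": "connect", "host": "web01", "user": "apache", "exe": "/usr/bin/ssh", "dst": "10.0.0.5", "dport": 22}
{"type": "connect", "host": "web01", "user": "apache", "exe": "httpd", "dst": "10.0.0.9", "dport": 3306}
{"type": "open", "host": "web02", "user": "coldfusion", "exe": "cfusion", "path": "/opt/cf/wwwroot/index.cfm"}
{"type": "open", "host": "web02", "user": "coldfusion", "exe": "cfusion", "path": "/etc/shadow"}
{"type": "exec", "host": "bastion", "user": "ben", "parent": "sshd", "exe": "/bin/bash"}
""".strip().splitlines()


def run_sample() -> List[Alert]:
    """Evaluate the constructed feed; returns the three expected alerts in feed order."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The benign lines matter as much as the bad ones: an admin's sshd-spawned bash on the bastion and the web server's own MySQL connection must not fire, or the limited number of eyes from slide 21 will stop reading the alerts. The third rule is the noisiest in practice (web processes legitimately read config and library files), which is why the slide's SELinux aside is the better long-term answer: enforce the allowlist rather than merely alert on it.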
  24. Two factor all the things • Duo - https://www.duosecurity.com/ • Authy - https://www.authy.com/ • Google - http://goo.gl/hvre2D • YubiKey - https://www.yubico.com/ Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.
  25. Duo and Yubikeys vvbrc
  26. Pen testing • Don’t pay someone else to tell you to patch things. • Don’t pay someone to run Nessus. • Hire more security people before paying for pen-tests. • Attack simulations are better. http://bit.ly/attacksims
  27. Attack simulations? • Everything in scope.
  28. Attack simulations? • Everything in scope. • Don’t have security run it.
  29. Attack simulations? • Everything in scope. • Don’t have security run it. • Don’t block on fragility.
  30. Transparency! • Invite people to the brief. • Don’t just expect a PDF. • Treat it as a postmortem. • Come out of it with a set of actions.
  31. Game days. • Ops’ “game day” simulations, but for security.
  32. Phishing • Who’s stopped phishing?
  33. Phishing • Who’s stopped phishing? • You’re not going to stop phishing.
  34. Phishing • Who’s stopped phishing? • You’re not going to stop phishing. • That doesn’t matter.
  35. Phishing • Who’s stopped phishing? • You’re not going to stop phishing. • That doesn’t matter. • Don’t think you can fully eliminate it; get it reported instead.
  36. Intermission.
  37. New, improved devops • Silo smashing in to one new larger silo!
  38. DevSecOpsFarmerQueen • Not just dev. • Not just ops. • Many hats. • Security doesn’t just magically happen.
  39. Get security involved! • This can be done in all sized environments! • Small - having someone who has a security background or interest. • Large - ”Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-engryan-oboyle-from-the-trenches-real-world-agile-sdlc/
  40. Security are people too!
  41. Security are people too! • They just might not always act like it... • Security is the only area of technology with genuine adversaries.
  42. Infosec, this one’s for you • Dev and ops (and everyone else) are people too. • They made those decisions without malice in mind. • People don’t go out of their way to make things insecure!
  43. Primary action items • Don’t just say “did you speak to security about this?” • Get people involved! • Security has never [successfully] been a check box.
  44. Reducing barriers. Having an approachable security team is the most important thing they can do. The second you lose the ability to talk to them about anything, you effectively lose your security team.
  45. So, that party you mentioned? • Skill sharing.
  46. So, that party you mentioned? • Hack week.
  47. So, that party you mentioned? • Boot camping.
  48. Borrowing from the devops. • Tests!
  49. Borrowing from the devops. • Tests! • Test your code and your infrastructure.
  50. Borrowing from the devops. • Tests! • Test your code and your infrastructure. • Wait, someone already gave this talk: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
  51. Borrowing from the devops. So did Gareth! https://speakerdeck.com/garethr/securitymonitoring-penetration-testing-meetsmonitoring
  52. Stop saying “No!”
  53. So finally • The most important thing that we do as a security team is... • Humility.
  54. So finally • The most important thing that we do as a security team is... • Humility. • Security isn’t everything. People are rad.
  55. Fin <golden axe screen shot>