You built a security castle and forgot the bridge…now users are climbing your walls

Published on: BSidesLondon, 20th April 2011 - Soraya Viloria Montes de Oca
Successful IT projects are not always successful from a security point of view. The question "How much time do you ever spend understanding the business needs and the data that the system is handling before you propose security controls?" is asked... and discussed.

For more about Iggy follow @GeekChickUK

Published in: Technology, Business
Notes
  • MORE FAILURES
    UK prison IT: Massive and 'spectacular' failure (http://www.zdnet.com/blog/projectfailures/uk-prison-it-massive-and-spectacular-failure/2353)
    High failure rate hits IT projects (http://www.computing.co.uk/ctg/news/1829160/high-failure-rate-hits-it-projects)
    Labour's computer blunders cost £26bn (http://www.independent.co.uk/news/uk/politics/labours-computer-blunders-cost-16326bn-1871967.html)
    GLIMMER of IMPROVEMENTS
    The Standish Group (1994) estimated that U.S. IT projects wasted $140 billion, $80 billion of that from failed projects, out of a total of $250 billion in project spending. The Standish Group (2004) report entitled "CHAOS Chronicles" found total U.S. project waste to be $55 billion, made up of $38 billion in lost dollar value and $17 billion in cost overruns. Total project spending was found to be $255 billion in the 2004 report.
  • If you forget to involve your users and understand their information flows... you are in for a battle. PLUS: you might be protecting the wrong assets, or protecting the right assets the wrong way.
  • Even if in the same team, their circumstances may vary. Security can be tiresome when it is obviously unnecessary. If you make people jump through hoops for nothing you won't win any security friends.
  • Don't obsess about protecting everything... you may not need to.
  • Pentester arrives. You have more holes than a colander. Finds faults within 10 minutes. Pentester tells the business...
  • Get the buy-in from the wider business – not just the board but the asset owners and the asset administrators. Involve the IT department and the business security department. Use a magnifier and look at the deeply ingrained patterns – the org culture. There is no magic bullet for IT security success, BUT: understand the organisation, communicate effectively and see the project through to the end.
  • What it means is that under the same title you may have 5 or 8 different types of professionals working differently, even if from the same team. So you need to look deeper than just the JDs.
  • Huge difference in the infrastructure available to them. Those based at a hospital would have access to fibre and the highest speeds; surgeries are a little rubbish; but there are those around rural areas using only 3G, seeing 4 or 5 patients a day and not coming back to the office for long periods.
Transcript of "You built a security castle and forgot the bridge… now users are climbing your walls"

You built a security castle but you forgot the bridge...
now your users are climbing up the walls
Soraya Viloria Montes de Oca
@GeekChickUK

Disclaimer
  • The views expressed in this presentation are the views of the speaker and do not reflect the views or policies of her present or past employers.
  • The cases and examples, while inspired by real life, are the result of her crazy imagination.
  • The terminology used may not necessarily be consistent with official terms and may reflect prejudicially on her parents' parental efforts.
  • Some slides may vary from the live presentation due to restrictions and © license permissions.

IT projects #fail
75% of all IT projects fail...
UK Projects:
£12.7bn National Programme for IT (NHS)
£7.1bn Defence Information Infrastructure (DII)
£5bn National Identity Scheme
£400m Libra system (for magistrates' courts)
Gartner's reports plus various other articles
Let's not dwell on that
Is it really a o/ #win?
To be successful you need to aim beyond the aims of "completing on time and in budget". IMHO

Once upon a time...
You built a security castle

If you don't understand...
Users
Assets
Get ready for a battle

If you don't understand...
"Users" vs. "Service desk"
"Service desk" vs. "Systems Ops"
"Users" vs. "InfoSec"
"Systems Ops" vs. "InfoSec"
The battle... will be lost

One shoe... doesn't fit all
Users are not homogenous: they access different information... in a variety of ways
Good security understands that

And different assets... have different values
Would you put the same resources and efforts into protecting these?
If too tight security is soon...
What do we hear?
  • You are costing us money
  • We can live with the risk
  • Your position of advisory
To succeed the business will soon sell your castle
(The original cartoon had to be removed as the license was only for live presentation)
...undermined

By week 112
You have more holes than a colander
© secure-uk.imrworldwide.com

Without the buy-in (Board, I.T, Users)
The security battle will be lost
Time for a quick game?
Let's suggest a secure solution which will enable the Occupational Therapy (OT) team to provide medical care to patients somewhere in... Scotland

Info you have
Documentation:
The blueprints of the sites
Hospitals
GP surgeries/clinics
NPLS networks
Organisational charts
Even... Job Descriptions
Some security architects start and finish here...

Take a closer look
Occupational Therapy Team
Occupational therapy careers are instrumental in teaching individuals who suffer from a physical, mental, emotional, or developmental disability to develop, to recover or to maintain the tasks of daily living along with work skills if needed.
In practice: very different functions and 5+ different positions
To build security that lasts

Take a closer look
Occupational Therapy Team
  • Some work at the hospital
  • Others at GP surgeries or clinics
  • Others support patients at home and go back to base once a month
which means very different infrastructure & tools
How can you achieve work targets if you can't perform the same tasks at the same speed?
Not everything is what it seems

Look deeper...
The same team doesn't have the same tools

and deeper...
Based at hospital you get top speeds but...
Could you upload videos of patients from a GP surgery or using 3G?
"Many GP practices are struggling with inadequate broadband speeds over N3... the majority of practices, with up to 49 network devices, are now limited to a 1Mb ADSL connection with upstream rates of 288kb/s..."
NHS broadband leaves GPs in slow lane, © 2006 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED
Same speeds?
And your point is?
In order to make your castle stand the test of time:
  • Get to know who your users are and the assets you are protecting
  • Design a security model that fits the organisation's functional and legal requirements.
  • Don't build "security" that gets in the way but one that is flexible, copes with a variety of business processes and allows the data to flow... securely
  • Don't make assumptions
  • Balance usability & security, minimal amount of rules.

Report time
Auditors, pentesters and the like...
  • To make a difference highlight the good and the bad, always be constructive
  • Write English no matter how cool your findings are; don't brag using technical terms
  • Aim to make a difference

and if you want to chat about security that lasts... come and find me
Soraya Viloria Montes de Oca
@GeekChickUK
GeekChickUK ( @ ) gmail (.) com
Cheers!