
Five things I learned about information security



I delivered this presentation at the University of the Incarnate Word in San Antonio, Texas, to a group of students studying information security. They're learning plenty about the technical aspects of information security, but I wanted to talk to them about the non-technical aspects as well. This presentation is meant to be a low-tech, more social introduction on how to handle security within a large organization.



  1. Major Hayden. University of the Incarnate Word - November 2, 2015. Five lessons I learned about information security
  2. A bit about me
  3. Major Hayden, Principal Architect at Rackspace. Fedora Security Team; Package maintainer; Fedora Planet blogger; Former board member; Ambassador; Ansible; Python; OpenStack; Xen/KVM/Containers; Information Security
  4. Major Hayden, Principal Architect at Rackspace. GIAC Certified Unix Security Administrator; Paper: Securing Linux Containers; GIAC Security Essentials Certification; Red Hat Certified Architect
  6. Agenda: How did I get into information security? Five lessons learned (many of them learned the hard way). Final thoughts (and some required reading).
  7. How did I get into information security?
  8. How did I stumble into information security?
  9. I sent an angry email after a security incident. Special note: this is not a recommended method for getting into an information security career.
  10. Impromptu calendar invitation from the Chief Security Officer (CSO) arrives
  11. “I’m totally fired.”
  12. Lesson 1: Information security requires lots of communication and relationships
  13. People within businesses generally fall into one of three security mindsets:
  14. “Security is mission-critical for us and it’s how we maintain our customers’ trust.” These are your allies. Share your intelligence with them frequently. They must be “read into” what’s happening. Highlight their accomplishments and efforts to your leadership and theirs at every possible opportunity.
  15. “Security is really important, but we have lots of features to release. We will get to it.” These people see security as a bolt-on, value-added product feature. Share methods for building in security from the start. Make it easier for this group to build secure systems through technical standards.
  16. “I opened this weird file from someone I didn’t know and now my computer is acting funny.” This group is your biggest risk. Take steps to prevent them from being able to make mistakes in the first place. Regularly send high-level communication to this group with useful information in a friendly format.
  17. Lesson 2: Spend the majority of your time and money on detection and response capabilities
  18. Make it easier to detect an intruder and respond to the intrusion. Don’t let your intruders act like this: Make them act more like this:
  19. Ensure that if an attacker gains access to your network, you know about the intrusion and how to respond. Automation, aggregation, alerting. Firewall logs; Netflow data/analysis; Intrusion Detection Systems (IDS); server logs; authentication logs; physical security devices. Immediate, coordinated response.
  20. Incident communication: Use broad communication that hints at urgency without sharing details. Share the details with your allies in the business.
  21. Lesson 3: People, process, and technology must be in sync
  22. After an incident: Don’t talk about people*. Don’t talk about what could have been done. Don’t talk about vendors. * No matter how delicate you are, you will eventually “call the baby ugly”.
  23. Assume the worst will happen again. Design processes and technologies to reduce its impact in the future. This is an iterative process.
  24. Lesson 4: Set standards, not policies.
  25. Use a little psychology to drive the behavior you truly want: a more secure infrastructure
  26. Compare these two methods of communicating with the business:
  27. “If your system doesn’t pass this PCI-DSS audit, we won’t be able to take credit cards. We know what that means.”
  28. “We have a technical standard for public-facing environments that you need to meet, and we have some tools to self-assess your systems.”
  29. Technical people can easily digest technical standards, but not lengthy compliance documents. Design a standard so that an environment can meet multiple compliance programs if it is followed carefully.
  30. Lesson 5: Don’t take security incidents personally.
  31. Security incidents highlight areas for improvement. They also give you a better idea of what attackers want from your business.
  32. Take the time to do a thorough root cause analysis. Adjust spending, priorities, and tasks based on what you find.
  33. Final thoughts
  34. Information security thrives on frequent, honest, meaningful communication more than anything else. Security incidents will happen. How you respond to them is critical. Design systems that prevent people from making mistakes in the first place.
  35. Switch: How to Change Things When Change is Hard, by Chip & Dan Heath. When you want to make change happen, this book will help you focus your thinking. It has some great frameworks and situational examples.
  36. Winning With People, by John Maxwell. Building relationships requires learning a lot about yourself first. This book is broken into five sections that gradually take you through how to have stronger, lasting relationships with others.
  37. The Phoenix Project, by Gene Kim, Kevin Behr, and George Spafford. A must for anyone working in IT. It’s a modern spin on Goldratt’s classic, The Goal, that focuses on a new IT executive who is in over his head. Security and compliance issues play a big role in how he works within his business.
  38. Thank you! majorhayden
  39. Image Credits. Bank safe on title slide: By Alvesgaspar (Own work) [CC BY-SA 4.0], via Wikimedia Commons. Honduran TIGRES soldiers: United States Special Operations Command (Flickr, CC-BY 2.0). Longhorn cattle: Evelyn Simak [CC BY-SA 2.0], via Wikimedia Commons. NORAD: By NORAD (government website) [Public domain], via Wikimedia Commons. Iterative process diagram: By Aflafla1 [CC0], via Wikimedia Commons.