1. Security in the Internet Economy
How to go from nothing to something!
@StuHirstInfosec
2. My background
• 12 years as a mainframe COBOL guy
• 1 year in the music industry
• 3 years at The Trainline, where I moved into security
• Now the IT Security Manager / Squad Lead at Skyscanner
3. Skyscanner background
One of the world’s leading travel search engines, formed in 2003
Over 3 million hits a day
Flights, Hotels, Car Hire, Mobile apps
Powering MSN’s Flight Search, plus Yahoo Japan JV
Over 30 versions of the site around the globe
Offices in Edinburgh, Glasgow, Miami, Beijing, Singapore, Shenzhen, Budapest, Sofia, Barcelona, London
100 employees in 2012, 800+ now!
9. Squads
Squads (Flights Search, Car Hire iOS, Hotels Android etc.)
Nearly 100 Squads across the business!
Cross-functional teams, usually around 3 to 6 people: essentially a ‘mini start-up’
They look after specific parts of the Skyscanner product
They establish and improve their own processes and use their own technologies: self-sufficient
16. User Data
Implemented new MINIMUM STANDARDS for user data
Privacy BY DESIGN!
Examples:
• Only stored in agreed places (e.g. AWS)
• Minimum encryption levels when transferring
• Same for data at rest
• Only using TLS
• Get rid of old ciphers
• Segment the network
• Tighten up access controls to the data
20. AWS
• HUGE learning curve!
• Security have had to learn about the whole product, not just security aspects: EC2 instances, Container Service, Elastic Beanstalk, Lambda, Glacier, DynamoDB etc.
We’re now preparing training courses for AWS Best Practice in Security, based on the CIS Benchmark Standards and using info from the various White Papers available and content from the 2015 Re:Invent conference
21. What we do: Code Voyagers / Ignition
• 1 hour specific induction sessions with all new engineers
• Focusing on secure development
• OWASP Top 10
• Trends
22. What we do: Security Meet Up
Community
Sharing Ideas
24. Phishing – part 1
Actually investigate them!
• If there’s a link, debug it: where is it going?
• If an attachment, what does it do? Does it look to download a payload? If so, block the IPs on your firewall
• Check anti-virus to see if it’s been picked up
• Use a malware sandboxer
• Strip the malware apart and understand what it’s doing
26. What we do: Bug Bounties
“Let’s be safe, let’s get a CREST registered Pen Tester to test us”
Why don’t you get the public to test you?
They’re the ones that’ll be hacking you…
IN ONE WEEK OF A BUG BOUNTY PROGRAM, WE HAD OVER 150 SUBMISSIONS FROM 49 TESTERS
27. What we do: Bug Bounties, cont.
• Why not take the main bugs found and learn how to replicate them and test against them in the future?
• Teach your engineers / devs to do the same
• Share the knowledge / the love / the beer
Any reasonable security analyst should be able to test for a SQL Injection and an XSS vulnerability; there are plenty of online training resources to help
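One way to turn a bounty-reported SQL injection into a permanent regression test, as an added example that is not from the talk or Skyscanner; the users table, its columns and the sample rows are constructed assumptions:

```python
# Added example: a regression test a squad can keep in its suite so a SQL
# injection bug found by a bounty hunter cannot quietly come back.
# Uses an in-memory SQLite database; table, columns and rows are assumptions.
import sqlite3

SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    # The bug class: user input is glued into the query string, so the
    # input can change what the query means.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    # Hardened form: a bound parameter is always treated as data, never as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def injection_regression(lookup):
    """Return True if `lookup` resists the classic tautology probe.

    A correct lookup for a name that does not exist must return no rows.
    The vulnerable version returns every user, because the quote closes the
    literal and the appended OR clause is always true.
    """
    conn = make_db()
    probe = "nobody' OR '1'='1"
    rows = lookup(conn, probe)
    conn.close()
    return len(rows) == 0


if __name__ == "__main__":
    print("vulnerable lookup passes:", injection_regression(find_user_vulnerable))
    print("parameterised lookup passes:", injection_regression(find_user_fixed))
```

The same shape works for the other findings the slide mentions: keep the reporter's input as a fixture and assert the fixed code handles it.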
28. What we do: Announcing failure
Weekly PRODOPS Review
NO BLAME! It’s a learning exercise
31. War Games
What we do (a bit more exciting!)
WAR GAMES!
WE SET OURSELVES A TARGET TO HACK OURSELVES FOR 2 DAYS A MONTH
We drain Data Centres and try to DDoS them
We set up spoof wi-fi points and attempt Man In The Middle attacks on company phones
We try to find internal data we shouldn’t have access to
AND MORE!
38. Stats
Not everything is critical!
Simple and quick wins are GOOD wins!
Try to increase the likelihood of an employee telling you about an event or potential attack
Run attack simulations. Break something before someone else does!
FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS
IF YOU GO FROM 48% TO 32% ON FIRE, YOU’RE STILL ON FIRE!
(Zane Lackey, ex-Etsy)
39. Past vs Future
Just because you have done something a certain way in the past doesn’t mean it has to be that way in the future
e.g. pen testing vs bug bounty
40. What next?
Focus on what you can do, not necessarily what you’d like to do
Discover your ‘crown jewels’. Protect that!
Build defences around real-world attack patterns. Focus on who is going after you!
EMPLOY MORE PEOPLE!
43. What next? Employ more people!
“Proactive Security, not Reactive”
A lot of companies are merely performing gap analysis and plugging the gaps (or not!)
At Skyscanner, we’ve split our strategy into two streams, Product and Corporate, and we identify the major risks for each of those
44. What next? Don’t lie!
I took on a role where the guy before me had DRASTICALLY under-estimated how far they were from PCI compliance.
If you deal with Boards/Execs, it’s better they know the real position, even if it’s a sh*t-storm
45. Some thoughts to take away: Reward people…
For making you aware of issues.
You feel good, they feel good, and they’re likely to tell others.
46. What next? Shout about your successes!
• Security is as important as any other business unit
• So shout about the successes you have
• Positive PR across the business
47. Offices
Edinburgh: Quartermile One, 15 Lauriston Place, Edinburgh EH3 9EN
Glasgow: 5th floor, 151-155 St Vincent St, Glasgow G2 5NW
Singapore: No. 08-01&04 & 09-04, 8th floor, Robinson Point, 39 Robinson Rd, Singapore
Beijing: Level 19, Tower E2, Oriental Plaza, No. 1 East Chang An Avenue, Dong Cheng District, Beijing 100738
Miami: 1395 Brickell Ave, Suite 900, Miami, Florida 33131
Barcelona: C/Esteve Terradas, 21, Bajos 3a - 08023 Barcelona, España
thank you
@stuhirstinfosec