BSidesLondon 20th April 2011 - Soraya Viloria Montes de Oca ------------ Successful IT projects are not always security successful. The question of How much time do you ever spend at understanding the business needs, the data that the system is handling before you propose security controls? is asked...and discussed. ------- for more about Iggy follow @GeekChickUK

1. You built a security castle but you forgot the bridge... now your users are climbing up the walls Soraya Viloria Montes de Oca @GeekChickUK

3. The cases and examples while inspired in real life, are the result of her crazy imagination.

4. The terminology used may not necessarily be consistent with official terms and may reflect prejudicially on her parents' parental efforts.

6. Is it really a / #win? To be successful you need to aim beyond the aims of “completing on time and in budget”. IMHO

7. Once upon a time... You built a security castle

8. If you don’t understand... Users Assets Assets Users Get ready for a battle

9. If you don’t understand... “Users” vs. “Service desk” “Service desk” vs. “Systems Ops” Assets Users “Users” vs. “InfoSec” “Systems Ops” vs. “InfoSec” The battle..will be lost

10. One shoe...doesn’t fit all Users are not homogenous they access different information ... in a variety of ways Good security understands that

11. And different assets... Would you put the same resources and efforts to protects these? ...have different values

13. We can live with the risk

14. Your position of advisoryTo succeed the business will soon sell your castle The original cartoon had to be removed as the license was only for live presentation ...undermined

15. By week 112 © secure-uk.imrworldwide.com You have more holes than a colander

16. Without the buy-in Board I.T Users Users The security battle will be lost

17. Time for a quick game? Let’s suggest a secure solution which will enable Occupational Therapy (OT) team to provide medical care to patients somewhere in... Scotland

18. Info you have Documentation: The blueprints of the sites Hospitals GP surgeries/clinics NPLS networks Organisational charts Even.. Job Descriptions Some security architects start and finish here...

19. Take a closer look Occupational Therapy Team Occupational therapy careers are instrumental in teaching individuals who suffer from a physical, mental, emotional, or developmental disability to develop, to recover or to maintain the tasks of daily living along with work skills if needed. In practice very different functions and 5+ different positions To build security that lasts

21. Others at GP surgeries or clinics

22. Others support patients at home and goes back to base once a monthwhich means very different infrastructure & tools How canyou achieve work targets if You can’t perform same tasks at the same speed? Not everything is what it seems

23. Look deeper... The same team doesn’t have the same tools

24. and deeper... Based at hospital you get top speeds but... Could you upload videos of patients from a GP surgery or using 3G? Many GP practices are struggling with inadequate broadband speeds over N3.... ...the majority of practices, with up to 49 network devices, are now limited to a 1Mb ADSL connection with upstream rates of 288kb/s... NHS broadband leaves GPs in slow lane © 2006 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED Same speeds?

26. Design a security model that fits the organisation’s functional and legal requirements.

27. Don’t build “security” that gets in the way but one that is flexible and copes with a variety of business processes and allows the data to flow...securely

28. Don’t make assumptions

30. Write English no matter how cool your findings are; don’t brag using technical terms

31. Aim to make a differenceAuditors, pentesters and the like...

32. and if you want to chat about security that lasts ...come and find me Soraya Viloria Montes de Oca @GeekChickUK GeekChickUK ( @ ) gmail (.) com Cheers!