BSidesLondon 20th April 2011 - Soraya Viloria Montes de Oca
------------
Successful IT projects are not always successful at security. The question "How much time do you actually spend understanding the business needs and the data the system handles before you propose security controls?" is asked... and discussed.
For more about Iggy follow @GeekChickUK
You built a security castle and forgot the bridge…now users are climbing your walls
1. You built a security castle but you forgot the bridge... now your users are climbing up the walls Soraya Viloria Montes de Oca @GeekChickUK
3. The cases and examples while inspired in real life, are the result of her crazy imagination.
4. The terminology used may not necessarily be consistent with official terms and may reflect prejudicially on her parents' parental efforts.
6. Is it really a #win? To be successful you need to aim beyond the aims of "completing on time and in budget". IMHO
7. Once upon a time... You built a security castle
8. If you don't understand... Users / Assets... Get ready for a battle
9. If you don't understand... Users / Assets: "Users" vs. "Service desk", "Service desk" vs. "Systems Ops", "Users" vs. "InfoSec", "Systems Ops" vs. "InfoSec"... The battle will be lost
10. One shoe... doesn't fit all. Users are not homogeneous: they access different information... in a variety of ways. Good security understands that
11. And different assets... have different values. Would you put the same resources and effort into protecting these?
14. Your position of advisory... undermined. To succeed, the business will soon sell your castle. (The original cartoon had to be removed as the license was only for live presentation.)
16. Without the buy-in (Board, I.T., Users) the security battle will be lost
17. Time for a quick game? Let's suggest a secure solution which will enable an Occupational Therapy (OT) team to provide medical care to patients somewhere in... Scotland
18. Info you have. Documentation: the blueprints of the sites, hospitals, GP surgeries/clinics, NPLS networks, organisational charts, even... job descriptions. Some security architects start and finish here...
19. Take a closer look: Occupational Therapy Team. Occupational therapy careers are instrumental in teaching individuals who suffer from a physical, mental, emotional, or developmental disability to develop, recover or maintain the tasks of daily living, along with work skills if needed. In practice: very different functions and 5+ different positions. To build security that lasts...
22. Others support patients at home and go back to base once a month, which means very different infrastructure & tools. How can you achieve work targets if you can't perform the same tasks at the same speed? Not everything is what it seems
26. Design a security model that fits the organisation’s functional and legal requirements.
27. Don’t build “security” that gets in the way but one that is flexible and copes with a variety of business processes and allows the data to flow...securely
30. Write English, no matter how cool your findings are; don't brag using technical terms
31. Aim to make a difference. Auditors, pentesters and the like...
32. And if you want to chat about security that lasts... come and find me. Soraya Viloria Montes de Oca, @GeekChickUK, GeekChickUK ( @ ) gmail (.) com. Cheers!
Editor's Notes
MORE FAILURES
UK prison IT: Massive and 'spectacular' failure (http://www.zdnet.com/blog/projectfailures/uk-prison-it-massive-and-spectacular-failure/2353)
High failure rate hits IT projects (http://www.computing.co.uk/ctg/news/1829160/high-failure-rate-hits-it-projects)
Labour's computer blunders cost £26bn (http://www.independent.co.uk/news/uk/politics/labours-computer-blunders-cost-16326bn-1871967.html)
GLIMMER OF IMPROVEMENTS
Standish Group (1994) estimated U.S. IT projects wasted $140 billion ($80 billion of that from failed projects) out of a total of $250 billion in project spending. The Standish Group (2004) report entitled "CHAOS Chronicles" found total U.S. project waste to be $55 billion, made up of $38 billion in lost dollar value and $17 billion in cost overruns. Total project spending was found to be $255 billion in the 2004 report.
If you forget to involve your users and understand their information flows... you are in for a battle. PLUS: you might be protecting the wrong assets, or protecting the right assets the wrong way.
Even if in the same teams, their circumstances may vary. Security can be tiresome when it is obviously unnecessary. If you make people jump through hoops for nothing you won't win any security friends.
Don't obsess about protecting everything... You may not need to.
Pentester arrives. You have more holes than a colander. Finds faults within 10 minutes. Pentester tells the business...
Get the buy-in from the wider business, not just the board but the asset owners and the asset administrators. Involve the IT department and the business security department. Use a magnifier and look at the deeply ingrained patterns: the org culture. There is no magic bullet for IT security success, BUT: understand the organisation, communicate effectively and see the project through to the end.
What it means is that under the same title you may have 5 or 8 different types of professionals working differently, even if from the same team. So you need to look deeper than just the JDs.
Huge difference in the infrastructure available to them. Those based at a hospital would have access to fibre and the highest speeds; surgeries a little rubbishy; but those around rural areas are using only 3G, seeing 4 or 5 patients a day and not coming back to the office for long periods.