Why Your IT Bytes
Why your IT can't - won't - and don't win, AKA Why Your IT Bytes. IT Sec and InfoSec professionals are necessary in this day and age. IT always looks for the quick and dirty fix. They want to keep the end user/manager/C-level happy. InfoSec pros know this isn't the way. So why the difference? It's simple: IT doesn't know. Malware to them is an inconvenience, not a sign that something bigger might be at stake, and that's a deterrent. IT worries too much about losing their job and not enough about what's really at stake, the data. So how do we educate IT, get help from IT, let IT work for us? First we identify the problems, second we educate, and lastly we implement. Oftentimes many of us don't want to get our hands dirty with IT work. Many of us left that world behind and don't want to return. It's time we return to our roots and lift up our computer brethren.
Slide 1: Why Your IT Bytes
Frank J. Hackett

Slide 2: Big Thanks!
• Bsides Charlotte Organizers
• Jon Molesa @rjmolesa
• Bryan Tobey @_fmm
• Damon Brinkley @damonbrinkley
• Tom Moore @c0ncealed
• Red Davies @noidd
• Adam Byers @al14s
• KC Yerrid @K0nsp1racy
• Chris Teodorski @can0beans
• SELF for having us

Slide 3: Shout Outs
• High Hack Society
• Awesome group of people
• iPivot by pr1me and g11tch
• http://www.highhacksociety.com/2013/06/02/ipivot-for-all-you-pivoting-needs/

Slide 4: Me
• Security Consultant
• Senior Systems Engineer
• Senior r00kie under j0e McCray
• SATF Member
• http://www.satframework.org
Slide 5: Why Your IT Bytes
• We know IT cannot get the job done!
• That is why we have jobs
• What are some of the major differences?
• Similarities?
• IT drives the organization
• No email = no productivity
• No shared files = no big data *gasp*

Slide 6: Why Your IT Bytes
• If we did not have IT professionals we would not have IT Sec & InfoSec professionals
• How boring would that be?

Slide 7: Give Thanks!
• Network Admins
• IT Engineers
• Devs of all kinds
• Senior System Engineers…

Slide 8: Major Differences - IT
• IT is the “yes man”
• You’re a C-Level and want your tablet on the network?
• No Problem Man!
• Want simple access from home or abroad?
• No Problem Man!

Slide 9: Major Differences - IT
• What’s the big deal?
• It’s an acceptable risk!
• We need Java!

Slide 10: IT Staff’s Opinion About Security Folk
• http://securityreactions.tumblr.com/post/33361186596/it-waiting-for-the-audit-to-begin
• [Image: “IT waiting for the audit to begin”]

Slide 11: Major Differences - InfoSec
• Security thinks your baby is ugly
• That’s being nice…
• Security thinks your baby is REALLY ugly
• Honest truth

Slide 12: Major Differences - InfoSec
• N00b
• zOMG why would you click that?!
• You really don’t need Java!

Slide 13: Security Looking at IT People
• http://securityreactions.tumblr.com/post/29960560750/when-they-say-their-firewall-cannot-be-breached
• [Image: “When they say their firewall cannot be breached”]

Slide 14: Why Your IT Bytes
• [Diagram: InfoSec / IT Pros]

Slide 15: Common Ground
• “Enhance the university experience for students, faculty and staff by facilitating a more secure computing environment.”
• UFL IT Security Team Mission Statement
• https://infosec.ufl.edu/aboutus/mission.shtml
• “… providing a reliable, comprehensive information technology environment to enhance teaching, learning, research, services, and business operations. The division encourages effective, innovative, and ethical uses of technology while assuring efficient use of university resources.”
• WCU IT Mission Statement
• http://www.wcu.edu/academics/campus-academic-resources/it/aboutit/it-mission-statement.asp

Slide 16: Common Ground
We have the same goals!!!

Slide 17: Common Ground
Protect the data, the users, and the organization

Slide 18: Common Ground
• [Diagram: Solid IT, Secure Network, Happy & Safe Users]

Slide 19: IT Doesn’t Know
• What can malware really do?
• Network security architecture
• Passwords!!!
• It’s OK to say no

Slide 20: IT Won’t Save You
• Firewalls, GAV (gateway AV), IPS, any amount of blinky boxes will not keep hackers out
• Patching is not enough
• “Acceptable” and “Risk” should never be used in the same sentence

Slide 21: IT Can’t Save You
• Every day new vulnerabilities are reported
• How many aren’t officially reported???
• It’s hard for InfoSec to even keep up sometimes
• Too much to do

Slide 22: Educate
• Stop talking down to your IT department
• Work with them
• Expose IT to new ideas, solutions, etc.
• Show them how MS08-067 works and what it does!
• It’s a lot more than just a red tick on a Nessus report

Slide 23: Educate
• Audit the IT department!
• Explain the findings and what needs to be corrected
• Eliminate the idea that security costs tons of $$$
• Don’t “train” per se… demonstrate
• They know how computers work and are smart people too!

Slide 24: Work Together
• Communication is key!!!
• Stop fighting with each other
• Can IT help Security do their job?

Slide 25: Work Together
• Mick Douglas @bettersafetynet
• “Help from the Help Desk” – AIDE 2013
• http://www.irongeek.com/i.php?page=videos/aide2013/help-from-the-helpdesk-mick-douglas-bettersafetynet

Slide 26: Work Together
• Help secure IT from themselves!
• zOMG IT reuses passwords!
• Why aren’t all your routers, firewalls, switches, etc. behind 2FA??
• Not hard to implement
• Fast and reliable
• Duo Security
• Wikid Systems

Slide 27: Work Together
• IT specific policies
• How quickly can a user realistically be deactivated from IT?
• How quickly does a new tech gain access to your information?
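The deactivation question on the slide above is one you can answer with data rather than opinion. The script below is an added example, not from the talk or its author: it joins a constructed HR termination feed with a constructed directory export (the kind of thing you would pull from AD or LDAP) and reports every departed user whose account stayed enabled, or was actually used, past their last day. The usernames, dates and the one-day SLA are all made up for illustration.

```python
"""Deprovisioning-lag audit. Added example, not part of the talk.

Joins an HR termination feed with a directory export and reports accounts
that outlived their owner's last day. All data here is constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: username -> termination date (last day of employment).
HR_TERMINATIONS: Dict[str, date] = {
    "jdoe": date(2013, 6, 3),
    "asmith": date(2013, 6, 10),
    "bnguyen": date(2013, 5, 20),
}

# Constructed directory export: (username, account enabled?, last logon or None).
DIRECTORY: List[Tuple[str, bool, Optional[datetime]]] = [
    ("jdoe", True, datetime(2013, 6, 12, 9, 15)),     # still enabled and used after leaving
    ("asmith", False, datetime(2013, 6, 10, 17, 2)),  # disabled on the last day: no finding
    ("bnguyen", True, None),                          # enabled, never used, owner left in May
    ("cjones", True, datetime(2013, 6, 14, 8, 0)),    # current employee, not in the HR feed
]

# Hypothetical policy: an account must be disabled within this many days.
DEPROVISION_SLA_DAYS = 1

# Constructed audit date ("today" for the run below).
AS_OF = date(2013, 6, 15)


@dataclass
class Finding:
    user: str
    terminated: date
    still_enabled: bool
    last_logon: Optional[datetime]
    days_exposed: int  # days the account stayed usable past termination


def exposure_days(terminated: date, enabled: bool,
                  last_logon: Optional[datetime], as_of: date) -> int:
    """Days an account stayed usable after its owner left.

    An enabled account is exposed from termination up to the audit date.
    A disabled account is exposed only if it was used after termination,
    in which case the exposure runs until that last logon.
    """
    if enabled:
        return max(0, (as_of - terminated).days)
    if last_logon is not None and last_logon.date() > terminated:
        return (last_logon.date() - terminated).days
    return 0


def audit(terminations: Dict[str, date],
          directory: List[Tuple[str, bool, Optional[datetime]]],
          as_of: date) -> List[Finding]:
    """One Finding per departed user whose account is enabled or outlived the SLA."""
    findings: List[Finding] = []
    for user, enabled, last_logon in directory:
        terminated = terminations.get(user)
        if terminated is None:
            continue  # not in the HR feed: nothing to deprovision
        days = exposure_days(terminated, enabled, last_logon, as_of)
        if enabled or days > DEPROVISION_SLA_DAYS:
            findings.append(Finding(user, terminated, enabled, last_logon, days))
    return findings


def worst_lag(findings: List[Finding]) -> int:
    """The single longest exposure: the number to put in front of IT."""
    return max((f.days_exposed for f in findings), default=0)


if __name__ == "__main__":
    results = audit(HR_TERMINATIONS, DIRECTORY, AS_OF)
    for f in results:
        state = "ENABLED" if f.still_enabled else "disabled"
        print(f"{f.user:8} left {f.terminated} {state:8} "
              f"exposed {f.days_exposed:3} days  last logon {f.last_logon}")
    print("worst deprovisioning lag:", worst_lag(results), "days")
```

In practice the two inputs are HR's leaver report and an export of account state plus last logon from the directory; the worst-case lag is the figure to bring to IT when writing the policy the slide asks for, and the same join run the other way (hire date against first logon) answers the onboarding half.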
Slide 28: Work Together
• IT is lazy
• Break the cycle
• Remember: IT wants uptime
• Patching = reboots
• Stay away from the guy/gal who “knows it all”

Slide 29: Work Together
• Positive correlation between the strength of the IT department and the strength of the Security department
• Vice versa
• Each department should make the other better
• Same team!!!
• This is very true for consultants as well

Slide 30: Work Together
• A pentest report is not enough
• Work with your IT department!
• Work with your customers!
• If you test a network, pwn everything, and offer no suggestions… what good have you done?

Slide 31: Relax A Little
• Let IT work for us
• Smarter not harder
• You did the audit, right?
• Are better policies in place for IT now?
• Do you really want to add new Snort signatures for the rest of your life?

Slide 32: Relax A Little
• Shhh, parts of our job aren’t that hard – don’t tell them
• Now that you’ve led IT down the path of righteousness they will help lead the users
• Remember what Mick said – “The help desk is already seen better than us!”

Slide 33: Relax A Little
• If IT is deploying better, stronger, and more secure infrastructure your job just got easier!
• If IT is going back and fixing weak infrastructure on their own give yourself a pat on the back
• Go write some new exploit code to keep them guessing

Slide 34: Reality
• This is hard – people hate change
• People really hate being told they’re doing things wrong
• Start with your boss – get buy-in
• Don’t expect everything to change overnight

Slide 35: Reality
• Tighten the screw one turn at a time – no nails and hammer
• When a change is introduced or a new policy is added, urge your coworkers to give it a week or two to try it
• After this time it will be habit and the “old and good way” will be forgotten about

Slide 36: Reality
• Everyone is human. Even you - awesome security guru
• There will always be resistance to change
• More secure IT = more secure helpdesk = more secure users

Slide 37: Reality
• The trickle-down effect is awesome!
• Also there’s nothing wrong with improving the skills of a coworker
• People like careers!

Slide 38: Remember
• Avoid the know-it-all
• IT can’t save you and they won’t save you
• They can make your job easier
• Don’t be the know-it-all

Slide 39: Hit Me Up
• @fjhackett
• http://www.hackettweb.com
• http://www.slideshare.net/fjhackett
• fjhackett@hackettweb.com