Major Hayden
University of the Incarnate Word - November 2, 2015
Five lessons I learned about information security
A bit about me
Major Hayden
Principal Architect at Rackspace
Fedora Security Team
Package maintainer
Fedora Planet blogger
Former board member
Ambassador
Ansible
Python
OpenStack
Xen/KVM/Containers
Information Security
Major Hayden
Principal Architect at Rackspace
GIAC Certified Unix Security Administrator
Paper: Securing Linux Containers
http://bit.ly/securinglinuxcontainers
GIAC Security Essentials Certification
Red Hat Certified Architect
icanhazip.com
icanhazptr.com
icanhaztrace.com
icanhazproxy.com
icanhazepoch.com
icanhaztraceroute.com
Agenda
How did I get into information security?
Five lessons learned (many of them learned the hard way)
Final thoughts (and some required reading)
How did I get into information security?
How did I stumble into information security?
I sent an angry email after a security incident.
Special note: this is not a recommended method for getting into an information security career.
Impromptu calendar invitation from the Chief Security Officer (CSO) arrives
“I’m totally fired.”
Lesson 1: Information security requires lots of communication and relationships
People within businesses generally fall into one of three security mindsets:
“Security is mission-critical for us and it’s how we maintain our customers’ trust.”
These are your allies. Share your intelligence with them frequently. They must be “read into” what’s happening. Highlight their accomplishments and efforts to your leadership and theirs at every possible opportunity.
“Security is really important, but we have lots of features to release. We will get to it.”
These people see security as a bolt-on, value-added product feature. Share methods for building in security from the start. Make it easier for this group to build secure systems through technical standards.
“I opened this weird file from someone I didn’t know and now my computer is acting funny.”
This group is your biggest risk. Take steps to prevent them from being able to make mistakes in the first place. Regularly send high-level communication to this group with useful information in a friendly format.
Lesson 2: Spend the majority of your time and money on detection and response capabilities
Make it easier to detect an intruder and respond to the intrusion.
Don’t let your intruders act like this:
Make them act more like this:
Ensure that if an attacker gains access to your network, you know about the intrusion and how to respond.
Automation, aggregation, alerting
Firewall logs
Netflow data/analysis
Intrusion Detection Systems (IDS)
Server logs
Authentication logs
Physical security devices
Immediate, coordinated response
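As an added example (not from the slides), here is the aggregation-and-alerting step applied to one of the sources listed above, authentication logs: constructed sshd-style lines from two hosts are parsed, correlated per source IP, and an alert fires when repeated failures are followed by a successful login from the same address within a short window. Hostnames, addresses and log lines are all constructed.

```python
# Added example, not from the slides: aggregate constructed auth log lines and
# alert when one source IP fails repeatedly and then logs in successfully.
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in sshd/syslog style; not real log data.
SAMPLE_LOG = """\
2015-11-02T09:00:01 web01 sshd[2101]: Failed password for admin from 203.0.113.9 port 51022 ssh2
2015-11-02T09:00:03 web01 sshd[2101]: Failed password for admin from 203.0.113.9 port 51024 ssh2
2015-11-02T09:00:05 web02 sshd[3307]: Failed password for root from 203.0.113.9 port 51030 ssh2
2015-11-02T09:00:09 web02 sshd[3309]: Accepted password for deploy from 203.0.113.9 port 51031 ssh2
2015-11-02T09:00:10 web01 sshd[2111]: Accepted publickey for major from 198.51.100.7 port 40002 ssh2
2015-11-02T09:01:00 web01 sshd[2120]: Failed password for major from 198.51.100.7 port 40010 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text):
    """Turn raw lines into event dicts, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_failed_then_success(events, threshold=3, window_s=300):
    """Alert when an IP has >= threshold failures on any host within
    window_s seconds before a successful login from the same IP."""
    failures = defaultdict(list)  # ip -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": ev["user"], "host": ev["host"],
                           "failures": len(recent), "at": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_failed_then_success(parse(SAMPLE_LOG)):
        print("ALERT", alert)
```

Correlating across hosts matters here: no single server saw three failures, so per-host thresholds would have stayed silent.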
Incident communication
Use broad communication that hints at urgency without sharing details. Share the details with your allies in the business.
Lesson 3: People, process, and technology must be in sync
After an incident:
Don’t talk about people*.
Don’t talk about what could have been done.
Don’t talk about vendors.
* No matter how delicate you are, you will eventually “call the baby ugly”.
Assume the worst will happen again. Design processes and technologies to reduce its impact in the future. This is an iterative process.
Lesson 4: Set standards, not policies.
Use a little psychology to drive the behavior you truly want: a more secure infrastructure.
Compare these two methods of communicating with the business:
“If your system doesn’t pass this PCI-DSS audit, we won’t be able to take credit cards. We know what that means.”
“We have a technical standard for public-facing environments that you need to meet, and we have some tools to self-assess your systems.”
Technical people can easily digest technical standards, but not lengthy compliance documents. Design a standard so that an environment can meet multiple compliance programs if it is followed carefully.
Lesson 5: Don’t take security incidents personally.
Security incidents highlight areas for improvement. They also give you a better idea of what attackers want from your business.
Take the time to do a thorough root cause analysis. Adjust spending, priorities, and tasks based on what you find.
Final thoughts
Information security thrives on frequent, honest, meaningful communication more than anything else.
Security incidents will happen. How you respond to them is critical.
Design systems that prevent people from making mistakes in the first place.
Switch: How to Change Things When Change is Hard
Chip & Dan Heath
When you want to make change happen, this book will help you focus your thinking. It has some great frameworks and situational examples.
Winning With People
John Maxwell
Building relationships requires learning a lot about yourself first. This book is broken into five sections that gradually take you through how to have stronger, lasting relationships with others.
The Phoenix Project
Gene Kim, Kevin Behr, and George Spafford
A must for anyone working in IT. It’s a modern spin on Goldratt’s classic, The Goal, that focuses on a new IT executive who is in over his head. Security and compliance issues play a big role in how he works within his business.
Thank you!
majorhayden
major.hayden@rackspace.com
major.io
Image Credits
Bank safe on title slide: By Alvesgaspar (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
Honduran TIGRES soldiers: United States Special Operations Command (Flickr: https://flic.kr/p/qweJtn, CC-BY 2.0)
Longhorn cattle: Evelyn Simak [CC BY-SA 2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons
NORAD: By NORAD (government website) [Public domain], via Wikimedia Commons
Iterative process diagram: By Aflafla1 [CC0], via Wikimedia Commons