INCONVENIENCE ≠ SECURITY

Wednesday, 6 June 12
Securing everything is good, right?
Well, mostly.

• Ongoing maintenance of security policies
• Artificial barriers (‘inconvenience’) lead to lost productivity and possible downtime

SECURITY =~ INCONVENIENCE
INCONVENIENCE != SECURITY

LAZY THINKING!

All security is good, right?

Security policies have:
 * an ongoing maintenance cost
 * an inconvenience factor

Inconvenience leads to lost productivity (I don't know what my application is doing in production) and downtime (I can't bring the server back up - I'm not on the VPN).

Fortunately - you don't necessarily need to increase your exposure to decrease your inconvenience.
Avoid ‘wasteful’ security: policies that provide minimal benefit.
Obvious, right?

Easiest target: avoid security policies that don't actually provide security benefit.

Seems obvious? It isn't.

Some of the truisms from server security in the 90's and 00's no longer apply.
Environments Then

(diagram: Bob, Steve and Carol sharing one server)

Servers used to be shared between actual, real users (or customers). UNIX security
theory is based around that assumption. Users, groups, permissions, sudo, logging,
all that shit.
Environments Now

(diagram: Bob, Steve and Carol, each with their own server instance)

These days: your server instance is yours. You've got one non-root logon ('ubuntu',
'aws', 'vagrant'), you use that to sudo.

If your user account is compromised, you're going to take that server offline, fire up
another one, and do a root cause analysis before wiping it.
Policies Then

• Compilers don’t belong in production
• Clamp down on installed software
• Hard gates between local applications and users



Because we're interacting with servers in a new way, some of the security measures of the past have been downgraded to 'inconvenience':
  * don't install a compiler on your production server (that's the 80's talking)
  * hard-limit what software is installed/running on your instances (that's what your ingress firewall is for)
  * SELinux (you're not ASIO)
Inconvenience Now

• GCC is required to build your nginx configuration file.
• Open ports? This is what we have ingress firewalls for.
• A compromised server is treated as fully compromised, regardless of access level



Server-local permissions are for accident prevention, not security.
‘sudo’ means ‘think first’

Remember: instance-level permission elevation is about preventing accidents. 'sudo' means 'think first'. It's also there so you can give developers read-only access to the resources they need to do their own problem solving: logs, configuration, all that.

That's accident prevention, too: a sufficiently skilled developer, with ill intent, will find a way to make your life difficult regardless of whether you gave him a production account or not.
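What the 'read-only access for developers' use of sudo looks like in practice, as an added example that is not from the talk and not any project's own code: a constructed sudoers fragment that lets a group read application logs and config and nothing else, beside the 'lazy' fragment that is just root with extra steps, plus a small lint that tells the two apart. The group name (`developers`), the paths (`/var/log/app`, `/etc/app`) and the `ALLOWED_RO` allow-list are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the talk, not any project's code): a sudoers fragment
# that gives a developer group read-only access to application logs and config,
# the "think first" use of sudo, plus a lint that flags fragments which quietly
# hand out root. Group name, paths and ALLOWED_RO are assumptions for the demo.

# Binaries accepted as read-only when run through sudo. Pagers and editors are
# deliberately absent: they can spawn sub-shells, which defeats the purpose.
ALLOWED_RO='/usr/bin/tail /bin/cat /bin/grep /usr/bin/stat /bin/ls'

# Constructed fragment: accident prevention; developers can only read.
DEV_FRAGMENT='# developers may read app logs and config, nothing else
Cmnd_Alias DEV_RO = /usr/bin/tail -n * /var/log/app/*, /bin/cat /var/log/app/*, /bin/grep * /etc/app/*
%developers ALL=(root) NOPASSWD: DEV_RO'

# Constructed fragment: the "convenient" policy that is just root.
LAZY_FRAGMENT='%developers ALL=(ALL) NOPASSWD: ALL'

# lint_sudoers: read a fragment on stdin, print one line per finding, and
# return 0 only when every command is an allow-listed read-only binary or a
# Cmnd_Alias defined earlier in the same fragment; 1 otherwise.
lint_sudoers() {
    findings=0
    aliases=' '
    set -f                                  # sudoers wildcards are not shell globs
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;             # blank or comment
            Defaults*|User_Alias*|Host_Alias*|Runas_Alias*) continue ;;
            *=*) ;;                         # Cmnd_Alias or user specification
            *) continue ;;
        esac
        case "$line" in
            Cmnd_Alias*)                    # remember the alias name for later references
                name=${line#Cmnd_Alias}; name=${name%%=*}
                set -- $name; aliases="$aliases$1 " ;;
        esac
        # Command list: text after '=' minus the "(runas)" and "TAG:" prefixes.
        cmds=${line#*=}
        cmds=$(printf '%s' "$cmds" | sed -e 's/^[[:space:]]*([^)]*)//' -e 's/[A-Z]*:[[:space:]]*//g')
        IFS=','; set -- $cmds; unset IFS   # one positional parameter per command
        for entry in "$@"; do
            set -- $entry                   # first word is the binary, ALL, or an alias
            if [ -z "${1:-}" ]; then continue; fi
            tok=${1#!}                      # ignore a leading negation
            case "$tok" in
                ALL)
                    printf 'unrestricted root: %s\n' "$line"
                    findings=$((findings + 1)) ;;
                /*)
                    case " $ALLOWED_RO " in
                        *" $tok "*) ;;
                        *) printf 'not read-only: %s\n' "$tok"
                           findings=$((findings + 1)) ;;
                    esac ;;
                *)
                    case "$aliases" in
                        *" $tok "*) ;;
                        *) printf 'undefined alias: %s\n' "$tok"
                           findings=$((findings + 1)) ;;
                    esac ;;
            esac
        done
    done
    set +f
    if [ "$findings" -eq 0 ]; then return 0; fi
    return 1
}

# check_fragment LABEL FRAGMENT: print a verdict and return the lint status.
check_fragment() {
    if printf '%s\n' "$2" | lint_sudoers; then
        printf '%s: ok, read-only commands only\n' "$1"; return 0
    else
        printf '%s: REJECT\n' "$1"; return 1
    fi
}

check_fragment developers-readonly "$DEV_FRAGMENT" || true
check_fragment developers-lazy "$LAZY_FRAGMENT" || true
```

The lint only checks which binaries a rule reaches; it says nothing about argument safety, and sudoers wildcards in arguments match spaces too, so keep the argument patterns tight and run the fragment through `visudo -c` before installing it under /etc/sudoers.d.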
Think outcomes, not policies.
‘What am I achieving by limiting this?’

Now! Let's talk coverage.

I see this all the time: operations staff patching what they understand, ignoring what they don't. Or, even worse, they'll deliberately go overboard securing the system because they know the application is terrible. This isn't useful: if the application gets hacked, you're offline anyway. Assuming a targeted attack, your database credentials are in an easily accessed, readable location - and the attacker has jumped another fence you've put up.
These Common Policies

• Hard locking application library dependencies
• Insisting on using CentOS because it’s “security focused”
• Disallowing developer access to production logs


Here are some common patterns and why they don't make sense:
  * you're hard-locking the application's library dependencies ... so the developers are just writing their own insecure, unreliable variants
  * you're insisting on using CentOS because it's more "secure" than Ubuntu ... but you're using 'community' packages because CentOS doesn't really include anything useful or modern
  * you're disallowing your developers access to your production logs ... but without an idea of scale, the next deployment will confuse n² and log(n)
Actually Lead To

• Developers creating insecure, unreliable library ‘copies’
• Use of uncertified ‘community’ packages to make up for CentOS shortfalls
• Developers without production access have no concept of scale, implement for themselves, not your actual load



Finally,

(image, credit: SMBC)

Thanks for listening.
