Essential Security & Risk Fundamentals
MacIT 2014
Alison Gianotto

Who Am I?
• (Former) CTO/CSO of noise
• 20 years in IT and software development
• Security Incident Response Team (SIRT)
• MacIT presenter in 2012
• Survivor of more corporate security audits than I care to remember
• @snipeyhead on Twitter
What is Security?
Let’s start with what security is not.

What Security Isn’t
• Security isn’t a thing you add on at the end of a project.
• Security isn’t “But… I have a firewall!”
• Security isn’t a thing you’re ever “done” with.

What Security Isn’t
• Security is not the same as compliance. You can be compliant and not be secure. (Just ask Target.)
• Security is not one person in your organization.
• Security is not an outsourced consultant or consulting agency.

What Security Is
• Security is an ongoing group effort.
• Security is where you start, not where you finish.
• Security is understanding and protecting your valuable assets, information and people.
• Security is multi-layered (defense-in-depth).
What is Risk?
Let’s start with what risk is not.

What Risk Management Isn’t
• Risk management isn’t something that has to hinder innovation.
• Risk management doesn’t have to be boring.
• Managing risk isn’t one person’s job.
• Risk isn’t just “hackers”.

What Risk Management Isn’t
• Risk tolerance is not singular. What qualifies as acceptable risk to your company will not be the same as acceptable risk to another company.

What Risk Management Is
• Risk management is a tool that helps you make intelligent, informed decisions.
• Risk management is your entire team’s responsibility.
• Risk is absolutely unavoidable. Being informed will help you make the best choices for your organization.
Security CIA Triad
Confidentiality, Integrity & Availability
• Confidentiality is a set of rules that limits access to information.
• Integrity is the assurance that the information is trustworthy and accurate.
• Availability is a guarantee of ready access to the information by authorized people.
Confidentiality
Making sure the right people can access sensitive data and the wrong people cannot.

Confidentiality Examples
• Passwords. (boo!)
• Data encryption (at rest and in transmission).
• Two-factor authentication/biometrics. (Yay!)
• Group/user access permissions
• Corporate VPN
• IP whitelisting
• SSH keys

Confidentiality Risk Examples
• Lack of control over content your employees put on third-party servers. (Basecamp, etc.)
• Lack of control over password requirements for third-party vendors.
• Shared passwords
• Exploitable scripts uploaded to web servers.
• Lost/stolen smartphones, tablets and laptops
• Inadequate exit process

Confidentiality: Control/Possession
Do you remain in control of your resources?

Control Examples
1) A software program can be duplicated without the manufacturer's permission; they are not in control of that software anymore. *cough* Adobe source code *cough*

2) You know your password, but who and what else has possession of it, too?
Integrity
Maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.

Ensures that information is not modified or altered, intentionally or by accident.

Integrity Risk Examples
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration by authorized persons (human error)
• Data alteration by unauthorized persons (hackers)
• No backups, or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
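One concrete answer to the "no way to verify the integrity of the backups you have" risk is a checksum manifest recorded when the backup is taken and re-checked before you trust a restore. This is an added example, not code from the slides; the backup files and their contents are constructed sample data.

```python
"""Build and verify a SHA-256 manifest for a backup set.

Added example for the "no backups, or no way to verify the integrity of the
backups you have" risk above; it is not code from the original slides. The
backup files and their contents are constructed sample data.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK = 1024 * 1024  # stream files in 1 MiB chunks so large dumps fit in memory


def sha256_file(path: str) -> str:
    """Hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: str) -> Dict[str, str]:
    """Map every file path (relative to backup_dir) to its digest."""
    manifest: Dict[str, str] = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    """Keep the manifest apart from the backup itself (e.g. with the job log),
    so damage to the backup cannot also rewrite the record of what it held."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def verify_backup(backup_dir: str, manifest: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the backup verifies.

    Reports files that are missing, files whose content changed (silent
    corruption, bit rot, tampering) and files the manifest never listed.
    """
    problems: List[str] = []
    current = build_manifest(backup_dir)
    for rel, expected in sorted(manifest.items()):
        actual = current.get(rel)
        if actual is None:
            problems.append(f"missing: {rel}")
        elif actual != expected:
            problems.append(f"modified: {rel}")
    for rel in sorted(current):
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: verify a fresh backup, then verify it again after
    one file is corrupted and another is lost."""
    with tempfile.TemporaryDirectory() as work:
        backup_dir = os.path.join(work, "backup")
        os.mkdir(backup_dir)
        db_dump = os.path.join(backup_dir, "db.sql")
        config = os.path.join(backup_dir, "config.ini")
        with open(db_dump, "w") as f:
            f.write("INSERT INTO users VALUES (1, 'alice');\n")
        with open(config, "w") as f:
            f.write("[app]\nmode=production\n")

        manifest_path = os.path.join(work, "backup.manifest.json")
        save_manifest(build_manifest(backup_dir), manifest_path)
        manifest = load_manifest(manifest_path)
        fresh = verify_backup(backup_dir, manifest)

        with open(db_dump, "r+b") as f:  # flip the first byte of the dump
            f.write(b"X")
        os.remove(config)                # and lose the config file
        damaged = verify_backup(backup_dir, manifest)
    return fresh, damaged


if __name__ == "__main__":
    for problem in demo()[1]:
        print(problem)
```

Running the verification on a schedule (and on a restored copy, not just the live backup target) is what turns "we have backups" into "we have backups we can trust".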
Integrity: Authenticity
How can you be sure that the person you’re talking to is who he or she claims to be?
Availability
All systems and information resources must be "up and running" as per the needs of the organization.

Availability Risk Examples
• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters

Availability: Utility
An employee who had encrypted data leaves the company.

You still have possession of the data, but you do not have the key to decrypt the contents, so you do not have the use or utility of it.
Getting Risky
• How bad will it be if this component fails?
• What other components will this affect if it fails?
• How likely is it that it will fail?
• What are the ways it could fail?
• What can we do in advance to prevent/reduce the chances or impact of failure?

Getting Risky
• How can we consistently test that this component is healthy?
• How will we know if it has failed?
• How can we structure this component to be monitor-able through an external system? (A generated status JSON/XML script, HTTP status codes, etc. - anything you can attach a status monitor to.)
• How can we structure this component to fail more gracefully? (Firing an alert and redirecting instead of a 500 error, for example.)
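The last three questions above (how will we know it failed, what can a monitor attach to, how does it fail gracefully) can be answered in a few dozen lines. This is an added example, not code from the slides; the component checks, the alert sink and the fallback URL are constructed stand-ins for whatever your stack actually uses.

```python
"""Make a component monitor-able and fail gracefully.

Added example for the "Getting Risky" questions above; it is not code from
the original slides. The checks, alert sink and fallback URL are constructed
stand-ins.
"""
import json
import time
from typing import Callable, Dict, List, Tuple

# A check returns (healthy, detail) and is registered under a component
# name, so the whole stack is reachable through one status document.
HealthCheck = Callable[[], Tuple[bool, str]]

ALERTS: List[str] = []  # stand-in for a pager / chat-ops hook


def fire_alert(message: str) -> None:
    ALERTS.append(message)


def run_checks(checks: Dict[str, HealthCheck], slow_s: float = 2.0) -> Dict:
    """Run every check, time it, and summarise into a status document."""
    components = {}
    for name, check in checks.items():
        started = time.monotonic()
        try:
            healthy, detail = check()
        except Exception as exc:  # a crashing check is itself a failure
            healthy, detail = False, f"{type(exc).__name__}: {exc}"
        elapsed = time.monotonic() - started
        if healthy and elapsed > slow_s:  # "up" but too slow still counts as degraded
            healthy, detail = False, f"slow: {elapsed:.2f}s > {slow_s}s"
        components[name] = {"healthy": healthy, "detail": detail,
                            "latency_s": round(elapsed, 3)}
    failed = [n for n, c in components.items() if not c["healthy"]]
    return {"status": "ok" if not failed else "degraded",
            "failed": failed, "components": components}


def status_report(checks: Dict[str, HealthCheck]) -> Tuple[int, Dict]:
    """HTTP status code plus report for a /status endpoint.

    Returning 503 on any failure lets a plain uptime monitor alert on the
    status code alone; the body tells a human which component is at fault.
    """
    report = run_checks(checks)
    return (200 if report["status"] == "ok" else 503), report


def status_response(checks: Dict[str, HealthCheck]) -> Tuple[int, str]:
    """Same report serialised as JSON, the form an external monitor polls."""
    code, report = status_report(checks)
    return code, json.dumps(report, sort_keys=True)


def handle_request(render: Callable[[], str],
                   fallback_url: str) -> Tuple[int, Dict[str, str], str]:
    """Serve the page normally; if a dependency blows up, fire an alert and
    redirect to a static fallback page instead of returning a 500."""
    try:
        return 200, {}, render()
    except Exception as exc:
        fire_alert(f"render failed, redirecting to {fallback_url}: {exc}")
        return 302, {"Location": fallback_url}, ""


def demo_checks() -> Dict[str, HealthCheck]:
    """Constructed checks: a healthy database and a third-party API that is down."""
    def database() -> Tuple[bool, str]:
        return True, "SELECT 1 succeeded"

    def payment_api() -> Tuple[bool, str]:
        raise ConnectionError("connection refused")

    return {"database": database, "payment_api": payment_api}


if __name__ == "__main__":
    code, body = status_response(demo_checks())
    print(code, body)
    print(handle_request(lambda: "<html>ok</html>", "/maintenance"))
```

Point an external monitor at the status endpoint rather than at the components themselves; that is what makes the "how will we know" question answerable from outside the system.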
Risk Matrix Components
• Type
• Third-Party
• Dataflow diagram ID
• Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
Risk Matrix
Things You Can Start Doing TODAY
• Start every project risk-first.
• Build a clear inventory of surface areas and their value. Get stakeholders involved.
• Start using a risk matrix for every major project or product.
• Trust your gut. If something doesn’t look right, it probably isn’t.
• Keep your systems as simple as possible. Document them.
• Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
• Get to know your users' behavior. Use things like Google Analytics and heatmapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.
• Increased transparency reduces risk across departments. Consider devops.
• Automate EVERYTHING - Casper, DeployStudio, Boxen, etc. (Chef, Vagrant, Ansible, Salt or Fabric for server management.)
• If you develop software, automate your deployment and configuration management. Chatops FTW!
• Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
• Always employ the principle of “least privilege.”
• Rely on role-based groups for OD/AD, email accounts, etc.
• Consider who has access to your social media accounts. Use an SMMS to manage access instead of giving out passwords.
• Consider who has access to third-party services where billing information is available via account management settings.
• Be proactive in educating your company’s staff about security. Measure results.
• Teach your users about password security and social engineering.
• Set your users up with a good password manager like LastPass or 1Password.
• Always be aware of single points of failure. (“Bus factor”, Maginot Line)
• Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
• Create a Business Continuity Plan.
• Create an Incident Response Plan. Test it.
• Create a Disaster Recovery Plan. TEST IT. (Seriously.)
• Give preference to vendors that integrate with your AD/OD.
• Create a vendor management policy. Insist (and document) that your vendors comply with your requirements, or find a new vendor.
• Make sure you understand what happens when third-party services fail or behave unexpectedly.
Thank you!
Alison Gianotto
snipe@snipe.net
@snipeyhead
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 

Recently uploaded (20)

By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 

MacIT 2014 - Essential Security & Risk Fundamentals

Security CIA Triad: Confidentiality, Integrity & Availability
• Confidentiality is a set of rules that limits access to information.
• Integrity is the assurance that the information is trustworthy and accurate.
• Availability is a guarantee of ready access to the information by authorized people.

Confidentiality
Making sure the right people can access sensitive data and the wrong people cannot.

Confidentiality Examples
• Passwords. (boo!)
• Data encryption (at rest and in transit).
• Two-factor authentication / biometrics. (Yay!)
• Group/user access permissions.
• Corporate VPN.
• IP whitelisting.
• SSH keys.

Confidentiality Risk Examples
• Lack of control over content your employees put on third-party servers (Basecamp, etc.).
• Lack of control over password requirements for third-party vendors.
• Shared passwords.
• Exploitable scripts uploaded to web servers.
• Lost/stolen smartphones, tablets and laptops.
• Inadequate exit process.

Confidentiality: Control/Possession
Do you remain in control of your resources?

Control Examples
1) A software program can be duplicated without the manufacturer's permission; the manufacturer is no longer in control of that software. *cough* Adobe source code *cough*
2) You know your password, but who and what else has possession of it, too?

Integrity
Maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.
Ensures that information is not modified or altered, intentionally or by accident.

Integrity Risk Examples
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data.
• Data alteration by authorized persons (human error).
• Data alteration by unauthorized persons (hackers).
• No backups, or no way to verify the integrity of the backups you have.
• Third-party vendor with inadequate security.

Integrity: Authenticity
How can you be sure that the person you’re talking to is who he or she claims to be?
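One concrete way to answer both the integrity question (was this altered?) and the authenticity question (did it really come from the party holding the key?) is a keyed hash. The following is an added example, not code from the talk: an HMAC-SHA256 tag over a canonically serialised JSON body lets the receiver reject anything edited in transit or minted without the shared key, and a nonce catches replays, which a bare HMAC does not. The key, the payload and the "attacker" edits are all constructed here for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set, Tuple

# Added example, not from the talk: HMAC-SHA256 for integrity + authenticity.
# The key and the messages below are constructed for the demonstration.


def canonical(body: dict) -> bytes:
    """Serialise deterministically so sender and receiver hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def tag_for(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_envelope(key: bytes, payload: dict, nonce: Optional[str] = None) -> dict:
    """Sender side: attach a fresh nonce and a tag over payload+nonce."""
    body = {"payload": payload, "nonce": nonce or secrets.token_hex(16)}
    return {**body, "tag": tag_for(key, canonical(body))}


def verify_envelope(key: bytes, env: dict, seen_nonces: Set[str]) -> Tuple[bool, str]:
    """Receiver side. Check the tag before trusting anything else in the message,
    and compare in constant time so timing does not leak how many bytes matched."""
    body = {"payload": env.get("payload"), "nonce": env.get("nonce")}
    expected = tag_for(key, canonical(body))
    if not hmac.compare_digest(expected, str(env.get("tag", ""))):
        return False, "bad tag: altered in transit or signed with a different key"
    if body["nonce"] in seen_nonces:
        return False, "replay: nonce already accepted"
    seen_nonces.add(body["nonce"])
    return True, "ok"


def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed; real keys are provisioned out of band
    seen: Set[str] = set()
    genuine = make_envelope(key, {"from": "alice", "action": "transfer", "amount": 100})

    # Attacker edits the amount but cannot recompute the tag without the key.
    tampered = {**genuine, "payload": {**genuine["payload"], "amount": 1000}}
    # Attacker signs the same payload with a key of their own.
    forged = make_envelope(secrets.token_bytes(32), genuine["payload"])

    return {
        "genuine": verify_envelope(key, genuine, seen)[0],
        "tampered": verify_envelope(key, tampered, seen)[0],
        "forged": verify_envelope(key, forged, seen)[0],
        "replayed": verify_envelope(key, genuine, seen)[0],   # same envelope a second time
    }


if __name__ == "__main__":
    print(demo())
```

The shared key is the whole trust anchor: anyone who possesses it can mint valid tags, which is the "who else has possession of it?" question from the Control slide again. Where two parties must not share a secret, the same structure works with a signature (private key signs, public key verifies) in place of the HMAC.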
Availability
All systems and information resources must be "up and running" as per the needs of the organization.

Availability Risk Examples
• DDoS attacks.
• Third-party service failures.
• Hardware failures.
• Software bugs.
• Untested software patches.
• Natural disasters.
• Man-made disasters.

Availability: Utility
An employee who had encrypted data leaves the company. You still have possession of the data, but you do not have the key to decrypt the contents, so you do not have the use or utility of it.

Getting Risky
• How bad will it be if this component fails?
• What other components will this affect if it fails?
• How likely is it that it will fail?
• What are the ways it could fail?
• What can we do in advance to prevent or reduce the chances or impact of failure?
• How can we consistently test that this component is healthy?
• How will we know if it has failed?
• How can we structure this component to be monitorable through an external system? (A generated JSON/XML status page, HTTP status codes, etc.: anything you can attach a status monitor to.)
• How can we structure this component to fail more gracefully? (Firing an alert and redirecting instead of returning a 500 error, for example.)
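The last two questions are the ones you can answer in code. The following is an added example, not code from the talk: a health endpoint that runs a probe per dependency, never crashes on a broken probe, and maps the result onto an HTTP status a monitor can alert on (200 "ok", 200 "degraded" when only non-critical parts are down, 503 "down"), plus a request wrapper that fires an alert and redirects to a status page instead of surfacing a bare 500. The probes, the failing handler and the `/status` URL are constructed stand-ins.

```python
import time
from typing import Callable, Dict, List, Set, Tuple

# Added example, not from the talk. Each probe returns (healthy, detail); the
# probes in demo() are constructed stand-ins for real dependency checks.
Probe = Callable[[], Tuple[bool, str]]


def run_checks(checks: Dict[str, Probe], critical: Set[str]) -> Tuple[int, dict]:
    """Run every probe and map the outcome to something a monitor can alert on:
    200 + "ok", 200 + "degraded" (only non-critical parts down), 503 + "down".
    A probe that raises is recorded as failed rather than crashing the endpoint."""
    results = {}
    status = "ok"
    for name, probe in checks.items():
        started = time.monotonic()
        try:
            ok, detail = probe()
        except Exception as exc:
            ok, detail = False, f"{type(exc).__name__}: {exc}"
        results[name] = {
            "ok": ok,
            "detail": detail,
            "ms": round((time.monotonic() - started) * 1000, 1),
        }
        if not ok:
            if name in critical:
                status = "down"
            elif status == "ok":
                status = "degraded"
    return (503 if status == "down" else 200), {"status": status, "checks": results}


def serve(handler: Callable[[], str], alert: Callable[[str], None],
          fallback_url: str) -> Tuple[int, dict]:
    """Fail gracefully: when the handler blows up, page someone and send the user
    to a status page (302) instead of returning a bare 500."""
    try:
        return 200, {"body": handler()}
    except Exception as exc:
        alert(f"handler failed: {type(exc).__name__}: {exc}")
        return 302, {"Location": fallback_url}


def broken_probe() -> Tuple[bool, str]:
    raise RuntimeError("probe misconfigured")        # constructed failure


def broken_handler() -> str:
    raise ConnectionError("database unreachable")    # constructed failure


def demo() -> dict:
    checks: Dict[str, Probe] = {
        "database": lambda: (True, "SELECT 1 in 2ms"),
        "payment_api": lambda: (False, "timeout after 3s"),
        "cdn": broken_probe,
    }
    health_code, report = run_checks(checks, critical={"database", "payment_api"})
    alerts: List[str] = []
    page_code, headers = serve(broken_handler, alerts.append, "/status")
    return {"health_code": health_code, "status": report["status"],
            "page_code": page_code, "redirect": headers.get("Location"),
            "alerts": alerts}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The report dict is plain JSON, so whatever fronts the service can emit it as the status document and the status code together; the monitor then keys off the code and only needs the body when a human looks. Keep the probes cheap and time-boxed, because a health endpoint that itself hangs becomes the thing that is down.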
Risk Matrix Components
• Type
• Third-Party
• Dataflow diagram ID
• Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
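Those columns are easy to keep as a spreadsheet, but a matrix only earns its keep when it is ranked and checked. The following is an added example, not code from the talk: the slide's columns as a record, scored as likelihood times user impact on a 1 to 5 scale (the scale and the "score of 10 or more" threshold are assumptions; the slide names neither), ranked, and checked so that nothing high-risk is missing a monitor, a mitigation or a contact. The three register entries and the addresses are constructed.

```python
from dataclasses import dataclass
from typing import List

# Added example, not from the talk. The 1..5 scales and the threshold are assumed;
# the entries in sample_register() are constructed.


@dataclass
class RiskEntry:
    component: str
    risk_type: str        # Type: confidentiality / integrity / availability
    third_party: bool     # Third-Party
    dataflow_id: str      # Dataflow diagram ID
    description: str
    trigger: str          # Triggering Action
    consequence: str      # Consequence of Service Failure
    likelihood: int       # Risk of Failure, 1 (rare) .. 5 (expected)
    user_impact: int      # User Impact, 1 (cosmetic) .. 5 (service unusable)
    monitoring: str = ""  # Method used for monitoring this risk
    mitigation: str = ""  # Efforts to Mitigate in Case of Failure
    contact: str = ""     # Contact info

    def __post_init__(self) -> None:
        for name in ("likelihood", "user_impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.user_impact


def ranked(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Highest score first; ties broken by dataflow ID for a stable report."""
    return sorted(entries, key=lambda e: (-e.score, e.dataflow_id))


def gaps(entries: List[RiskEntry], threshold: int = 10) -> List[str]:
    """Every entry at or above the threshold must say how it is watched,
    what is done when it fails, and who to call."""
    problems = []
    for e in ranked(entries):
        if e.score < threshold:
            continue
        for column in ("monitoring", "mitigation", "contact"):
            if not getattr(e, column).strip():
                problems.append(f"{e.dataflow_id} {e.component} (score {e.score}): no {column}")
    return problems


def sample_register() -> List[RiskEntry]:
    """Constructed entries for the demonstration."""
    return [
        RiskEntry("Payment gateway", "availability", True, "DF-07",
                  "Card charges go through a hosted payment API",
                  "Vendor outage or API change",
                  "Checkout cannot complete; orders lost",
                  likelihood=3, user_impact=5,
                  monitoring="Synthetic test charge every 5 minutes",
                  mitigation="",                       # nobody has written this down yet
                  contact="payments-oncall@example.com"),
        RiskEntry("Primary database", "integrity", False, "DF-01",
                  "Database holding orders and accounts",
                  "Disk failure or bad migration",
                  "Data loss or corruption",
                  likelihood=2, user_impact=5,
                  monitoring="Replication lag plus nightly restore test",
                  mitigation="Fail over to replica; restore from last verified backup",
                  contact="dba@example.com"),
        RiskEntry("Heatmap script", "confidentiality", True, "DF-12",
                  "Third-party JavaScript recording user mouse movement",
                  "Vendor compromise serves malicious script",
                  "Session data exposed; pages defaced",
                  likelihood=2, user_impact=3,
                  monitoring="Hourly hash check of the vendor script",
                  mitigation="Remove the script tag; rotate affected sessions",
                  contact="web@example.com"),
    ]


if __name__ == "__main__":
    for e in ranked(sample_register()):
        print(f"{e.score:>2}  {e.dataflow_id}  {e.component}")
    print(gaps(sample_register()))
```

Run the gap check in CI or as a pre-launch step: the payment gateway above is the most likely thing to hurt users and is the one entry with no written mitigation, which is exactly the kind of hole a matrix kept only in a spreadsheet hides.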
Things You Can Start Doing TODAY

• Start every project risk-first.
• Build a clear inventory of surface areas and their value. Get stakeholders involved.
• Start using a risk matrix for every major project or product.
• Trust your gut. If something doesn’t look right, it probably isn’t.

• Keep your systems as simple as possible. Document them.
• Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
• Get to know your users' behavior. Use things like Google Analytics and heatmapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.

• Increased transparency reduces risk across departments. Consider devops.
• Automate EVERYTHING: Casper, DeployStudio, Boxen, etc. (Chef, Vagrant, Ansible, Salt or Fabric for server management.)
• If you develop software, automate your deployment and configuration management. Chatops FTW!
• Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.

• Always employ the principle of least privilege.
• Rely on role-based groups for OD/AD, email accounts, etc.
• Consider who has access to your social media accounts. Use an SMMS (social media management system) to manage access instead of giving out passwords.
• Consider who has access to third-party services where billing information is available via account management settings.

• Be proactive in educating your company’s staff about security. Measure results.
• Teach your users about password security and social engineering.
• Set your users up with a good password manager like LastPass or 1Password.
• Always be aware of single points of failure. (“Bus factor”, Maginot Line.)

• Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
• Create a Business Continuity Plan.
• Create an Incident Response Plan. Test it.
• Create a Disaster Recovery Plan. TEST IT. (Seriously.)
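"Test it" for a backup means restoring it somewhere fresh and comparing, not checking that the job exited 0. The following is an added example, not code from the talk, that serves both the "no way to verify the integrity of the backups you have" risk above and the "TEST IT" item here: it archives a directory together with a SHA-256 manifest of what should be inside, restores the archive into an empty directory and reports every missing, changed or unexpected file. The sample files are constructed, and the `exclude` parameter exists only to simulate a backup job that silently skipped a file.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# Added example, not from the talk: archive + SHA-256 manifest, then prove the
# backup by restoring it and diffing. The sample files in demo() are constructed.


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path, exclude: Optional[Set[str]] = None) -> Dict[str, str]:
    """Write the archive plus a manifest of what *should* be in it.
    `exclude` only exists to simulate a backup job that silently skips files."""
    skipped = exclude or set()
    manifest = manifest_for(source)

    def keep(info: tarfile.TarInfo):
        rel = info.name[2:] if info.name.startswith("./") else info.name
        return None if rel in skipped else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=keep)
    (archive.parent / (archive.name + ".manifest.json")).write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str], restore_dir: Path) -> List[str]:
    """Restore into an empty directory and diff against the manifest.
    Returns the problems found; an empty list means the backup is usable."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses path traversal (3.12+, backported)
        except TypeError:                                # interpreter without the filter argument
            tar.extractall(restore_dir)
    restored = manifest_for(restore_dir)
    problems = [f"missing: {rel}" for rel in manifest if rel not in restored]
    problems += [f"changed: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return sorted(problems)


def demo() -> Tuple[List[str], List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "source"
        (src / "db").mkdir(parents=True)
        (src / "config.yml").write_text("app: demo\n")                           # constructed
        (src / "db" / "users.sql").write_text("INSERT INTO users VALUES (1, 'alice');\n")

        good = make_backup(src, base / "good.tar.gz")
        clean = verify_restore(base / "good.tar.gz", good, base / "restore_good")

        # A job that "succeeded" but skipped a file: only the restore test notices.
        bad = make_backup(src, base / "bad.tar.gz", exclude={"db/users.sql"})
        broken = verify_restore(base / "bad.tar.gz", bad, base / "restore_bad")
        return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("good backup:", clean or "restored cleanly")
    print("bad backup: ", broken)
```

Keep the manifest somewhere other than next to the archive in production (the point is to detect a backup that went wrong, and a corrupt or incomplete copy tends to take its neighbours with it), and schedule the restore test rather than running it once: the same check that passed last quarter is the one that tells you a later change broke the job.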
• Give preference to vendors that integrate with your AD/OD.
• Create a vendor management policy. Insist (and document) that your vendors comply with your requirements, or find a new vendor.
• Make sure you understand what happens when third-party services fail or behave unexpectedly.