Ultimate Hack
Rafal M. Los ...aka 'Wh1t3Rabbit'
AtlSecCon – March 2011
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes
here
Manipulating Layers 8 & 9 [Management & Budget] of the OSI Model
Hi …I'm the Wh1t3 Rabbit
Twitter: “Wh1t3Rabbit”
Blog: http://hp.com/go/white-rabbit
Practical Experience?
•IT since 1995
•InfoSec since 1999
•Built & led AppSec Program in Fortune 100
•More years doing than talking
(seriously)
Rules for this talk
1. Participate
2. Share your thoughts
3. If you share, be honest with your answers
4. There is an assignment at the end…
CAUTION: The contents in this talk may make you uncomfortable as an information security professional.
A riddle:
What does an Information Security team DO?
Does senior management respect and support Information Security's vision & efforts?
…or just deal with you?
(what we tell ourselves)
Our Goal as InfoSec Professionals
•“secure the business”
•“reduce risk”
•“deploy security measures”
•“protect the company”
•“keep threats out”
When management hears this…
Our Goal as InfoSec Professionals
•“secure the business” → from what?
•“reduce risk” → of what?
•“deploy security measures” → why?
•“protect the company” → from what?
•“keep threats out” → of where? (and why?)
“the secret layers”
Layers 8 & 9
Management
necessary for…
•Organizational buy-in
•Push change from the top
•Create shift in policy & culture
•Credibility
Budget
necessary for…
•Required for staff, gear
•Persuasion
•Education
•Seed effort
So … you NEED Management & Budget
…but how do you manipulate them to your ends?
Getting what you want at Layers 8 & 9
My 7 Secrets to Success
What does your business do?
Align to the Business
Objective
Understand completely and comprehensively what your organization does, how it makes money, and how it evolves.
Go work as a business analyst
Walk a mile...
Objective
If you want to understand why business analysts do strange/insecure things, go be one of them for a while.
Rewards balance consequences
Carrot & Stick
Objective
Neither rewards nor consequences alone will reach your ends; a sane balance must be found between the push and pull of your security goals.
Segment your security practice
Advisory vs. Operations
Objective
Separate out the 'advise' from the 'do' parts of Information Security to achieve higher credibility and better resource utilization.
Meet your new best friends
Risk, Compliance, Legal
Objective
Align with the 3 most powerful parts of any organization; adopt their methods and leverage each other's capabilities and expertise.
Business must need it
Business-driven 'security'
Objective
Allow your business to come to the conclusion that it requires your assistance to meet business goals and customer demands.
“Just sign here to accept risk”
Leverage Accountability
Objective
Few things are more powerful than the risk of being held accountable for your actions; advise on risk and allow a business owner to accept that risk with a simple signature.
They've worked for me, they may work for you
These are my secrets to succeeding
Try this at home ...but make sure you are rational.
• There is no silver bullet, we're not baking cookies
• Every organization is different, approaches vary
–Some assembly required, batteries not included
–No warranties, no returns
Did you learn something?
Thank you
Rafal Los
Twitter.com/Wh1t3Rabbit
HP.com/go/white-rabbit

More Related Content

Viewers also liked

Workshop on Identity & Access Management.
Workshop on Identity & Access Management.Workshop on Identity & Access Management.
Workshop on Identity & Access Management.cisoplatform
 
Tips for Charitable Donations | Stephen Overton
Tips for Charitable Donations | Stephen OvertonTips for Charitable Donations | Stephen Overton
Tips for Charitable Donations | Stephen OvertonStephen Overton
 
Izvestaj o radu Poljoprivredno-hemijske škole u školskoj 2015/2016. godini
Izvestaj o radu Poljoprivredno-hemijske škole u školskoj 2015/2016. godiniIzvestaj o radu Poljoprivredno-hemijske škole u školskoj 2015/2016. godini
Izvestaj o radu Poljoprivredno-hemijske škole u školskoj 2015/2016. godiniphskola
 

Viewers also liked (6)

Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011Adam w. mosher - geo tagging - atlseccon2011
Adam w. mosher - geo tagging - atlseccon2011
 
Workshop on Identity & Access Management.
Workshop on Identity & Access Management.Workshop on Identity & Access Management.
Workshop on Identity & Access Management.
 
Case Lapinjärvi
Case LapinjärviCase Lapinjärvi
Case Lapinjärvi
 
TIAD 2016 : Is Automation Worth My Time?
TIAD 2016 : Is Automation Worth My Time?TIAD 2016 : Is Automation Worth My Time?
TIAD 2016 : Is Automation Worth My Time?
 
Tips for Charitable Donations | Stephen Overton
Tips for Charitable Donations | Stephen OvertonTips for Charitable Donations | Stephen Overton
Tips for Charitable Donations | Stephen Overton
 
Izvestaj o radu Poljoprivredno-hemijske škole u školskoj 2015/2016. godini
Izvestaj o radu Poljoprivredno-hemijske škole u školskoj 2015/2016. godiniIzvestaj o radu Poljoprivredno-hemijske škole u školskoj 2015/2016. godini
Izvestaj o radu Poljoprivredno-hemijske škole u školskoj 2015/2016. godini
 

Similar to Rafal m. los wh1t3 rabbit - ultimate hack - layers 8 & 9 of the osi model - atlseccon2011

Making Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessMaking Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessRafal Los
 
3 tips to funding your security program
3 tips to funding your security program3 tips to funding your security program
3 tips to funding your security programCloudBees
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Rafal Los
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelUltimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelRafal Los
 
Sit in a common area and observe. This may be in your office, a co.docx
Sit in a common area and observe. This may be in your office, a co.docxSit in a common area and observe. This may be in your office, a co.docx
Sit in a common area and observe. This may be in your office, a co.docxjennifer822
 
Putting the Product in Product-Led GTM
Putting the Product in Product-Led GTMPutting the Product in Product-Led GTM
Putting the Product in Product-Led GTMVivek Saraswat
 
Keeping your career secure presentation august 2013
Keeping your career secure presentation august 2013Keeping your career secure presentation august 2013
Keeping your career secure presentation august 2013Fernando Herrera
 
How to Write the Trailhead Way by Chris Duarte
How to Write the Trailhead Way by Chris DuarteHow to Write the Trailhead Way by Chris Duarte
How to Write the Trailhead Way by Chris DuarteSalesforce Admins
 
IntelCollab_March-14_wTerryThiele
IntelCollab_March-14_wTerryThieleIntelCollab_March-14_wTerryThiele
IntelCollab_March-14_wTerryThieleTerry Thiele
 
2005 talk on starting a business @ JKU
2005 talk on starting a business @ JKU2005 talk on starting a business @ JKU
2005 talk on starting a business @ JKUAndreas Wintersteiger
 
Common Mistakes Salesforce Admins Make
Common Mistakes Salesforce Admins MakeCommon Mistakes Salesforce Admins Make
Common Mistakes Salesforce Admins MakeMike Gerholdt
 
Chap002 (Management Information System)
Chap002 (Management Information System)Chap002 (Management Information System)
Chap002 (Management Information System)Abbott
 
Common Mistakes Salesforce Admins Make - #DF13
Common Mistakes Salesforce Admins Make - #DF13Common Mistakes Salesforce Admins Make - #DF13
Common Mistakes Salesforce Admins Make - #DF13Jared Miller
 
Marketing and Sales Alignment, Erica Ruliffson, Oracle SaaS Group
Marketing and Sales Alignment, Erica Ruliffson, Oracle SaaS GroupMarketing and Sales Alignment, Erica Ruliffson, Oracle SaaS Group
Marketing and Sales Alignment, Erica Ruliffson, Oracle SaaS GroupCorporate Visions
 
The Story of User Stories
The Story of User StoriesThe Story of User Stories
The Story of User StoriesRobbie Mac Iver
 
Demystifying the Cloud: Can Procurement Really Benefit?
Demystifying the Cloud: Can Procurement Really Benefit? Demystifying the Cloud: Can Procurement Really Benefit?
Demystifying the Cloud: Can Procurement Really Benefit? SAP Ariba
 
conf2015_BusinessPracticePreso_092215_post
conf2015_BusinessPracticePreso_092215_postconf2015_BusinessPracticePreso_092215_post
conf2015_BusinessPracticePreso_092215_postAnne-Marie "Punky" Chun
 
The 5 Building Blocks For A Sustainable Content Strategy - #SPS2015
The 5 Building Blocks For A Sustainable Content Strategy - #SPS2015The 5 Building Blocks For A Sustainable Content Strategy - #SPS2015
The 5 Building Blocks For A Sustainable Content Strategy - #SPS2015G3 Communications
 
OOW15 - Maintenance Strategies for Oracle E-Business Suite
OOW15 - Maintenance Strategies for Oracle E-Business SuiteOOW15 - Maintenance Strategies for Oracle E-Business Suite
OOW15 - Maintenance Strategies for Oracle E-Business Suitevasuballa
 

Similar to Rafal m. los wh1t3 rabbit - ultimate hack - layers 8 & 9 of the osi model - atlseccon2011 (20)

Making Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessMaking Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in Business
 
3 tips to funding your security program
3 tips to funding your security program3 tips to funding your security program
3 tips to funding your security program
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelUltimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI Model
 
Sit in a common area and observe. This may be in your office, a co.docx
Sit in a common area and observe. This may be in your office, a co.docxSit in a common area and observe. This may be in your office, a co.docx
Sit in a common area and observe. This may be in your office, a co.docx
 
Putting the Product in Product-Led GTM
Putting the Product in Product-Led GTMPutting the Product in Product-Led GTM
Putting the Product in Product-Led GTM
 
Keeping your career secure presentation august 2013
Keeping your career secure presentation august 2013Keeping your career secure presentation august 2013
Keeping your career secure presentation august 2013
 
How to Write the Trailhead Way by Chris Duarte
How to Write the Trailhead Way by Chris DuarteHow to Write the Trailhead Way by Chris Duarte
How to Write the Trailhead Way by Chris Duarte
 
IntelCollab_March-14_wTerryThiele
IntelCollab_March-14_wTerryThieleIntelCollab_March-14_wTerryThiele
IntelCollab_March-14_wTerryThiele
 
2005 talk on starting a business @ JKU
2005 talk on starting a business @ JKU2005 talk on starting a business @ JKU
2005 talk on starting a business @ JKU
 
Common Mistakes Salesforce Admins Make
Common Mistakes Salesforce Admins MakeCommon Mistakes Salesforce Admins Make
Common Mistakes Salesforce Admins Make
 
Chap002 (Management Information System)
Chap002 (Management Information System)Chap002 (Management Information System)
Chap002 (Management Information System)
 
Common Mistakes Salesforce Admins Make - #DF13
Common Mistakes Salesforce Admins Make - #DF13Common Mistakes Salesforce Admins Make - #DF13
Common Mistakes Salesforce Admins Make - #DF13
 
Marketing and Sales Alignment, Erica Ruliffson, Oracle SaaS Group
Marketing and Sales Alignment, Erica Ruliffson, Oracle SaaS GroupMarketing and Sales Alignment, Erica Ruliffson, Oracle SaaS Group
Marketing and Sales Alignment, Erica Ruliffson, Oracle SaaS Group
 
The Story of User Stories
The Story of User StoriesThe Story of User Stories
The Story of User Stories
 
Demystifying the Cloud: Can Procurement Really Benefit?
Demystifying the Cloud: Can Procurement Really Benefit? Demystifying the Cloud: Can Procurement Really Benefit?
Demystifying the Cloud: Can Procurement Really Benefit?
 
conf2015_BusinessPracticePreso_092215_post
conf2015_BusinessPracticePreso_092215_postconf2015_BusinessPracticePreso_092215_post
conf2015_BusinessPracticePreso_092215_post
 
The 5 Building Blocks For A Sustainable Content Strategy - #SPS2015
The 5 Building Blocks For A Sustainable Content Strategy - #SPS2015The 5 Building Blocks For A Sustainable Content Strategy - #SPS2015
The 5 Building Blocks For A Sustainable Content Strategy - #SPS2015
 
OOW15 - Maintenance Strategies for Oracle E-Business Suite
OOW15 - Maintenance Strategies for Oracle E-Business SuiteOOW15 - Maintenance Strategies for Oracle E-Business Suite
OOW15 - Maintenance Strategies for Oracle E-Business Suite
 
USC Entrepreneurship Seminar Series
USC Entrepreneurship Seminar SeriesUSC Entrepreneurship Seminar Series
USC Entrepreneurship Seminar Series
 

More from Atlantic Security Conference

Henry stern - turning point on war on spam - atlseccon2011
Henry stern - turning point on war on spam - atlseccon2011Henry stern - turning point on war on spam - atlseccon2011
Henry stern - turning point on war on spam - atlseccon2011Atlantic Security Conference
 
Jean pier talbot - web is the battlefield - atlseccon2011
Jean pier talbot - web is the battlefield - atlseccon2011Jean pier talbot - web is the battlefield - atlseccon2011
Jean pier talbot - web is the battlefield - atlseccon2011Atlantic Security Conference
 
Joe power - managing risk through compliance - atlseccon2011
Joe power - managing risk through compliance - atlseccon2011Joe power - managing risk through compliance - atlseccon2011
Joe power - managing risk through compliance - atlseccon2011Atlantic Security Conference
 
Wayne richard - pia risk management - atlseccon2011
Wayne richard - pia risk management - atlseccon2011Wayne richard - pia risk management - atlseccon2011
Wayne richard - pia risk management - atlseccon2011Atlantic Security Conference
 
Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Atlantic Security Conference
 
Robert beggs incident response teams - atlseccon2011
Robert beggs   incident response teams - atlseccon2011Robert beggs   incident response teams - atlseccon2011
Robert beggs incident response teams - atlseccon2011Atlantic Security Conference
 
Larry fermi generic nac overview-expanded - atlseccon2011
Larry fermi   generic nac overview-expanded - atlseccon2011Larry fermi   generic nac overview-expanded - atlseccon2011
Larry fermi generic nac overview-expanded - atlseccon2011Atlantic Security Conference
 

More from Atlantic Security Conference (11)

Andrew kozma - security 101 - atlseccon2011
Andrew kozma - security 101 - atlseccon2011Andrew kozma - security 101 - atlseccon2011
Andrew kozma - security 101 - atlseccon2011
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Henry stern - turning point on war on spam - atlseccon2011
Henry stern - turning point on war on spam - atlseccon2011Henry stern - turning point on war on spam - atlseccon2011
Henry stern - turning point on war on spam - atlseccon2011
 
Jean pier talbot - web is the battlefield - atlseccon2011
Jean pier talbot - web is the battlefield - atlseccon2011Jean pier talbot - web is the battlefield - atlseccon2011
Jean pier talbot - web is the battlefield - atlseccon2011
 
Dean carey - data loss-prevention - atlseccon2011
Dean carey - data loss-prevention - atlseccon2011Dean carey - data loss-prevention - atlseccon2011
Dean carey - data loss-prevention - atlseccon2011
 
Joe power - managing risk through compliance - atlseccon2011
Joe power - managing risk through compliance - atlseccon2011Joe power - managing risk through compliance - atlseccon2011
Joe power - managing risk through compliance - atlseccon2011
 
Ron perris compliance-v-security - atlseccon2011
Ron perris   compliance-v-security - atlseccon2011Ron perris   compliance-v-security - atlseccon2011
Ron perris compliance-v-security - atlseccon2011
 
Wayne richard - pia risk management - atlseccon2011
Wayne richard - pia risk management - atlseccon2011Wayne richard - pia risk management - atlseccon2011
Wayne richard - pia risk management - atlseccon2011
 
Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011
 
Robert beggs incident response teams - atlseccon2011
Robert beggs   incident response teams - atlseccon2011Robert beggs   incident response teams - atlseccon2011
Robert beggs incident response teams - atlseccon2011
 
Larry fermi generic nac overview-expanded - atlseccon2011
Larry fermi   generic nac overview-expanded - atlseccon2011Larry fermi   generic nac overview-expanded - atlseccon2011
Larry fermi generic nac overview-expanded - atlseccon2011
 

Recently uploaded

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Rafal M. Los (Wh1t3Rabbit) - Ultimate Hack - Layers 8 & 9 of the OSI Model - AtlSecCon 2011

  • 1. Ultimate Hack: Manipulating Layers 8 & 9 [Management & Budget] of the OSI Model. Rafal M. Los ...aka "Wh1t3Rabbit". AtlSecCon – March 2011. © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 2. Hi ...I'm the Wh1t3 Rabbit. Twitter: "Wh1t3Rabbit". Blog: http://hp.com/go/white-rabbit
    Practical Experience?
    • IT since 1995
    • InfoSec since 1999
    • Built & led AppSec Program in a Fortune 100
    • More years doing than talking
  • 3. Rules for this talk (seriously)
    1. Participate
    2. Share your thoughts
    3. If you share, be honest with your answers
    4. There is an assignment at the end...
    CAUTION: The contents of this talk may make you uncomfortable as an information security professional.
  • 4. A riddle: What does an Information Security team DO?
  • 5. Does senior management respect and support Information Security's vision & efforts? ...or just deal with you?
  • 6. (image slide, no text)
  • 7. Our Goal as InfoSec Professionals (what we tell ourselves)
    • "secure the business"
    • "reduce risk"
    • "deploy security measures"
    • "protect the company"
    • "keep threats out"
  • 8. Our Goal as InfoSec Professionals (when management hears this...)
    • "secure the business" → from what?
    • "reduce risk" → of what?
    • "deploy security measures" → why?
    • "protect the company" → from what?
    • "keep threats out" → of where? (and why?)
  • 9. Layers 8 & 9: "the secret layers"
    Management is necessary for:
    • Organizational buy-in
    • Pushing change from the top
    • Creating a shift in policy & culture
    • Credibility
    Budget is necessary for:
    • Staff and gear
    • Persuasion
    • Education
    • Seed effort
  • 10. So ... you NEED Management & Budget ...but how do you manipulate them to your ends?
  • 11. Getting what you want at Layers 8 & 9: My 7 Secrets to Success
  • 12. Align to the Business: What does your business do?
    Objective: Understand completely and comprehensively what your organization does, how it makes money, and how it evolves.
  • 13. Walk a mile...: Go work as a business analyst
    Objective: If you want to understand why business analysts do strange/insecure things, go be one of them for a while.
  • 14. Carrot & Stick: Rewards balance consequences
    Objective: Neither rewards nor consequences alone will reach your ends; a sane balance must be found between the push and pull of your security goals.
  • 15. Advisory vs. Operations: Segment your security practice
    Objective: Separate out the "advise" from the "do" parts of Information Security to achieve higher credibility and better resource utilization.
  • 16. Risk, Compliance, Legal: Meet your new best friends
    Objective: Align with the three most powerful parts of any organization; adopt their methods and leverage each other's capabilities and expertise.
  • 17. Business-driven "security": Business must need it
    Objective: Allow your business to come to the conclusion that it requires your assistance to meet business goals and customer demands.
  • 18. Leverage Accountability: "Just sign here to accept risk"
    Objective: Few things are more powerful than the risk of being held accountable for your actions; advise on risk and allow a business owner to accept that risk with a simple signature.
  • 19. These are my secrets to succeeding: they've worked for me, they may work for you
    Try this at home ...but make sure you are rational.
    • There is no silver bullet, we're not baking cookies
    • Every organization is different, approaches vary
      – Some assembly required, batteries not included
      – No warranties, no returns
  • 20. Did you learn something? Thank you. Rafal Los, Twitter.com/Wh1t3Rabbit, HP.com/go/white-rabbit