The document provides an overview of steps a new security person can take to improve their organization's security posture. It recommends focusing initially on low-hanging fruit like increasing security awareness training, network segmentation, implementing a VPN, centralized logging, and multi-factor authentication. Mid-term goals include assessing security risks, improving physical security controls, establishing security policies, and setting up annual audits and penetration tests. Long-term objectives involve data retention, hiring additional security staff, obtaining training and certifications, and continually updating security practices. The document emphasizes starting with achievable tasks and maintaining a sustainable work/life balance.

1. Eating The Security Elephant
Or
Swallowing the Security Ocean
Or
Congratulations! You’re the new security person!
Sean Jackson

2. Congratulations! You’re The New
Security Person!

3. About Me
Pentester, Incident Handling, Technical Debt
Consultant, Alliance Information Security
Senior Security Engineer, Solutionreach
General Manager of HackWest
InfoSec professional for 9 years
Husband, Father X5, keyboardist
I really like hacker challenges

4. Congratulations! You’re the new security person!
How did you get here?

6. Ignorance

7. Ignorance
L0: You don’t even know you’re ignorant of something
L1: You don’t know there are things you don’t know, and there’s no way you
might find out
L2: You know you don’t know something, but don’t know how to learn more
L3: You know you don’t know something, but you have a way to learn more
L4: You think you might know something

8. Competence
You don’t know you don’t do it well
You know you don’t do it well
You do it well, and you think about it while
doing it
You do it so well, it’s automatic

9. Playbooks

10. Playbooks
NIST (800-53)
ISO 23001
SANS 20 (CIS
Critical Security
Controls)
HIPAA
PCI
FISMA

11. Copy each line to a spreadsheet

12. Where are we today?

14. Are we doing it already?
(I color code yes/partial/no)

15. What would it take to do it?

16. When do we want to do it? (and notes)

17. – John Strand
“If you can’t detect an
inside actor, you have
no security program”

18. Inside Actor

19. What’s the low-hanging fruit?

20. Some of the things on the list will look simple
Application white listing? Not so much….

21. The Low-Hanging Fruit
Identify what you can knock out now without any
additional budget or headcount.
That’s all the low-hanging fruit. Go do it now.

22. Back to the Playbook
Identifying how much $ or how
many heads you’d need to do X
In budget = short/med
Not in budget = long and/or budget
conversation
Let’s talk about some good short/
med goals today:

23. What can we do TODAY?

24. Increased Security Awareness
EVERYONE is part of
Security
Empower all employees to
report things
Say Thank You to false
positives

25. Increased Security Awareness
Help the developers
(training SDL, OWASP,
Threat Modeling)

26. Increased Security Awareness
Train HR and Legal on
Information Disclosure,
espionage, policy violation
consequence, secure
hiring process, secure
dismissal process, etc

27. Increased Security Awareness
All these Increased Security Awareness items should be
short-term and med-term goals

28. Segment The Network
Break off everything that
doesn’t need to be externally
visible
Servers, file shares, printers,
etc
Need routers/switches/next-
gen firewall, if you have one
Short-term, maybe med-term

29. VPN
Don’t allow direct access
to ANYTHING from
outside
Need: Beefy (hardened)
box with multiple NIC
cards
Should be short-term

30. What else can we do today?
Logging

31. Logging
Need to learn grep, awk, sed,
regex
Set up a centralized logging
aggregation point
I recommend syslog-ng (on
linux) (windows can send to
it)
Make sure the box has lots of
storage

32. Logging
Logs are the paint on the
floor you’ll want to look at
when something wrong
happens
Get in the habit of
reviewing them
Could you automate
that?

33. Logging
Automation —
Something that reads logs
that come in, and match
something with regex
Maybe, send you an email
when it sees something you
have defined?
You’re standing on the edge of
a SEIM

34. Logging
Short-term, Med-term, and Long-term

35. What else can we do right now?
2FA On All Windows and Linux Boxes!

36. 2FA
Windows now has
the option
Use Google
Authenticator for
free with Linux
This should be
short-term

37. What else should we think about?

38. How Is Your Organization Going to Assess Risk?
Talk to management, find out what
they see as risk.
Document with a score
Likelihood * Impact = Risk
Identify mitigations, new scores
Take feedback from anyone/
everyone and address it, add it to
the list

39. How Is Your Organization Going to Assess Risk?
Start this today,
then rinse and
repeat, ad
infinitum.

40. Physical Security

41. Physical Security
Doors
(And locks)
And next time your
company wants to do
some light construction,
talk about the latest
Tinder plugin, the mantrap

42. Physical Security
Cameras
Cover where a bad guy
would be if he were doing
bad things:
General workstation areas
Specific paths to and from
data closets
All entry and exit

43. Physical Security
Cameras
Needed: Dedicated
server, lots of storage
Big $$ bite in the
beginning, then roll out
more yearly

44. Badges
Two kinds; ID badges
and/or Access Cards
Don’t use one card for
both

45. Badges
This is where you
empower employees
Have all employees
question EVERYONE
without a badge

46. Policies
You can have lots of policies —
Company Policy
Information Security Policy
Access Policy
Approved Usage Policy
Data Retention Policy
Clean Desk Policy
And many more!

47. Policies
Work with the legal
department
The policies need
teeth.
There should be real
consequences to
violation

48. Policies
Train and work with HR
Make policy violation a
part of reviews
Some violations should
cost the job

49. Policies
Policies need to be
reviewed and updated
You will need to keep a
record of reviews and
track changes

50. Audits and Pentests

51. Audits
NOT adversarial!
Show them your playbook
spreadsheet
You don’t need to do
everything
You DO need to show that
you’ve considered everything

52. Audits
The auditor will do their
job
Understand what that
job is, and help them

53. Pentests

54. Pentests
Lots of kinds of penetration tests
Application
External Network
Internal Network
Physical
Social Engineering

55. Pentests
Similar to an audit
Findings are not attacks
(the speak to ignorance
which you can now solve)
Use a reputable agency,
not the most expensive,
not the cheapest

56. Audits and Pentests
You’ll most likely do
audits and pentests
once per year.
Start putting that on
your calendar now as a
long-term goal

57. Data Retention

58. Data Retention
Backups
Logs
Email (<—talk to Legal
inre: discoverable
evidence)
This would be mid-term
to long-term

59. Spot The Fed

60. Relationship with Cops/FBI
Talk to the InfraGard peeps
Take your local Fed to lunch
Tell them who you are, what
your org does, and find out how
to reach them when you think
you’re hacked
Talk to them now, NOT once
you’re hacked
Med-term

61. Budget / Headcount

62. Budget / Headcount
Look at the playbook
Hire to fill in gaps in skillset
Network Security
Application Security
Forensics
Governance / Risk /
Compliance
Red Team

63. Budget / Headcount
Hardware / Software
Security on the cheap
Opensource
Hardware on eBay
When you have more budget,
develop relationship with
VARS
This is med- and long-term

64. Last thing today, What about YOU?

65. What about you?
Training

66. What about you?
Certifications

67. What about you?
Conferences
SaintCon, BSidesSLC, HackWest,
OpenWest
Regional
BlackHat ($$$), BSidesLV, DefCon,
CactusCon
National
Too many to list
UtahSec

68. What about you?
Maintain
work/life
balance

69. Taking care of you is short-, med-, and long-term

70. Rinse and Repeat

71. Questions?
Sean Jackson @74rku5