There is no security (and it feels just fine)

•Download as PPTX, PDF•

2 likes•742 views

This document discusses security issues and failures across different domains including web commerce, industrial control systems, consumers, and software. It notes that all software has bugs, some of which will have security impacts. It concludes that product owners prioritize functionality over security and investors do not highly value security. The document recommends steps organizations can take to improve security including adopting the SANS Top 20 Critical Controls and implementing practices for secure software development environments.

Technology

There is no security
(and it feels just fine)
Jonathan Care
@arashiyama
http://uk.linkedin.com/in/computercrime/

We really do care about security and
@arashiyama
privacy…

What do IT guys actually care about?
@arashiyama

three faces of information security
@arashiyama

Most breaches web-commerce based
@arashiyama

Although compromised PEDs are fun
@arashiyama
too 

Security fail #2 : ICS/SCADA
@arashiyama

Note: I will not visit you in prison if
you get into trouble trying out this
stuff. Also, SCADA systems control
things that are IMPORTANT and
should not be fscked with lightly
@arashiyama

@arashiyama
http://bit.ly/lyMi35
Siemens, SIMATIC HMI, XP277, 6AV6 643-0CD01-1AX0, HW: 0, SW: V 1 1 2

@arashiyama
http://bit.ly/jTlKsL
(What temperature would you like your HVAC today?)

Security fail #3 : Consumers
@arashiyama

Security fail #4 – Software (!)
@arashiyama

So, how’s YOUR software dev doing?
@arashiyama

3. Some bugs will have a security
@arashiyama
impact

4. Product owners continue to value
@arashiyama
functionality over security

5. Investors place little value on
@arashiyama
security and privacy

SANS Top 20 Critical Controls
@arashiyama

Policy, processes & guidelines
InfoSec checkpoints in project lifecycle
Threat Model
Risk Appetite / Risk Tolerance
@arashiyama
Secure Software Environment
Operational Security Controls
Continuous Vulnerability Scan –
Fix
Penetration Testing / Red teaming
Malware
IDS / IPS
Firewalls
Centralised Logging (SIEM)
Threat Intelligence
PROTECT
RESPOND DETECT
Incident Response (Threat Model)
Incident Response (“Bluebird”)
Exec-level(press, clients)
“Forensic Readiness”
Update PROTECT model

Secure Software Environment - BSIMM
@arashiyama

Secure
Software
Environment
@arashiyama
Governance
Intelligence
SSDL
Touchpoints
Deployment
Strategy and Metrics
Compliance and Policy
Training
Attack Models
Security Features and Design
Standards and Requirements
Architecture Analysis
Code Review
Security Testing
Penetration Testing
Software Environment
Configuration Mgmt /
Vulnerability Mgmt

This presentation showcased live during the DNIF KONNECT meetup on 19th December 2019. We have our presenter: Ruchir Shah- Account Manager at DNIF, walk us through the importance of SOAR Some key points discussed during the meetup: -Understand, what is SOAR. -The problems a SOAR solution solves. -Real-time demo by DNIF expert on SOAR. Watch the full presentation here: https://www.youtube.com/watch?v=bCp-WAs6w5I

Sp2h Grammer Book

arsnyder7

Revista fomyextranove

Who am iTony Lathum Jr.

Paying attention

dani_2010

Revista fomy san valentinextranove

30 years living a happy life - Breaking Systems, Chasing Bad Guys and Teachin...

Jonathan Care

Input-output performance problems are on every day agenda for DBAs since the databases exist. Volume of data grows rapidly and you need to get your data fast from the disk and moreover - fast to the disk. For most databases there is a more or less easy to find checklist of recommended Linux settings to maximize IO throughput. In most cases that checklist is good enough. But it is always better to understand how it works, especially if you run into some corner-cases. This talk is about how IO in Linux works, how database pages travel from disk level to database own shared memory and back and what kind of mechanisms exist to control this. We will discuss memory structures, swap and page-out daemons, filesystems, schedullers and IO methods. Some fundamental differences in IO approaches between PostgreSQL, Oracle and MySQL will be covered.

ЧПЛП: Презентація класного керівника

Andrey Gumeniuk

PostgreSQL worst practices, version FOSDEM PGDay 2017 by Ilya Kosmodemiansky

PostgreSQL-Consulting

Demystifying Security Analytics: Data, Methods, Use Cases

Priyanka Aash

AWS Security Ideas - re:Invent 2016

Teri Radichel

RSA 2016 Security Analytics Presentation

Anton Chuvakin

Addressing Web Application Security Vulnerabilities.pdf

CecilSu

Automation: Embracing the Future of SecOps

IBM Security

Join Mike Rothman, Analyst & President of Securosis and Ted Julian, VP of Product Management and co-founder of IBM Resilient, for a webinar on common automation use cases for the Security Operations Center (SOC). Security Orchestration, Automation and Response (SOAR) tools are garnering interest in enterprise security teams due to tangible short-term benefits. Watch the recording: https://event.on24.com/wcc/r/2007717/385A881A097E8EFCE493981972303416?partnerref=LI

Incident Response and SAP SystemsOnapsis Inc.

Static Analysis Security Testing for Dummies... and You

Kevin Fealey

Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program. In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues

SIEM evaluator guide for soc analyst

InfosecTrain

Modern SIEMs support many different business and technical use cases, including security, compliance, big data analytics, IT operations, and others. However, this does not mean that any SIEM solution will satisfy your unique business and technical needs. Not all SIEMs are built equally or optimally to support all use cases, so it’s important to begin your SIEM evaluation by defining your specific use cases or goals.

Security Opportunities A Silicon Valley VC Perspective

Positive Hack Days

Viewers also liked

Kiindumuskäitumine ja sõltuvuskäitumineKalle Laane

Toetus alkoholi tarvitamisest loobumiselKalle Laane

Kergesti haavatavad sotsiaalsed rühmadKalle Laane

IKT eta EMOZIOAK

unaitoralesteban

ЧПЛП: спецмалювання. додаткова література

Andrey Gumeniuk

ЧПЛП: Світ українського фентезі

Andrey Gumeniuk

ЧПЛП: Книжкова полиця педагога

Andrey Gumeniuk

Motibazioaunaitoralesteban

ЧПЛП: Гуртожиток

Andrey Gumeniuk

Портфоліо: Купа І.М. (ЧПЛП)

Andrey Gumeniuk

Linux internals for Database administrators at Linux Piter 2016

PostgreSQL-Consulting

ЧПЛП: Презентація класного керівника

Andrey Gumeniuk

PostgreSQL worst practices, version FOSDEM PGDay 2017 by Ilya Kosmodemiansky

PostgreSQL-Consulting

Viewers also liked (13)

Kiindumuskäitumine ja sõltuvuskäitumine

Toetus alkoholi tarvitamisest loobumisel

Kergesti haavatavad sotsiaalsed rühmad

IKT eta EMOZIOAK

ЧПЛП: спецмалювання. додаткова література

ЧПЛП: Світ українського фентезі

ЧПЛП: Книжкова полиця педагога

Motibazioa

ЧПЛП: Гуртожиток

Портфоліо: Купа І.М. (ЧПЛП)

Linux internals for Database administrators at Linux Piter 2016

ЧПЛП: Презентація класного керівника

PostgreSQL worst practices, version FOSDEM PGDay 2017 by Ilya Kosmodemiansky

Similar to There is no security (and it feels just fine)

Demystifying Security Analytics: Data, Methods, Use Cases

Priyanka Aash

AWS Security Ideas - re:Invent 2016

Teri Radichel

RSA 2016 Security Analytics Presentation

Anton Chuvakin

Addressing Web Application Security Vulnerabilities.pdf

CecilSu

Automation: Embracing the Future of SecOps

IBM Security

Incident Response and SAP SystemsOnapsis Inc.

Static Analysis Security Testing for Dummies... and You

Kevin Fealey

SIEM evaluator guide for soc analyst

InfosecTrain

Security Opportunities A Silicon Valley VC Perspective

Positive Hack Days

DMA - Stupid Cyber Criminal Tricks

ThreatReel Podcast

So You Got That SIEM. NOW What Do You Do? by Dr. Anton Chuvakin

Anton Chuvakin

So You Got That SIEM. Now What Do You Do? Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin) Many organization that acquired Security Information and Event Management (SIEM) tools and even simpler log management tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive." So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful? At this presentation, you will learn from the experience of those who did not have the benefit of learning from other's mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL" of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed.

Corona| COVID IT Tactical Security Preparedness: Threat Management

RedZone Technologies

Something Fun About Using SIEM by Dr. Anton ChuvakinAnton Chuvakin

Ten security product categories you've (probably) never heard of

Adrian Sanabria

Which generation of siem?

Ertugrul Akbas

There are many SIEM solutions available. And some ML or AI modules/tools/Add-ons available on the market. Some of those ML/AI tools available are using pure statistics for outlier detection apart from current hot topic ML, AI algorithms. What is tactical SIEM? if you are spending 80 percent of your time within a SIEM tool doing alert review and analysis, then you are on the right track. If you are an organization that is instead focusing heavily on collecting more data sources, applying patches, or running compliance reports, then your SIEM implementation may not be tactical. [2] So correlation/alert is the heart of SIEM. Some SIEM solutions have strong correlation engine and some others are weak relatively. Some SIEM correlation engines are just filters and some of them are no more than Esper CEP query. Correlation is the key factor for SIEM success. So the emphasis is correlation engine.

SAST Code Security Advisor for SAP [Webinar]

akquinet enterprise solutions GmbH

sPlatform Security: "Are you really that attached to your ABAP security flaws, or can they go?" ------------------------------------------------------------------------------------- Attacks on companies have increased exponentially in recent years. Not uncommonly, these were made possible by software vulnerabilities. SAP systems are particularly critical for many core business processes and should receive corresponding protections. However, you'll only achieve a basic level of security that can weather stress tests and remain consistent if you take a truly head-to-toe approach to security. And that includes your ABAP code. In our experience to date, many companies balk at audits of their custom developments or 3rd-party add-ons, or are unsatisfied with the nearly unmanageable number of findings. How can this mass of supposedly critical security flaws be evaluated reliably? Where do you even start to clean up? The newest module in our SAST SUITE, the Code Security Advisor, offers a solution. It is directly integrated into your SAP system and has a risk assessment enriched by key figures such as usage statistics for prioritization, an option to easily decommission obsolete code and a comprehensive set of rules with test cases developed by our SAP security and compliance consultants based on their years of experience. ------------------------------------------------------------------------------------- Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de

Secure Coding principles by example: Build Security In from the start - Carlo...

Codemotion

Security engineering 101 when good design & security work together

Wendy Knox Everette

Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go? Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why. She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies. Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.

Kista watson summit final public version

IBM Sverige

IBM Security Strategi Talare: Peter Holm, Sweden Country Manager Security Systems, IBM och Kaja Narum, Integrated Business Unit Leader Security, IBM Security Operations Center behind the curtain Talare: Marcus Hallberg, Technical Solution Specialist, IBM Security From Log to SIEM ... and Incident Response Talare: Marcus Hallberg, Marcus Hallberg, Technical Solution Specialist, IBM Security och Victor Grane, Techical Sales, IBM Security IoT Security Talare: Torbjörn Andersson, Senior Security Consultant, IBM Presentationerna hölls på Watson Kista Summit 2018

Maturing DevSecOps: From Easy to High Impact

SBWebinars

Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place. So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are: Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns Securing DevOps methodologies - changing when and how security controls interact with the application and the development process Adapting to a DevOps philosophy of shared ownership for security In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.

Similar to There is no security (and it feels just fine) (20)

Demystifying Security Analytics: Data, Methods, Use Cases

AWS Security Ideas - re:Invent 2016

RSA 2016 Security Analytics Presentation

Addressing Web Application Security Vulnerabilities.pdf

Automation: Embracing the Future of SecOps

Incident Response and SAP Systems

Static Analysis Security Testing for Dummies... and You

SIEM evaluator guide for soc analyst

Security Opportunities A Silicon Valley VC Perspective

DMA - Stupid Cyber Criminal Tricks

So You Got That SIEM. NOW What Do You Do? by Dr. Anton Chuvakin

Corona| COVID IT Tactical Security Preparedness: Threat Management

Something Fun About Using SIEM by Dr. Anton Chuvakin

Ten security product categories you've (probably) never heard of

Which generation of siem?

SAST Code Security Advisor for SAP [Webinar]

Secure Coding principles by example: Build Security In from the start - Carlo...

Security engineering 101 when good design & security work together

Kista watson summit final public version

Maturing DevSecOps: From Easy to High Impact

Recently uploaded

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

The Future of Platform Engineering

Jemma Hussein Allen

DevOps and Testing slides at DASA Connect

Kari Kakkonen

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Peter Spielvogel

Building better applications for business users with SAP Fiori. • What is SAP Fiori and why it matters to you • How a better user experience drives measurable business benefits • How to get started with SAP Fiori today • How SAP Fiori elements accelerates application development • How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities • How SAP Fiori paves the way for using AI in SAP apps

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Accelerate your Kubernetes clusters with Varnish Caching

Thijs Feryn

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

Recently uploaded (20)

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

A tale of scale & speed: How the US Navy is enabling software delivery from l...

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Essentials of Automations: Optimizing FME Workflows with Parameters

The Future of Platform Engineering

DevOps and Testing slides at DASA Connect

By Design, not by Accident - Agile Venture Bolzano 2024

Securing your Kubernetes cluster_ a step-by-step guide to success !

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Epistemic Interaction - tuning interfaces to provide information for AI support

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Assuring Contact Center Experiences for Your Customers With ThousandEyes

Accelerate your Kubernetes clusters with Varnish Caching

How world-class product teams are winning in the AI era by CEO and Founder, P...

GraphRAG is All You need? LLM & Knowledge Graph

There is no security (and it feels just fine)

1. There is no security (and it feels just fine) Jonathan Care @arashiyama http://uk.linkedin.com/in/computercrime/

2. @arashiyama No Security: wtf?

3. @arashiyama kill off misconceptions

4. @arashiyama get past the sales talk

5. @arashiyama expose the cyber

6. We really do care about security and @arashiyama privacy…

7. @arashiyama

8. @arashiyama Meanwhile …

9. @arashiyama

10. What do IT guys actually care about? @arashiyama

11. @arashiyama Credit: 451 Research

12. three faces of information security @arashiyama

13. @arashiyama compliance

14. @arashiyama business enablement

15. @arashiyama real infosec

16. @arashiyama Security fail #1 : PCI DSS

17. Most breaches web-commerce based @arashiyama

18. Although compromised PEDs are fun @arashiyama too 

19. Security fail #2 : ICS/SCADA @arashiyama

20. Note: I will not visit you in prison if you get into trouble trying out this stuff. Also, SCADA systems control things that are IMPORTANT and should not be fscked with lightly @arashiyama

21. @arashiyama http://bit.ly/lyMi35 Siemens, SIMATIC HMI, XP277, 6AV6 643-0CD01-1AX0, HW: 0, SW: V 1 1 2

22. @arashiyama http://bit.ly/jTlKsL (What temperature would you like your HVAC today?)

23. @arashiyama Wide open webcams?

24. @arashiyama Oh yeah.

25. Security fail #3 : Consumers @arashiyama

26. @arashiyama ecommerce

27. @arashiyama SaaS

28. @arashiyama (we are all consumers)

29. Security fail #4 – Software (!) @arashiyama

30. @arashiyama Heartbleed

31. @arashiyama ShellShock

32. @arashiyama

33. @arashiyama

34. So, how’s YOUR software dev doing? @arashiyama

35. @arashiyama

36. @arashiyama Conclusions:

37. @arashiyama 1.All software has bugs.

38. 2. Bugs will be discovered @arashiyama

39. 3. Some bugs will have a security @arashiyama impact

40. 4. Product owners continue to value @arashiyama functionality over security

41. 5. Investors place little value on @arashiyama security and privacy

42. 6. End users trust vendors @arashiyama

43. @arashiyama What can we do?

44. @arashiyama PROTECT RESPOND DETECT

45. SANS Top 20 Critical Controls @arashiyama

46. Policy, processes & guidelines InfoSec checkpoints in project lifecycle Threat Model Risk Appetite / Risk Tolerance @arashiyama Secure Software Environment Operational Security Controls Continuous Vulnerability Scan – Fix Penetration Testing / Red teaming Malware IDS / IPS Firewalls Centralised Logging (SIEM) Threat Intelligence PROTECT RESPOND DETECT Incident Response (Threat Model) Incident Response (“Bluebird”) Exec-level(press, clients) “Forensic Readiness” Update PROTECT model

47. Secure Software Environment - BSIMM @arashiyama

48. Secure Software Environment @arashiyama Governance Intelligence SSDL Touchpoints Deployment Strategy and Metrics Compliance and Policy Training Attack Models Security Features and Design Standards and Requirements Architecture Analysis Code Review Security Testing Penetration Testing Software Environment Configuration Mgmt / Vulnerability Mgmt

49. @arashiyama

Editor's Notes

There is a part of me that wonders why I am talking to hackers and pentesters (and possibly a couple of you are corporate types with your suits off) about this. Our industry is full of snake oil, from sales guys desperate to make their number, to consultants on a mission for fame and glory, and a boatload of products that frankly, don’t actually work. I want to give you guys a view from the other side of the mirror, so that if you encounter this stuff in your day jobs, you’ll be forearmed.
People (sort of) care about it Lots of misconceptions Those of us in day jobs need to know about this stuff (if only in order to kill off misconceptions, sales talk, and outright lies)
Expose the outright lies … oops
A friend of mine David Lacey coined the phrase “three faces” which goes as follows
Where most of the action lies Dominates the work of your internal security team Justifies the budget, produces large documentation trees, makes audit happy Based on ancient practices (not current threats)
The board love it (“This guy understands the business!”) Enhance reputation, gain sales, innovate new products, new ways of working Sounds great, but its wishful thinking Rarely passes an investment appraisal board Even if it does, first year results do not justify further investment
Expensive, difficult and disruptive * Manage current risks and threats, not last years audit actions Tackle advanced persistent threats (PEOPLE) * Speak up (those SCADA systems are still insecure) Take critical intellectual assets off the network * Tell project managers to go back to the drawing board Be prepared to be unpopular, and potentially unemployable
DISCLAIMER: …. Or for that matter CONNECTED TO THE INTERNET
Why on earth would you put an SNMP interface on the internet for a SCADA system? Why would you leave it with a default read string?
If you remember the Dilbert voice controlled shower, having an environmental system open to the internet seems to invite a similar level of chaos. Nice toasty machine room, chilly office space… a complete recipe for chaos

There is no security (and it feels just fine)

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (13)

Similar to There is no security (and it feels just fine)

Similar to There is no security (and it feels just fine) (20)

Recently uploaded

Recently uploaded (20)

There is no security (and it feels just fine)

Editor's Notes