Ultimate Hack! Layers 8 & 9 of the OSI Model

Ultimate Hack
Manipulating Layers 8 & 9 [Management & Budget] of the OSI Model

Rafal M. Los ...aka „Wh1t3Rabbit“
AtlSecCon – March 201 1

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Hi …I’m the Wh1t3 Rabbit
Twitter: “Wh1t3Rabbit”
Blog: http://hp.com/go/white-rabbit

Practical Experience?
•IT since 1995
•InfoSec since 1999
•Built & led AppSec Program in Fortune 100
•More years doing then talking


Rules for this talk
(seriously)

CAUTION: The contents in 1. Participate
this talk may make you
uncomfortable as an
2. Share your thoughts
information security 3. If you share, be honest with your
professional. answers
4. There is an assignment at the end…


A riddle:
What does an Information Security
team DO?


Does senior
management respect
and support
Information Security‟s
vision & efforts?

…or just deal
contained herein is subject to change without notice. Confidentiality label goes here with you?

Our Goal as InfoSec Professionals
(what we tell ourselves)

•“secure the business”
•“reduce risk”
•“deploy security measures”
•“protect the company”
•“keep threats out”

6 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information

Our Goal as InfoSec Professionals
When management hears this…

•“secure the business”  from what?
•“reduce risk”  of what?
•“deploy security measures”  why?
•“protect the company”  from what?
•“keep threats out”  of where? (and why?)


Layers 8 & 9
“the secret layers”

Management Budget

necessary for… necessary for…

•Organizational buy-in •Required for staff, gear
•Push change from the top •Persuasion
•Create shift in policy & culture •Education
•Credibility •Seed effort


So … you NEED
Management &
Budget
…but how do
you manipulate
them to your
ends?

Getting what you want at
Layers 8 & 9
My 7 Secrets to Success


Align to the Business
What does your business do?

Objective Situation
Understand completely Many IT Security Pros do not know business drivers
and comprehensively • Align to your business or organizational goals
what your organization – Compliance with government regulations may be a goal
– Expanding into new markets may be a goal
does, how it makes
– Developing a new prototype may be a goal
money, and how it
• Drive security like it was a „business‟
evolves.
– Understand cause:effect of security policy & vision
– Don‟t spend $10M to protect $100k


Walk a mile...
Go work as a business analyst

Objective Situation
If you want to Understand the situations you are working against
understand why business • Security must truly understand the motivations that
analysts do drive business decisions and employees
strange/insecure things – – Security analysts must work in the business
– Understand „how it works‟ and what drives non-IT Security
go be one of them for a
– “Feel their pain”
while.
• I promise you will have a different outlook
– Understand the business, protect its assets rationally


Carrot & Stick
Rewards balance consequences

Objective Situation
Neither rewards, or You can lead a horse to water, even put him IN water…
consequences alone will • Do better than “because security says so”
reach your ends; a sane – People avoid you because they can and will get away with it
– Policy is a weak motivational tool
balance must be found
between push and pull of • Offer incentives to make „secure‟ choices
– Rewards, recognition, positive reinforcement
your security goals.
• Severely punish blatant detractors
– Approve severe punishment (firing?) through HR, enforce it.

*Blog post http://h30501.www3.hp.com/t5/Following-the-
White-Rabbit-A/The-Path-of-Least-Resistance/ba-p/22011

Advisory vs. Operations
Segment your security practice

Objective Situation
Separate our the ‘advise’ Split the organization to optimize efficiencies
from the ‘do’ parts of • Operational tasks move out to small operations team
Information Security to – Managing anti-virus, patches, IDM, firewall rules, etc
– Manage the „doers‟, validate with small nimble team
achieve higher credibility
and better resource • Shift majority of team to advisory capacity
– Much like internal consultants- provide sound advice, let others do
utilization.
– Formulate & dictate policy, push to ops teams to implement
• Great cost efficiencies here, dynamic efficiencies


Risk, Compliance, Legal
Meet your new best friends

Objective Situation
Align with the 3 most IT Security is not unlike legal, risk and compliance
powerful parts of any • Get to know the practices of these departments
organization; adopt their – Understand their motivations and power capabilities
– Understand their struggles with reaching goals
methods and leverage
o Offer technology-based approaches to their ills
each others capabilities
• Leverage each others strengths to drive key strategy
and expertise.
– What is good for me, is good for „we‟
– Security‟s goals can often be accomplished by legal‟s requirements


Business-driven ’security’
Business must need it

Objective Situation
Allow your business to You CAN NOT force security onto an organization
come to the conclusion • Provide advisory assessments of IT risk to the
that it requires your organization as appropriate
assistance to meet – Define the appropriate format for your industry, market
– Make reports readily available to customers, auditors
business goals and
– Allow constituents to choose from approved remediation options
customer demands.
• Offer a lower-cost, consolidated alternative to
continually failing audit, scrambling to comply


Leverage Accountability
“Just sign here to accept risk”

Objective Situation
Few things are more Accountability in a visible way is fundamental
powerful than the risk of • Provide objective assessment of risk
being held accountable – Research, then file a comprehensive risk profile report
– Discuss the impact, cost, and assessed risk to the organization
for your actions; advise
on risk and allow a • Give leaders the ability to choose
– Accept risk on behalf of the organization
business owner to accept
o Sign off on the risk (literally) and get reported
that risk with a simple – Remediate the risks
signature.

Measure Yourself (KPIs)
How do you know you‟ve succeeded?

Objective Situation
There are no more than 5 Can you measure security‟s true impact?
KPIs you must measure • Most organizations have lots of data & metrics
against; KPIs enable a – Metrics rarely tell a big picture
– Spreadsheets, dashboards are often too complex and technical
non-technical
conversation with • Do your KPIs pass the “so what?” test?
– Does it impact the business?
management &
– Does it impact revenue?
leadership. – Are you improving proportionately to fiscal spend?


The Most Important Answer
If you want to shock your CIO, answer this question

When can we stop
spending money?
When have you achieved a „good enough‟ state of IT risk?
•Who defines and accepts those parameters?
•How does security contribute to „good enough‟?
•Can you tell the CIO when to stop spending?

These are my secrets to succeeding
They‟ve worked for me, they may work for you

Try this at home ...but make sure you are rational.

• There is no silver bullet, we‟re not baking cookies
• Every organization is different, approaches vary
–Some assembly required, batteries not included
–No warranties, no returns


A smart poker player
knows…
•when to hold
•when to fold
•when to walk away
•when to run like hell.


Thank you
Did you learn something?

Rafal Los
Twitter.com/Wh1t3Rabbit
HP.com/go/white-rabbit

Ultimate Hack! Layers 8 & 9 of the OSI Model

Recommended

Recommended

More Related Content

Similar to Ultimate Hack! Layers 8 & 9 of the OSI Model

Similar to Ultimate Hack! Layers 8 & 9 of the OSI Model (20)

More from Rafal Los

More from Rafal Los (20)

Recently uploaded

Recently uploaded (20)

Ultimate Hack! Layers 8 & 9 of the OSI Model