Who Am I?
• (Former) CTO/CSO of noise!
• 20 years in IT and software
• Security Incident Response Team
• MacIT presenter in 2012!
• Survivor of more corporate
security audits than I care to
• @snipeyhead on Twitter
What is Security?!
Let’s start with what security is not.
• Security isn’t a thing you add on at the
end or a project.!
• Security isn’t “But… I have a ﬁrewall!”!
• Security isn’t a thing you’re ever “done”
What Security Isn’t!
• Security is not the same as compliance.You
can be compliant and not be secure. (Just
• Security is not one person in your
• Security is not an outsourced consultant
or consulting agency.
What Security Isn’t!
• Security is an ongoing group effort. !
• Security is where you start, not where you
• Security is understanding and protecting your
valuable assets, information and people. !
• Security is multi-layered (defense-in-depth)
What Security Is!
What is Risk?!
Let’s start with what risk is not.
• Risk management isn’t something that has to
• Risk management doesn’t have to be boring.!
• Managing risk isn’t one person’s job.!
• Risk isn’t just “hackers”
What Risk !
• Risk tolerance is not singular.What
qualiﬁed as acceptable risk to your
company will not be the same as
acceptable risk to another company.
What Risk !
• Risk management is a tool that helps you make
intelligent, informed decisions.!
• Risk management is your entire team’s
• Risk is absolutely unavoidable. Being informed
will help you make the best choices for your
What Risk Management Is!
Security CIA Triad!
Conﬁdentiality, Integrity & Availability
• Conﬁdentiality is a set of rules that limits access to information.!
• Integrity is the assurance that the information is trustworthy and
• Availability is a guarantee of ready access to the information by
Making sure the right people can access sensitive data
and the wrong people cannot.
• Passwords. (boo!)!
• Data encryption (at rest and in
• Two-factor authentication/
• Group/user access permissions!
• IP Whitelisting!
• SSH keys
Conﬁdentiality Risk Examples!
• Lack of control over content
your employees put on third-
party servers. (Basecamp, etc.)!
• Lack of control over password
requirements for third-party
• Shared passwords!
• Exploitable scripts uploaded to
• Lost/stolen smartphones, tablets
• Inadequate exit process
Do you remain in control of your resources?
1) A software program can be duplicated without the
manufacturer's permission; they are not in control of that software
anymore. *cough* Adobe source code *cough*!
2)You know your password, but who and what else has possession
of it, too?
Maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle.!
Ensures that information is not modiﬁed or altered
intentionally or by accident.
Integrity Risk Examples!
• Data loss due to hardware
failure (server crash!)!
• Software bug that
• Data alteration via authorized
persons (human error)!
• Data alteration via unauthorized
• No backups or no way to verify
the integrity of the backups you
• Third-party vendor with
How can you be sure that the person you’re talking
to is who he or she claims to be?
All systems and information resources must be "up
and running" as per the needs of the organization.
! ! An employee who had encrypted data leaves the company. !
! You still have possession of the data, but you do not have the
key to decrypt the contents, so you do not have the use or
utility of it.!
• How bad will it be if this component fails?!
• What other components will this affect if it fails?!
• How likely is it that it will fail?!
• What are the ways it could fail?!
• What can we do in advance to prevent/reduce chances or impact of failure?
• How can we consistently test that this component is healthy?!
• How will we know if it has failed?!
• How can we structure this component to be monitor-able through an external
system? (A status JSON/XML script generated, HTTP status codes, etc -
anything you can attach a status monitor to.)!
• How can we structure this component to fail more gracefully? (Firing an alert
and redirecting instead of 500 error, for example)
Risk Matrix Components
• Dataﬂow diagram ID!
• Triggering Action!
• Consequence of Service Failure!
• Risk of Failure!
• User Impact!
• Method used for monitoring this risk!
• Efforts to Mitigate in Case of Failure!
• Contact info
• Start every project risk-ﬁrst.!
• Build a clear inventory of surface areas and their value. Get stakeholders
• Start using a risk matrix for every major project or product!
• Trust your gut. If something doesn’t look right, it probably isn’t.
• Keep your systems as simple as possible. Document them.!
• Don't abstract code/systems if you don’t have to. Premature optimization
is the devil. Build light and refactor as needed.!
• Get to know your user's behavior. Use things like Google Analytics and
heatmapping to understand what users do on your site. Be suspicious if
it changes for no apparent reason.
• Increased transparency reduces risk across departments. Consider
• Automate EVERYTHING - Casper, DeployStudio, Boxen, etc. (Chef,
Vagrant,Ansible, Salt or Fabric for server management.)!
• If you develop software, automate your deployment and conﬁguration
management. Chatops FTW! !
• Log (almost!) EVERYTHING. Know where your logs are. Use a central
logging server if at all possible.
• Always employ the principles of “least privilege.”!
• Rely on role-based groups for OD/AD, email accounts, etc.!
• Consider who has access to your social media accounts. Use an SMMS
to manage access instead of giving out passwords.!
• Consider who has access to third-party services where billing
information is available via account management settings.
• Be proactive in educating your company’s staff about security. Measure
• Teach your users about password security, social engineering!
• Set your users up with a good password manager like LastPass or
• Always be aware of single points of failure. (“Bus factor”, Maginot Line)
• Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)!
• Create a Business Continuity Plan.!
• Create an Incident Response Plan.Test it.!
• Create a Disaster Recovery Plan.TEST IT. (Seriously.)
• Give preference to vendors that integrate with your AD/OD.!
• Create a vendor management policy. Insist (and document) that your
vendors comply with your requirements, or ﬁnd a new vendor. !
• Make sure you understand what happens when third-party services fail
or behave unexpectedly.