SlideShare uma empresa Scribd logo

LISA18 - How to be your Security Team's Best Friend

E
EmilyGladstoneCole

Presented at the USENIX LISA conference in Nashville, TN, On October 29, 2018 - an updated version of the presentation from DevOpsDays Silicon Valley 2018

Tecnologia
1 de 42
Baixar para ler offline
Emily Gladstone Cole @unixgeekem How to be your Security Team’s Best Friend
Emily Gladstone Cole @unixgeekem Why listen to me talk about Ops and Security? PAST CURRENT CONTACT 2 " UNIX SysAdmin/Operations background " Transitioned to Security Incident Response/Security Research " Senior Security Engineer at " Mentor for SANS’ Women’s CyberTalent Immersion Academy " Twitter: @unixgeekem
Emily Gladstone Cole @unixgeekem Talk Agenda 1. Introduction 2. CIS Critical Security Controls 3. More Security Thoughts Standard Disclaimer: The opinions expressed in this talk are my own and do not represent the views of my employer. Non-Standard Disclaimer: I hope you like cat photos. 3
Emily Gladstone Cole @unixgeekem 4
Emily Gladstone Cole @unixgeekem 5 Not Rocket Science
Emily Gladstone Cole @unixgeekem The CIS Critical Security Controls " Industry consensus guidelines " Your security/compliance officer likes these " 3 types: Basic, Foundational, and Organizational1 6 1. #TeamOxfordComma Emily Gladstone Cole @unixgeekem
Emily Gladstone Cole @unixgeekem 7 Hardware Inventory #1: Hardware / Asset Inventory
Emily Gladstone Cole @unixgeekem CSC 1: Inventory and Control of Hardware Assets Questions you need to answer about your hardware/instances/containers: " Network Access Control - how do you know what’s on your network? " Automation - how do you keep your assets in a known state? " Asset Management - how do you keep track of assets? ○ No, saying “a spreadsheet” or “a database” doesn’t count 8
Emily Gladstone Cole @unixgeekem 9 Software Inventory #2: Software Inventory
Emily Gladstone Cole @unixgeekem CSC 2: Inventory and Control of Software Assets Questions you need to answer about your software: " What software is running/installed in your infrastructure? " Who installed the software? " What does the software do? 10
Emily Gladstone Cole @unixgeekem Track Expiration Dates Too " Software Licenses " Domains " SSL Certificates Don’t be this site 11
Emily Gladstone Cole @unixgeekem Vulnerability Management 12 #3: Continuous Vulnerability Management
Emily Gladstone Cole @unixgeekem CSC 3: Continuous Vulnerability Management: Scanning " Logos create buzz! " Scan early, scan often " Authenticated and non-authenticated " Scan from inside and outside your perimeter2 13 2. If you have a perimeter
Emily Gladstone Cole @unixgeekem 14 A digression: Threat + Vulnerability = Risk
Emily Gladstone Cole @unixgeekem CSC 3: Continuous Vulnerability Management: Patching " Understand your risks, and remediate the serious vulnerabilities. ○ Highest risk first is the best practice ● Use your automation to ensure updates are applied everywhere. ○ Though maybe you test first before you upgrade Python/Ruby in your Production environment... 15
Emily Gladstone Cole @unixgeekem 16 #4: Control Admin Privileges
Emily Gladstone Cole @unixgeekem CSC 4: Controlled Use of Admin Privileges " Separate out admin accounts from user accounts if you can. " Use groups or roles. " Consider functional names for your groups. ○ “sec-logging-read-only” is more informative than “logging” 17
Emily Gladstone Cole @unixgeekem Least Privilege, Passwords, and Passphrases Any resemblance to actual companies, existing or defunct, or actual events, is purely coincidental. What if there was a company that didn’t set a root password for their databases… What if there was a company that didn’t change default credentials to the admin interface of their website… What if there was a company that let everyone ssh in as root… 18
Emily Gladstone Cole @unixgeekem 19 #5: Secure Default Configs
Emily Gladstone Cole @unixgeekem CSC 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers " Base your secure configs on a security standard. " Don’t install software you don’t need to run your systems! " Use Automation/Configuration Management tools to enforce security. " Regularly evaluate the security of your Gold Images. " Transition from policies to automation as your company grows. 20
Emily Gladstone Cole @unixgeekem 21 #6: Log All the Things, and Review the Logs
Emily Gladstone Cole @unixgeekem CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs " Log all the things. ○ Systems, security devices, applications, access points " Collect all your logs somewhere and review them. ○ Review: not all done by hand! " Outbound traffic is always interesting. 22
Emily Gladstone Cole @unixgeekem Plus 14 More " Email and Web Browser Protections " Malware Defenses " Limitation and Control of Network Ports, Protocols, and Services " Data Recovery Capabilities " Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches " Boundary Defense " Data Protection 23 " Controlled Access Based on the Need to Know " Wireless Access Control " Account Monitoring and Control " Implement a Security Awareness and Training Program " Application Software Security " Incident Response and Management " Penetration Tests and Red Team Exercises
Emily Gladstone Cole @unixgeekem Data Protection: it’s been in the news a lot lately 24
Emily Gladstone Cole @unixgeekem Think before you check into GitHub So many interesting things can be found in publicly-available GitHub repositories: " Hardcoded passwords " AWS Keys " SSH Keys " PGP Private Keys " Internal hostnames 25
Emily Gladstone Cole @unixgeekem Think AFTER you check into GitHub So you’ve checked in some sensitive information? " If you commit over it, it’s still in your commit history. " Remove that commit. " Rotate those credentials. " Use TruffleHog to search for any remaining sensitive data in your old commits. 26
Emily Gladstone Cole @unixgeekem Remember those S3 Buckets " AWS now sets S3 Buckets to be private by default. " Amazon Macie monitors S3 to find insecure buckets. " AWS Trusted Advisor will tell you about insecure buckets. " Pro Tip: the “Authenticated Users” group means anyone who has logged in to any AWS account, not just yours! 27
Emily Gladstone Cole @unixgeekem But Wait, There’s More 28 Emily Gladstone Cole @unixgeekem
Emily Gladstone Cole @unixgeekem Security Mindset What would a malicious user do? How can someone manipulate this URL? Can someone submit a modified form? What do my error messages tell an attacker about my infrastructure? 29
Emily Gladstone Cole @unixgeekem Security and Technical Debt Like logging, security is harder to do well when you’re adding it on after the fact. “I’ll set up security later” - will management let you fix that later if they don’t agree it’s important to work on security now? 30
Emily Gladstone Cole @unixgeekem 31 Please address your technical debt. Your security team can help prioritize it if you like.
Emily Gladstone Cole @unixgeekem Security technical debt is not friendly credit card debt. Security technical debt is the kind where the debt collector mails you a piece of someone precious to you as a reminder when a payment is overdue. --unixorn on Hangops 32
Emily Gladstone Cole @unixgeekem Some other good Security Practices " Use secure coding principles (OWASP can help define these). ○ Remember to sanitize those inputs (aka Data Validation) " Build security tests into your CI/CD pipeline. " External reviewers can find things you miss. " Diverse teammates bring different perspectives and make your products and company stronger. Listen to them. 33
Emily Gladstone Cole @unixgeekem Summing Up " Keeping an inventory helps for security, operations, and lifecycle management. " Perfect security can be hard. The basics aren’t. " Don’t blame users for security issues. Write/buy better tools for them instead. 34
Emily Gladstone Cole @unixgeekem TL;DR - Ops probably already is your security team’s best friend. You’re already doing most of the things I discussed, right? If not, please consider doing them. Your security team will thank you. 35
Emily Gladstone Cole @unixgeekem Thank you 36 Emily Gladstone Cole @unixgeekem
Emily Gladstone Cole @unixgeekem References " CIS Critical Security Controls: https://www.cisecurity.org/controls/ " NIST 800-53 Framework: https://nvd.nist.gov/800-53 " https://blog.rapid7.com/2017/04/19/the-cis-critical-security-controls-series/ " Rob Joyce at Enigma 2016: https://www.youtube.com/watch?v=bDJb8WOJYdA " Dylan Ayrey at BSides SF 2018: https://www.youtube.com/watch?v=TV2hHeKj4-4 " truffleHog finds secrets in GitHub repos: https://github.com/dxa4481/truffleHog " Security Training: https://www.sans.org/ " OWASP Developer Guide: https://www.owasp.org/index.php/OWASP_Guide_Project " Tech Debt from @ismonkeyuser: https://www.monkeyuser.com/2018/tech-debt/ " Cat images from pexels.com 37
Emily Gladstone Cole @unixgeekem Got Questions? " @unixgeekem on Twitter " @unixgeekem on Hangops 38
Emily Gladstone Cole @unixgeekem 39
Emily Gladstone Cole @unixgeekem 40
Emily Gladstone Cole @unixgeekem 41
Emily Gladstone Cole @unixgeekem 42

Recomendados

GDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringGDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringAaron Rinehart
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019Aaron Rinehart
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingAaron Rinehart
 
Pivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringPivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringAaron Rinehart
 
Red team, Blue Team or White Cell
Red team, Blue Team or White CellRed team, Blue Team or White Cell
Red team, Blue Team or White CellFrank Breedijk
 
Jerod Brennen - What You Need to Know About OSINT
Jerod Brennen - What You Need to Know About OSINTJerod Brennen - What You Need to Know About OSINT
Jerod Brennen - What You Need to Know About OSINTcentralohioissa
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native securityKennedy
 

Recomendados

GDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringGDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringAaron Rinehart
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019Aaron Rinehart
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingAaron Rinehart
 
Pivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringPivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringAaron Rinehart
 
Red team, Blue Team or White Cell
Red team, Blue Team or White CellRed team, Blue Team or White Cell
Red team, Blue Team or White CellFrank Breedijk
 
Jerod Brennen - What You Need to Know About OSINT
Jerod Brennen - What You Need to Know About OSINTJerod Brennen - What You Need to Know About OSINT
Jerod Brennen - What You Need to Know About OSINTcentralohioissa
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native securityKennedy
 
OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringAaron Rinehart
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Dinis Cruz
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering Aaron Rinehart
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringAaron Rinehart
 
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultosObtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultosElasticsearch
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Aaron Rinehart
 
dotSecurity2017
dotSecurity2017dotSecurity2017
dotSecurity2017Zane Lackey
 
More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...Daniel Kanchev
 
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...Clare Nelson, CISSP, CIPP-E
 
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019Cameron Townshend
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldJames Wickett
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressMaurice De Beijer [MVP]
 
Dev Secops Software Supply Chain
Dev Secops Software Supply ChainDev Secops Software Supply Chain
Dev Secops Software Supply ChainCameron Townshend
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon
 
Nick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityNick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityDevSecCon
 
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonZero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonSSIMeetup
 
Zero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationZero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationClare Nelson, CISSP, CIPP-E
 
Chaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionChaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionKeet Sugathadasa
 
How to be your Security Team's Best Friend
How to be your Security Team's Best FriendHow to be your Security Team's Best Friend
How to be your Security Team's Best FriendEmilyGladstoneCole
 
Security and DevOps are Really Best Friends
Security and DevOps are Really Best FriendsSecurity and DevOps are Really Best Friends
Security and DevOps are Really Best FriendsEmilyGladstoneCole
 

Mais conteúdo relacionado

Mais procurados

OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringAaron Rinehart
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Dinis Cruz
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering Aaron Rinehart
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringAaron Rinehart
 
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultosObtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultosElasticsearch
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Aaron Rinehart
 
More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...Daniel Kanchev
 
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...Clare Nelson, CISSP, CIPP-E
 
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019Cameron Townshend
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldJames Wickett
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressMaurice De Beijer [MVP]
 
Dev Secops Software Supply Chain
Dev Secops Software Supply ChainDev Secops Software Supply Chain
Dev Secops Software Supply ChainCameron Townshend
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon
 
Nick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityNick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityDevSecCon
 
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonZero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonSSIMeetup
 
Zero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationZero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationClare Nelson, CISSP, CIPP-E
 
Chaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionChaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionKeet Sugathadasa
 

Mais procurados (20)

OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos Engineering
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
 
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultosObtén visibilidad completa y encuentra problemas de seguridad ocultos
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
 
dotSecurity2017
dotSecurity2017dotSecurity2017
dotSecurity2017
 
More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...More Aim, Less Blame: How to use postmortems to turn failures into something ...
More Aim, Less Blame: How to use postmortems to turn failures into something ...
 
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
 
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019
Security Software Supply Chains - Sonatype - DevSecCon Singapore March 2019
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real World
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using Cypress
 
Dev Secops Software Supply Chain
Dev Secops Software Supply ChainDev Secops Software Supply Chain
Dev Secops Software Supply Chain
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
 
Nick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityNick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs security
 
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare NelsonZero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson
 
Zero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationZero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and Authentication
 
Chaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionChaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in Production
 

Semelhante a LISA18 - How to be your Security Team's Best Friend

How to be your Security Team's Best Friend
How to be your Security Team's Best FriendHow to be your Security Team's Best Friend
How to be your Security Team's Best FriendEmilyGladstoneCole
 
Security and DevOps are Really Best Friends
Security and DevOps are Really Best FriendsSecurity and DevOps are Really Best Friends
Security and DevOps are Really Best FriendsEmilyGladstoneCole
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
My AWS Access Key Nightmares... and Solutions
My AWS Access Key Nightmares... and SolutionsMy AWS Access Key Nightmares... and Solutions
My AWS Access Key Nightmares... and SolutionsEmilyGladstoneCole
 
Open stack security emea launch
Open stack security emea launchOpen stack security emea launch
Open stack security emea launchJoshua McKenty
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Processphanleson
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
ICT and end user security awareness slides
ICT and end user security awareness slidesICT and end user security awareness slides
ICT and end user security awareness slidesjubke
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 
Technically Compliant: the best kind of compliant
Technically Compliant: the best kind of compliantTechnically Compliant: the best kind of compliant
Technically Compliant: the best kind of compliantEmilyGladstoneCole
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Hands-On Security - ES Guided Tour
Hands-On Security - ES Guided TourHands-On Security - ES Guided Tour
Hands-On Security - ES Guided TourSplunk
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021Alan Richardson
 

Semelhante a LISA18 - How to be your Security Team's Best Friend (20)

How to be your Security Team's Best Friend
How to be your Security Team's Best FriendHow to be your Security Team's Best Friend
How to be your Security Team's Best Friend
 
Security and DevOps are Really Best Friends
Security and DevOps are Really Best FriendsSecurity and DevOps are Really Best Friends
Security and DevOps are Really Best Friends
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
My AWS Access Key Nightmares... and Solutions
My AWS Access Key Nightmares... and SolutionsMy AWS Access Key Nightmares... and Solutions
My AWS Access Key Nightmares... and Solutions
 
Open stack security emea launch
Open stack security emea launchOpen stack security emea launch
Open stack security emea launch
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
ICT and end user security awareness slides
ICT and end user security awareness slidesICT and end user security awareness slides
ICT and end user security awareness slides
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 
Technically Compliant: the best kind of compliant
Technically Compliant: the best kind of compliantTechnically Compliant: the best kind of compliant
Technically Compliant: the best kind of compliant
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Hands-On Security - ES Guided Tour
Hands-On Security - ES Guided TourHands-On Security - ES Guided Tour
Hands-On Security - ES Guided Tour
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021
 

Último

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 

Último (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

LISA18 - How to be your Security Team's Best Friend

  • 1. Emily Gladstone Cole @unixgeekem How to be your Security Team’s Best Friend
  • 2. Emily Gladstone Cole @unixgeekem Why listen to me talk about Ops and Security? PAST CURRENT CONTACT 2 " UNIX SysAdmin/Operations background " Transitioned to Security Incident Response/Security Research " Senior Security Engineer at " Mentor for SANS’ Women’s CyberTalent Immersion Academy " Twitter: @unixgeekem
  • 3. Emily Gladstone Cole @unixgeekem Talk Agenda 1. Introduction 2. CIS Critical Security Controls 3. More Security Thoughts Standard Disclaimer: The opinions expressed in this talk are my own and do not represent the views of my employer. Non-Standard Disclaimer: I hope you like cat photos. 3
  • 4. Emily Gladstone Cole @unixgeekem 4
  • 5. Emily Gladstone Cole @unixgeekem 5 Not Rocket Science
  • 6. Emily Gladstone Cole @unixgeekem The CIS Critical Security Controls " Industry consensus guidelines " Your security/compliance officer likes these " 3 types: Basic, Foundational, and Organizational1 6 1. #TeamOxfordComma Emily Gladstone Cole @unixgeekem
  • 7. Emily Gladstone Cole @unixgeekem 7 Hardware Inventory #1: Hardware / Asset Inventory
  • 8. Emily Gladstone Cole @unixgeekem CSC 1: Inventory and Control of Hardware Assets Questions you need to answer about your hardware/instances/containers: " Network Access Control - how do you know what’s on your network? " Automation - how do you keep your assets in a known state? " Asset Management - how do you keep track of assets? ○ No, saying “a spreadsheet” or “a database” doesn’t count 8
  • 9. Emily Gladstone Cole @unixgeekem 9 Software Inventory #2: Software Inventory
  • 10. Emily Gladstone Cole @unixgeekem CSC 2: Inventory and Control of Software Assets Questions you need to answer about your software: " What software is running/installed in your infrastructure? " Who installed the software? " What does the software do? 10
  • 11. Emily Gladstone Cole @unixgeekem Track Expiration Dates Too " Software Licenses " Domains " SSL Certificates Don’t be this site 11
  • 12. Emily Gladstone Cole @unixgeekem Vulnerability Management 12 #3: Continuous Vulnerability Management
  • 13. Emily Gladstone Cole @unixgeekem CSC 3: Continuous Vulnerability Management: Scanning " Logos create buzz! " Scan early, scan often " Authenticated and non-authenticated " Scan from inside and outside your perimeter2 13 2. If you have a perimeter
  • 14. Emily Gladstone Cole @unixgeekem 14 A digression: Threat + Vulnerability = Risk
  • 15. Emily Gladstone Cole @unixgeekem CSC 3: Continuous Vulnerability Management: Patching " Understand your risks, and remediate the serious vulnerabilities. ○ Highest risk first is the best practice ● Use your automation to ensure updates are applied everywhere. ○ Though maybe you test first before you upgrade Python/Ruby in your Production environment... 15
  • 16. Emily Gladstone Cole @unixgeekem 16 #4: Control Admin Privileges
  • 17. Emily Gladstone Cole @unixgeekem CSC 4: Controlled Use of Admin Privileges " Separate out admin accounts from user accounts if you can. " Use groups or roles. " Consider functional names for your groups. ○ “sec-logging-read-only” is more informative than “logging” 17
  • 18. Emily Gladstone Cole @unixgeekem Least Privilege, Passwords, and Passphrases Any resemblance to actual companies, existing or defunct, or actual events, is purely coincidental. What if there was a company that didn’t set a root password for their databases… What if there was a company that didn’t change default credentials to the admin interface of their website… What if there was a company that let everyone ssh in as root… 18
  • 19. Emily Gladstone Cole @unixgeekem 19 #5: Secure Default Configs
  • 20. Emily Gladstone Cole @unixgeekem CSC 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers " Base your secure configs on a security standard. " Don’t install software you don’t need to run your systems! " Use Automation/Configuration Management tools to enforce security. " Regularly evaluate the security of your Gold Images. " Transition from policies to automation as your company grows. 20
  • 21. Emily Gladstone Cole @unixgeekem 21 #6: Log All the Things, and Review the Logs
  • 22. Emily Gladstone Cole @unixgeekem CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs " Log all the things. ○ Systems, security devices, applications, access points " Collect all your logs somewhere and review them. ○ Review: not all done by hand! " Outbound traffic is always interesting. 22
  • 23. Emily Gladstone Cole @unixgeekem Plus 14 More " Email and Web Browser Protections " Malware Defenses " Limitation and Control of Network Ports, Protocols, and Services " Data Recovery Capabilities " Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches " Boundary Defense " Data Protection 23 " Controlled Access Based on the Need to Know " Wireless Access Control " Account Monitoring and Control " Implement a Security Awareness and Training Program " Application Software Security " Incident Response and Management " Penetration Tests and Red Team Exercises
  • 24. Emily Gladstone Cole @unixgeekem Data Protection: it’s been in the news a lot lately 24
  • 25. Emily Gladstone Cole @unixgeekem Think before you check into GitHub So many interesting things can be found in publicly-available GitHub repositories: " Hardcoded passwords " AWS Keys " SSH Keys " PGP Private Keys " Internal hostnames 25
  • 26. Emily Gladstone Cole @unixgeekem Think AFTER you check into GitHub So you’ve checked in some sensitive information? " If you commit over it, it’s still in your commit history. " Remove that commit. " Rotate those credentials. " Use TruffleHog to search for any remaining sensitive data in your old commits. 26
  • 27. Emily Gladstone Cole @unixgeekem Remember those S3 Buckets " AWS now sets S3 Buckets to be private by default. " Amazon Macie monitors S3 to find insecure buckets. " AWS Trusted Advisor will tell you about insecure buckets. " Pro Tip: the “Authenticated Users” group means anyone who has logged in to any AWS account, not just yours! 27
  • 28. Emily Gladstone Cole @unixgeekem But Wait, There’s More 28 Emily Gladstone Cole @unixgeekem
  • 29. Emily Gladstone Cole @unixgeekem Security Mindset What would a malicious user do? How can someone manipulate this URL? Can someone submit a modified form? What do my error messages tell an attacker about my infrastructure? 29
  • 30. Emily Gladstone Cole @unixgeekem Security and Technical Debt Like logging, security is harder to do well when you’re adding it on after the fact. “I’ll set up security later” - will management let you fix that later if they don’t agree it’s important to work on security now? 30
  • 31. Emily Gladstone Cole @unixgeekem 31 Please address your technical debt. Your security team can help prioritize it if you like.
  • 32. Emily Gladstone Cole @unixgeekem Security technical debt is not friendly credit card debt. Security technical debt is the kind where the debt collector mails you a piece of someone precious to you as a reminder when a payment is overdue. --unixorn on Hangops 32
  • 33. Emily Gladstone Cole @unixgeekem Some other good Security Practices " Use secure coding principles (OWASP can help define these). ○ Remember to sanitize those inputs (aka Data Validation) " Build security tests into your CI/CD pipeline. " External reviewers can find things you miss. " Diverse teammates bring different perspectives and make your products and company stronger. Listen to them. 33
  • 34. Emily Gladstone Cole @unixgeekem Summing Up " Keeping an inventory helps for security, operations, and lifecycle management. " Perfect security can be hard. The basics aren’t. " Don’t blame users for security issues. Write/buy better tools for them instead. 34
  • 35. Emily Gladstone Cole @unixgeekem TL;DR - Ops probably already is your security team’s best friend. You’re already doing most of the things I discussed, right? If not, please consider doing them. Your security team will thank you. 35
  • 36. Emily Gladstone Cole @unixgeekem Thank you 36 Emily Gladstone Cole @unixgeekem
  • 37. Emily Gladstone Cole @unixgeekem References " CIS Critical Security Controls: https://www.cisecurity.org/controls/ " NIST 800-53 Framework: https://nvd.nist.gov/800-53 " https://blog.rapid7.com/2017/04/19/the-cis-critical-security-controls-series/ " Rob Joyce at Enigma 2016: https://www.youtube.com/watch?v=bDJb8WOJYdA " Dylan Ayrey at BSides SF 2018: https://www.youtube.com/watch?v=TV2hHeKj4-4 " truffleHog finds secrets in GitHub repos: https://github.com/dxa4481/truffleHog " Security Training: https://www.sans.org/ " OWASP Developer Guide: https://www.owasp.org/index.php/OWASP_Guide_Project " Tech Debt from @ismonkeyuser: https://www.monkeyuser.com/2018/tech-debt/ " Cat images from pexels.com 37
  • 38. Emily Gladstone Cole @unixgeekem Got Questions? " @unixgeekem on Twitter " @unixgeekem on Hangops 38
  • 39. Emily Gladstone Cole @unixgeekem 39
  • 40. Emily Gladstone Cole @unixgeekem 40
  • 41. Emily Gladstone Cole @unixgeekem 41
  • 42. Emily Gladstone Cole @unixgeekem 42