MacIT 2014 - Essential Security & Risk Fundamentals

Essential Security & Risk Fundamentals Alison Gianotto

My presentation from the 2014 MacIT conference.

Transcript of MacIT 2014 - Essential Security & Risk Fundamentals

Page 1: MacIT 2014 - Essential Security & Risk Fundamentals

Essential Security & Risk Fundamentals

Alison Gianotto

Page 2

Who Am I?

• (Former) CTO/CSO of noise
• 20 years in IT and software development
• Security Incident Response Team (SIRT)
• MacIT presenter in 2012
• Survivor of more corporate security audits than I care to remember
• @snipeyhead on Twitter

Page 3

Page 4

What is Security?

Let’s start with what security is not.

Page 5

What Security Isn’t

• Security isn’t a thing you add on at the end of a project.
• Security isn’t “But… I have a firewall!”
• Security isn’t a thing you’re ever “done” with.

Page 6

What Security Isn’t

• Security is not the same as compliance. You can be compliant and not be secure. (Just ask Target.)
• Security is not one person in your organization.
• Security is not an outsourced consultant or consulting agency.

Page 7

What Security Is

• Security is an ongoing group effort.
• Security is where you start, not where you finish.
• Security is understanding and protecting your valuable assets, information and people.
• Security is multi-layered (defense-in-depth).

Page 8

What is Risk?

Let’s start with what risk is not.

Page 9

What Risk Management Isn’t

• Risk management isn’t something that has to hinder innovation.
• Risk management doesn’t have to be boring.
• Managing risk isn’t one person’s job.
• Risk isn’t just “hackers”.

Page 10

What Risk Management Isn’t

• Risk tolerance is not singular. What qualifies as acceptable risk to your company will not be the same as acceptable risk to another company.

Page 11

What Risk Management Is

• Risk management is a tool that helps you make intelligent, informed decisions.
• Risk management is your entire team’s responsibility.
• Risk is absolutely unavoidable. Being informed will help you make the best choices for your organization.

Page 12

Security CIA Triad

Confidentiality, Integrity & Availability

• Confidentiality is the set of rules that limits who may access information.
• Integrity is the assurance that information is trustworthy and accurate.
• Availability is the assurance that authorized people can reach the information when they need it.

Page 13

Confidentiality

Making sure the right people can access sensitive data and the wrong people cannot.

Page 14

Confidentiality Examples

• Passwords. (boo!)
• Data encryption (at rest and in transmission.)
• Two-factor authentication/biometrics. (Yay!)
• Group/user access permissions
• Corporate VPN
• IP whitelisting
• SSH keys

Page 15

Confidentiality Risk Examples

• Lack of control over content your employees put on third-party servers. (Basecamp, etc.)
• Lack of control over password requirements for third-party vendors.
• Shared passwords
• Exploitable scripts uploaded to web servers.
• Lost/stolen smartphones, tablets and laptops
• Inadequate exit process

Page 16

Confidentiality: Control/Possession

Do you remain in control of your resources?

Page 17

Control Examples

1) A software program can be duplicated without the manufacturer's permission; they are not in control of that software anymore. *cough* Adobe source code *cough*
2) You know your password, but who and what else has possession of it, too?

Page 18

Integrity

Maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.

Ensures that information is not modified or altered intentionally or by accident.

Page 19

Integrity Risk Examples

• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
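The bullet about having no way to verify the integrity of your backups is the one most teams discover too late. The following is an added example, not from the presentation: a Python script that records a SHA-256 digest of every file in a backup tree and authenticates the whole list with an HMAC-SHA256 under a key kept off the backup host. Plain hashes catch accidental corruption; the keyed tag also catches an attacker who rewrites the backup together with its manifest. The file names, contents and key in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK = 1 << 16


def file_digest(path: str) -> str:
    """SHA-256 of one file, streamed so large archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_digests(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = file_digest(full)
    return digests


def build_manifest(root: str, key: bytes) -> str:
    """Hash every file and authenticate the list with HMAC-SHA256 under `key`."""
    files = walk_digests(root)
    payload = json.dumps(files, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "hmac": tag})


def verify_backup(root: str, manifest_json: str, key: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, problems). A manifest whose HMAC fails is rejected before anything else."""
    manifest = json.loads(manifest_json)
    payload = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC invalid: manifest forged or key mismatch"]
    actual = walk_digests(root)
    problems = []
    for rel, digest in actual.items():
        if rel not in manifest["files"]:
            problems.append(f"unexpected: {rel}")
        elif digest != manifest["files"][rel]:
            problems.append(f"modified: {rel}")
    for rel in manifest["files"]:
        if rel not in actual:
            problems.append(f"missing: {rel}")
    return not problems, sorted(problems)


def demo() -> dict:
    """Constructed backup tree: clean verify, then tampering, then a forged manifest."""
    key = b"constructed-demo-key-keep-this-off-the-backup-host"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "db", "users.sql"), "wb") as f:
            f.write(b"INSERT INTO users VALUES (1, 'alice');\n")
        with open(os.path.join(root, "config", "app.yml"), "wb") as f:
            f.write(b"debug: false\n")
        manifest = build_manifest(root, key)
        clean_ok, _ = verify_backup(root, manifest, key)

        # Silent alteration of one file and loss of another: both must be reported.
        with open(os.path.join(root, "db", "users.sql"), "ab") as f:
            f.write(b"INSERT INTO users VALUES (2, 'mallory');\n")
        os.remove(os.path.join(root, "config", "app.yml"))
        tampered_ok, tampered_problems = verify_backup(root, manifest, key)

        # Attacker regenerates a matching manifest without the key: rejected outright.
        forged = build_manifest(root, b"attacker-guess")
        forged_ok, forged_problems = verify_backup(root, forged, key)
    return {
        "clean_ok": clean_ok,
        "tampered_ok": tampered_ok,
        "tampered_problems": tampered_problems,
        "forged_ok": forged_ok,
        "forged_problems": forged_problems,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification on the restored copy, not on the source, and store the key somewhere an attacker who owns the backup host cannot read it; otherwise the HMAC adds nothing over a bare hash.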

Page 20

Integrity: Authenticity

How can you be sure that the person you’re talking to is who he or she claims to be?

Page 21

Availability

All systems and information resources must be "up and running" as per the needs of the organization.

Page 22

Availability Risk Examples

• DDoS attacks
• Third-party service failures
• Hardware failures
• Software bugs
• Untested software patches
• Natural disasters
• Man-made disasters

Page 23

Availability: Utility

An employee who had encrypted data leaves the company. You still have possession of the data, but you do not have the key to decrypt the contents, so you do not have the use or utility of it.

Page 24

Getting Risky

• How bad will it be if this component fails?
• What other components will this affect if it fails?
• How likely is it that it will fail?
• What are the ways it could fail?
• What can we do in advance to prevent/reduce chances or impact of failure?

Page 25

Getting Risky

• How can we consistently test that this component is healthy?
• How will we know if it has failed?
• How can we structure this component to be monitor-able through an external system? (A generated JSON/XML status document, HTTP status codes, etc. - anything you can attach a status monitor to.)
• How can we structure this component to fail more gracefully? (Firing an alert and redirecting instead of returning a 500 error, for example.)
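As an added example (not from the presentation), here is what the last two questions look like in Python: a status endpoint that answers 200 or 503 and carries a JSON body naming each component, the monitor-side logic that interprets it (and treats a stale status document as a failure, since a document nobody has regenerated says nothing about the component right now), and a wrapper that alerts and redirects instead of returning a 500. The probes, timestamps and the `/maintenance` URL are constructed for the demo.

```python
import json
import time
from typing import Callable, Dict, List, Optional, Tuple

Check = Callable[[], bool]


def build_status(checks: Dict[str, Check], now: Optional[float] = None) -> Tuple[int, str]:
    """Run each dependency probe and return (http_status, json_body).

    200 means every component passed; 503 means at least one failed. A monitor that
    only understands HTTP status codes still gets the right answer, and one that
    parses the body learns which component failed.
    """
    components = {}
    for name, check in checks.items():
        try:
            components[name] = {"ok": bool(check())}
        except Exception as exc:  # a crashing probe is a failed probe, not a monitor outage
            components[name] = {"ok": False, "error": type(exc).__name__}
    healthy = all(c["ok"] for c in components.values())
    body = {
        "status": "ok" if healthy else "degraded",
        "checked_at": int(now if now is not None else time.time()),
        "components": components,
    }
    return (200 if healthy else 503), json.dumps(body, sort_keys=True)


def evaluate_status(http_status: int, body: str, max_age: int, now: float) -> Tuple[bool, List[str]]:
    """Monitor side: decide whether to alert, and list every reason."""
    reasons = []
    if http_status != 200:
        reasons.append(f"http {http_status}")
    try:
        doc = json.loads(body)
    except ValueError:
        return False, reasons + ["body is not JSON"]
    if now - doc.get("checked_at", 0) > max_age:
        reasons.append("status document stale")
    for name, comp in sorted(doc.get("components", {}).items()):
        if not comp.get("ok"):
            reasons.append(f"component failed: {name}")
    return not reasons, reasons


def serve_with_fallback(render: Callable[[], str], alert: Callable[[str], None],
                        fallback_url: str) -> Tuple[int, str]:
    """Fail gracefully: on an unexpected error, alert and redirect instead of a 500."""
    try:
        return 200, render()
    except Exception as exc:
        alert(f"render failed: {type(exc).__name__}: {exc}")
        return 302, fallback_url


def demo() -> dict:
    """Constructed probes standing in for real dependency checks."""
    def db_ping() -> bool:
        return True

    def cache_ping() -> bool:
        raise ConnectionError("cache unreachable")  # simulated dependency outage

    now = 1_700_000_000.0
    alerts: List[str] = []
    code, body = build_status({"database": db_ping, "cache": cache_ping}, now=now)
    fresh_ok, fresh_reasons = evaluate_status(code, body, max_age=60, now=now + 5)

    # A healthy-looking document that is an hour old must still page someone.
    old_doc = json.dumps({"status": "ok", "checked_at": int(now), "components": {}})
    stale_ok, stale_reasons = evaluate_status(200, old_doc, max_age=60, now=now + 3600)

    def render_report() -> str:
        raise RuntimeError("report backend down")

    status, location = serve_with_fallback(render_report, alerts.append, "/maintenance")
    return {"code": code, "fresh_ok": fresh_ok, "fresh_reasons": fresh_reasons,
            "stale_ok": stale_ok, "stale_reasons": stale_reasons,
            "fallback": (status, location), "alerts": alerts}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the probes cheap and side-effect free (a SELECT 1, a cache GET), or the health endpoint itself becomes the thing that takes the component down under load.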

Page 26

Risk Matrix Components

• Type
• Third-Party
• Dataflow diagram ID
• Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info

Page 27

Risk Matrix
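The matrix columns map directly onto a data structure. The following Python is an added example, not the presenter's own template: it models one row per component with the fields listed on the previous slide, scores each as likelihood times impact on a 1 to 5 scale (an assumed convention; the slides do not prescribe one), ranks the rows, and flags any risk that has no monitoring method, which is the gap that turns a failure into a surprise. The sample rows, IDs, vendor name and contacts are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RiskEntry:
    """One row of the risk matrix; fields follow the slide's component list."""
    risk_type: str                 # e.g. "infrastructure", "third-party", "process"
    third_party: Optional[str]     # vendor involved, or None if in-house
    dataflow_id: str               # ID of the component on the dataflow diagram
    description: str
    triggering_action: str         # what has to happen for this risk to materialise
    consequence: str               # consequence of service failure
    likelihood: int                # 1 (rare) .. 5 (expected); assumed scale, not from the slides
    impact: int                    # 1 (nuisance) .. 5 (business-stopping); assumed scale
    user_impact: str
    monitoring: Optional[str]      # how this risk is watched; None means nobody is watching
    mitigation: str                # efforts to mitigate in case of failure
    contact: str

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rank(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Highest score first; ties go to higher impact, so severe-but-rare outranks frequent-but-minor."""
    return sorted(entries, key=lambda e: (e.score, e.impact), reverse=True)


def unmonitored(entries: List[RiskEntry]) -> List[str]:
    """Risks with no monitoring method: you will only learn about these from users."""
    return [e.dataflow_id for e in entries if not e.monitoring]


def render(entries: List[RiskEntry]) -> str:
    """Plain-text matrix for pasting into a project document."""
    lines = [f"{'ID':<7}{'Score':>5}  {'LxI':<4} {'Type':<15}{'Third-party':<13}Description"]
    for e in rank(entries):
        lines.append(
            f"{e.dataflow_id:<7}{e.score:>5}  {e.likelihood}x{e.impact:<2} "
            f"{e.risk_type:<15}{(e.third_party or '-'):<13}{e.description}"
        )
    return "\n".join(lines)


def sample_matrix() -> List[RiskEntry]:
    """Constructed example rows (not from the presentation)."""
    return [
        RiskEntry("third-party", "PaymentCo", "DF-07", "Card payments via hosted API",
                  "Checkout submit", "No orders can complete", likelihood=2, impact=5,
                  user_impact="Cannot purchase", monitoring="Synthetic transaction every 5 min",
                  mitigation="Queue orders and retry; update status page", contact="payments-oncall"),
        RiskEntry("infrastructure", None, "DF-02", "Primary database", "Any write",
                  "Site read-only or down", likelihood=2, impact=5, user_impact="Errors on save",
                  monitoring="Replication lag + ping", mitigation="Promote replica", contact="dba"),
        RiskEntry("process", None, "DF-11", "Nightly export cron", "02:00 schedule",
                  "Stale reports next day", likelihood=4, impact=2,
                  user_impact="Old numbers in dashboard", monitoring=None,
                  mitigation="Manual re-run", contact="data-team"),
    ]


if __name__ == "__main__":
    matrix = sample_matrix()
    print(render(matrix))
    print("unmonitored:", unmonitored(matrix))
```

Review the unmonitored list in every project meeting; a row that stays there for more than a sprint is a decision to be surprised.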

Page 28

Things You Can Start Doing TODAY

Page 29

• Start every project risk-first.
• Build a clear inventory of surface areas and their value. Get stakeholders involved.
• Start using a risk matrix for every major project or product.
• Trust your gut. If something doesn’t look right, it probably isn’t.

Page 30

• Keep your systems as simple as possible. Document them.
• Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
• Get to know your users’ behavior. Use things like Google Analytics and heatmapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.

Page 31

• Increased transparency reduces risk across departments. Consider devops.
• Automate EVERYTHING - Casper, DeployStudio, Boxen, etc. for your Macs. (Chef, Ansible, Salt or Fabric for server configuration management; Vagrant for reproducible development environments.)
• If you develop software, automate your deployment and configuration management. Chatops FTW!
• Log (almost!) EVERYTHING. Know where your logs are. Ship them to a central logging server if at all possible, so an attacker who compromises a host cannot quietly erase the evidence.

Page 32

• Always employ the principle of “least privilege.”
• Rely on role-based groups in Open Directory/Active Directory (OD/AD), email accounts, etc.
• Consider who has access to your social media accounts. Use a social media management system (SMMS) to manage access instead of giving out passwords.
• Consider who has access to third-party services where billing information is available via account management settings.

Page 33

• Be proactive in educating your company’s staff about security. Measure results.
• Teach your users about password security and social engineering.
• Set your users up with a good password manager like LastPass or 1Password.
• Always be aware of single points of failure. (“Bus factor”, Maginot Line)

Page 34

• Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
• Create a Business Continuity Plan.
• Create an Incident Response Plan. Test it.
• Create a Disaster Recovery Plan. TEST IT. (Seriously.)

Page 35

• Give preference to vendors that integrate with your AD/OD, so accounts are provisioned and removed centrally.
• Create a vendor management policy. Insist (and document) that your vendors comply with your requirements, or find a new vendor.
• Make sure you understand what happens when third-party services fail or behave unexpectedly.

Page 36

Thank you!

Alison Gianotto
[email protected]
@snipeyhead