There is no security

(and it feels just fine)

Jonathan Care@arashiyama

http://uk.linkedin.com/in/computercrime/

@arashiyama

No Security: wtf?

@arashiyama

kill off misconceptions

@arashiyama

get past the sales talk

@arashiyama

expose the cyber

@arashiyama

We really do care about security and privacy…

@arashiyama

@arashiyama

Meanwhile …

@arashiyama

@arashiyama

What do IT guys actually care about?

@arashiyama Credit: 451 Research

@arashiyama

three faces of information security

@arashiyama

compliance

@arashiyama

business enablement

@arashiyama

real infosec

@arashiyama

Security fail #1 : PCI DSS

@arashiyama

Most breaches web-commerce based

@arashiyama

Although compromised PEDs are fun too

@arashiyama

Security fail #2 : ICS/SCADA

@arashiyama

Note: I will not visit you in prison if you get into trouble trying out this stuff. Also, SCADA systems control things that are IMPORTANT and should not be fscked with lightly

@arashiyama

http://bit.ly/lyMi35Siemens, SIMATIC HMI, XP277, 6AV6 643-0CD01-1AX0, HW: 0, SW: V 1 1 2

@arashiyama

http://bit.ly/jTlKsL(What temperature would you like your HVAC today?)

@arashiyama

Wide open webcams?

@arashiyama

Oh yeah.

@arashiyama

Security fail #3 : Consumers

@arashiyama

ecommerce

@arashiyama

SaaS

@arashiyama

(we are all consumers)

@arashiyama

Security fail #4 – Software (!)

@arashiyama

Heartbleed

@arashiyama

ShellShock

@arashiyama

@arashiyama

@arashiyama

So, how’s YOUR software dev doing?

@arashiyama

@arashiyama

Conclusions:

@arashiyama

1.All software has bugs.

@arashiyama

2. Bugs will be discovered

@arashiyama

3. Some bugs will have a security impact

@arashiyama

4. Product owners continue to value functionality over security

@arashiyama

5. Investors place little value on security and privacy

@arashiyama

6. End users trust vendors

@arashiyama

What can we do?

@arashiyama

PROTECT

DETECTRESPOND

@arashiyama

SANS Top 20 Critical Controls

@arashiyama

Policy, processes & guidelines

InfoSec checkpoints in project lifecycle

Threat Model

Risk Appetite / Risk Tolerance

Secure Software Environment

Operational Security Controls

Continuous Vulnerability Scan –Fix

Penetration Testing / Red teaming

Malware

IDS / IPS

Firewalls

Centralised Logging (SIEM)

Threat Intelligence

PROTECT

DETECTRESPOND

Incident Response (Threat Model)

Incident Response (“Bluebird”)

Exec-level(press, clients)

“Forensic Readiness”

Update PROTECT model

@arashiyama

Secure Software Environment - BSIMM

@arashiyama

Secure Software

Environment

Governance

Intelligence

SSDL Touchpoints

Deployment

Strategy and Metrics

Compliance and Policy

Training

Attack Models

Security Features and Design

Standards and Requirements

Architecture Analysis

Code Review

Security Testing

Penetration Testing

Software Environment

Configuration Mgmt / Vulnerability Mgmt

@arashiyama