There is no security (and it feels just fine)
Jonathan Care (@arashiyama)
http://uk.linkedin.com/in/computercrime/
No Security: wtf?
kill off misconceptions
get past the sales talk
expose the cyber
We really do care about security and privacy…
Meanwhile …
What do IT guys actually care about? (Credit: 451 Research)
three faces of information security
compliance
business enablement
real infosec
Security fail #1 : PCI DSS
Most breaches are web-commerce based
Although compromised PEDs (PIN entry devices) are fun too
Security fail #2 : ICS/SCADA
Note: I will not visit you in prison if you get into trouble trying out this stuff. Also, SCADA systems control things that are IMPORTANT and should not be fscked with lightly
http://bit.ly/lyMi35 (Siemens, SIMATIC HMI, XP277, 6AV6 643-0CD01-1AX0, HW: 0, SW: V 1 1 2)
http://bit.ly/jTlKsL (What temperature would you like your HVAC today?)
Wide open webcams?
Oh yeah.
Security fail #3 : Consumers
ecommerce
SaaS
(we are all consumers)
Security fail #4 : Software (!)
Heartbleed
ShellShock
So, how’s YOUR software dev doing?
Conclusions:
1. All software has bugs.
2. Bugs will be discovered.
3. Some bugs will have a security impact.
4. Product owners continue to value functionality over security.
5. Investors place little value on security and privacy.
6. End users trust vendors.
What can we do?
PROTECT / DETECT / RESPOND
SANS Top 20 Critical Controls

Policy, processes & guidelines
InfoSec checkpoints in project lifecycle
Threat Model
Risk Appetite / Risk Tolerance
Secure Software Environment
Operational Security Controls
Continuous Vulnerability Scan – Fix
Penetration Testing / Red teaming

Malware
IDS / IPS
Firewalls
Centralised Logging (SIEM)
Threat Intelligence

PROTECT / DETECT / RESPOND
Incident Response (Threat Model)
Incident Response (“Bluebird”)
Exec-level (press, clients)
“Forensic Readiness”
Update PROTECT model
Secure Software Environment - BSIMM

The BSIMM software security framework: four domains, each with three practices.

Governance: Strategy and Metrics; Compliance and Policy; Training
Intelligence: Attack Models; Security Features and Design; Standards and Requirements
SSDL Touchpoints: Architecture Analysis; Code Review; Security Testing
Deployment: Penetration Testing; Software Environment; Configuration Mgmt / Vulnerability Mgmt