You built a security castle and forgot the bridge…now users are climbing your walls


Transcript of You built a security castle and forgot the bridge…now users are climbing your walls

Page 1: You built a security castle and forgot the bridge…now users are climbing your walls

You built a security castle but you forgot the bridge...

Soraya Viloria Montes de Oca

@GeekChickUK

now your users are climbing up the walls

Page 2: You built a security castle and forgot the bridge…now users are climbing your walls

Disclaimer

The views expressed in this presentation are the views of the speaker and do not reflect the views or policies of her present or past employers.

The cases and examples, while inspired by real life, are the result of her crazy imagination.

The terminology used may not necessarily be consistent with official terms and may reflect prejudicially on her parents' parental efforts.

Some slides may vary from the live presentation due to restrictions and © license permissions.

Page 3: You built a security castle and forgot the bridge…now users are climbing your walls

Let’s not dwell on that

IT projects #fail

75% of all IT projects fail...

UK projects:

£12.7bn National Programme for IT (NHS)
£7.1bn Defence Information Infrastructure (DII)
£5bn National Identity Scheme
£400m Libra system (for magistrates' courts)

Source: Gartner's reports plus various other articles

Page 4: You built a security castle and forgot the bridge…now users are climbing your walls

Is it really a \o/ #win?

To be successful you need to aim beyond the aims of "completing on time and in budget".

IMHO

Page 5: You built a security castle and forgot the bridge…now users are climbing your walls

Once upon a time...

You built a security castle

Page 6: You built a security castle and forgot the bridge…now users are climbing your walls

If you don't understand...

Users

Assets

Get ready for a battle

Page 7: You built a security castle and forgot the bridge…now users are climbing your walls

If you don't understand...

"Users" vs. "Service desk"
"Service desk" vs. "Systems Ops"
"Systems Ops" vs. "InfoSec"
"Users" vs. "InfoSec"

Users

Assets

The battle... will be lost

Page 8: You built a security castle and forgot the bridge…now users are climbing your walls

One shoe... doesn't fit all

Good security understands that

Users are not homogenous

they access different information

... in a variety of ways

Page 9: You built a security castle and forgot the bridge…now users are climbing your walls

And different assets...

...have different values

Would you put the same resources and effort into protecting these?

Page 10: You built a security castle and forgot the bridge…now users are climbing your walls

If security is too tight, it is soon...

...undermined

What do we hear?

"You are costing us money"

"We can live with the risk"

Your position is advisory

To succeed, the business will soon sell your castle

The original cartoon had to be removed as the license was only for live presentation

Page 11: You built a security castle and forgot the bridge…now users are climbing your walls

By week 112


You have more holes than a colander

Page 12: You built a security castle and forgot the bridge…now users are climbing your walls

Without the buy-in

The security battle will be lost

Users

Board

I.T.

Page 13: You built a security castle and forgot the bridge…now users are climbing your walls

Time for a quick game?

Let's suggest a secure solution which will enable the Occupational Therapy (OT) team to provide medical care to patients somewhere in... Scotland

Page 14: You built a security castle and forgot the bridge…now users are climbing your walls

Info you have

Documentation:

1. The blueprints of the sites
2. Hospitals
3. GP surgeries/clinics
4. NPLS networks
5. Organisational charts
Even...
6. Job Descriptions

Some security architects start and finish here...

Page 15: You built a security castle and forgot the bridge…now users are climbing your walls

Take a closer look

Occupational Therapy Team

To build security that lasts

Occupational therapy careers are instrumental in teaching individuals who suffer from a physical, mental, emotional, or developmental disability to develop, recover or maintain the tasks of daily living, along with work skills if needed.

In practice: very different functions and 5+ different positions

Page 16: You built a security castle and forgot the bridge…now users are climbing your walls

Take a closer look

Occupational Therapy Team

Not everything is what it seems

Some work at the hospital. Others at GP surgeries or clinics. Others support patients at home and go back to base once a month,

which means very different infrastructure & tools

How can you achieve work targets if

you can't perform the same tasks at the same speed?

Page 17: You built a security castle and forgot the bridge…now users are climbing your walls

Look deeper...

The same team doesn't have the same tools (columns: Desktop / Laptop / Toughbook)

Full drive encryption      X  X
End point encryption       X  X  X
No local privileges        X  X  X
Off line drive mode on     X
USB disable                X  X
CD/DVD (disabled)          X  N/A
SD Cards slot              X
Camera (internal)          some  X
Connectivity               ETH  ETH/Wi-Fi  WiFi/3G/GPRS
Access                     LAN  LAN/VPN/RAS  VPN/RAS

Page 18: You built a security castle and forgot the bridge…now users are climbing your walls

and deeper...

Same speeds?

"Many GP practices are struggling with inadequate broadband speeds over N3... the majority of practices, with up to 49 network devices, are now limited to a 1Mb ADSL connection with upstream rates of 288kb/s..."

NHS broadband leaves GPs in slow lane, © 2006 E-Health-Media Ltd. All rights reserved.

Based at a hospital you get top speeds, but...

Could you upload videos of patients from a GP surgery or over 3G?

Page 19: You built a security castle and forgot the bridge…now users are climbing your walls

And your point is?

In order to make your castle stand the test of time:

Get to know who your users are and the assets you are protecting.

Design a security model that fits the organisation's functional and legal requirements.

Don't build "security" that gets in the way, but one that is flexible, copes with a variety of business processes and allows the data to flow... securely.

Don't make assumptions.

Balance usability & security, with the minimal number of rules.

Page 20: You built a security castle and forgot the bridge…now users are climbing your walls

Report time

To make a difference, highlight the good and the bad; always be constructive.

Write English no matter how cool your findings are; don't brag using technical terms.

Aim to make a difference

Auditors, pentesters and the like...

Page 21: You built a security castle and forgot the bridge…now users are climbing your walls

and if you want to chat about security that lasts... come and find me

Soraya Viloria Montes de Oca

@GeekChickUK

GeekChickUK ( @ ) gmail (.) com

Cheers!