Transcript
Page 1: Five things I learned about information security

Major Hayden, University of the Incarnate Word - November 2, 2015

Five lessons I learned about information security

Page 2

A bit about me

Page 3

Major Hayden, Principal Architect at Rackspace

Fedora Security Team
Package maintainer
Fedora Planet blogger
Former board member
Ambassador

Ansible
Python
OpenStack
Xen/KVM/Containers
Information Security

Page 4

Major Hayden, Principal Architect at Rackspace

GIAC Certified Unix Security Administrator

Paper: Securing Linux Containers, http://bit.ly/securinglinuxcontainers

GIAC Security Essentials Certification

Red Hat Certified Architect

Page 7

icanhazip.com
icanhazptr.com
icanhaztrace.com
icanhazproxy.com
icanhazepoch.com
icanhaztraceroute.com

Page 8

Agenda

How did I get into information security?

Five lessons learned (many of them learned the hard way)

Final thoughts (and some required reading)

Page 9

How did I get into information security?

Page 10

How did I stumble into information security?

Page 11

I sent an angry email after a security incident.

Special note: this is not a recommended method for getting into an information security career.

Page 12

Impromptu calendar invitation from the Chief Security Officer (CSO) arrives

Page 13

“I’m totally fired.”

Page 15

Lesson 1: Information security requires lots of communication and relationships

Page 16

People within businesses generally fall into one of three security mindsets:

Page 17

“Security is mission-critical for us and it’s how we maintain our customers’ trust.”

These are your allies.

Share your intelligence with them frequently. They must be “read into” what’s happening.

Highlight their accomplishments and efforts to your leadership and theirs at every possible opportunity.

Page 18

“Security is really important, but we have lots of features to release. We will get to it.”

These people see security as a bolt-on, value-added product feature.

Share methods for building in security from the start.

Make it easier for this group to build secure systems through technical standards.

Page 19

“I opened this weird file from someone I didn’t know and now my computer is acting funny.”

This group is your biggest risk.

Take steps to prevent them from being able to make mistakes in the first place.

Regularly send high-level communication to this group with useful information in a friendly format.

Page 20

Lesson 2: Spend the majority of your time and money on detection and response capabilities

Page 21

Make it easier to detect an intruder and respond to the intrusion

Don’t let your intruders act like this:

Make them act more like this:

Page 22

Ensure that if an attacker gains access to your network, you know about the intrusion and how to respond

Automation, aggregation, alerting

Firewall logs

Netflow data/analysis

Intrusion Detection Systems (IDS)

Server logs

Authentication logs

Physical security devices

Immediate, coordinated response
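As an added example (not part of the talk), the "automation, aggregation, alerting" idea applied to one of the sources listed above, authentication logs: the script below parses sshd lines in the standard syslog format, aggregates failures per source address, and raises an alert both when the failure count crosses a threshold and when a success follows a run of failures from the same source. The log lines, hostnames and addresses are constructed for the example.

```python
# Added example (not from the talk): aggregate sshd auth log lines per source
# address and emit alerts. Sample lines are constructed; addresses are made up.
import re
from collections import defaultdict

# Constructed sample: a burst of failures from one source followed by a success
# from that same source, plus an unrelated legitimate login from another host.
SAMPLE_LOG = """\
Nov  2 09:12:01 web01 sshd[4101]: Failed password for invalid user admin from 198.51.100.23 port 50210 ssh2
Nov  2 09:12:03 web01 sshd[4103]: Failed password for root from 198.51.100.23 port 50214 ssh2
Nov  2 09:12:05 web01 sshd[4105]: Failed password for root from 198.51.100.23 port 50219 ssh2
Nov  2 09:12:07 web01 sshd[4107]: Failed password for root from 198.51.100.23 port 50223 ssh2
Nov  2 09:12:09 web01 sshd[4109]: Failed password for root from 198.51.100.23 port 50228 ssh2
Nov  2 09:12:30 web01 sshd[4111]: Accepted publickey for deploy from 203.0.113.8 port 40022 ssh2
Nov  2 09:13:02 web01 sshd[4113]: Accepted password for root from 198.51.100.23 port 50231 ssh2
Nov  2 09:14:40 web01 sshd[4115]: Failed password for alice from 203.0.113.8 port 40031 ssh2
"""

# Matches both "Failed password for invalid user X from ..." and
# "Accepted publickey for X from ..." forms emitted by OpenSSH.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_lines(text):
    """Yield (result, user, src) for each line that is an sshd auth event."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def alerts(text, threshold=5, spray_min=3):
    """Walk the log in order and return alert strings.

    HIGH-VOLUME-FAILURES fires once, when a source reaches `threshold` failures.
    FAILURES-THEN-SUCCESS fires when a source that already has at least
    `spray_min` failures then gets an accepted login (a guess that worked).
    """
    failures = defaultdict(int)
    out = []
    for result, user, src in parse_auth_lines(text):
        if result == "Failed":
            failures[src] += 1
            if failures[src] == threshold:
                out.append(f"HIGH-VOLUME-FAILURES src={src} failures={failures[src]}")
        elif failures[src] >= spray_min:
            out.append(f"FAILURES-THEN-SUCCESS src={src} user={user} failures={failures[src]}")
    return out
```

The legitimate `deploy` login produces no alert because its source had no prior failures; the later single failure for `alice` stays below both thresholds.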

Page 23

Incident communication

Use broad communication that hints at urgency without sharing details.

Share the details with your allies in the business.

Page 24

Lesson 3: People, process, and technology must be in sync

Page 25

After an incident:

Don’t talk about people*.

Don’t talk about what could have been done.

Don’t talk about vendors.

* No matter how delicate you are, you will eventually “call the baby ugly”.

Page 26

Assume the worst will happen again. Design processes and technologies to reduce its impact in the future.

This is an iterative process.

Page 27

Lesson 4: Set standards, not policies.

Page 28

Use a little psychology to drive the behavior you truly want: a more secure infrastructure

Page 29

Compare these two methods of communicating with the business:

Page 30

“If your system doesn’t pass this PCI-DSS audit, we won’t be able to take credit cards. We know what that means.”

Page 31

“We have a technical standard for public-facing environments that you need to meet, and we have some tools to self-assess your systems.”

Page 32

Technical people can easily digest technical standards, but not lengthy compliance documents.

Design a standard so that an environment can meet multiple compliance programs if it is followed carefully.

Page 33

Lesson 5: Don’t take security incidents personally.

Page 35

Security incidents highlight areas for improvement.

They also give you a better idea of what attackers want from your business.

Page 36

Take the time to do a thorough root cause analysis.

Adjust spending, priorities, and tasks based on what you find.

Page 37

Final thoughts

Page 38

Information security thrives on frequent, honest, meaningful communication more than anything else.

Security incidents will happen. How you respond to them is critical.

Design systems that prevent people from making mistakes in the first place.

Page 39

Switch: How to Change Things When Change is Hard, by Chip & Dan Heath

When you want to make change happen, this book will help you focus your thinking. It has some great frameworks and situational examples.

Page 40

Winning With People, by John Maxwell

Building relationships requires learning a lot about yourself first. This book is broken into five sections that gradually take you through how to have stronger, lasting relationships with others.

Page 41

The Phoenix Project, by Gene Kim, Kevin Behr, and George Spafford

A must for anyone working in IT. It’s a modern spin on Goldratt’s classic, The Goal, that focuses on a new IT executive who is in over his head. Security and compliance issues play a big role in how he works within his business.

Page 42

Thank you! majorhayden

[email protected]

major.io

Page 43

Image Credits

Bank safe on title slide: By Alvesgaspar (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons

Honduran TIGRES soldiers: United States Special Operations Command (Flickr: https://flic.kr/p/qweJtn, CC-BY 2.0)

Longhorn cattle: Evelyn Simak [CC BY-SA 2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons

NORAD: By NORAD (government website) [Public domain], via Wikimedia Commons

Iterative process diagram: By Aflafla1 [CC0], via Wikimedia Commons