Five things I learned about information security


<ul>
<li><p>Major Hayden</p><p>University of the Incarnate Word - November 2, 2015</p><p>Five lessons I learned about information security</p></li>
<li><p>A bit about me</p></li>
<li><p>Major Hayden</p><p>Principal Architect at Rackspace</p><p>Fedora Security Team</p><p>Package maintainer</p><p>Fedora Planet blogger</p><p>Former board member</p><p>Ambassador</p><p>Ansible</p><p>Python</p><p>OpenStack</p><p>Xen/KVM/Containers</p><p>Information Security</p></li>
<li><p>Major Hayden</p><p>Principal Architect at Rackspace</p><p>GIAC Certified Unix Security Administrator</p><p>Paper: Securing Linux Containers</p><p>GIAC Security Essentials Certification</p><p>Red Hat Certified Architect</p></li>
<li><p>Agenda</p><p>How did I get into information security?</p><p>Five lessons learned (many of them learned the hard way)</p><p>Final thoughts (and some required reading)</p></li>
<li><p>How did I get into information security?</p></li>
<li><p>How did I stumble into information security?</p></li>
<li><p>I sent an angry email after a security incident.</p><p>Special note: this is not a recommended method for getting into an information security career.</p></li>
<li><p>Impromptu calendar invitation from the Chief Security Officer (CSO) arrives</p></li>
<li><p>I'm totally fired.</p></li>
<li><p>Lesson 1: Information security requires lots of communication and relationships</p></li>
<li><p>People within businesses generally fall into one of three security mindsets:</p></li>
<li><p>Security is mission-critical for us and it's how we maintain our customers' trust.</p><p>These are your allies.</p><p>Share your intelligence with them frequently. They must be read into what's happening.</p><p>Highlight their accomplishments and efforts to your leadership and theirs at every possible opportunity.</p></li>
<li><p>Security is really important, but we have lots of features to release. We will get to it.</p><p>These people see security as a bolt-on, value-added product feature.</p><p>Share methods for building in security from the start.</p><p>Make it easier for this group to build secure systems through technical standards.</p></li>
<li><p>I opened this weird file from someone I didn't know and now my computer is acting funny.</p><p>This group is your biggest risk.</p><p>Take steps to prevent them from being able to make mistakes in the first place.</p><p>Regularly send high-level communication to this group with useful information in a friendly format.</p></li>
<li><p>Lesson 2: Spend the majority of your time and money on detection and response capabilities</p></li>
<li><p>Make it easier to detect an intruder and respond to the intrusion</p><p>Don't let your intruders act like this:</p><p>Make them act more like this:</p></li>
<li><p>Ensure that if an attacker gains access to your network, you know about the intrusion and how to respond</p><p>Automation, aggregation, alerting</p><p>Firewall logs</p><p>Netflow data/analysis</p><p>Intrusion Detection Systems (IDS)</p><p>Server logs</p><p>Authentication logs</p><p>Physical security devices</p><p>Immediate, coordinated response</p></li>
<li><p>Incident communication</p><p>Use broad communication that hints at urgency without sharing details.</p><p>Share the details with your allies in the business.</p></li>
<li><p>Lesson 3: People, process, and technology must be in sync</p></li>
<li><p>After an incident:</p><p>Don't talk about people*.</p><p>Don't talk about what could have been done.</p><p>Don't talk about vendors.</p><p>* No matter how delicate you are, you will eventually call the baby ugly.</p></li>
<li><p>Assume the worst will happen again. Design processes and technologies to reduce its impact in the future.</p><p>This is an iterative process.</p></li>
<li><p>Lesson 4: Set standards, not policies.</p></li>
<li><p>Use a little psychology to drive the behavior you truly want: a more secure infrastructure</p></li>
<li><p>Compare these two methods of communicating with the business:</p></li>
<li><p>If your system doesn't pass this PCI-DSS audit, we won't be able to take credit cards.</p><p>We know what that means.</p></li>
<li><p>We have a technical standard for public-facing environments that you need to meet, and we have some tools to self-assess your systems.</p></li>
<li><p>Technical people can easily digest technical standards, but not lengthy compliance documents.</p><p>Design a standard so that an environment can meet multiple compliance programs if it is followed carefully.</p></li>
<li><p>Lesson 5: Don't take security incidents personally.</p></li>
<li><p>Security incidents highlight areas for improvement.</p><p>They also give you a better idea of what attackers want from your business.</p></li>
<li><p>Take the time to do a thorough root cause analysis.</p><p>Adjust spending, priorities, and tasks based on what you find.</p></li>
<li><p>Final thoughts</p></li>
<li><p>Information security thrives on frequent, honest, meaningful communication more than anything else.</p><p>Security incidents will happen. How you respond to them is critical.</p><p>Design systems that prevent people from making mistakes in the first place.</p></li>
<li><p>Switch: How to Change Things When Change is Hard</p><p>Chip &amp; Dan Heath</p><p>When you want to make change happen, this book will help you focus your thinking. It has some great frameworks and situational examples.</p></li>
<li><p>Winning With People</p><p>John Maxwell</p><p>Building relationships requires learning a lot about yourself first. This book is broken into five sections that gradually take you through how to have stronger, lasting relationships with others.</p></li>
<li><p>The Phoenix Project</p><p>Gene Kim, Kevin Behr, and George Spafford</p><p>A must for anyone working in IT. It's a modern spin on Goldratt's classic, The Goal, that focuses on a new IT executive that is in over his head. Security and compliance issues play a big role in how he works within his business.</p></li>
<li><p>Thank you!</p><p>majorhayden</p></li>
<li><p>Image Credits</p><p>Bank safe on title slide: By Alvesgaspar (Own work) [CC BY-SA 4.0], via Wikimedia Commons</p><p>Honduran TIGRES soldiers: United States Special Operations Command (Flickr, CC-BY 2.0)</p><p>Longhorn cattle: Evelyn Simak [CC BY-SA 2.0], via Wikimedia Commons</p><p>NORAD: By NORAD (government website) [Public domain], via Wikimedia Commons</p><p>Iterative process diagram: By Aflafla1 [CC0], via Wikimedia Commons</p></li>
</ul>