EVADE THE BREACH: BY CHANGING THE WAY YOU THINK ABOUT INFORMATION SECURITY
MAJOR HAYDEN
RACKSPACE
@majorhayden
FOR ACCRUENT INSIGHTS 2014, AUSTIN, TEXAS
PHOTO CREDIT: CURTIS GREGORY PERRY [bit.ly/1k5ajws]
ABOUT MAJOR
• Born in Austin
• At Rackspace since 2006
• Focused on Linux engineering, software development and information security
• Two kids and four chinchillas
THIS IS A CHINCHILLA
THEY ARE AMAZING PETS AND I COULD TALK ABOUT THEM FOR A LONG TIME
AGENDA
Presentation 30 minutes
Q&A 30 minutes
Let's cover some critical concepts
SECURITY ISN'T EASY
YOUR BUSINESS DOESN'T EXIST TO BE SECURE
INSPIRED BY KEITH PALMGREN'S "13 ABSOLUTE TRUTHS OF SECURITY"
SECURITY HAS NO FINISH LINE
INSPIRED BY KEITH PALMGREN'S "13 ABSOLUTE TRUTHS OF SECURITY"
"Reports that say...that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know."
—Donald Rumsfeld, United States Secretary of Defense
PUBLIC DOMAIN PHOTO BY THE UNITED STATES ARMY
THREE DEFENSIVE LAYERS
Preventative: Make yourself a hard target
Detective: Know when danger is on your doorstep
Corrective: Remove the threat and repair the damage
PROCESS IMPROVEMENT / FEEDBACK LOOP
We can apply these layers to something we all know well
How do we protect our homes?
PHOTO CREDIT: DPREVITE [bit.ly/1mC8QBi]
We lock our doors
We put our lights on timers
We close the blinds
We install security cameras
We join the neighborhood watch
We set our security alarm
We have our alarm monitored
We buy homeowner's insurance
We buy firearms*
(The same list is then shown three more times, with items highlighted in turn as PREVENTATIVE, DETECTIVE and CORRECTIVE measures.)
You now know two other concepts
DEFENSE IN DEPTH: ASSUME THE WORST AND BUILD LAYERS OF DEFENSE
PHOTO CREDIT: SZEKE [bit.ly/1mxjkzl]
RISK MANAGEMENT: INVEST YOUR TIME SPENT ON SECURITY WISELY
PHOTO CREDIT: LORENZOCLICK [bit.ly/1f40rns]
Do your third party vendors invest in security as much as you do?
How will you know for sure?
IT'S NOT EASY
PHOTO CREDIT: KEVIN DOOLEY [bit.ly/1ri0hej]
Let's review the facts
"Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network."
"Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system."
"Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets."
"Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network."
What can we learn from the Target breach?
Target's situation isn't unique to Target
It's your responsibility to insulate yourself from third parties
Continually test your security layers so you can trust them in an emergency
What about the vendors that don't show up on your books?
PHOTO CREDIT: CLASPINGWALNUT [BIT.LY/1K5J5DT]
HOW ABOUT THE OPENSSL SOFTWARE FOUNDATION?
HEARTBLEED: A QUICK SUMMARY
• Small coding error allows attackers to steal chunks of memory from remote servers
• Attackers repeatedly send requests to get different data from the server
• Announcement of the vulnerability was handled extremely poorly
• Much of the internet is still vulnerable almost a month after the announcements
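To make the "small coding error" concrete, here is an added example (not from the slides and not OpenSSL's code): a simplified heartbeat-style handler that trusts the peer's declared payload length, beside the same handler with the bounds check the bug lacked. The record layout follows the TLS heartbeat message (1-byte type, 2-byte length, payload, padding); the `hb_echo_*` names and the in-process "server memory" array are constructed for illustration.

```c
#include <string.h>

/* Simplified heartbeat-style record (constructed for this example):
 *   [type(1)] [payload_len(2, big-endian)] [payload bytes] [16 bytes padding]
 * The peer supplies payload_len, so it can disagree with the bytes received. */
#define HB_HDR 3
#define HB_PAD 16

/* Unchecked handler: trusts the peer's payload_len and never compares it with
 * the length of the record actually received (the "small coding error"). */
int hb_echo_unchecked(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    (void)rec_len;                               /* never consulted: the bug */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap)
        return -1;                               /* protects only the reply buffer */
    memcpy(out, rec + HB_HDR, payload_len);      /* reads past the record */
    return (int)payload_len;
}

/* Hardened handler: header + declared payload + padding must fit inside the
 * bytes really received, otherwise the record is dropped. */
int hb_echo_checked(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PAD)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload_len + HB_PAD > rec_len) /* the missing bounds check */
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + HB_HDR, payload_len);
    return (int)payload_len;
}

/* Constructed "server memory": a record whose 4-byte payload claims to be 32
 * bytes, followed by data that must never leave the server. One array keeps
 * the unchecked copy observable without real undefined behaviour. */
#define SECRET "SESSION-KEY-0123"
#define REAL_PAYLOAD 4
#define RECORD_LEN (HB_HDR + REAL_PAYLOAD + HB_PAD)   /* 23 bytes received */
static const unsigned char server_memory[] =
    "\x01\x00\x20" "ping" "PPPPPPPPPPPPPPPP" SECRET;

/* Bytes from outside the record that the unchecked handler echoed back
 * (12 here: the start of SECRET). */
int unchecked_leaks_secret(void)
{
    unsigned char reply[64] = {0};
    int n = hb_echo_unchecked(server_memory, RECORD_LEN, reply, sizeof reply);
    int extra = n - (REAL_PAYLOAD + HB_PAD);
    if (extra <= 0)
        return 0;
    return memcmp(reply + REAL_PAYLOAD + HB_PAD, SECRET, (size_t)extra) == 0 ? extra : -1;
}

/* The hardened handler drops the same lying record (-1)... */
int checked_rejects_lie(void)
{
    unsigned char reply[64];
    return hb_echo_checked(server_memory, RECORD_LEN, reply, sizeof reply);
}

/* ...but still echoes an honest record whose declared length is 4. */
int checked_echoes_honest(void)
{
    unsigned char honest[RECORD_LEN], reply[64];
    memcpy(honest, server_memory, RECORD_LEN);
    honest[1] = 0x00; honest[2] = REAL_PAYLOAD;          /* truthful length */
    int n = hb_echo_checked(honest, RECORD_LEN, reply, sizeof reply);
    return (n == REAL_PAYLOAD && memcmp(reply, "ping", REAL_PAYLOAD) == 0) ? n : -1;
}
```

Dropping the mismatched record silently, rather than clamping the length and replying, matches what the OpenSSL fix did.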
HEARTBLEED: LESSONS LEARNED
Layer your defenses
Segregate server duties
Make emergency plans
Rackspace has joined many other companies in support of the Core Infrastructure Initiative that provides funding for open source projects that need assistance
LET'S WRAP IT UP
PHOTO CREDIT: TANAKAWHO [bit.ly/1mxiEd3]
Three takeaways:
(Or, if you fell asleep during the last half hour, here's what I was talking about)
1. Layer your defenses
2. The security of your business is your business
3. Better security requires changes in people, process, and technology
THANK YOU!
PHOTO CREDIT: STUCK IN CUSTOMS [bit.ly/1k5nqha]
Blog: major.io
Twitter: @majorhayden
Email: major.hayden@rackspace.com
Accruent insights 2014 2014-04-28 - v8 - final