I delivered this presentation at the University of the Incarnate Word in San Antonio, Texas, to a group of students studying information security. They're learning plenty about the technical aspects of information security, but I wanted to talk to them about the non-technical aspects as well. This presentation is meant to be a low-tech, more social introduction on how to handle security within a large organization.
3. Major Hayden
Principal Architect at Rackspace
Fedora Security Team
Package maintainer
Fedora Planet blogger
Former board member
Ambassador
Ansible
Python
OpenStack
Xen/KVM/Containers
Information Security
4. Major Hayden
Principal Architect at Rackspace
GIAC Certified Unix Security Administrator
Paper: Securing Linux Containers
http://bit.ly/securinglinuxcontainers
GIAC Security Essentials Certification
Red Hat Certified Architect
17. “Security is mission-critical for us and it’s how we maintain our customers’ trust.”
These are your allies. Share your intelligence with them frequently. They must be “read into” what’s happening.
Highlight their accomplishments and efforts to your leadership and theirs at every possible opportunity.
18. “Security is really important, but we have lots of features to release. We will get to it.”
These people see security as a bolt-on, value-added product feature.
Share methods for building in security from the start. Make it easier for this group to build secure systems through technical standards.
19. “I opened this weird file from someone I didn’t know and now my computer is acting funny.”
This group is your biggest risk. Take steps to prevent them from being able to make mistakes in the first place.
Regularly send high-level communication to this group with useful information in a friendly format.
20. Lesson 2: Spend the majority of your time and money on detection and response capabilities
21. Make it easier to detect an intruder and respond to the intrusion
Don’t let your intruders act like this:
Make them act more like this:
22. Ensure that if an attacker gains access to your network, you know about the intrusion and how to respond
Automation, aggregation, alerting across:
Firewall logs
NetFlow data/analysis
Intrusion Detection Systems (IDS)
Server logs
Authentication logs
Physical security devices
Immediate, coordinated response
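The slide above lists authentication logs as one of the sources to automate, aggregate and alert on. The following is an added example, not part of the deck, showing the smallest useful version of that idea: parse sshd-style syslog lines, aggregate failures per source address across hosts, and raise an alert when a burst of failed logins is followed by a successful one from the same address. The log lines are constructed for the example, the syslog/sshd message format is assumed, and the threshold and window values are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (sshd-style syslog; not real hosts).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:02 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 10 08:01:05 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 10 08:01:09 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar 10 08:01:14 web01 sshd[2105]: Failed password for root from 198.51.100.23 port 51034 ssh2
Mar 10 08:01:20 web01 sshd[2107]: Failed password for root from 198.51.100.23 port 51040 ssh2
Mar 10 08:01:31 web01 sshd[2109]: Accepted password for root from 198.51.100.23 port 51044 ssh2
Mar 10 08:02:00 db01 sshd[887]: Accepted publickey for deploy from 203.0.113.5 port 40022 ssh2
Mar 10 08:03:12 db01 sshd[890]: Failed password for deploy from 203.0.113.5 port 40030 ssh2
"""

# Assumed sshd message layout: "<timestamp> <host> sshd[pid]: Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text):
    """Turn raw log text into a list of auth events; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
        # for ordering and windowing within one log file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({
            "ts": ts, "host": m.group("host"), "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src"),
        })
    return events


def summarize_failures(events):
    """Aggregation step: failed attempts per source address across all hosts."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "Failed":
            counts[ev["src"]] += 1
    return dict(counts)


def find_suspicious_logins(events, threshold=3, window_seconds=300):
    """Alerting step: a successful login preceded by >= threshold failures from the
    same source to the same host within window_seconds. Events must be in log order."""
    failures = defaultdict(list)  # (host, src) -> timestamps of failed attempts
    alerts = []
    for ev in events:
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        recent = [t for t in failures[key] if t >= cutoff]
        if len(recent) >= threshold:
            alerts.append({
                "host": ev["host"], "src": ev["src"], "user": ev["user"],
                "failures_before_success": len(recent), "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures per source:", summarize_failures(evs))
    for a in find_suspicious_logins(evs):
        print("ALERT: %s accepted login for %s from %s after %d failures"
              % (a["host"], a["user"], a["src"], a["failures_before_success"]))
```

In practice the parsing and aggregation run in a log pipeline or SIEM rather than a script, but the shape is the same: normalize each source into events, aggregate on a key that survives across hosts (here the source address), and alert on a pattern that a single log line cannot show on its own.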
23. Incident communication
Use broad communication that hints at urgency without sharing details. Share the details with your allies in the business.
25. After an incident:
Don’t talk about people*. Don’t talk about what could have been done. Don’t talk about vendors.
* No matter how delicate you are, you will eventually “call the baby ugly”.
26. Assume the worst will happen again. Design processes and technologies to reduce its impact in the future. This is an iterative process.
30. “If your system doesn’t pass this PCI-DSS audit, we won’t be able to take credit cards. We know what that means.”
31. “We have a technical standard for public-facing environments that you need to meet, and we have some tools to self-assess your systems.”
32. Technical people can easily digest technical standards, but not lengthy compliance documents.
Design a standard so that an environment can meet multiple compliance programs if it is followed carefully.
38. Information security thrives on frequent, honest, meaningful communication more than anything else.
Security incidents will happen. How you respond to them is critical.
Design systems that prevent people from making mistakes in the first place.
39. Switch: How to Change Things When Change is Hard
Chip & Dan Heath
When you want to make change happen, this book will help you focus your thinking. It has some great frameworks and situational examples.
40. Winning With People
John Maxwell
Building relationships requires learning a lot about yourself first. This book is broken into five sections that gradually take you through how to have stronger, lasting relationships with others.
41. The Phoenix Project
Gene Kim, Kevin Behr, and George Spafford
A must for anyone working in IT. It’s a modern spin on Goldratt’s classic, The Goal, that focuses on a new IT executive who is in over his head. Security and compliance issues play a big role in how he works within his business.
43. Image Credits
Bank safe on title slide: By Alvesgaspar (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
Honduran TIGRES soldiers: United States Special Operations Command (Flickr: https://flic.kr/p/qweJtn, CC-BY 2.0)
Longhorn cattle: Evelyn Simak [CC BY-SA 2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons
NORAD: By NORAD (government website) [Public domain], via Wikimedia Commons
Iterative process diagram: By Aflafla1 [CC0], via Wikimedia Commons