Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Business to Hug it Out
1. Building Bridges: Forcing Hackers and Business to "Hug it Out"
Andrew Hay, CISSP, The 451 Group
Chris Nickerson, CISSP, Lares Consulting
2. About
• Andrew Hay
• Senior Analyst, The 451 Group
• Analyst, Author, Speaker, Blogger, and more!
• Chris Nickerson
• Founder & Principal Security Consultant, Lares Consulting
• Red Team and Social Engineering Expert
3. Change Log
• History:
• Started as an argument a discussion at ShmooCon 2010
• Idea to turn whining discussion into a talk from BSidesBoston 2010
• Perfected Presented again at BSidesLasVegas in July 2010
• Perfected at SOURCE Barcelona in November 2010
4. Why Talk About This?
• This talk shouldn't need to exist!
• But the industry obviously needs it
• We're all adults (well, most of us)
• Business leaders should understand their staff
• Employees should understand why the business needs to do
5. Overview
• The View From The Trenches
• The View From The Business
• The Problems
• The Way to Fix The Problem
• Questions?
6. The View From The Trenches
• Management is clueless
• They don't CARE about security
• They will only do the "bare minimum"
• They play golf and waste time in meetings all day
7. The View From The Trenches (continued)
• They don't respond when I show them how important it is
• We…
• Are overworked
• Get all the blame
• Don't get the respect we deserve
8. The View From The Business
• Hackers don't have a clue
• They don't care about the business
• They don't understand the economic challenges
• They surf the Internet and talk to their "friends" on {IRC, Twitter, Newsgroups} all day
9. The View From The Business (continued)
• They don't listen when I tell them how dangerous it is
• We…
• Put in long hours
• Answer to the business stakeholders
• Don't get the respect we deserve
10. The Problems
• Pure Security vs. Business Security
• Cost vs. Completeness
• Scope vs. "Hackers Don't Have Scope"
• Downtime vs. Patch to Secure
• Feature Release vs. Secure Development
• Compromise Disclosure vs. Potential Financial Devastation
• Compliance vs. Security
11. Pure Security vs. Business Security
• View from the trenches
• Security is an ever-changing field / not constrained by dated academic theories
• A secure environment is the goal but never really gonna happen
• It's secure when it can't be hacked
• It requires 24/7 support
12. Pure Security vs. Business Security
• View from the business
• Security is defined by the CIA triad
• Availability (typically) trumps Integrity and Confidentiality
• The cost of operating securely should not be detrimental to the company's bottom line
• The budget cannot be expanded just because there are new threats
13. Cost vs. Completeness
• View from the trenches
• Completeness should be the goal
• Budget should be flexible to accommodate
• We must test ALL devices
• We must look at every level (Network, App, Code, etc.)
• The test/testers you bought SUCK
14. Cost vs. Completeness
• View from the business
• Fixed cost for project / no wiggle room
• Budget dictates the depth, you don't!
• The only things in scope are the machines holding (insert here) <PCI, PHI, etc.> data on them
• I only have to do a Web App test OR Code review, not both. It says it right here in the standard.
15. Scope vs. "Hackers Don't Have Scope"
• View from the trenches
• Scope is a guideline / ROE may need to be adjusted as required
• We will attack any asset that you own. What's on it doesn't matter.
• You must test everything on the box/app, not just what that dumb compliance sheet tells you
• SE is out of scope? WHY? Real
16. Scope vs. "Hackers Don't Have Scope"
• View from the business
• ROE non-negotiable / paid to adhere to scope
• We know what we want tested and what is important for the business
• Scope creep does not benefit the business
• Political ramifications of "testing" our people are a large liability.
17. Downtime vs. Patch to Secure
• View from the trenches
• Patches need to be applied / that's why they're released
• How much revenue will be lost if this threat vector is exploited?
• Patching now may reduce downtime due to breach later
• If you are worried about installing the patch, test it first
• This is stupid, why isn't it automated?
18. Downtime vs. Patch to Secure
• View from the business
• The business can't afford downtime to patch / disrupts business and potential for lost revenue
• Availability is more important than security
• We have a network firewall and desktop AV / should be enough
• Attackers are on the outside
• We are a Hospital/bank/Whatever, we CAN'T go DOWN!
19. Feature Release vs. Secure Development
• View from the trenches
• If we fix it now, we're releasing products that are secure out of the box / don't have to fix later
• Delivery timelines can shift / they're just dates in MS Project
• Saving money by fixing it now. (cite post-release 100x bugfix increase cost)
• "I won't put my name on this *tantrum* *badmouth*"
20. Feature Release vs. Secure Development
• View from the business
• Delaying release may jeopardize our GTM strategy
• Fixes can be applied in a post-release hotfix or in the next minor/major release
• Development & QA time costs money / not a money maker
• May lose money by fixing it now
• Feature profits will fund future security enhancements
21. Compromise Disclosure vs. Potential Financial Devastation
• View from the trenches
• It's our duty to report exploit vectors to the vendors / we'd want others to do the same
• We got hacked, we need to tell our customers.
• YOU are unethical if you don't tell anyone
22. Compromise Disclosure vs. Potential Financial Devastation
• View from the business
• Disclosing weaknesses jeopardizes our business!
• Let someone else report it to the vendors / social responsibility be damned!
• We're in business to make money, not help the vendors fix their problems
• We got hit but no sensitive information was accessed
23. Compliance vs. Security
• View from the trenches
• Compliance IS NOT Security
• Compliance is a byproduct of being secure
• Compliance is stupid and is someone else's problem
• How can one size fit all?
• How does securing 10% of our assets and ignoring the other 90% make us secure?
24. Compliance vs. Security
• View from the business
• Sometimes compliance is the end goal / deemed 'good enough'
• Our customers (who pay your salary) REQUIRE us to be certified
• Achieve compliance, security should follow
• Not enough money for both but higher risk of fines for not being compliant
25. The Way To Fix the Problem
• Some common ground must be found
[Diagram: Business / Hackers / What we need]
26. Business Needs To…
• Understand that…
• Hackers are intelligent people that are responsible enough to be educated on the business and its issues
• Business has a large moving target to keep up with and needs effective direction
• Hackers are their first and last line of defense / They defend your paycheck and require your support
• Provide executive support, understanding, and financial backing for the security team or expect failure
• Security is just like ALL other business units; without those things… they will fail.
27. Hackers Need To…
• Learn more about the business, its operations, and how cost plays into the decision process
• Identify the political challenges and pose their problems/solutions in a manner that fits
• Talk in language that executives understand
• Articulate technical issues in less complex terms
• Pretend you're explaining to your mother
28. Both Need To…
• Learn respect and tolerance for the other's skills and problems
• Recognize that both camps bring valuable information to the table / keep an open mind!
• Realize that neither camp should dictate best practices but rather agree on best practices
• Understand that they have the same goals but start off on opposite sides to get there.
30. Thank you!
Andrew Hay
Senior Analyst, The 451 Group, Enterprise Security Practice
ahay@the451group.com
http://www.the451group.com
http://twitter.com/andrewsmhay
Chris Nickerson
Founder & Principal Security Consultant, Lares Consulting
cnickerson@laresconsulting.com
http://www.laresconsulting.com
http://twitter.com/indi303
http://exoticliability.libsyn.com/