Building Bridges: Forcing Hackers and Business to "Hug it Out"

Andrew Hay, CISSP, The 451 Group
Chris Nickerson, CISSP, Lares Consulting
About

•   Andrew Hay

    •   Senior Analyst, The 451 Group

    •   Analyst, Author, Speaker, Blogger, and more!

•   Chris Nickerson

    •   Founder & Principal Security Consultant, Lares Consulting

    •   Red Team and Social Engineering Expert
Change Log
•   History:

    •   Started as an ~~argument~~ discussion at ShmooCon 2010

    •   Idea to turn ~~whining~~ discussion into a talk from BSidesBoston 2010

    •   ~~Perfected~~ Presented again at BSidesLasVegas in July 2010

    •   Perfected at SOURCE Barcelona in November 2010
Why Talk About This?
•   This talk shouldn't need to exist!

    •   But the industry obviously needs it

•   We're all adults (well, most of us)

•   Business leaders should understand their staff

•   Employees should understand why the business needs to do
Overview

•   The View From The Trenches

•   The View From The Business

•   The Problems

•   The Way to Fix The Problem

•   Questions?
The View From The Trenches
•   Management is clueless

•   They don't CARE about security

•   They will only do the "bare minimum"

•   They play golf and waste time in meetings all day
The View From The Trenches (continued)
•   They don't respond when I show them how important it is

•   We…

    •   Are overworked

    •   Get all the blame

    •   Don't get the respect we deserve
The View From The Business
•   Hackers don't have a clue

•   They don't care about the business

•   They don't understand the economic challenges

•   They surf the Internet and talk to their "friends" on {IRC, Twitter, Newsgroups} all day
The View From The Business
•   They don't listen when I tell them how dangerous it is

•   We…

    •   Put in long hours

    •   Answer to the business stakeholders

    •   Don't get the respect we deserve
The Problems
•   Pure Security vs. Business Security

•   Cost vs. Completeness

•   Scope vs. "Hackers Don't Have Scope"

•   Downtime vs. Patch to Secure

•   Feature Release vs. Secure Development

•   Compromise Disclosure vs. Potential Financial Devastation

•   Compliance vs. Security
Pure Security vs. Business Security
•   View from the trenches
    •   Security is an ever-changing field / not constrained by dated academic theories

    •   A secure environment is the goal but never really gonna happen

    •   It's secure when it can't be hacked

    •   It requires 24/7 support
Pure Security vs. Business Security
•   View from the business
    •   Security is defined by the CIA triad

    •   Availability (typically) trumps Integrity and Confidentiality

    •   The cost of operating securely should not be detrimental to the company's bottom line

    •   The budget cannot be expanded just because there are new threats
Cost vs. Completeness
•   View from the trenches
    •   Completeness should be the goal

    •   Budget should be flexible to accommodate

    •   We must test ALL devices

    •   We must look at every level (Network, App, Code, etc.)

    •   The test/testers you bought SUCK
Cost vs. Completeness
•   View from the business
    •   Fixed cost for project / no wiggle room

    •   Budget dictates the depth, you don't!

    •   The only things in scope are the machines holding (insert here) <PCI, PHI, etc.> data on them

    •   I only have to do a Web App test OR Code review, not both. It says it right here in the standard.
Scope vs. "Hackers Don't Have Scope"
•   View from the trenches
    •   Scope is a guideline / ROE may need to be adjusted as required

    •   We will attack any asset that you own. What's on it doesn't matter.

    •   You must test everything on the box/app, not just what that dumb compliance sheet tells you

    •   SE is out of scope? WHY? Real
Scope vs. "Hackers Don't Have Scope"
•   View from the business
    •   ROE non-negotiable / paid to adhere to scope

    •   We know what we want tested and what is important for the business

    •   Scope creep does not benefit the business

    •   Political ramifications of "testing" our people are a large liability.
Downtime vs. Patch to Secure
•   View from the trenches
    •   Patches need to be applied / that's why they're released

    •   How much revenue will be lost if this threat vector is exploited?

    •   Patching now may reduce downtime due to breach later

    •   If you are worried about installing the patch, test it first

    •   This is stupid, why isn't it automated?
Downtime vs. Patch to Secure
•   View from the business
    •   The business can't afford downtime to patch / disrupts business and potential for lost revenue

        •   Availability is more important than security

    •   We have a network firewall and desktop AV / should be enough

    •   Attackers are on the outside

    •   We are a Hospital/Bank/Whatever, we CAN'T go DOWN!
Feature Release vs. Secure Development
•   View from the trenches
    •   If we fix it now, we're releasing products that are secure out of the box / don't have to fix later

    •   Delivery timelines can shift / they're just dates in MS Project

    •   Saving money by fixing it now. (cite post-release 100x bugfix cost increase)

    •   "I won't put my name on this *tantrum* *badmouth*"
Feature Release vs. Secure Development
•   View from the business
    •   Delaying release may jeopardize our GTM strategy

    •   Fixes can be applied in a post-release hotfix or in the next minor/major release

    •   Development & QA time costs money / not a money maker

    •   May lose money by fixing it now

    •   Feature profits will fund future security enhancements
Compromise Disclosure vs. Potential Financial Devastation

•   View from the trenches
    •   It's our duty to report exploit vectors to the vendors / we'd want others to do the same

    •   We got hacked, we need to tell our customers.

    •   YOU are unethical if you don't tell anyone
Compromise Disclosure vs. Potential Financial Devastation
•   View from the business
    •   Disclosing weaknesses jeopardizes our business!

    •   Let someone else report it to the vendors / social responsibility be damned!

    •   We're in business to make money, not help the vendors fix their problems

    •   We got hit but no sensitive information was accessed
Compliance vs. Security
•   View from the trenches
    •   Compliance IS NOT Security

    •   Compliance is a byproduct of being secure

    •   Compliance is stupid and is someone else's problem

    •   How can one size fit all?

    •   How does securing 10% of our assets and ignoring the other 90% make us secure?
Compliance vs. Security
•   View from the business
    •   Sometimes compliance is the end goal / deemed 'good enough'

    •   Our customers (who pay your salary) REQUIRE us to be certified

    •   Achieve compliance, security should follow

    •   Not enough money for both, but higher risk of fines for not being compliant
The Way To Fix the Problem

•   Some common ground must be found

[Diagram: Business / Hackers / What we need]
Business Needs To…
•   Understand that…
    •   Hackers are intelligent people who are responsible enough to be educated on the business and its issues

    •   Business has a large moving target to keep up with and needs effective direction

    •   Hackers are their first and last line of defense / They defend your paycheck and require your support

•   Provide executive support, understanding, and financial backing for the security team, or expect failure
    •   Security is just like ALL other business units; without those things, it will fail.
Hackers Need To…
•   Learn more about the business, its operations, and how cost plays into the decision process

•   Identify the political challenges and pose their problems/solutions in a manner that fits

•   Talk in language that executives understand
    •   Articulate technical issues in less complex terms

    •   Pretend you're explaining to your mother
Both Need To…

•   Learn respect and tolerance for the other's skills and problems

•   Recognize that both camps bring valuable information to the table / keep an open mind!

•   Realize that neither camp should dictate best practices, but rather agree on best practices

•   Understand that they have the same goals but start off on opposite sides to get there.
Ask yourself 'what have I done to bridge the gap?'

Questions?
Thank you!

Andrew Hay
Senior Analyst, The 451 Group, Enterprise Security Practice
ahay@the451group.com
http://www.the451group.com
http://twitter.com/andrewsmhay

Chris Nickerson
Founder & Principal Security Consultant, Lares Consulting
cnickerson@laresconsulting.com
http://www.laresconsulting.com
http://twitter.com/indi303
http://exoticliability.libsyn.com/
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Kürzlich hochgeladen (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Business to Hug it Out

  • 1. Building Bridges: Forcing Hackers and Business to “Hug it Out” Andrew Hay, CISSP, The 451 Group Chris Nickerson, CISSP, Lares Consulting
  • 2. About • Andrew Hay • Senior Analyst, The 451 Group • Analyst, Author, Speaker, Blogger, and more! • Chris Nickerson • Founder & Principal Security Consultant, Lares Consulting • Red Team and Social Engineering Expert
  • 3. Change Log • History: • Started as an argument a discussion at ShmooCon 2010 • Idea to turn whining discussion into a talk from BSidesBoston 2010 • Perfected Presented again at BSidesLasVegas in July 2010 • Perfected at SOURCE Barcelona in November 2010
  • 4. Why Talk About This? • This talk shouldn't need to exist! • But the industry obviously needs it • We're all adults (well, most of us) • Business leaders should understand their staff • Employees should understand why the business needs to do
  • 5. Overview • The View From The Trenches • The View From The Business • The Problems • The Way to Fix The Problem • Questions?
  • 6. The View From The Trenches • Management is clueless • They don't CARE about security • They will only do the “bare minimum” • They play golf and waste time in meetings all day
  • 7. The View From The Trenches (continued) • They don't respond when I show them how important it is • We… • Are overworked • Get all the blame • Don't get the respect we deserve
  • 8. The View From The Business • Hackers don't have a clue • They don't care about the business • They don't understand the economic challenges • They surf the Internet and talk to their “friends” on {IRC, Twitter, Newsgroups} all day
  • 9. The View From The Business • They don't listen when I tell them how dangerous it is • We… • Put in long hours • Answer to the business stakeholders • Don't get the respect we deserve
  • 10. The Problems • Pure Security vs. Business Security • Cost vs. Completeness • Scope vs. “Hackers Don't Have Scope” • Downtime vs. Patch to Secure • Feature Release vs. Secure Development • Compromise Disclosure vs. Potential Financial Devastation • Compliance vs. Security
  • 11. Pure Security vs. Business Security • View from the trenches • Security is an ever-changing field / not constrained by dated academic theories • A secure environment is the goal but never really gonna happen • It's secure when it can't be hacked • It requires 24/7 support
  • 12. Pure Security vs. Business Security • View from the business • Security is defined by the CIA triad • Availability (typically) trumps Integrity and Confidentiality • The cost of operating securely should not be detrimental to the company's bottom line • The budget cannot be expanded just because there are new threats
  • 13. Cost vs. Completeness • View from the trenches • Completeness should be the goal • Budget should be flexible to accommodate • We must test ALL devices • We must look at every level (Network, App, Code, etc.) • The test/testers you bought SUCK
  • 14. Cost vs. Completeness • View from the business • Fixed cost for project / no wiggle room • Budget dictates the depth, you don't! • The only things in scope are the machines holding (insert here) <PCI, PHI, etc.> data on them • I only have to do a Web App test OR Code review, not both. It says it right here in the standard.
  • 15. Scope vs. “Hackers Don't Have Scope” • View from the trenches • Scope is a guideline / ROE may need to be adjusted as required • We will attack any asset that you own. What's on it doesn't matter. • You must test everything on the box/app, not just what that dumb compliance sheet tells you • SE is out of scope? WHY? Real
  • 16. Scope vs. “Hackers Don't Have Scope” • View from the business • ROE non-negotiable / paid to adhere to scope • We know what we want tested and what is important for the business • Scope creep does not benefit the business • Political ramifications of “testing” our people are a large liability.
  • 17. Downtime vs. Patch to Secure • View from the trenches • Patches need to be applied / that's why they're released • How much revenue will be lost if this threat vector is exploited? • Patching now may reduce downtime due to breach later • If you are worried about installing the patch, test it first • This is stupid, why isn't it automated?
  • 18. Downtime vs. Patch to Secure • View from the business • The business can't afford downtime to patch / disrupts business and potential for lost revenue • Availability is more important than security • We have a network firewall and desktop AV / should be enough • Attackers are on the outside • We are a Hospital/bank/Whatever, we CAN'T go DOWN!
  • 19. Feature Release vs. Secure Development • View from the trenches • If we fix it now, we're releasing products that are secure out of the box / don't have to fix later • Delivery timelines can shift / they're just dates in MS Project • Saving money by fixing it now. (cite post-release 100x bugfix cost increase) • “I won't put my name on this *tantrum* *badmouth*”
  • 20. Feature Release vs. Secure Development • View from the business • Delaying release may jeopardize our GTM strategy • Fixes can be applied in a post-release hotfix or in the next minor/major release • Development & QA time cost money / not a money maker • May lose money by fixing it now • Feature profits will fund future security enhancements
  • 21. Compromise Disclosure vs. Potential Financial Devastation • View from the trenches • It's our duty to report exploit vectors to the vendors / we'd want others to do the same • We got hacked, we need to tell our customers. • YOU are unethical if you don't tell anyone
  • 22. Compromise Disclosure vs. Potential Financial Devastation • View from the business • Disclosing weaknesses jeopardizes our business! • Let someone else report it to the vendors / social responsibility be damned! • We're in business to make money, not help the vendors fix their problems • We got hit but no sensitive information was accessed
  • 23. Compliance vs. Security • View from the trenches • Compliance IS NOT Security • Compliance is a byproduct of being secure • Compliance is stupid and is someone else's problem • How can one size fit all? • How does securing 10% of our assets and ignoring the other 90% make us secure?
  • 24. Compliance vs. Security • View from the business • Sometimes compliance is the end goal / deemed ‘good enough’ • Our customers (who pay your salary) REQUIRE us to be certified • Achieve compliance, security should follow • Not enough money for both, but higher risk of fines for not being compliant
  • 25. The Way To Fix the Problem • Some common ground must be found (diagram labels: Business, Hackers, What we need)
  • 26. Business Needs To… • Understand that… • Hackers are intelligent people that are responsible enough to be educated on the business and its issues • Business has a large moving target to keep up with and needs effective direction • Hackers are their first and last line of defense / They defend your paycheck and require your support • Provide executive support, understanding, and financial backing for the security team or expect failure • Security is just like ALL other business units; without those things… they will fail.
  • 27. Hackers Need To… • Learn more about the business, its operations, and how cost plays into the decision process • Identify the political challenges and pose their problems/solutions in a manner that fits • Talk in language that executives understand • Articulate technical issues in less complex terms • Pretend you're explaining to your mother
  • 28. Both Need To… • Learn respect and tolerance for the other's skills and problems • Recognize that both camps bring valuable information to the table / keep an open mind! • Realize that neither camp should dictate best practices but rather agree on best practices • Understand that they have the same goals but start off on opposite sides to get there.
  • 29. Ask yourself ‘what have I done to bridge the gap?’ Questions?
  • 30. Thank you! • Andrew Hay, Senior Analyst, The 451 Group, Enterprise Security Practice, ahay@the451group.com, http://www.the451group.com, http://twitter.com/andrewsmhay • Chris Nickerson, Founder & Principal Security Consultant, Lares Consulting, cnickerson@laresconsulting.com, http://www.laresconsulting.com, http://twitter.com/indi303, http://exoticliability.libsyn.com/