Why We Can't Have Nice Things, A Tale of Woe and a Hope For the Future
9 likes4,829 views
The document discusses the challenges posed by new technologies that, while improving team efficiency, also introduce security vulnerabilities. It emphasizes the importance of recognizing risk factors and maintaining security practices in development environments. Additionally, it advocates for a culture of security awareness, highlighting the significance of protecting sensitive data and verifying system access.
Why We Can't Have Nice Things, A Tale of Woe and a Hope For the Future
- 1. Why We Can’t Have Nice Things A Tale of Woe, and Hope for the Future Pete Cheslock @petecheslock
- 8. Pete Cheslock Not an InfoSec Twitters: @petecheslock theshipshow.com threatstack.com
- 9. – President Josiah Bartlet "The most costly disruptions always happen when something we take completely for granted stops working for a minute."
- 10. @petecheslock
- 11. @petecheslock
- 12. @petecheslock
- 13. @petecheslock
- 14. @petecheslock
- 15. @petecheslock
- 16. @petecheslock
- 17. @petecheslock
- 18. @petecheslock
- 19. @petecheslock It’s time that we recognize that all these new tools which are helping to enable our teams to work so well are also introducing new attack vectors.
- 20. @petecheslock risk = (threat) x (probability) x (business impact) http://sysadvent.blogspot.com/2014/12/day-24-12-days-of-secdevops.html - Jen Andre
- 21. @petecheslock What data are you sending? What happens if that system is compromised?
- 22. @petecheslock WE TAKE SECURITY SERIOUSLY http://blog.b3k.us/2012/01/24/some-rules.html “These are not features: Security, Availability, Performance.” - Benjamin Black
- 23. @petecheslock
- 24. @petecheslock
- 25. @petecheslock
- 26. @petecheslock https://github.com/codahale/sneaker https://vaultproject.io https://github.com/square/keywhiz https://github.com/LuminalOSS/credstash https://github.com/oleiade/trousseau - Storing sensitive data https://github.com/cloudflare/redoctober - High value secrets https://github.com/jschauma/jass - really helpful tool for sharing of secrets using SSH keys.
- 27. @petecheslock
- 28. @petecheslock
- 29. @petecheslock Keep It Simple Skip the ITIL IR Plan for now
- 31. @petecheslock
- 32. @petecheslock
- 33. @petecheslock
- 34. @petecheslock
- 35. @petecheslock “FWIW, I have most of a sub-key implementation done, but that still won’t solve your problem, as it will be years before that implementation is widely deployed…”
- 36. @petecheslock Compile your Source Build a Package Sign the Package Test the Package Deploy the Package You can’t hate the curl bash and be OK deploying from Github
- 38. @petecheslock
- 39. @petecheslock
- 40. @petecheslock
- 42. @petecheslock
- 43. @petecheslock Safe Access to Production
- 44. @petecheslock – Mark Burgess “Every time someone logs onto a system interactively, they compromise everyone's knowledge of that system”
- 46. @petecheslock auditd + OSSEC …and SELinux http://stopdisablingselinux.com/
- 47. @petecheslock Controlled Access Protection Profile http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf Labeled Security Protection Profile http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf National Industrial Security Program Operating Manual (NISPOM) http://www.fas.org/sgp/library/nispom.htm Security Technical Implementation Guides http://iase.disa.mil/stigs/Pages/index.aspx
- 49. @petecheslock
- 50. @petecheslock
- 51. @petecheslock Start Small Identify High Risks
- 52. @petecheslock Security Culture is People
- 53. @petecheslock
- 54. @petecheslock