My presentation from the 2014 MacIT conference.

1. Essential Security & Risk
Fundamentals
Alison Gianotto

2. Who Am I?
• (Former) CTO/CSO of noise!
• 20 years in IT and software
development!
• Security Incident Response Team
(SIRT) !
• MacIT presenter in 2012!
• Survivor of more corporate
security audits than I care to
remember!
• @snipeyhead on Twitter

4. What is Security?!
Let’s start with what security is not.

5. • Security isn’t a thing you add on at the
end or a project.!
• Security isn’t “But… I have a firewall!”!
• Security isn’t a thing you’re ever “done”
with.
What Security Isn’t!

6. • Security is not the same as compliance.You
can be compliant and not be secure. (Just
ask Target.)!
• Security is not one person in your
organization.!
• Security is not an outsourced consultant
or consulting agency.
What Security Isn’t!

7. • Security is an ongoing group effort. !
• Security is where you start, not where you
finish.!
• Security is understanding and protecting your
valuable assets, information and people. !
• Security is multi-layered (defense-in-depth)
What Security Is!

8. What is Risk?!
Let’s start with what risk is not.

9. • Risk management isn’t something that has to
hinder innovation.!
• Risk management doesn’t have to be boring.!
• Managing risk isn’t one person’s job.!
• Risk isn’t just “hackers”
What Risk !
Management Isn’t!

10. • Risk tolerance is not singular.What
qualified as acceptable risk to your
company will not be the same as
acceptable risk to another company.
What Risk !
Management Isn’t!

11. • Risk management is a tool that helps you make
intelligent, informed decisions.!
• Risk management is your entire team’s
responsibility.!
• Risk is absolutely unavoidable. Being informed
will help you make the best choices for your
organization.
What Risk Management Is!

12. Security CIA Triad!
Confidentiality, Integrity & Availability
• Confidentiality is a set of rules that limits access to information.!
• Integrity is the assurance that the information is trustworthy and
accurate.!
• Availability is a guarantee of ready access to the information by
authorized people.

13. Confidentiality!
Making sure the right people can access sensitive data
and the wrong people cannot.

14. Confidentiality Examples
• Passwords. (boo!)!
• Data encryption (at rest and in
transmission.)!
• Two-factor authentication/
biometrics. (Yay!)!
• Group/user access permissions!
• CorporateVPN!
• IP Whitelisting!
• SSH keys

15. Confidentiality Risk Examples!
• Lack of control over content
your employees put on third-
party servers. (Basecamp, etc.)!
• Lack of control over password
requirements for third-party
vendors.!
• Shared passwords!
• Exploitable scripts uploaded to
web servers.!
• Lost/stolen smartphones, tablets
and laptops!
• Inadequate exit process

16. Confidentiality: Control/Possession!
Do you remain in control of your resources?

17. Control Examples!
1) A software program can be duplicated without the
manufacturer's permission; they are not in control of that software
anymore. *cough* Adobe source code *cough*!
!
2)You know your password, but who and what else has possession
of it, too?

18. Integrity!
Maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle.!
!
Ensures that information is not modified or altered
intentionally or by accident.

19. Integrity Risk Examples!
• Data loss due to hardware
failure (server crash!)!
• Software bug that
unintentionally deletes/modifies
data!
• Data alteration via authorized
persons (human error)!
• Data alteration via unauthorized
persons (hackers)!
• No backups or no way to verify
the integrity of the backups you
have!
• Third-party vendor with
inadequate security

20. Integrity:Authenticity!
How can you be sure that the person you’re talking
to is who he or she claims to be?

21. Availability!
All systems and information resources must be "up
and running" as per the needs of the organization.

22. Availability Risk Examples!
• DDoS attacks!
• Third-party service failures!
• Hardware failures!
• Software bugs!
• Untested software patches!
• Natural disasters!
• Man-made disasters

23. Availability: Utility!
! ! An employee who had encrypted data leaves the company. !
!
! You still have possession of the data, but you do not have the
key to decrypt the contents, so you do not have the use or
utility of it.!

24. Getting Risky
• How bad will it be if this component fails?!
• What other components will this affect if it fails?!
• How likely is it that it will fail?!
• What are the ways it could fail?!
• What can we do in advance to prevent/reduce chances or impact of failure?

25. Getting Risky
• How can we consistently test that this component is healthy?!
• How will we know if it has failed?!
• How can we structure this component to be monitor-able through an external
system? (A status JSON/XML script generated, HTTP status codes, etc -
anything you can attach a status monitor to.)!
• How can we structure this component to fail more gracefully? (Firing an alert
and redirecting instead of 500 error, for example)

26. Risk Matrix Components
• Type!
• Third-Party!
• Dataflow diagram ID!
• Description!
• Triggering Action!
• Consequence of Service Failure!
• Risk of Failure!
• User Impact!
• Method used for monitoring this risk!
• Efforts to Mitigate in Case of Failure!
• Contact info

27. Risk Matrix

28. ThingsYou Can Start Doing
TODAY

29. • Start every project risk-first.!
• Build a clear inventory of surface areas and their value. Get stakeholders
involved.!
• Start using a risk matrix for every major project or product!
• Trust your gut. If something doesn’t look right, it probably isn’t.

30. • Keep your systems as simple as possible. Document them.!
• Don't abstract code/systems if you don’t have to. Premature optimization
is the devil. Build light and refactor as needed.!
• Get to know your user's behavior. Use things like Google Analytics and
heatmapping to understand what users do on your site. Be suspicious if
it changes for no apparent reason.

31. • Increased transparency reduces risk across departments. Consider
devops.!
• Automate EVERYTHING - Casper, DeployStudio, Boxen, etc. (Chef,
Vagrant,Ansible, Salt or Fabric for server management.)!
• If you develop software, automate your deployment and configuration
management. Chatops FTW! !
• Log (almost!) EVERYTHING. Know where your logs are. Use a central
logging server if at all possible.

32. • Always employ the principles of “least privilege.”!
• Rely on role-based groups for OD/AD, email accounts, etc.!
• Consider who has access to your social media accounts. Use an SMMS
to manage access instead of giving out passwords.!
• Consider who has access to third-party services where billing
information is available via account management settings.

33. • Be proactive in educating your company’s staff about security. Measure
results.!
• Teach your users about password security, social engineering!
• Set your users up with a good password manager like LastPass or
1Password!
• Always be aware of single points of failure. (“Bus factor”, Maginot Line)

34. • Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)!
• Create a Business Continuity Plan.!
• Create an Incident Response Plan.Test it.!
• Create a Disaster Recovery Plan.TEST IT. (Seriously.)

35. • Give preference to vendors that integrate with your AD/OD.!
• Create a vendor management policy. Insist (and document) that your
vendors comply with your requirements, or find a new vendor. !
• Make sure you understand what happens when third-party services fail
or behave unexpectedly.

36. Thank you!
Alison Gianotto!
snipe@snipe.net!
@snipeyhead!