EVADE THE BREACHBY CHANGING THE WAY YOU THINK ABOUT INFORMATION SECURITY

MAJOR HAYDEN RACKSPACE @majorhayden

FOR ACCRUENT INSIGHTS 2014, AUSTIN, TEXAS PHOTO CREDIT: CURTIS GREGORY PERRY [bit.ly/1k5ajws]

ABOUT MAJOR• Born in Austin

• At Rackspace since 2006

• Focused on Linux engineering, software development and information security

• Two kids and four chinchillas

THIS IS A CHINCHILLATHEY ARE AMAZING PETS AND I COULD TALK ABOUT THEM FOR A LONG TIME

AGENDA

Presentation 30 minutes

Q&A 30 minutes

Let's cover some critical concepts

SECURITY ISN'T EASY

YOUR BUSINESS DOESN'T EXIST TO BE SECURE

INSPIRED BY KEITH PALMGREN'S "13 ABSOLUTE TRUTHS OF SECURITY"

SECURITY HAS NO FINISH LINE

INSPIRED BY KEITH PALMGREN'S "13 ABSOLUTE TRUTHS OF SECURITY"

Reports that say...that something hasn't happened are always interesting to me,

because as we know, there are known knowns;

!there are things that we know that we know. We also know there are known unknowns;

!that is to say

we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.

—Donald Rumsfeld, United States Secretary of Defense

PUBLIC DOMAIN PHOTO BY THE UNITED STATES ARMY

THREE DEFENSIVE LAYERS

PreventativeMake yourself a hard target

DetectiveKnow when danger is on your doorstep

CorrectiveRemove the threat and repair the damage

PR

OC

ES

S IM

PR

OV

EM

EN

T

!F

EE

DB

AC

K L

OO

P

We can apply these layers to something

we all know well

How do we protect our homes?

PHOTO CREDIT: DPREVITE [bit.ly/1mC8QBi]

PHOTO CREDIT: DPREVITE [bit.ly/1mC8QBi]

We lock our doors

We put our lights on timers

We close the blinds

We install security cameras

We join the neighborhood watch

We set our security alarm

We have our alarm monitored

We buy homeowner's insurance

!

We buy firearms**

PHOTO CREDIT: DPREVITE [bit.ly/1mC8QBi]

We lock our doors

We put our lights on timers

We close the blinds

We install security cameras

We join the neighborhood watch

We set our security alarm

We have our alarm monitored

We buy homeowner's insurance

!

We buy firearms

PREVENTATIVE

PHOTO CREDIT: DPREVITE [bit.ly/1mC8QBi]

We lock our doors

We put our lights on timers

We close the blinds

We install security cameras

We join the neighborhood watch

We set our security alarm

We have our alarm monitored

We buy homeowner's insurance

!

We buy firearms

DETECTIVE

PHOTO CREDIT: DPREVITE [bit.ly/1mC8QBi]

We lock our doors

We put our lights on timers

We close the blinds

We install security cameras

We join the neighborhood watch

We set our security alarm

We have our alarm monitored

We buy homeowner's insurance

!

We buy firearms

CORRECTIVE

You now know two other concepts

DEFENSE IN DEPTHASSUME THE WORST AND BUILD LAYERS OF DEFENSE

PHOTO CREDIT: SZEKE [bit.ly/1mxjkzl]

RISK MANAGEMENTINVEST YOUR TIME SPENT ON SECURITY WISELY

PHOTO CREDIT: LORENZOCLICK [bit.ly/1f40rns]

Do your third party vendors invest in

security as much as you do?

How will you know for sure?

IT'S NOT EASY

PHOTO CREDIT: KEVIN DOOLEY [bit.ly/1ri0hej]

Let's review the facts

"Target gave network access to a third-party

vendor, a small Pennsylvania HVAC

company, which did not appear to follow broadly accepted

information security practices. The vendor’s weak security allowed

the attackers to gain a foothold

in Target’s network."

"Target appears to have

failed to respond to multiple automated

warnings from the company’s

anti-intrusion software that the

attackers were installing malware

on Target’s system."

"Attackers who infiltrated Target’s

network with a vendor credential

appear to have successfully moved from

less sensitive areas of Target’s network to

areas storing consumer data, suggesting that

Target failed to properly isolate its most sensitive

network assets."

"Target appears to have

failed to respond to multiple warnings from the company’s

anti-intrusion software regarding the

escape routes the attackers planned

to use to exfiltrate data

from Target’s network."

What can we learn from the Target breach?

Target's situation isn't unique

to Target

It's your responsibility to insulate yourself from third parties

Continually test your security layers so

you can trust them in an emergency

What about the vendors that

don't show up on your books?

PHOTO CREDIT: CLASPINGWALNUT [BIT.LY/1K5J5DT]

HOW ABOUT THE OPENSSL SOFTWARE

FOUNDATION?

HEARTBLEED: A QUICK SUMMARY

• Small coding error allows attackers to steal chunks of memory from remote servers

• Attackers repeatedly send requests to get different data from the server

• Announcement of the vulnerability was handled extremely poorly

• Much of the internet is still still vulnerable almost a month after the announcements

HEARTBLEED: LESSONS LEARNED

Layer your defenses

Segregate server duties

Make emergency plans

Rackspace has joined many other

companies in support of the Core Infrastructure Initiative

that provides funding for open source projects that

need assistance

LET'S WRAP IT UP

PHOTO CREDIT: TANAKAWHO [bit.ly/1mxiEd3]

Three takeaways:

(Or, if you fell asleep during the last half hour,

here's what I was talking about)

1. Layer your defenses

2. The security of your business is your business

3. Better security requires changes in people, process,

and technology

THANK YOU! !

PHOTO CREDIT: STUCK IN CUSTOMS [bit.ly/1k5nqha]

Blog: major.io Twitter: @majorhayden Email: major.hayden@rackspace.com