Building a Security Culture at Skyscanner (2016)

Security in the Internet Economy: How to go from nothing to something! @StuHirstInfosec

Uploaded by stu-hirst, posted 15 Apr 2017

TRANSCRIPT


My Background
- 12 years as a mainframe COBOL guy
- 1 year in the music industry
- 3 years at The Trainline, where I moved into security
- Now the IT Security Manager / Squad Lead at Skyscanner

Skyscanner background
- One of the world's leading travel search engines, formed in 2003
- Over 3 million hits a day
- Flights, Hotels, Car Hire, Mobile apps
- Powering MSN's Flight Search, plus Yahoo Japan JV
- Over 30 versions of the site around the globe
- Offices in Edinburgh, Glasgow, Miami, Beijing, Singapore, Shenzhen, Budapest, Sofia, Barcelona, London
- 100 employees in 2012, 800+ now!

Skyscanner Security in 2013

Skyscanner Security in 2014

Skyscanner Security in 2015

Skyscanner Security in 2016

Squads and Tribes

Squads (Flights Search, Car Hire iOS, Hotels Android etc.)
Nearly 100 Squads across the business!

- Are cross-functional teams, usually around 3-6 people: essentially a mini start-up
- They look after specific parts of the Skyscanner product
- Establish & improve their own processes and use their own technologies: self-sufficient

DevSecOps? SecDevOps? OpsSec for Dev? Oh come on.. Security in Development

I'm a developer
Q. How many of our recent engineering recruits had heard of the OWASP Top 10?
A. Less than 30%

DevOps & Security: NOT

We don't exist to clean up the mess from Developers; it's a combined effort. Security inbuilt in the DevOps process.

So what have we done? (We don't re-invent the wheel!)

Security engineering

Some Security measures are reasonably pointless.

Two-factor

Two-Factor All The Things
- VPN
- Windows / Mac login
- Web portals
- Apps

User Data

Implemented new MINIMUM STANDARDS for user data. Privacy BY DESIGN! Examples:
- Only stored in agreed places (e.g. AWS)
- Minimum encryption levels when transferring
- Same for data at rest
- Only using TLS
- Get rid of old ciphers
- Segment the network
- Tighten up access controls to the data
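The "only using TLS" and "get rid of old ciphers" standards are easy to state and easy to drift from, so here is an added example of a check that enforces them (not Skyscanner's code): it reads nginx-style `ssl_protocols` / `ssl_ciphers` / `ssl_prefer_server_ciphers` directives and reports anything below the standard. Both configs are constructed, one permissive and one corrected, and the accepted-protocol set and weak-token list are assumptions chosen to illustrate the check.

```python
"""Audit a TLS configuration against the slide's minimum standards:
TLS 1.2+ only and no retired ciphers. Added example, not Skyscanner code;
directive names are nginx's, the two configs and the marker lists are
assumptions made for illustration."""
import re

# Protocol versions the (assumed) standard accepts.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Cipher-string tokens that pull in ciphers most standards have retired.
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXP", "EXPORT",
                      "LOW", "MEDIUM", "SSLv3", "aNULL", "eNULL"}

# Constructed: the permissive kind of config the slide wants replaced.
LEGACY_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL;
"""

# Constructed: the corrected config (TLS 1.2+, AEAD suites with forward secrecy).
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
"""


def parse_directives(config):
    """Map each ssl_* directive to its whitespace-separated arguments."""
    directives = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", config, re.M):
        directives[m.group(1)] = m.group(2).split()
    return directives


def audit(config):
    """Return a list of findings; an empty list means the config meets the standard."""
    d = parse_directives(config)
    findings = []
    for proto in d.get("ssl_protocols", []):
        if proto not in ACCEPTED_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    cipher_string = ":".join(d.get("ssl_ciphers", []))
    for token in cipher_string.split(":"):
        if token.startswith("!"):       # "!aNULL" is an exclusion, not an inclusion
            continue
        # Split "DES-CBC3-SHA" into its components so "DES" is matched exactly
        # (substring matching would also hit "AES").
        for part in re.split(r"[-+]", token.lstrip("+-")):
            if part in WEAK_CIPHER_TOKENS:
                findings.append(f"weak cipher token: {token}")
                break
    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("server cipher preference not enforced")
    return findings


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

The check is deliberately static: it flags what the configuration permits, not what a given OpenSSL build happens to compile in, so the same result comes out in CI and on the server.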

Two-factor

Password solutions

LOTS of options!!!

For individual use / team use

Anti-malware / Endpoint Protection

What we do: Security Champions

AWS

HUGE learning curve! Security have had to learn about the whole product, not just the security aspects: EC2 instances, Container Service, Elastic Beanstalk, Lambda, Glacier, DynamoDB etc.
We're now preparing training courses for AWS Best Practice in Security, based on the CIS Benchmark Standards and using info from the various White Papers available and content from the 2015 re:Invent conference.

What we do: Code Voyagers / Ignition

1-hour specific induction sessions with all new engineers, focusing on secure development: OWASP Top 10, trends

What we do: Security Meet Up

Community. Sharing ideas.

Employee behaviour (blog post)

Phishing part 1: Actually investigate them!

- If there's a link, debug it: where is it going?
- If an attachment, what does it do? Does it look to download a payload? If so, block the IPs on your firewall
- Check anti-virus to see if it's been picked up
- Use a malware sandbox
- Strip the malware apart & understand what it's doing
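The first two steps of that list, carried out on a copy of the message rather than by clicking anything, as an added example (not Skyscanner's tooling): pull every link out of the body and compare where it says it goes with where it actually goes, then list the attachments and hash them so the hash can be checked against anti-virus or a sandbox service. The sample message is constructed (RFC 5737 test address 203.0.113.5 and example.com names), and the risky-extension list and the link heuristics are assumptions chosen to illustrate the triage.

```python
"""Triage one suspected phishing email: where do its links really go, and
what is attached? Added example, not Skyscanner code; the message, the
extension list and the link heuristics are constructed for illustration."""
import email
import hashlib
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types that commonly carry a first-stage payload (assumed list).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso",
                    ".docm", ".xlsm", ".zip"}
# Visible link text that itself looks like a URL or hostname.
_HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/:]|$)", re.I)

# Constructed sample: the visible text claims the intranet, the href goes to a
# raw IP, and a macro-enabled document is attached.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example.com>
To: someone@example.com
Subject: Password expiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Log in at
<a href="http://203.0.113.5/login">https://intranet.example.com</a>
to keep your account.</p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(href, text):
    """Reasons a link deserves a closer look before anyone follows it."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) hostname")
    shown = _HOSTLIKE.match(text)
    if shown and shown.group(1).lower() != host.lower():
        reasons.append(f"visible text says {shown.group(1)} but link goes to {host}")
    if parsed.scheme != "https":
        reasons.append("not https")
    return reasons


def triage(raw_message):
    """Return links (with findings) and attachments (with SHA-256) for one email."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {"from": str(msg["From"]), "links": [], "attachments": []}
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(content)
            links = collector.links
        else:  # plain text: the URL is its own visible text
            links = [(u, u) for u in re.findall(r'https?://[^\s<>"]+', content)]
        for href, text in links:
            report["links"].append({"href": href, "text": text,
                                    "flags": link_findings(href, text)})
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        report["attachments"].append({
            "name": name,
            # The hash is what you look up against AV / sandbox verdicts; nothing is executed.
            "sha256": hashlib.sha256(data).hexdigest(),
            "risky_type": ext in RISKY_EXTENSIONS,
        })
    return report
```

Running `triage(SAMPLE_EML)` flags the single link three times (raw IP, display text does not match the destination, not HTTPS) and reports the `.docm` attachment with its SHA-256, which is the value to check in anti-virus or a sandbox before anyone opens the file.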

Phishing: It's OPEN SOURCE! It's EASY!

What we do: Bug Bounties
Let's be safe, let's get a CREST registered Pen Tester to test us.
Why don't you get the public to test you? They're the ones that'll be hacking you.

IN ONE WEEK OF A BUG BOUNTY PROGRAM, WE HAD OVER 150 SUBMISSIONS FROM 49 TESTERS

What we do: Bug Bounties (cont.)
- Why not take the main bugs found and learn how to replicate them and test against them in the future?
- Teach your engineers / devs to do the same
- Share the knowledge / the love / the beer
- Any reasonable security analyst should be able to test for a SQL Injection and an XSS vulnerability; plenty of online training resources to help
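What "replicate them and test against them in the future" can look like for the two bug classes the slide names, as an added example (not Skyscanner's code): each is shown as the vulnerable pattern beside its fix, wrapped in a regression check that an engineer can keep in the test suite so the fix is re-proven on every change. The in-memory table, its rows and the probe strings are constructed; the probes are the textbook ones from any OWASP training material.

```python
"""Regression checks for SQL injection and XSS: vulnerable pattern beside
the fix, so a bounty finding stays fixed. Added example, not Skyscanner
code; the table, rows and probes are constructed."""
import html
import sqlite3


def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    """Input is spliced into the SQL text, so a quote in it rewrites the query."""
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def find_user_fixed(conn, name):
    """Parameterised query: the driver sends the value separately from the SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def greeting_vulnerable(name):
    """Untrusted text placed straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def greeting_fixed(name):
    """Escaped for the HTML text context before it reaches the page."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Textbook probes a tester would send; the checks expect the fixed code to treat them as plain data.
SQLI_PROBE = "' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"


def regression_checks():
    """Each entry is True only when the code behaves as the comment says."""
    conn = make_db()
    fixed_greeting = greeting_fixed(XSS_PROBE)
    return {
        # the old code leaks every row for the probe; keep this to prove the test bites
        "sqli_vulnerable_leaks_all_rows": len(find_user_vulnerable(conn, SQLI_PROBE)) == 2,
        "sqli_fixed_returns_nothing": find_user_fixed(conn, SQLI_PROBE) == [],
        "sqli_fixed_still_finds_real_users":
            find_user_fixed(conn, "alice") == [("alice", "alice@example.com")],
        "xss_vulnerable_keeps_tag": "<script>" in greeting_vulnerable(XSS_PROBE),
        "xss_fixed_escapes_tag": "<script>" not in fixed_greeting
                                 and "&lt;script&gt;" in fixed_greeting,
    }


if __name__ == "__main__":
    for check, ok in regression_checks().items():
        print("PASS" if ok else "FAIL", check)
```

Keeping the vulnerable variants alongside the fixed ones is deliberate: a check that cannot fail against the old code does not prove anything about the new code.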

What we do: Announcing failure
Weekly PRODOPS Review. NO BLAME! It's a learning exercise.

What we do: Learning
Cybrary, PluralSight, Twitter, Blogs

Open Source

Facebook, Netflix: wow!

Google RAPPOR

VirusTotal: amazing, use it every day!

What we do (a bit more exciting!): War Games

WAR GAMES! WE SET OURSELVES A TARGET TO HACK OURSELVES FOR 2 DAYS A MONTH

We drain Data Centres and try to DDoS them

We set up spoof wi-fi points and attempt Man In The Middle attacks on company phones

We try to find internal data we shouldn't have access to

AND MORE!

Culture: No fear

This is the moment of my failure and I am not scared

What hasn't gone so well?

What didn't go so well? Static Code Scanning Tool: invested lots of money, doesn't support the latest version of Python

What didn't go so well? Secure Coding Online Training

I'm too busy!!

What didn't go so well? Our first Bug Bounty scheme

They sent me Qualys scans, yay!

Findings/Musings

Stats: Not everything is critical! Simple and quick wins are GOOD wins!

Try and increase the likelihood of an employee telling you about an event or potential attack

Run attack simulations. Break something before someone else does!
FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS. IF YOU GO FROM 48% TO 32% ON FIRE, YOU'RE STILL ON FIRE! (Zane Lackey, ex-Etsy)

Past vs Future: Just because you have done something a certain way in the past doesn't mean it has to be that way in the future

e.g. pen testing vs bug bounty

What next? Focus on what you can do, not necessarily what you'd like to do

Discover your crown jewels. Protect that!

Build defences around real-world attack patterns. Focus on who is going after you!

EMPLOY MORE PEOPLE!

Some thoughts to leave you with

Security Scaremongering

What next? Employ more people! Proactive Security, not Reactive.
A lot of companies are merely performing gap analysis and plugging the gaps (or not!)

At Skyscanner, we've split our strategy into two streams, Product and Corporate, and we identify the major risks for each of those.

What next? Don't lie!

I took on a role where the guy before me had DRASTICALLY under-estimated how far they were from PCI compliance.

If you deal with Boards/Execs, it's better they know the real position, even if it's a sh*t-storm

Some thoughts to take away: Reward people
For making you aware of issues. You feel good, they feel good & they're likely to tell others.

What next? Shout about your successes!
Security is as important as any other business unit, so shout about the successes you have: positive PR across the business

Thank you @stuhirstinfosec

Edinburgh: Quartermile One, 15 Lauriston Place, Edinburgh EH3 9EN
Glasgow: 5th floor, 151-155 St Vincent St, Glasgow G2 5NW
Singapore: No. 08-01&04 & 09-04, 8th floor, Robinson Point, 39 Robinson Rd, Singapore
Beijing: Level 19, Tower E2, Oriental Plaza, No. 1 East Chang An Avenue, Dong Cheng District, Beijing 100738
Miami: 1395 Brickell Ave, Suite 900, Miami, Florida 33131
Barcelona: C/Esteve Terradas, 21, Bajos 3a - 08023 Barcelona, España