rafal m. los wh1t3 rabbit - ultimate hack - layers 8 & 9 of the osi model - atlseccon2011
TRANSCRIPT
Ultimate Hack
Rafal M. Los ...aka "Wh1t3Rabbit"
AtlSecCon – March 2011
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes
here
Manipulating Layers 8 & 9 [Management & Budget] of the OSI Model
Hi …I'm the Wh1t3 Rabbit
Twitter: "Wh1t3Rabbit"
Blog: http://hp.com/go/white-rabbit
Practical Experience?
•IT since 1995
•InfoSec since 1999
•Built & led AppSec Program in Fortune 100
•More years doing than talking
(seriously)
Rules for this talk
1. Participate
2. Share your thoughts
3. If you share, be honest with your answers
4. There is an assignment at the end…
CAUTION: The contents in this talk may make you uncomfortable as an information security professional.
A riddle:
What does an Information Security team DO?
Does senior management respect and support Information Security's vision & efforts?
…or just deal with you?
(what we tell ourselves)
Our Goal as InfoSec Professionals
•“secure the business”
•“reduce risk”
•“deploy security measures”
•“protect the company”
•“keep threats out”
When management hears this…
Our Goal as InfoSec Professionals
•“secure the business” from what?
•“reduce risk” of what?
•“deploy security measures” why?
•“protect the company” from what?
•“keep threats out” of where? (and why?)
“the secret layers”
Layers 8 & 9
Management
necessary for…
•Organizational buy-in
•Push change from the top
•Create shift in policy & culture
•Credibility
Budget
necessary for…
•Required for staff, gear
•Persuasion
•Education
•Seed effort
So … you NEED Management & Budget
…but how do you manipulate them to your ends?
Getting what you want at
Layers 8 & 9
My 7 Secrets to Success
What does your business do?
Align to the Business
Objective
Understand completely and comprehensively what your organization does, how it makes money, and how it evolves.
Go work as a business analyst
Walk a mile...
Objective
If you want to understand why business analysts do strange/insecure things, go be one of them for a while.
Rewards balance consequences
Carrot & Stick
Objective
Neither rewards nor consequences alone will reach your ends; a sane balance must be found between the push and pull of your security goals.
Segment your security practice
Advisory vs. Operations
Objective
Separate out the 'advise' from the 'do' parts of Information Security to achieve higher credibility and better resource utilization.
Meet your new best friends
Risk, Compliance, Legal
Objective
Align with the 3 most powerful parts of any organization; adopt their methods and leverage each other's capabilities and expertise.
Business must need it
Business-driven 'security'
Objective
Allow your business to come to the conclusion that it requires your assistance to meet business goals and customer demands.
“Just sign here to accept risk”
Leverage Accountability
Objective
Few things are more powerful than the risk of being held accountable for your actions; advise on risk and allow a business owner to accept that risk with a simple signature.
They've worked for me, they may work for you
These are my secrets to succeeding
Try this at home ...but make sure you are rational.
• There is no silver bullet, we're not baking cookies
• Every organization is different, approaches vary
– Some assembly required, batteries not included
– No warranties, no returns