Ein Security Bitte

Bea Hughes
October 23, 2014

DevOps Days Berlin 2014

Video at http://vimeo.com/album/3093746/video/110133596

"So you've bought yourselves a top of the line devops appliance. Everything is great. But, from what you've heard from Twitter, the next thing you need is a security. My talk is about the next steps. To get from zero to well at least better than most of the industry.

Security from the application side, the CI/CD side, and the network/infrastructure end. Topics such as

• making builds more trustworthy.
• IDS that isn't a complete waste of €100,000.
• detect XSS with this one weird trick.
• the one firewall per child project.

There'll be humour, cat GIFs and some cool technical ideas."

Transcript

  1. @benjammingh Building better sand castles
     • I work at Etsy, yes that Etsy.
     • Yes we have a seemingly large security team.
     • We do “some” webops, arguably devops some days too.
     • My German is terrible.
     • No one cares about this slide.
  2. • Intro (we’re here)
     • Users/laptops/the two people with “workstations”.
     • Servers/systems.
     • Data - that small topic.
     • Conclusions
  3. • http://labs.neohapsis.com/2013/07/30/picking-up-the-slaac-with-sudden-six/
     • http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-15-2mt-book/ip6-ra-guard.html
     • http://resources.infosecinstitute.com/slaac-attack/
     • https://github.com/Neohapsis/suddensix
  4. Oprah says “And you get an IDS….”
     • On most desktop OSes (Linux/OSX/Windows… I have no idea about Windows) you can use the firewall like an IDS.
     • PF example: pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }
  5-7. Uptime security solutions!
     • SELinux - ‘setenforce 0’ as it’s also known as.
     • http://stopdisablingselinux.com/
     • grsecurity - set of hardening patches to Linux.
     • http://grsecurity.net/features.php
     • Ksplice - https://www.ksplice.com/ scariest fix ever.
  8-10. Realities of the situation:
     • There will always be un-patched machines.
     • Breaches will occur.
     • Knowing they happened is much better than not knowing.
  11. • Linux kernel auditd events.
     • http://people.redhat.com/sgrubb/audit/ (driest page ever)
     • Mangled with some python because auditd is awful.
     • (will open source this, once the bugs are out. Pinkie swear)
     • Use Mozilla’s https://github.com/mozilla-it/audit-cef
     • Pay https://www.threatstack.com/ if you “Cloud”.
     • Throw in ELK/syslog/giant file to grep through.
  12. More awesome auditd stuff purely for people downloading the slides:
     • http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
     • http://blog.threatstack.com/labs/2014/8/21/threat-stack-vs-redhat-auditd-showdown
     • http://www.slideshare.net/MarkEllzeyThomas/
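The "mangled with some python" step from slide 11, as an added example that is not the speaker's (unreleased) code: auditd spreads one event over several lines sharing an audit(TIME:SERIAL) id and hex-encodes EXECVE arguments that contain whitespace, so the records are stitched back together before looking for the slide 5 case, someone running `setenforce 0`. The log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed auditd records: one event per serial, two or three lines each.
# a1 on the second event is hex-encoded because the argument contains a space.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1414065600.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1235 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="setenforce" exe="/usr/sbin/setenforce" key="selinux"
type=EXECVE msg=audit(1414065600.123:4567): argc=2 a0="setenforce" a1="0"
type=CWD msg=audit(1414065600.123:4567):  cwd="/root"
type=SYSCALL msg=audit(1414065601.456:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1236 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="echo" exe="/bin/echo" key="exec"
type=EXECVE msg=audit(1414065601.456:4568): argc=2 a0="echo" a1=68656C6C6F20776F726C64
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw):
    """Quoted EXECVE args are literal; unquoted ones are hex-encoded bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode('utf-8', 'replace')

def parse_audit(text):
    """Stitch the per-line records back into events keyed by audit serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an auditd record (truncated or foreign line)
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        event = events[serial]
        event['time'] = float(ts)
        if rtype == 'EXECVE':
            argc = int(fields['argc'])
            event['argv'] = [decode_arg(fields['a%d' % i]) for i in range(argc)]
        else:
            event[rtype] = {k: v.strip('"') for k, v in fields.items()}
    return dict(events)

def find_selinux_disables(events):
    """Flag every execve that turns SELinux off (setenforce 0 / Permissive).
    Returns (serial, auid, argv); auid is the original login, not the euid."""
    hits = []
    for serial, event in sorted(events.items()):
        argv = event.get('argv', [])
        if len(argv) > 1 and argv[0].rsplit('/', 1)[-1] == 'setenforce' \
                and argv[1].lower() in ('0', 'permissive'):
            hits.append((serial, event.get('SYSCALL', {}).get('auid'), argv))
    return hits
```

Feed it `/var/log/audit/audit.log` and the hits are what you ship to ELK or syslog; the auid survives `sudo`, which is why it is reported instead of uid.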
  13. Backups
     • Don’t ship your DB backups off unencrypted.
     • Don’t use symmetric encryption, because the key will live with the backup (probably).
  14-16. “Animal sentinel”
     • Put obvious “fake” data in data stores, use IDS to detect them in places they should never go.
     • Operational uses too. Spotting non-TLS LDAP traffic.
     • Load Balancer Canary
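The “animal sentinel” idea from slides 14-16, as an added example rather than anything Etsy published: sentinel values are derived per data store with an HMAC (the key `CANARY_KEY` and the store names are constructed placeholders), turned into Snort content rules so the IDS can watch for them leaving the network, and checked offline against two constructed traffic samples.

```python
import hashlib
import hmac

# A sentinel record is a unique, plausible-looking value planted in one data store.
# It has no legitimate reason to appear on the wire, so any IDS hit on it is a leak.
# Deriving values with HMAC lets the IDS regenerate its watch list from the plan.
CANARY_KEY = b'rotate-me-per-environment'   # constructed; never stored next to the data

def make_canary(store, kind):
    tag = hmac.new(CANARY_KEY, f'{store}:{kind}'.encode(), hashlib.sha256).hexdigest()[:12]
    if kind == 'email':
        return f'canary-{tag}@example.com'
    if kind == 'apikey':
        return f'sk_live_{tag}'
    raise ValueError(f'unknown canary kind {kind!r}')

def build_registry(plan):
    """plan: [(store, kind), ...] -> {canary_value: (store, kind)}."""
    return {make_canary(store, kind): (store, kind) for store, kind in plan}

def snort_rules(registry, first_sid):
    """One content-match rule per canary; the msg names the store that leaked."""
    rules = []
    for sid, (value, (store, kind)) in enumerate(registry.items(), first_sid):
        rules.append('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
                     f'(msg:"canary {kind} from {store} leaving the network"; '
                     f'content:"{value}"; nocase; sid:{sid}; rev:1;)')
    return rules

def scan(registry, observations):
    """Offline stand-in for the IDS: observations are (sensor, payload) pairs."""
    alerts = []
    for sensor, payload in observations:
        for value, (store, kind) in registry.items():
            if value in payload:
                alerts.append({'sensor': sensor, 'store': store, 'kind': kind})
    return alerts

# Constructed traffic: an outbound POST carrying the users-db canary, and a clean mail.
SAMPLE_OBSERVATIONS = [
    ('egress-http', 'POST /collect HTTP/1.1\r\n\r\nemail=' + make_canary('users-db', 'email')),
    ('mail-relay', 'Subject: weekly report\r\n\r\nall quiet'),
]
```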
  17-18. Conclusions
     • Laptops/users trust the environment. This isn’t always good.
     • Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel.
     • Be careful with data. Help it be careful with you.
  19. Questions? (Hah! As if we have time…)
     https://www.codeascraft.com/
     https://github.com/etsy/
     https://www.etsy.com/