Ein Security Bitte

Transcript

1. Building Better Castles Ben Hughes Etsy @benjammingh

2. @benjammingh Building better sand castles • I work at Etsy,

   yes that Etsy. • Yes we have a seemingly large security team. • We do “some” webops, arguably devops some days too. • My German is terrible. • No one cares about this slide.

3. @benjammingh Building better sand castles • Intro (we’re here) •

   Users/laptops/the two people with “workstations”. • Servers/systems. • Data - that small topic. • Conclusions

4. @benjammingh Securing laptops (and users)

5. The landscape has changed. https://www.flickr.com/photos/andraspasztor

6. The landscape has changed. https://www.flickr.com/photos/andraspasztor

7. None

8. What? ! That’s an advert ! A paid advert !

   For “TextWrangler”?!

9. Sink holes!

10. None

11. IPv6 (it’s big outside of America)

12. @benjammingh Building better sand castles • http://labs.neohapsis.com/2013/07/30/picking-up-the- slaac-with-sudden-six/ • http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/

    configuration/15-2mt/ip6-15-2mt-book/ip6-ra- guard.html • http://resources.infosecinstitute.com/slaac-attack/ • https://github.com/Neohapsis/suddensix

13. @benjammingh Building better sand castles Oprah says “And you get

    an IDS….” • On most desktop OSes (Linux/ OSX/Windows… I have no idea about Windows) you can use the firewall like an IDS. • PF example: pass log quick proto { tcp, udp } to any port { 6881, 31337, $badport }

14. Servers! https://www.flickr.com/photos/stalker_cz/

15. Patching…

16. https://twitter.com/TimDenike/status/162973991034826752

17. https://www.blackhat.com/docs/eu-14/materials/eu-14-Kemerlis-Ret2dir-Deconstructing-Kernel-Isolation.pdf

18. None

19. @benjammingh Building better sand castles Uptime security solutions!

20. @benjammingh Building better sand castles Uptime security solutions! • SELinux

    - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/

21. @benjammingh Building better sand castles Uptime security solutions! • SELinux

    - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/ • grsecurity - set of hardening patches to Linux. • http://grsecurity.net/features.php

22. @benjammingh Building better sand castles Uptime security solutions! • SELinux

    - ‘setenforce 0’ as it’s also known as. • http://stopdisablingselinux.com/ • grsecurity - set of hardening patches to Linux. • http://grsecurity.net/features.php • Ksplice - https://www.ksplice.com/ scariest fix ever.

23. @benjammingh Building better sand castles • There will always be

    un-patched machines. Realities of the situation:

24. @benjammingh Building better sand castles • There will always be

    un-patched machines. • Breeches will occur. Realities of the situation:

25. @benjammingh Building better sand castles • There will always be

    un-patched machines. • Breeches will occur. • Knowing they happened is much better than not knowing. Realities of the situation:

26. @benjammingh Building better sand castles Bundesdatenschutzgesetz warning!

27. None

28. @benjammingh Building better sand castles • Linux kernel auditd events.

    • http://people.redhat.com/sgrubb/audit/ (driest page ever) • Mangled with some python because auditd is awful. • (will open source this, once the bugs are out. Pinkie swear) • Use Mozilla’s https://github.com/mozilla-it/audit-cef • Pay https://www.threatstack.com/ if you “Cloud”. • Throw in ELK/syslog/giant file to grep through.

29. @benjammingh Building better sand castles More awesome auditd stuff purely

    for people downloading the slides: • http://security.blogoverflow.com/2013/01/a-brief- introduction-to-auditd/ • http://blog.threatstack.com/labs/2014/8/21/threat-stack- vs-redhat-auditd-showdown • http://www.slideshare.net/MarkEllzeyThomas/

30. https://www.flickr.com/photos/jdhancock Data

31. Backups

32. @benjammingh Building better sand castles • Don’t ship your DB

    backups off unencrypted. • Don’t use symmetric encryption, because the key will live with the backup (probably). Backups

33. Canaries

34. @benjammingh Building better sand castles • Put obvious “fake” data

    in data stores, use IDS to detect them in places they should never go. “Animal sentinel”

35. @benjammingh Building better sand castles • Put obvious “fake” data

    in data stores, use IDS to detect them in places they should never go. • Operational uses too. Spotting non-TLS LDAP traffic. “Animal sentinel”

36. @benjammingh Building better sand castles • Put obvious “fake” data

    in data stores, use IDS to detect them in places they should never go. • Operational uses too. Spotting non-TLS LDAP traffic. • Load Balancer Canary “Animal sentinel”

37. To Conclude

38. @benjammingh Building better sand castles • Laptops/users trust the environment.

    This isn’t always good. Conclusions

39. @benjammingh Building better sand castles • Laptops/users trust the environment.

    This isn’t always good. • Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel. Conclusions

40. @benjammingh Building better sand castles • Laptops/users trust the environment.

    This isn’t always good. • Servers don’t have to run so blindly, there’s a wealth of information in the Linux kernel. • Be careful with data. Help it be careful with you. Conclusions

41. @benjammingh Building better sand castles Questions? (Hah! As if we

    have time…) https://www.codeascraft.com/ https://github.com/etsy/ https://www.etsy.com/