Puppet Labs Operations alumni.
→ First used Puppet on the 0.26 branch.
→ Has only been in big trouble with the phone company once.
https://twitter.com/skullmandible/status/411281851131523072
— @benjammingh for PuppetConf 2016
→ Reality, and infosec's aversion to it.
→ What to actually focus on, to be more secure, but less hipster.
→ Security myopia and the best being the enemy of the good.
to Infiltrate
→ Vendor Sponsorship. (Note however, it is Black Friday soon www.etsy.com)
→ Me reading out breach reports.
→ Nessus.
of Five Eyes/OPM, this hopefully and somewhat obviously does not apply to you. Also stop listening to funny-haired people who work at yarn websites for your security advice! Smash the 1%, eat the rich!
nmap/zmap looking for mongodb/mssql/etc)
→ Script kiddies (the above, but with a tutorial)
→ Bug Bounties (hand wave 80% of attacks on your website?)
→ Red Teams/Pen tests (every... 6 months? maybe?)
→ Hackers in it for the lols (needs no explanation)
→ Hacktivists (I remain unconvinced these are real)
→ Hacking for profit (not for fun. See China)
"Blackphone 2: 'NSA Proof' Android Phone For Privacy Seekers Now Available For Preorder"
"NSA-proof your e-mail in 2 hours"
"How NSA-Proof Are VPN Service Providers?"
house large DNS provider, DDoS is a really expensive thing, defacement is not as big.
→ A political party website, DDoS is just annoying, defacement could be huge.
having your mail shared with a 'zine is annoying.
→ If you're a presidential candidate, your mail being public could endanger an election.
you or someone else (hi Stripe)
→ PII or other user data.
→ Laptop being stolen (please tell me they're encrypted and passworded...)
→ Annoying people from Lizard Squad on IRC, and suffering a large DDoS.
→ Zerodium had a $1M bounty for full remote end-to-end compromise.
→ Apple's own bug bounty for certain things is in the $100,000s range.
→ Maybe someone in your company has one of these iPhone devices?
dollars you're totally getting owned.
→ if your attacker has $1m spare to spend on just an exploit.
→ and owning you is worth >$1m.
→ oh yeah, and there's no cheaper way to do it.
have financial motives.
→ Defense is about raising those costs.
→ (whilst still allowing your company to continue to make money)
is not new, is not bleeding edge, is not glamorous, but boy howdy it works" - Verizon 2016 Data Breach Investigations Report
you:
→ buy cheap crappy keys but replace your locks in your whole house every month? or
→ buy decent (cough European) locks and not worry about it.
you can guess the others.
→ It'll be written down as it changes all the time.
→ Has much less entropy so they can remember it.
→ Second one is hashcat proof, the first one is not.
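To put numbers on the "much less entropy" point, here is an added Python example (mine, not part of the talk) that estimates the search space a hashcat-style attacker faces for a rotating "Word+Year+Symbol" password versus a random multi-word passphrase, and how long each takes to exhaust at an assumed guess rate. The sample password, the 10,000-word dictionary size, the 7776-entry wordlist size and the 10^9 guesses/second rate are all constructed assumptions for illustration, not figures from the slides.

```python
import math

# Assumption for illustration only: rough order of magnitude for a GPU rig
# attacking a fast, unsalted hash. Slow hashes (bcrypt, scrypt) are far lower.
GUESSES_PER_SECOND = 1e9

# Character-class sizes used by hashcat's built-in masks (?u ?l ?d ?s).
CHARSET_SIZES = {"u": 26, "l": 26, "d": 10, "s": 33}

# Constructed example inputs (not from the talk).
ROTATING_PASSWORD = "Welcome2016!"   # hypothetical: the "2016" becomes "2017" next rotation
PASSPHRASE_WORDS = 4
WORDLIST_SIZE = 7776                 # size of a standard diceware-style word list


def mask_for(password):
    """Derive the hashcat mask that describes the shape of a password."""
    tokens = []
    for c in password:
        if c.islower():
            tokens.append("?l")
        elif c.isupper():
            tokens.append("?u")
        elif c.isdigit():
            tokens.append("?d")
        else:
            tokens.append("?s")
    return "".join(tokens)


def mask_keyspace(mask):
    """Number of candidates a brute-force mask attack would try for this mask."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?u/?l/?d/?s tokens")
    total = 1
    for i in range(1, len(mask), 2):
        total *= CHARSET_SIZES[mask[i]]
    return total


def pattern_keyspace(words=10000, capitalizations=2, years=100, symbols=33):
    """Search space when the attacker knows the 'Word+Year+Symbol' habit and uses
    a dictionary plus rules instead of brute force (assumed slot sizes)."""
    return words * capitalizations * years * symbols


def passphrase_keyspace(word_count, wordlist_size=WORDLIST_SIZE):
    """Search space for word_count words chosen uniformly from a public word list.
    The attacker is assumed to know the list; only the random choices count."""
    return wordlist_size ** word_count


def bits(keyspace):
    """Entropy in bits, i.e. log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def days_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace / rate / 86400


def compare(password=ROTATING_PASSWORD, word_count=PASSPHRASE_WORDS):
    """Summarise brute-force, pattern-aware, and passphrase search spaces."""
    mask = mask_for(password)
    results = {
        "mask": mask,
        "brute_force_bits": bits(mask_keyspace(mask)),
        "pattern_bits": bits(pattern_keyspace()),
        "passphrase_bits": bits(passphrase_keyspace(word_count)),
        "pattern_days": days_to_exhaust(pattern_keyspace()),
        "passphrase_days": days_to_exhaust(passphrase_keyspace(word_count)),
    }
    return results


if __name__ == "__main__":
    r = compare()
    print(f"mask for {ROTATING_PASSWORD!r}: {r['mask']}")
    print(f"naive brute force:        {r['brute_force_bits']:.1f} bits")
    print(f"pattern-aware dictionary: {r['pattern_bits']:.1f} bits, "
          f"exhausted in {r['pattern_days'] * 86400:.2f} s")
    print(f"{PASSPHRASE_WORDS}-word passphrase:        {r['passphrase_bits']:.1f} bits, "
          f"exhausted in {r['passphrase_days']:.0f} days")
```

The point the numbers make is that the rotating password looks strong under a naive brute-force model (about 51 bits for this mask) but collapses to roughly 26 bits once the attacker models the habit, which is seconds of work at the assumed rate; a four-word passphrase is about 52 bits even against an attacker who has the word list, and each extra word adds another 13 bits, so it does not need to rotate.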
tie in to Duo to be a second factor.
→ no more having to find your phone (I know, life is hard...)
→ Can also generate & store SSH/GPG RSA keys.
→ Now have U2F/FIDO for, well, Dropbox, GitHub, and Google
want to sell you.
→ 99% of people entering details vs. 9% of people entering details isn't all that helpful.
→ (But still try to reduce it)
leet security team who talk down to people when they report a phishing email. That will be the last time they bother to report anything to you.
people will just do it anyway.
→ "Shadow" teams spin up, and just avoid all your safeguards.
→ you block all outbound traffic bar the proxy, someone will run corkscrew.
not most skilled down.
→ Be realistic about your threat model.
→ Whilst it's cool to defend against people with bigger budgets, actually defending is better than trying and failing.
exciting maybe wins.
→ Yes, you won't get a BlackHat talk out of them, but you will be more secure.
→ Attackers want to win; defenders can definitely win if they pick the right fight.