Security in the Internet Economy: How to go from nothing to something!
@StuHirstInfosec
My Background (@StuHirstInfosec)
12 years as a mainframe COBOL guy
1 year in the music industry
3 years at The Trainline, where I moved into security
Now the IT Security Manager / Squad Lead at Skyscanner
Skyscanner background
One of the world's leading travel search engines, formed in 2003
Over 3 million hits a day
Flights, Hotels, Car Hire, Mobile apps
Powering MSN's Flight Search, plus Yahoo Japan JV
Over 30 versions of the site around the globe
Offices in Edinburgh, Glasgow, Miami, Beijing, Singapore, Shenzhen, Budapest, Sofia, Barcelona, London
100 employees in 2012, 800+ now!
Skyscanner Security in 2013
Skyscanner Security in 2014
Skyscanner Security in 2015
Skyscanner Security in 2016
Squads and Tribes
Squads (Flights Search, Car Hire iOS, Hotels Android etc.)
Nearly 100 Squads across the business!
Are cross-functional teams; usually around 3-6 people, essentially a mini start-up
They look after specific parts of the Skyscanner product
Establish & improve their own processes and use their own technologies: self-sufficient
DevSecOps? SecDevOps? OpsSec for Dev? Oh come on.. Security in Development
I'm a developer
Q. How many of our recent engineering recruits had heard of the OWASP Top 10?
A. Less than 30%
DevOps & Security
NOT
We don't exist to clean up the mess from Developers; it's a combined effort: Security inbuilt in the DevOps process
So what have we done? (We don't re-invent the wheel!)
Security engineering
Some Security measures are reasonably pointless.
Two-factor
Two-Factor All The Things
VPN, Windows / Mac Login, Web portals, Apps
User Data
Implemented new MINIMUM STANDARDS for user data: Privacy BY DESIGN!
Examples:
Only stored in agreed places (e.g. AWS)
Minimum encryption levels when transferring
Same for data at rest
Only using TLS
Get rid of old ciphers
Segment the network
Tighten up access controls to the data
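An added example, not from the talk, of how "Only using TLS" and "Get rid of old ciphers" can be turned into a checkable minimum standard with Python's ssl module; the TLS 1.2 floor and the forward-secret AEAD allow-list are assumptions, since the slide names the goal rather than the exact list.

```python
import ssl

# Assumed minimum standard (the talk names the goal, not the cipher list):
# TLS 1.2 or newer, and only forward-secret AEAD suites.
# Substrings that mark an enabled suite as legacy or broken:
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXP", "ADH", "AECDH")

def legacy_context():
    """The weak setting: whatever the library enables, old protocol floor and all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # every suite OpenSSL will still negotiate
    return ctx

def hardened_context():
    """The corrected setting: TLS 1.2+ floor and an explicit allow-list of suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx

def weak_suites(ctx):
    """Names of enabled suites that the minimum standard forbids outright."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if any(m in c["name"] for m in WEAK_MARKERS))

def non_pfs_suites(ctx):
    """Enabled TLS 1.2 suites without forward secrecy (static RSA key exchange)."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3"
                  and not c["name"].startswith(("ECDHE", "DHE")))

def meets_standard(ctx):
    """True only when the protocol floor and the suite list both satisfy the standard."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and not weak_suites(ctx) and not non_pfs_suites(ctx))
```

Run the two checks against every outbound client configuration you own; any context that fails `meets_standard` is one of the places the old ciphers are still hiding.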
Password solutions
LOTS of options!!!
For individual use / team use
Anti-malware / Endpoint Protection
What we do: Security Champions
AWS
HUGE learning curve!
Security have had to learn about the whole product, not just security aspects: EC2 instances, Container Service, Elastic Beanstalk, Lambda, Glacier, DynamoDB etc.
We're now preparing training courses for AWS Best Practice in Security, based on the CIS Benchmark Standards and using info from the various White Papers available and content from the 2015 re:Invent conference
What we do: Code Voyagers / Ignition
1 hour specific induction sessions with all new engineers
Focusing on secure development
OWASP Top 10
Trends
What we do: Security Meet Up
Community
Sharing Ideas
Employee behaviour (blog post)
Phishing part 1: Actually investigate them!
If there's a link, debug it: where is it going?
If an attachment, what does it do? Does it look to download a payload? If so, block the IPs on your firewall
Check anti-virus to see if it's been picked up
Use a malware sandboxer
Strip the malware apart & understand what it's doing
Phishing: It's OPEN SOURCE! It's EASY!
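The "debug the link, where is it going?" step above, as an added example that is not part of the talk: it pulls every link out of a suspicious HTML message and reports the usual tells (a raw IP, a lookalike of your own domain, a redirector wrapping the real target, visible text that does not match the href). The sample message and the `TRUSTED_DOMAINS` set are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs, unquote
TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own domains
# Constructed sample message; every host is a documentation/placeholder value.
SAMPLE_EMAIL = """<p>Account locked. <a href="http://198.51.100.23/login">verify now</a></p>
<p>Or <a href="https://example.com.evil-placeholder.test/x">https://example.com/reset</a></p>
<p><a href="https://go.example.com/r?url=https%3A%2F%2Fevil-placeholder.test%2Fp">help</a></p>
<p><a href="https://example.com/support">support</a></p>"""
class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def final_destination(url):
    """Unwrap one level of ?url=... style redirector so we see the real target."""
    qs = parse_qs(urlparse(url).query)
    wrapped = next((qs[k][0] for k in ("url", "redirect", "target", "u") if k in qs), None)
    return unquote(wrapped) if wrapped else url
def analyse_links(html):
    """Return {href: [reasons]} for every link that deserves a closer look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        dest = final_destination(href)
        host = (urlparse(dest).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
        reasons = []
        if dest != href:
            reasons.append("redirector unwrapped to " + dest)
        if host.replace(".", "").isdigit():  # bare IPv4 address, no hostname at all
            reasons.append("raw IP address instead of a hostname")
        if not trusted and any(d in host for d in TRUSTED_DOMAINS):
            reasons.append("lookalike of a trusted domain")
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown.lower() != host:
            reasons.append("visible text says " + shown + " but goes to " + host)
        if reasons:
            findings[href] = reasons
    return findings
```

Feed it the HTML part of the reported message; anything it flags is what to hand to the sandbox and the firewall steps that follow, without anyone having clicked.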
What we do: Bug Bounties
"Let's be safe, let's get a CREST registered Pen Tester to test us"
Why don't you get the public to test you? They're the ones that'll be hacking you
IN ONE WEEK OF A BUG BOUNTY PROGRAM, WE HAD OVER 150 SUBMISSIONS FROM 49 TESTERS
What we do: Bug Bounties (cont.)
Why not take the main bugs found and learn how to replicate them and test against them in the future?
Teach your engineers / devs to do the same
Share the knowledge / the love / the beer
Any reasonable security analyst should be able to test for a SQL Injection and an XSS vulnerability; plenty of online training resources to help
What we do: Announcing failure
Weekly PRODOPS Review
NO BLAME! It's a learning exercise
What we do: Learning
Cybrary, PluralSight, Twitter, Blogs
Open Source
Facebook, Netflix: wow!
Google RAPPOR
VirusTotal: amazing, use it every day!
What we do (a bit more exciting!): War Games
WAR GAMES!
WE SET OURSELVES A TARGET TO HACK OURSELVES FOR 2 DAYS A MONTH
We drain Data Centres and try to DDoS them
We set up spoof wi-fi points and attempt Man In The Middle attacks on company phones
We try to find internal data we shouldn't have access to
AND MORE!
Culture: No fear
This is the moment of my failure and I am not scared
What hasn't gone so well?
What didn't go so well?
Static Code Scanning Tool: invested lots of money, doesn't support the latest version of Python
What didn't go so well?
Secure Coding Online Training
"I'm too busy!!"
What didn't go so well?
Our first Bug Bounty scheme
They sent me Qualys scans, yay!
Findings/Musings
Stats
Not everything is critical!
Simple and quick wins are GOOD wins!
Try and increase the likelihood of an employee telling you about an event or potential attack
Run attack simulations. Break something before someone else does!
FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS
IF YOU GO FROM 48% TO 32% ON FIRE, YOU'RE STILL ON FIRE! (Zane Lackey, ex-Etsy)
Past vs Future
Just because you have done something a certain way in the past doesn't mean it has to be that way in the future
e.g. pen testing vs bug bounty
What next?
Focus on what you can do, not necessarily what you'd like to do
Discover your crown jewels. Protect that!
Build defences around real-world attack patterns. Focus on who is going after you!
EMPLOY MORE PEOPLE!
Some thoughts to leave you with
Security Scaremongering
What next?
Employ more people!
Proactive Security, not Reactive
A lot of companies are merely performing gap analysis and plugging the gaps (or not!)
At Skyscanner, we've split our strategy into two streams, Product and Corporate, and we identify the major risks for each of those
What next?
Don't lie!
I took on a role where the guy before me had DRASTICALLY under-estimated how far they were from PCI compliance.
If you deal with Boards/Execs, it's better they know the real position even if it's a sh*t-storm
Some thoughts to take away
Reward people for making you aware of issues.
You feel good, they feel good & they're likely to tell others.
What next?
Shout about your successes!
Security is as important as any other business unit
So shout about successes you have: positive PR across the business
Thank you
@stuhirstinfosec