Rise of the Evangelists: Creating Hybrid Roles and Cultivating the Hacker Mentality in Your Team Matt Torbin | Principal Software Engineer/Security Evangelist | RSA

Upload: matt-torbin

Post on 08-Apr-2017


TRANSCRIPT

Page 1: Rise of the Evangelists: Creating Hybrid Roles and Cultivating the Hacker Mentality in Your Team

Page 2

Who am I? Why am I here?

• Principal Software Engineer / Security Evangelist for RSA

• Front-End/Full Stack developer for … a very long time

• Ridiculously passionate about information security

• STRONGLY believe in the power of hybrid roles within development teams (a.k.a. “T-Shaped Skills”)

• Proud to be part of the infosec community: “Ich bin ein Hacker!”

• Active Gamer / Recovering WoW player (HORDE FTW)

• Born in Pittsburgh, PA but home will ALWAYS be Philly!

Page 3

Before I start, a BIG THANK YOU to Lesley and Johnny

“You’re Right: This Sucks”

Johnny Xmas

Lesley Carhart (a.k.a. hacks4pancakes)

Page 4

Security controls are lacking…

• Anthem (Feb 2015):
  • What: 37.5 million records stolen
  • Why: database was not encrypted.

• Yahoo (2014, disclosed Sept 2016):
  • What: 500 million accounts stolen
  • Why: Security was a secondary concern

• Dyn (Oct 2016):
  • What: Largest attack of its kind
  • Why: Vulnerabilities in IoT devices

• AdultFriendFinder (Oct 2016):
  • What: 412 million accounts stolen
  • Why: Data at rest was not stored securely

“AdultFriendFinder network hack exposes 412 million accounts” http://www.zdnet.com/article/adultfriendfinder-network-hack-exposes-secrets-of-412-million-users/

“Dyn DDoS attack sheds new light on the growing IoT problem” http://readwrite.com/2016/10/24/dyn-ddos-attack-sheds-new-light-on-the-growing-iot-problem-dl4/

“Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say” http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0

“Health Insurer Anthem Didn’t Encrypt Data in Theft” http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560

Page 5

… and the situation isn’t getting better.

“2015 Internet Crime Report” Federal Bureau of Investigation, 2015 https://pdf.ic3.gov/2015_IC3Report.pdf

Page 6

Our inability to keep up leaves our organizations vulnerable to attacks.

Vanson Bourne, “Hacking the Skills Shortage” Center for Strategic and International Studies, 2016. http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf

Page 7

“Direct and Measurable Damage”

Vanson Bourne, “Hacking the Skills Shortage” Center for Strategic and International Studies, 2016. http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf

Page 8

This includes massive financial losses.

“2015 Internet Crime Report” Federal Bureau of Investigation, 2015 https://pdf.ic3.gov/2015_IC3Report.pdf

Page 9

As an industry we are not keeping up with the hiring demand...

• As of 2015, cybersecurity job postings were up 91%.

• Austin, Columbus and Denver have seen an over 150% increase in growth.

• ALL of the top 10 cities by growth have seen over 120% increases.

• 60% of ISACA and RSA Conference study respondents believe their current staff can only adequately handle “simple cybersecurity incidents.”

• In 2015 approximately 209,000 cybersecurity jobs WENT UNFILLED;
  • ISACA/RSA Study: Budget was NOT an issue
  • “Most applicants submitting resumes did not have adequate skills”

“State of Cybersecurity Implications for 2016” ISACA, 2016. http://www.isaca.org/cyber/Documents/state-of-cybersecurity_res_eng_0316.pdf

Vanson Bourne, “Hacking the Skills Shortage” Center for Strategic and International Studies, 2016. http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf

Dan Restuccia, “Job Market Intelligence: Cybersecurity Jobs, 2015” Burning Glass Technologies, 2015. http://burning-glass.com/wp-content/uploads/Cybersecurity_Jobs_Report_2015.pdf

Page 10

“Direct and Measurable Damage”

Vanson Bourne, “Hacking the Skills Shortage” Center for Strategic and International Studies, 2016. http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf

Page 11

State Data for 2015

Dan Restuccia, “Job Market Intelligence: Cybersecurity Jobs, 2015” Burning Glass Technologies, 2015. http://burning-glass.com/wp-content/uploads/Cybersecurity_Jobs_Report_2015.pdf

Page 12

Page 13

Short Term Objectives

• AUTOMATE what you can.
  • Add static code analysis tools / attack proxies to automated builds
  • DEF CON 24: Cyber Grand Challenge
  • Vendors like RSA, SIEMplify

• EVANGELIZE information security behavior within organizations
  • Offer internal training on core security concepts
  • “Gameify” bug hunting with CTFs

• OFFER TRAINING. OFFER TRAINING. OFFER TRAINING. OFFER TRAINING.
  • Employers are starting to realize the value
  • Specialized training can be expensive
  • Should include cross training and industry knowledge

• BROADEN roles within development teams
  • The days of siloing are over
  • Development now includes some QA; it should also include some security

• HIRE more broadly for greater wins.
  • Not every diamond comes in the same shape and size.
  • Not all roles really require “x years of experience” or “x degree”

Page 14

How to Develop with A Hacker Mentality (and mentor like a boss!)

• THINK like an attacker
  • How would I go about attacking this system?
  • What might this system allow me to do that I shouldn’t be allowed to do?
  • Once I have exploited the system, what more can I obtain?

• DEVELOP expecting to be attacked
  • Retain strict control on what input is acceptable for API endpoints and user-supplied data submission.

• TEST a system not with success in mind, but with failure
  • I know that this feature is supposed to do X, but I’m going to try Y.
  • I know this feature is only supposed to accept X, but I’m going to give it Y and see what happens.

• MENTOR. MENTOR. MENTOR
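The DEVELOP and TEST points above in working form, as an added example that is not from the slides: a strict allowlist validator for a hypothetical “create user” API endpoint (the field names and limits are assumptions), followed by constructed “supposed to accept X, give it Y” probes that a developer-tester would feed it, every one of which must be rejected.

```python
import re
from collections.abc import Mapping
from typing import Any

# Hypothetical "create user" API contract (an assumption for this example,
# not something the slides define): exactly these fields, these shapes.
ALLOWED_FIELDS = {"username", "display_name", "age"}
USERNAME_RE = re.compile(r"\A[a-z0-9_]{3,32}\Z")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

class ValidationError(ValueError):
    """Raised for any input outside the documented contract."""

def validate_create_user(payload: Any) -> dict:
    """Allowlist validation: reject anything not explicitly permitted."""
    if not isinstance(payload, Mapping):
        raise ValidationError("payload must be a JSON object")
    unexpected = set(payload) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    username = payload.get("username")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValidationError("username must match [a-z0-9_]{3,32}")
    display_name = payload.get("display_name", username)
    if (not isinstance(display_name, str) or not 1 <= len(display_name) <= 64
            or CONTROL_RE.search(display_name)):
        raise ValidationError("display_name must be 1-64 printable characters")
    age = payload.get("age", 0)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150:
        raise ValidationError("age must be an integer in 0..150")
    return {"username": username, "display_name": display_name, "age": age}

# Constructed probes in the "supposed to accept X, give it Y" spirit; all must be rejected.
NEGATIVE_CASES = [
    ["username", "alice"],                               # wrong container type
    {"username": "alice", "is_admin": True},             # field not in the contract
    {"username": "Alice"},                               # uppercase: not on the allowlist
    {"username": "a" * 33},                              # one past the length limit
    {"username": "alice", "age": "30"},                  # right value, wrong type
    {"username": "alice", "age": True},                  # bool sneaking in as an int
    {"username": "alice", "display_name": "Al\x00ice"},  # embedded NUL byte
]

def wrongly_accepted(cases=NEGATIVE_CASES) -> list:
    """Indices of probes the validator let through; an empty list is the goal."""
    passed = []
    for i, case in enumerate(cases):
        try:
            validate_create_user(case)
            passed.append(i)
        except ValidationError:
            pass
    return passed
```

Wire `wrongly_accepted()` into the build alongside the static analysis step so that any new field or relaxed check that lets a probe through fails the pipeline.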

Page 15

Long Term Objectives

• INCREASE diversity in our community
  • WISP: Women in Security and Privacy

• INCREASE spending on cybersecurity programs from a governmental level
  • In order to remain competitive, we need to remain relevant

• RAISE AWARENESS of opportunities within the industry at schools.
  • We need more highly-trained security engineers graduating into the industry.

Page 16

In this field, it’s OK to be

• If you don’t know how to break it, you CANNOT properly defend it.

• Attackers don’t play by the rules; don’t develop by the rules.

• RESPONSIBLE DISCLOSURE:
  • The proper, professional, ethical and moral thing to do
  • You won’t always get a “thank you”
  • BE VERY MINDFUL of USC 1030: Computer Fraud and Abuse Act

Page 17

Additional Resources

• GOVERNMENT
  • FBI’s Internet Crime Complaint Center
  • Homeland Security
  • US-CERT
  • USC 1030: Computer Fraud and Abuse Act
  • National Initiative for Cybersecurity Education

• NON-PROFIT
  • OWASP
  • WISP
  • EFF

• MEETUPS
  • Bay Area Cyber Security Meetup
  • Bay Area OWASP
  • Bay Area Cybersecurity Startups
  • simpleCrypto Academy

• CONVENTIONS
  • DEF CON
  • BlackHat
  • RSA Conference
  • APPSEC USA
  • ShmooCon

• THANK YOUS
  • Slide Reviewers: fox, RDegges, KatyKat, CodeSoda
  • Background created by HashBox on DeviantArt

Page 18

Twitter: twitter.com/pennsylfornia

Tumblr: pennsylforniageek.tumblr.com

LinkedIn: linkedin.com/in/mtorbin