TRANSCRIPT
Rise of the Evangelists: Creating Hybrid Roles and Cultivating the Hacker Mentality in Your Team
Matt Torbin | Principal Software Engineer/Security Evangelist | RSA
Who am I? Why am I here?
• Principal Software Engineer / Security Evangelist for RSA
• Front-End/Full Stack developer for … a very long time
• Ridiculously passionate about information security
• STRONGLY believe in the power of hybrid roles within development teams (a.k.a. “T-Shaped Skills”)
• Proud to be part of the infosec community: “Ich bin ein Hacker!”
• Active Gamer / Recovering WoW player (HORDE FTW)
• Born in Pittsburgh, PA but home will ALWAYS be Philly!
Before I start, a BIG THANK YOU to Lesley and Johnny
“You’re Right: This Sucks”
Johnny Xmas
Lesley Carhart (a.k.a. hacks4pancakes)
Security controls are lacking…
• Anthem (Feb 2015):
  • What: 37.5 million records stolen
  • Why: database was not encrypted.
• Yahoo (2014, disclosed Sept 2016):
  • What: 500 million accounts stolen
  • Why: Security was a secondary concern
• Dyn (Oct 2016):
  • What: Largest attack of its kind
  • Why: Vulnerabilities in IoT devices
• AdultFriendFinder (Oct 2016):
  • What: 412 million accounts stolen
  • Why: Data at rest was not stored securely
“AdultFriendFinder network hack exposes 412 million accounts” http://www.zdnet.com/article/adultfriendfinder-network-hack-exposes-secrets-of-412-million-users/
“Dyn DDoS attack sheds new light on the growing IoT problem” http://readwrite.com/2016/10/24/dyn-ddos-attack-sheds-new-light-on-the-growing-iot-problem-dl4/
“Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say” http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0
“Health Insurer Anthem Didn’t Encrypt Data in Theft” http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560
… and the situation isn’t getting better.
“2015 Internet Crime Report” Federal Bureau of Investigation, 2015 https://pdf.ic3.gov/2015_IC3Report.pdf
Our inability to keep up leaves our organizations vulnerable to attacks.
Vanson Bourne, “Hacking the Skills Shortage” Center for Strategic and International Studies, 2016. http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf
“Direct and Measurable Damage”
Vanson Bourne, “Hacking the Skills Shortage” Center for Strategic and International Studies, 2016. http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf
This includes massive financial losses.
“2015 Internet Crime Report” Federal Bureau of Investigation, 2015 https://pdf.ic3.gov/2015_IC3Report.pdf
As an industry we are not keeping up with the hiring demand...
• As of 2015, cybersecurity job postings were up 91%.
• Austin, Columbus and Denver have seen an over 150% increase in growth.
• ALL of the top 10 cities by growth have seen over 120% increases.
• 60% of ISACA and RSA Conference study respondents believe their current staff can only adequately handle “simple cybersecurity incidents.”
• In 2015 approximately 209,000 cybersecurity jobs WENT UNFILLED;
  • ISACA/RSA Study: Budget was NOT an issue
  • “Most applicants submitting resumes did not have adequate skills”
“State of Cybersecurity Implications for 2016” ISACA, 2016. http://www.isaca.org/cyber/Documents/state-of-cybersecurity_res_eng_0316.pdf
Vanson Bourne, “Hacking the Skills Shortage” Center for Strategic and International Studies, 2016. http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf
Dan Restuccia, “Job Market Intelligence: Cybersecurity Jobs, 2015” Burning Glass Technologies, 2015. http://burning-glass.com/wp-content/uploads/Cybersecurity_Jobs_Report_2015.pdf
“Direct and Measurable Damage”
Vanson Bourne, “Hacking the Skills Shortage” Center for Strategic and International Studies, 2016. http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf
State Data for 2015
Dan Restuccia, “Job Market Intelligence: Cybersecurity Jobs, 2015” Burning Glass Technologies, 2015. http://burning-glass.com/wp-content/uploads/Cybersecurity_Jobs_Report_2015.pdf
Short Term Objectives
• AUTOMATE what you can.
  • Add static code analysis tools / attack proxies to automated builds
  • DEF CON 24: Cyber Grand Challenge
  • Vendors like RSA, SIEMplify
• EVANGELIZE information security behavior within organizations
  • Offer internal training on core security concepts
  • “Gamify” bug hunting with CTFs
• OFFER TRAINING. OFFER TRAINING. OFFER TRAINING. OFFER TRAINING.
  • Employers are starting to realize the value
  • Specialized training can be expensive
  • Should include cross training and industry knowledge
• BROADEN roles within development teams
  • The days of siloing are over
  • Development now includes some QA; it should also include some security
• HIRE more broadly for greater wins.
  • Not every diamond comes in the same shape and size.
  • Not all roles really require “x years of experience” or “x degree”
How to Develop with a Hacker Mentality (and mentor like a boss!)
• THINK like an attacker
  • How would I go about attacking this system?
  • What might this system allow me to do that I shouldn’t be allowed to do?
  • Once I have exploited the system, what more can I obtain?
• DEVELOP expecting to be attacked
  • Retain strict control on what input is acceptable for API endpoints and user-supplied data submission.
• TEST a system not with success in mind, but with failure
  • I know that this feature is supposed to do X, but I’m going to try Y.
  • I know this feature is only supposed to accept X, but I’m going to give it Y and see what happens.
• MENTOR. MENTOR. MENTOR
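One way to put “strict control on what input is acceptable” and failure-first testing into practice, as an added example that is not from the talk: a JavaScript allowlist validator for a hypothetical create-user API payload (the schema, field names and limits are assumptions), with a set of constructed probes that each give the endpoint something it is not supposed to accept. The probe runner returns the names of any probes the validator wrongly let through, so the check fails loudly if the allowlist ever loosens.

```javascript
// Added example, not from the talk: strict allowlist validation for a hypothetical
// "create user" API payload; the schema, field names and limits are assumptions.
const SCHEMA = {
  username: { type: "string", pattern: /^[a-z0-9_]{3,20}$/ },
  email:    { type: "string", pattern: /^[^\s@]{1,64}@[^\s@]{1,255}$/ },
  age:      { type: "number", min: 13, max: 120 },
};
// Returns a list of problems; an empty list means the payload is acceptable.
function validateCreateUser(payload) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return ["payload must be a plain object"];
  }
  const problems = [];
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  // Reject every field the schema does not list, including "__proto__".
  for (const key of Object.keys(payload)) {
    if (!own(SCHEMA, key)) problems.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(SCHEMA)) {
    const value = payload[key];
    if (!own(payload, key)) {
      problems.push(`missing field: ${key}`);
    } else if (typeof value !== rule.type) {
      problems.push(`${key}: expected ${rule.type}`);
    } else if (rule.pattern && !rule.pattern.test(value)) {
      problems.push(`${key}: does not match allowed format`);
    } else if (rule.type === "number" &&
               (!Number.isFinite(value) || value < rule.min || value > rule.max)) {
      problems.push(`${key}: out of range`);
    }
  }
  return problems;
}
// "Supposed to accept X, give it Y": constructed payloads that must all be rejected.
const FAILURE_PROBES = {
  extraField: { username: "alice", email: "a@b.io", age: 30, isAdmin: true },
  wrongType:  { username: "alice", email: "a@b.io", age: "30" },
  tooLong:    { username: "a".repeat(500), email: "a@b.io", age: 30 },
  nanAge:     { username: "alice", email: "a@b.io", age: NaN },
  arrayBody:  ["alice", "a@b.io", 30],
  protoKey:   JSON.parse('{"username":"alice","email":"a@b.io","age":30,"__proto__":{"isAdmin":true}}'),
};
// Runs every probe and returns the names of any the validator wrongly accepted.
function probesWronglyAccepted() {
  return Object.entries(FAILURE_PROBES)
    .filter(([, body]) => validateCreateUser(body).length === 0)
    .map(([name]) => name);
}
```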
Long Term Objectives
• INCREASE diversity in our community
  • WISP: Women in Security and Privacy
• INCREASE spending on cybersecurity programs from a governmental level
  • In order to remain competitive, we need to remain relevant
• RAISE AWARENESS of opportunities within the industry at schools.
  • We need more highly-trained security engineers graduating into the industry.
In this field, it’s OK to be
• If you don’t know how to break it, you CANNOT properly defend it.
• Attackers don’t play by the rules; don’t develop by the rules.
• RESPONSIBLE DISCLOSURE:
  • The proper, professional, ethical and moral thing to do
  • You won’t always get a “thank you”
  • BE VERY MINDFUL of USC 1030: Computer Fraud and Abuse Act
Additional Resources
• GOVERNMENT
  • FBI’s Internet Crime Complaint Center
  • Homeland Security
  • US-CERT
  • USC 1030: Computer Fraud and Abuse Act
  • National Initiative for Cybersecurity Education
• NON-PROFIT
  • OWASP
  • WISP
  • EFF
• MEETUPS
  • Bay Area Cyber Security Meetup
  • Bay Area OWASP
  • Bay Area Cybersecurity Startups
  • simpleCrypto Academy
• CONVENTIONS
  • DEF CON
  • BlackHat
  • RSA Conference
  • APPSEC USA
  • ShmooCon
• THANK YOUS
  • Slide Reviewers: fox, RDegges, KatyKat, CodeSoda
  • Background created by HashBox on DeviantArt
Twitter: twitter.com/pennsylfornia
Tumblr: pennsylforniageek.tumblr.com
LinkedIn: linkedin.com/in/mtorbin