jessica hebenstreit - don't try this at home! (things not to do when securing an organization)

Post on 12-Apr-2017


TRANSCRIPT

Don’t Try This at Home!!!
RECURRING THEMES FROM TRYING TO SECURE AN ORGANIZATION

Jessica Hebenstreit
CISSP | CRISC | GCIH | GNFA

@secitup |Jessica@Dehnert.us | www.linkedin.com/in/jessicahebenstreit

A Little About Me

16 years in security
Multiple verticals
Lover of memes

What more do you need to know?

I Love Memes

More Than Kanye Loves Kanye

Topics

But First! WHY?
Recurring Themes
TIL: Today I Learned
And now… a fun video!
Q & A

But First! Why?

Those who don’t learn from history are doomed to repeat it

Common themes in shared war stories

Common themes across verticals

Recurring Themes

The Right / Wrong game
Secure at All Costs
Tools: “Save us Tool-wan Kenobi”
Policy Won’t Save You Either
Eating Our Young
Skipping The Basics

The Right / Wrong game

The “wrong” game to play
It’s like arguing on the Internet

Not about winning or being right
Know when to back down

Remember it’s about informing about risk and options
You don’t have to like it (It’s not a Facebook post)

Secure at All Costs

Old School Security Mentality

Relates to Right/Wrong game

It goes back to Risk and business tolerance

Save Us Tool-wan Kenobi

You must PAY ATTENTION to the tools
It’s called logging AND MONITORING
You must invest in your people, continuously
You must have proper procedures in place
You must have policies to back you up

Policy Won’t Save You Either

Must be enforceable

Must be enforced

Must have teeth

Must be supported by and from Leadership

A “policy” that does not meet the above is not a policy

Eating Our Young

It’s getting better, buuuuuuut…

We should be encouraging and welcoming

Critical shortage of info sec professionals

Women…

Skipping the Basics

Innovation and pushing the envelope is great but…

It doesn’t matter if you don’t have the basics* in place:

Software and Hardware Inventory

Secure Configurations (Hardening standards and guidelines)

Vulnerability Management process

Controlled use of Administrative Access

* The first five SANS/CIS Critical Security Controls (the list above folds device inventory and software inventory, Controls 1 and 2, into one item)
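The first and fifth of those basics boil down to the same check: compare what is authorized against what is actually present, and treat anything present-but-unauthorized as a finding. The script below is an added example for this slide, not code from the talk. All inputs are constructed: the inventory entries, the dnsmasq-style DHCP lease lines (the real format is `<expiry> <mac> <ip> <hostname> <client-id>`), the approved-admin list and the observed admin-group membership are made up, and the hostnames and account names are hypothetical. A real run would read a CMDB export plus DHCP/ARP/NAC data and a directory-group dump instead.

```python
"""Inventory reconciliation: what is present vs. what is authorized.

Added example for the "Skipping the Basics" slide; not code from the talk.
Every input below is constructed sample data (hypothetical hosts/accounts).
"""
from dataclasses import dataclass

# Constructed authorized device inventory (CIS Control 1): MAC -> record.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": {"hostname": "web-01", "owner": "platform"},
    "00:11:22:33:44:02": {"hostname": "db-01", "owner": "data"},
    "00:11:22:33:44:03": {"hostname": "jump-01", "owner": "security"},
}

# Constructed dnsmasq lease lines: <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1491969600 00:11:22:33:44:01 10.0.1.10 web-01 *
1491969600 00:11:22:33:44:02 10.0.1.20 db-01 *
1491969600 00:11:22:33:44:99 10.0.1.77 DESKTOP-7F3K2 01:00:11:22:33:44:99
"""

# Constructed approved holders of administrative access (CIS Control 5)
APPROVED_ADMINS = {"jdoe-adm", "svc-backup"}
# Constructed dump of the admin group as it actually exists today
OBSERVED_ADMINS = {"jdoe-adm", "svc-backup", "tempcontractor"}


@dataclass(frozen=True)
class Reconciliation:
    unauthorized: frozenset  # present but not authorized: the security finding
    stale: frozenset         # authorized but not present: inventory hygiene

    @property
    def clean(self) -> bool:
        # Stale entries are a hygiene problem, not a compliance failure.
        return not self.unauthorized


def parse_leases(text: str) -> dict:
    """Return {mac: (ip, hostname)} from dnsmasq lease lines.

    Blank or truncated lines are skipped; MACs are lower-cased so they
    compare equal to the inventory keys regardless of source casing.
    """
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        seen[mac.lower()] = (ip, hostname)
    return seen


def reconcile(authorized, observed) -> Reconciliation:
    """Set difference in both directions over any two iterables of identifiers."""
    authorized, observed = set(authorized), set(observed)
    return Reconciliation(frozenset(observed - authorized),
                          frozenset(authorized - observed))


def device_findings(inventory=AUTHORIZED_DEVICES, lease_text=SAMPLE_LEASES) -> dict:
    """Unknown devices on the network, plus inventory entries never seen."""
    leases = parse_leases(lease_text)
    result = reconcile(inventory, leases)
    return {
        # Keep IP and hostname so the finding is actionable, not just a MAC.
        "unauthorized": {mac: leases[mac] for mac in result.unauthorized},
        "stale": {mac: inventory[mac]["hostname"] for mac in result.stale},
    }


def admin_findings(approved=APPROVED_ADMINS, observed=OBSERVED_ADMINS) -> Reconciliation:
    """Accounts holding admin rights that nobody approved."""
    return reconcile(approved, observed)


if __name__ == "__main__":
    dev = device_findings()
    for mac, (ip, host) in sorted(dev["unauthorized"].items()):
        print(f"UNKNOWN DEVICE   {mac} {ip} ({host}) - not in inventory")
    for mac, host in sorted(dev["stale"].items()):
        print(f"STALE INVENTORY  {mac} {host} - not seen in leases")
    adm = admin_findings()
    for user in sorted(adm.unauthorized):
        print(f"UNAPPROVED ADMIN {user}")
```

The same `reconcile` serves both controls because the question is identical; only the data source changes. Running it on the constructed data flags one unknown device, one stale inventory record and one unapproved admin, which is exactly the output a monitoring pipeline should turn into tickets rather than let scroll past.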

This and That

Assuming compliance is enough
Losing sight of the big picture
Proper Risk Classification

Not everything is highest risk or most critical

Properly remediating systems
Just reimage it already
More on this in a moment

TIL: Today I Learned

It’s not about being right or wrong

Do the right thing for the business

Balance Risk and Security
Tools won’t save you, but neither will policy
Start with the basics and go from there
Support and grow fledgling security professionals

And now… TIME FOR A FUN VIDEO

REMOVED DUE TO SIZE – CONTACT JESSICA IF YOU ARE INTERESTED IN SEEING IT

One Last Thing…

Equal Respect Initiative
Executive Women’s Forum

THANK YOU!

QUESTIONS?
