Written by: Jessica Awsumb, Joanna Keel, and Jessica Hovland
Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing An Organization)
Uploaded by centralohioissa. Category: Technology.
Transcript of Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing An Organization)
Don’t Try This at Home!!! Recurring Themes from Trying to Secure an Organization
Jessica Hebenstreit, CISSP | CRISC | GCIH | GNFA
@secitup | [email protected] | www.linkedin.com/in/jessicahebenstreit
A Little About Me
16 years in security
Multiple verticals
Lover of memes
What more do you need to know?
I Love Memes
More Than Kanye Loves Kanye
Topics
But First! WHY?
Recurring Themes
TIL: Today I Learned
And now… a fun video!
Q & A
But First! Why?
Those who don’t learn from history are doomed to repeat it
Common themes in shared war stories
Common themes across verticals
Recurring Themes
The Right / Wrong game
Secure at All Costs
Tools: “Save us Tool-wan Kenobi”
Policy Won’t Save You Either
Eating Our Young
Skipping The Basics
The Right / Wrong game
The “wrong” game to play
It’s like arguing on the Internet
Not about winning or being right
Know when to back down
Remember it’s about informing about risk and options
You don’t have to like it (It’s not a Facebook post)
Secure at All Costs
Old School Security Mentality
Relates to Right/Wrong game
It goes back to Risk and business tolerance
Save Us Tool-wan Kenobi
You must PAY ATTENTION to the tools
It’s called logging AND MONITORING
You must invest in your people continuously
You must have proper procedures in place
You must have policies to back you up
Policy Won’t Save You Either
Must be enforceable
Must be enforced
Must have teeth
Must be supported by and from Leadership
A “policy” that does not meet the above is not a policy
Eating Our Young
It’s getting better, buuuuuuut…
We should be encouraging and welcoming
Critical shortage of info sec professionals
Women…
Skipping the Basics
Innovation and pushing the envelope is great but…
It doesn’t matter if you don’t have basics* in place
Software and Hardware Inventory
Secure Configurations (Hardening standards and guidelines)
Vulnerability Management process
Controlled use of Administrative Access
* The first 5 SANS Critical Controls
This and That
Assuming compliance is enough
Losing sight of the big picture
Proper Risk Classification
Not everything is highest risk or most critical
Properly remediating systems
Just reimage it already
More on this in a moment
TIL: Today I Learned
It’s not about being right or wrong
Do the right thing for the business
Balance Risk and Security
Tools won’t save you but neither will policy
Start with the basics and go from there
Support and grow fledgling security professionals
And now… TIME FOR A FUN VIDEO
REMOVED DUE TO SIZE – CONTACT JESSICA IF YOU ARE INTERESTED IN SEEING IT
One Last Thing…
Equal Respect Initiative
Executive Women’s Forum
THANK YOU!
QUESTIONS?