you built a security castle and forgot the bridge…now users are climbing your walls
TRANSCRIPT
You built a security castle but you forgot the bridge...
Soraya Viloria Montes de Oca
@GeekChickUK
now your users are climbing up the walls
Disclaimer
The views expressed in this presentation are the views of the speaker and do not reflect the views or policies of her present or past employers.
The cases and examples, while inspired by real life, are the result of her crazy imagination.
The terminology used may not necessarily be consistent with official terms and may reflect prejudicially on her parents' parental efforts.
Some slides may vary from the live presentation due to restrictions and © license permissions.
Let’s not dwell on that
IT projects #fail
75% of all IT projects fail...
UK projects:
£12.7bn National Programme for IT (NHS)
£7.1bn Defence Information Infrastructure (DII)
£5bn National Identity Scheme
£400m Libra system (for magistrates' courts)
Source: Gartner's reports plus various other articles
Is it really a \o/ #win?
To be successful you need to aim beyond “completing on time and in budget”. IMHO
Once upon a time...
You built a security castle
If you don’t understand...
Users
Assets
Get ready for a battle
If you don’t understand...
“Users” vs. “Service desk”
“Service desk” vs. “Systems Ops”
“Systems Ops” vs. “InfoSec”
“Users” vs. “InfoSec”
Users
Assets
The battle..will be lost
One shoe...doesn’t fit all
Good security understands that
Users are not homogeneous
they access different information
... in a variety of ways
And different assets...
...have different values
Would you put the same resources and effort into protecting these?
Security that is too tight is soon...
...undermined
What do we hear?
You are costing us money
We can live with the risk
Your advisory position
To succeed, the business will soon sell your castle
The original cartoon had to be removed as the license was only for live presentation
By week 112
You have more holes than a colander
Without the buy-in
The security battle will be lost
Users
Board
I.T
Time for a quick game?
Let’s suggest a secure solution which will enable the Occupational Therapy (OT) team to provide medical care to patients somewhere in... Scotland
Info you have
Documentation:
1. The blueprints of the sites
2. Hospitals
3. GP surgeries/clinics
4. NPLS networks
5. Organisational charts
Even..
6. Job Descriptions
Some security architects start and finish here...
Take a closer look
Occupational Therapy Team
To build security that lasts
Occupational therapy careers are instrumental in teaching individuals who suffer from a physical, mental, emotional, or developmental disability to develop, to recover or to maintain the tasks of daily living along with work skills if needed.
In practice very different functions and 5+ different positions
Take a closer look
Occupational Therapy Team
Not everything is what it seems
Some work at the hospital
Others at GP surgeries or clinics
Others support patients at home and go back to base once a month
...which means very different infrastructure & tools
How can you achieve work targets if
you can’t perform the same tasks at the same speed?
Look deeper...
The same team doesn’t have the same tools
Control                 Desktop    Laptop         Toughbook
Connectivity            ETH        ETH/Wi-Fi      Wi-Fi/3G/GPRS
Access                  LAN        LAN/VPN/RAS    VPN/RAS

For the remaining rows an X marks a device type where the control applies (column order Desktop, Laptop, Toughbook; the slide extraction does not preserve which column each mark sits in):
Full drive encryption   X X
Endpoint encryption     X X X
No local privileges     X X X
Offline drive mode on   X
USB disabled            X X
CD/DVD disabled         X N/A
SD card slot            X
Camera (internal)       some X
and deeper...
Same speeds?
“Many GP practices are struggling with inadequate broadband speeds over N3... the majority of practices, with up to 49 network devices, are now limited to a 1Mb ADSL connection with upstream rates of 288kb/s...”
Source: “NHS broadband leaves GPs in slow lane”, © 2006 E-Health-Media Ltd. All rights reserved.
Based at hospital you get top speeds but...
Could you upload videos of patients from a GP surgery or using 3G?
And your point is?
In order to make your castle stand the test of time:
Get to know who your users are and the assets you are protecting.
Design a security model that fits the organisation’s functional and legal requirements.
Don’t build “security” that gets in the way, but security that is flexible, copes with a variety of business processes and allows the data to flow... securely.
Don’t make assumptions.
Balance usability & security with the minimal number of rules.
Report time
To make a difference, highlight the good and the bad; always be constructive.
Write in plain English no matter how cool your findings are; don’t brag using technical terms.
Aim to make a difference
Auditors, pentesters and the like...
and if you want to chat about security that lasts ...come and find me
Soraya Viloria Montes de Oca
@GeekChickUK
GeekChickUK ( @ ) gmail (.) com
Cheers!