Playing defence is complicated: What goes into playing defence and what can be holding you down

Presented at Still Hacking Anyway (SHA2017), Aug. 7, 2017, 1:15 p.m. (60 minutes)

What kind of work goes into implementing secure services? Service providers have to comply with the law, protect their users, worry about reputation, deal with vulnerability management and patch management and, above all, maintain business continuity. Researchers and attackers target the infrastructure for their own gain, and suppliers have their own go-to-market drive, which limits the amount of QA on their products. Various services are built upon existing or new foundations. They have to comply with the same company-wide policies, like the security policy. In this talk I will give an insight into what goes into the technical analyses and generic preventative measures, and provide examples of how to use a technically oriented company-wide policy to your advantage. A bunch of services look the same, but what goes into a proper analysis? It can get pretty complicated quickly. And how do you deal with legacy? This is where risk management, pentest reports, policy, law, monitoring capabilities and incident capability collide.

#DeviceSecurity #NetworkSecurity #Politics

Presenters:

  • Oscar Koeroo
    I'm a technology, security, privacy type of guy that really likes to dive into the technical bits with a feel for international politics on the subjects. I currently work at KPN in the Chief Information Security Office in the Strategy and Policy team. There I am responsible for developing the KPN Security Policy on technical matters, like cryptographic principles and usage in applications, network design, Identity and Access Management, application security and other topics that are related to (information) security. I give advice on how to deal with the implementation of the policies on the infrastructure and applications on which these are imposed. I love open data, open standards, open source and a transparent society. I've built up quite some expertise in the (practical) usage of SSL/TLS with Public Key Infrastructure and I like talking about why this works as it does and where the shortcomings are. Previously I've worked for Nikhef, the national sub-atomic physics lab. The Physics Data Processing team is responsible for various security topics and high performance networking to aid and defend High Throughput Computing, High Performance Computing, Grid Computing and Cloud Computing, each in a multi-domain and international collaboration in science communities.
    My activities revolved around international certificate authority (CA) policies and their enforcement; I was responsible for the implementation of authentication, authorization and advanced account mapping tooling used for multiple large-scale international and national computing infrastructures. Techniques involved were X.509, PKI, VOMS (Virtual Organisation and Management System), detailed POSIX account mapping and privilege separation, OpenSSL extensions and plug-ins, XACMLv2 and XACMLv3, OAUTH and OAUTH2, Shibboleth, etc. for computing and mass-storage utilities. Besides this regular line of work I was also part of an international emergency triage team. This team assessed vulnerabilities to scope the potential harm to the global infrastructure, before it moved towards the international collaboration of CERT teams responsible for the grid computing infrastructure for the Large Hadron Collider collaborations. The most fun project was to develop three generations of botnets to train CERTs with. With minimal information the CERT teams had to follow the procedures on communications towards the incident coordinators and use their local infrastructure procedures.

Links: