Lean Security for Small or Medium Sized Business

Presented at AppSec USA 2014, Sept. 18, 2014, 2 p.m. (45 minutes).

For a small or medium sized business (SMB) the fallout from a security or privacy incident is, at best, a PR nightmare. At worst it can cause irrecoverable damage and end your business by impacting sales or ad revenue. Your user base may take a hit. You may need to draft a blog post or email your customers describing the incident and asking them to change passwords. A key culprit is budget constraints - as an SMB you are allocating resources to innovating, creating, and improving your product. Security, while important, isn't always the primary objective.

Our talk will introduce a simple framework for SMBs to focus their security efforts. We will then discuss a common scenario applicable to most SMBs that employs our framework, and leverages it to introduce cheap and effective security mechanisms that provide prevention, limitation, detection, and response capabilities. The key takeaway will be the thought process and sample techniques that can enable an SMB to take their rag-tag security outfit and turn it into a business enabler.


Presenters:

  • Jonathan Chittenden - iSEC Partners
    Prior to his employment with iSEC, Jonathan worked for the Air Force as a civilian. His roles consisted of reverse engineering malware for both signature and exploitation development. This experience enabled Jonathan to be comfortable working at a low-level with unknown protocols and binaries. During this time, he also assisted in the development of an open-source intelligence application to be used to identify indicators of compromise. During his employment with iSEC Partners, Jonathan has been tasked with a variety of engagements. Of which his memorable projects include performing assessments of a novel application container and custom kernel modules to be used for virtualization. Jonathan has also collaborated and presented on a tool called AWS Scout. Scout helps automate security assessments of several Amazon Web Services. The tool was showcased at Blackhat USA 2012 Arsenal and OWASP AppSec 2012 conference. Recently Jonathan gave a turbo talk at Blackhat USA 2013 on an embedded system called Twine, which covered analysis and findings of the research project. Jonathan graduated with a M.S. in Cyber Security from NYU: Polytechnic and a BBA in Infrastructure Assurance and Information Security from UTSA.Anson Gomes is a security consultant/researcher at iSEC Partners, an information security firm specializing in application, network, and mobile security. Prior to working at iSEC, Anson worked as a software developer and graduated with a M.S. in Computer Science from NYU: Polytechnic.
  • Anson Gomes - Senior Security Consultant - iSEC Partners
    Anson Gomes is a security researcher and consultant at iSEC Partners. He specializes in web applications and web services security, network security, mobile application security, and architecture reviews. He has led numerous assessments for applications written in languages such as Java, .NET, PHP, and Objective C. In his spare time, Anson spends his time researching cloud systems, custom protocols, and embedded devices. He is passionate about red teaming and social engineering. Anson has also given multiple presentations both locally at NYC and at major conferences such as Black Hat. He lives in New York City.