Presentation: Data Security Dreams and Nightmares
What You’ll Learn
- Learn from the successes and failures of companies that have had major security breaches.
- Hear about common mistakes made when dealing with application security.
- Understand strategies to minimize the attack surface of your applications.
Abstract
We don’t often hear about successes of data security programs, yet failures in securing data are trumpeted by the media leading to commercial disbarment of anyone associated with a data breach. What lessons did I learn by observing and assisting with data breaches? It is not only how to avoid them, but also what can be done to emerge successfully from a bad situation. This is a thrilling ride with a behind-the-scenes look into many major data breach dynamics. Let’s learn from their mistakes, not your own.
What’s the focus of the work you do today?
We have done a lot of research over the years looking at information security, specifically around breaches. Whether it’s an honest mistake, a not so honest mistake, or pure negligence, breaches cause huge issues to a company and its victims. There’s a resulting correlation between good security and rewards.
What insight can you provide to prevent us from making the same mistakes?
Study and learn from the companies who have had breaches. How were the data security practices, and what caused the resulting breach? Was the breach resolved correctly, or were there problems with the solution? What damage did that cause the company? There’s a correlation between good security and rewards, and understanding this can help you make the right decisions.
What examples can you share from the major breaches you’ve uncovered?
One example is the Yahoo breach that occurred in the midst of a corporate crisis. The hackers had a very small sample that looked like Yahoo data but they didn’t actually have any data in their possession that belonged to Yahoo. Unfortunately, that affected the company’s perception and subsequent sale to Verizon.
Another example would be the Equifax breach. Their outgoing CEO blamed a single person for the breach, a single point of failure which was completely not true. It was the entire company’s environment and security practices that led to the downfall.
Can you give me an example of a breach resolved positively?
A positive incident response would be the 2014 breach of JPMorgan Chase. They disclosed quite a bit of detail about the breach and invested over $250 million in information security practice to make themselves more secure. They not only gave investors and clients peace of mind, but they’ve stayed mostly breach-free for the past 4 years. That is a huge undertaking in today’s society.
Who is the target audience for your talk?
Any person who has a stake in the information security process. Security is not a single person’s responsibility but is a multi-person effort. Everyone can learn from other companies’ mistakes that led to breaches and downfalls. Developing secure software is good in theory but it’s having a security mindset that is important.
What’s the most common mistake you see companies or people make?
Complacency. Thinking because you’ve already bought into security that you’re secure. You're not secure. You’re taking someone’s word that you’re secure. We are always coming up with new patches. You have to constantly think about improving security. Some companies are developing incentives for their developers to find security bugs. Instead of pointing fingers, they are rewarding developers for identifying honest security mistakes.
What do you feel is the most important trend in software today?
The speed of security development and the rapid deployment of solutions is changing the game. We are tired of the development of security features that takes months, leaving companies exposed for a significant amount of time.
Tracks
- Microservices: Patterns & Practices
  Evolving, observing, persisting, and building modern microservices
- Developer Experience: Level up Your Engineering Effectiveness
  Improving the end-to-end developer experience: design, dev, test, deploy, operate/understand. Tools, techniques, and trends.
- Modern Java Reloaded
  Modern, modular, fast, and effective Java. Pushing the boundaries of JDK 9 and beyond.
- Modern User Interfaces: Screens and Beyond
  Zero UI, voice, mobile: interfaces pushing the boundary of what we consider to be the interface
- Practical Machine Learning
  Applied machine learning lessons for SWEs, including tech around TensorFlow, TPUs, Keras, Caffe, & more
- Ethics in Computing
  Inclusive technology, ethics and politics of technology. Considering bias. Societal relationship with tech. Also the privacy problems we have today (e.g., GDPR, right to be forgotten)
- Architectures You've Always Wondered About
  Next-gen architectures from the most admired companies in software, such as Netflix, Google, Facebook, Twitter, Goldman Sachs
- Modern CS in the Real World
  Thoughts pushing software forward, including consensus, CRDTs, formal methods, & probabilistic programming
- Container and Orchestration Platforms in Action
  Runtime containers, libraries, and services that power microservices
- Finding the Serverless Sweetspot
  Stories about the pains and gains from migrating to Serverless.
- Chaos, Complexity, and Resilience
  Lessons building resilient systems and the war stories that drove their adoption
- Real World Security
  Practical lessons building, maintaining, and deploying secure systems
- Blockchain Enabled
  Exploring smart contracts, oracles, sidechains, and what can/cannot be done with blockchain today.
- 21st Century Languages
  Lessons learned from languages like Rust, Go-lang, Swift, Kotlin, and more.
- Empowered Teams
  Safely running inclusive teams that are autonomous and self-correcting