Life as an enterprise security geek from underground. (What enterprises want security researcher to do at work? -- How to survive)
1 like627 views
Seungjin Lee, CEO of Grayhash, discusses the challenges of enterprise security, highlighting issues such as numerous attack points, the complexity of managing third-party products, and the need for continuous security vigilance. He emphasizes the importance of communication skills for security engineers, the difficulties in protecting large infrastructures, and the necessity of prioritizing security measures despite inherent complexities. The talk also touches on the different security experiences between small and large firms and concludes with an open invitation for questions or job inquiries.
![Public server security
• Last example, there are 500,000 servers that have public IP
• The whole security team spends one year to pen-testing those
• Not likely, but, let’s assume here 500,000 servers are totally safe now
• Tremendous job, however, you can’t do this everyday / forever
• And the next day, one programmer leaves ‘phpmyadmin’ with default
credential on public web server
• Or test code - <?php system($_GET[“cmd”]); ?>](https://image.slidesharecdn.com/d-5-181126035512/85/Life-as-an-enterprise-security-geek-from-underground-What-enterprises-want-security-researcher-to-do-at-work-How-to-survive-12-320.jpg)
Life as an enterprise security geek from underground. (What enterprises want security researcher to do at work? -- How to survive)
- 1. Life as an enterprise security geek from underground (What enterprises want security researcher to do at work?) SeungJin Lee (GrayHash) @beist
- 2. About me • CEO of GRAYHASH (Information security consulting company) • Entered in information security field in 2000 • Advisor for SAMSUNG SDS and Cyber Command previously • Speaking at popular security conferences in USA, CANADA, GERMANY • Review board member of BLACKHAT and CODEBLUE • Hunter x hunter, nama-biru lover
- 3. TEAM GRAYHASH • Grayhash has been working at LINE as a special partner since April • Currently 8 members from Grayhash involved with LINE projects • Job duties • Product security, infra pen-testing, security design • Skillset • Programming, network, operating systems, hacking/security
- 4. About this talk • Sharing experience of working for big companies as a consultant team • Hard part as a security engineer at big firm • Very common and general issues when you work for big firms • No single line of code but some technical background covered • What things you need to know to be a good security engineer • And why enterprise security is usually harder..
- 5. Why it is harder • Because you have too many attack points to protect at big firms • Servers, laptops, mobiles, embedded systems, IoT • The big number of employees • A lot of software • And 3rd parties (Supply chain attack things) • Plus, big infrastructure
- 6. More specifically • Development side • “I can’t code on a laptop which is not connected to the internet” • However, not everyone knows how to protect oneself • “I can’t always code without a break” • And people easily go surf the malicious websites without notice • Believe or not, developers have every sensitive information • Also, hacking people is much easier than hacking servers nowadays
- 7. More specifically • Infrastructure side • “I want to access the wiki, mail, git server of our company at home” • “I also need to access the live server so that i can maintain at home” • “I need to put my module on servers so that I can monitor everything” • … And once any single person gets hacked, everything will be hacked • VPN, 2FA don’t perfectly save your computer
- 8. More specifically • Spaghetti business services • “We started our company with this awesome service!” • “Let’s do make more services to get more customers” • “Make more and more API, use one single database, big data wins!” • You will realize you don’t know how you securely isolate each service • Complexity went too far
- 9. More specifically • 3rd party products • “We focus on our service, if we need other features, just buy, there are a ton of useful products already. Don’t re-invent.” • Then, companies buy security, network, accounting, business logic products without any concern of security • You don’t know how much one is secure/insecure because you didn’t make it • Hacking concern because of vulnerable 3rd party products is what every big company is facing, no exception
- 10. Development and deployment • Let’s have some practical examples • Let’s think that there is one perfect developer who makes secure code, but • What if the developer’s laptop gets hacked • What if the code on git he/she uploaded is manipulated after the upload • What if the build server gets hacked - Code can be modified before build • What if the compiled .jar gets maliciously modified
- 11. Dedicated network for servers • Another example, you make dedicated network for servers for security • Only 100 people who have VPN credentials can access the network, but • You’re not sure if the VPN product is truly secure • You may protect well 99 of 100, but can’t protect 50/50 • Your git enterprise server is not in the dedicated network • And the server pulls out the code from it to build • Every server in the dedicated network has installed 3rd party AV client • And where is the master server of the AV clients?
- 12. Public server security • Last example, there are 500,000 servers that have public IP • The whole security team spends one year to pen-testing those • Not likely, but, let’s assume here 500,000 servers are totally safe now • Tremendous job, however, you can’t do this everyday / forever • And the next day, one programmer leaves ‘phpmyadmin’ with default credential on public web server • Or test code - <?php system($_GET[“cmd”]); ?>
- 13. Security at small firm • We used to work at small firms for years as well • Much easier and simpler • A few of external software used • No strong access control needed for every server • A small number of main asset to protect • Everyone used 2FA and never visited malicious websites • Easier to educate about information security • Hard to hack even for skilled hackers
- 14. Security at enterprise • We should say that we can’t protect everything • But there are still things that you can make your company safer • What are important things for enterprise security?
- 15. Infrastructure tools security • Most of big companies have infra-tools widely used at work • Like, most of servers installed the tool to monitor the server status • Or, PMS, up to date software version • And assume that if the tool has a *backdoor-like* bug • Then, all your company servers could get hacked • Review the code very actively and put through QA test • One of the most priorities of our job
- 16. Controllable products • Anything can’t be 100% secure • Assume that hackers will find 0 days of things one day • If you can’t make an action in time, you’ll have much trouble • Every service and product that your company is using should be in your hand • Update the software, make hot fixes • Not every 3rd party vendor makes patches in time • What can you do?
- 17. Hacked employees • Even highly skilled hackers get hacked sometimes • Big companies have multiple jobs • Many of them are not engineers • It’s reasonable to think that some employees are already hacked or soon • Which means there is no “private-network” • Your “private-network” is almost like the Internet • Almost no big company is doing perfectly on internal security
- 18. Defense in depth • Defense in depth should be everywhere • Especially, for highly confidential servers • Your back-end should be safe even though the front-end got hacked • Example: Springframework 0day comes out, what can you do? • For this, very simple but deeply considered ACL rules needed
- 19. Continuous red-teaming • Your team may find 100 security bugs at a night • But your team can’t do this for years everyday • Sustainable red-teaming is needed • Since new service / product out everyday • Automated systems make your life much easier but they’re not perfect • One of top priorities: Always ready to hire highly talented engineers
- 20. Difficult part at work • As an enterprise security geek • Do I hate to talk with others? • Do I love only cyber avatars? • Very nice try, but wrong
- 21. Hikikomori at work • What is one of most important things for a security engineer at firm? • Most of non security engineers may think • Top notch programming, kernel, assembly, geeky mindset • Actually, communication skill • Because we find problems that others make • Which means we always need to talk to them to fix
- 22. Being an evil for good • Also, we need to know how to convince people • As we always need others to do things that they don’t like • Example: “You must code on this laptop, only and no internet.” • (Yes, a bit extreme example) • To persuade them, we first need to understand them and their work
- 23. Pretend to be a genius • Multiple code languages, web frameworks, databases, operating systems • Each team may prefer different development environment • C, C++, PHP, Go, Swift, Java, Python, Erlang, Apache, nginx, tomcat, … • But the security team is relatively smaller • And we should enough know about the things to review the code • Like, learn about swift today and review swift code tomorrow
- 24. Want to be rich • Keeping strong motivation is not easy • Because we basically work on others’ work • Which means not having the ownership of the product / service • This is why skilled security engineers sometimes fall into mannerism
- 25. Final note • But, nonetheless, we’re trying to be better • Doing good security != Finding hardcore 0-days • Finding typical 10 bugs might be 10 times better than one awesome bug • Most important things • Knowing how to work with others • Having good communication skill • Following release schedule of product in time
- 26. Final note • Doing good security is difficult • Luckily, LINE engineers catch up really fast • This talk is not specifically talking about the situation of LINE • But more about general security issues that big firms are having
- 27. If you have questions • Shoot me an email: [email protected] • Twitter: @beist • Or in person after this stage! • There is a Q/A room • If you’re looking for a security engineer job, we’re hiring.