Security Hardening Isn’t the Hard Part
Track 101 – 12:35pm
Anicet Fopa Tchoffo, Security Consultant @ University of Leeds
Bio
Anicet Fopa Tchoffo returns to BSides Leeds, bringing insights from his role as a Security Consultant at the University of Leeds, where he has helped secure everything from nuclear and biomedical research to environmental studies and the University's High-Performance Computing (HPC) deployments. His work spans offensive and defensive security, with a focus on threat detection, incident response, security architecture, and DevSecOps. This time, he takes on the messier half of security hardening: not changing the settings, but tracking the work, justifying the decisions, and proving both to people who weren't in the room at the time. Outside of work, you'll often find him attempting to navigate a snowboard (valiantly trying not to injure himself or others), pretending he still has the stamina of a pro footballer (for about 15 minutes), or enjoying a less taxing game of badminton. Find him on LinkedIn: https://www.linkedin.com/in/anicet-tchoffo/
Talk Abstract
Every security team knows they should be hardening their systems. Most are, in some form, using some combination of CIS Benchmarks, DISA STIGs, Microsoft Security Baselines, CISA SCuBA, or vendor-specific guidance. The hard part is doing it consistently, tracking it systematically, communicating it clearly, and leaving an audit trail that someone who wasn't in the room can actually follow. This talk follows one fictional organisation through the journey of taking security configuration guidance from "downloaded guide" to "auditable, reportable, organisation-wide programme". Along the way it examines what the major guide providers actually give you, what they leave you to figure out yourself, and how a practical workbook-based approach can bridge that gap. The talk also walks through the automation pipeline that produces these workbooks, and shows the public library where over seven hundred are already free to download. Attendees should leave with a practical framework for thinking about hardening as an organisational discipline, not just a technical task, and a clear picture of what a usable implementation artefact looks like. Suitable for security engineers, CISOs, GRC and compliance practitioners, and anyone who has ever sent a spreadsheet to an auditor and immediately regretted it.
Intended Audience
Security engineers, security consultants, CISOs, GRC and compliance practitioners, and anyone who has ever sent a spreadsheet to an auditor and immediately regretted it.
How NSFW is this talk?
(How spicy is your talk in chillis?)
Mild
