SSL Is Not A Secure Architecture
Greg Sternberg, CISSP
Solutions/Security Architect, Jeppesen
29 Jan 2013
Filename.ppt | 2
A Bit About Myself
Old: I’ve used punch cards, PL/1 and PDPs
If it involves computers I’ve probably done it
Former “status hacker” from the wrong side of the tracks
Studies psychology as a hobby
Solutions/Security/Enterprise Architect @ Jeppesen, a Boeing company
Board member of the Denver chapter of ISSA
CISSP and TOGAF certified
Infragard member
Agenda
When Success is Bad
SSL Will Solve World Hunger
Understanding The Players
Knowledge is a Good Thing
Think Bad
Secure Architectural Principles
If You're Lost, Your Priorities Change
We're All In This Together
Zen Moments (a.k.a. Q&A)
Organic Growth
In The Beginning: Mainframe, users working on the machines, physical security
Let There Be Users: Client/Server, users working on the network, IDS, anti-virus
We’re Not In The Computer Center Anymore: SOA, users working from home, EDP, VPN
But Now...
SSL Will Solve Everything (just “get r' done!”)
Only protects transfers, and only if used
Proliferation of certificates: Symantec alone has 811,511; 650 CAs
Implementation problems: my client/server code is 400 LoC; at 1 bug per 10 lines of code…
Expect too much from users
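The "only if used" and "implementation problems" points are where TLS most often fails in practice: the link is encrypted, but the client never checks who it is talking to, so the protection for the transfer is gone while the code still looks like it "uses SSL". The following Python example is added here to illustrate that point; it is not from the slides. It builds a hardened `ssl.SSLContext` beside a weakened one and runs a small audit function over each, using only the standard library `ssl` module (the function and finding names are this example's own).

```python
import ssl


def weakened_context() -> ssl.SSLContext:
    """A context that encrypts the link but accepts any certificate.

    This is the classic 'we use SSL' misconfiguration: the bytes are
    encrypted, yet an on-path party presenting any certificate is accepted.
    check_hostname must be cleared before verify_mode is set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A context that actually verifies the peer.

    create_default_context() gives CERT_REQUIRED, hostname checking and the
    system CA store; the minimum protocol version is pinned explicitly.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings describing why a context does not protect
    the transfer; an empty list means nothing was flagged."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version below TLS 1.2)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weakened", weakened_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```

The audit is the kind of check that belongs in a code review or a unit test for any module that opens TLS connections: a context that passes it still only protects data in transit, which is the slide's larger point, but a context that fails it does not even do that.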
Securing Your Architecture
No "silver bullet": there are always trade-offs and risks
Story: We had too many entries into our systems, so we eliminated all but one entry into our network. However, that one entry got compromised and we suffered a break-in. Turns out we helped the malware authors by simplifying our system.
On the plus side, since we had significantly fewer things to log and monitor, we caught the intrusion much faster than we would have otherwise, assuming we could have caught it in the old system at all.
Looking at Architecture From a Malware Point of View
Security has to be right all the time; malware only once (and they're better funded)
Malware is everything we want to be:
Social engineers
Know our users better than we do
They understand our psychology: Prospect Theory; small change blindness; “It won't happen to me”; “I've always done it this way”; we don't like to admit when we messed up
You Can't Protect What You Don't Know
Silos are malware's best friend
Two heads are better than one
Learn from someone else's mistakes
Know your company: what are your company's architectural/security/... goals?
Know your company's business(es): what are its drivers? What does it think about architecture & security?
Know your system(s): what are the threats, vulnerabilities, ...
Never assume: “You must ask the right questions”
Think Bad (a.k.a. channeling your inner hacker)
(image: xkcd comics)
• Understand the system as well as the system of systems (holistic)
• Think about the elephant
• Think outside the box
• Data has three environments
• Different strokes for different folks
• Evaluate C.I.A.(A.)
• Consider effort
Make your architecture harder to crack than the architecture next door
Secure Architecture Principles
Business Focused: What are the business requirements? Your job is not to make the business secure, it's to keep the business profitable. Always show benefit to the company.
Appropriate: Effective vs. right. Avoid security for security's sake. Avoid diminishing returns.
Professional (political) lobbyist; Chinese fortune cookie
“The beginning is the most important part of the work.” – Plato
We all need direction, even if it's wrong
“If You Don't Know Where You Are Going, Any Road Will Get You There.”
Have a Strategy: “The task of strategy is an efficient use of the available resources for the achievement of the main goal.”
Have a Plan: Avoid the TSA paradigm; polarize, not just layer
Prepare for Paradigm Shifts: Deperimeterization; targeted and silent malware; social attacks
Humans are Visual: Targeted pictures
Take shameless (but responsible) advantage of events
Don't Forget
Simplify: "That's been one of my mantras -- focus and simplicity. Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple." - Jobs
Knowledge is a Wonderful Thing: Know when things are added to your architecture
What not to do is Wonderful Too: Don't reinvent the wheel
The 'Circle of Security' a.k.a. The Circle of Life
Learning from Malware: “Know your enemy and know yourself...” - Sun Tzu
Users Are Human Too
Computers are Intimidating
One Size Doesn't Fit All
Something Will Go Wrong
Fail Securely and Loudly
Know Thine Enemy; For They Are Us
Impatience / Lack of Knowledge
Oops
Your Job is Security; Not Your Users'
“Make It So”
1. Know what is required/mandated/…: Must have a business justification. Did I contribute toward the bottom line?
2. Have an agenda (a.k.a. plan): Do I have a plan? Does anyone know what my strategy is?
3. Have a picture(s): A picture is worth a 1000 words. Is it tailored?
4. Work for agreement: You must be a professional political lobbyist. Who is helping me?
5. Rinse & Repeat: What didn't I get done? Never surrender.
Questions, Comments, Suggestions, … (and some Zen Moments)
Security is a river not a road
The most secure things are those not there
"I say, let your affairs be as two or three, and not a hundred or a thousand; instead of a million count half a dozen, and keep your accounts on your thumb-nail." – Thoreau
Something will go wrong – expect it; embrace it; work with it
References
OWASP Application Security Architecture Cheat Sheet - https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet
Symantec achieves highest number of SSL certificates issued globally - http://www.nationmultimedia.com/technology/Symantec-achieves-highest-number-of-SSL-certificat-30186424.html
Serge Egelman, Lorrie Faith Cranor, and Jason Hong, “You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings” - http://repository.cmu.edu/cgi/viewcontent.cgi?article=1061&context=hcii
David Dunning and Justin Kruger, “Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments”, Journal of Personality and Social Psychology, 1999 - http://www.scirp.org/Journal/PaperDownload.aspx?paperID=883&fileName=Psych.20090100004_39584049.pd
Andrew Jones, “How do you make information security user friendly?” - http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=7286&context=ecuworks
Jericho Forum Data Protection – Problem Statement and Requirements for Future Solutions - https://www2.opengroup.org/ogsys/catalog/W12C
Oops, I Learned Something (a.k.a. poor man’s governance)
Positive vs. Negative:
Positive reinforcement: the adding of a pleasant outcome to increase a certain behavior or response
Positive punishment: the adding of an unpleasant outcome to decrease a certain behavior or response
Negative reinforcement: the taking away of an unpleasant outcome to increase a certain behavior or response
Negative punishment (omission training): the taking away of a pleasant outcome to decrease a certain behavior
“This Isn’t Your Father’s Security”
Repeat, repeat, repeat, repeat, improve, repeat, repeat, …
Testing *can* be fun
Communicate
Accidental Learning
Still Crazy After All These Years
During a breach at rockyou.com where 32 million passwords were stolen it was discovered:
30% of the passwords were six characters or smaller
60% were passwords created from a limited set of alphanumeric characters
50% of the users had used easily guessable names, common slang words, adjacent keyboard keys and consecutive digits as their passwords
A study of password habits in 2007 found that users still choose the weakest they can get away with, much as they did three decades earlier
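The three categories reported for the rockyou.com breach (too short, limited character set, easily guessable patterns) are exactly what a password-policy check or a periodic audit of a credential store should flag before an attacker does. The Python example below is added here and is not from the slides: it implements those three checks as simple heuristics (length of six or less; only lowercase letters and digits; a small constructed word list, adjacent-key runs on a QWERTY layout, and runs of consecutive digits) and reports the percentage of a sample that trips each one. The word list, the sample passwords, and the four-character run length are this example's own constructed assumptions, not values from the page.

```python
import re

# Constructed stand-in for the names/slang list a real checker would load
COMMON_WORDS = ("password", "iloveyou", "princess", "monkey", "dragon", "jessica")
# QWERTY rows; the digit row also catches "1234"-style runs typed along the keyboard
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
RUN = 4  # how many adjacent keys / consecutive digits count as a guessable run (assumed)
GUESSABLE = {"common_word", "keyboard_run", "consecutive_digits"}


def _keyboard_run(pw: str) -> bool:
    """True if pw contains RUN adjacent keys from one row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + RUN] in s for i in range(len(seq) - RUN + 1)):
                return True
    return False


def _consecutive_digits(pw: str) -> bool:
    """True if pw contains RUN digits that each step by +1 or -1 (1234, 9876)."""
    for m in re.finditer(r"\d+", pw):
        d = [int(c) for c in m.group()]
        for i in range(len(d) - RUN + 1):
            steps = {d[j + 1] - d[j] for j in range(i, i + RUN - 1)}
            if steps == {1} or steps == {-1}:
                return True
    return False


def weak_password_reasons(pw: str) -> list:
    """Return the list of weakness tags that apply to pw (empty if none)."""
    reasons = []
    if len(pw) <= 6:
        reasons.append("too_short")
    if re.fullmatch(r"[a-z0-9]+", pw):          # limited charset: lowercase + digits only
        reasons.append("limited_charset")
    if any(w in pw.lower() for w in COMMON_WORDS):
        reasons.append("common_word")
    if _keyboard_run(pw):
        reasons.append("keyboard_run")
    if _consecutive_digits(pw):
        reasons.append("consecutive_digits")
    return reasons


def audit_passwords(passwords) -> dict:
    """Percentage of the sample in each of the three reported categories."""
    total = len(passwords)
    short = limited = guessable = 0
    for pw in passwords:
        r = set(weak_password_reasons(pw))
        short += "too_short" in r
        limited += "limited_charset" in r
        guessable += bool(r & GUESSABLE)

    def pct(n):
        return round(100.0 * n / total, 1)

    return {"short": pct(short), "limited_charset": pct(limited), "guessable": pct(guessable)}


# Constructed sample of ten passwords; not data from the breach
SAMPLE_PASSWORDS = [
    "123456", "qwerty", "password", "iloveyou1", "Tr0ub4dor&3",
    "abc123", "Zxcvb99", "correct horse battery staple", "9876543", "Monkey2024!",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r}: {weak_password_reasons(pw) or ['ok']}")
    print(audit_passwords(SAMPLE_PASSWORDS))
```

Run against a real credential export (after hashing is reversed only in a controlled audit, never in production code paths) the same function gives a per-category figure that can be compared release over release, which is the only way to tell whether a policy change is actually moving users off the patterns the slide lists.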
"It Won't Happen To Me."
“Put on a happy face”
“I wouldn’t let it happen that way”
The more you know, the less you think you know. The reverse is scary: the less you know, the more you think you know.
The Trust Factor
Trust is an action involving the voluntary placement of the person doing the trusting at the disposal of the person being trusted (the trustee), with no real commitment from the trustee
People instinctively trust other people
If the person being trusted is trustworthy then the person doing the trusting is better off; conversely, if the person being trusted is untrustworthy then the person doing the trusting is worse off
Trust allows actions which are otherwise not possible
Small Change Blindness
As long as the changes in our environment occur slowly, we adapt to them and are unlikely to detect the change
Sitting in front of a computer we are blissfully unaware of what is happening 'behind the curtains'
From a security forum: “…Telling the average computer user to look out for suspicious activity doesn't work because most of the time they haven't any idea what activity is considered suspicious. ‘My hard drive light went on - should I worry?’ or ‘My game paused for a moment - should I worry?’”
“…if I'm running a quad core computer I probably wouldn't notice a bot running on my system”
Risking Gains and Accepting Losses
When it comes to evaluating gains or losses, people have a built-in heuristic against risking gains or accepting losses. Put another way, it’s not whether you win or lose, it’s how you frame the question.
Called Prospect Theory, this is best demonstrated by an experiment put together by Daniel Kahneman and Amos Tversky
“I’ve Always Done It This Way”
Habitual thinking and behavior are a result of powerful neural pathways in our brains and memories that are automatically and unconsciously accessed
Unconscious thought processes can predetermine, without an individual's awareness, decision-making bias and actual decision-making
Emotions are the key driver to decision-making, not logical, analytical thought; our logical processes are often only rational justifications for emotional decisions