Principles of Secure System Design John Scrimsher CISO / Head of IT @ Damballa


Page 1: Principles of secure system design

Principles of Secure System Design

John Scrimsher, CISO / Head of IT @ Damballa, [email protected]

Page 2: Principles of secure system design

This is a unique presentation of non-unique ideas

› Information gathered from multiple sources, including the speaker's own experiences
› Todd Merritt: https://dzone.com/articles/9-software-security-design
› Gary McGraw: http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security
› Google: Principles of Secure System Design

Page 3: Principles of secure system design

The Buzz

Page 4: Principles of secure system design

Initial Considerations

› Start with the weakest link
› Do not trust by default
› Assume secrets are not safe
› Assume the network is dirty
› Ask for help / borrow others' ideas

Page 5: Principles of secure system design

9 Primary Principles of Secure System Design

1. Principle of Least Authority
2. Fail Securely
3. Economy of Mechanism (KISS Principle)
4. Mediate Completely
5. Open Design (vs. security by obscurity)
6. Separation of Duties / Privileges
7. Least Common Mechanism
8. Psychological Acceptability
9. Defense in Depth

Page 6: Principles of secure system design

Principle of Least Authority

› Need-to-know basis
› Only grant the permissions required to complete the task requested

Page 7: Principles of secure system design

Fail Securely

› Fail Open: the service continues to work when the security mechanism fails
› Fail Closed: the service ceases to work when the security mechanism fails
› Fail Securely: fail in the manner that provides security of life and intellectual property

[Figure: fail open vs. fail closed]

Page 8: Principles of secure system design

Economy of Mechanism

› KISS Principle: keep it as simple and small as possible
› Complexity is the enemy of security
› Design and implementation errors may result in unauthorized access that would not be noticed until normal use
› Complexity may also break access where it is needed

Ankita Thaker, Maze door lock

Page 9: Principles of secure system design

Mediate Completely

› All access requests should be validated for authorization
› Prevent backdoor or "go-around" access
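The Least Authority slide (grant only the permissions the task needs) and the Mediate Completely slide (validate every access request, leave no go-around path) combine naturally into a reference monitor. The following is an added example written for this page, not code from the deck or from Damballa; `ReferenceMonitor`, `DocumentStore`, the grants and the document names are all constructed. Every public operation on the store routes through one `check()` call, the raw document dictionary is never exposed, and each token authorizes only the listed actions on one named resource.

```python
"""Reference monitor: single point of mediation plus least-authority grants.
Added illustration; all classes and sample data here are constructed."""

from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    actions: frozenset


class ReferenceMonitor:
    """Every access decision is made here and every decision is audited."""

    def __init__(self):
        self._grants = {}  # opaque token -> Grant
        self.audit = []    # (subject, resource, action, allowed)

    def grant(self, subject, resource, actions):
        # Least authority: the token authorizes only these actions on this resource.
        token = secrets.token_urlsafe(16)
        self._grants[token] = Grant(subject, resource, frozenset(actions))
        return token

    def check(self, token, resource, action):
        g = self._grants.get(token)
        allowed = g is not None and g.resource == resource and action in g.actions
        self.audit.append((g.subject if g else None, resource, action, allowed))
        return allowed


class DocumentStore:
    """All public operations call the monitor first. Nothing outside this class
    can reach _docs, so there is no backdoor or go-around path to the data."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._docs = {}

    def _mediate(self, token, name, action):
        if not self._monitor.check(token, name, action):
            raise PermissionError(f"{action} on {name} denied")

    def read(self, token, name):
        self._mediate(token, name, "read")
        return self._docs[name]

    def write(self, token, name, body):
        self._mediate(token, name, "write")
        self._docs[name] = body

    def delete(self, token, name):
        self._mediate(token, name, "delete")
        del self._docs[name]


def demo():
    """Exercise the store with a full-rights token and a read-only one."""
    monitor = ReferenceMonitor()
    store = DocumentStore(monitor)
    owner = monitor.grant("alice", "report.txt", ["read", "write", "delete"])
    store.write(owner, "report.txt", "Q3 numbers")
    # Need-to-know: bob only ever needed to read this one report.
    reader = monitor.grant("bob", "report.txt", ["read"])
    results = {"read_ok": store.read(reader, "report.txt") == "Q3 numbers"}
    for action, args in [("write", ("report.txt", "tampered")),
                         ("delete", ("report.txt",)),
                         ("read", ("payroll.txt",))]:
        try:
            getattr(store, action)(reader, *args)
            results[f"{action}_denied"] = False
        except PermissionError:
            results[f"{action}_denied"] = True
    results["audit_entries"] = len(monitor.audit)
    return results
```

Two design choices carry the principles: the monitor checks the resource name as well as the action, so a read grant on one document does not leak into another, and the store has no bulk-export or debugging method that skips `_mediate`; adding one later is exactly the kind of go-around the slide warns about and would show up in review as a method that touches `_docs` without calling the monitor.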

Page 10: Principles of secure system design

Psychological Acceptability

› If users perceive that security is hindering their job, they are more likely to go around the process

› Perceived value in their job will increase utilization

Page 11: Principles of secure system design

Open Design

› Do not rely upon obscurity
› Eventually someone will stumble upon it
› Don't get stuck in the trap of "it's behind our firewall, so that's good enough"

Rendering by Jonathan L.: http://www.blendernation.com/2012/07/14/cabin-in-the-woods/

Page 12: Principles of secure system design

Separation of Duties / Privileges

› Prevents fraud and error
› Quality control (integrity of data)
› Examples (including the people with access to these roles / environments):
− Development and Production environments
− Database Admin (DBA) vs. System Admin
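Separation of duties applied to the Development vs. Production example on this slide: the developer who authored a change cannot approve it, and only someone holding a release role can push it to production. This is an added example, not code from the deck or from Damballa; the role table, the user names and the `ChangeRequest` workflow are constructed for illustration.

```python
"""Separation of duties for a production change: author, approver and deployer
must be different people in different roles. Added illustration; constructed data."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed role assignments. Nobody here holds both a developer and a release role.
ROLES = {
    "dev_dana": {"developer"},
    "dev_eli": {"developer"},
    "rel_rita": {"release"},
    "dba_dan": {"dba"},
}


class SoDViolation(Exception):
    """Raised when one person would cover two duties that must stay separate."""


@dataclass
class ChangeRequest:
    author: str
    description: str
    approvals: set = field(default_factory=set)
    deployed_by: Optional[str] = None

    def approve(self, reviewer: str) -> None:
        # A second pair of eyes: the author may never sign off on their own work.
        if reviewer == self.author:
            raise SoDViolation("author may not approve own change")
        if "developer" not in ROLES.get(reviewer, set()):
            raise SoDViolation(f"{reviewer} is not a developer and cannot review code")
        self.approvals.add(reviewer)

    def deploy(self, operator: str) -> None:
        # Production access is a separate duty from writing or reviewing code.
        if not self.approvals:
            raise SoDViolation("unapproved change")
        if "release" not in ROLES.get(operator, set()):
            raise SoDViolation(f"{operator} lacks the release role")
        if operator == self.author or operator in self.approvals:
            raise SoDViolation("deployer must be independent of author and approver")
        self.deployed_by = operator


def run_scenarios() -> dict:
    """Walk one change through the workflow and record which steps were blocked."""
    cr = ChangeRequest("dev_dana", "rotate the API key in the service config")
    out = {}
    for step, fn, who in [("self_approve", cr.approve, "dev_dana"),
                          ("dba_approve", cr.approve, "dba_dan"),
                          ("peer_approve", cr.approve, "dev_eli"),
                          ("dev_deploy", cr.deploy, "dev_dana"),
                          ("release_deploy", cr.deploy, "rel_rita")]:
        try:
            fn(who)
            out[step] = "ok"
        except SoDViolation:
            out[step] = "blocked"
    out["deployed_by"] = cr.deployed_by
    return out
```

The checks are deliberately on identity and role rather than on trust: the same person being both author and approver is blocked even if they are the most senior engineer, which is what makes the control effective against both fraud and honest mistakes.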

Page 13: Principles of secure system design

Least Common Mechanism

› Separate sessions for separate users
› Similar to Separation of Duties
› Do not share resources where not required
− Internal authentication for internal resources, external authentication for external resources
− This is one reason we need Complete Mediation

Page 14: Principles of secure system design

Defense In Depth

› Layered approach to security
› Requires multiple attack types to penetrate

Page 15: Principles of secure system design

9 Primary Principles of Secure System Design

1. Principle of Least Authority
2. Fail Securely
3. Economy of Mechanism (KISS Principle)
4. Mediate Completely
5. Open Design (vs. security by obscurity)
6. Separation of Duties / Privileges
7. Least Common Mechanism
8. Psychological Acceptability
9. Defense in Depth

Page 16: Principles of secure system design

What's Missing?

› Password Management
› Two-Factor Authentication
› Encryption
› Data in Motion vs. at Rest
› I am sure you can think of more...

Page 17: Principles of secure system design

DAMBALLA: Specialists in Advanced Threat Detection

› Threat Discovery Center processes nearly 15% of the world's Internet traffic daily
› Protects more than ½ billion devices daily
› Founded by data scientists & researchers in 2006
› Product innovation: 4 patents; 12 pending
› Global deployments and customers on five continents
› Customers in every vertical market

Page 18: Principles of secure system design

AUTOMATE DETECTION AND RESPONSE

Advanced Threat Detection

› Automate discovery and validation without human intervention
› Detect unknown threats that hide from traditional controls and assess the risk / impact of infection
› Respond automatically, with indisputable evidence, to prevent loss