Security Hardening and Drown Attack Prevention for Mobile Backend Developers 6.6.2016 Jiří Danihelka


IT Security

The high-level objectives of any IT Security activity are:
- Confidentiality
- Integrity
- Availability

Customer requirements

Customers expect a high degree of IT Security; it is a basic requirement.

IT security breaches may have a very negative impact on the customer's reputation.

More and more of our customers will expect you to have formal IT processes for development, operations and security.

IT Security approach

Objective: to meet top-level IT Security objectives appropriate to the customer's needs with a reasonable, optimal effort.

- Well-defined, lightweight IT Security process
- Consistent application of the IT Security process over time:
  - Everybody is concerned
  - Top-down: clear policy and instruction
  - Bottom-up: contribution

Key chapters of the IT Security Policy

- Generic sysadmin «good practice»: passwords, access rights, starters/leavers, physical & remote access
- Backup, Recovery and Disaster Recovery/Business Continuity
- Risk Management
- Security Incident Management
- Security in the Software Development Lifecycle:
  - Segregation of Environment, Data and Duties
  - Secure Coding
  - Quality Assurance and Vulnerability Testing
  - Source Code Management (CI/CD)

Security Hardening

Security Layers

There is no such thing as 100% security. We need security in multiple layers in case something fails.

Security layers

- Automatic deployment accounts work with permissions restricted to the installation directories (they cannot change the operating system)
- Stricter restrictions on the firewall: critical internal servers are not reachable from outside
- Server hosting in a highly secure environment; databases are encrypted
- Use cloud services

DROWN SSL Vulnerability

DROWN server vulnerability:
- a cross-protocol attack
- the attacker misuses the deprecated SSLv2 protocol to gain information about the encryption key
- the obtained information is used to attack the modern TLS security protocol

DROWN attack: possible scenarios

More reasons to disable SSL protocols: insecure protocols can be decrypted by sniffing the traffic.

More reasons to disable SSL protocols: an attacker in the middle can disable the secure protocols.
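
The two slides above and the DROWN description boil down to one check: does any of your servers still offer SSLv2 (or SSLv3)? The following Python audit is an added example, not part of the deck; it reads the real nginx `ssl_protocols` and Apache `SSLProtocol` directives from constructed sample configurations and reports which legacy protocols remain enabled. It assumes, as a worst case, that Apache's `all` keyword may include SSLv2 on older builds. Because DROWN is cross-protocol, the audit takes the union over every directive it finds: one server block that still accepts SSLv2 with the shared private key undermines the TLS endpoints too.

```python
import re

# Legacy SSL versions the deck says to disable; SSLv2 is the DROWN precondition.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
# Worst-case expansion of Apache's "all" (assumption: older mod_ssl/OpenSSL
# builds could include SSLv2, so an audit should not assume it is absent).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.IGNORECASE)
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def apache_enabled(spec):
    """Expand Apache's 'all -SSLv2 -SSLv3' / '+TLSv1.2' token syntax into a set."""
    enabled = set()
    for tok in spec.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit_config(text):
    """Return (directives_seen, enabled_protocols, legacy_still_enabled).

    The union over every directive is deliberate: DROWN is cross-protocol, so a
    single vhost still accepting SSLv2 with the shared key undermines the rest.
    directives_seen == 0 means the server relies on compiled-in defaults.
    """
    enabled, seen = set(), 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = NGINX_RE.match(line) or APACHE_RE.match(line)
        if not m:
            continue
        seen += 1
        if m.re is NGINX_RE:
            enabled |= set(m.group(1).split())  # nginx lists protocols verbatim
        else:
            enabled |= apache_enabled(m.group(1))
    return seen, enabled, enabled & LEGACY_PROTOCOLS

# Constructed sample configurations: the weak setting next to the corrected one.
WEAK_NGINX = "server {\n  ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy\n}\n"
FIXED_NGINX = "server {\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
WEAK_APACHE = "<VirtualHost *:443>\n  SSLProtocol all\n</VirtualHost>\n"
FIXED_APACHE = "<VirtualHost *:443>\n  SSLProtocol all -SSLv2 -SSLv3\n</VirtualHost>\n"
```

Run `audit_config` over each server's configuration; a non-empty third element means SSLv2 or SSLv3 is still offered, and a first element of 0 means no directive was found and the compiled-in defaults need checking instead.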

Results of disabling SSLv2

- HTTPS will no longer work with some old browsers
- Except for Internet Explorer, all browsers update automatically
- Internet Explorer supports the TLS protocol from version 7
- Windows Vista and newer have no problem
- Windows XP users can update their IE6 to version 8
- Users of Windows 98 can no longer use HTTPS in IE