14.10.2015 © Thomas Bleier 1
Thomas Bleier
Security by Design
OWASP EEE
14.10.2015
Definition of "Security"
• Webster: "The quality or state of being secure, as
o Freedom from danger
o Freedom from fear or anxiety
o Freedom from the prospect of being laid off"
• In IT typically defined by
o Confidentiality
o Integrity
o Availability
• "Security" means different things to different people, especially in IT
Confidentiality
• Only authorized users are able to access information and/or systems
• Confidentiality vs. privacy
o Privacy: protects the person
o Confidentiality: protects the organisation/information
• Confidentiality of the content of information vs. confidentiality of the source or destination of information (metadata)
Integrity
• Prevention of malicious manipulation of systems and/or data
• Integrity of the content
o Protection against unauthorized change
• Integrity of the source of information (authenticity)
o Protection against forged information
• Trust is based on the integrity of information and/or systems
Availability
• Ensure that information and/or systems can be used by authorized users when needed
• An important aspect of security, especially in business terms
• In cyber-physical systems (ICS, etc.) availability often has a higher priority than confidentiality or integrity
Other aspects of "Security"
• Non-repudiation of information or actions
• Resilience: recovering from security problems
• Trustworthiness: trust in a system
• Anonymity of information or actions
• Protection against unwanted information or actions
Security is not absolute
• Security level compared to peers (an attacker picks the easier target)
• Security level of a system: the breadth of coverage and the lowest point are crucial, not the highest point
Risk
• ISO/IEC Guide 73:2002: Risk: combination of the probability [...] of an event [...] and its consequence
• Risk = Threat × Vulnerability × Impact
  (Threat × Vulnerability = Likelihood)
Security vs. Safety
• No "100%" security/validation possible
• Example:
o Invalid input may crash a system with a probability of 1 in 10^15
o Safety: probably acceptable (random faults)
o Security: an attacker looks for exactly this case and triggers it deliberately
Security by Design
Principles
Best practice: "Avoid known errors!"
Defense in Depth
• Don't put all your eggs in one basket!
• Multiple layers of defense
• Diverse strategies
• An attacker has to overcome multiple barriers and is more likely to be detected on the way
• Examples:
o Access control and encryption to protect data
o Web application firewalls
o Protocol switches/translations
Secure the weakest link
• Attackers usually choose the simplest way
o Making already secure parts more secure does not help
• Find the "weak links"
o e.g. via threat analysis
• Risk management is essential
o Think like an attacker...
• Examples:
o Why try to break the SSL encryption when a trojan on the client is much easier?
o Why try to attack the firewall when you can access the database directly via SQL injection?
Least Privilege
• For each activity, use only the minimal required privileges
• Rights based on the task, not on role/identity
• Granularity of assignment, e.g. POSIX permissions vs. modern ACLs
• Execute activities that need higher privileges only temporarily, then drop the privileges again
• Examples:
o User accounts: Unix vs. Windows vs. UAC
o Sandboxing: Adobe Reader, Chrome plugins, etc.
o Privileged ports in Unix (<1024): daemons should drop root privileges after binding
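An added example (not from the slides) of the last bullet: a Unix daemon that needs root only to bind its privileged port, and then drops it for good. Assumptions: Linux/POSIX, uid/gid 65534 ("nobody") as the unprivileged target when started as root; when run without root it drops to its own ids so that the same call sequence and the final self-check can still be exercised. The socket code is left out; the point is the order of the calls and the check that root cannot be regained.

```c
/* Added example, not from the slides: drop root irrevocably after the
 * privileged setup work is done. Assumes Linux/POSIX and uid/gid 65534
 * as the unprivileged target when started as root. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __linux__
int setgroups(size_t, const gid_t *);   /* from <grp.h>; repeated for strict -std= modes */
#endif

/* Order matters: supplementary groups first, then the primary gid, then
 * the uid. Each step needs privileges a later step takes away, so any
 * other order leaves the process half-dropped with the remaining call
 * failing with EPERM. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                          /* refuse to "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                          /* clear inherited groups (root only) */
    if (setgid(gid) != 0)                   /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)                   /* real, effective and saved uid */
        return -1;
    return 0;
}

/* Self-check: regaining root must now be impossible. If setuid(0) succeeds,
 * the saved uid is still 0 (e.g. only seteuid() was used) and the process
 * can re-escalate whenever an attacker makes it do so. */
int privileges_irrevocable(void)
{
    if (geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;                           /* root is back: NOT dropped */
    return errno == EPERM;
}

/* Which ids to drop to: "nobody" when root, otherwise our own ids. */
uid_t target_uid(void) { return geteuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t target_gid(void) { return geteuid() == 0 ? (gid_t)65534 : getgid(); }

int main(void)
{
    /* A real daemon would socket()/bind() its port < 1024 here, while
     * still root, and only then drop. */
    if (drop_privileges(target_uid(), target_gid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    int ok = privileges_irrevocable();
    printf("now uid=%u gid=%u, root regainable: %s\n",
           (unsigned)geteuid(), (unsigned)getegid(), ok ? "no" : "YES (bug)");
    return ok ? 0 : 1;
}
```

The self-check is the part most daemons skip: seteuid() alone leaves the saved uid at 0, so the next setuid(0) succeeds and the "drop" was cosmetic. Only setuid() (or setresuid() with all three ids) makes it permanent.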
Open Design
• No "security by obscurity"
o The security of a system must not depend on the implementation staying secret
• Kerckhoffs's principle for encryption
o Always assume that an attacker has complete knowledge of the system (everything except the key)
• But: concealing the internal structure of a system can be an additional layer of protection
o e.g. network: do not publish internal network details (DNS, NAT)
• Examples:
o Encryption algorithms: AES; hash algorithms: SHA-3 (both selected in open competitions)
o MIFARE Classic RFID chip: proprietary cipher, broken after reverse engineering
Economy of Mechanism
• Security mechanisms should be as simple as possible
• KISS: "Keep it simple, stupid"
• Less functionality means less that can go wrong...
• Also no unnecessary security functionality
• Reduces errors in implementation, but also in configuration and usage
• Makes validation easier
• Examples:
o Microkernel architectures
o Security appliances: "function bloat"
Compartmentalization
• Separation of the system into sealed compartments
• A security breach in one area does not necessarily lead to a compromise of the whole system
• Limits the damage of successful attacks
• Examples:
o Network segmentation
o Virtualization (hypervisors, zones, jails, etc.)
o DigiNotar: public CA and government CA in the same trust zone
Detect – Deter – Prevent
• No security system is perfect
• If you can't prevent successful attacks, you should at least detect them...
• Traceability of activities in a system and correlation to actors
• Deterrence
• Different levels:
o Detect: e.g. forensics after the fact
o Deter: the prospect of detection and prosecution discourages attackers
o Detect and recover: the attack was successful, but the impact is minimized
o Prevent: the attack is blocked
Detect – Deter – Prevent
• Examples:
o Antivirus, IDS/IPS
o Credit Cards – analysis of transactions
o Bookkeeping – double-entry accounting
o Logging and analysis of transactions in the finance industry
Secure defaults
• "Secure" settings should be the default
• Less secure settings have to be activated deliberately
• Blacklisting vs. whitelisting
• Examples:
o Access control: "default deny"
o Network/firewall: all ports blocked, selectively opened
o Operating system: no services active by default
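An added example (not from the slides) of "blacklisting vs. whitelisting" and "default deny" on the firewall bullet: the same packets are evaluated once against a denylist (block the known-bad ports, let everything else through) and once against an allowlist (let exactly the listed traffic through, drop the rest). The rule tables, addresses and ports are constructed for illustration; the parser and matcher are written here rather than taken from any real firewall.

```c
/* Added example, not from the slides: denylist (default allow) versus
 * allowlist (default deny) evaluation of constructed IPv4 packets. */
#include <stdint.h>
#include <stdio.h>

struct rule { const char *net; int prefix; uint16_t port; };   /* port 0 = any */

/* Parse dotted-quad IPv4 into host byte order; returns 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Does the packet fall under this rule (prefix match on source, exact port)? */
static int rule_matches(const struct rule *r, const char *src, uint16_t port)
{
    uint32_t net, ip, mask;
    if (r->port != 0 && r->port != port) return 0;
    if (!parse_ipv4(r->net, &net) || !parse_ipv4(src, &ip)) return 0;
    if (r->prefix <= 0)       mask = 0;
    else if (r->prefix >= 32) mask = 0xFFFFFFFFu;
    else                      mask = 0xFFFFFFFFu << (32 - r->prefix);
    return (ip & mask) == (net & mask);
}

/* Default allow: the packet passes unless a deny rule names it. */
int denylist_allows(const struct rule *deny, int n, const char *src, uint16_t port)
{
    for (int i = 0; i < n; i++)
        if (rule_matches(&deny[i], src, port)) return 0;
    return 1;                                  /* unmatched: let it through */
}

/* Default deny: the packet passes only if an allow rule names it. */
int allowlist_allows(const struct rule *allow, int n, const char *src, uint16_t port)
{
    for (int i = 0; i < n; i++)
        if (rule_matches(&allow[i], src, port)) return 1;
    return 0;                                  /* unmatched: drop */
}

/* Constructed policies for an Internet-facing web server: "block telnet
 * and RDP" versus "allow HTTPS from anywhere and SSH only from 10/8". */
const struct rule DENY[]  = { {"0.0.0.0", 0, 23}, {"0.0.0.0", 0, 3389} };
const struct rule ALLOW[] = { {"0.0.0.0", 0, 443}, {"10.0.0.0", 8, 22} };
#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    const struct { const char *src; uint16_t port; const char *note; } pkts[] = {
        {"203.0.113.7", 443,  "public HTTPS"},
        {"10.1.2.3",    22,   "admin SSH from the internal network"},
        {"203.0.113.7", 22,   "SSH from the Internet"},
        {"203.0.113.7", 5432, "database port nobody thought to block"},
    };
    for (int i = 0; i < COUNT(pkts); i++)
        printf("%-12s:%-5u denylist=%-4s allowlist=%-4s (%s)\n",
               pkts[i].src, (unsigned)pkts[i].port,
               denylist_allows(DENY, COUNT(DENY), pkts[i].src, pkts[i].port) ? "pass" : "drop",
               allowlist_allows(ALLOW, COUNT(ALLOW), pkts[i].src, pkts[i].port) ? "pass" : "drop",
               pkts[i].note);
    return 0;
}
```

The last two packets are the point: the denylist admin never wrote a rule for SSH from the Internet or for the database port that was enabled last week, so both pass; under the allowlist, anything nobody explicitly thought about is dropped.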
Separation of Duties/Privileges
• A decision should not be based on a single condition
• More checks mean more chances that a security breach can be detected
• Security vs. availability: every additional check is one more thing that can block a legitimate action
• Examples:
o Four-eyes principle
o Two-factor authentication
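An added example (not from the slides) of the four-eyes principle in code: releasing a payment requires approvals from a required number of different people, none of whom may be the requester. The amount threshold, the names and the amounts are constructed for illustration.

```c
/* Added example, not from the slides: four-eyes approval as a small state
 * machine. Policy (constructed): two approvers by default, three above
 * 100,000.00; the requester never counts; the same person never counts twice. */
#include <stdio.h>
#include <string.h>

#define MAX_APPROVERS 4

enum outcome { APPROVED, ERR_SELF_APPROVAL, ERR_DUPLICATE_APPROVER, ERR_ALREADY_RELEASED };

struct request {
    const char *requester;
    long amount_cents;
    int required;                          /* approvals needed before release */
    const char *approvers[MAX_APPROVERS];
    int n_approvers;
};

/* Constructed policy: more eyes for larger amounts. */
int required_approvals(long amount_cents)
{
    return amount_cents > 10000000L ? 3 : 2;
}

struct request new_request(const char *requester, long amount_cents)
{
    struct request r = { requester, amount_cents, required_approvals(amount_cents), {0}, 0 };
    return r;
}

/* Record one approval. Each rejection is a separate condition, so neither
 * a single compromised identity nor a single repeated click can satisfy
 * the policy on its own. */
enum outcome approve(struct request *r, const char *who)
{
    if (r->n_approvers >= r->required)
        return ERR_ALREADY_RELEASED;
    if (strcmp(who, r->requester) == 0)
        return ERR_SELF_APPROVAL;          /* requester cannot approve own request */
    for (int i = 0; i < r->n_approvers; i++)
        if (strcmp(who, r->approvers[i]) == 0)
            return ERR_DUPLICATE_APPROVER; /* same person twice is still one pair of eyes */
    r->approvers[r->n_approvers++] = who;
    return APPROVED;
}

/* The action happens only when the full quorum is present. */
int is_released(const struct request *r)
{
    return r->n_approvers >= r->required;
}

int main(void)
{
    struct request r = new_request("alice", 250000L);       /* 2,500.00: two approvers */
    const char *attempts[] = { "alice", "bob", "bob", "carol" };
    for (int i = 0; i < 4; i++)
        printf("%-6s -> outcome %d, released: %s\n", attempts[i],
               (int)approve(&r, attempts[i]), is_released(&r) ? "yes" : "no");
    return is_released(&r) ? 0 : 1;
}
```

The availability cost from the slide is visible too: a legitimate payment waits until a second (or third) person is available, which is exactly the trade-off the threshold encodes.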
Least common mechanism
• Different systems/system parts should not depend on the same security mechanism
• Problem of information transfer via "covert channels"
• Assumptions that hold in one case are probably invalid in another
• Examples:
o Single sign-on: central authentication mechanisms
o Password recovery on websites
o Authentication via other services (Facebook, etc.)
Example: Apple iCloud / Amazon hack
• August 2012: "How Apple and Amazon Security Flaws Led to My Epic Hacking"
o http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
o iCloud: Apple cloud service for the iPhone (backup, sync, etc.)
o Protected by a password
o Reset of the password is possible via Apple Support
o For this you need the billing address and the last 4 digits of the credit card
• How do you get this information?
o Call Amazon Support: "I'd like to add a new credit card"
o Needed: account name, e-mail address, billing address
o Call Amazon Support again, tell them you have lost access to your e-mail account
o Needed: account name, billing address and a credit card number (the one you just added)
o Log in to the Amazon account via password reset
o Access to the last orders: last 4 digits of the credit card used to pay
Completely Mediated Access
• Every access to a system has to be checked
o Not only the first/front/user-facing one
• No bypass of access control
o Developer access
o Performance optimizations
• Examples:
o Web application firewall
o Maintenance passwords in various devices/appliances
Fail secure
• In the event of an error a security mechanism should end up in the "secure" state
• Railway vs. airplane: a train can fail safe by stopping, an aircraft has no such state
• Typical example in software code: comments such as
o // this should never happen...
o // fixme later
• Typical code example (fails open: any return value other than ERROR_ACCESS_DENIED, including an error from the check itself, grants access):

DWORD dwRet = IsAccessAllowed(...);
if (dwRet == ERROR_ACCESS_DENIED) {
    // Security check failed.
    // Inform user that access is denied.
} else {
    // Security check OK.
    // BUG: also reached for every other error code IsAccessAllowed() can return
}
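An added example (not from the slides): the access check above written twice. fail_open_decision() reproduces the slide's pattern, in which only an explicit ERROR_ACCESS_DENIED denies, so any other failure of the check grants access; fail_secure_decision() grants only on an explicit success. The error codes carry the Win32 values but are defined locally so the example compiles anywhere, and is_access_allowed() is a constructed stand-in for the real check, including one caller for which the check itself cannot run.

```c
/* Added example, not from the slides: the fail-open pattern from the slide
 * next to its fail-secure form. Win32-valued error codes defined locally;
 * is_access_allowed() is a constructed stand-in for IsAccessAllowed(). */
#include <stdio.h>
#include <string.h>

typedef unsigned long DWORD;
#define ERROR_SUCCESS            0UL
#define ERROR_ACCESS_DENIED      5UL
#define ERROR_INVALID_HANDLE     6UL
#define ERROR_NOT_ENOUGH_MEMORY  8UL

/* Stand-in for the real check: admins allowed, guests denied, and two
 * cases in which the check does not produce a verdict at all. */
DWORD is_access_allowed(const char *user)
{
    if (strcmp(user, "admin") == 0) return ERROR_SUCCESS;
    if (strcmp(user, "guest") == 0) return ERROR_ACCESS_DENIED;
    if (strcmp(user, "oom")   == 0) return ERROR_NOT_ENOUGH_MEMORY; /* check could not run */
    return ERROR_INVALID_HANDLE;                                     /* unknown user: lookup failed */
}

/* The slide's pattern: everything that is not "denied" is treated as "ok".
 * An attacker who can make the check fail (exhaust memory, break the
 * lookup) walks straight in. */
int fail_open_decision(DWORD rc)
{
    if (rc == ERROR_ACCESS_DENIED)
        return 0;                          /* deny */
    return 1;                              /* allow, including on errors */
}

/* Fail secure: everything that is not an explicit success is denied.
 * An error in the check costs availability for that request, not access
 * control for the system. */
int fail_secure_decision(DWORD rc)
{
    if (rc == ERROR_SUCCESS)
        return 1;                          /* allow */
    return 0;                              /* deny, including on errors */
}

int main(void)
{
    const char *users[] = { "admin", "guest", "oom", "mallory" };
    for (int i = 0; i < 4; i++) {
        DWORD rc = is_access_allowed(users[i]);
        printf("%-8s rc=%lu  fail-open: %s  fail-secure: %s\n", users[i], rc,
               fail_open_decision(rc) ? "ALLOW" : "deny",
               fail_secure_decision(rc) ? "ALLOW" : "deny");
    }
    return 0;
}
```

The two versions agree on "admin" and "guest"; they disagree exactly on the cases the original author labelled "this should never happen".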
Psychological acceptability
• Security mechanisms should not be a (big) obstacle
• The UI for security has to be simple
o otherwise it will not be used
o or it will be circumvented
• Security mechanisms should not penalize users who obey the rules
• Design goal: "secure" usage should be "natural", "insecure" usage should be "unnatural"
• Examples:
o Passwords: length, complexity, lifecycle vs. the Post-it note
o Browser certificate warnings
"Good enough" – Security Economics
• A "perfect" security system is typically not necessary
o and also not feasible/affordable
o Too strong a focus on one area → negligence in other areas → weakest link
• "There are no secure systems, only degrees of insecurity" (Adi Shamir)
• "It's all about risk": a good risk analysis should be at the beginning of every security concept
• An absolutely secure system that cannot be used has the same value as a system without any security
Resilience – what happens after an attack?
• Preventing an attack is not enough
• The system has to stay operational, even after a successful attack
• Example:
o Content Scrambling System (DRM of the DVD): the whole system was broken after reverse engineering of a single player
o Better: Advanced Access Content System (Blu-ray): a single broken player (key) can be revoked → the system survives
Social Engineering
• Effort to break a system vs. effort to reach the goal...
• If the technical hurdles get too high → social engineering
o see Kevin Mitnick
• Microsoft Security Intelligence Report 2011:
o Nearly half of all malware infections involve some kind of "user interaction"
Security has a price
The right balance is important!
Trade-off: Security vs. Convenience vs. Functionality vs. Performance
Security has a price... (see http://support.microsoft.com/kb/276304/en-us)
Security by Design - Literature
• Ross Anderson: Security Engineering, 2008
• Bruce Schneier: Secrets & Lies, 2000
• NIST SP 800-27: Engineering Principles for Information Technology Security
• Bruce Schneier: Beyond Fear, 2006
• David Rice: Geekonomics, 2008
• Viega, McGraw: Building Secure Software, 2001
• Saltzer, Schroeder: The Protection of Information in Computer Systems, 1975
Questions?
Thomas Bleier
Dipl.-Ing. MSc zPM CISSP CISA CISM CEH
Senior Security Architect, Teamlead Security Professional Services
T-Systems Austria GmbH
thomas.bleier@t-systems.at | +43 676 8642 8587
thomas@bleier.at | +43 664 3400559
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 

[Austria] Security by Design

Security is not absolute
• Security level compared to peers
• Security level of a system
• Breadth and lowest point is crucial, not the highest point…

Risk
• ISO 73:2002: Risk: combination of the probability […] of an event […] and its consequence
• Risk = Threat × Vulnerability × Impact, where Threat × Vulnerability is the Likelihood
Security vs. Safety
• No „100%“ security/validation possible
• Example:
o Invalid input may crash a system with a probability of 1 in 10^15
o Safety: probably acceptable
o Security: an attacker looks for exactly this case

Security by Design Principles
Best Practice – „Avoid known errors!“
Defense in Depth
• Don't put all eggs in one basket!
• Multiple layers of defense
• Diverse strategies
• Attacker has to overcome multiple barriers
• More likely detected…
• Examples:
o Access control and encryption to protect data
o Web application firewalls
o Protocol switches/translations

Secure the weakest link
• Attackers usually choose the simplest way
o Making already secure parts more secure does not help
• Find the „weak links“
o e.g. via threat analysis
• Risk management is essential
o Think like an attacker…
• Examples:
o Why try to break the SSL encryption when using a trojan on the client is much easier?
o Why try to attack the firewall when you can access the database directly via SQL injection?
Least Privilege
• For each activity, use only the minimal required privileges
• Rights based on task, not role/identity
• Granularity of assignment, e.g. POSIX vs. modern ACLs
• Execute activities that need higher privileges only temporarily
• Examples:
o User accounts – Unix vs. Windows vs. UAC
o Sandboxing – Adobe Reader, Chrome plugins, etc.
o Privileged ports in Unix (<1024) – daemons should drop root privileges

Open Design
• No „Security by Obscurity“
o Security of a system must not depend on not knowing how it was implemented
• Kerckhoffs' principle for encryption
o Always assume that an attacker has complete knowledge about the system
• But: concealing the internal structure of a system can be an additional layer of protection
o e.g. network – do not publish internal network info (DNS, NAT)
• Examples:
o Encryption algorithms – AES; hash algorithms – SHA-3
o Mifare RFID chip: proprietary algorithm, broken by reverse engineering
Economy of Mechanism
• Security mechanisms should be as simple as possible
• KISS – „Keep it simple, stupid“
• Less functionality means less that can go wrong…
• Also no unnecessary security functionality
• Reduces errors in implementation, but also in configuration and usage
• Makes validation easier
• Examples:
o Microkernel architectures
o Security appliances – „function bloat“

Compartmentalization
• Separation of the system into sealed compartments
• Security breaches in one area do not necessarily lead to a whole-system compromise
• Curtailment of successful attacks
• Examples:
o Network segmentation
o Virtualization (hypervisor, zones, jails, etc.)
o DigiNotar: public CA and government CA in the same trust zone
Detect – Deter – Prevent
• No security system is perfect
• If you can't prevent successful attacks, you should at least detect them…
• Traceability of activities in a system and correlation to actors
• Deterrence
• Different gradients:
o Detect – e.g. forensics
o Deter – detection and prosecution is daunting
o Detect and Recover – attack was successful, but impact is minimized
o Prevent – attack prohibited
• Examples:
o Antivirus, IDS/IPS
o Credit cards – analysis of transactions
o Bookkeeping – double-entry accounting
o Logging and analysis of transactions in the finance industry
Secure defaults
• „Secure“ settings should be the default
• Less secure settings have to be activated deliberately
• Blacklisting vs. Whitelisting
• Examples:
o Access control: „default deny“
o Network/firewall: all ports blocked, selectively opened
o Operating system: no services active by default

Separation of Duties/Privileges
• Decisions should not be based on a single condition
• More checks mean more chances that a security breach can be detected
• Security vs. Availability
• Examples:
o Four-eyes principle
o Two-factor authentication
Least common mechanism
• Different systems/system parts should not depend on the same security system
• Problem of information transfer via „covert channels“
• Assumptions in one case are probably invalid in another case
• Examples:
o Single Sign-On – central authentication mechanisms
o Password recovery on websites
o Authentication via other services (Facebook, etc.)

Example: Apple iCloud / Amazon Hack
• August 2012: How Apple and Amazon Security Flaws Led to my Epic Hacking
o http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
o iCloud – Apple cloud service for iPhone (backup, sync, etc.)
o Protected by a password
o Reset of the password is possible via Apple Support
o For this you need your invoice address and the last 4 digits of your credit card
• How do you get this information?
o Call Amazon Support: „I'd like to add a new credit card“
o Need: account name, e-mail, invoice address
o Call Amazon Support again, tell them you lost your e-mail account
o Need: account name, invoice address and credit card number
o Log in to the Amazon account via password reset
o Access to last orders – last 4 digits of the credit card used to pay
Completely Mediated Access
• Every access to a system has to be checked
o Not only the first/front/user/etc.
• No bypass of access control
o Developer access
o Performance optimizations
• Examples:
o Web application firewall
o Maintenance passwords in various devices/appliances

Fail secure
• In the event of an error a security mechanism should be in the „secure“ state
• Examples:
o Railway vs. airplane
o Typical example in software code: „// this should never happen...“, „// fixme later“
o The access check below only denies on ERROR_ACCESS_DENIED; any other return value, such as an unexpected error, ends up in the „OK“ branch:

    DWORD dwRet = IsAccessAllowed(...);
    if (dwRet == ERROR_ACCESS_DENIED) {
        // Security check failed.
        // Inform user that access is denied.
    } else {
        // Security check OK.
        // Also reached for every other error code: this fails open.
    }
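The fail-open pattern from this slide next to its fail-secure form, as an added example that is not from the original deck; the status codes and the IsAccessAllowed stand-in are constructed here so the block compiles without the Win32 API:

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed status codes standing in for the Win32 values used on the
 * slide. The real IsAccessAllowed() is not available here, so a stub that
 * returns whatever the caller asks for simulates its possible outcomes. */
enum status {
    ST_SUCCESS = 0,
    ST_ACCESS_DENIED = 5,
    ST_HANDLE_INVALID = 6,      /* an "unexpected" failure */
    ST_NOT_ENOUGH_MEMORY = 8    /* another "should never happen" case */
};

static enum status is_access_allowed_stub(enum status simulated) {
    return simulated;           /* stand-in for IsAccessAllowed(...) */
}

/* The slide's pattern: only ACCESS_DENIED blocks the caller, so any other
 * failure (resource exhaustion, corrupted handle) falls into the "OK"
 * branch and grants access. This is fail-open. */
bool grant_fail_open(enum status simulated) {
    enum status ret = is_access_allowed_stub(simulated);
    if (ret == ST_ACCESS_DENIED) {
        return false;           /* Security check failed. */
    } else {
        return true;            /* assumed "Security check OK" */
    }
}

/* Fail-secure form: access is granted only on explicit success; every
 * other outcome, expected or not, lands in the denial path. */
bool grant_fail_secure(enum status simulated) {
    enum status ret = is_access_allowed_stub(simulated);
    if (ret == ST_SUCCESS) {
        return true;            /* Security check OK. */
    }
    /* ACCESS_DENIED and every unexpected error code end up here. */
    return false;
}

int main(void) {
    enum status cases[] = {ST_SUCCESS, ST_ACCESS_DENIED, ST_NOT_ENOUGH_MEMORY};
    for (int i = 0; i < 3; i++) {
        printf("status %d: fail-open=%d fail-secure=%d\n", (int)cases[i],
               grant_fail_open(cases[i]), grant_fail_secure(cases[i]));
    }
    return 0;
}
```

The difference shows only on the third case: an out-of-memory error is granted access by the fail-open check and denied by the fail-secure one.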
Psychological acceptability
• Security mechanisms should not be a (big) obstacle
• The UI for security has to be simple
o otherwise it will not be used
o or it will be circumvented
• Security mechanisms should not penalize users who obey the rules
• Design goal: „secure“ usage should be „natural“, „insecure“ usage should be „unnatural“
• Examples:
o Passwords: length, complexity, lifecycle vs. Post-It
o Browser – certificate warnings

„Good enough“ – Security Economics
• A „perfect“ security system is typically not necessary
o also not feasible/affordable
o Too strong a focus on one area → negligence in other areas → weakest link
• „There are no secure systems, only degrees of insecurity“ (Adi Shamir)
• „It's all about risk“ – a good risk analysis should be at the beginning of every security concept
• An absolutely secure system that cannot be used has the same value as a system without any security
Resilience – what happens after an attack???
• Preventing an attack is not enough
• The system has to stay operational, even after a successful attack
• Example:
o Content Scrambling System (DRM of the DVD): the system was broken after reverse engineering of a single player
o Better: Advanced Access Content System (Blu-ray): a single broken player (key) can be blocked → the system survives

Social Engineering
• Effort to break a system vs. effort to reach a goal…
• If technical hurdles get too high → social engineering
o see Kevin Mitnick
• Microsoft Security Intelligence Report 2011:
o Nearly half of all malware infections involve some kind of „user interaction“
Security has a price
• The right balance is important!
• (Figure: a balance with Security on one side and Convenience, Functionality and Performance on the other)

Security has a price…
• http://support.microsoft.com/kb/276304/en-us
Security by Design – Literature
• Ross Anderson: Security Engineering, 2008
• Bruce Schneier: Secrets & Lies, 2000
• NIST SP 800-27 – Engineering Principles for Information Technology Security
• Bruce Schneier: Beyond Fear, 2006
• David Rice: Geekonomics, 2008
• Viega, McGraw: Building Secure Software, 2001
• Saltzer, Schroeder: The Protection of Information in Computer Systems, 1975

Questions?
Thomas Bleier, Dipl.-Ing. MSc zPM CISSP CISA CISM CEH
Senior Security Architect, Teamlead Security Professional Services
T-Systems Austria GmbH
thomas.bleier@t-systems.at | +43 676 8642 8587
thomas@bleier.at | +43 664 3400559