SSL Is Not A Secure Architecture Greg Sternberg, CISSP Solutions/Security Architect Jeppesen 29 Jan 2013

Dec 27, 2015

Page 1: SSL Is Not A Secure Architecture Greg Sternberg, CISSP Solutions/Security Architect Jeppesen 29 Jan 2013.

SSL Is Not A Secure Architecture

Greg Sternberg, CISSP
Solutions/Security Architect, Jeppesen

29 Jan 2013

Page 2

Filename.ppt | 2

A Bit About Myself

Old: I've used punch cards, PL/1 and PDPs
If it involves computers I've probably done it
Former "status hacker"
Wrong side of the tracks
Study psychology as a hobby
Solutions/Security/Enterprise Architect @ Jeppesen, a Boeing company
Board member of the Denver chapter of ISSA
CISSP and TOGAF certified
Infragard member

Page 3

Agenda

When Success is Bad
SSL Will Solve World Hunger
Understanding The Players
Knowledge is a Good Thing
Think Bad
Secure Architectural Principles
If You're Lost, Your Priorities Change
We're All In This Together
Zen Moments (a.k.a. Q&A)

Page 4

Organic Growth

In The Beginning: mainframe, users working on the machines, physical security
Let There Be Users: client/server, users working on the network, IDS, anti-virus
We're Not In The Computer Center Anymore: SOA, users working from home, EDP, VPN
But Now...

Page 5

Do You Know Where Your Data Is? (or A Pirate's Cornucopia)

Page 6

SSL Will Solve Everything (just "get r' done!")

Only protects transfers, and only if it is actually used (data at rest and data in use are untouched)
Proliferation of certificates and CAs: Symantec alone has issued 811,511 certificates; there are around 650 CAs, any of which can issue a certificate for any name
Implementation problems: my client/server code is 400 LoC; at 1 bug per 10 lines of code...
Expects too much from users
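The first two bullets are where TLS deployments actually fail in practice: the protocol is sound, but client code that skips certificate verification turns it into plaintext with extra steps. The following Python is an added example, not code from the deck or from Jeppesen. It builds the weak and the hardened client configuration with the standard ssl module and audits both for the defects that make TLS decorative; it makes no network connection, and the trust-store count it reports depends on the machine it runs on.

```python
"""Added example (not from the slide deck): audit a client TLS
configuration for the mistakes that leave SSL "used" but useless.
Runs offline; nothing here opens a socket."""
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """The 'just get it working' configuration seen in far too much
    client code: any certificate is accepted, so an on-path attacker
    can terminate the connection with a self-signed cert and read it all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the platform trust store, check that the
    certificate matches the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context; an empty list means it is at least
    not self-defeating (it says nothing about the server end)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"obsolete protocol versions allowed (minimum is {ctx.minimum_version.name})")
    return findings


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """How many CA certificates this context trusts out of the box: the
    slide's proliferation point in one number, since each of them can
    vouch for any name."""
    return len(ctx.get_ca_certs())


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or "no findings")
    print("CAs trusted by default:", trusted_ca_count(hardened_client_context()))
```

On Python 3.10 and later the interpreter already refuses TLS 1.0 and 1.1 by default, so the obsolete-version finding only appears on older builds; the missing-verification and missing-hostname-check findings are independent of version and are the ones that actually hand the session to an attacker.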

Page 7

Securing Your Architecture

No "silver bullet": there are always trade-offs and risks

Story: We had too many entries into our systems, so we eliminated all but one entry into our network. However, that got compromised and we suffered a break-in. Turns out we helped the malware authors by simplifying our system.


On the plus side, since we had significantly fewer things to log and monitor, we caught the intrusion much faster than we would have otherwise, assuming we could have caught it in the old system at all.

Page 9

Looking at Architecture From a Malware Point of View

Security has to be right all the time; malware only once
- And they're better funded
Malware is:
Everything we want to be
Social engineers
Know our users better than we do
They understand our psychology:
Prospect Theory
Small change blindness
"It won't happen to me"
"I've always done it this way"
We don't like to admit when we messed up

Page 10

You Can't Protect What You Don't Know

Silos are malware's best friend
Two heads are better than one
Learn from someone else's mistakes
Know your company: what are your company's architectural/security/... goals?
Know your company's business(es): what are its drivers? What does it think about architecture & security?
Know your system(s): what are the threats, vulnerabilities, ...
Never assume
"You must ask the right questions"

Page 11

Think Bad (a.k.a. channeling your inner hacker)

[xkcd comics]

Understand the system as well as the system of systems (holistic)
Think about the elephant
Think outside the box
Data has three environments
Different strokes for different folks
Evaluate C.I.A.(A.)
Consider effort: make your architecture harder to crack than the architecture next door

Page 12

Secure Architecture Principles

Business Focused: what are the business requirements? Your job is not to make the business secure, it's to keep the business profitable. Always show benefit to the company.
Appropriate: effective vs. right; avoid security for security's sake; avoid diminishing returns
Professional (political) lobbyist
Chinese fortune cookie: "The beginning is the most important part of the work." - Plato
We all need direction, even if it's wrong

Page 13

"If You Don't Know Where You Are Going, Any Road Will Get You There."

Have a Strategy: "The task of strategy is an efficient use of the available resources for the achievement of the main goal."
Have a Plan: avoid the TSA paradigm; polarize, not just layer
Prepare for Paradigm Shifts: de-perimeterization, targeted and silent malware, social attacks
Humans are Visual: targeted pictures
Take shameless (but responsible) advantage of events

Page 14

Don't Forget

Simplify: "That's been one of my mantras -- focus and simplicity. Simple can be harder than complex: you have to work hard to get your thinking clean to make it simple." - Jobs
Knowledge is a Wonderful Thing: know when things are added to your architecture
What not to do is Wonderful Too: don't reinvent the wheel
The 'Circle of Security' (a.k.a. The Circle of Life)
Learning from Malware: "Know your enemy and know yourself..." - Sun Tzu

Page 15

Users Are Human Too

Computers are Intimidating
One Size Doesn't Fit All
Something Will Go Wrong
Fail Securely and Loudly
Know Thine Enemy; For They Are Us
Impatience / Lack of Knowledge
Oops
Your Job is Security; Not Your Users'

Page 16

"Make It So"

1. Know what is required/mandated/...: must have a business justification. Did I contribute toward the bottom line?
2. Have an agenda (a.k.a. plan): do I have a plan? Does anyone know what my strategy is?
3. Have a picture(s): a picture is worth a 1000 words. Is it tailored?
4. Work for agreement: you must be a professional political lobbyist. Who is helping me?
5. Rinse & Repeat: what didn't I get done? Never surrender.

Page 17

Questions, Comments, Suggestions, ... (and some Zen Moments)

Security is a river, not a road
The most secure things are those not there
"I say, let your affairs be as two or three, and not a hundred or a thousand; instead of a million count half a dozen, and keep your accounts on your thumb-nail." - Thoreau
Something will go wrong: expect it; embrace it; work with it

Page 18

Supporting Slides

Page 19

References

OWASP Application Security Architecture Cheat Sheet - https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet

Symantec achieves highest number of SSL certificates issued globally - http://www.nationmultimedia.com/technology/Symantec-achieves-highest-number-of-SSL-certificat-30186424.html

Serge Egelman, Lorrie Faith Cranor, and Jason Hong, "You've been warned: an empirical study of the effectiveness of web browser phishing warnings" - http://repository.cmu.edu/cgi/viewcontent.cgi?article=1061&context=hcii

Justin Kruger and David Dunning, "Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments", Journal of Personality and Social Psychology, 1999 - http://www.scirp.org/Journal/PaperDownload.aspx?paperID=883&fileName=Psych.20090100004_39584049.pd

Andrew Jones, "How do you make information security user friendly?" - http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=7286&context=ecuworks

Jericho Forum, Data Protection: Problem Statement and Requirements for Future Solutions - https://www2.opengroup.org/ogsys/catalog/W12C

Page 20

Oops, I Learned Something (a.k.a. poor man's governance)

Positive vs. Negative
Positive reinforcement: the adding of a pleasant outcome to increase a certain behavior or response
Positive punishment: the adding of an unpleasant outcome to decrease a certain behavior or response
Negative reinforcement: the taking away of an unpleasant outcome to increase a certain behavior or response
Negative punishment (omission training): the taking away of a pleasant outcome to decrease a certain behavior
"This Isn't Your Father's Security"
Repeat, repeat, repeat, repeat, improve, repeat, repeat, ...
Testing *can* be fun
Communicate Accidental Learning

Page 21

Still Crazy After All These Years

During a breach at rockyou.com where 32 million passwords were stolen it was discovered:
30% of the passwords were six characters or smaller
60% were passwords created from a limited set of alphanumeric characters
50% of the users had used easily guessable names, common slang words, adjacent keyboard keys and consecutive digits as their passwords

A study of password habits in 2007 found that users still choose the weakest they can get away with, much as they did three decades earlier
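To make the three rockyou figures operational rather than merely historical, here is an added example (not from the deck) that scores a password corpus on the same three properties: six characters or fewer, a single small alphabet, and guessable content (a common word or name, a keyboard walk, or a run of consecutive digits). The word list and keyboard rows are assumed, illustrative stand-ins for a real wordlist, and the sample corpus is constructed, not leaked data.

```python
"""Added example (not from the slide deck): the slide's three rockyou
measures as a small audit over a list of plaintext passwords, usable on
a breach dump or on candidates at enrolment time."""
import re
from collections import Counter
from typing import Dict, Iterable

# Assumed, deliberately small "easily guessable" list; a real audit would
# load a wordlist of names and slang of the kind the slide describes.
COMMON_WORDS = {"password", "iloveyou", "princess", "michael", "jessica",
                "ashley", "nicole", "daniel", "baby", "monkey", "sunshine"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_short(pw: str) -> bool:
    """Slide measure 1: six characters or fewer."""
    return len(pw) <= 6


def limited_charset(pw: str) -> bool:
    """Slide measure 2: only lower-case letters, or only digits, so the
    brute-force search space is a single small alphabet."""
    return pw.isdigit() or (pw.isalpha() and pw.islower())


def keyboard_walk(pw: str) -> bool:
    """Four or more physically adjacent keys in a row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            chunk = row[i:i + 4]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def consecutive_digits(pw: str) -> bool:
    """A run of four or more digits, each one more (or one less) than the last."""
    for m in re.finditer(r"\d{4,}", pw):
        digits = [int(c) for c in m.group()]
        steps = {b - a for a, b in zip(digits, digits[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def guessable(pw: str) -> bool:
    """Slide measure 3: a common word or name (ignoring a trailing digit or
    symbol tail such as 'password1'), a keyboard walk, or a digit run."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core in COMMON_WORDS or keyboard_walk(pw) or consecutive_digits(pw)


def audit(passwords: Iterable[str]) -> Dict[str, float]:
    """Percentage of the corpus failing each of the slide's three tests."""
    pws = list(passwords)
    n = len(pws) or 1
    hits = Counter()
    for pw in pws:
        hits["short"] += is_short(pw)
        hits["limited_charset"] += limited_charset(pw)
        hits["guessable"] += guessable(pw)
    return {k: round(100.0 * hits[k] / n, 1)
            for k in ("short", "limited_charset", "guessable")}


# Constructed sample (not real leaked data), chosen so every test fires.
SAMPLE = ["123456", "iloveyou", "qwerty", "abc123", "Tr0ub4dor&3",
          "password1", "987654", "correct horse battery", "Zx9!kL2#pQ", "monkey"]

if __name__ == "__main__":
    for measure, pct in audit(SAMPLE).items():
        print(f"{measure:16s} {pct:5.1f}%")
```

The three measures deliberately stay independent, so a password can count against more than one of them, exactly as the slide's percentages (which sum to well over 100) do.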

Page 22

"It Won't Happen To Me."

"Put on a happy face"
"I wouldn't let it happen that way"
The more you know, the less you think you know
The reverse is scary: the less you know, the more you think you know

Page 23

The Trust Factor

Trust is an action involving the voluntary placement of resources at the disposal of the person being trusted (the trustee), with no real commitment from the trustee

People instinctively trust other people
If the person being trusted is trustworthy, the person doing the trusting is better off; conversely, if the person being trusted is untrustworthy, the person doing the trusting is worse off

Trust allows actions which are otherwise not possible

Page 24

Small Change Blindness

As long as the changes in our environment occur slowly, we adapt to them and are unlikely to detect the change

Sitting in front of a computer we are blissfully unaware of what is happening 'behind the curtains'

From a security forum: "...Telling the average computer user to look out for suspicious activity doesn't work because most of the time they haven't any idea what activity is considered suspicious. 'My hard drive light went on - should I worry?' or 'My game paused for a moment - should I worry?'"

"...if I'm running a quad core computer I probably wouldn't notice a bot running on my system"

Page 25

Risking Gains and Accepting Losses

When it comes to evaluating gains or losses, people have a built-in heuristic against risking gains or accepting losses. Put another way: it's not whether you win or lose, it's how you frame the question.

Called Prospect Theory, this is best demonstrated by an experiment put together by Daniel Kahneman and Amos Tversky

Page 26

"I've Always Done It This Way"

Habitual thinking and behavior are the result of powerful neural pathways in our brains and memories that are automatically and unconsciously accessed

Unconscious thought processes can predetermine, without an individual's awareness, decision-making bias and actual decision-making

Emotions are the key driver of decision-making, not logical, analytical thought; our logical processes are often only rational justifications for emotional decisions