Security

Transcript

1. Security at Ravelin 2017 Leonard Austin | 2017-03-17 ravelin.com

2. Summary Accreditation • Accreditation is important to increase clients’ trust

   • Accreditation IS NOT an assessment of security • Effective security is baked into everyday process and actually improves workflow • Security evolves and is everyone's responsibility PCI DSS ISO 27001 ravelin.com

3. ravelin.com Cost of Security

4. Financial The cost of licence fees, extra servers, new laptops

   etc. Relatively unimportant as we have insurance for laptops/hardware and we don’t own servers and cost for security products are cheap-ish (e.g. YubiKey). Cost of Security

5. ravelin.com Cost of Security Time Pretty important factor. We are

   a start-up and time is probably our biggest constraint. Lots of competing priorities and security has to be prioritised along side other work.

6. Cost of Security Friction Essentially, the level of annoyance genuine

   users have to go through to gain access. Too hard and humans will just circumvent because we are all lazy. This is super important. Good security has less friction. Note: don’t confuse friction with resistance to change (RTC). RTC should be completely ignored when deciding whether to implement security measures.

7. ravelin.com Current Measures Attack/Defend/Cost

8. Attack Vector Defensive Measure Cost (Time/Friction)(0-3) Key Loggers 2FA +

   1Password 1 + 1 Stolen Hardware Encrypted Disk 0 + 0 Stolen Home Dir (~/.* .ssh .aws .gcp etc) VPN + 2FA, Bastion, Limited Privileges, Password on keys 1 + 2 Stolen Physical Servers Encrypted Disk + Outsource Physical Security to Cloud Provider 0 + 0 Man in the middle Signed Certificate (TLS 1.2+) 1 + 0 Unauthorised Access to the Office No data stored in the office and treated as the internet 0 + 0 *Fraudulent Requests Trusted user via 3rd party auth - *Phishing 2FA TOTP (kind-of but not really) - Unauthorised DB Access Secrets stored inside a KMS - *Network Breach Single point of entry (VPN+Bastion) 0 + 2

9. Attack Vector Defensive Measure Cost (Time/Friction)(0-3) Key Loggers 2FA +

   1Password 1 + 1 Stolen Hardware Encrypted Disk 0 + 0 Stolen Home Dir (~/.* .ssh .aws .gcp etc) VPN + 2FA, Bastion, Limited Privileges, Password on keys 1 + 2 Stolen Physical Servers Encrypted Disk + Outsource Physical Security to Cloud Provider 0 + 0 Man in the middle Signed Certificate (TLS 1.2+) 1 + 0 Unauthorised Access to the Office No data stored in the office and treated as the internet 0 + 0 *Fraudulent Requests Trusted user via 3rd party auth - *Phishing 2FA TOTP (kind-of but not really) - Unauthorised DB Access Secrets stored inside a KMS - *Network Breach Single point of entry (VPN+Bastion) 0 + 2

10. ravelin.com 2017 More Security & Less Friction

11. Security ravelin.com Phishing FIDO U2F Fraudulent Requests (Invoice/ACL) 2 Unique

    Channel Authorisation (TUCA) Unauthorised Data Access Secrets stored inside a KMS & Zero Trust Network Network Breach Remove SSH Keys New Machine Class: SECURE Hack Ravelin Day Internal resource to attempt to breach our own network and access data Zero Trust Network Sign Builds Encrypt all s2s comms TLS with signed certs

12. Security Phishing Drill Results Phishing is the attempt to obtain

    sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

13. Security Phishing - U2F Chrome/Firefox Only (iPhone users warning) You

    won’t be able to use your Google Account on your iPhone's Mail, Calendar, or Contact apps. Security Key doesn't work with apps that come on your iPhone, but you can use Google apps instead.

14. E.g. 1. Requester messages via slack 2. Approver challenges with

    TUCA 3. Requester messages via (email, sms, in person, phone) 4. Approver actions request TUCA When Movement of money Username/password resets Anything ACL related ravelin.com Security Fraudulent Requests - TUCA Policy

15. Unauthorised Data Access • GCP Key Management Service - not

    just for keys • Operational config stored securely (KMS) • Restrict access to KMS to only select machines • KMS Features a. Generate AES256 encryption keys b. Wrap secrets up to 64KiB in size c. Audit Logging enabled ravelin.com Security

16. Security No SSH Keys with added Magic • No SSH

    keys • No VPN • No self signed certs • No OpenVPN registration • All the goodness of full fat access without the friction • Jump from bastion to internal network • Secured with U2F from the console dashboard • Port 22 blocked for the internet

17. Attack Vector Defensive Measure Cost (Time/Friction)(0-3) Key Loggers U2F +

    1Password 1 + 1 Stolen Hardware Encrypted Disk 0 + 0 Stolen Home Dir (~/.* .ssh .aws .gcp etc) Console SSH to bastion (jump) then to internal network 1 + 1 Stolen Physical Servers Encrypted Disk + Outsource Physical Security to Cloud Provider 0 + 0 Man in the middle Signed Certificate (TLS 1.2+) 1 + 0 Unauthorised Access to the Office No data stored in the office and treated as the internet 0 + 0 Fraudulent Requests 2 Unique Channel Authorisation (TUCA) 0 + 1 Phishing U2F 1 + 1 Unauthorised DB Access Secrets stored inside a KMS & Zero Trust Network 2 + 0 Network Breach Console SSH & Zero Trust Network 3 + 0

18. Zero Trust Network 2017 ravelin.com

19. Encryption with Alice and Bob ravelin.com

20. SSL ravelin.com

21. About us Zero Trust • Sign Builds • Encrypt all

    service 2 service comms • TLS with signed certs • CA • Queue Data asymmetrically encrypted • Disable root access • New Machine Class of “SECURE” ◦ No SSH ◦ Only instance with KMS Access ◦ File integrity monitoring ◦ KMS Credentials stored in memory ◦ Manually bootstrapped ravelin.com

22. Hack Ravelin Day Internal resource to attempt to access data

    from within our own zero trust network ravelin.com Security Roadmap

23. Thank you Security, whoop ravelin.com