Security

Presentation about some of the security measures Ravelin takes to protect our clients' data.

Leonard Austin

March 17, 2017

Transcript

  1. Security at Ravelin
    2017
    Leonard Austin | 2017-03-17 ravelin.com

  2. Summary
    Accreditation
    ● Accreditation is important to increase clients’ trust
    ● Accreditation IS NOT an assessment of security
    ● Effective security is baked into everyday process and actually improves workflow
    ● Security evolves and is everyone's responsibility
    PCI DSS, ISO 27001

  3. Cost of Security

  4. Cost of Security: Financial
    The cost of licence fees, extra servers, new laptops etc.
    Relatively unimportant: we have insurance for laptops/hardware, we don’t own servers, and security products are cheap-ish (e.g. YubiKey).

  5. Cost of Security: Time
    Pretty important factor.
    We are a start-up and time is probably our biggest constraint. There are lots of competing priorities, and security has to be prioritised alongside other work.

  6. Cost of Security: Friction
    Essentially, the level of annoyance genuine users have to go through to gain access. Make it too hard and humans will just circumvent it, because we are all lazy.
    This is super important. Good security has less friction.
    Note: don’t confuse friction with resistance to change (RTC). RTC should be completely ignored when deciding whether to implement security measures.

  7. Current Measures: Attack/Defend/Cost

  8. Current Measures
    Attack Vector | Defensive Measure | Cost: Time + Friction (each 0-3)
    Key Loggers | 2FA + 1Password | 1 + 1
    Stolen Hardware | Encrypted Disk | 0 + 0
    Stolen Home Dir (~/.* .ssh .aws .gcp etc) | VPN + 2FA, Bastion, Limited Privileges, Password on keys | 1 + 2
    Stolen Physical Servers | Encrypted Disk + Outsource Physical Security to Cloud Provider | 0 + 0
    Man in the middle | Signed Certificate (TLS 1.2+) | 1 + 0
    Unauthorised Access to the Office | No data stored in the office and treated as the internet | 0 + 0
    *Fraudulent Requests | Trusted user via 3rd party auth | -
    *Phishing | 2FA TOTP (kind-of but not really) | -
    Unauthorised DB Access | Secrets stored inside a KMS | -
    *Network Breach | Single point of entry (VPN+Bastion) | 0 + 2

  10. 2017: More Security & Less Friction

  11. Security
    Phishing: FIDO U2F
    Fraudulent Requests (Invoice/ACL): 2 Unique Channel Authorisation (TUCA)
    Unauthorised Data Access: Secrets stored inside a KMS & Zero Trust Network
    Network Breach: Remove SSH Keys; New Machine Class: SECURE
    Hack Ravelin Day: Internal resource to attempt to breach our own network and access data
    Zero Trust Network: Sign Builds; Encrypt all s2s comms; TLS with signed certs

  12. Security: Phishing Drill Results
    Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

  13. Security: Phishing - U2F
    Chrome/Firefox Only
    (iPhone users warning) You won’t be able to use your Google Account on your iPhone's Mail, Calendar, or Contacts apps. Security Key doesn't work with apps that come on your iPhone, but you can use Google apps instead.

  14. Security: Fraudulent Requests - TUCA Policy
    E.g.
    1. Requester messages via Slack
    2. Approver challenges with TUCA
    3. Requester messages via a second channel (email, SMS, in person, phone)
    4. Approver actions request
    TUCA When:
    Movement of money
    Username/password resets
    Anything ACL related
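The TUCA policy above written out as a policy check the approver's tooling could run at step 4. This is an added example, not code from the deck or from Ravelin; the channel names, request kinds and the Request fields are assumptions made for the illustration.

```go
package main

import "errors"

type Channel string // the medium a message reached the approver on
const (
	Slack    Channel = "slack"
	Email    Channel = "email"
	SMS      Channel = "sms"
	Phone    Channel = "phone"
	InPerson Channel = "in-person"
)
type Kind string // what is being asked for; the slide names the three kinds that trigger TUCA
const (
	MoveMoney     Kind = "move-money"
	ResetPassword Kind = "reset-password"
	ChangeACL     Kind = "change-acl"
)
// NeedsTUCA is the "TUCA When" rule from the slide.
func NeedsTUCA(k Kind) bool {
	return k == MoveMoney || k == ResetPassword || k == ChangeACL
}
// Request is what the approver has in hand at step 4 (field names are assumed for this example).
type Request struct {
	Kind           Kind
	Requester      string  // identity that opened the request (step 1)
	RequestChannel Channel // where it arrived, e.g. Slack
	Confirmer      string  // identity that answered the challenge (step 3); "" if nobody has yet
	ConfirmChannel Channel // channel that answer came back on
}
var (
	ErrUnconfirmed = errors.New("tuca: no confirmation received yet")
	ErrSameChannel = errors.New("tuca: confirmation must arrive over a different channel")
	ErrWrongPerson = errors.New("tuca: confirmation did not come from the requester")
)
// Authorise decides whether the approver may action the request.
func Authorise(r Request) error {
	if !NeedsTUCA(r.Kind) {
		return nil // ordinary request: no second channel required
	}
	switch {
	case r.Confirmer == "":
		return ErrUnconfirmed
	case r.ConfirmChannel == r.RequestChannel:
		return ErrSameChannel // the check a single hijacked account cannot satisfy
	case r.Confirmer != r.Requester:
		return ErrWrongPerson
	}
	return nil
}
```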

  15. Security: Unauthorised Data Access
    GCP Key Management Service - not just for keys
    Operational config stored securely (KMS)
    Restrict access to KMS to only select machines
    KMS Features
    a. Generate AES256 encryption keys
    b. Wrap secrets up to 64KiB in size
    c. Audit Logging enabled
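The 64KiB limit in (b) means operational config larger than that cannot be handed to KMS as-is; the usual answer is envelope encryption, which this added Go example sketches. It is not code from the deck, from Ravelin or from GCP: KMSWrap is an assumed local stand-in for the KMS encrypt call (AES-256-GCM under a root key, refusing payloads over the limit), and the config is sealed under a fresh data key so that only that key is ever wrapped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const maxWrapSize = 64 << 10 // the direct-wrap limit the slide quotes for KMS (64 KiB)
// gcm builds AES-256-GCM; every key here is 32 bytes, so neither constructor can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	a, _ := cipher.NewGCM(block)
	return a
}
// seal prefixes a fresh 12-byte nonce to the AES-GCM ciphertext; open strips it again.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // documented never to fail in current Go; result deliberately ignored
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
// KMSWrap is an assumed stand-in for the KMS encrypt call; like the real API it refuses payloads over 64KiB.
func KMSWrap(rootKey, secret []byte) ([]byte, error) {
	if len(secret) > maxWrapSize {
		return nil, errors.New("kms: secret exceeds the 64KiB wrap limit")
	}
	return seal(rootKey, secret), nil
}
// Envelope holds config of any size: sealed under a fresh data key, and only that key goes to KMS.
type Envelope struct{ WrappedKey, Ciphertext []byte }
func EncryptConfig(rootKey, config []byte) Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	wk, _ := KMSWrap(rootKey, dek) // a 32-byte key is always under the wrap limit
	return Envelope{WrappedKey: wk, Ciphertext: seal(dek, config)}
}
func DecryptConfig(rootKey []byte, e Envelope) ([]byte, error) {
	dek, err := open(rootKey, e.WrappedKey) // the KMS decrypt call
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
```

Only the SECURE machines that hold KMS credentials can unwrap the data key, so the large ciphertext can live anywhere without widening that access.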

  16. Security
    No SSH Keys with added Magic
    ● No SSH keys
    ● No VPN
    ● No self signed certs
    ● No OpenVPN registration
    ● All the goodness of full fat access without the friction
    ● Jump from bastion to internal network
    ● Secured with U2F from the console dashboard
    ● Port 22 blocked from the internet

  17. Measures after the 2017 changes
    Attack Vector | Defensive Measure | Cost: Time + Friction (each 0-3)
    Key Loggers | U2F + 1Password | 1 + 1
    Stolen Hardware | Encrypted Disk | 0 + 0
    Stolen Home Dir (~/.* .ssh .aws .gcp etc) | Console SSH to bastion (jump) then to internal network | 1 + 1
    Stolen Physical Servers | Encrypted Disk + Outsource Physical Security to Cloud Provider | 0 + 0
    Man in the middle | Signed Certificate (TLS 1.2+) | 1 + 0
    Unauthorised Access to the Office | No data stored in the office and treated as the internet | 0 + 0
    Fraudulent Requests | 2 Unique Channel Authorisation (TUCA) | 0 + 1
    Phishing | U2F | 1 + 1
    Unauthorised DB Access | Secrets stored inside a KMS & Zero Trust Network | 2 + 0
    Network Breach | Console SSH & Zero Trust Network | 3 + 0

  18. Zero Trust Network

  19. Encryption with Alice and Bob

  20. SSL

  21. About us
    Zero Trust
    ● Sign Builds
    ● Encrypt all service 2 service comms
    ● TLS with signed certs
    ● CA
    ● Queue Data asymmetrically encrypted
    ● Disable root access
    ● New Machine Class of “SECURE”
    ○ No SSH
    ○ Only instance with KMS Access
    ○ File integrity monitoring
    ○ KMS Credentials stored in memory
    ○ Manually bootstrapped

  22. Security Roadmap: Hack Ravelin Day
    Internal resource to attempt to access data from within our own zero trust network

  23. Thank you
    Security, whoop