Slide 1

Slide 1 text

Blue teams security engineering @vixentael

Slide 2

Slide 2 text

@vixentael, Product Engineer: cryptographic software, security consulting, developer training. Talks: github.com/vixentael/my-talks

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

1999: real risk vs. compliance demands

Slide 5

Slide 5 text

2018: business risk vs. compliance demands

Slide 6

Slide 6 text

“Bad security” leads to:
- reputation risks (Equifax)
- legal responsibility (GDPR, HIPAA, PCI DSS)
- operations (Google, Facebook)
- competitors' advantage
See: https://www.cossacklabs.com/blog/gdpr-for-engineers.html

Slide 7

Slide 7 text

“Bad security” leads to financial damage

Slide 8

Slide 8 text

Source: twitter.com/c_pellegrino/status/981409466242486272

Slide 11

Slide 11 text

[Chart: millions of records leaked per month, February to September; y-axis "mln records", 0 to 1,000. Source: https://www.itgovernance.co.uk/blog/category/cyber-security/]

Slide 13

Slide 13 text

“Bad security” leads to financial damage

Slide 14

Slide 14 text

Blue team

Slide 15

Slide 15 text

Proactive vs reactive:
- Secure Development
- Secure Architecture
- Secure Operations
- Processes
- Pentests / Audits
- Compliance
- Incident Response

Slide 16

Slide 16 text

Blue team roles (https://xebia.com/blog/being-an-agile-security-officer/):
- The Security Stakeholder (defining the what and what not)
- The Evangelist (raising the bar)
- The Security Expert (helping with the how)
- Security Automation (continuous security)
- Incident response, investigations and forensics

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Blue team: prevent business risks against company assets

Slide 21

Slide 21 text

Assets we protect:
1. Sensitive data
2. Encryption keys
3. Credentials
4. Technical credentials
5. ACL
6. Systems and nodes

Slide 22

Slide 22 text

Sensitive data – any kind of data that, if leaked, will break the business objectives or prosperity of those who use the data.

Slide 23

Slide 23 text

CIA triad: Confidentiality, Integrity, Availability

Slide 24

Slide 24 text

Processes we protect: continuity, capacity, availability } component security, technical assets security, SRE practices

Slide 25

Slide 25 text

Business risk is the possibility that a company will have lower-than-anticipated profits or experience a loss rather than making a profit.

Slide 26

Slide 26 text

Risks:
- unauthorized access
- use
- disclosure
- disruption
- modification
- inspection
- recording
- destruction
Risk categories:
- Strategic risks
- Operational risks
- Reputational risks
- Compliance risks

Slide 27

Slide 27 text

Risks: can’t we just fix all the bugs?
- unauthorized access
- use
- disclosure
- disruption
- modification
- inspection
- recording
- destruction

Slide 28

Slide 28 text

Secret of pragmatic security:
1. Focus on real risks
2. Prioritize by:
   - impact
   - probability

Slide 29

Slide 29 text

InfoSec processes:
- Planning: Risk assessment
- Building:
  - Secure Software Development
  - Infrastructure security
- Doing:
  - Compliance / certification
  - Security verification (audit, pentests, appsec)
  - Operations / processes

Slide 31

Slide 31 text

Secure development, secure architecture, secure coding

Slide 32

Slide 32 text

Secure software development lifecycle methodology:
- MS SDL: www.microsoft.com/en-us/sdl
- OWASP S-SDLC: www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

Slide 33

Slide 33 text

SSDLC:
- distills common sense from the experience of building secure software.
- prescribes methodologies that cover most risks in most cases.
- is a good start.

Slide 34

Slide 34 text

SSDLC: risk evaluation → risk assessment → threat model → security plan → secure coding → security verification → secure operations → response

Slide 35

Slide 35 text

SSDLC: risk evaluation → risk assessment → threat model → security plan → secure coding → security verification → secure operations → response, mapped onto the lifecycle phases: requirements, design/architecture, development, testing, operations

Slide 36

Slide 36 text

Secure architecture prevents the infosec-related business risks in a consistent, pre-designed structure that corresponds to the business goals.

Slide 37

Slide 37 text

Addressing security risks at the architecture level:
1. Design systems that focus on preventing risks instead of focusing on preventing vulnerabilities.
2. Implement security in a cost-efficient, maintainable and verifiable way.

Slide 38

Slide 38 text

Trust:
1. A system’s trust is equal to the trust in its weakest link.
2. Good architecture allocates trust appropriately to practical constraints.

Slide 39

Slide 39 text

[Diagram: trust layers. Labels: perimeter firewall, access control, internal network, authentication, internal access control, access/key management, configuration management, code, encryption, node security]

Slide 40

Slide 40 text

Threats are technical opportunities to materialize business risk in the chosen architecture. Combined with the actual trust and the position of weak components, they create attack vectors.

Slide 41

Slide 41 text

Attack surface – the combination of nodes, processes and applications that need to be compromised for damage to be done. The attack surface is created by components that open a potential opportunity to inflict damage and materialize business risk, along with their risk level.

Slide 42

Slide 42 text

Managing attack surface: the goal of security architecture is appropriate management of the attack surface through observability, minimization and control.

Slide 43

Slide 43 text

Defense in depth (diagram, layers around the data): data → encryption → authorization → authentication / access control

Slide 44

Slide 44 text

Bottom-up vs top-down (diagram): one cycle runs analyze risks → security plan → SSDLC → maintain; the other runs find weakest part → fix → iterate.

Slide 45

Slide 45 text

Secure Development – a process of choosing and implementing security controls appropriate to business risks.

Slide 46

Slide 46 text

Security controls:
- Proactive: prevent risk
- Reactive: detect incident; correct / limit damage
Kinds of controls: physical, procedural, technical, legal

Slide 47

Slide 47 text

Proactive + reactive: data security, application security, infrastructure security, monitoring, intrusion detection, vulnerability management

Slide 48

Slide 48 text

Proactive controls:
- Data security: encryption
- Access security: authentication, firewalls, OS
- Node security: firewalls, compartmentalization, OS

Slide 49

Slide 49 text

Reactive controls: detect
- Data security: integrity checks, authenticated crypto
- Access security: honeypots, access logging
- Node security: IDS, monitoring

Slide 50

Slide 50 text

Reactive controls: limit damage
- Data security: key management, backups
- Access security: credential management, jailbans
- Node security: infrastructural management
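An added example, not from the talk: the "access logging" detection control of slide 49 paired with the "jailbans" damage-limiting control of slide 50, in Go. It parses a handful of constructed login log lines (the line format is an assumption: RFC 3339 timestamp, source IP, user, OK or FAIL) and returns every source that produced five or more failures inside a one-minute sliding window, which is the list a ban mechanism would act on. The IPs, users and timestamps are constructed values.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample login log (not real data). Assumed line format:
// <RFC3339 timestamp> <source IP> <user> <OK|FAIL>
const sampleLog = `2018-09-01T10:00:01Z 203.0.113.7 alice FAIL
2018-09-01T10:00:03Z 203.0.113.7 alice FAIL
2018-09-01T10:00:04Z 198.51.100.2 bob OK
2018-09-01T10:00:05Z 203.0.113.7 admin FAIL
2018-09-01T10:00:06Z 203.0.113.7 root FAIL
2018-09-01T10:00:08Z 203.0.113.7 alice FAIL
2018-09-01T10:05:00Z 198.51.100.2 bob FAIL
2018-09-01T10:20:00Z 203.0.113.7 alice OK`

type loginEvent struct {
	at     time.Time
	src    string
	user   string
	failed bool
}

// parseLog turns raw log text into events. A malformed line is an error rather
// than being skipped, so broken logging does not silently become a blind spot.
func parseLog(raw string) ([]loginEvent, error) {
	var out []loginEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed log line: %q", sc.Text())
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %v", sc.Text(), err)
		}
		out = append(out, loginEvent{at: at, src: f[1], user: f[2], failed: f[3] == "FAIL"})
	}
	return out, sc.Err()
}

// FailedLoginBursts returns, sorted, every source IP that produced at least
// threshold FAIL events within some sliding window of the given length.
func FailedLoginBursts(events []loginEvent, window time.Duration, threshold int) []string {
	bySrc := map[string][]time.Time{}
	for _, e := range events {
		if e.failed {
			bySrc[e.src] = append(bySrc[e.src], e.at)
		}
	}
	var flagged []string
	for src, times := range bySrc {
		// Logs are not guaranteed to be in order, so sort before sliding the window.
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++ // shrink the window from the left until it fits
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged) // map iteration order is random; make the output stable
	return flagged
}

// DetectFromLog is the convenience entry point: parse, then detect.
func DetectFromLog(raw string, window time.Duration, threshold int) ([]string, error) {
	events, err := parseLog(raw)
	if err != nil {
		return nil, err
	}
	return FailedLoginBursts(events, window, threshold), nil
}

func main() {
	flagged, err := DetectFromLog(sampleLog, time.Minute, 5)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, src := range flagged {
		fmt.Printf("jailban candidate: %s (>=5 failed logins within 1m)\n", src)
	}
}
```

The window and threshold are the tunable part: too low and the ban fires on a user who mistyped a password a few times (the "angry users" cost from slide 59), too high and a slow brute force never trips it, so the values belong in a reviewed config rather than in code.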

Slide 51

Slide 51 text

Data protection 101:
1. Identify sensitive data, understand the sensitive data lifecycle, classify data.
2. Identify risks to data.
3. Build a trust model, understand risk impact.
4. Prioritize risk vectors.
5. Select and implement proper security controls for exploitable high-risk vectors (to prevent risks and to identify leaks).

Slide 52

Slide 52 text

Encryption libraries should:
★ use strong & audited crypto
★ work everywhere
★ hide cryptographic details
★ be hard to misuse
★ have integration with key storage
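An added example, not from the talk and not the code of any library it names: what "authenticated crypto" from slide 49 and the "hide cryptographic details" and "be hard to misuse" properties from this slide look like as a small Go wrapper around the standard library's AES-256-GCM. The nonce is generated inside Seal so a caller cannot reuse one, the key length is checked, and Open releases nothing if a single bit of the nonce, ciphertext, tag or associated data has been altered. The key, record and associated data are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // AES-256

// newAEAD builds the AES-256-GCM primitive and rejects any other key length.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and binds aad (for example a record id) to it.
// Output layout: nonce || ciphertext || tag. The nonce is drawn from
// crypto/rand here so the caller never has to manage one.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag before releasing any plaintext: a modified nonce,
// ciphertext, tag or aad yields an error, never silently corrupted data.
func Open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// TamperDetected flips one bit of a sealed blob and reports whether Open
// rejects it, i.e. whether the integrity check catches the change.
func TamperDetected(key, sealed, aad []byte) bool {
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Open(key, tampered, aad)
	return err != nil
}

func main() {
	key := make([]byte, keySize) // constructed demo key; real keys come from a key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("card=4111111111111111") // constructed sensitive record
	aad := []byte("customer-id:42")           // constructed associated data
	sealed, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, sealed, aad)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, pt)
	fmt.Printf("bit flip detected: %v\n", TamperDetected(key, sealed, aad))
	_, err = Open(key, sealed, []byte("customer-id:43"))
	fmt.Printf("wrong associated data rejected: %v\n", err != nil)
}
```

The two exported functions are the whole API a product engineer sees: no cipher mode, nonce or tag handling leaks out, which is the "hide cryptographic details" point, and the integrity failure surfaces as an error that monitoring can count, which is the "detect" role from slide 49.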

Slide 53

Slide 53 text

Encryption libraries (diagram): abstraction level and complexity, from ciphers to libraries to suites

Slide 54

Slide 54 text

- Ciphers: 3DES, AES-256-GCM, Salsa20, ChaCha
- Libraries: libsodium, themis, tink
- Suites: ZeroKit, Hermes, Vault, Acra

Slide 55

Slide 55 text

No content

Slide 56

Slide 56 text

Core principles:
- Principle of least privilege.
- “Secure by default”.
- Compartmentalization. Access separation. Echelonization.
- Defense in depth: security measures escalate with sensitivity/risk.
- Independent defences. No single point of security failure.

Slide 57

Slide 57 text

Core principles:
- Balance security with usability. Break usability too much and the security control will be overridden or broken.
- Log everything. Or be like ¯\_(ツ)_/¯ when things go bad.
- Have a contingency plan. Nobody is perfect. Have an incident reaction plan from day 0.

Slide 58

Slide 58 text

Ensuring security:
- Monitoring
- Automated security testing
- Automated security verification
- Security-conscious SLOs and metrics
Tooling: IDS, SIEM, security-centric tests, SAST / DAST, dependency monitoring, automated vulnerability scanning, automated OSINT

Slide 59

Slide 59 text

Problems with implementing security practices:
- Usability vs security: control override, angry users
- Performance vs security: performance penalty
- Maintainability vs security: additional operations
- Reliability vs security: lost access

Slide 60

Slide 60 text

#owaspkyiv

Slide 61

Slide 61 text

Home reading:
- Organization security for startups: https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
- Security as a Product: https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
- Hiring External Security Team: What You Need To Know: https://www.cossacklabs.com/blog/hiring-external-security-team.html
- What Do We Really Need To Encrypt. Cheatsheet: https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html

Slide 62

Slide 62 text

Community:
- Ukrainian security events: https://github.com/sapran/Ukraine-infosec-conferences
- BSides, OWASP, UISGCon, NoNameCon, WIA, WWCode Kyiv – search in Facebook

Slide 63

Slide 63 text

@vixentael, Product Engineer: cryptographic software, security consulting, developer training. Talks: github.com/vixentael/my-talks