Slide 1

No content

Slide 2

GDS Michael Brunton-Spall Building secure software and keeping it secure in the face of changing requirements

Slide 3

This guidance is in alpha

Slide 4

I am a civil servant

Slide 5

I work for the Government Digital Service

Slide 6

Publishing

Slide 7

Transactions

Slide 8

APIs

Slide 9

Agile

Slide 10

Security vs Information Risk

Slide 11

Why bother?

Slide 12

What are the threats?

Slide 13

Data loss and theft

Slide 14

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.nbcnews.com/id/8985989/#.VQgdgWSsU8Z
http://news.bbc.co.uk/1/hi/uk/7103911.stm

Slide 15

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.techweekeurope.co.uk/workspace/nhs-researchers-lose-laptop-with-8m-patients-records-31810
http://www.bbc.co.uk/news/technology-15690187

Slide 16

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.pcworld.com/article/252647/reborn_lulzsec_claims_hack_of_dating_site_for_military_personnel.html
http://www.nydailynews.com/news/national/russians-ukrainian-charged-largest-hacking-spree-u-s-history-article-1.1408948

Slide 17

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Slide 18

http://zed0.co.uk/crossword/

Slide 19

Criminal users on the internet

Slide 20

GameOver/Zeus Banking Malware

Slide 21

http://www.stateoftheinternet.com/resources-web-security-threat-advisories-2014-zeus-zbot-malware-crimeware.html

Slide 22

"FBI Fraud Scheme Zeus Trojan" by FBI. Licensed under Public Domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:FBI_Fraud_Scheme_Zeus_Trojan.jpg

Slide 23

No content

Slide 24

http://www.theverge.com/a/anatomy-of-a-hack

Slide 25

Advanced Persistent Threats

Slide 26

https://www2.fireeye.com/fin4.html

Slide 27

Watering Hole Attacks
http://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/

Slide 28

http://securelist.com/blog/research/66779/the-darkhotel-apt/
http://blog.kaspersky.co.uk/darkhotel-apt/

Slide 29

The state of information security

Slide 30

BS7799-1:1999

Slide 31

ISO27001:2005

Slide 32

Accreditation
Certification
Approval to operate

Slide 33

PCI

Slide 34

How do we deal with this?

Slide 35

Traditional model

Slide 36

No content

Slide 37

How do we deal with changes?

Slide 38

No content

Slide 39

Agile changes everything

Slide 40

Only do what's needed now

Slide 41

Release It!

Slide 42

MVP and iterate

Slide 43

A security nightmare!

Slide 44

How can we deal with it?

Slide 45

Investigated projects across government

Slide 46

Variety of approaches

Slide 47

… and that's ok

Slide 48

A new world of security

Slide 49

Principles over rules

Slide 50

The UK Government published 8 principles

Slide 51

Accept uncertainty

Slide 52

Security as part of the team

Slide 53

Understand the risks

Slide 54

Trust decision making

Slide 55

Security is part of everything

Slide 56

User experience is important

Slide 57

Audit decisions

Slide 58

Understand big picture impact

Slide 59

But what do they mean?

Slide 60

Let's get practical

Slide 61

National Insurance Claim

Slide 62

User submits their details and claim

Slide 63

Company confirms details via 2nd channel

Slide 64

User gets paid

Slide 65

System is currently paper based for users, mainframe based for staff

Slide 66

This team is going to digitise the service

Slide 67

Embed security on the team

Slide 68

Choose security model that's appropriate

Slide 69

Understand the threats

Slide 70

Hackers break in and steal data from database

Slide 71

Fraudsters submit false claims

Slide 72

Educate decision makers about risks

Slide 73

Make risk decisions on a per story basis

Slide 74

Example

Slide 75

“Allow user to enter bank details to be paid by bank transfer”

Slide 76

Adds risk

Slide 77

“Add 2 factor authentication to staff login system”

Slide 78

Counters risk

Slide 79

“Allow user to enter multiple holiday periods”

Slide 80

Risk neutral

Slide 81

What do you do about the risk?

Slide 82

“Allow user to enter bank details to be paid by bank transfer”

Slide 83

Avoid

Slide 84

Don't do it, use cheques instead

Slide 85

Transfer

Slide 86

Use a banking third party

Slide 87

Accept

Slide 88

Just do it

Slide 89

Mitigate

Slide 90

Encrypt bank details on submission using public key cryptography

Slide 91

How much extra work is that?

Slide 92

Accept for now, add a story to backlog to mitigate

Slide 93

Feature flags and feature releases

Slide 94

Risk evaluation

Slide 95

R = Impact * Likelihood

Slide 96

What does it cost to lose data/customers etc.?

Slide 97

How likely is it to happen?

Slide 98

Is the business owner willing to take the risk?

Slide 99

How long for?

Slide 100

What sorts of mitigations might we use?

Slide 101

“Allow user to enter bank details to be paid by bank transfer”

Slide 102

Against hackers stealing the data

Slide 103

“Encrypt the data” - Prevent

Slide 104

“Transaction monitoring” - Detect

Slide 105

“Store data only while session is live” - Compensate

Slide 106

Against fraudsters inputting false data

Slide 107

“Check bank details against claim details” - Detect

Slide 108

“Only pay the same account once a year” - Prevent

Slide 109

“Don't pay until second channel supplies details”

Slide 110

Deter, Prevent, Correct, Recover, Detect, Compensate

Slide 111

Record decision in a log

Slide 112

… probably a wiki

Slide 113

What about big picture impact?

Slide 114

Most information disclosure risks are business process

Slide 115

Can a case worker add/replace bank account details with their own details

Slide 116

… without getting caught?

Slide 117

Can we automate this?

Slide 118

Ideas

Slide 119

Connect the risk log to the story tracker

Slide 120

When a story is played, the risks get updated

Slide 121

It's clear what current risk is
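
The three slides above (connect the risk log to the story tracker, update the risks when a story is played, make the current risk clear), combined with the adds/counters/neutral classification of stories from slides 75-80 and R = Impact * Likelihood from slide 95, as an added worked example in Python. This is not GDS code and nothing from the talk; the risk names, the 1-5 impact and likelihood scales, the story effects and the dates are all constructed for illustration.

```python
"""Risk log wired to the story tracker.  Added example, not GDS code; the risks,
stories, scores and dates are constructed for illustration.

A risk is scored R = Impact * Likelihood on 1-5 scales.  A story declares which
risks it raises or lowers (the "adds risk / counters risk / risk neutral" split);
playing it re-scores the register and appends to each risk's decision log, so the
current risk position is always derivable from what has actually shipped."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Risk:
    name: str
    impact: int                        # 1 (minor) .. 5 (catastrophic)
    likelihood: int                    # 1 (rare) .. 5 (almost certain)
    treatment: str = "untreated"       # avoid / transfer / accept / mitigate
    review_by: Optional[date] = None   # "how long for?" when accepted
    log: List[str] = field(default_factory=list)   # the decision log (the wiki)

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

@dataclass
class Story:
    title: str
    effects: Dict[str, int] = field(default_factory=dict)  # risk -> likelihood delta

    @property
    def classification(self) -> str:
        if not self.effects:
            return "risk neutral"
        return "adds risk" if any(d > 0 for d in self.effects.values()) else "counters risk"

class RiskRegister:
    def __init__(self, risks: List[Risk]):
        self.risks = {r.name: r for r in risks}

    def decide(self, name: str, treatment: str, note: str, on: date,
               review_by: Optional[date] = None) -> None:
        """Record a treatment decision and its rationale against the risk."""
        r = self.risks[name]
        r.treatment, r.review_by = treatment, review_by
        r.log.append(f"{on.isoformat()} {treatment}: {note}")

    def play(self, story: Story, on: date) -> None:
        """Hook for the story tracker: a played story re-scores the risks it touches."""
        for name, delta in story.effects.items():
            r = self.risks[name]
            r.likelihood = max(1, min(5, r.likelihood + delta))
            r.log.append(f"{on.isoformat()} story '{story.title}' ({story.classification}) R={r.score}")

    def current(self, today: date) -> Dict[str, dict]:
        """Per-risk view: score, treatment, and whether an acceptance is past review."""
        return {name: {"score": r.score, "treatment": r.treatment,
                       "review_overdue": r.treatment == "accept" and r.review_by is not None
                                         and r.review_by < today}
                for name, r in self.risks.items()}

    def total(self) -> int:
        return sum(r.score for r in self.risks.values())

def demo() -> Tuple[RiskRegister, List[int], Dict[str, dict]]:
    """Play the National Insurance claim stories; return the register, the total
    after each step, and the view on a day the acceptance would have lapsed."""
    reg = RiskRegister([Risk("bank details stolen from database", impact=5, likelihood=2),
                        Risk("false claim paid out", impact=4, likelihood=3),
                        Risk("staff account compromised", impact=4, likelihood=3)])
    totals = [reg.total()]                                   # 10 + 12 + 12 = 34
    reg.play(Story("Allow user to enter bank details to be paid by bank transfer",
                   {"bank details stolen from database": +2}), date(2015, 3, 2))
    reg.decide("bank details stolen from database", "accept",
               "accept for now; encryption story added to backlog",
               on=date(2015, 3, 2), review_by=date(2015, 6, 30))
    totals.append(reg.total())                               # 20 + 12 + 12 = 44
    lapsed_view = reg.current(date(2015, 7, 1))              # acceptance past its review date
    reg.play(Story("Add 2 factor authentication to staff login system",
                   {"staff account compromised": -2}), date(2015, 3, 16))
    totals.append(reg.total())                               # 20 + 12 + 4 = 36
    reg.play(Story("Allow user to enter multiple holiday periods"), date(2015, 3, 20))
    totals.append(reg.total())                               # risk neutral: still 36
    reg.play(Story("Encrypt bank details on submission using public key cryptography",
                   {"bank details stolen from database": -2}), date(2015, 4, 10))
    reg.decide("bank details stolen from database", "mitigate",
               "encryption shipped; acceptance closed", on=date(2015, 4, 10))
    totals.append(reg.total())                               # 10 + 12 + 4 = 26
    return reg, totals, lapsed_view
```

play() is where a story tracker's "story played" hook would call in. The decision log lives on each Risk, so the wiki page the deck mentions can be generated from the register rather than maintained by hand, and current() flags any accepted risk whose "how long for?" date has passed, which is the prompt to revisit the acceptance or pull the mitigation story forward.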

Slide 122

Misuse cases

Slide 123

As a fraudster, When I submit a fake claim for £1000, A payment for £1000 gets authorised

Slide 124

Expected to fail

Slide 125

Really fun to write

Slide 126

Define a set of threat actors

Slide 127

External Attacker, Internal Attacker, Insider, Fraudster etc.

Slide 128

Executed like other user acceptance tests

Slide 129

Give confidence that a story hasn't had an impact elsewhere

Slide 130

Gives confidence in business process
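
The misuse cases of slides 123-130, run against the fraud controls the deck lists on slides 107-109 (check bank details against claim details, only pay the same account once a year, don't pay until the second channel supplies details), as an added example in Python. It is not the claim service's code: the ClaimsService model, the account-holder directory that stands in for a bank's lookup, and every name, NI number, sort code and account number are constructed.

```python
"""Claims-service fraud controls plus misuse cases as tests.  Added example, not the
project's code; every name, NI number and account here is constructed (the QQ prefix
is never issued as a real National Insurance number)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

@dataclass
class Claim:
    claim_id: str
    claimant: str
    ni_number: str
    amount: int                # pounds
    account: Tuple[str, str]   # (sort code, account number)

class PaymentRefused(Exception):
    pass

class ClaimsService:
    def __init__(self, today: date, account_holders: Dict[Tuple[str, str], str]):
        self.today = today
        self.account_holders = account_holders  # stand-in for a bank's holder lookup
        self.claims: Dict[str, Claim] = {}
        self.confirmations: Dict[str, Tuple[str, int]] = {}  # second channel: (NI, amount)
        self.payments: List[Tuple[date, Tuple[str, str]]] = []
        self.alerts: List[str] = []             # feed for transaction monitoring (detect)

    def submit_claim(self, claim: Claim) -> None:
        self.claims[claim.claim_id] = claim

    def confirm(self, claim_id: str, ni_number: str, amount: int) -> None:
        """The company confirms the claim's details via the second channel."""
        self.confirmations[claim_id] = (ni_number, amount)

    def _refuse(self, claim_id: str, reason: str) -> None:
        self.alerts.append(f"refused {claim_id}: {reason}")
        raise PaymentRefused(reason)

    def pay(self, claim_id: str) -> int:
        claim = self.claims[claim_id]
        # Don't pay until the second channel supplies matching details.
        if self.confirmations.get(claim_id) != (claim.ni_number, claim.amount):
            self._refuse(claim_id, "no matching second-channel confirmation")
        # Check bank details against claim details (detect).
        if self.account_holders.get(claim.account) != claim.claimant:
            self._refuse(claim_id, "account holder does not match claimant")
        # Only pay the same account once a year (prevent).
        if any(acct == claim.account and self.today - paid < timedelta(days=365)
               for paid, acct in self.payments):
            self._refuse(claim_id, "account already paid this year")
        self.payments.append((self.today, claim.account))
        return claim.amount

ACCOUNTS = {("11-22-33", "00000001"): "Alice Example",
            ("44-55-66", "00000002"): "Mallory Fraud",
            ("77-88-99", "00000003"): "Carol Caseworker"}
ALICE_NI = "QQ123456C"

def new_service() -> ClaimsService:
    return ClaimsService(date(2015, 3, 1), ACCOUNTS)

def alice_claim(claim_id: str = "C1", amount: int = 1000) -> Claim:
    return Claim(claim_id, "Alice Example", ALICE_NI, amount, ("11-22-33", "00000001"))

def goal_reached(s: ClaimsService, claim_id: str) -> bool:
    try:
        return s.pay(claim_id) > 0     # attacker's goal: a payment is authorised
    except PaymentRefused:
        return False

def use_case_genuine_claim_is_paid() -> int:
    s = new_service()
    s.submit_claim(alice_claim())
    s.confirm("C1", ALICE_NI, 1000)
    return s.pay("C1")

def misuse_fraudster_fake_claim() -> bool:
    # As a fraudster, when I submit a fake claim for £1000, a payment for £1000 gets authorised.
    s = new_service()
    s.submit_claim(Claim("F1", "Alice Example", ALICE_NI, 1000, ("44-55-66", "00000002")))
    return goal_reached(s, "F1")

def misuse_insider_redirects_payment() -> bool:
    # As an insider, when I replace a confirmed claim's bank details with my own, I get paid.
    s = new_service()
    s.submit_claim(alice_claim())
    s.confirm("C1", ALICE_NI, 1000)
    s.claims["C1"].account = ("77-88-99", "00000003")   # case worker edits the record
    return goal_reached(s, "C1")

def misuse_claimant_paid_twice() -> bool:
    # As a claimant whose company confirms a second claim this year, I am paid again.
    s = new_service()
    s.submit_claim(alice_claim("C1"))
    s.confirm("C1", ALICE_NI, 1000)
    s.pay("C1")
    s.submit_claim(alice_claim("C2", 500))
    s.confirm("C2", ALICE_NI, 500)
    return goal_reached(s, "C2")
```

Each misuse_* function is a user acceptance test told from a threat actor's point of view and is expected to fail: here that means it returns False because the service refused the payment, and the refusal lands in the alerts feed that transaction monitoring would watch. use_case_genuine_claim_is_paid is the control that proves the checks are not simply refusing everything. Run alongside the ordinary acceptance tests, a later story that loosens one of the three checks turns a misuse case green, which is exactly the "impact elsewhere" signal slide 129 asks for.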

Slide 131

Attack Trees

Slide 132

https://www.schneier.com/paper-secure-methodology.pdf

Slide 133

Think as an attacker

Slide 134

Evaluate Risk, Access, Effectiveness

Slide 135

Identify most efficient countermeasures

Slide 136

Use attack trees to pick misuse cases to automate
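
Attack-tree scoring of the kind the cited Schneier paper describes, applied to the claim scenario from this talk, as an added example in Python. It is not code from the deck or from the paper: the tree, the attacker-cost figures (a made-up "effort in days" unit) and the countermeasure names are constructed. cheapest() finds the least-cost path to the goal, plan() greedily ranks countermeasures by how much each raises that cost, and the leaves on the cheapest remaining path are the misuse cases worth automating next.

```python
"""Attack tree scored by attacker cost, used to rank countermeasures and pick the
misuse cases to automate.  Added example following the approach in the Schneier
paper the deck cites, not code from the deck; the tree and its costs are
constructed for the National Insurance claim scenario (cost = rough attacker
effort in days, a made-up unit).

OR nodes cost what their cheapest child costs, AND nodes the sum of their
children.  A countermeasure in place makes the leaves it counters impractical,
so the cheapest remaining path is both the next thing to mitigate and the misuse
case most worth automating."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

IMPRACTICAL = 10 ** 9   # stands in for "no feasible path"

@dataclass
class Node:
    label: str
    kind: str = "leaf"                   # "leaf", "or" or "and"
    cost: int = 0                        # leaves only
    children: List["Node"] = field(default_factory=list)
    countered_by: Optional[str] = None   # name of the countermeasure that closes this leaf

def cheapest(node: Node, in_place: Set[str]) -> Tuple[int, List[str]]:
    """Return (cost, leaf labels) of the cheapest attack given the countermeasures in place."""
    if node.kind == "leaf":
        if node.countered_by in in_place:
            return IMPRACTICAL, []
        return node.cost, [node.label]
    scored = [cheapest(c, in_place) for c in node.children]
    if node.kind == "or":
        return min(scored, key=lambda s: s[0])
    total = sum(s[0] for s in scored)   # "and": every child step must succeed
    if total >= IMPRACTICAL:
        return IMPRACTICAL, []
    return total, [leaf for s in scored for leaf in s[1]]

def plan(root: Node, candidates: Set[str]) -> List[Tuple[str, int]]:
    """Greedily pick the countermeasure that raises the cheapest attack most, until
    no candidate helps or no path remains.  Returns (countermeasure, new cheapest cost)."""
    in_place: Set[str] = set()
    chosen: List[Tuple[str, int]] = []
    while candidates - in_place and cheapest(root, in_place)[0] < IMPRACTICAL:
        best = max(candidates - in_place, key=lambda c: cheapest(root, in_place | {c})[0])
        gain = cheapest(root, in_place | {best})[0] - cheapest(root, in_place)[0]
        if gain <= 0:
            break
        in_place.add(best)
        chosen.append((best, cheapest(root, in_place)[0]))
    return chosen

def claim_tree() -> Node:
    """Constructed tree for the goal 'get a fraudulent payment from the claim service'."""
    return Node("Get a fraudulent payment", "or", children=[
        Node("Submit a fake claim", "and", children=[
            Node("Forge claim details", cost=1),
            Node("Get the company to confirm a fake claim", cost=8,
                 countered_by="second-channel confirmation before payment"),
        ]),
        Node("Redirect a genuine claim's payment", "or", children=[
            Node("Case worker edits bank details", cost=3,
                 countered_by="check bank details against claim details"),
            Node("Compromise a staff login", cost=6,
                 countered_by="2 factor authentication on staff login"),
        ]),
    ])

COUNTERMEASURES = {"second-channel confirmation before payment",
                   "check bank details against claim details",
                   "2 factor authentication on staff login"}
```

On the constructed figures the cheapest attack with nothing in place is the case worker editing bank details (cost 3), which is the business-process risk slides 115-116 raise; plan() therefore orders the bank-details check first, then staff 2FA, then the second-channel check, and at each step the labels returned by cheapest() name the misuse case to write next.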

Slide 137

In summary

Slide 138

We have a duty of care to our users

Slide 139

Choose the right process for you
Apply some basic principles
Dedicate someone to it
Align security and delivery

Slide 140

We're still learning, so let us know if this works for you or not

Slide 141

Michael Brunton-Spall
Technical Architect
Government Digital Service
@bruntonspall
[email protected]