Slide 1

Safeguarding sensitive data in the cloud
Elliot Murphy, CTO, CommonGround

Slide 2

“We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back”
– Cory Doctorow, 2008, http://www.theguardian.com/technology/2008/jan/15/data.security

Slide 3

No content

Slide 4

No content

Slide 5

“Revealed: how Whisper app tracks ‘anonymous’ users”
– The Guardian, http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app-tracking-users

Slide 6

“Unfortunately, recent media accounts have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy”
– US Senator John D. Rockefeller, Chairman of the Senate committee with oversight over the Federal Trade Commission and consumer protection issues, http://www.rockefeller.senate.gov/public/index.cfm/files/serve?File_id=a9d102ef-ac4a-445e-8a49-fc0f0377960e&SK=B8C08E13132161C24B2074067EF20FD5

Slide 7

US HHS “Wall of Shame” (HIPAA breach notification reports): http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Slide 8

No content

Slide 9

Attacked from the inside (a commercially available drop-box device)
• Wireless (802.11b/g/n) high-gain, Bluetooth and USB Ethernet adapters
• Fully automated NAC / 802.1X / RADIUS bypass
• One-click EvilAP, stealth mode and passive recon
• Kali Linux

Slide 10

No content

Slide 11

Snoopy proof of concept
• Drones collect the SSIDs that nearby devices probe for
• Offer rogue access points with matching SSIDs, so devices auto-associate
• Traffic is transparently proxied via Squid and logged
• sslstrip downgrades HTTPS to HTTP
• mitmproxy injects content into web pages
• https://wigle.net maps each probed SSID to GPS coordinates
• Google Maps Street View shows the places behind those coordinates
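The first two steps of the Snoopy workflow, as an added example that is not code from the talk or from the Snoopy project: the script below groups directed probe requests from a constructed capture by client MAC, builds each device's SSID profile (the list a drone would look up on wigle.net), and ranks which SSIDs a rogue access point should beacon to lure the most clients. The capture format (one `MAC,SSID` line per probe request, empty SSID for a wildcard probe) is an assumption of this example; the defender's check it also shows is that a client sending only wildcard probes contributes nothing to the profile.

```python
"""Build per-client SSID profiles from 802.11 probe requests (Snoopy step 1).

Added example, not code from the talk or the Snoopy project.
"""
from collections import Counter

# Constructed capture, not real data: one probe request per line as "<client MAC>,<SSID>".
# An empty SSID is a wildcard (broadcast) probe, which names no network.
SAMPLE_PROBES = """\
aa:bb:cc:00:00:01,HomeWifi-Murphy
aa:bb:cc:00:00:01,Starbucks
aa:bb:cc:00:00:01,CommonGround-Guest
aa:bb:cc:00:00:02,
aa:bb:cc:00:00:02,
aa:bb:cc:00:00:03,Starbucks
aa:bb:cc:00:00:01,HomeWifi-Murphy
aa:bb:cc:00:00:03,
"""


def parse_probes(capture: str) -> dict:
    """Map each client MAC to the set of SSIDs it asked for by name."""
    profiles = {}
    for line in capture.splitlines():
        if not line.strip():
            continue
        mac, _, ssid = line.partition(",")
        mac = mac.strip().lower()
        ssid = ssid.strip()
        profiles.setdefault(mac, set())  # wildcard-only clients keep an empty profile
        if ssid:  # wildcard probes carry nothing to look up on wigle.net
            profiles[mac].add(ssid)
    return profiles


def rogue_ap_targets(profiles: dict) -> list:
    """Rank SSIDs by how many distinct clients probed for them.

    A drone beacons the top entries as rogue APs; any client that probed
    for that name will try to associate with it automatically.
    """
    counts = Counter(ssid for ssids in profiles.values() for ssid in ssids)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def leaky_clients(profiles: dict) -> list:
    """Clients that sent at least one directed probe and so can be profiled and mapped."""
    return sorted(mac for mac, ssids in profiles.items() if ssids)


if __name__ == "__main__":
    found = parse_probes(SAMPLE_PROBES)
    for mac in leaky_clients(found):
        print(mac, sorted(found[mac]))
    print("beacon these SSIDs first:", rogue_ap_targets(found)[:2])
```

In the sample, `aa:bb:cc:00:00:02` only ever sends wildcard probes and so never appears in the rogue-AP target list; that is the behaviour to want from a fleet's devices.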

Slide 12

FOOD

Slide 13

Not-so-nice restaurants
• Widely varying resources
• Widely varying education levels
• Widely varying local customs and challenges
• Extremely competitive
• Price pressure
• Many workers, minimal training
• Workers may not be motivated

Slide 14

Acceptable level of risk

Slide 15

Acceptable level of risk

Slide 16

Acceptable level of risk
Wash your hands

Slide 17

Acceptable level of risk
“CDC estimates that each year in the US roughly 1 in 6 (or 48 million people) gets sick, 128,000 are hospitalized, and 3,000 die of foodborne diseases”
Source: http://www.cdc.gov/foodsafety/facts.html

Slide 18

• Wash your hands
• Go for walks
• Play with others
• Run in circles
• Tell stories

Slide 19

Wash your hands
• Use a password manager
• Use multi-factor authentication, particularly on your password manager, your DNS provider accounts, and email
• Develop basic fluency in using encryption: understand what options exist and the human factors at play
• Use full disk encryption (even on your mobile devices)
• Encrypt all data in flight and at rest. This includes connections inside your application (web app to backend), not just the edge
• Work through the remaining steps to tailor this list to your environment

Slide 20

Crash course in encryption
• Everything reduces to a key management problem
• Shamir secret sharing: split a key into M shares so that any N of them recover it and fewer than N reveal nothing
• Homomorphic encryption exists
• Data you don’t have can’t get stolen
• Attend Real World Crypto, January 2015, London

Slide 21

Go for walks

Slide 22

Go for walks
• A keylogger on a sysadmin’s laptop
• A stolen SSH private key
• An engineer accidentally introduces a SQL injection
• Someone with access to the data goes rogue and sells it

Slide 23

Go for walks
• This is called risk assessment
• The fictional “reasonable person” of negligence law
• The Hand rule (calculus of negligence): a precaution is owed when its burden B is less than the probability P of the loss times the magnitude L of the loss, i.e. B < P × L; see http://en.wikipedia.org/wiki/Calculus_of_negligence

Slide 24

Play with others
• Group cognition
• The Elevation of Privilege card game and the OWASP Cornucopia card game, https://www.owasp.org/index.php/OWASP_Cornucopia
• Third-party pentests and audits

Slide 25

Run in circles

Slide 26

Tell stories

Slide 27

Tell stories
• https://www.owasp.org/
• Bulletproof SSL and TLS, https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
• https://training.catalyze.io
• https://github.com/catalyzeio/policies

Slide 28

• Wash your hands: take reasonable basic precautions
• Go for walks: schedule time to reflect on your risk
• Play with others: engage in group problem solving around threat modeling
• Run in circles: run an OODA loop
• Tell stories: help your colleagues value meaningful security and reject FUD