Frank S. Rietta, 
 M.S. Information Security ! rietta.com/blog @frankrietta on Twitter ! February 5, 2015 Understanding & Defending Against Data Breaches, as a Practicing Software Developer 

Slides are up at SpeakerDeck http://bit.ly/1yOalxL 

Is XYZ secure? • Ask three questions: 1. Secure against what? 2. What is the worst thing that can happen? 3. Compared to what alternative? 

What is security? 

“Security is not a functional requirement” - A graduate school professor 

Security is not a functional requirement 

Risks and risk management. 

Confidentiality! Integrity Availability 

Commercial Information Classifications 1. Public: Public information 2. Internal Use: Confidential business information 3. Confidential: Information that customers consider confidential 4. Sensitive: Personal and Private Information (PII), information that THE LAW considers confidential! 5. Highly Sensitive: Encryption keys, server secrets, staff/admin passwords 

Users can feel a privacy breach even if the terms and conditions spell out in mouse print that they agree to such sharing. This is a yellow line violation. 

TN § 47-18-2107 
 Release of personal consumer information • (1) "Breach of the security of the system" means unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.… • (A) "Personal information" means an individual's first name or first initial and last name, in combination with any one (1) or more of the following data elements, when either the name or the data elements are not encrypted: • (i) Social security number; • (ii) Driver license number; or • (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;… 

TN § 47-18-2110
 Protecting social security numbers from disclosure A. [Any business] that has obtained a federal social security number for a legitimate business or governmental purpose shall make reasonable efforts to protect that social security number from disclosure to the public. Social security numbers shall not: A. …(2) Be required to be transmitted over the Internet, unless the Internet connection used is secure or the social security number is encrypted; B. (3) Be required to log onto or access an Internet web site, unless used in combination with a password or other authentication device; … B. On and after January 1, 2009, a violation of subsection (a) is a Class B misdemeanor. Each violation of subsection (a) shall constitute a separate offense. 

A litany of data breaches 

Anthem Blue Cross • Announced last night - 2/4/2015 • Attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/ social security numbers, street addresses, email addresses and employment information, including income data. (Forbes) • In the wake of the attack, Anthem has reset the passwords of all employees with higher-level access to its data systems, and has blocked all access that involves only one password, Mr. Miller said. (Wass Street Journal) • 80 million people potentially affected 

bit.ly • In May, 2014, the offsite database backup was compromised. All data, including users’ API keys and hashed passwords were exposed • The backup database was not encrypted • It turns out that the attackers gained access to the database backup through a compromised employee account • If bit.ly had been using 2-factor authentication on employee accounts, this attack would likely have never taken place 

Buffer App 
 (through MongoHQ) • Attackers gained access to plaintext Facebook and Twitter access tokens of users of the Buffer social media management profile 

Humana’s Atlanta breach • In May, 2014, without regard to an IT strategy that included laptops with full drive encryption, an employee in Atlanta also copied patient health data to a USB disk • Furthermore, the employee left the laptop and the unencrypted external disk in a vehicle were it was stolen by a thief • Because unencrypted data has left the custody of the company and is in the hands of a thief and the data is not encrypted, this is a data breach of private health information. 

Target & Home Depot • Massive credit card data breaches • One of the reasons that will finally lead to the implementation of smartcard-based credit cards in the United States. 

A secure file upload system example 

As a Pawn Shop Clerk, I scan a copy of the customer’s drivers’ license because the company is required by law to keep this record at least two years from the date we purchase a used valuable from a customer. 

Security facts for this story • Data is an image of a drivers’ license, PII by law • Protected by State Law?: ! • Yes! • Avoid storing it?: • No • Retention Period: • 2 Years 

• At the conclusion of the data retention period, a record should show that the system did collect the required information, but that it has been deleted in the ordinary course of business at the conclusion of the retention period. • With public key encryption using GnuPG, the server will have never had the key needed to decrypt an encrypted drivers license. 

Design considerations • Protect data with encryption and access control • Automatically delete after the expiration date • Log authorized access to the file • The project is already using Paperclip, so let’s stick with that • The application and it’s API endpoints are already SSL-only with Strict Transport Security turned on • Assume the company already knows about GnuPG encryption so that authorized people can decrypt on their duly authorized computers 

Controller! Upload and Download actions Paperclip Filter! Encrypt with GnuPG rather than resize images. Server has no decryption key available. Model! Secure Attachment to track file record and the delete_at date Private OpenStack Files Container! Expiration Date Set on Each File, No Publicly Accessible URL Access Control CanCan Ability Definitions 

models/SecureAttachment.rb Notice the processors and styles options to has_attached_file 

lib/paperclip_processors/ pgp_encrypt_to_finance_team.rb A simple encryption filter using the gpgme gem, that interfaces with GnuPG on the server 

Stored on an OpenStack Files Container Automatic Delete, Random File Names that give no information about the file. Amazon S3 would work as well. 

Decrypting a particular drivers’ license image file 

YubiKey Neo OpenPGP Smart Card & FIDO Two Factor Tokens! 

Professional Ethics what is your reasonable standard of due care? 

Practical Countermeasures • Have a Defense in Depth strategy, that includes multiple concurrent countermeasures. • Use Secure HTTP Headers and enable SSL-only with Strict-Transport Security on all production sites • Include security concerns in your user story writing and ALWAYS ask about ways to change the business model to avoid PII. • Run automated audit tools, such as Brakeman, Bundler-audit, Code Climate, and Linters 

Thanks! When cryptography is outlawed, bayl bhgynjf juyy unir cevinpl. 

Frank S. Rietta, M.S. Information Security • My blog, where I write on security and other topics • https://rietta.com/blog • On Twitter • https://twitter.com/frankrietta • Learn more about Rietta’s community sponsorship, including the Atlanta Ruby Users’ Group videos • https://rietta.com/community