Safeguarding Sensitive Data in the Cloud - SPANCONF London 2014

An appeal to take security seriously as we build larger and larger systems in the cloud processing more and more data.


Elliot Murphy

October 28, 2014

Transcript

  Slide 2.

    Cory Doctorow in 2008 (http://www.theguardian.com/technology/2008/jan/15/data.security): “We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back”
  Slide 6.

    US Senator John D. Rockefeller, Chairman of the Committee with oversight over the Federal Trade Commission and consumer protection issues (http://www.rockefeller.senate.gov/public/index.cfm/files/serve?File_id=a9d102ef-ac4a-445e-8a49-fc0f0377960e&SK=B8C08E13132161C24B2074067EF20FD5): “Unfortunately, recent media accounts have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy”
  Slide 9.

    Attacked from the inside
    • Wireless (802.11b/g/n) high-gain, Bluetooth and USB Ethernet adapters
    • Fully automated NAC/802.1x/RADIUS bypass
    • One-click EvilAP, stealth mode and passive recon
    • Kali Linux
  Slide 11.

    Snoopy proof of concept
    • Drones collect the SSIDs that passing devices probe for
    • Offer rogue access points with a matching SSID, so devices auto-join
    • Traffic is transparently proxied via squid and logged
    • SSLstrip downgrades https to plain http (for clients not already protected by HSTS)
    • mitmproxy injects content into web pages
    • https://wigle.net maps each probed SSID to a GPS position
    • Google Maps Street View shows where the victim has been
  Slide 13.

    Not-so-nice restaurants
    • Widely varying resources
    • Widely varying education levels
    • Widely varying local customs and challenges
    • Extremely competitive
    • Price pressure
    • Many workers, minimal training
    • Workers may not be motivated
  Slide 17.

    Acceptable level of risk: “CDC estimates that each year in the US roughly 1 in 6 (or 48 million people) gets sick, 128,000 are hospitalized, and 3,000 die of foodborne diseases” (source: http://www.cdc.gov/foodsafety/facts.html)
  Slide 18.

    • Wash your hands
    • Go for walks
    • Play with others
    • Run in circles
    • Tell stories
  Slide 19.

    Wash your hands
    • Use a password manager
    • Use multi-factor authentication, particularly on your password manager, DNS, and email
    • Develop basic fluency in using encryption. Understand what options exist, and the human factors at play.
    • Use full-disk encryption (even on your mobile devices)
    • Use encryption on all data in flight and at rest. This includes connections inside your application (webapp to backend).
    • Run the rest of the steps in order to customize this list for your environment
  Slide 20.

    Crash course in encryption
    • Everything reduces to a key management problem
    • Shamir secret sharing, N-of-M splits
    • Homomorphic encryption exists
    • Data you don’t have can’t get stolen
    • Attend Real World Crypto, January 2015 in London
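The slide names Shamir secret sharing, N-of-M splits, as the key-management primitive without showing how it works. The following is an added example, not code from the talk or from the speaker: a minimal Shamir split and recover over the Mersenne prime field 2^521 - 1, so a data-encryption key of up to 64 bytes fits in one field element. The function names (`split_secret`, `recover_secret`, `split_key`, `recover_key`) and the SHA-256 check are my own additions; the digest is there because plain Shamir has no integrity, so too few shares, or one corrupted share, reconstruct a different field element with no error at all.

```python
"""Shamir N-of-M secret sharing over a prime field.

Added illustration of the slide's "N-of-M splits"; not the speaker's code.
split_secret() hides the secret as the constant term of a random polynomial of
degree N-1 and hands out M points on it.  Any N points recover the constant
term by Lagrange interpolation at x = 0; N-1 points are consistent with every
possible secret, so they reveal nothing.
"""
import hashlib
import secrets

# Field modulus: the Mersenne prime 2^521 - 1 (certainly prime), large enough
# that a 256-bit or 512-bit key is a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Horner evaluation of sum(coeffs[i] * x**i) mod p; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, threshold, shares, p=PRIME, rand=secrets.randbelow):
    """Return `shares` points (x, y) such that any `threshold` of them recover `secret`.

    `rand(p)` must return a uniform integer in [0, p); it is a parameter only so
    tests can make the split deterministic.
    """
    if not 1 <= threshold <= shares < p:
        raise ValueError("need 1 <= threshold <= shares < p")
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    # Random coefficients for x^1 .. x^(threshold-1); the secret is the constant term.
    coeffs = [secret] + [rand(p) for _ in range(threshold - 1)]
    # x = 0 is never used as a share index, because f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(points, p=PRIME):
    """Lagrange-interpolate the polynomial through `points` and evaluate it at x = 0."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p       # product of (0 - xj)
                den = den * (xi - xj) % p   # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def split_key(key: bytes, threshold, shares):
    """Share a byte-string key; returns (digest, shares).

    The SHA-256 digest is a commitment that lets the recovering side detect a
    wrong or tampered share set.  It is only safe to publish for a key with
    full entropy (a random 256-bit key); never use it for a password.
    """
    digest = hashlib.sha256(key).hexdigest()
    return digest, split_secret(int.from_bytes(key, "big"), threshold, shares)


def recover_key(points, digest, length):
    """Recover a `length`-byte key from shares and verify it against `digest`."""
    value = recover_secret(points)
    if value.bit_length() > 8 * length:
        raise ValueError("reconstructed value is not a key: too few or corrupted shares")
    key = value.to_bytes(length, "big")
    if hashlib.sha256(key).hexdigest() != digest:
        raise ValueError("reconstructed key does not match digest: too few or corrupted shares")
    return key


if __name__ == "__main__":
    # Constructed sample: a 32-byte key split 3-of-5 across five custodians.
    master = secrets.token_bytes(32)
    digest, shares = split_key(master, 3, 5)
    print("3 shares:", recover_key([shares[0], shares[2], shares[4]], digest, 32) == master)
```

The threshold is the whole point of "data you don't have can't get stolen": a single custodian, or a single stolen laptop, holds one share and learns nothing about the key. Shares must be distributed over the encrypted channels slide 19 asks for, and the polynomial coefficients must come from a CSPRNG (here `secrets.randbelow`); a predictable coefficient collapses the scheme to one share.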
  Slide 22.

    Go for walks
    • Keylogger on a sysadmin's laptop
    • Stolen SSH private key
    • Engineer accidentally adds a SQL injection
    • Someone with access to data goes rogue and sells it
  Slide 23.

    Go for walks: this is called risk assessment. The standard is the fictional reasonable person and the Hand rule (calculus of negligence, http://en.wikipedia.org/wiki/Calculus_of_negligence): a precaution is reasonable when its cost B is less than the probability P of the loss times the size L of that loss, i.e. B < P × L.
  Slide 24.

    Play with others
    • Group cognition
    • Elevation of Privilege game, Cornucopia game (https://www.owasp.org/index.php/OWASP_Cornucopia)
    • 3rd-party pentests and audits
  Slide 28.

    • Wash your hands - take reasonable basic precautions
    • Go for walks - schedule time to reflect on your risk
    • Play with others - engage in group problem solving around threat modeling
    • Run in circles - run an OODA loop
    • Tell stories - help your colleagues value meaningful security and reject FUD