Safeguarding Sensitive Data in the Cloud - SPANCONF London 2014

E50d396533a9455ba01a4827868598e9?s=47 Elliot Murphy
October 28, 2014
Programming
0
45

Safeguarding Sensitive Data in the Cloud - SPANCONF London 2014

An appeal to take security seriously as we build larger and larger systems in the cloud processing more and more data.

E50d396533a9455ba01a4827868598e9?s=128

Elliot Murphy

October 28, 2014
Tweet

More Decks by Elliot Murphy

See All by Elliot Murphy
E50d396533a9455ba01a4827868598e9?s=48 statik
0
30
E50d396533a9455ba01a4827868598e9?s=48 statik
0
130
E50d396533a9455ba01a4827868598e9?s=48 statik
2
110
E50d396533a9455ba01a4827868598e9?s=48 statik
0
100
E50d396533a9455ba01a4827868598e9?s=48 statik
0
99
E50d396533a9455ba01a4827868598e9?s=48 statik
2
190

Other Decks in Programming

See All in Programming
F9e11bea0c22333596791dd0696f5d4f?s=48 daiksy
0
1.2k
817e89f88197980860f1854b74fbee25?s=48 lcdsmao
2
350
D882856fd493248c73331872a516d1b5?s=48 exsoul
1
120
60952c750afeecd81999bd62e04d53cd?s=48 pi_chan
1
160
E6143330e12cd226c3dab99f3fe8cb3e?s=48 yanaemon
1
150
C9ab1175a6981a2f67ce8d08aa17c15a?s=48 mpilquist
0
130
C302e84057a922dce0ecbe80207e3fcc?s=48 mu_zaru
0
290
0fb2ce77513181750c384115cd0bc937?s=48 ksukenobe
0
140
9fbbe5d0b8e2ee1cdc3a576b55a2d63d?s=48 uzimaru0000
0
240
Fc358d63dcdcbad7a5c29198785dec2c?s=48 naototty
1
270
Fb1b9f3d7332a7a7e262b70013b5f7dd?s=48 mtsmfm
0
120
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
0
190

Featured

See All Featured
78b475797a14c84799063c7cd073962f?s=48 holman
458
270k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
101
4.8k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
295
39k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
196
19k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
49
3.2k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
164
6.7k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
61
7.4k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
240
20k
5f50f94346fbcb23706f0707169317a4?s=48 aarron
253
36k
245cee81a9c424266e5e401d844ea881?s=48 lara
168
9.1k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1020
350k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
154
11k

Transcript

  1. safeguarding sensitive data in the cloud Elliot Murphy CTO, CommonGround

  2. – Cory Doctorow in 2008 http://www.theguardian.com/technology/2008/jan/15/data.security “We should treat personal

    electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back”
  3. None
  4. None

  5. –The Guardian http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app- tracking-users “Revealed: how Whisper app tracks ‘anonymous’

    users”

  6. – US Senator John D Rockefeller, Chairman of Committee with

    oversight over the Federal Trade Commission and consumer protection issues http://www.rockefeller.senate.gov/public/index.cfm/files/serve? File_id=a9d102ef-ac4a-445e-8a49- fc0f0377960e&SK=B8C08E13132161C24B2074067EF20FD5 “Unfortunately, recent media accounts have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy”

  7. US HHS Wall of Shame http://www.hhs.gov/ocr/privacy/hipaa/administrative/ breachnotificationrule/breachtool.html

  8. None

  9. Attacked from the inside • Wireless (802.11b/g/n) high gain Bluetooth

    & USB Ethernet adapters • Fully-automated NAC/802.1x/ Radius bypass • One-click EvilAP, stealth mode & passive recon • Kali linux
  10. None

  11. Snoopy proof of concept • Drones collect probe SSIDs •

    Offer rogue access points with matching SSID • traffic transparently proxied via squid and logged • SSLstrip removes https • mitmproxy injection into web pages • https://wigle.net to map from probe to GPS • Google maps street view

  12. FOOD

  13. Not-so-nice restaurants • Widely varying resources • Widely varying education

    levels • Widely varying local customs and challenges • Extremely competitive • Price pressure • Many workers, minimal training • Workers may not be motivated

  14. Acceptable level of risk

  15. Acceptable level of risk

  16. Acceptable level of risk Wash your hands

  17. Acceptable level of risk “CDC estimates that each year in

    the US roughly 1 in 6 (or 48 million people) gets sick, 128,000 are hospitalized, and 3,000 die of foodborne diseases” source: http://www.cdc.gov/ foodsafety/facts.html

  18. • Wash your hands • Go for walks • Play

    with others • Run in circles • Tell stories

  19. Wash your hands • Use a password manager • Use

    multi-factor authentication, particularly on your password manager, DNS, and Email • Develop basic fluency in using encryption. Understand what options exist, and the human factors at play. • Use full disk encryption (even on your mobile devices) • Use encryption on all data in flight and at rest. This includes connections inside your application (webapp to backend) • Run the rest of the steps in order to customize this list for your environment

  20. Crash course in encryption Everything reduces to a key management

    problem Shamir secret sharing, N-of-M splits Homomorphic encryption exists Data you don’t have can’t get stolen Attend Real World Crypto Jan 2015 in London

  21. Go for walks

  22. Go for walks keylogger on a sysadmins laptop stolen ssh

    private key engineer accidentally adds a SQL injection Someone with access to data goes rogue and sells it

  23. Go for walks This is called risk assessment The fictional

    reasonable person Hand rule or http://en.wikipedia.org/wiki/ Calculus_of_negligence

  24. Play with others Group cognition Elevation of privilege game, Cornucopia

    game https://www.owasp.org/index.php/ OWASP_Cornucopia 3rd party pentests and audits

  25. Run in circles

  26. Tell stories

  27. Tell stories https://www.owasp.org/ https://www.feistyduck.com/books/bulletproof-ssl- and-tls/ https://training.catalyze.io • https://github.com/catalyzeio/policies

  28. • Wash your hands - take reasonable basic precautions •

    Go for walks - schedule time to reflect on your risk • Play with others - engage in group problem solving around threat modeling • Run in circles - run an OODA loop • Tell stories - help your colleagues value meaningful security and reject FUD