Safeguarding Sensitive Data in the Cloud - SPANCONF London 2014

An appeal to take security seriously as we build larger and larger systems in the cloud processing more and more data.

Elliot Murphy

October 28, 2014

Transcript

  1. Safeguarding sensitive data in the cloud. Elliot Murphy, CTO, CommonGround

  2. “We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back” – Cory Doctorow in 2008, http://www.theguardian.com/technology/2008/jan/15/data.security
  3. None
  4. None
  5. “Revealed: how Whisper app tracks ‘anonymous’ users” – The Guardian, http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app-tracking-users
  6. “Unfortunately, recent media accounts have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy” – US Senator John D Rockefeller, Chairman of the Committee with oversight over the Federal Trade Commission and consumer protection issues, http://www.rockefeller.senate.gov/public/index.cfm/files/serve?File_id=a9d102ef-ac4a-445e-8a49-fc0f0377960e&SK=B8C08E13132161C24B2074067EF20FD5
  7. US HHS Wall of Shame: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

  8. None
  9. Attacked from the inside
     • Wireless (802.11b/g/n) high-gain Bluetooth & USB Ethernet adapters
     • Fully-automated NAC/802.1x/RADIUS bypass
     • One-click EvilAP, stealth mode & passive recon
     • Kali Linux
  10. None
  11. Snoopy proof of concept
     • Drones collect probe SSIDs
     • Offer rogue access points with matching SSID
     • Traffic transparently proxied via Squid and logged
     • SSLstrip removes HTTPS
     • mitmproxy injection into web pages
     • https://wigle.net to map from probe to GPS
     • Google Maps Street View
  12. FOOD

  13. Not-so-nice restaurants
     • Widely varying resources
     • Widely varying education levels
     • Widely varying local customs and challenges
     • Extremely competitive
     • Price pressure
     • Many workers, minimal training
     • Workers may not be motivated
  14. Acceptable level of risk

  15. Acceptable level of risk

  16. Acceptable level of risk: Wash your hands

  17. Acceptable level of risk: “CDC estimates that each year in the US roughly 1 in 6 (or 48 million people) gets sick, 128,000 are hospitalized, and 3,000 die of foodborne diseases” – source: http://www.cdc.gov/foodsafety/facts.html
  18. • Wash your hands • Go for walks • Play with others • Run in circles • Tell stories
  19. Wash your hands
     • Use a password manager
     • Use multi-factor authentication, particularly on your password manager, DNS, and email
     • Develop basic fluency in using encryption. Understand what options exist, and the human factors at play.
     • Use full disk encryption (even on your mobile devices)
     • Use encryption on all data in flight and at rest. This includes connections inside your application (webapp to backend)
     • Run the rest of the steps in order to customize this list for your environment
  20. Crash course in encryption: everything reduces to a key management problem; Shamir secret sharing, N-of-M splits; homomorphic encryption exists; data you don’t have can’t get stolen; attend Real World Crypto, January 2015 in London
  21. Go for walks

  22. Go for walks: keylogger on a sysadmin’s laptop; stolen SSH private key; engineer accidentally adds a SQL injection; someone with access to data goes rogue and sells it
  23. Go for walks: this is called risk assessment. The fictional reasonable person; Hand rule, or http://en.wikipedia.org/wiki/Calculus_of_negligence
  24. Play with others: group cognition; Elevation of Privilege game, Cornucopia game (https://www.owasp.org/index.php/OWASP_Cornucopia); 3rd-party pentests and audits
  25. Run in circles

  26. Tell stories

  27. Tell stories: https://www.owasp.org/ • https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ • https://training.catalyze.io • https://github.com/catalyzeio/policies

  28. • Wash your hands - take reasonable basic precautions
     • Go for walks - schedule time to reflect on your risk
     • Play with others - engage in group problem solving around threat modeling
     • Run in circles - run an OODA loop
     • Tell stories - help your colleagues value meaningful security and reject FUD