– Cory Doctorow in 2008 http://www.theguardian.com/technology/2008/jan/15/data.security “We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back”
– US Senator John D. Rockefeller, Chairman of the Committee with oversight over the Federal Trade Commission and consumer protection issues http://www.rockefeller.senate.gov/public/index.cfm/files/serve?File_id=a9d102ef-ac4a-445e-8a49-fc0f0377960e&SK=B8C08E13132161C24B2074067EF20FD5 “Unfortunately, recent media accounts have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy”
Attacked from the inside (a drop-box device planted on the internal network)
• High-gain wireless (802.11b/g/n), Bluetooth and USB Ethernet adapters
• Fully automated NAC / 802.1X / RADIUS bypass
• One-click EvilAP, stealth mode and passive recon
• Kali Linux
Snoopy proof of concept
• Drones collect the SSIDs that nearby client devices probe for
• Offer rogue access points whose SSIDs match those probes, so the clients auto-join
• Traffic is transparently proxied through Squid and logged
• sslstrip rewrites HTTPS links to plain HTTP (browsers that already hold an HSTS entry for the site will not downgrade)
• mitmproxy injects content into web pages
• https://wigle.net maps a probed SSID to a GPS location
• Google Maps Street View shows where the victim has been
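The rogue access points above answer whatever SSID a client asks for, which is also what gives them away on the air: a single BSSID answering probe requests for many unrelated SSIDs that it never beacons. The following detection logic is an added example, not code from the talk or from Snoopy. The frame log format, the addresses and the thresholds are constructed for this example; a real feed would come from monitor-mode capture.

```python
import re
from collections import defaultdict

# Constructed sample: one line per 802.11 management frame, in a simple text
# form assumed for this example (it is not the output format of any real tool).
# A rogue AP (de:ad:be:ef:00:01) answers every SSID that clients probe for;
# a legitimate AP (00:11:22:33:44:55) only answers for the SSID it beacons.
SAMPLE_FRAMES = """\
10.0 beacon src=00:11:22:33:44:55 ssid="CafeWifi"
10.2 probe-req src=aa:aa:aa:aa:aa:05 ssid=""
10.3 probe-resp src=00:11:22:33:44:55 dst=aa:aa:aa:aa:aa:05 ssid="CafeWifi"
10.5 probe-req src=aa:aa:aa:aa:aa:01 ssid="HomeNet"
10.6 probe-resp src=de:ad:be:ef:00:01 dst=aa:aa:aa:aa:aa:01 ssid="HomeNet"
11.0 probe-req src=aa:aa:aa:aa:aa:02 ssid="OfficeWLAN"
11.1 probe-resp src=de:ad:be:ef:00:01 dst=aa:aa:aa:aa:aa:02 ssid="OfficeWLAN"
11.5 probe-req src=aa:aa:aa:aa:aa:03 ssid="AirportFree"
11.6 probe-resp src=de:ad:be:ef:00:01 dst=aa:aa:aa:aa:aa:03 ssid="AirportFree"
12.0 probe-req src=aa:aa:aa:aa:aa:04 ssid="CafeWifi"
12.1 probe-resp src=00:11:22:33:44:55 dst=aa:aa:aa:aa:aa:04 ssid="CafeWifi"
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<kind>beacon|probe-req|probe-resp) '
    rf'src=(?P<src>{MAC})(?: dst=(?P<dst>{MAC}))? ssid="(?P<ssid>[^"]*)"$'
)


def parse_frames(text):
    """Parse the constructed frame log into dicts; unparseable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frame = m.groupdict()
            frame["ts"] = float(frame["ts"])
            frames.append(frame)
    return frames


def find_karma_aps(frames, min_ssids=3, window=5.0):
    """Flag BSSIDs that behave like a karma-style rogue AP.

    A BSSID is suspicious when it sends probe responses for at least
    `min_ssids` distinct SSIDs that (a) it never beacons itself and (b) some
    client probed for within `window` seconds beforehand. Wildcard probes
    (empty SSID) never match a named response, so they do not trigger this.
    Returns {bssid: sorted list of answered SSIDs}."""
    beaconed = defaultdict(set)   # bssid -> SSIDs the AP announces itself
    probes = []                   # (timestamp, ssid) from client probe requests
    answered = defaultdict(set)   # bssid -> SSIDs answered on demand only
    for f in frames:
        if f["kind"] == "beacon":
            beaconed[f["src"]].add(f["ssid"])
        elif f["kind"] == "probe-req":
            probes.append((f["ts"], f["ssid"]))
        else:  # probe-resp
            recently_probed = any(
                s == f["ssid"] and f["ts"] - window <= t <= f["ts"]
                for t, s in probes
            )
            if recently_probed and f["ssid"] not in beaconed[f["src"]]:
                answered[f["src"]].add(f["ssid"])
    return {b: sorted(s) for b, s in answered.items() if len(s) >= min_ssids}


if __name__ == "__main__":
    for bssid, ssids in find_karma_aps(parse_frames(SAMPLE_FRAMES)).items():
        print(f"suspicious AP {bssid} answered probes for: {', '.join(ssids)}")
```

The heuristic deliberately ignores SSIDs the AP beacons, so a legitimate AP answering for its own network is never flagged; a hidden-SSID AP answers directed probes without beaconing the name, but it only ever answers for one SSID and stays well under `min_ssids`.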
Not-so-nice restaurants
• Widely varying resources
• Widely varying education levels
• Widely varying local customs and challenges
• Extremely competitive
• Price pressure
• Many workers, minimal training
• Workers may not be motivated
Acceptable level of risk “CDC estimates that each year in the US roughly 1 in 6 (or 48 million people) gets sick, 128,000 are hospitalized, and 3,000 die of foodborne diseases” source: http://www.cdc.gov/foodsafety/facts.html
Wash your hands
• Use a password manager
• Use multi-factor authentication, particularly on your password manager, your DNS registrar and your email accounts
• Develop basic fluency in using encryption: understand what options exist and the human factors at play
• Use full-disk encryption (even on your mobile devices)
• Encrypt all data in flight and at rest, including connections inside your application (web app to backend)
• Run the rest of the steps to customize this list for your environment
Crash course in encryption
• Everything reduces to a key management problem
• Shamir secret sharing: N-of-M splits
• Homomorphic encryption exists
• Data you don’t have can’t get stolen
• Attend Real World Crypto, January 2015 in London
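The N-of-M split mentioned above is the standard answer to "who holds the master key": no single person or machine has it, any N of M share-holders can rebuild it, and fewer than N learn nothing. As an added example (not code from the talk), here is a minimal Shamir secret sharing implementation in Python over the prime field GF(2^521 - 1). The field choice, the share format `(threshold, x, y)` and the function names are assumptions of this example.

```python
import secrets

# Field for the scheme. 2**521 - 1 is a Mersenne prime, so all arithmetic is
# done modulo this value; any secret of up to 64 bytes (512 bits) fits below it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial over GF(PRIME) at x using Horner's rule.
    coeffs[0] is the constant term, i.e. the secret itself."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count, rng=secrets.randbelow):
    """Split an integer secret into share_count shares, any `threshold` of
    which reconstruct it (an N-of-M split with N = threshold, M = share_count).

    Returns a list of (threshold, x, y) tuples; carrying the threshold in the
    share lets recover_secret refuse to run with too few of them. `rng` is
    only a parameter so the split can be made deterministic in tests."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    # Random polynomial of degree threshold-1 whose constant term is the
    # secret: any threshold-1 points are consistent with every possible secret.
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(threshold, x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Reconstruct the secret from at least `threshold` distinct shares by
    Lagrange interpolation at x = 0 over GF(PRIME)."""
    thresholds = {t for t, _, _ in shares}
    if len(thresholds) != 1:
        raise ValueError("shares do not come from the same split")
    threshold = thresholds.pop()
    points = [(x, y) for _, x, y in shares]
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    if len(points) < threshold:
        raise ValueError(f"need {threshold} shares, got {len(points)}")
    points = points[:threshold]  # any threshold points determine the polynomial
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Lagrange basis term l_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j);
        # division is multiplication by the modular inverse (Fermat).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def split_key(key, threshold, share_count):
    """Split a symmetric key (bytes, at most 64 bytes) into shares."""
    if len(key) > 64:
        raise ValueError("key too long for this field")
    return split_secret(int.from_bytes(key, "big"), threshold, share_count)


def recover_key(shares, key_len):
    """Rebuild a key of key_len bytes from shares produced by split_key."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)        # e.g. a database encryption key
    shares = split_key(master_key, threshold=3, share_count=5)
    assert recover_key(shares[1:4], 32) == master_key
    print("3-of-5 split recovered the key from shares 2, 3 and 4")
```

The shares are information-theoretically secure only if the polynomial coefficients are drawn from a cryptographic RNG and the shares are stored separately (different people, different HSMs, different clouds); the `threshold` field in each share is a convenience, not a security control, and an attacker holding N-1 shares still learns nothing about the secret.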
Go for walks (scenarios worth reflecting on)
• A keylogger on a sysadmin’s laptop
• A stolen SSH private key
• An engineer accidentally adds a SQL injection
• Someone with access to the data goes rogue and sells it
Play with others
• Group cognition
• Elevation of Privilege game, Cornucopia game: https://www.owasp.org/index.php/OWASP_Cornucopia
• Third-party pentests and audits
• Wash your hands: take reasonable basic precautions
• Go for walks: schedule time to reflect on your risk
• Play with others: engage in group problem solving around threat modeling
• Run in circles: run an OODA loop
• Tell stories: help your colleagues value meaningful security and reject FUD