Safeguarding Sensitive Data in the Cloud - SPANCONF London 2014

E50d396533a9455ba01a4827868598e9?s=47 Elliot Murphy
October 28, 2014
Programming
0
48

Safeguarding Sensitive Data in the Cloud - SPANCONF London 2014

An appeal to take security seriously as we build larger and larger systems in the cloud processing more and more data.

E50d396533a9455ba01a4827868598e9?s=128

Elliot Murphy

October 28, 2014
Tweet

More Decks by Elliot Murphy

See All by Elliot Murphy
E50d396533a9455ba01a4827868598e9?s=48 statik
0
32
E50d396533a9455ba01a4827868598e9?s=48 statik
0
130
E50d396533a9455ba01a4827868598e9?s=48 statik
2
110
E50d396533a9455ba01a4827868598e9?s=48 statik
0
100
E50d396533a9455ba01a4827868598e9?s=48 statik
0
99
E50d396533a9455ba01a4827868598e9?s=48 statik
2
190

Other Decks in Programming

See All in Programming
F0493f5bcb4cc9fdccc54ae3e8ab6bd0?s=48 matsu7874
0
170
841002bf24bb562253de7eb3c17ceae6?s=48 kyomo
1
150
933291444e456bfb511a66a2fa9c6929?s=48 j5ik2o
1
340
0b8ad408b31cb9d5cff2828086c65d58?s=48 temoki
5
2.3k
E35e0e7d3f6105befd7096b7ee558911?s=48 nishikawasasaki
0
500
49833977598de9524fa85cacb93a42ce?s=48 philcalcado
0
110
264b44c0c6d60336f8b6a0fbab118984?s=48 mmazour
0
130
81bf9a5ec95c07c4884b334456025095?s=48 coodoo
1
1.1k
76a777ff80f30bd3b390e275cce625bc?s=48 a_matsuda
10
2.6k
66988ef2ff1307f07c7c8d829a6dc4fa?s=48 rosariopfernandes
2
120
9da5d5cc4b6a9f28058152e28364b02a?s=48 prof18
1
130
Fccbd625997f63e7b251d9725cb905a5?s=48 futo23
2
580

Featured

See All Featured
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
12
1.3k
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
294
27k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
82
4.6k
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
70
7k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
52
1.8k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
345
20k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
71
3.5k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
55
9.2k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
293
39k
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
10
630
5f83ef806155b403c3393160ce51f955?s=48 jlugia
216
16k
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
297
30k

Transcript

  1. safeguarding sensitive data in the cloud Elliot Murphy CTO, CommonGround

  2. – Cory Doctorow in 2008 http://www.theguardian.com/technology/2008/jan/15/data.security “We should treat personal

    electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back”
  3. None
  4. None

  5. –The Guardian http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app- tracking-users “Revealed: how Whisper app tracks ‘anonymous’

    users”

  6. – US Senator John D Rockefeller, Chairman of Committee with

    oversight over the Federal Trade Commission and consumer protection issues http://www.rockefeller.senate.gov/public/index.cfm/files/serve? File_id=a9d102ef-ac4a-445e-8a49- fc0f0377960e&SK=B8C08E13132161C24B2074067EF20FD5 “Unfortunately, recent media accounts have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy”

  7. US HHS Wall of Shame http://www.hhs.gov/ocr/privacy/hipaa/administrative/ breachnotificationrule/breachtool.html

  8. None

  9. Attacked from the inside • Wireless (802.11b/g/n) high gain Bluetooth

    & USB Ethernet adapters • Fully-automated NAC/802.1x/ Radius bypass • One-click EvilAP, stealth mode & passive recon • Kali linux
  10. None

  11. Snoopy proof of concept • Drones collect probe SSIDs •

    Offer rogue access points with matching SSID • traffic transparently proxied via squid and logged • SSLstrip removes https • mitmproxy injection into web pages • https://wigle.net to map from probe to GPS • Google maps street view

  12. FOOD

  13. Not-so-nice restaurants • Widely varying resources • Widely varying education

    levels • Widely varying local customs and challenges • Extremely competitive • Price pressure • Many workers, minimal training • Workers may not be motivated

  14. Acceptable level of risk

  15. Acceptable level of risk

  16. Acceptable level of risk Wash your hands

  17. Acceptable level of risk “CDC estimates that each year in

    the US roughly 1 in 6 (or 48 million people) gets sick, 128,000 are hospitalized, and 3,000 die of foodborne diseases” source: http://www.cdc.gov/ foodsafety/facts.html

  18. • Wash your hands • Go for walks • Play

    with others • Run in circles • Tell stories

  19. Wash your hands • Use a password manager • Use

    multi-factor authentication, particularly on your password manager, DNS, and Email • Develop basic fluency in using encryption. Understand what options exist, and the human factors at play. • Use full disk encryption (even on your mobile devices) • Use encryption on all data in flight and at rest. This includes connections inside your application (webapp to backend) • Run the rest of the steps in order to customize this list for your environment

  20. Crash course in encryption Everything reduces to a key management

    problem Shamir secret sharing, N-of-M splits Homomorphic encryption exists Data you don’t have can’t get stolen Attend Real World Crypto Jan 2015 in London

  21. Go for walks

  22. Go for walks keylogger on a sysadmins laptop stolen ssh

    private key engineer accidentally adds a SQL injection Someone with access to data goes rogue and sells it

  23. Go for walks This is called risk assessment The fictional

    reasonable person Hand rule or http://en.wikipedia.org/wiki/ Calculus_of_negligence

  24. Play with others Group cognition Elevation of privilege game, Cornucopia

    game https://www.owasp.org/index.php/ OWASP_Cornucopia 3rd party pentests and audits

  25. Run in circles

  26. Tell stories

  27. Tell stories https://www.owasp.org/ https://www.feistyduck.com/books/bulletproof-ssl- and-tls/ https://training.catalyze.io • https://github.com/catalyzeio/policies

  28. • Wash your hands - take reasonable basic precautions •

    Go for walks - schedule time to reflect on your risk • Play with others - engage in group problem solving around threat modeling • Run in circles - run an OODA loop • Tell stories - help your colleagues value meaningful security and reject FUD