Safeguarding Sensitive Data in the Cloud - SPANCONF London 2014

E50d396533a9455ba01a4827868598e9?s=47 Elliot Murphy
October 28, 2014
Programming
0
45

Safeguarding Sensitive Data in the Cloud - SPANCONF London 2014

An appeal to take security seriously as we build larger and larger systems in the cloud processing more and more data.

E50d396533a9455ba01a4827868598e9?s=128

Elliot Murphy

October 28, 2014
Tweet

Want more?

E50d396533a9455ba01a4827868598e9?s=48 statik
0
28
E50d396533a9455ba01a4827868598e9?s=48 statik
0
120
E50d396533a9455ba01a4827868598e9?s=48 statik
2
100
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
1
100
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
55
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
60
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
4
120
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
3
140
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
2
210
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
2
390
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
110
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
200

Transcript

  1. 1.

    safeguarding sensitive data in the cloud Elliot Murphy CTO, CommonGround

  2. 2.

    – Cory Doctorow in 2008 http://www.theguardian.com/technology/2008/jan/15/data.security “We should treat personal

    electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back”
  3. 3.
    None
  4. 4.
    None
  5. 5.

    –The Guardian http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app- tracking-users “Revealed: how Whisper app tracks ‘anonymous’

    users”
  6. 6.

    – US Senator John D Rockefeller, Chairman of Committee with

    oversight over the Federal Trade Commission and consumer protection issues http://www.rockefeller.senate.gov/public/index.cfm/files/serve? File_id=a9d102ef-ac4a-445e-8a49- fc0f0377960e&SK=B8C08E13132161C24B2074067EF20FD5 “Unfortunately, recent media accounts have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy”
  7. 7.

    US HHS Wall of Shame http://www.hhs.gov/ocr/privacy/hipaa/administrative/ breachnotificationrule/breachtool.html

  8. 8.
    None
  9. 9.

    Attacked from the inside • Wireless (802.11b/g/n) high gain Bluetooth

    & USB Ethernet adapters • Fully-automated NAC/802.1x/ Radius bypass • One-click EvilAP, stealth mode & passive recon • Kali linux
  10. 10.
    None
  11. 11.

    Snoopy proof of concept • Drones collect probe SSIDs •

    Offer rogue access points with matching SSID • traffic transparently proxied via squid and logged • SSLstrip removes https • mitmproxy injection into web pages • https://wigle.net to map from probe to GPS • Google maps street view
  12. 12.

    FOOD

  13. 13.

    Not-so-nice restaurants • Widely varying resources • Widely varying education

    levels • Widely varying local customs and challenges • Extremely competitive • Price pressure • Many workers, minimal training • Workers may not be motivated
  14. 14.

    Acceptable level of risk

  15. 15.

    Acceptable level of risk

  16. 16.

    Acceptable level of risk Wash your hands

  17. 17.

    Acceptable level of risk “CDC estimates that each year in

    the US roughly 1 in 6 (or 48 million people) gets sick, 128,000 are hospitalized, and 3,000 die of foodborne diseases” source: http://www.cdc.gov/ foodsafety/facts.html
  18. 18.

    • Wash your hands • Go for walks • Play

    with others • Run in circles • Tell stories
  19. 19.

    Wash your hands • Use a password manager • Use

    multi-factor authentication, particularly on your password manager, DNS, and Email • Develop basic fluency in using encryption. Understand what options exist, and the human factors at play. • Use full disk encryption (even on your mobile devices) • Use encryption on all data in flight and at rest. This includes connections inside your application (webapp to backend) • Run the rest of the steps in order to customize this list for your environment
  20. 20.

    Crash course in encryption Everything reduces to a key management

    problem Shamir secret sharing, N-of-M splits Homomorphic encryption exists Data you don’t have can’t get stolen Attend Real World Crypto Jan 2015 in London
  21. 21.

    Go for walks

  22. 22.

    Go for walks keylogger on a sysadmins laptop stolen ssh

    private key engineer accidentally adds a SQL injection Someone with access to data goes rogue and sells it
  23. 23.

    Go for walks This is called risk assessment The fictional

    reasonable person Hand rule or http://en.wikipedia.org/wiki/ Calculus_of_negligence
  24. 24.

    Play with others Group cognition Elevation of privilege game, Cornucopia

    game https://www.owasp.org/index.php/ OWASP_Cornucopia 3rd party pentests and audits
  25. 25.

    Run in circles

  26. 26.

    Tell stories

  27. 27.

    Tell stories https://www.owasp.org/ https://www.feistyduck.com/books/bulletproof-ssl- and-tls/ https://training.catalyze.io • https://github.com/catalyzeio/policies

  28. 28.

    • Wash your hands - take reasonable basic precautions •

    Go for walks - schedule time to reflect on your risk • Play with others - engage in group problem solving around threat modeling • Run in circles - run an OODA loop • Tell stories - help your colleagues value meaningful security and reject FUD