Help the hackers get your data

In May 2018 something happened to the internet: the GDPR came into force,
and suddenly users in the EU had a lot more rights over their digital privacy,
which is awesome. On the flip side, the implementation of the GDPR and the
procedures around it are very vague and were meant to be worked out as
we go along, with whatever emerges as best practice.
Books and talks have been written and given about data encryption, the problems
encountered with event-sourcing systems, questionnaires about the purposes of
collecting user data... So many words and hours of many lives spent...
Yet something has been overlooked, something so basic that we do not even notice it.
If you are working on an enterprise-class project or another large project,
you might have an infra team that deals with this and tells you what you need
to do to be secure (at least the good ones will).
But if you are working on smaller projects, and you have mom-and-pop shops
to support, you deserve the same level of security the bigger projects have...
I am talking about secrets and credentials management for your application, the most
overlooked aspect of any application.
This talk looks at secrets management and security from the business side of things and tries to give you actionable information on how to talk to your clients and bosses about this subject.

Vranac Srdjan

October 13, 2019
Transcript

  1. HELP THE HACKERS GET YOUR DATA @vranac - HackConf 2019

  2. WHOAMI Srdjan Vranac Founder/Team Lead @ Code4Hire Architecture/Software consultant I make developers uncomfortable and engineers happy

  3. WHOAMI

  4. HELP THE HACKERS GET YOUR DATA IF YOU WANT TO EXPERIENCE SOME VERY VERY VERY VERY VERY UNPLEASANT THINGS AND DEPENDING ON WHOSE DATA THEY GOT EVEN FACE JAIL TIME

  5. TOO MANY SECRETS

  6. SECURITY IS IMPORTANT M'KAY

  7. A good software engineer has technical skills, communication skills AND business skills — Antonio Peric-Mazar (Locastic CEO)

  8. Take off your developer's hat. Focus on the business goals, less on academics — David Cramer (Sentry CEO) from "Mastering Duct Tape", PyCon Balkan 2018

  9. COST AND SECURITY ARE AN AFTERTHOUGHT

  10. BY THINKING IN TERMS OF COST AND EXPENSES SECURITY STARTS TO CLIMB MORE AND MORE ON THE PRIORITY LIST

  11. LOW HANGING FRUIT


  13. DATA BREACHES EXPOSED 4.1 BILLION RECORDS IN FIRST SIX MONTHS OF 2019

  14. It's a s#&t show, but you front row — Lil Wayne, "Uproar"

  15. COMMON WAYS OF REVEALING YOUR SECRETS?

  16. MALICIOUS PARTY GAINING ACCESS TO YOUR INFRASTRUCTURE

  20. You don't store your users' passwords in your database, yet the access credentials to said database are written down in cleartext in a file on your server. Sounds familiar? — Andreas Heigl

  21. STORY TIME!

  22. LESSON IN CHAOS ENGINEERING

  23. HEY LOOK, IT'S GONE...

  24. LESSON IS ACTUALLY A MASTERCLASS

  25. AN EMAIL A DAY KEEPS THE CHAOS MONKEY AWAY

  26. SCORCHED EARTH POLICY


  28. ENVIRONMENT VARIABLES


  31. CONTAINERS!!!111


  33. DOCKER SECRETS!!!

  34. IF OPS TEAM ALLOWS THIS! PLEASE HAVE A TALK WITH THEM!

  35. CONSEQUENCES

  36. LIABILITY & CRIMINAL NEGLIGENCE


  38. CERTIFICATION

  39. SECRETS MANAGEMENT COST/DAMAGE CONTROL

  40. HOW CAN THIS SITUATION BE IMPROVED?

  41. SECRETS MANAGEMENT APPLICATIONS

  42. EASE OF SETUP AND OPERATION

  43. SECRET ROTATION

  44. DYNAMIC SECRETS {{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}

  45. ENCRYPTION IN TRANSPORT AND AT REST

  46. CHOICES OF BACKENDS

  47. COST

  48. Ansible Vault, Barbican, Chef Data Bags, Chef Vault, Citadel, Confidant, Configuration Storage Systems (Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz, Knox, Red October, Trousseau, Vault (Hashicorp)

  49. AWS SECRETS MANAGER

  50. EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION
    Cost dimensions:
    - 2 SSH keys per server and 5 database credentials per database.
    - 2 API calls per SSH key per day. 24 API calls per database credential per day.
    - 7 API calls per database credential per week to rotate credentials safely.
    15 secrets (2 SSH keys * 1 load balancer + 2 SSH keys * 2 web servers + 2 SSH keys * 2 app servers + 5 database credentials * 1 database) @ $0.40 / secret / month
    4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days + 5 database credentials * 1 database * 24 API calls/day * 30 days + 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05/10,000 calls
    $6.02 TOTAL (PER MONTH)

  51. EXAMPLE 2: USING EPHEMERAL SECRETS TO AUTHENTICATE MICROSERVICES
    Cost dimensions:
    - 5M secrets (each valid for 1 hour).
    - 2 API calls per secret per month.
    Note: Since these secrets are stored in Secrets Manager for an hour, the price per secret is calculated as $0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret / hour
    $2,800.00   5M secrets @ $0.00056 / secret / hour
    $50.00      10M API calls (5M secrets * 2 API calls) @ $0.05/10,000 calls
    $2,850.00   TOTAL (PER MONTH)
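The two cost examples above, worked through in code as an added example that is not from the talk or from AWS; the prices are the slide's figures, and since slide 50 lists 2 API calls per SSH key per day but its arithmetic uses 1, the code follows the arithmetic so the totals match the slides.

```python
"""Cost model behind slides 50 and 51 (AWS Secrets Manager pricing as quoted there).

Constructed worked example, not code from the talk or from AWS. Prices are the
slide's figures ($0.40 per secret per month, $0.05 per 10,000 API calls);
verify against current AWS pricing before quoting a number to a client.
"""
PRICE_PER_SECRET_MONTH = 0.40   # USD per stored secret per month
PRICE_PER_10K_CALLS = 0.05      # USD per 10,000 API calls
HOURS_PER_MONTH = 30 * 24       # the slides prorate on a 30-day month


def monthly_cost(secret_count, api_calls, price_per_secret=PRICE_PER_SECRET_MONTH):
    """Return the per-month bill broken down into its two components."""
    secret_cost = secret_count * price_per_secret
    api_cost = api_calls * PRICE_PER_10K_CALLS / 10_000
    return {"secrets": secret_count, "api_calls": api_calls, "secret_cost": secret_cost,
            "api_cost": api_cost, "total": secret_cost + api_cost}


def hourly_secret_rate():
    """Slide 51 prorates a one-hour secret as $0.40 * 1 h / (30 d * 24 h), rounded to $0.00056."""
    return round(PRICE_PER_SECRET_MONTH / HOURS_PER_MONTH, 5)


def example_1_web_app():
    """Slide 50: 1 load balancer + 2 web + 2 app servers with 2 SSH keys each; 1 database with 5 credentials."""
    servers, databases = 1 + 2 + 2, 1
    ssh_keys = 2 * servers                 # 10 secrets
    db_creds = 5 * databases               # 5 secrets
    api_calls = (ssh_keys * 1 * 30         # the slide's arithmetic uses 1 call per SSH key per day
                 + db_creds * 24 * 30      # 24 reads per database credential per day
                 + db_creds * 7 * 4)       # 7 calls per credential per week for safe rotation
    return monthly_cost(ssh_keys + db_creds, api_calls)


def example_2_microservices():
    """Slide 51: 5M one-hour secrets per month, 2 API calls each."""
    count = 5_000_000
    return monthly_cost(count, count * 2, price_per_secret=hourly_secret_rate())
```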
  52. HASHICORP VAULT

  53. GOOD FIT?

  54. SHAMIR'S SECRET SHARING ALGORITHM

  55. VAULT OPERATES EXCLUSIVELY IN A WHITELIST MODE

  56. EVERYTHING IS AWESOME? RIGHT?
    > sealing/unsealing
    > http calls
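Shamir's scheme (slide 54) is what turns the sealing/unsealing step on slide 56 into a multi-person operation: the key that unseals Vault is split into N shares of which any K reconstruct it and any K-1 reveal nothing. An added illustration, not Vault's own implementation; the prime field GF(2**127 - 1) is an assumption chosen so a 16-byte key fits.

```python
import secrets

PRIME = 2**127 - 1   # Mersenne prime used as the field; a 16-byte key always fits below it


def split(secret, shares, threshold):
    """Return `shares` points (x, f(x)) of a random degree threshold-1 polynomial with f(0) = secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Free coefficient is the secret; the rest are uniformly random, so any
    # threshold-1 shares are consistent with every possible secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, shares + 1)]


def combine(points):
    """Lagrange-interpolate f(0) from the points given (x values must be distinct).

    With fewer than `threshold` points this returns a value that is simply wrong,
    not an error: a share set below the threshold betrays nothing about the secret.
    """
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def unseal(submitted_shares, threshold):
    """Model the unseal step: nothing is reconstructed until `threshold` shares have been submitted."""
    if len(submitted_shares) < threshold:
        return None
    return combine(submitted_shares[:threshold])
```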
  57. HOW DOES IT ALL FIT TOGETHER:
    > vault token goes into config (ironic, I know)
    > token gets sent to the vault server, and client token is returned
    > only retrieval of secrets granted by the ACL assigned is possible
    > when lease on client token expires, vault token is used to obtain new one
  58. IN CASE OF BREACH:
    > your tripwire system is triggered
    > your files are downloaded (possibly config as well)
    > you remove server from public
    > you rotate the token generated
    > you update the config
    > you make server publicly available
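The token flow on slide 57 and the rotation step of slide 58, modelled as an added Python example that is not HashiCorp Vault's code or API: `FakeVault` is a constructed in-memory stand-in (policies as dicts rather than HCL, an injectable clock instead of real leases) so that the lease expiry, the whitelist ACL from slide 55 and the post-breach token rotation can be exercised offline.

```python
import secrets
import time

class FakeVault:
    def __init__(self, clock=time.time):
        self.clock, self.tokens = clock, {}              # token -> (policy name, expiry or None)
        self.policies = {"app": {"secret/app/db"}}      # whitelist: any path not listed is denied
        self.kv = {"secret/app/db": {"username": "app", "password": "constructed-pw"}}
    def issue(self, policy, ttl=None):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (policy, None if ttl is None else self.clock() + ttl)
        return tok
    def _policy_for(self, token):
        policy, expiry = self.tokens.get(token, (None, None))
        if policy is None or (expiry is not None and self.clock() >= expiry):
            raise PermissionError("token unknown, revoked or expired")
        return policy
    def login(self, config_token, ttl=300):
        """Slide 57: the token from the config buys a short-lived client token."""
        return self.issue(self._policy_for(config_token), ttl)
    def read(self, client_token, path):
        """Slide 55: only paths the policy explicitly lists can be read."""
        if path not in self.policies[self._policy_for(client_token)]:
            raise PermissionError(f"{path} not granted by policy")
        return self.kv[path]
    def revoke(self, token):
        self.tokens.pop(token, None)

class App:
    def __init__(self, vault, config_token):
        self.vault, self.config_token, self.client_token = vault, config_token, None

    def secret(self, path):
        """Use the cached client token; log in again once its lease has expired."""
        try:
            if self.client_token is None:
                raise PermissionError("no client token yet")
            return self.vault.read(self.client_token, path)
        except PermissionError:
            self.client_token = self.vault.login(self.config_token)
            return self.vault.read(self.client_token, path)

def rotate_after_breach(vault, app):
    """Slide 58: issue a fresh config token, revoke the leaked one, update the config."""
    leaked = app.config_token
    app.config_token = vault.issue("app")
    vault.revoke(leaked)
    app.client_token = None
    return leaked
```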
  59. BUT DO YOU USE SECRET MANAGEMENT ON EVERY PROJECT?
    > user data, maybe PII, maybe not? yes
    > any kind of sensitive data? yes
    > any kind of payments on the system? definitely yes

  60. FINAL WORDS

  61. average cost of a large data breach (in which more than one million records are lost) in 2018 was $3.9 MILLION DOLLARS

  62. THE END