Help the hackers get your data

HELP THE HACKERS GET YOUR DATA
@vranac - HackConf 2019

View Slide

WHOAMI
Srdjan Vranac
Founder/Team Lead @ Code4Hire
Architecture/Software consultant
I make developers uncomfortable and engineers happy
2 — @vranac - HackConf 2019

View Slide

WHOAMI

View Slide

HELP THE HACKERS GET YOUR DATA
IF YOU WANT TO EXPERIENCE SOME
VERY VERY VERY VERY VERY
UNPLEASANT THINGS AND DEPENDING
ON WHOSE DATA THEY GOT EVEN FACE
JAIL TIME

View Slide

TOO MANY SECRETS

View Slide

SECURITY IS IMPORTANT
M'KAY

View Slide

Good software engineer has
technical skills,
communications skills
AND business skills
— Antonio Peric-Mazar (Locastic CEO)

View Slide

Take off your developers hat
Focus on the business goals
less on academics
— David Cramer (Sentry CEO)
from "Mastering Duct Tape" PyCon balkan 2018

View Slide

COST AND SECURITY
ARE
AFTERTHOUGHT

View Slide

BY THINKING IN TERMS OF
COST AND EXPENSES
SECURITY STARTS TO
CLIMB MORE AND MORE ON
THE PRIORITY LIST

View Slide

LOW HANGING FRUIT

View Slide


View Slide

DATA BREACHES EXPOSED
4.1 BILLION RECORDS
IN FIRST SIX MONTHS OF
2019

View Slide

It's a s#&t show,
but you front row
— Lil Wayne, "Uproar"

View Slide

COMMON WAYS OF
REVEALING YOUR
SECRETS?

View Slide

MALICIOUS PARTY
GAINING ACCESS TO YOUR
INFRASTRUCTURE

View Slide


View Slide

You don't store your users passwords in your database,
yet the access-credentials to said database are written
down in cleartext in a file on your server. Sounds
familiar?
— Andreas Heigl

View Slide

STORY TIME!

View Slide

LESSON IN CHAOS
ENGINEERING

View Slide

HEY LOOK, IT'S GONE...

View Slide

LESSON IS ACTUALLY A
MASTERCLASS

View Slide

AN EMAIL A DAY KEEPS
THE CHAOS MONKEY AWAY

View Slide

SCORCHED EARTH POLICY

View Slide


View Slide

ENVIRONMENT VARIABLES

View Slide


View Slide

CONTAINERS!!!111

View Slide


View Slide

DOCKER SECRETS!!!

View Slide

IF OPS TEAM ALLOWS THIS!
PLEASE HAVE A TALK WITH THEM!

View Slide

CONSEQUENCES

View Slide

LIABILITY
&
CRIMINAL NEGLIGENCE

View Slide


View Slide

CERTIFICATION

View Slide

SECRETS MANAGEMENT
COST/DAMAGE CONTROL

View Slide

HOW CAN THIS SITUATION
BE IMPROVED?

View Slide

SECRETS MANAGEMENT
APPLICATIONS

View Slide

EASE OF SETUP AND
OPERATION

View Slide

SECRET ROTATION

View Slide

DYNAMIC SECRETS
{{ USERNAME }}:{{ password }}@tcp({{ mysql_server }}:3306)/{{ DATABASE }}

View Slide

ENCRYPTION
IN TRANSPORT AND AT
REST

View Slide

CHOICES OF BACKENDS

View Slide

COST

View Slide

Ansible Vault, Barbican, Chef Data Bags, Chef Vault,
Citadel, Confidant, Configuration Storage Systems
(Consul, etcd, Zookeeper), Conjur, Crypt, EJSON, Keywhiz,
Knox, Red October, Trousseau, Vault (Hashicorp)

View Slide

AWS SECRETS MANAGER

View Slide

EXAMPLE 1: PRODUCTION-SCALE WEB APPLICATION
Cost Dimensions
- 2 SSH keys per server and 5 database credentials per database.
- 2 API calls per SSH key per day. 24 API calls per database credential per day.
- 7 API calls per database credential per week to rotate credentials safely.
15 secrets (2 SSH keys * 1 load balancer
+ 2 SSH keys * 2 web servers
+ 2 SSH keys * 2 app servers
+ 5 database credentials * 1 database)
@ $0.40 / secret / month
4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days
+ 5 database credentials * 1 database * 24 API calls/day * 30 days
+ 5 database credentials * 1 database * 7 API calls/week * 4 weeks) @ $0.05/10,000 calls
$6.02 TOTAL (PER MONTH)

View Slide

EXAMPLE 2: USING EPHEMERAL SECRETS TO
AUTHENTICATE MICRO SERVICES
Cost Dimensions
5M secrets (each valid for 1 hour).
2 API calls per secret per month.
Note: Since these secrets are stored in Secrets Manager for an hour,
the price per secret is calculated as
$0.40 * 1 hour / (30 days * 24 hours) = $0.00056 / secret/ hour
$2,800.00 5M secrets @ $0.00056 / secret/ hour
$50.00 10M API calls (5M secret * 2 API calls) @ $0.05/10,000 calls
$2,850.00 TOTAL (PER MONTH)

View Slide

HASHICORP VAULT

View Slide

GOOD FIT?

View Slide

SHAMIR'S SECRET
SHARING ALGORITHM

View Slide

VAULT OPERATES
EXCLUSIVELY IN A
WHITELIST MODE

View Slide

EVERYTHING IS AWESOME? RIGHT?
> sealing/unsealing
> http calls

View Slide

HOW DOES IT ALL FIT TOGETHER:
> vault token goes into config (ironic, I know)
> token gets sent to the vault server, and client token is
returned
> only retrieval of secrets granted by the ACL assigned is
possible
> when lease on client token expires, vault token is used
to obtain new one

View Slide

IN CASE OF BREACH:
> your tripwire system is triggered
> your files are downloaded (possibly config as well)
> you remove server from public
> you rotate the token generated
> you update the config
> you make server publicly available

View Slide

BUT DO YOU USE SECRET MANAGEMENT ON EVERY
PROJECT?
> user data, maybe PII, maybe not? yes
> any kind of sensitive data? yes
> any kind of payments on the system? definitely yes

View Slide

FINAL WORDS

View Slide

average cost of a large data breach (in which more than
one million records are lost) in 2018 was
$3.9 MILLION DOLLARS

View Slide

THE END

View Slide

Help the hackers get your data

Help the hackers get your data

Vranac Srdjan

More Decks by Vranac Srdjan

Other Decks in Programming

Featured

Transcript