
Security Principles

Security Principles. Ian Kayne, for the School of Computer Science, University of Birmingham, 17th November 2008. Welcome: introductions; aim and subject matter; real world, industry examples; what you would like to gain; Q&A at the end.





Presentation Transcript


  1. Security Principles Ian Kayne For School of Computer Science, University of Birmingham 17th November 2008

  2. Welcome • Introductions • Aim and subject matter • Real world, industry examples • What you would like to gain • Q&A at the end NB: Some slides have been deleted from this version of the presentation.

  3. The Basics What is security?

  4. The Basics • What is not security? • Why are firewalls, IDS, content scanners etc not security? • A little hint:

  5. The Basics • The Sony PSP – ultimate security? • Closed platform • Proprietary hardware • Proprietary media (UMD) – “almost” • Code signing • Tight controls on devkits

  6. The Basics • Insecure! • Not just once, repeatedly over years • LibTIFF • Widely distributed library • Cross-platform security flaw • GTA – missing a culture of security • 3rd party company: “It’s only a game”

  7. Culture • QA can’t find flaws that aren’t normal user experience • One mistake cost £millions? • Broke Sony’s business model • Required new release of game & firmware • Enabled piracy • End-user desire (homebrew) won

  8. The Basics • What is security? • Process • Mindset • Buy-in from day one • Culture • Firewalls, IDS etc are tech enablers • Without a secure approach they’re useless

  9. The Basics • UK Government Comparison: Number of laptop & USB stick losses –v– “proper hacks” • Encryption is available but not used • Strong, clear guidelines ignored • Security: “someone else’s problem”, putting CDs in the post is fine • Missing a culture of security

  10. In The Real World • It’s not that easy • Security is a balancing act: • Security –v– cost • Security –v– delivery • Security –v– functionality • Security –v– corporate politics • Security –v– ………… • Day 1 buy-in helps to mitigate

  11. In The Real World • Security demands: • Communication • Early Involvement • Empathy • Pragmatism • (Don’t forget the technical skills!) • Most security teams/professionals don’t sit in ivory towers

  12. Pentesting PENETRATION TESTING (Finding holes in the security culture)

  13. Pen Testing • Penetration Testing • Very different to consultancy • Not like the movies! Boring work/documentation • Requires • Wide knowledge and skill set • Experience • Ability to make logic leaps • Diligence, resolve, patience, lots of coffee • Pen-tester quality varies wildly • Not a pen-tester? Understand approach to evaluate.

  14. Simple Design (network diagram; components shown: Internet, External firewall, Proxy appliance, Web tier firewall, Web server, App tier firewall, Database server)

  15. SQL Injection • Occurs when unchecked input builds SQL queries • Search box input: pizza • Code builds SQL query: SELECT * FROM food WHERE type='pizza'; • Search box input: pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza • Code builds SQL query: SELECT * FROM food WHERE type='pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza';
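The slide's string-built query beside the parameterised form that fixes it, as an added example (not code from the talk); the in-memory `food` table and its rows are constructed here, and `statement_count` is a hypothetical helper that only shows how the injected text turns one statement into three:

```python
import sqlite3

# Constructed sample data standing in for the slide's "cafe" database.
SAMPLE_ROWS = [("pizza", "margherita"), ("pizza", "pepperoni"), ("pasta", "carbonara")]

# The search-box input from the slide, verbatim.
SLIDE_PAYLOAD = "pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza"


def make_db() -> sqlite3.Connection:
    """Build an in-memory 'food' table holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE food (type TEXT, name TEXT)")
    conn.executemany("INSERT INTO food VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(search_term: str) -> str:
    """The pattern the slide describes: user input is spliced into the SQL text.
    Returns the text only, so the reader can see where the quoting breaks."""
    return f"SELECT * FROM food WHERE type='{search_term}';"


def statement_count(sql: str) -> int:
    """Hypothetical helper: count statement terminators outside single-quoted
    strings. One means the input stayed data; more means it became SQL."""
    count, in_str = 0, False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        elif ch == ";" and not in_str:
            count += 1
    return count


def search_safe(conn: sqlite3.Connection, search_term: str) -> list:
    """The fix: a parameterised query. The driver binds the term as a value, so
    quotes and semicolons inside it can never change the statement."""
    cur = conn.execute("SELECT type, name FROM food WHERE type = ?", (search_term,))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(SLIDE_PAYLOAD), "->", statement_count(build_query_unsafe(SLIDE_PAYLOAD)), "statements")
    print("parameterised search for payload:", search_safe(db, SLIDE_PAYLOAD))
```

The same check on the benign input `pizza` yields one statement, and the parameterised search for the injection payload returns no rows because no row has that literal string as its type.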

  16. Pentesting • Impact • Site shut down • Reputation damage • Lost revenue • Lost customers / goodwill • Cost to resolve • In the USA? Full disclosure may be required.

  17. Pentesting • Review: • There is no security in client-side validation • All input must be validated • Don’t allow data uploads without validation • Implement security controls correctly • IDS & Content filtering • Firewall rules – no connect out from web servers • Culture of security is most important • Not just “do it” but “do it properly & securely” • If the end user has control, there is no security

  18. Doing the Job • Career path – use it to learn the principles • Why are the principles so important? • Expect unique systems & software • No courses on “Widgets v1.0 security” • Expect unusual problems • Expect unusual solutions • Expect issues outside your comfort zone

  19. Doing the Job • Your mission, should you choose to accept it… • 95% of the time it’s (relatively) easy • Most attackers go for the easy score • The other 5% is hard – directed, tech attacks • Non-technical: empathy & pragmatism • Jack of all trades and master of some • Learn the principles, investigate the rest

  20. Review • Thank you! • Questions • Comments • Items to review • Further study
