This presentation delves into security principles and real-world examples, emphasizing the importance of a security culture. Learn about pentesting, SQL injection, and the impacts of security breaches. Discover the significance of career paths in cybersecurity and the need to prioritize security in all aspects of technology. Gain valuable insights and strategies for implementing secure practices in today's digital landscape.
Security Principles
Ian Kayne
For School of Computer Science, University of Birmingham
17th November 2008
Welcome
• Introductions
• Aim and subject matter
• Real world, industry examples
• What you would like to gain
• Q&A at the end
NB: Some slides have been deleted from this version of the presentation.
The Basics
What is security?
The Basics
• What is not security?
• Why are firewalls, IDS, content scanners etc. not security?
• A little hint:
The Basics
• The Sony PSP – ultimate security?
• Closed platform
• Proprietary hardware
• Proprietary media (UMD) – “almost”
• Code signing
• Tight controls on devkits
The Basics
• Insecure!
• Not just once, repeatedly over years
• LibTIFF
• Widely distributed library
• Cross-platform security flaw
• GTA – missing a culture of security
• 3rd party company: “It’s only a game”
Culture
• QA can’t find flaws that aren’t part of the normal user experience
• One mistake cost £millions?
• Broke Sony’s business model
• Required new release of game & firmware
• Enabled piracy
• End-user desire (homebrew) won
The Basics
• What is security?
• Process
• Mindset
• Buy-in from day one
• Culture
• Firewalls, IDS etc. are tech enablers
• Without a secure approach they’re useless
The Basics
• UK Government comparison: number of laptop & USB stick losses –v– “proper hacks”
• Encryption is available but not used
• Strong, clear guidelines ignored
• Security: “someone else’s problem”, putting CDs in the post is fine
• Missing a culture of security
In The Real World
• It’s not that easy
• Security is a balancing act:
• Security –v– cost
• Security –v– delivery
• Security –v– functionality
• Security –v– corporate politics
• Security –v– …………
• Day 1 buy-in helps to mitigate
In The Real World
• Security demands:
• Communication
• Early involvement
• Empathy
• Pragmatism
• (Don’t forget the technical skills!)
• Most security teams/professionals don’t sit in ivory towers
Pentesting
PENETRATION TESTING (Finding holes in the security culture)
Pen Testing
• Penetration Testing
• Very different to consultancy
• Not like the movies! Boring work/documentation
• Requires:
• Wide knowledge and skill set
• Experience
• Ability to make logic leaps
• Diligence, resolve, patience, lots of coffee
• Pen-tester quality varies wildly
• Not a pen-tester? Understand the approach so you can evaluate one.
Simple Design (network diagram; components labelled: Internet, External firewall, Proxy appliance, Web tier firewall, Web server, App tier firewall, Database server)
SQL Injection
• Occurs when unchecked input builds SQL queries
• Search box input: pizza
• Code builds SQL query: SELECT * FROM food WHERE type='pizza';
• Search box input: pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza
• Code builds SQL query: SELECT * FROM food WHERE type='pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza';
Pentesting
• Impact
• Site shut down
• Reputation damage
• Lost revenue
• Lost customers / goodwill
• Cost to resolve
• In the USA? Full disclosure may be required.
Pentesting
• Review:
• There is no security in client-side validation
• All input must be validated
• Don’t allow data uploads without validation
• Implement security controls correctly
• IDS & content filtering
• Firewall rules – no connect out from web servers
• Culture of security is most important
• Not just “do it” but “do it properly & securely”
• If the end user has control, there is no security
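The search-box case from the SQL Injection slide and the review point that all input must be validated server-side, worked through as an added example (Python with the standard-library sqlite3 module; this is not code from the original slides). The food table, its rows and the validate_search_term allow-list rule are constructed for the demo; the injected input is the one shown on the slide. The unsafe builder is only used to inspect the SQL text it would produce, while the hardened path binds the value as a parameter and, as a second layer, rejects anything outside the allow-list before it reaches the database.

```python
import re
import sqlite3


def make_db():
    # Constructed sample schema and rows for the demo (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE food (name TEXT, type TEXT)")
    conn.executemany(
        "INSERT INTO food VALUES (?, ?)",
        [("margherita", "pizza"), ("pepperoni", "pizza"), ("caesar", "salad")],
    )
    return conn


def build_query_unsafe(search_term):
    # The slide's vulnerable pattern: the search-box text is spliced into the
    # SQL text, so a quote in the input closes the literal and everything after
    # it is parsed as SQL. Only the resulting string is inspected here.
    return "SELECT * FROM food WHERE type='" + search_term + "';"


def validate_search_term(search_term):
    # Server-side allow-list (a constructed rule for this demo): a food type is
    # letters and spaces, 1 to 40 characters. This must live on the server;
    # a client-side check can be bypassed because the client is under the
    # user's control.
    return re.fullmatch(r"[A-Za-z ]{1,40}", search_term) is not None


def search_parameterized(conn, search_term):
    # The statement text is fixed and the value travels as a bound parameter,
    # so the engine compares it as data and never interprets it as SQL,
    # whatever quotes or semicolons it contains.
    rows = conn.execute(
        "SELECT name FROM food WHERE type = ? ORDER BY name", (search_term,)
    ).fetchall()
    return [name for (name,) in rows]


def search_hardened(conn, search_term):
    # Both layers together: reject out-of-policy input, then query safely.
    if not validate_search_term(search_term):
        return None  # caller reports "invalid search" instead of running SQL
    return search_parameterized(conn, search_term)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM food").fetchone()[0]


BENIGN = "pizza"
# The injected search-box input exactly as shown on the slide.
INJECTED = "pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza"

if __name__ == "__main__":
    conn = make_db()
    print("unsafe build   :", build_query_unsafe(INJECTED))
    print("parameterized  :", search_parameterized(conn, INJECTED))
    print("hardened       :", search_hardened(conn, INJECTED))
    print("benign search  :", search_hardened(conn, BENIGN))
    print("rows still here:", row_count(conn))
```

Running it prints the two-statement string the slide describes for the unsafe builder, an empty result for the parameterized query (the whole payload is compared as one literal type value that matches nothing), a rejection from the allow-list, the two pizzas for the benign search, and an unchanged row count.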
Doing the Job
• Career path – use it to learn the principles
• Why are the principles so important?
• Expect unique systems & software
• No courses on “Widgets v1.0 security”
• Expect unusual problems
• Expect unusual solutions
• Expect issues outside your comfort zone
Doing the Job
• Your mission, should you choose to accept it…
• 95% of the time it’s (relatively) easy
• Most attackers go for the easy score
• The other 5% is hard – directed, technical attacks
• Non-technical: empathy & pragmatism
• Jack of all trades and master of some
• Learn the principles, investigate the rest
Review
• Thank you!
• Questions
• Comments
• Items to review
• Further study