Security Principles

1
Security Principles

• Ian Kayne

For School of Computer Science, University of
Birmingham 17th November 2008
2
Welcome

• Introductions
• Aim and subject matter
• Real world, industry examples
• What you would like to gain
• QA at the end
• NB Some slides have been deleted from this
  version of the presentation.

3
The Basics

• What is security?

4
The Basics

• What is not security?
• Why are firewalls, IDS, content scanners etc not
  security?
• A little hint

5
The Basics

• The Sony PSP ultimate security?
• Closed platform
• Proprietary hardware
• Proprietary media (UMD) almost
• Code signing
• Tight controls on devkits

6
The Basics

• Insecure!
• Not just once, repeatedly over years
• LibTIFF
• Widely distributed library
• Cross-platform security flaw
• GTA missing a culture of security
• 3rd party company Its only a game

7
Culture

• QA cant find flaws that arent normal user
  experience
• One mistake cost millions?
• Broke Sonys business model
• Required new release of game firmware
• Enabled piracy
• End-user desire (homebrew) won

8
The Basics

• What is security?
• Process
• Mindset
• Buy-in from day one
• Culture
• Firewalls, IDS etc are tech enablers
• Without a secure approach theyre useless

9
The Basics

• UK Government ComparisonNumber of laptop USB
  stick losses v proper hacks
• Encryption is available but not used
• Strong, clear guidelines ignored
• Security someone elses problem, putting CDs
  in the post is fine
• Missing a culture of security

10
In The Real World

• Its not that easy
• Security is a balancing act
• Security v cost
• Security v delivery
• Security v functionality
• Security v corporate politics
• Security v
• Day 1 buy-in helps to mitigate

11
In The Real World

• Security demands
• Communication
• Early Involvement
• Empathy
• Pragmatism
• (Dont forget the technical skills!)
• Most security teams/professionals dont sit in
  ivory towers

12
Pentesting

• PENETRATION TESTING
• (Finding holes in the security culture)

13
Pen Testing

• Penetration Testing
• Very different to consultancy
• Not like the movies! Boring work/documentation
• Requires
• Wide knowledge and skill set
• Experience
• Ability to make logic leaps
• Diligence, resolve, patience, lots of coffee
• Pen-tester quality varies wildly
• Not a pen-tester? Understand approach to evaluate.

14
Simple Design
Internet
External firewall
Web server
15
SQL Injection

• Occurs when unchecked input builds SQL queries
• Search box input
• pizza
• Code builds SQL querySELECT FROM food WHERE
  typepizza
• Search box input
• pizza DROP DATABASE cafeSELECT FROM food
  WHERE typepizza
• Code builds SQL querySELECT FROM food WHERE
  typepizza DROP DATABASE cafeSELECT FROM
  food WHERE typepizza

16
Pentesting

• Impact
• Site shut down
• Reputation damage
• Lost revenue
• Lost customers / goodwill
• Cost to resolve
• In the USA? Full disclosure may be required.

17
Pentesting

• Review
• There is no security in client-side validation
• All input must be validated
• Dont allow data uploads without validation
• Implement security controls correctly
• IDS Content filtering
• Firewall rules no connect out from web servers
• Culture of security is most important
• Not just do it but do it properly securely
• If the end user has control, there is no security

18
Doing the Job

• Career path use it to learn the principles
• Why are the principles so important?
• Expect unique systems software
• No courses on Widgets v1.0 security
• Expect unusual problems
• Expect unusual solutions
• Expect issues outside your comfort zone

19
Doing the Job

• Your mission, should you choose to accept it
• 95 of the time its (relatively) easy
• Most attackers go for the easy score
• The other 5 is hard directed, tech attacks
• Non-technical empathy pragmatism
• Jack of all trades and master of some
• Learn the principles, investigate the rest

20
Review

• Thank you!
• Questions
• Comments
• Items to review
• Further study