Security Principles - PowerPoint PPT Presentation

Description: Aim and subject matter. Real world, industry examples. What you ... Pragmatism (Don't forget the ... Non-technical: empathy & pragmatism. Jack of all trades ...

Number of views: 43
Avg rating: 3.0/5.0
Slides: 21
Provided by: iank8
Transcript and Presenter's Notes

1
Security Principles
  • Ian Kayne

For School of Computer Science, University of Birmingham, 17th November 2008
2
Welcome
  • Introductions
  • Aim and subject matter
  • Real world, industry examples
  • What you would like to gain
  • QA at the end
  • NB: Some slides have been deleted from this version of the presentation.

3
The Basics
  • What is security?

4
The Basics
  • What is not security?
  • Why are firewalls, IDS, content scanners etc. not security?
  • A little hint

5
The Basics
  • The Sony PSP: ultimate security?
  • Closed platform
  • Proprietary hardware
  • Proprietary media (UMD), almost
  • Code signing
  • Tight controls on devkits

6
The Basics
  • Insecure!
  • Not just once, repeatedly over years
  • LibTIFF
  • Widely distributed library
  • Cross-platform security flaw
  • GTA: missing a culture of security
  • 3rd-party company: "It's only a game"

7
Culture
  • QA can't find flaws that aren't part of the normal user experience
  • One mistake cost millions?
  • Broke Sony's business model
  • Required new release of game firmware
  • Enabled piracy
  • End-user desire (homebrew) won

8
The Basics
  • What is security?
  • Process
  • Mindset
  • Buy-in from day one
  • Culture
  • Firewalls, IDS etc are tech enablers
  • Without a secure approach they're useless

9
The Basics
  • UK Government comparison: number of laptop / USB stick losses vs. proper hacks
  • Encryption is available but not used
  • Strong, clear guidelines ignored
  • Security is someone else's problem; putting CDs in the post is fine
  • Missing a culture of security

10
In The Real World
  • It's not that easy
  • Security is a balancing act
  • Security v cost
  • Security v delivery
  • Security v functionality
  • Security v corporate politics
  • Security v
  • Day 1 buy-in helps to mitigate

11
In The Real World
  • Security demands
  • Communication
  • Early Involvement
  • Empathy
  • Pragmatism
  • (Don't forget the technical skills!)
  • Most security teams/professionals don't sit in ivory towers

12
Pentesting
  • PENETRATION TESTING
  • (Finding holes in the security culture)

13
Pen Testing
  • Penetration Testing
  • Very different to consultancy
  • Not like the movies! Boring work/documentation
  • Requires
  • Wide knowledge and skill set
  • Experience
  • Ability to make logic leaps
  • Diligence, resolve, patience, lots of coffee
  • Pen-tester quality varies wildly
  • Not a pen-tester? Understand approach to evaluate.

14
Simple Design
  • Diagram: Internet -> External firewall -> Web server
15
SQL Injection
  • Occurs when unchecked input builds SQL queries
  • Search box input: pizza
  • Code builds SQL query: SELECT * FROM food WHERE type='pizza'
  • Search box input: pizza'; DROP DATABASE cafe; SELECT * FROM food WHERE type='pizza
  • Code builds SQL query: SELECT * FROM food WHERE type='pizza'; DROP DATABASE cafe; SELECT * FROM food WHERE type='pizza'

16
Pentesting
  • Impact
  • Site shut down
  • Reputation damage
  • Lost revenue
  • Lost customers / goodwill
  • Cost to resolve
  • In the USA? Full disclosure may be required.

17
Pentesting
  • Review
  • There is no security in client-side validation
  • All input must be validated
  • Don't allow data uploads without validation
  • Implement security controls correctly
  • IDS / content filtering
  • Firewall rules: no connect-out from web servers
  • Culture of security is most important
  • Not just "do it" but "do it properly / securely"
  • If the end user has control, there is no security

18
Doing the Job
  • Career path: use it to learn the principles
  • Why are the principles so important?
  • Expect unique systems / software
  • No courses on Widgets v1.0 security
  • Expect unusual problems
  • Expect unusual solutions
  • Expect issues outside your comfort zone

19
Doing the Job
  • Your mission, should you choose to accept it
  • 95% of the time it's (relatively) easy
  • Most attackers go for the easy score
  • The other 5% is hard: directed, technical attacks
  • Non-technical: empathy & pragmatism
  • Jack of all trades and master of some
  • Learn the principles, investigate the rest

20
Review
  • Thank you!
  • Questions
  • Comments
  • Items to review
  • Further study