Challenges of developing a good security solution



Challenges of developing a good security solution
Shuva Brata Deb, Consultant Software Engineer, EMC
Introduction
• Security landscape is ever evolving.
Attack vectors!
© Copyright 2015 EMC Corporation. All rights reserved.
2
Attack vector definition
• An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.
Cloud Computing Security complexities
https://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf
Mobile security
• 75,000 Android apps analyzed
– 68% required permission to send SMS
– 28% had access to SMS
– 36% accessed user location
– 46% accessed phone state (IMEI and SIM card information)
– 10% accessed the address book
– 4% checked the calendar
• Abuse of the Android permission model to gain access without permission
http://www.techworld.com/news/security/android-apps-ask-for-too-many-intrusive-permissions-zscaler-analysis-finds-3530714/
Insecure web applications
The Heartbleed Bug
• Steal
– Private keys on X.509 certs
– Usernames
– Passwords
– IMs
– Emails
– Documents
• March 2012 to April 2014
• Coding error.
• Only partial mitigation possible.
Heartbleed bug root cause
The heartbeat handler trusted the payload length supplied by the peer and never compared it with the length of the record actually received; the fix adds this bounds check before the payload is copied:
if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0; /* silently discard: the claimed payload does not fit in the record */
Full fix: https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9a3#diff-2
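The check in context, as an added example that is not OpenSSL's code: a small heartbeat parser in C that applies the bounds check the fix introduced, run over two constructed records (the function name, the record layout following RFC 6520 and the sample bytes are assumptions).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message body (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Copy the heartbeat payload out of a received record of rec_len bytes.
 * Returns the payload length, or -1 if the message is rejected.
 * The second check is the one the Heartbleed fix introduced: the vulnerable
 * code trusted payload_length from the wire and copied that many bytes
 * whatever the record's real size, so a short record with a large claimed
 * length returned heap memory lying beyond the record. */
int heartbeat_payload(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (HB_HDR_LEN + HB_MIN_PADDING > rec_len)           /* no room for a message */
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];     /* peer-supplied length */
    if (HB_HDR_LEN + payload + HB_MIN_PADDING > rec_len) /* must fit in the record */
        return -1;
    if (payload > out_cap)                               /* respect our own buffer */
        return -1;
    memcpy(out, rec + HB_HDR_LEN, payload);
    return (int)payload;
}

/* Constructed sample records (not captured traffic): a well-formed request
 * carrying "hello", and one whose header claims a 65535-byte payload while
 * the record holds only 5 payload bytes plus padding. */
static const uint8_t good_rec[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t bad_rec[] = {
    0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    uint8_t buf[64];
    int n = heartbeat_payload(good_rec, sizeof good_rec, buf, sizeof buf);
    printf("well-formed record: %d payload bytes\n", n);
    n = heartbeat_payload(bad_rec, sizeof bad_rec, buf, sizeof buf);
    printf("oversized claim: %s\n", n < 0 ? "discarded" : "accepted");
    return 0;
}
```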
APT: Advanced Persistent Threat
• Advanced
– Sophisticated techniques
– Exploit multiple 0-days
– Multiple hacking tools used
– Targets orgs/nations
– Business/political motives
– Custom made attack
– Well funded
– Motivated
– Multi person job
• Persistent
– Continuous monitoring
– Extracting data
– Undetectable
– Looks normal on surface
– Low and slow
– Attackers are guided by external entities
STUXNET, the World’s First Digital Weapon
Image: http://www.wired.com/wp-content/uploads/2014/11/Ahmadinejad-at-Natanz.jpg
Image: http://www.wired.com/wp-content/uploads/2014/11/stuxnet.png
Security Domains; ISC2 view
• Access Control
• Telecom & Network
• Governance and Risk Mgmt
• Software Development Security
• Security Architecture & Design
• Cryptography
• Operations Security
• Business Continuity & DR
• Legal Regulations & Compliance
• Physical Security
Security domains; Software solution’s view
• Privacy
• Data Loss Prevention
• Big data analytics in Security
• Identity and Authentication
• Malware
• Advanced Persistent Threats
• Network Security
• Forensics
• Packet and Log analysis
• Cyber fraud
Security Development Lifecycle
Security Engineering Focus
SDL Resources
The IEEE Computer Society Center for Secure Design
Sadosky Foundation, Twitter, Cigital, RSA, Google, University of Washington, George Washington University, Cigital, McAfee (part of Intel Security Group), Harvard University, Athens University of Economics and Business, EMC, HP
http://cybersecurity.ieee.org/center-for-secure-design.html
A simple casting problem … that led to …
…
horizontal_veloc_sensor: float;      -- float = 64 bit
horizontal_veloc_bias: integer;      -- integer = 16 bit (max 32767)
begin
  sensor_get(horizontal_veloc_sensor);
  horizontal_veloc_bias := integer(horizontal_veloc_sensor);   -- unchecked narrowing conversion
  ...
exception
  when numeric_error => calculate_vertical_veloc();
  when others => use_irs1();
end;
Cost: Rs 46,000 crores
Ariane 5 Flight 501, June 4, 1996
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.