cyber security webinar 6 - how to build systems that resist attacks?
TRANSCRIPT
1
BUILDING SECURE SYSTEMSHow to build systems that resist attacks
CYBER SECURITYWEBINAR PART 6JARNO NIEMELÄ F-SECURE3th of December 2015
CYBER SECURITY WEBINAR SERIES - PART 6
© F-Secure2
• INTRODUCTION TO CYBERSECURITY • DEFENDING WORKSTATIONS• DEFENDING SERVERS• DEFENDING NETWORKS• RESPONDING TO AN INCIDENT• BUILDING SECURE SYSTEMS NOW
RECORDINGS: HTTPS://BUSINESS.F-SECURE.COM
3
BUILDING SECURE
SYSTEMSJARNO NIEMELÄ
SENIOR RESEARCHERF-SECURE
There Are No Perfect Systems
It is impossible to build a system that would not have any flaws
But you can build systems that are very difficult to break Security as a Core requirement Security and software architecture Use safe programming practices and OS capabilities Make sure also security is tested Isolate each process using sandboxes or other virtualization Avoid processing clear text data Use ready code, but keep track of the security status of all third party libraries you use Audit your code either internally or use a consultant
© F-Secure4
Security as a Core requirement
You get what you ask for, and have in contract No matter whether it is internal development or contractor This means that security has to be in RFPs and system requirements Otherwise development will self optimize, which is to do as little as possible
Security goals and targets have to be a part of the process Have security as part of your request for proposals when ordering software And have it in the requirements documentation when developing in-house Microsoft Software Development Life Cycle https://www.microsoft.com/en-us/sdl/
The earlier you plan security in, the cheaper it will be in the long run
© F-Secure5
Security And Software Architecture
There are many similarities between software and building architecture Fixing security problems when software is in production is 60 times more expensive
than preventing it at design stage Soo Hoo K, Sudbury AW, & Jaquith AR, Secure Business Quarterly, 5 pp, Q2 2001
Modularization is the core of good and secure architecture Isolate functions into their own modules
Make sure each module has only the access that it needs
Do security and threat modeling Think how your system can be attacked, and how you could mitigate those vectors
© F-Secure6
Security Standards
One way to get security in software is to follow some security standards ISO27k standards http://www.iso27001security.com/
PCI-DSS https://www.pcisecuritystandards.org/security_standards/
Common Criteria https://www.commoncriteriaportal.org/cc/
However merely following a standard does not guarantee security Standards are at the same time very extensive, and too high level
This means that following f.ex ISO standards is useful, and some customers require it
Especially large contracts require an audit that a standard is followed
But no standard can really ensure implementation quality
© F-Secure7
Use Safe ProgrammingFavor safe languages for the task at hand
C# over C++, Java over Python, Python over PHP or Perl
Haskell and Rust have better built in safety, but it’s difficult to find programmers
Make sure programmers have safe programming training
Follow security best practices for the language your company uses https://www.owasp.org/ https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards
Enable every security option provided by the OS and compiler DEP, ASLR, GS, SafeSEH, etc https://msdn.microsoft.com/en-us/library/k3a3hzw7.aspx
© F-Secure8
Treat Incoming Data With Caution
Most vulnerabilities are essentially data input problems Attacker was able to feed data that the programmer was not expecting
Thus all incoming data needs to be treated with caution Any code reading and handling data needs to be carefully reviewed
Filter out any data that you do not need
Example: Barcode readers are basically USB keyboards that read barcode The input is read and transmitted as keypresses over USB
Unless the receiver program filters input, the attacker can execute code with barcode
© F-Secure9
http://www.slideshare.net/PacSecJP/hyperchem-ma-badbarcode-en1109nocommentfinal
Make Sure That Security Is Tested
Testing very easily focuses only on verifying that a program works correctly Security testing tries to break software in ways never seen in real use
Use static and runtime code analysis tools to find out potential vulnerabilities https://www.owasp.org/index.php/Static_Code_Analysis
Use fuzzing analysis to find crashes and vulnerabilities https://www.owasp.org/index.php/Fuzzing http://lcamtuf.coredump.cx/afl/
Read hacking books for your environment, and try the methods on your software
© F-Secure10
Sandbox Every ProcessIt is very likely that an attacker will find an exploitable vulnerability
But that does not need to be the end of the world
Use sandboxing or app virtualization techniques to isolate every component For Linux use AppArmor, Grsecurity, TOMOYO For Windows use access control to run process with minimum privileges
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374860(v=vs.85).aspx Or use Chromium sandbox https://www.chromium.org/developers/design-documents/sandbox/ Windows Server 2016 container model also looks very promising
Once code runs in a sandbox you can control access to every resource Allow only what the code needs, deny everything else
© F-Secure11
Avoid Processing Clear TextStore only data that you need
In recent data leaks there has been a ton of data that should have been deleted
Hash information where the original data is not needed Hash both user name and password, have cleartext username in memory not in DB Use slow key derivation functions (PBKDF2, Scrypt, Bcrypt) with >1M iterations
Do not communicate cleartext data to frontend In most of cases it’s the frontend that gets compromised Isolate data behind API, encrypt data coming to frontend with users password Thus if attacker is able to compromise frontend, he cannot use the data without PW
© F-Secure12
Use Libraries Where PossibleThe less your team has to code the less there is to fix
Use public libraries when there are good options available
Especially avoid writing own crypto (unless you have real experts, that is)
However be aware of the security history of the code you use How many known vulnerabilities there have been in the past?
What is the impression they give of code quality, were they beginner mistakes?
How quick was the patch provided after a vulnerability was found
Know where to get updates and take them into use as soon as possible
© F-Secure13
Sign Your CodeUse digital signatures for every binary, and verify signatures
Update tampering attacks are trivial if updates are not verified
Thus you need to verify that code is signed, and pin to CA certificate
Digital signature verification protects also against viruses, tampering and cracking
But do make sure that you store code signing cert securely
Digital signatures help to avoid AV false alarms Some vendors trust signatures blindly, which is not good but useful for SW dev
Others use signatures to build reputation, and trust well known signatures
© F-Secure14
Audit Your CodePerform internal or external audits on your code
Audit does not guarantee quality, but it helps to maintain it
Make sure that audit discoveries lead to improvements
But an audit at end of the project is a very expensive way to get quality Focus on programmer education and constant improvement
Whenever there is a problem, do root cause analysis and learn from it
Encourage environment that promotes professional engineering
© F-Secure15
ConclusionsSecurity is not about following some standard
Although standards do help a lot
Security is about doing things right Make sure security is a part of requirements
Make sure security is a core requirement in architecture
Make sure software production is done with security in mind
Isolate every component as well as possible
Test your software, not only that it works, but try to attack it
Be reachable when someone wants to report a security bug
© F-Secure16
THANK YOU FOR YOUR PARTICIPATION!
17
The Recording will be available at the BUSINESS SECURITY INSIDER
https://business.f-secure.com/https://business.f-secure.com