Security Hardening and Drown Attack Prevention for Mobile Backend Developers
6.6.2016 Jiří Danihelka
IT Security
The high-level objectives of any IT Security activity are:
Confidentiality
Integrity
Availability
Customer requirements
Customers expect a high degree of IT Security; it is a basic requirement.
IT security breaches may have a very negative impact on the customer's reputation.
More and more of our customers will expect you to have formal IT processes for development, operations and security.
IT Security approach
Objective: to meet the top-level IT Security objectives appropriate to the customer's needs with a reasonable, optimal effort
Well-defined, lightweight IT Security process
Consistent application of the IT Security process over time:
Everybody is concerned
Top-down: clear policy and instructions
Bottom-up: contributions
Key chapters of the IT Security Policy
Generic sysadmin «good practice»: passwords, access rights, starters/leavers, physical and remote access
Backup, Recovery and Disaster Recovery/Business Continuity
Risk Management
Security Incident Management
Security in the Software Development Lifecycle:
Segregation of Environment, Data and Duties
Secure Coding
Quality Assurance and Vulnerability Testing
Source Code Management (CI/CD)
Security Hardening
Security Layers
There is no such thing as 100% security. We need security in multiple layers in case something fails.
Security layers
Automatic deployment accounts work with permissions restricted to the installation directories (they cannot change the operating system)
Stricter firewall rules: critical internal servers are not reachable from outside
Server hosting in a highly secure environment; databases are encrypted
Use cloud services
DROWN SSL Vulnerability
DROWN server vulnerability
Cross-protocol attack: the attacker misuses the deprecated SSLv2 protocol to gain information about the encryption key
The obtained information is then used to attack the modern TLS security protocol
DROWN attack: possible scenarios
More reasons why to disable SSL protocols
Insecure protocols can be decrypted using sniffing
More reasons why to disable SSL protocols
An attacker in the middle can disable secure protocols
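Added example, not from the slides: a Python server-side TLS configuration that refuses the legacy protocols the slides recommend disabling, plus an audit function that reports which legacy versions a given ssl.SSLContext would still accept. It goes a little beyond the slides in that it also switches off TLS 1.0 and TLS 1.1, which are disabled the same way as SSLv2/SSLv3. The function names are mine, certificate loading is assumed to be done by the caller, and the "weak" context is constructed only for contrast.

```python
"""Added example (not from the slides): build a server-side TLS context that
refuses SSLv2/SSLv3/TLS 1.0/TLS 1.1, and audit any ssl.SSLContext for legacy
protocol versions it would still accept."""
from __future__ import annotations

import ssl
import warnings

# Legacy protocol versions to keep off, each with the wire version number
# (SSLv2 has no ssl.TLSVersion member, so its raw number 0x0002 is used) and
# the SSLContext option bit that switches the version off explicitly.
LEGACY = [
    ("SSLv2", 0x0002, ssl.OP_NO_SSLv2),
    ("SSLv3", ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
]


def hardened_server_context() -> ssl.SSLContext:
    """Server context that negotiates TLS 1.2 or newer only.

    Certificate loading is left to the caller: call
    ctx.load_cert_chain(certfile, keyfile) with the backend's own
    certificate and key before wrapping sockets.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The version floor is the single setting that matters here: anything
    # below TLS 1.2 (SSLv2, SSLv3, TLS 1.0, TLS 1.1) can no longer be offered.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Let the server, not the client, decide the cipher suite order.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def legacy_protocols_enabled(ctx: ssl.SSLContext) -> list[str]:
    """Return the names of legacy protocol versions ctx would still accept.

    A version counts as disabled if its OP_NO_* bit is set or if the
    context's minimum_version is above it.  MINIMUM_SUPPORTED (-2) means
    "whatever the OpenSSL build allows", so it never raises the floor.
    """
    enabled = []
    floor = ctx.minimum_version
    for name, version, no_bit in LEGACY:
        if ctx.options & no_bit:
            continue  # explicitly switched off via OP_NO_*
        if floor != ssl.TLSVersion.MINIMUM_SUPPORTED and floor > version:
            continue  # below the configured floor
        enabled.append(name)
    return enabled


def weak_server_context() -> ssl.SSLContext:
    """Constructed for contrast only: a floor lowered to TLS 1.0, mirroring a
    legacy deployment.  Python warns that TLSv1 is deprecated; the warning
    is silenced here so the contrast can be shown without noise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    print("hardened context still accepts:", legacy_protocols_enabled(hardened_server_context()))
    print("weak context still accepts:    ", legacy_protocols_enabled(weak_server_context()))
```

The audit only inspects the context's own settings; it says nothing about what a particular OpenSSL build can actually negotiate (modern builds contain no SSLv2 code at all), so it is a configuration check, not a substitute for testing the deployed endpoint.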
Results of disabling SSLv2
HTTPS will no longer work with some old browsers
Except for Internet Explorer, all browsers update automatically
Internet Explorer supports the TLS protocol from version 7
Windows Vista and newer do not have a problem
Windows XP users can update their IE6 to version 8
Users of Windows 98 cannot use HTTPS in IE anymore