SSL Is Not A Secure Architecture Greg Sternberg, CISSP Solutions/Security Architect Jeppesen 29 Jan 2013

Upload: allyson-lawson

Post on 27-Dec-2015



SSL Is Not A Secure Architecture

Greg Sternberg, CISSP
Solutions/Security Architect
Jeppesen

29 Jan 2013


A Bit About Myself

• Old: I’ve used punch cards, PL/1 and PDPs
• If it involves computers I’ve probably done it
• Former “status hacker”
• Wrong side of the tracks
• Study Psychology as a Hobby
• Solutions/Security/Enterprise Architect @ Jeppesen, a Boeing company
• Board member of the Denver chapter of ISSA
• CISSP and TOGAF certified
• Infragard member


Agenda

• When Success is Bad
• SSL Will Solve World Hunger
• Understanding The Players
• Knowledge is a Good Thing
• Think Bad
• Secure Architectural Principles
• If You're Lost, Your Priorities Change
• We're All In This Together
• Zen Moments (a.k.a. Q&A)

Organic Growth


• In The Beginning: Mainframe, users working on the machines, physical security
• Let There Be Users: Client/Server, users working on the network, IDS, anti-virus
• We’re Not In The Computer Center Anymore: SOA, users working from home, EDP, VPN
• But Now... Do You Know Where Your Data Is? (or A Pirate’s Cornucopia)


SSL Will Solve Everything (just “get r' done!”)


• Only protects transfers, and only if used
• Proliferation of certificates: Symantec alone has 811,511; 650 CAs
• Implementation problems: My Client/Server code is 400 LoC; at 1 bug per 10 lines of code…
• Expect too much from users

Securing Your Architecture


• No "silver bullet": there are always trade-offs and risks

Story: We had too many entries into our systems, so we eliminated all but one entry into our network. However, that one got compromised and we suffered a break-in. Turns out we helped the malware authors by simplifying our system.

On the plus side, since we had significantly fewer things to log and monitor, we caught the intrusion much faster than we would have before, assuming we could have caught it in the old system at all.

Looking at Architecture From a Malware Point of View


• Security has to be right all the time; malware only once
  – And they're better funded
• Malware is:
  – Everything we want to be
  – Social engineers
  – Know our users better than we do
• They understand our psychology
  – Prospect Theory
  – Small change blindness
  – “It won't happen to me”
  – “I've always done it this way”
  – We don't like to admit when we messed up

You Can't Protect What You Don't Know


• Silos are malware's best friend
• Two heads are better than one
• Learn from someone else's mistakes
• Know your company
  – What are your company's architectural/security/... goals?
• Know your company business(es)
  – What are its drivers?
  – What does it think about architecture & security?
• Know your system(s)
  – What are the threats, vulnerabilities, ...
• Never assume
  – “You must ask the right questions”

Think Bad (a.k.a. channeling your inner hacker)


xkcd comics

• Understand the system as well as the system of systems (holistic)
• Think about the elephant
• Think outside the box
• Data has three environments
• Different strokes for different folks
• Evaluate C.I.A.(A.)
• Consider effort
• Make your architecture harder to crack than the architecture next door

Secure Architecture Principles


• Business Focused
  – What are the business requirements?
  – Your job is not to make the business secure; it's to keep the business profitable
  – Always show benefit to the company
• Appropriate
  – Effective vs. right
  – Avoid security for security's sake
  – Avoid diminishing returns
• Professional (political) lobbyist
• Chinese fortune cookie
  – “The beginning is the most important part of the work.” – Plato
• We all need direction, even if it's wrong

“If You Don't Know Where You Are Going, Any Road Will Get You There.”


• Have a Strategy
  – “The task of strategy is an efficient use of the available resources for the achievement of the main goal.”
• Have a Plan
  – Avoid the TSA Paradigm
  – Polarize, not just Layer
• Prepare for Paradigm Shifts
  – Deperimeterization
  – Targeted and Silent malware
  – Social attacks
• Humans are Visual
  – Targeted pictures
• Take shameless (but responsible) advantage of events

Don't Forget

• Simplify
  – "That's been one of my mantras -- focus and simplicity. Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple." – Jobs
• Knowledge is a Wonderful Thing
  – Know when things are added to your architecture
• What not to do is Wonderful Too
  – Don't reinvent the wheel
• The 'Circle of Security' (a.k.a. The Circle of Life)
• Learning from Malware
  – “Know your enemy and know yourself...” – Sun Tzu

Users Are Human Too


• Computers are Intimidating
• One Size Doesn't Fit All
• Something Will Go Wrong
• Fail Securely and Loudly
• Know Thine Enemy; For They Are Us
• Impatience / Lack of Knowledge
• Oops
• Your Job is Security; Not Your Users'

“Make It So”

1. Know what is required/mandated/…: Must have a business justification. Did I contribute toward the bottom line?

2. Have an agenda (a.k.a. plan): Do I have a plan? Does anyone know what my strategy is?

3. Have a picture(s): A picture is worth a 1000 words. Is it tailored?

4. Work for agreement: You must be a professional political lobbyist. Who is helping me?

5. Rinse & Repeat: What didn't I get done? Never surrender


Questions, Comments, Suggestions, … (and some Zen Moments)

• Security is a river, not a road
• The most secure things are those not there
• "I say, let your affairs be as two or three, and not a hundred or a thousand; instead of a million count half a dozen, and keep your accounts on your thumb-nail." – Thoreau
• Something will go wrong – expect it; embrace it; work with it

Supporting Slides


References

• OWASP Application Security Architecture Cheat Sheet - https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet

• Symantec achieves highest number of SSL certificates issued globally - http://www.nationmultimedia.com/technology/Symantec-achieves-highest-number-of-SSL-certificat-30186424.html

• Serge Egelman, Lorrie Faith Cranor, and Jason Hong, “You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings” - http://repository.cmu.edu/cgi/viewcontent.cgi?article=1061&context=hcii

• David Dunning and Justin Kruger, “Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments”, Journal of Personality and Social Psychology, 1999 - http://www.scirp.org/Journal/PaperDownload.aspx?paperID=883&fileName=Psych.20090100004_39584049.pd

• Andrew Jones, “How do you make information security user friendly?” - http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=7286&context=ecuworks

• Jericho Forum, Data Protection – Problem Statement and Requirements for Future Solutions - https://www2.opengroup.org/ogsys/catalog/W12C

Oops, I Learned Something (a.k.a. poor man’s governance)

• Positive vs. Negative
  – Positive reinforcement: the adding of a pleasant outcome to increase a certain behavior or response
  – Positive punishment: the adding of an unpleasant outcome to decrease a certain behavior or response
  – Negative reinforcement: the taking away of an unpleasant outcome to increase a certain behavior or response
  – Negative punishment (omission training): the taking away of a pleasant outcome to decrease a certain behavior
• “This Isn’t Your Father’s Security”
• Repeat, repeat, repeat, repeat, improve, repeat, repeat, …
• Testing *can* be fun
• Communicate Accidental Learning


Still Crazy After All These Years

• During a breach at rockyou.com where 32 million passwords were stolen, it was discovered:
  – 30% of the passwords were six characters or smaller
  – 60% were passwords created from a limited set of alphanumeric characters
  – 50% of the users had used easily guessable names, common slang words, adjacent keyboard keys and consecutive digits as their passwords
• A study of password habits in 2007 found that users still choose the weakest they can get away with, much as they did three decades earlier


"It Won't Happen To Me."

• “Put on a happy face”
• “I wouldn’t let it happen that way”
• The more you know, the less you think you know
• The reverse is scary: the less you know, the more you think you know


The Trust Factor

Trust is an action involving the voluntary placement of a trustee at the disposal of the person being trusted with no real commitment from the trustee

People instinctively trust other people. If the person being trusted is trustworthy, then the person doing the trusting is better off; conversely, if the person being trusted is untrustworthy, then the person doing the trusting is worse off.

Trust allows actions which are otherwise not possible


Small Change Blindness

As long as the changes in our environment occur slowly, we adapt to it, and are unlikely to detect the change

Sitting in front of a computer we are blissfully unaware of what is happening 'behind the curtains'

From a security forum: “…Telling the average computer user to look out for suspicious activity doesn't work because most of the time they haven't any idea what activity is considered suspicious. ‘My hard drive light went on - should I worry?’ or ‘My game paused for a moment - should I worry?’”

“…if I'm running a quad core computer I probably wouldn't notice a bot running on my system”


Risking Gains and Accepting Losses

When it comes to evaluating gains or losses, people have a built-in heuristic against risking gains or accepting losses. Put another way – it’s not whether you win or lose, it’s how you frame the question.

Called Prospect Theory, this is best demonstrated by an experiment put together by Daniel Kahneman and Amos Tversky


“I’ve Always Done It This Way”

Habitual thinking and behavior are a result of powerful neural pathways in our brains and memories that are automatically and unconsciously accessed

Unconscious thought processes can predetermine, without an individual's awareness, decision-making bias and actual decision-making

Emotions are the key driver to decision-making, not logical, analytical thought; our logical processes are often only rational justifications for emotional decisions