Thinking Evil Thoughts
1 like1,124 views
This document discusses threat modeling and how to properly scope security assessments. It provides examples of how threat modeling can be applied, including getting the full scope of the system correct and identifying risks. The document warns that developer laptops and conferences pose security risks and outlines some mitigation approaches like two-factor authentication and separation of duties. The overall message is that modern development approaches require keeping security top of mind.
![(without introducing more risk)
$ curl -s https://api.github.com/users/<username>/events/public
| jq '.[].payload.commits[0].author.email'
| sort
| uniq
| grep -v "null"
Email from GitHub user](https://image.slidesharecdn.com/thinkingevilthoughts-160905083401/85/Thinking-Evil-Thoughts-74-320.jpg)
Thinking Evil Thoughts
- 1. (without introducing more risk) Thinking Evil Thoughts Puppet Gareth Rushgrove A taste of threat modeling
- 2. (without introducing more risk) @garethr
- 3. (without introducing more risk) Gareth Rushgrove
- 4. (without introducing more risk) This Talk What to expect
- 5. - What is threat modeling? - Getting the scope right - Identifying risks - Using conferences to hack people Gareth Rushgrove
- 6. Introduce some security language to help you navigate the domain Gareth Rushgrove
- 7. Dive straight into examples Gareth Rushgrove
- 8. Empower you to ask questions more than provide easy answers Gareth Rushgrove
- 9. (without introducing more risk) Threat modeling A brief introduction
- 10. Gareth Rushgrove a procedure for optimizing network security by identifying objectives and vulnerabilities THREAT MODELING
- 11. - Determine scope - Identify threat agents and attacks - Understand existing countermeasures - Identify vulnerabilities - Prioritise risks - Identify countermeasures Gareth Rushgrove https://www.owasp.org/index.php/Category:Threat_Modeling
- 12. Inside each of us, there is the seed of both good and evil. It's a constant struggle as to which one will win. Gareth Rushgrove “ ”Eric Burdon
- 13. (without introducing more risk) Think evil.
- 14. (without introducing more risk) Getting the scope rights Avoiding gaps in your threat model
- 15. Ignoring part of your system when considering security is a common mistake Gareth Rushgrove
- 16. Gareth Rushgrove the attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. ATTACK SURFACE
- 17. (without introducing more risk) Example What is Production? Gareth Rushgrove
- 18. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION?
- 19. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION? PEOPLE DESKTOPS CI SERVER
- 20. LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION? PEOPLE DESKTOPS CI SERVER HYPERVISOR MANAGEMENT MONITORING
- 21. Do you protect your CI stack as well as your production database? Gareth Rushgrove
- 22. Could I execute a query on your production database if I compromised your CI server? Gareth Rushgrove
- 23. Example Third party services Gareth Rushgrove
- 24. Gareth Rushgrove an entity which facilitates interactions between two parties who both trust the third party TRUSTED THIRD PARTY
- 25. Gareth Rushgrove a term in computer science and security used to describe a boundary where program data or execution changes its level of "trust". The term refers to any distinct boundary within which a system trusts all sub-systems (including data). TRUST BOUNDARY
- 26. Gareth Rushgrove
- 27. Why Serverless is a bad name Gareth Rushgrove
- 28. (without introducing more risk) There are still servers somewhere Gareth Rushgrove
- 29. How you think about the servers changes, and the respective risks and mitigations change. But servers still exist. Gareth Rushgrove
- 30. Why NoOps is a bad name Gareth Rushgrove
- 33. How you think about operations changes, and the respective risks and mitigations change. But operations still exist. Gareth Rushgrove
- 34. Your attack surface is bigger than you think Gareth Rushgrove
- 35. (without introducing more risk) Identifying risks The need to understand your system
- 36. Differences in how you perceive a system and how it actually works can be used to exploit it Gareth Rushgrove
- 38. Out systems are immutable, we don’t need runtime file integrity checking Gareth Rushgrove “ ”A possibly naive developer
- 39. Gareth Rushgrove unchanging over time or unable to be changed. synonyms: unchangeable, fixed IMMUTABLE
- 40. (without introducing more risk) Containers are not immutable by default Gareth Rushgrove
- 41. (without introducing more risk) Containers are not immutable by default Gareth Rushgrove
- 42. (without introducing more risk) Gareth Rushgrove $ docker run -d alpine /bin/sh -c "while true; do echo hello world; sleep 1; done"
- 43. (without introducing more risk) Gareth Rushgrove $ docker exec a7a01beb14de touch /tmp/surprise
- 44. (without introducing more risk) Gareth Rushgrove $ docker diff a7a01beb14de C /tmp A /tmp/surprise
- 45. (without introducing more risk) Gareth Rushgrove $ docker run --read-only -d alpine /bin/sh -c "while true; do echo hello world; sleep 1; done"
- 46. (without introducing more risk) Gareth Rushgrove $ docker exec 379150b2cf05 touch /tmp/surprise touch: cannot touch '/tmp/surprise': Read-only file syste
- 47. (without introducing more risk) Do your immutable EC2 instances have read-only filesystems? Gareth Rushgrove
- 48. (without introducing more risk) Most Immutable Infrastructure isn’t Gareth Rushgrove
- 49. (without introducing more risk) Without technical controls you only have social guarantees of immutability Gareth Rushgrove
- 50. (without introducing more risk) Hacking conferences Looking for vulnerabilities
- 51. Let’s assume your applications and infrastructure are super secure* Gareth Rushgrove * This probably isn’t true. You should worry about that as well.
- 52. - Penetration testing - Intrusion detection system - Web application firewall - Network firewalls - Malware scanning - Configuration management Gareth Rushgrove
- 53. Gareth Rushgrove How secure is your laptop?
- 54. - Hand maintained configuration - Updated whenever - No central monitoring - Administrative access - Single factor authentication Gareth Rushgrove
- 55. Can you push new Docker images from your laptop? Gareth Rushgrove
- 56. Can you create jobs on your Jenkins instance from your laptop? Gareth Rushgrove
- 57. Can you launch new replication controllers from your laptop? Gareth Rushgrove
- 58. Can you release new functions to Lambda from your laptop? Gareth Rushgrove
- 60. (without introducing more risk) As a hacker how do I own your laptop? The fun stuff
- 61. Where can I find hundreds of developer laptops… Gareth Rushgrove
- 62. Developer Conferences are a Target Rich Environment Gareth Rushgrove
- 63. Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK
- 64. Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK This is the official conference wifi right?
- 65. Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK Or is it this one? Whatever, both work
- 66. Devices exist to man-in-the-middle wireless networks Gareth Rushgrove
- 67. Who has ever picked up a USB memory stick at a conference? Gareth Rushgrove
- 68. Gareth Rushgrove
- 69. USB devices exist which will run a script on connect (normally by impersonating a keyboard) Gareth Rushgrove
- 70. (without introducing more risk) DELAY 1000 COMMAND SPACE DELAY 500 STRING Terminal DELAY 500 ENTER DELAY 800 STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys ENTER DELAY 1000 STRING killall Terminal ENTER Add my public key https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29
- 71. Local databases
- 72. Lots of people here are on Twitter and using the conference hashtag Gareth Rushgrove
- 73. Lots of people here are on GitHub with the same username Gareth Rushgrove
- 74. (without introducing more risk) $ curl -s https://api.github.com/users/<username>/events/public | jq '.[].payload.commits[0].author.email' | sort | uniq | grep -v "null" Email from GitHub user
- 75. an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data. Gareth Rushgrove SPEAR PHISHING
- 76. Hi <your name> Great to see you at <conference name here> last week. I thought you’d be interested in the container testing tool I mentioned. http://nothingevilhere.com. Would love to know what you think. Hopefully see you at DockerCon next year too.
- 77. (without introducing more risk) So you’re saying we’re all doomed? This is quite depressing now I think about it
- 78. Part of threat modeling is coming up with suitable mitigations to the risks identified Gareth Rushgrove
- 79. - 2 factor authentication - Time-limited credentials - Separation of duties - Two person rule - Configuration management Gareth Rushgrove
- 80. having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. Gareth Rushgrove SEPARATION OF DUTIES
- 81. a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times. Gareth Rushgrove TWO-PERSON RULE
- 82. Gareth Rushgrove a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence and determines if information obtained by adversaries could be interpreted to be useful to them. OPERATIONAL SECURITY (OPSEC)
- 83. Once you understand the threat you can seek out specific guidance Gareth Rushgrove
- 85. - Protect data in transit - Protect data at rest - Authentication - Secure boot - Platform integrity and sandboxing - Application whitelisting Gareth Rushgrove - Malicious code detection - Security policy enforcement - External interface protection - Device update policy - Event collection and analysis - Incident response https://www.cesg.gov.uk/guidance/end-user-devices-security-principles
- 86. Education. Education. Education. Gareth Rushgrove
- 87. Gareth Rushgrove
- 88. (without introducing more risk) Conclusions If all you remember is…
- 89. With Cloud Native approaches developers are nearer to production than ever before Gareth Rushgrove
- 90. The efficiency of modern tooling introduces new threats, and magnifies existing ones Gareth Rushgrove
- 91. Existing mitigations and security controls won’t be enough. You need to collaborate with security colleagues on new approaches Gareth Rushgrove
- 92. Threat modeling should be part of your development process Gareth Rushgrove
- 93. Gareth Rushgrove
- 95. Gareth Rushgrove
- 96. (without introducing more risk) Thanks And any questions?