Surviving the Digital World War: Security in the Modern Era
© Kristopher Sandoval, @sandovaleffect

Nordic APIs 2016 Platform Summit

©2016 Kristopher Sandoval · All Rights Reserved

Who is Kristopher? About the speaker

Kristopher Sandoval

Experience and education

What do we know about Kristopher Sandoval?

• Education primarily focusing on Information Technology, Network Administration and Data Cryptography. Extended focus on Web Development and Security.

• Author for Nordic APIs, Content Manager as a day job, musician when time allows.

Why is this important?


Who are you? Identifying the audience

Personal: Names, Interests, Family Connections

Professional: Profession, Employers, Publications

Education: Schools Attended, Grades, Degrees, Licensing Agencies

But this is not who you are online

You are your data

Financial data: Bank Account Numbers, Routing Information, Personal Account Summaries, Log In Data, Authentication Data

Personal data: IP Addresses, MAC Addresses, Log-in Credentials, Phone Numbers, Personal “Interests”, Activities

Governmental data: Tax Information, Social Security Numbers, Addresses, Clearances, Wage Data

The world war: the war, its victims, and its combatants

Weapons: Never before has the average user had more tools of destruction at their fingertips.

Victims: Entities are not the only ones at risk – as with all warfare, civilians are threatened as well.

Scale: With each new war, the technology and size of combat have increased dramatically. War is no longer fought exclusively on the battlefield with munitions – World War API is digital. This isn’t digital only – real life and digital life are intertwined like at no point in history.

Enemies: Enemies exist at every scale from individual to state actor.

Who is the enemy?

Non-affiliated (individual or group attackers): Lizard Squad, ShadowCrew, LulzSec

Terror groups (ideological or political): Cyberterrorist groups, Aum Shinrikyo, ISIS, Zapatistas

State and nation (warfare and sabotage): Inter-state conflict, national warfare (Palestine/Israel)

What does the enemy care about?

Value: What is the determined value of the resource that they want to attack?

Internal: Why are they attacking? Is the reason economic, political, or “for the lulz”?

Vulnerable: Is the system vulnerable? Are there any implementations that increase value while reducing effort?

Effort: What effort, assuming no further identified vulnerabilities, will be put forth? What’s the ROI?

What are their motivations?

In recent years, hacking has taken on a decidedly more dangerous tone. Espionage and warfare are on the rise with terror groups such as ISIS gaining technical knowledge, and hacktivism threatens politically motivated attacks against services and systems without a “dog in the fight”.

The motivations behind hacking

Cybercrime (Economic, Criminal): 67%

Hacktivism (Typically Political): 20.8%

Espionage (State Spying): 9.8%

Warfare (Terrorism and State-Level): 2.4%

Despite this increase, cybercrime is still the #1 motivator behind hacking, and by far the most damaging, with the average yearly cost trending to a predicted $2T by 2019.

Who are the victims?

Individuals (users and their resources): The Fappening, The Snappening, identity theft

Internet services (websites and databases): PlayStation Network, Spotify, Facebook, Twitter, Tumblr

State resources (infrastructure): Data centers, nuclear generators, government resources

Who’s the main target?

APIs and API providers: the nexus of vulnerability and value.

All of the victims share a common resource – the APIs that drive their interaction.

API providers provide the “battlefield” where the war is fought.

API providers have more power than ever before – but they must utilize it.

“[…] the next generation of terrorists will grow up in a digital world, with ever more powerful and easy-to-use hacking tools at their disposal.”
Dorothy E. Denning

“It is a fairly open secret that almost all systems can be hacked, somehow. It is a less spoken of secret that such hacking has actually gone quite mainstream.”
Dan Kaminsky

The weapons of war: tools of combat

Vectors of attack

Internal failure
• Improper internal security policies.
• Poor data retention.
• Bad disclosure processes.
• Insecure physical measures.
• Poor documentation policies.

External failure
• Inadequate load balancing.
• Not meeting system and traffic requirements.
• Inability to effectively identify malicious traffic.

Code failure
• Poorly implemented endpoint resolutions.
• Insecure code dependencies.
• Coding in obsolescence.
• Failure to meet standardized levels.

Real-life examples

Internal failure: In 2011, internal staff information and credentials were phished. This led to the master keys for all RSA SecurID security tokens being exposed. US defense suppliers, including Lockheed Martin, were then exposed to multiple attacks.

External failure: In 2016, the BBC was DDoS’d with 602 Gbps of malicious traffic. The server did not readily identify malicious traffic, and seemingly did not balance traffic or offload to external resources. The BBC was finally restored using the Akamai Content Delivery Network.

Code failure: One of the most famous vulnerabilities of this type, Heartbleed was the result of the bugged Heartbeat Extension for OpenSSL from Robin Seggelmann. RFC 6520 (Heartbeat Extension) author Stephen Henson failed to notice the bug before its introduction into the OpenSSL source code. 17% of the internet’s secure web servers at the time of disclosure were considered “vulnerable”.
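Added example, not code from the slides or from OpenSSL: a minimal RFC 6520 heartbeat responder in C that applies the record-length check the vulnerable Heartbeat code was missing, so a record whose claimed payload length exceeds what was actually received is discarded instead of echoed from adjacent memory. The record layout follows RFC 6520; the function and constant names and the sample records are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2) | payload | padding (>= 16 bytes). */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Build the heartbeat response for one received record. Returns the number of
 * bytes written to out, or 0 when the record must be silently discarded, which
 * is what RFC 6520 requires for a malformed record. */
size_t heartbeat_respond(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_len)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The bounds check the vulnerable code lacked: the peer's claimed payload
     * length plus header and minimum padding must fit inside the bytes that
     * actually arrived. Without it the responder trusts payload_len and copies
     * that many bytes from memory beyond the end of the short record. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len) return 0;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (out_len < resp_len) return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);   /* echo only bytes we received */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);    /* padding content is arbitrary */
    return resp_len;
}

/* Constructed sample records, not captured traffic. */
static const uint8_t GOOD_REC[3 + 4 + 16] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t BAD_REC[3 + 1 + 16]  = { HB_REQUEST, 0xff, 0xff, 'x' };  /* claims a 65535-byte payload */

size_t demo_good(uint8_t *out, size_t out_len) { return heartbeat_respond(GOOD_REC, sizeof GOOD_REC, out, out_len); }
size_t demo_bad(uint8_t *out, size_t out_len)  { return heartbeat_respond(BAD_REC, sizeof BAD_REC, out, out_len); }

int main(void)
{
    uint8_t out[64];
    printf("well-formed record: %zu response bytes\n", demo_good(out, sizeof out));
    printf("malformed record:   %zu response bytes (discarded)\n", demo_bad(out, sizeof out));
    return 0;
}
```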


Batten down the hatches: securing systems

CIA: the principles of security

Confidentiality: Protects data from unauthorized disclosure, interception, or knowledge.

Integrity: Ensures the data is accurate and representative of the data that was initially stored or marked.

Availability: Establishes that access to a resource is not restricted unduly or due to outside interference.

Securing the API stronghold

1. Authentication: Ensure a process of authentication to identify requesting parties to prevent spoofing. Avoid passing usernames and passwords in URLs to avoid spoofing.

2. Authorization: Audit user levels and authorization to ensure proper access levels. Users should not be able to access all resources, and their access to functionality should be on a need basis.

3. Federation: Ensure encoded transmission of SSO and user federation, and establish trusted credential issuance.

4. Delegation: Restrict delegation rights inheritance, and make sure that the privilege levels are proper from the delegating party.

Preventing and fixing code issues

Consistently check code: Check code during each stage of the lifecycle (development, iteration, production), and consistently check for issues.

Avoid untrusted dependencies: Use storied providers and proven technologies, and avoid giving process responsibility too heavily to external resources.

Review and iterate: Routinely audit code and test in a virtualized environment before shifting from iteration to production.

Correcting internal processes

1. Establish internal culture: Establish a proper internal culture of security. Rotate passwords, limit sharing of resources, attach records and responsibility to users.

2. Limit potential for damage: Adhere to the Principle of Least Privilege, consistently audit activity, monitor external contacts.

3. Educate: Educate staff on current threats, elaborate on current and past security issues, implement training to negate possible issues.

4. Communicate: Establish proper error reporting processes, ensure internal bugs do not become external, establish a reporting chain of command.

Fix external vulnerabilities: think like a criminal

Hardware: Intrusion detection, load balancing, bastion hosts.

Code: Encryption, secure keystores, secure dependencies.

Honeypot: Create routed opportunities for would-be hackers.

Visibility: Reduce the perceived value of the target in question.

What’s more attractive?

A system with front facing servers without load balancing and with passwords stored in plaintext?

Or

A system with a bastion host and load balancing system with heavy encryption and secure authentication, authorization, federation, and delegation?

Balance reward and risk

Consider the risks of your choices: Consider what content is hosted, and whether or not it exposes you to hacktivist concerns or cybercrime concerns.

Weigh the value of the integration – does your store app really need to store credit card details for a more seamless experience? Or does the threat outweigh the small benefit to the consumer?

What does your service look like from the outside?

Additional solutions and methodologies

Containers, Key Validation, Content Filtering, Threat Knowledge

Encryption, Sanitization, Data Execution Prevention, Stack Cookies

Universal 2-factor (U2F), OAuth 2, OpenID Connect, JSON Identity Suite

Contact me

Twitter - @SandovalEffect

Facebook - facebook.com/kristophermsandoval

LinkedIn - linkedin.com/in/kristophersandoval

Thank you!