understanding online security
TRANSCRIPT
Goals
➔Understand Internet security basics
➔Better equipped to protect yourself online
➔Prepared to implement basic software security
➔Able to research security topics
Overview
➔Internet Technology
➔Attack Vectors
➔Common Attacks
➔Security Principles & Terminology
➔Safety & Security Tips
Michael Dowden
➔Education◆ BS Computer Science
◆ MBA Entrepreneurship
➔Experience◆ Software Development and IT since 1992
◆ 12+ years software security
◆ Full Stack - Hardware to User Interface
◆Worked with 60+ organizations in multiple industries
Senior Principal Consultant & Software Architecture Lead @ CSpring
HT
TP
Client
(Web Browser)Internet Server
Request
Response
Request
Response
User System
Administrator
Client
(Web Browser)Internet Server
Request
Response
Request
Response
User System
Administrator
Email / Website / Hack / XSS / CSRF
Permissions / Injection / DDoS / Hack
Man in the Middle
Social Engineering
Attack V
ecto
rs..
.and
mo
de
s o
f d
eliv
ery
Client
(Web Browser)Internet Server
Request
Response
Request
Response
User System
Administrator
Email / Website / Hack / XSS / CSRF
Permissions / Injection / DDoS / Hack
Man in the Middle
Social Engineering
Softw
are
Mitig
ation
HTTPS / VPN / Tor
Headers / CSRF / Password Managers
/ Public Key Encryption
Encryption / Authentication /
Authorization
Least Privilege / Training
DNS Hijacking
➔Redirect domain name to fake address
➔Used to:
◆ Collect data & credentials
◆ Steal money
➔Protection:
◆ Disable open relay on DNS servers
◆ DNSSEC
216.58.216.206
111.22.33.213
Browser
google.com
DNS Server
Bad Search
Site
Man-in-the-Middle
➔Eavesdropping or dual authentication
➔Used to:
◆ Defeat encryption and authentication
◆ Steal data
◆ Act on behalf of the user
➔Protection:
◆ Public key infrastructure such as TLS over TCP
Normal Connection
Compromised Connections
Clickjacking
➔Subvert mouse clicks
➔Used to:◆ Redirect to foreign sites
◆ Bypass browser security
◆ Modify privacy settings
➔Protection:◆ Proper use of X-Frame-Options
◆ Client-side frame detection
CSRF (Cross-Site Request Forgery)
➔Impersonate user to the server
➔Used to:
◆ Coerce user action
◆ Transfer control or resources
➔Protection:
◆ Unpredictable token in each request
◆ Use framework built-in defenses
Client
Attacker
Server
Server
XSS (Cross-Site Scripting)
➔Verbatim display of user-submitted content
➔Used to:◆ Steal personal information
◆ Hijack sessions or Install Trojans
◆ Redirect to foreign sites
➔Protection:◆ Encode all user-provided data
◆ Use safe JavaScript APIs (never eval)
Client
Client
Server
Server
(SQL) Injection
➔Verbatim user-submitted content in query
➔Used to:◆ Steal data
◆ Corrupt data
➔Protection:◆ Prepared statements
◆ Escape user input
https://xkcd.com/327/
Distributed Denial of Service
Website
Legitimate User
➔Flood a website with traffic
➔Used to:
◆ Shut down targeted website
◆ Block traffic from the website
◆ Extort payments
➔Protection:
◆ Firewalls block attacking traffic
Social Engineering
➔Simply ask someone for their credentials
➔Used to:
◆ Obtain credentials
◆ Access secure systems
➔Protection:
◆ Training
◆ Never tell anyone your passwords https://xkcd.com/538/
Key Objectives
➔ Ensure users are who they claim to be…with every request
➔ Users can do what they need…but no more
➔ Data is kept safe
➔ Communication is kept private
Authentication
➔Identity
➔Something you Know (password)
➔Something you Are (biometrics)
➔Something you Have (security key)
Natalie Curtiss : Grandmother? (https://flic.kr/p/7VqQPa)
Authorization
➔Restrict access to specific data
➔Access levels:
◆ View
◆ Change
◆ Delete
➔Rules applied based upon ID trust
Obscurity
➔Can’t put the cat back in the bag
➔Security requires shared algorithms
➔Implementation accuracy requires public review
➔Unpredictable level of risk
Which box holds
the prize?
Cryptography
➔Mathematically provable complexity
➔Cryptographic hash
➔Symmetric encryption
➔Public-key encryption
➔Transport Layer Security (https)
Public Private
Public Private
Encrypts
Decrypts
Verifies
Chain of Trust
➔Digital Signatures
➔Certificates
➔Only sign certificates you know
➔Only accept certificates you trust
Minimum Developer Responsibility
➔HTTPS
➔Password Protection
◆Hashing for Auth
◆AES for System Logins
➔OWASP Top 10 - https://owasp.org
Password Protection
➔Hash, don’t encrypt
◆ Secure algorithm (SHA512, bcrypt)
➔Salt
◆ Two salts - row and app
➔Iterate
◆ Key derivation (PBKDF2, bcrypt)
➔Go slow!
+
1000x
1. Click “forgot password”
2. Enter identification
3. Receive email
4. Click link
5. Enter security key(s)
6. Enter new password
Change Password
Website Security Form
Password FormNew Password
Networking Tips
➔Always use a Router with Firewall
➔Secure your WiFi
➔Don’t connect to unknown WiFi networks
➔Use VPN over unsecured WiFi
Email Tips
➔Don’t open email from an unknown sender
➔Never open unexpected attachments in your email
➔Avoid clicking links in an email
Website Tips
➔Always log out when finished
➔Keep your browser up-to-date (Chrome, Firefox, Opera)
➔Don’t submit information to unsecure connection
Password Tips
➔Use a Password Manager (LastPass, 1Password, KeePass)
➔Use long and complex passwords (30 random characters)
➔Use 2-factor authentication when available
➔Change compromised passwords
Tools
➔LastPass - https://www.lastpass.com/
➔Have I been pwnd? - https://haveibeenpwned.com/
➔Abine Blur - https://www.abine.com/index.html
Why aren’t all systems secure?
➔Education & Training
➔Weakest Link
➔Trade-offs
➔Moving Target
➔Laws & Politics
Security decisions
➔What are we protecting?
➔What is the likelihood of attack?
➔What are the risks of security failure?
➔What are the probable attack vectors?
➔How will we detect and report breaches?
➔Don’t forget the ethics!
How does online security help people?
➔Restrict access to financial assets
➔Protect your identity and personal information
➔Defend against device takeover
➔Shelter citizens from oppressive governments
➔Preserve 1st, 4th, and 5th amendment rights
Resources
➔Troy Hunthttps://www.troyhunt.com/
➔Brian Krebshttps://krebsonsecurity.com/
➔WIRED Threat Levelhttps://www.wired.com/category/threatlevel
➔Pluralsighthttps://pluralsight.com/browse/information-cyber-security
Michael Dowden
@mrdowden
linkedin.com/in/mdowden
plus.google.com/+MichaelDowden
lanyrd.com/profile/mrdowden/