secure the code secure the data l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Secure the CODE Secure the DATA PowerPoint Presentation
Download Presentation
Secure the CODE Secure the DATA

Loading in 2 Seconds...

play fullscreen
1 / 21

Secure the CODE Secure the DATA - PowerPoint PPT Presentation


  • 254 Views
  • Uploaded on

Secure the CODE Secure the DATA. Benjamin Stephan Director of Incident Management FishNet Security www.FishNetSecurity.com Benjamin.Stephan@FishNetSecurity.com. Agenda. Purpose Data Storage and Risk Analogy Technical Details Prevention Threat Questions. Purpose.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Secure the CODE Secure the DATA' - barr


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
secure the code secure the data

Secure the CODESecure the DATA

Benjamin Stephan

Director of Incident Management

FishNet Security

www.FishNetSecurity.com

Benjamin.Stephan@FishNetSecurity.com

agenda
Agenda
  • Purpose
  • Data Storage and Risk
  • Analogy
  • Technical Details
  • Prevention
  • Threat
  • Questions
purpose
Purpose
  • Why is secure coding and secure development such an important issue?
    • Can you read binary?
    • When was the last time you used ASCII in a conversation?
  • Applications are the utilities by which data is captured, manipulated, transformed, interpreted, etc.
  • Without applications, data is retained in raw formats, the purpose and meaning of which are difficult to discern.
purpose4
Purpose
  • Can you read this?
  • Or this?
  • You might be able to recognize letters or words, but even then, what is their purpose?
purpose5
Purpose
  • Applications are the means by which the “digital age” functions. Without applications, the data is just a “1” or “0”.
  • Users depend on applications to help them understand the data.
    • Why then must we secure the application?
    • What does this data mean:
      • “<CC_POST> 4321100000034251</CC_POST><EXP>0201</EXP>”
      • “http://www.fakeurl.com?uname=john_doe&pass=let_me_in”
purpose6
Purpose
  • Applications are the governors of the underlying data. As such, the security of the data is dependent on the security of the application that governs that data.
  • If the application fails to provide proper protection of the information then the risk of compromise is significantly increased.
  • Secure the CODE
  • Secure the DATA
where is the data stored
Where is the data stored?
  • Data is stored in two general formats:
    • Non-volatile: Data that is stored in a format that is not easily lost, changed, or deleted is called “non-volatile”.
      • Examples:
        • Hard Drive, USB Drive, Floppy Disk, DVD, CD
    • Volatile: Data that is easily lost, changed, or deleted is called “volatile”.
      • Examples:
        • RAM, SDRAM, DRAM, “computer memory”
data is data right
Data is data, right?
  • Time = money
  • Data = lots of money
  • Types of data that can generate money:
    • Bank balances
    • Credit Card Numbers
    • Social Security Numbers
    • Credentials
    • Etc.
  • Dishonest individuals steal data to sell it or use it for malicious intent.
what data is more at risk
What data is more at risk?
  • Previously, attackers were more interested in large data repositories such as databases, old hard drives, backup tapes, etc.
  • Many regulatory compliance and security framework initiatives have identified “non-volatile” repositories as high risk and require compliant entities to ensure proper security.
    • PCI, SOX, ISO, CobiT, ITIL, HIPAA
    • Attackers know this and have started looking elsewhere for the data.
what data is more at risk10
What data is more at risk?
  • If the “non-volatile” data is secured then what is the other option?
    • Volatile data or memory
  • How secure is volatile memory?
  • How much data can the attacker gain?
  • Is the memory that interesting to an attacker?
penny analogy
Penny Analogy
  • The penny jar on the counter
  • Concept: “Take a penny

or leave a penny”

penny analogy12
Penny Analogy
  • The tip jar on the counter
  • Concept: “Give extra cash

for services rendered, NEVER

take money”

penny analogy13
Penny Analogy
  • What if there was a “money bucket”

on the counter?

  • Could you resist?
penny analogy14
Penny Analogy
  • What is the correlation?
    • The container = volatile memory
      • Penny jar = 256 megs of RAM
      • Tip jar = 4 gigs of RAM
      • Money bucket = 32+ gigs of RAM
    • Reasoning
      • Losses incurred by the penny jar are minimal and who cares if you steal a penny.
      • Losses by the tip jar are nominal and people know you better not steal from it.
      • Losses from the money bucket can cause substantial damage.
warning technical details
WARNING TECHNICAL DETAILS!!!!!
  • Volatile memory poses a risk to sensitive data.
    • Memory scraping: Attackers have learned to leverage legitimate tools used to “dump” the contents of RAM and search through it using query utilities like General | Regular Expression | Print (GREP).
      • FDPro
      • Dumpchk.exe (review dump files)
      • CurrProcess
      • Zero Dump
    • Operating systems such as Microsoft Windows, utilize “swap files” to help expand the functionality of RAM. The data that was in RAM is migrated to a “non-volatile” file (pagefile.sys). The data remains there until it is overwritten or securely deleted.
      • The OS does not clean up after itself!
warning technical details16
WARNING TECHNICAL DETAILS!!!!!
  • Volatile memory poses a risk to sensitive data.
    • Some operating systems support “hibernation” functions, which copy the contents of RAM to a local file (hiberfil.sys; Microsoft Windows). This allows for the device to return to the previous state before hibernation.
    • Many “server” class operating systems also store the contents of RAM to the hard drive when shutting down. This is done to help expedite the boot process.
how do you protect your data
How do you protect your data?
  • Encryption
    • Versions of Microsoft Windows Vista and Microsoft Windows 7 offer pagefile.sys encryption.
      • However, as with most encryption, there is the possibility of increased latency and overhead of key management.
  • Secure deletion
    • There are open source and inexpensive options to securely “wipe” the swap files at specified intervals.
how do you protect your data18
How do you protect your data?
  • Preventative development techniques
    • Proper coding techniques will allow for the probability of insecure storage to be greatly reduced. Rather than addressing the data after the fact, protect the data at all times.
      • Constructors: Prior to using a variable, ensure that the contents of the allocated memory are securely deleted.
      • Encrypted variable contents: Do not store ANY sensitive data (even in memory) in an unencrypted format. Decrypt the data prior to access and encrypt immediately after access.
      • Destructors: When the contents of the variable are no longer needed, securely delete the allocated memory.
how do you protect your data19
How do you protect your data?
  • There are various encryption tools to help support secure coding practices:
    • Microsoft .NET
    • Chilkat (http://www.chilkatsoft.com/crypt-library.asp)
    • Crypto++ (http://www.cryptopp.com/)
    • Etc.
is this really a threat
Is this really a threat?
  • Attack of the RAM scrapers (http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222002720)
  • 15 most common attacks (http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222001216)
    • #14: RAM Scraper
  • Vectored memory attack via ram scraping (https://infosecurity.us/?p=12210)
  • Defending against RAM scraper malware (http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1381236,00.html)
  • Securing data from RAM scrapers (http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1381236,00.html)
  • Cold boot attacks

(http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html)

(http://hackaday.com/2008/02/21/breaking-disk-encryption-with-ram-dumps/)

  • RAM-scraping attacks are a rising (but preventable) threat (http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci1381609,00.html)
questions
Questions??

Benjamin Stephan

EnCE CISSP PCI/PA-QSA QIRA QFI

Director of Incident Management

Benjamin.Stephan@FishNetSecurity.com

888.732.9406