Securing Wynyard. Impact of Security and Compliance on our Practices. Scott Whitfield Engineering Director Bryn Lewis Application Architect

Transcription

1 1

2 Securing Wynyard Impact of Security and Compliance on our Practices Scott Whitfield Engineering Director Bryn Lewis Application Architect UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND 2

3 AGENDA Wynyard Requirements Expectations Features Compliance Challenges Our approach Final Thoughts 3

4 WYNYARD Powerful Software. Fighting Serious Crime. Customers Law Enforcement, Criminal Intelligence Fortune 500, Financial Services Critical Infrastructure Solutions Investigations and Case Management (ICM) Advanced Crime Analytics (ACA) Operational Risk Management (Risk) Cyber Crime Global (NZ, Australia, US, Canada, UAE, England...) 4

5 CLIENT EXPECTATIONS Functionally rich, highly capable Usable Performant Reliable Robust Resilient Scalable Interoperable Compliant... Secure... 5

6 SECURITY REQUIREMENTS Traditional Security Features Authentication, Authorization, Roles etc. Advanced Security Features Non-repudiation Auditing navigation Entity level authorization Field level authorization Dissemination Controls Field masking, substitution Data encryption Compliance 6

7 SECURITY REQUIREMENTS COMPLIANCE Required to sell our products in certain markets RFP driven requirements Global marketplace PCI-DSS - Payment Card Industry Data Security Standard CJIS - Criminal Justice Information Services FIPS - Federal Information Processing Standard CESG - Communications Electronics Security Group ISO/IEC International Standards Organization Our attitude - Turn into business value 7

8 PCI-DSS Visa, MasterCard, American Express, Discover, JCB, and China UnionPay Objectives Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy Significant Fines for Account Data Compromise (ADC) Remediation costs Increased compliance requirements 8

9 CJIS - CRIMINAL JUSTICE INFORMATION SERVICES "Risk Versus Realism" Auditing and Accountability Access Control Identification and Authentication Configuration Management Media Protection Physical Protection System and Communications Protection and Information Integrity Formal Audits Mobile devices 9

10 FIPS - FEDERAL INFORMATION PROCESSING STANDARD National Institute of Standards and Technology (NIST) Communications Security Establishment (CSE) FIPS Security Requirements for Cryptographic Modules FIPS 199 Standards for Security Categorization of Federal Information and Information Systems FIPS 200 Minimum Security Requirements for Federal Information and Information Systems 10

11 CESG - COMMUNICATIONS-ELECTRONICS SECURITY GROUP Information Security arm of GCHQ The National Technical Authority for Information Assurance Central government Health Industry Law enforcement Local government MOD Certification for Products, Systems, Services, People, Education and Training, Organisations Secure by Default program Secure by default platforms Sensitive data on consumer platforms 11

12 ISO ISO/IEC Overview and vocabulary ISO/IEC Requirements ISO/IEC Code of practice for information security controls ISO/IEC Risk management ISO/IEC Implementation guidance ISO/IEC Governance of information security ISO/IEC Guidelines for financial services ISO/IEC Guidelines for cybersecurity ISO/IEC Network security ISO/IEC Application security ISO/IEC Digital evidence investigation principles and processes 12

13 COMPLIANCE VS SECURITY Security Compliance 13

14 CHALLENGES Hearts and minds Tension between requirements Multiple deployment platforms cloud / on premise Complexity Component Integration 3 rd Party software Interpretation of Non Functional Requirements e.g. "At rest" Client capability Moving target Software security is only the start. 14

15 SECURITY VS PERFORMANCE REQUIREMENTS Data at rest encryption Data on the wire encryption Entity level access controls for soft model database Comprehensive event auditing Tamper resistant auditing Sub system authentication Architectural decisions Caching Data access and shaping of result sets Ad-hoc query & free text search NoSQL 15

16 SECURITY VS USABILITY REQUIREMENTS Password policies Aggressive session timeouts Bell LaPadula(BLP) model ACLs vs RBAC Management at scale Comprehensive event auditing Tamper resistant auditing Repeated credentials verification Complexity of deployment Complexity of operational procedures 16

17 FIPS CHALLENGES "On the wire" and "at rest" encryption Storage engine plugin in C/C++ Multiplatform *nix & Windows algorithm selection & implementation All roads lead to OpenSSL FIPS_mode_set() API options Performance impact Startup POST Throughput Source code distribution 17

18 FIPS UNEXPECTED CHALLENGES "It worked on my PC" :22:31,454 [5] ERROR xxxx.membershipprovider - System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. - --> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.MD5CryptoServiceProvider..ctor() --- End of inner exception stack trace --- "Breaking backward compatibility would be bad" // Create a new instance of the MD5CryptoServiceProvider object. var md5hasher = MD5.Create(); // Convert the input string to a byte array and compute the hash. var data = md5hasher.computehash(encoding.default.getbytes(input)); 18

19 3 RD PARTY PRODUCTS Greater dependency on 3 rd party products Productivity Not core Time to market Better than we can do Risks Who makes this product? Do we trust them? Does it have any vulnerabilities? Dependencies on other products? Will it be kept current? Examples Reporting Software SFTP 19

20 OVERCOMING THE CHALLENGES Understand your risks Attackers (Who, Motives, Methods ) Threat Model Security Principles Guide our design / architecture Guide our development and testing Security Practices Repeatable practices to reduce introduction of security vulnerabilities Based on good practice Based on lessons learned Good Advice 20

21 ATTACKERS Internal - Staff members Developers, testers, contractors, help desk, network operations Associated Organisations - Staff members Professional services, hosting providers, client staff External Hacktivists Government sponsored Ex staff members Wynyard's Competitors Wynyard's Clients' Competitors Organised Crime Groups 21

22 THREATS - STRIDE Spoofing Impersonating something or someone else. Tampering Modifying data or code Repudiation Claiming to have not performed an action Information Disclosure Exposing information to someone not authorized to see it Denial of Service Deny or degrade service to users Elevation of Privilege Gain capabilities without proper authorization 22

23 SECURITY PRINCIPLES Our Principles Defence in Depth Secure by Default No Backdoors Keep it Simple Fail Secure Trust no input Quality Least privilege Everyone is responsible for security 23

24 SECURITY PRINCIPLES - OWASP A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards 24

25 SECURITY PRINCIPLES DEFENCE IN DEPTH HTTP Headers Encryption Least Privilege Data Access Authorization Authorization Authentication Configuration Infrastructure 25

26 SECURITY PRACTICES Mandatory Design and Code Reviews Check lists Mine the issue tracking system Teachable moments Audit trail Prebugging Implementation Practices Engineering Professional services Customer operations SOUP Software of Unknown Provenance Training External Assessment 26

27 SECURITY PRACTICES - CODE REVIEWS Not just SQL Injection attacks Little used legacy configuration Discovered in review // Get the connection string details from the data context. var connectionstring = string.format("data Source={0};Initial Catalog={1};uid={2};pwd={3}", _context.connection.datasource, _context.connection.database, username, password); try { using (var connection = new SqlConnection(connectionString)) { connection.open(); return connection.state == ConnectionState.Open } } 27

28 SECURITY PRACTICES - CODE REVIEWS Complex "Swiss army knife API" for user maintenance Discovered in a "Fiddler" review Backward compatibility requirement made it worse Refactor into several new "single responsibility" methods public class UserProxy... /// <summary> /// The Password of the user. /// NOTE: Should only be used for setting the Password and never read out and emmitted /// </summary> [DataMember(EmitDefaultValue = false)] public String Password { get; set; } 28

29 SECURITY PRACTICES - REVIEWS Not just application source code Components for other teams, build process and Installation scripts Legacy ODBC reporting solution "borrowed" from another team Windows Service Client side component 600+ C/C++ files OPENSSL not updated #define OPENSSL_VERSION_NUMBER 0x fL static const char rnd_seed[] = "Robbie"; Scope for Heartbleed & Reverse Heartbleed Retired and removed from installation 29

30 SECURITY PRACTICES - SOUP PROCESS SOUP = Software Of Unknown Provenance What we look for: Licensing Pricing Quality Documentation Community Support Risk Compliance Vulnerability Monitoring 30

31 IMPACT OF COMPLIANCE ON OUR ARCHITECTURE Complexity Requirements Development Component selection Testing Release process Glass s Law; For every 25% increase in problem complexity, there is a 100% increase in solution complexity Implementation Usability Performance Encryption of data Dataset trimming Support 31

32 FINAL THOUGHTS Consider security as a first class citizen in your product architecture Understand your risks and how you will deal with them Mitigation, Acceptance? Understand your technology, frameworks and components 3 rd Party components? Understand your current and possible compliance requirements Get advice Security testing, consulting, training Security is a moving target semper vigilant Complexity is the enemy of security Prepare for when you have a breach 32

33 FINAL THOUGHTS Defenders have to close every door. Attackers only have to find one that s ajar. It s an unfair fight. (Michael Wallmansberger Wynyard CISO) 33

34 34