Embed Size (px)
Citation preview
The Security Mindset and Social Learning
Franco Antico, Software ArchitectBlackboard
ABOUT ME
Franco AnticoSoftware [email protected]
I am a software architect on the Bb Learn security team.
WHAT WE ARE GOING TO LEARN TODAY
Security mindset, approaches and best practices
Bb security operations around Social Learning and the Blackboard Cloud
Enable the Blackboard Cloud with confidence
SECURITY MINDSET
What is the security mindset?
Why does it matter?
What practices are the most effective at securing applications and services we use daily?
SECURITY MINDSET: A PERSPECTIVE
The security mindset is a way of looking at the operation of a system.
It’s a matter of perspective that starts by asking and answering security questions:
How does an attacker see our system/service/processes/etc.? What do they see? (attack surface)
How do we secure our system in response?
SECURITY MINDSET: A PERSPECTIVE
Security issues don’t tend to be random.
Both an attacker’s intent and opportunity shape the most likely exploits.
The safeguards and protections we implement shouldn’t be random either.
These Countermeasures should match the real threat level.
SECURITY MINDSET:WHY IT MATTERS
The world waits for no one. What was secure today may not be secure tomorrow.
Technology changes, some of this is trendy, some is here to stay and represents a new model, a new way of doing things; e.g., Social Media
A process that promotes continual evaluation, learning and evolution of the security posture is the best bet to manage this change.
SECURITY MINDSET: APPROACHES
How can we apply the security mindset in practice?
Security Assessments provide a great vehicle to evaluate the security of a system in a comprehensive way fueled by the security mindset. Each assessment is a project with defined triggers, inputs, deliverables and is part of the SDLC.
The assessment’s goal is to provide actionable security recommendations based on sound and consistent analysis.
SECURITY ASSESSMENTS
Establish the scope of the assessment
Selection of Evaluation Level• Basic: Lower Risk
• Moderate: Medium Risk
• Rigorous: High Risk (e.g., new integrations)
Evaluation Level drives scope and deliverables
SECURITY ASSESSMENTS
Security Assessments have two main components: • Analytic Reviews (Design and Code)• Penetration Testing and Static Analysis
The assessment can proceed with a high degree of parallelism. Each component breaks down to largely independent tasks.
We will focus today on the Analytic items
SECURITY ASSESSMENTS
Threat Modeling is the central analytic process of the assessment.
Threat Modeling provides an effective means to identify, measure and manage security risk. The threat modeling process pairs identified threats with countermeasure recommendations.
The countermeasure aspect is what closes the loop on threat-vulnerability pair and makes the threat model actionable.
THREAT MODELING
Purpose: To analyze the security risks for a given system or entity from a number of perspectives.
Threat Model: An Analytic Flow• Identify Assets and Actors• Modeling Methodologies: MS STRIDE, DREAD• Modeling Knowledge Bases: OWASP, CSA, ENISA, NIST• Identify Key Architecture Characteristics (e.g., APIs)• Attack Surface Analysis (e.g., System Integration Points)• Technology Specific Considerations (e.g., OAuth)
THREAT MODELING
Threat Model: (continued)• Diagrams
• Data Flow Diagram• Attack Tree
• Threat Library• Categorization vs. Scoring (Threat vs. Vulnerability)
• STRIDE• DREAD• CWE (Common Weakness Enumeration)• CVSS (Common Vulnerability Scoring System)
THREAT MODELING: ASSETS AND ACTORS
Identify Assets and Actors
What are the actors' motivations?
What risks do well motivated actors pose to our system?
THREAT MODELING: ASSETS AND ACTORS
Asset Description
Data Any data associated with the system (e.g., student grade data.)
Reputation Reputation with customers and communities.
Infrastructure The architectural components of the system. These can be services, systems and may impact both software and hardware.
THREAT MODELING: ASSETS AND ACTORS
Actor Description
Attacker External entity with no direct connection to the system. The attacker may be a human (individual or organized group) or some autonomous entity (bot, script.)
MaliciousUser
Registered user attempting to violate terms of use or perform other inappropriate actions.
MaliciousInsider
A person who has special access to the system.
MODELING METHODOLOGIES
Microsoft STRIDE – Categorizing
S – Spoofing identity
T – Tampering with data
R – Repudiation (deny action taken)
I – Information disclosure
D – Denial of service
E – Elevation of privilege
MODELING METHODOLOGIES
DREAD– Scoring (Categorizing)
D – Damage
R – Reproducibility (involvement)
E – Exploitability (required skill)
A – Affected users
D – Discoverability Each component scored [Low, Med, High]. Higher scores are bad. Final score is average of the components.
MODELING KNOWLEDGE BASES
OWASP• Open Web Application Security Project • Countermeasure guidelines and frameworks (ESAPI)• Top 10 List (2013 List recently released)
NIST• National Institute of Standards and Technology• Cryptographic recommendations
CSA and ENISA• Cloud Security Alliance and European Network and
Information Security Agency• Cloud security
DATA FLOW DIAGRAM:THE BB SYSTEM ADMIN REGISTERS A LEARN INSTANCE WITH THE CLOUD
ATTACK TREEDIAGRAM: IMPERSONATE USER
THREAT MODEL IN ACTION
The following threat model items represent general threats facing social media and cloud integrations. These are the kinds of threats that we consider during development and test.
THREAT MODELING IN ACTION: APIS
API Threats (from Threat Library):
Threats Description
Tampering, Repudiation An attacker alters an API message either at the source, en-route or at the destination.
Attack Vectors Countermeasures
1. Message intercepted in transit.
1. API level message signature, hashing or MAC protection. Each tier that processes an API message, including routing, should add to the signature envelope. SSL alone will not guarantee message integrity for all cases: non-SSL scenarios, message tampering after SSL termination.
A.1.1 API Message Integrity
THREAT MODELING IN ACTION: APIS
API Threats (from Threat Library):
Threats Description
Tampering, Repudiation, Denial of Service
An attacker intercepts an API message and retransmits (replays) the message at a later time to compromise the system.
Attack Vectors Countermeasures
1. Message intercepted and replayed. Attacker captures a wall post message and replays the message in an effort to crash the system or impair performance.
1. Include a one-time nonce with each API message. Note, the nonce can be included in the API signature referenced in A.1.1.
A.1.2 API Message Misuse
THREAT MODELING IN ACTION: APIS
API Threats (from Threat Library):
Threats Description
Repudiation, Denial of Service An attacker or malicious executes a well timed Denial of Service attack in an attempt to compromise a given user's profile.
Attack Vectors Countermeasures
1. Attacker launches large scale flood of API messages targeting the API infrastructure, user's profile left in unknown state, potentially locking user out of profile.
1. Ensure API message resilience where the system can recover from messages lost in transit.
A.1.5 API Resilience
THREAT MODELING IN ACTION: SOCIAL MEDIA
Social Media Threats (from Threat Library):
Threats Description
Spoofing, Information Disclosure An external attacker compromises a user's Twitter/FB account and subsequently launches an attack attempting to exploit social learn users.
Attack Vectors Countermeasures
An external attacker adds malicious JavaScript to a user's Twitter description by exploiting a vulnerability in Twitter. The attacker then launches a CSRF attack against other users in the compromised user's follower (or potential follower) list.
Any data coming from an external applications must be sanitized before processing. Moreover, as a final fallback measure, the system should escape any data (externally sourced or not) prior to display.
EI.1.2 Data Input Validation
THREAT MODELING IN ACTION: SOCIAL MEDIA
Threats Description
Spoofing, Information Disclosure, Denial of Service
1. A malicious user attempts to perform a denial of service attack on the system through an avatar upload.
2. An external attacker gains access to a student's avatar image despite the student's privacy social learn settings.
Attack Vectors Countermeasures
1. A malicious user attempts to compromise the service by uploading a 100MB avatar image either through the file upload or external social network, e.g. Twitter (assume this vector is possible via a vulnerability in Twitter.) A variation of this vector could be embedding malicious code in a standard sized avatar with the goal of distributing the attack through the browser's rendering of the image. Potential attacks include attempting to exploit jpeg buffer overflow or ICC profile corruption vulnerabilities.
1. Implement a server-side check on the avatar size: reject any avatar image that is suspiciously large. Also, to address a potential "evil" avatar image, use a security vetted image toolkit to load and validate the avatar.
2. Provide authorization controls that guard the delivery of the avatar. Tie the avatar ACL to the profile privacy settings, i.e., only allow an open avatar for public privacy scenarios. The scope of public should address the visibility of avatars and other data are public: any legitimate user can view the avatar/data vs. any one on the internet can view the data.
EI.1.4 Avatar Security
THREAT MODELING IN ACTION: CLOUD
Cloud Threats (from Threat Library):
Threats Description
Spoofing, Repudiation, Information Disclosure
An attacker or malicious user is able to impersonate a user through via their session id even after logout.
Attack Vectors Countermeasures
1. Using the browser's history and attacker discovers a user's session and gains access to the system as that user.
1. Ensure that logout invalidates all relevant cross-system sessions in as synchronous a manner as possible.
S.1.2 Cross System Logout
SOCIAL MEDIA TECHNOLOGY:OAUTH
OAuth: a standard for granting authorization across platforms and content delivery modalities
OAuth: protects passwords by providing an API for authorizing API access
OAuth is a reality of social media. Developers leverage OAuth because that is what the service providers implement (FB, Twitter, etc.)
SOCIAL MEDIA TECHNOLOGY:OAUTH
Key OAuth roles:
Resource Owner (or End User)• Someone with a Facebook account (identity, credentials)
Resource Server • Facebook service itself
Client • Facebook App
SOCIAL MEDIA TECHNOLOGY:OAUTH
OAuth is flow based: Two-Legged vs. Three-Legged. Here is diagram from Google Apps Marketplace that shows the gist of an OAuth 2.0 Three-Legged flow that is most applicable to social media:
http://www.google.com/support/enterprise/static/gapps/art/admin/en/cpanel/3-legged-oauth-diagram.png
Resource Owner (End User) UserResource Server GoogleClient Web application
OAUTH TAKEAWAYS
What to look for:
• Transparency of data usage
• Support of opt-in model
• Ability to turn integrations on and off
BLACKBOARD CLOUD
Are folks familiar with the Blackboard Cloud?
Anyone have the Bb Cloud enabled currently?
BLACKBOARD CLOUD
What is the Blackboard cloud?
Why should I turn on the Cloud?
How do I turn on the Cloud?
WHAT IS THE BLACKBOARD CLOUD
The Blackboard Cloud is a platform for delivering new capabilities and extensions to Learn.
Blackboard manages the Cloud.
The new cloud-based capabilities are optional, and require activation by an administrator.
WHAT IS THE BLACKBOARD CLOUD
The Cloud consists of three feature sets:
Blackboard Cloud Services• Software Updates, Inline Assignment Grading and
enhanced tools to foster Social Learning.
Cloud Profiles & Tools• basic Profiles (called Profile Cards), the People tool,
and enhancements to the Posts tool
Social Profiles & Tools• full Profiles, Spaces, Messages, and enhancements
to Profile Cards, People tool, and the Posts tool
WHY SHOULD I TURN ON THE CLOUD?
• More Rapid Innovation & Responsiveness
• Scalability with Less Cost to You
• Future Cross-institution / Global capabilities
• Enhanced Educational Experience
• It’s Secure, provides Privacy Control (Cloud Profile private by default) and Transparency of Data Usage
SOCIAL MEDIA DATA USAGE TRANSPARENCY
Bb Cloud usage of Twitter and Facebook user data:
Facebook/Twitter: profile picture (avatar), “about me” text (description)
Facebook only: Facebook specific email address
https://help.blackboard.com/en-us/Cloud/Cloud_Management/Administrator/Cloud_FAQ(Under Are there Facebook and Twitter integrations with a user profile?)
HOW DO I TURN ON THE CLOUD
Enabling the cloud goes in a certain order. This is like activating different layers in an architecture. The feature sets build on one another.
1.Blackboard Cloud Services
2.Cloud Profiles & Tools
3.Social Profiles & Tools
Cloud Profiles and Social Learning Tools are NOT automatically enabled once the Blackboard Cloud is enabled.
TURNING ON BLACKBOARD CLOUD SERVICES
Administrator Panel, under Cloud Management, click Cloud Connector.
TURNING ON BLACKBOARD CLOUD SERVICES
Set the External URL of your Learn instance, a Description and the Instance Type:
ENABLING CLOUD PROFILES AND TOOLS
On the Administrator Panel, under Cloud Management, click Cloud Profiles and Tools.
ENABLING CLOUD PROFILES AND TOOLS
The cloud tools are off by default:
ENABLING CLOUD PROFILES AND TOOLS
We can then turn them on:
ENABLING CLOUD PROFILES AND TOOLS
Same thing for the Cloud Tools (can also turn on Twitter and FB):
ENABLING SOCIAL PROFILES AND TOOLS
With Cloud Profiles and Tools On, go Administrator Panel, under Cloud Management, click Cloud Profiles and Tools to find:
ENABLING SOCIAL PROFILES AND TOOLS
After you click On, you can manage the Social Settings:
ENABLING SOCIAL PROFILES AND TOOLS
Here is what things will look after you enable the entire Cloud:
ENABLING THE CLOUD
More details @ help.blackboard.com:
https://help.blackboard.com/en-us/Cloud/Cloud_Management/Administrator
Under Cloud FAQs and Cloud Management
(Licensing, Firewall implications, setting specifics, etc.)
DO THIS NEXT
Turn on the Blackboard Cloud with confidence:
• Blackboard Cloud Services
• Cloud Profiles and Tools
• Social Profiles and Tools
REFERENCES AND ADDITIONAL INFORMATION
STRIDE and DREAD: • http://msdn.microsoft.com/en-us/library/ff648644.aspx’
OWASP: • https://www.owasp.org/• Latest Top-10 List:
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
NIST: • http://www.nist.gov/information-technology-portal.cfm
REFERENCES AND ADDITIONAL INFORMATION
FISMA: • http://csrc.nist.gov/groups/SMA/fisma/index.html
CSA: • https://cloudsecurityalliance.org/
ENISA: • http://www.enisa.europa.eu/
REFERENCES AND ADDITIONAL INFORMATION
Data Flow Diagrams: • http://en.wikipedia.org/wiki/Data_flow_diagram• Visio tool: http://www.microsoft.com/security/sdl/adopt/
threatmodeling.aspx
Attack Trees: • http://en.wikipedia.org/wiki/Attack_tree• http://www.schneier.com/paper-attacktrees-ddj-ft.html
OAuth:• http://oauth.net/
REFERENCES AND ADDITIONAL INFORMATION
Google Apps Marketplace:• http://support.google.com/a/bin/answer.py?hl=en&ans
wer=2538798
CVSSv2 Calculator:• http://nvd.nist.gov/cvss.cfm?calculator&version=2
CWE• http://cwe.mitre.org/
