The security mindset securing social media integrations and social learning for blackboard learn


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The security mindset securing social media integrations and social learning for blackboard learn

  1. 1. The Security Mindset and Social Learning Franco Antico, Software Architect Blackboard
  2. 2. ABOUT ME Franco Antico Software Architect Blackboard I am a software architect on the Bb Learn security team.
  3. 3. WHAT WE ARE GOING TO LEARN TODAY Security mindset, approaches and best practices Bb security operations around Social Learning and the Blackboard Cloud Enable the Blackboard Cloud with confidence
  4. 4. SECURITY MINDSET What is the security mindset? Why does it matter? What practices are the most effective at securing applications and services we use daily?
  5. 5. SECURITY MINDSET: A PERSPECTIVE The security mindset is a way of looking at the operation of a system. It’s a matter of perspective that starts by asking and answering security questions: How does an attacker see our system/service/processes/etc.? What do they see? (attack surface) How do we secure our system in response?
  6. 6. SECURITY MINDSET: A PERSPECTIVE Security issues don’t tend to be random. Both an attacker’s intent and opportunity shape the most likely exploits. The safeguards and protections we implement shouldn’t be random either. These Countermeasures should match the real threat level.
  7. 7. SECURITY MINDSET: WHY IT MATTERS The world waits for no one. What was secure today may not be secure tomorrow. Technology changes, some of this is trendy, some is here to stay and represents a new model, a new way of doing things; e.g., Social Media A process that promotes continual evaluation, learning and evolution of the security posture is the best bet to manage this change.
  8. 8. SECURITY MINDSET: APPROACHES How can we apply the security mindset in practice? Security Assessments provide a great vehicle to evaluate the security of a system in a comprehensive way fueled by the security mindset. Each assessment is a project with defined triggers, inputs, deliverables and is part of the SDLC. The assessment’s goal is to provide actionable security recommendations based on sound and consistent analysis.
  9. 9. SECURITY ASSESSMENTS Establish the scope of the assessment Selection of Evaluation Level • Basic: Lower Risk • Moderate: Medium Risk • Rigorous: High Risk (e.g., new integrations) Evaluation Level drives scope and deliverables
  10. 10. SECURITY ASSESSMENTS Security Assessments have two main components: • Analytic Reviews (Design and Code) • Penetration Testing and Static Analysis The assessment can proceed with a high degree of parallelism. Each component breaks down to largely independent tasks. We will focus today on the Analytic items
  11. 11. SECURITY ASSESSMENTS Threat Modeling is the central analytic process of the assessment. Threat Modeling provides an effective means to identify, measure and manage security risk. The threat modeling process pairs identified threats with countermeasure recommendations. The countermeasure aspect is what closes the loop on threat-vulnerability pair and makes the threat model actionable.
  12. 12. THREAT MODELING Purpose: To analyze the security risks for a given system or entity from a number of perspectives. Threat Model: An Analytic Flow • Identify Assets and Actors • Modeling Methodologies: MS STRIDE, DREAD • Modeling Knowledge Bases: OWASP, CSA, ENISA, NIST • Identify Key Architecture Characteristics (e.g., APIs) • Attack Surface Analysis (e.g., System Integration Points) • Technology Specific Considerations (e.g., OAuth)
  13. 13. THREAT MODELING Threat Model: (continued) • Diagrams • Data Flow Diagram • Attack Tree • Threat Library • Categorization vs. Scoring (Threat vs. Vulnerability) • STRIDE • DREAD • CWE (Common Weakness Enumeration) • CVSS (Common Vulnerability Scoring System)
  14. 14. THREAT MODELING: ASSETS AND ACTORS Identify Assets and Actors What are the actors' motivations? What risks do well motivated actors pose to our system?
  15. 15. THREAT MODELING: ASSETS AND ACTORS Asset Description Data Any data associated with the system (e.g., student grade data.) Reputation Reputation with customers and communities. Infrastructure The architectural components of the system. These can be services, systems and may impact both software and hardware.
  16. 16. THREAT MODELING: ASSETS AND ACTORS Actor Description Attacker External entity with no direct connection to the system. The attacker may be a human (individual or organized group) or some autonomous entity (bot, script.) Malicious User Registered user attempting to violate terms of use or perform other inappropriate actions. Malicious Insider A person who has special access to the system.
  17. 17. MODELING METHODOLOGIES Microsoft STRIDE – Categorizing S – Spoofing identity T – Tampering with data R – Repudiation (deny action taken) I – Information disclosure D – Denial of service E – Elevation of privilege
  18. 18. MODELING METHODOLOGIES DREAD– Scoring (Categorizing) D – Damage R – Reproducibility (involvement) E – Exploitability (required skill) A – Affected users D – Discoverability Each component scored [Low, Med, High]. Higher scores are bad. Final score is average of the components.
  19. 19. MODELING KNOWLEDGE BASES OWASP • Open Web Application Security Project • Countermeasure guidelines and frameworks (ESAPI) • Top 10 List (2013 List recently released) NIST • National Institute of Standards and Technology • Cryptographic recommendations CSA and ENISA • Cloud Security Alliance and European Network and Information Security Agency • Cloud security
  22. 22. THREAT MODEL IN ACTION The following threat model items represent general threats facing social media and cloud integrations. These are the kinds of threats that we consider during development and test.
  23. 23. THREAT MODELING IN ACTION: APIS API Threats (from Threat Library): Threats Description Tampering, Repudiation An attacker alters an API message either at the source, en-route or at the destination. Attack Vectors Countermeasures 1. Message intercepted in transit. 1. API level message signature, hashing or MAC protection. Each tier that processes an API message, including routing, should add to the signature envelope. SSL alone will not guarantee message integrity for all cases: non-SSL scenarios, message tampering after SSL termination. A.1.1 API Message Integrity
  24. 24. THREAT MODELING IN ACTION: APIS API Threats (from Threat Library): Threats Description Tampering, Repudiation, Denial of Service An attacker intercepts an API message and retransmits (replays) the message at a later time to compromise the system. Attack Vectors Countermeasures 1. Message intercepted and replayed. Attacker captures a wall post message and replays the message in an effort to crash the system or impair performance. 1. Include a one-time nonce with each API message. Note, the nonce can be included in the API signature referenced in A.1.1. A.1.2 API Message Misuse
  25. 25. THREAT MODELING IN ACTION: APIS API Threats (from Threat Library): Threats Description Repudiation, Denial of Service An attacker or malicious executes a well timed Denial of Service attack in an attempt to compromise a given user's profile. Attack Vectors Countermeasures 1. Attacker launches large scale flood of API messages targeting the API infrastructure, user's profile left in unknown state, potentially locking user out of profile. 1. Ensure API message resilience where the system can recover from messages lost in transit. A.1.5 API Resilience
  26. 26. THREAT MODELING IN ACTION: SOCIAL MEDIA Social Media Threats (from Threat Library): Threats Description Spoofing, Information Disclosure An external attacker compromises a user's Twitter/FB account and subsequently launches an attack attempting to exploit social learn users. Attack Vectors Countermeasures An external attacker adds malicious JavaScript to a user's Twitter description by exploiting a vulnerability in Twitter. The attacker then launches a CSRF attack against other users in the compromised user's follower (or potential follower) list. Any data coming from an external applications must be sanitized before processing. Moreover, as a final fallback measure, the system should escape any data (externally sourced or not) prior to display. EI.1.2 Data Input Validation
  27. 27. THREAT MODELING IN ACTION: SOCIAL MEDIA Threats Description Spoofing, Information Disclosure, Denial of Service 1. A malicious user attempts to perform a denial of service attack on the system through an avatar upload. 2. An external attacker gains access to a student's avatar image despite the student's privacy social learn settings. Attack Vectors Countermeasures 1. A malicious user attempts to compromise the service by uploading a 100MB avatar image either through the file upload or external social network, e.g. Twitter (assume this vector is possible via a vulnerability in Twitter.) A variation of this vector could be embedding malicious code in a standard sized avatar with the goal of distributing the attack through the browser's rendering of the image. Potential attacks include attempting to exploit jpeg buffer overflow or ICC profile corruption vulnerabilities. 1. Implement a server-side check on the avatar size: reject any avatar image that is suspiciously large. Also, to address a potential "evil" avatar image, use a security vetted image toolkit to load and validate the avatar. 2. Provide authorization controls that guard the delivery of the avatar. Tie the avatar ACL to the profile privacy settings, i.e., only allow an open avatar for public privacy scenarios. The scope of public should address the visibility of avatars and other data are public: any legitimate user can view the avatar/data vs. any one on the internet can view the data. EI.1.4 Avatar Security
  28. 28. THREAT MODELING IN ACTION: CLOUD Cloud Threats (from Threat Library): Threats Description Spoofing, Repudiation, Information Disclosure An attacker or malicious user is able to impersonate a user through via their session id even after logout. Attack Vectors Countermeasures 1. Using the browser's history and attacker discovers a user's session and gains access to the system as that user. 1. Ensure that logout invalidates all relevant cross-system sessions in as synchronous a manner as possible. S.1.2 Cross System Logout
  29. 29. SOCIAL MEDIA TECHNOLOGY: OAUTH OAuth: a standard for granting authorization across platforms and content delivery modalities OAuth: protects passwords by providing an API for authorizing API access OAuth is a reality of social media. Developers leverage OAuth because that is what the service providers implement (FB, Twitter, etc.)
  30. 30. SOCIAL MEDIA TECHNOLOGY: OAUTH Key OAuth roles: Resource Owner (or End User) • Someone with a Facebook account (identity, credentials) Resource Server • Facebook service itself Client • Facebook App
  31. 31. SOCIAL MEDIA TECHNOLOGY: OAUTH OAuth is flow based: Two-Legged vs. Three-Legged. Here is diagram from Google Apps Marketplace that shows the gist of an OAuth 2.0 Three-Legged flow that is most applicable to social media: dmin/en/cpanel/3-legged-oauth-diagram.png Resource Owner (End User)  User Resource Server  Google Client  Web application
  32. 32. OAUTH TAKEAWAYS What to look for: • Transparency of data usage • Support of opt-in model • Ability to turn integrations on and off
  33. 33. BLACKBOARD CLOUD Are folks familiar with the Blackboard Cloud? Anyone have the Bb Cloud enabled currently?
  34. 34. BLACKBOARD CLOUD What is the Blackboard cloud? Why should I turn on the Cloud? How do I turn on the Cloud?
  35. 35. WHAT IS THE BLACKBOARD CLOUD The Blackboard Cloud is a platform for delivering new capabilities and extensions to Learn. Blackboard manages the Cloud. The new cloud-based capabilities are optional, and require activation by an administrator.
  36. 36. WHAT IS THE BLACKBOARD CLOUD The Cloud consists of three feature sets: Blackboard Cloud Services • Software Updates, Inline Assignment Grading and enhanced tools to foster Social Learning. Cloud Profiles & Tools • basic Profiles (called Profile Cards), the People tool, and enhancements to the Posts tool Social Profiles & Tools • full Profiles, Spaces, Messages, and enhancements to Profile Cards, People tool, and the Posts tool
  37. 37. WHY SHOULD I TURN ON THE CLOUD? • More Rapid Innovation & Responsiveness • Scalability with Less Cost to You • Future Cross-institution / Global capabilities • Enhanced Educational Experience • It’s Secure, provides Privacy Control (Cloud Profile private by default) and Transparency of Data Usage
  38. 38. SOCIAL MEDIA DATA USAGE TRANSPARENCY Bb Cloud usage of Twitter and Facebook user data: Facebook/Twitter: profile picture (avatar), “about me” text (description) Facebook only: Facebook specific email address us/Cloud/Cloud_Management/Administrator/Cloud_FA Q (Under Are there Facebook and Twitter integrations with a user profile?)
  39. 39. HOW DO I TURN ON THE CLOUD Enabling the cloud goes in a certain order. This is like activating different layers in an architecture. The feature sets build on one another. 1.Blackboard Cloud Services 2.Cloud Profiles & Tools 3.Social Profiles & Tools Cloud Profiles and Social Learning Tools are NOT automatically enabled once the Blackboard Cloud is enabled.
  40. 40. TURNING ON BLACKBOARD CLOUD SERVICES Administrator Panel, under Cloud Management, click Cloud Connector.
  41. 41. TURNING ON BLACKBOARD CLOUD SERVICES Set the External URL of your Learn instance, a Description and the Instance Type:
  42. 42. ENABLING CLOUD PROFILES AND TOOLS On the Administrator Panel, under Cloud Management, click Cloud Profiles and Tools.
  43. 43. ENABLING CLOUD PROFILES AND TOOLS The cloud tools are off by default:
  44. 44. ENABLING CLOUD PROFILES AND TOOLS We can then turn them on:
  45. 45. ENABLING CLOUD PROFILES AND TOOLS Same thing for the Cloud Tools (can also turn on Twitter and FB):
  46. 46. ENABLING SOCIAL PROFILES AND TOOLS With Cloud Profiles and Tools On, go Administrator Panel, under Cloud Management, click Cloud Profiles and Tools to find:
  47. 47. ENABLING SOCIAL PROFILES AND TOOLS After you click On, you can manage the Social Settings:
  48. 48. ENABLING SOCIAL PROFILES AND TOOLS Here is what things will look after you enable the entire Cloud:
  49. 49. ENABLING THE CLOUD More details @ us/Cloud/Cloud_Management/Administrator Under Cloud FAQs and Cloud Management (Licensing, Firewall implications, setting specifics, etc.)
  50. 50. DO THIS NEXT Turn on the Blackboard Cloud with confidence: • Blackboard Cloud Services • Cloud Profiles and Tools • Social Profiles and Tools
  51. 51. THANK YOU! Franco Antico Software Architect Blackboard
  52. 52. REFERENCES AND ADDITIONAL INFORMATION STRIDE and DREAD: •’ OWASP: • • Latest Top-10 List: %2010%20-%202013.pdf NIST: •
  54. 54. REFERENCES AND ADDITIONAL INFORMATION Data Flow Diagrams: • • Visio tool: ng.aspx Attack Trees: • • OAuth: •
  55. 55. REFERENCES AND ADDITIONAL INFORMATION Google Apps Marketplace: • wer=2538798 CVSSv2 Calculator: • CWE •