This document discusses designing secure infrastructure for high-growth products. It covers security in product design, identifying attack surfaces and common vectors. It also discusses security in infrastructure design with layers of perimeter defense, OS and server protection and information protection. Applied cybersecurity examples show how to implement web application firewalls and block malicious traffic with open source tools at minimal cost and CPU usage while maintaining high performance.

1. Designing Secure Infrastructure
for high-growth product
Rabu, 09 Agustus 2017

2. Rendra Perdana
Head Infrastructure & Security
Principal Engineer
#indonesiaBangga

3. 3
Current Cybersecurity Landscape
Security In Product Design
Security In Infrastructure Design
Applied Cybersecurity In Action
Agenda

4. 4
Security In Product Design
Security and UX

5. 5
Security In Product Design
Security and UX
Security is shared responsibility
So how product team can help ?

6. 6
Security In Product Design
Security and UX
Security can't be separated from product design.
Thus security is built-in function, not bolt-on.

7. 7
Security In Product Design
Security and UX
Identify the "sugar" Identify attack surface

8. 8
Security In Product Design
Security and UX Identify the "sugar"
What can be stealed ?
digital wallet, stored CVV, user profile
What can be abused ?
Voucher code, Checkout loophole

9. 9
Security In Product Design
Security and UX
What can be stealed ?
Digital wallet - verification on withdrawal
Stored CVV - provides option to remove remembered card
User profile - hide from public, notification-on-change
Identify the "sugar"

10. 10
Security In Product Design
Security and UX
What can be abused ?
Trivial voucher code, make it complex, enforce rules
Checkout loophole - item on cart valid for given voucher ?
Clear and easy-to-find Terms & Conditions are important
Identify the "sugar"

11. 11
Security and UX
Common Attack Vector
Login / Signup Page
Forget Password
Uneven security implementation
Identify Attack Surface
Security In Product Design

12. 12
Security and UX
Login Page
Password Policy Captcha
Security In Product Design
Identify Attack Surface

13. 13
Security and UX
Sign Up Page
Should we allow temporary emails
or unusual country domain?
Encourage SSO login
Security In Product Design
Identify Attack Surface

14. 14
Security and UX
Forget Password Method:
Reset Password Link
Short lifespan (max. 24h)
One-time useUnique & Random
Token have at least 64 chars
https://(domainname)/click?upn=plcsQfOjjLd9LuiKK6o3B15uVuUSrfoDqpg00N...
Security In Product Design
Identify Attack Surface

15. 15
Security and UX
Uneven Security Implementation
Web desktop/mobile login
with 2FA (two-factor authentication)
Security In Product Design
Identify Attack Surface

16. 16
Security and UX
Uneven Security Implementation
Mobile Apps login
without 2FA (two-factor authentication)
Security In Product Design
Identify Attack Surface

17. 17
Current Cybersecurity Landscape
Attack Vector Metrics
Let's go [tech]nical

18. 18
Current Cybersecurity Landscape
Current Attack Vector Metrics
Cybersecurity in E-Commerce

19. 19
Current Cybersecurity Landscape
Cybersecurity in E-Commerce
Challenges
New business model
No / Relaxed regulation
Manpower scarcity
Pressure of high-growth

20. 20
Current Cybersecurity Landscape
Attack Vector Metrics
L7 Attack

21. 21
Current Cybersecurity Landscape
Attack Vector Metrics
91%
5%
4%
Desktop Mobile API

22. 22
Current Cybersecurity Landscape
Attack Vector Metrics
99%
1%
403 Response IP Blocking

23. 23
Current Cybersecurity Landscape
Attack Vector Metrics
52%
28%
20%
SQL Injection XSS Others (OS/Server Exploit)

24. 24
Current Cybersecurity Landscape
Attack Vector Metrics
L3-L6 Attack

25. 25
Current Cybersecurity Landscape
Attack Vector Metrics
5.037.802
Packet blocked when maliciously accessing
mataharimall.com environment platform

26. 26
Current Cybersecurity Landscape
Attack Vector Metrics
12.618.000
Packet blocked from blacklisted IP's
(Known botnet, DNSBL, internal blacklisting, etc)

27. 27
Current Cybersecurity Landscape
Attack Vector Metrics
DDOS
Distributed Denial-of-Service

28. 28
Current Cybersecurity Landscape
Attack Vector Metrics
Volumetric

29. 29
Current Cybersecurity Landscape
Attack Vector Metrics
Application

30. 30
Current Cybersecurity Landscape
Attack Vector Metrics
99.43%
0.57%
Volumetric Application

31. 31
Security In Infrastructure Design
Performance
Security

32. 32
Security In Infrastructure Design
C I A
Confidentiality. Integrity. Availability.
Security

33. 33
Security In Infrastructure Design
Perimeter Defense
OS and Servers Protection
Host Protection
Information Protection
4 Layers of Security
(defense in-depth)
Security

34. 34
Security
Security In Infrastructure Design
Perimeter Defense
Understand your perimeter
1. Setup remote probe
2. List all public ip and scan them regularly
3. Investigate any changes
"See how public sees you"
https://github.com/nccgroup/port-scan-automation

35. 35
Security
Security In Infrastructure Design
Perimeter Defense
Understand your services
1. Limit visible open port from public
2. Beware of legacy services
3. Investigate any changes
"Understand what you serve"

36. 36
Security
Security In Infrastructure Design
Once upon a time...
There's pwnage
Perimeter Defense

37. 37
Security
Security In Infrastructure Design
Case Studies
Complete pwnage
NMAP -T0 -sS -sV -O -A -p1-65535 (target)

38. 38
Security
Security In Infrastructure Design
Case Studies
Complete pwnage

39. 39
Security
Security In Infrastructure Design
Case Studies
Complete pwnage

40. 40
Security
Security In Infrastructure Design
Case Studies
Complete pwnage

41. 41
Security
Security In Infrastructure Design
Case Studies
Complete pwnage

42. 42
Security
Security In Infrastructure Design
OS and Servers Protection
Staging Functional Test
Performance Test
Monitor - Rollback
Canary
Production
Patch Considerations

43. 43
Security
Security In Infrastructure Design
OS and Servers Protection
Once upon a time...
There's pwnage

44. 44
Security
Security In Infrastructure Design
Case Studies
Serverppop0 0pP p`pp0Pp!mp0pollaboration ServerWPoMG4;gx5U2>1/H@>U@Os`o
ap@o0!ipWkRproute:proto=imapssl;user=wiraxxx@xxxco.id192.168.1.67:7993n.a9/PWp0p2C(nppRkapDpPp
!qppppppp*p0pzM192.168.1.67__infraware-p-email__7 LOGIN {30}wira136P0@o0o1oo00oollaboration Serverdoppp@0mAp
Heartbleed... on BANK !

45. 45
Security
Security In Infrastructure Design
Host Protections
1. List of accounts and ACL to access prod
2. Setup immutable logging (auditd)
3. Create documentation and changelog
4. Sent logs to SIEM to analyze abnormal activities
Access Control
"Be in control about who can get in and watchful on what they do"

46. 46
Security Information Protection
Platform
DDOS Protection
Layer
Infrastructure Protection
Layer
Application Protection
Layer
DLP
Security In Infrastructure Design

47. 47
Security Information Protection
DDOS Protection
Layer
Security In Infrastructure Design
On cloud ?
Use native DDOS protection
from your cloud vendor.
On bare metal ?
Contact your ISP
Use high performance NIC
Use auto IRQ assignment

48. 48
Applied Cybersecurity In Action
Security
On standard setup:
1500+ https request per second per cpu core

49. 49
Current Cybersecurity Landscape
Security
location / {
...
include /usr/local/.../nginx/conf/conf.d/luaphase.rules;
...
}
WAF up and running in matter of minutes for new sites.
New attack? Integrate new rules within minutes.

50. 50
Current Cybersecurity Landscape
0
Number of Security Appliances
0
Cost for proprietary devices
Security

51. 51
Current Cybersecurity Landscape
3,000+
Firewall Rules
Security

52. 52
Current Cybersecurity Landscape
6,000,000+
Total IP Blocked
Security

53. 53
Current Cybersecurity Landscape
2%
CPU Usage
Security

54. 54
Current Cybersecurity Landscape
Security
https://github.com/firehol/blocklist-ipsets
https://github.com/openresty/openresty

55. 55
Current Cybersecurity Landscape
Performance
Performance

56. 56
Current Cybersecurity Landscape
Performance
CAP Theorem
Consistency. Availability. Partitioning.

57. 57
Current Cybersecurity Landscape
Performance
Load Balancer
App Server
Datasource

58. Current Cybersecurity Landscape
Performance
Datasource Slave
Datasource Master
App Server App ServerApp Server
Datasource Slave

59. Current Cybersecurity Landscape
Performance
Datasource Master
App Server
Datasource Slave
App Server
Datasource Slave

60. Current Cybersecurity Landscape
Performance
App Server
Datasource Slave

61. Current Cybersecurity Landscape
Performance
How "much" is ~370 Gbps?
SOLRCache ~ 1,000,000 query per second @ 7ms latency
REDIS (TCP) ~ 100,000 GET/SET per second @ 15 ms latency
REDIS (SOCK) ~ 260,000 GET/SET per second @ 1 ms latency
Constrain is on CPU

62. Current Cybersecurity Landscape
Performance
Last but not least:
MONITOR
Machine Metrics (trends and estimates)
App Runtime Metrics (what error and how much)
ALERTING
Setup 2-stage threshold (warning - error)
Hint: Telegram is faster and more practical than SMS

63. 63