In this talk, we'll cover the costs and risks of a data breach, plus the dangers of insider threat and shared database credentials. We'll also discuss what you can do about it: the pros, cons, and lingering risks of secrets managers (the “secret zero” problem), plus a review of a new approach, passwordless database authentication.
A History

The Breach              The Root Cause
2013: Edward Snowden    An insider
2014: Home Depot        Malware
2017: Equifax           Hackers
2018: Facebook          Hackers
2019: Capital One       Insider at AWS
Let’s Prevent Some Breaches
• Make passwords hard to get
• Then make passwords die
• Then make passwords impossible to get
• Then figure it out if there’s a data breach happening anyways
Common Approaches
Pros
• Easy
• Cheap up front
• Instant access to passwords
Cons
• Too easy
• If breached, cost savings will be lost
• No tracking who’s viewed things
• Service must be offlined for password rotation
• Password leak means many instances and services offlined for password rotation
Observability
• Cloudwatch - woo!
• But what if the password was leaked?
A Platform-Specific Secrets Manager
Pros
• Easy-ish
• Can use built-in identity
• Some automated password rotation
• More auditable
• Pay-as-you-go
Cons
• Another company has your secrets
• Password rotation isn’t easy
• Pay-as-you-go
A Cross-Platform Secrets Manager
Pros
• Cross-platform
• Can still use built-in identity
• Secrets only inside your company
• Encryption-as-a-service
Cons
• Self deploy
• Can be more complex
• Opaque pricing
Updating Our Code
import json
import requests
from psycopg2 import connect

# Vault server used in the demo (plain HTTP, no TLS, only because this is the lab setup)
vault = 'ec2-54-197-47-181.compute-1.amazonaws.com'

# 1. Log in to Vault's userpass backend with a personal password to obtain a client token
as_json = json.dumps({"password": "personalpassword"})
response = requests.post("http://" + vault + ":8080/v1/auth/userpass/login/student", data=as_json)
resp_json = json.loads(response.content)
token = resp_json['auth']['client_token']

# 2. Ask the database secrets engine for a fresh, short-lived set of credentials for my-role
response = requests.get("http://" + vault + ":8080/v1/database/creds/my-role", headers={'X-Vault-Token': token})
resp_json = json.loads(response.content)
username = resp_json['data']['username']
password = resp_json['data']['password']
# this changes every time you call the my-role endpoint! run this script twice!
print('username: ' + username + ', password: ' + password)

# 3. Connect to Postgres with the ephemeral username and password
conn_str = 'host=ec2-34-229-136-247.compute-1.amazonaws.com port=8080 dbname=dash user=' + username + ' password=' + password
conn = connect(conn_str)
cur = conn.cursor()
cur.execute("SELECT name FROM users WHERE ID=8364;")
print(cur.fetchone())
Observability
• Application logs
• Audit logs
• >100 performance-oriented metrics
• Identity system helps with attribution
Cross-Platform + Secret Rotation
Pros
• Easy automated password rotation
• The main approach is ephemeral usernames and passwords
Cons
• Attribution can be difficult
• Modern logging frameworks log faster than a username and password can disappear
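The last con above is worth a concrete defence: an ephemeral password is only ephemeral if it never lands in a log line. The following is an added example, not code from the talk or from Vault: a logging filter that scrubs credential values in the shapes they usually take (libpq connection strings, JSON bodies, Vault token headers) before any handler writes them. The patterns and the sample lines are constructed for this example.

```python
import logging
import re

# Credential shapes that show up in log lines (constructed for this example):
# libpq connection strings, JSON bodies, and Vault token headers.
# Each pattern captures the key and replaces only the value.
_SECRET_PATTERNS = [
    # libpq keyword/value form:  password=abc123  or  password='a b c'
    re.compile(r"(?i)(password\s*=\s*)(?:'[^']*'|\S+)"),
    # JSON form:  "password": "abc123"  or  "client_token": "s.xyz"
    re.compile(r'(?i)("(?:password|client_token)"\s*:\s*")[^"]*(")'),
    # Header form:  X-Vault-Token: s.xyz
    re.compile(r"(?i)(X-Vault-Token:\s*)\S+"),
]

REDACTED = "[REDACTED]"


def redact(text):
    """Return text with credential values replaced and their keys left intact."""
    for pattern in _SECRET_PATTERNS:
        if pattern.groups == 2:
            text = pattern.sub(r"\g<1>" + REDACTED + r"\g<2>", text)
        else:
            text = pattern.sub(r"\g<1>" + REDACTED, text)
    return text


class RedactSecretsFilter(logging.Filter):
    """Scrubs the rendered message before the handler formats it.

    Attach it to a handler, not a logger: handler filters run for every record the
    handler sees, including records propagated from child loggers, while logger-level
    filters only apply to records logged directly on that logger.
    """

    def filter(self, record):
        # Render the message the way the handler would, scrub it, and drop the args
        # so no handler can format the secret back in
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def install(handler):
    """Attach the redaction filter to a handler."""
    handler.addFilter(RedactSecretsFilter())


def scrub_record_message(msg, *args):
    """Build a LogRecord the way logging does, run the filter, return the final text."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, msg, args, None)
    RedactSecretsFilter().filter(record)
    return record.getMessage()


def demo_lines():
    """Constructed sample lines of the kind an app emits while fetching and using ephemeral credentials."""
    return [
        "connecting with host=db.example.internal dbname=dash user=v-my-role-abc12 password=A1b2C3d4E5",
        'vault login ok: {"auth": {"client_token": "s.AbCdEf123456"}}',
        "GET /v1/database/creds/my-role X-Vault-Token: s.AbCdEf123456",
    ]


if __name__ == "__main__":
    handler = logging.StreamHandler()
    install(handler)
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s", handlers=[handler])
    for line in demo_lines():
        logging.info(line)
```

Redaction is a backstop, not the primary control: keep secrets out of connection strings and request bodies that get logged in the first place, and treat any hit on these patterns as a finding about the code path that produced it.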
Updating Our Code
from approzium import AuthClient
from approzium.psycopg2 import connect

# The authenticator service holds the database password; the application never sees it.
# TLS is disabled here only because this is the demo environment.
auth = AuthClient('54.160.35.66:8080', disable_tls=True)

# No password in the connection string: the SDK proves the instance's identity to the
# authenticator, which answers the database's challenge on the application's behalf
conn = connect('host=52.5.163.43 port=8080 dbname=dash user=student', authenticator=auth)
cur = conn.cursor()
cur.execute("SELECT name FROM users WHERE ID=8364;")
print(cur.fetchone())
Observability
• Explicitly security-oriented logs
  • Identity logged at INFO level
  • Suspicious activity logged at WARN level
• Explicitly security-oriented metrics
  • DOS
  • Fuzzing
  • Impersonation
  • Replay attacks
  • Sniffing
Password-less Authentication
Pros
• Can use built-in identity
• Pick your secrets manager
• The main approach is unleakable passwords
• Security-oriented observability at the forefront
• SDK
• Free extra layer to add
Cons
• Self deploy
• Can be more complex
• Dynamic secrets not yet supported
Scenario: Hackers
• Your company has a portal that people log into.
• You run it using a framework like Apache Struts, the Spring framework, Django, React, etc.
• A serious vulnerability is announced.
• An unauthenticated remote attacker begins exploiting the vulnerability by executing malicious code on affected instances (or containers).
• One of their first actions is planting a script on every instance (or container) that is executed every hour by a cron job, and all it does is call out to somewhere to get arbitrary code, and it executes it.
• You install a patch or update to resolve the vulnerability.
Scenario: Hackers
The hacker snoops around on your instance and finds a configuration file like this:
APPROZIUM_URL=ec2-100-26-168-97.compute-1.amazonaws.com
APPROZIUM_PORT=8080
PG_URL=ec2-34-229-136-247.compute-1.amazonaws.com
PG_PORT=8080
PG_DB_NAME=dash
PG_USER_NAME=student
They Make Code Just Like Yours!!!
from approzium import AuthClient
from approzium.psycopg2 import connect

# Same SDK, same authenticator, same instance identity: a script the attacker runs on the
# compromised instance looks exactly like the application to the authenticator, so it is
# granted the same database access. This is why the observability layer matters.
auth = AuthClient('54.160.35.66:8080', disable_tls=True)
conn = connect('host=52.5.163.43 port=8080 dbname=dash user=student', authenticator=auth)
cur = conn.cursor()
cur.execute("SELECT * FROM pg_catalog.pg_tables WHERE schemaname != 'pg_catalog' AND schemaname != 'information_schema';")
cur.execute("SELECT * FROM users;")
print(cur.fetchone())
Yo, the database said to hash the pass with “efgh”, what’s the challenge response?
Yo, the database said to hash the pass with “ijkl”, what’s the challenge response?
Strategies
You Should
• Provide a way for employees to share secret information securely
• Consider giving short-lived passwords
• Give the minimum access needed to perform a job
• Set minimum password complexity levels
• Include your whole organization
• Encrypt data at rest
Defense in Depth
Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited.