Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Secure the Coding - ISACA Denver Chapter

advertisement 
Secure the CODE
Secure the DATA
Benjamin Stephan
Director of Incident Management
FishNet Security
www.FishNetSecurity.com
Benjamin.Stephan@FishNetSecurity.com
Agenda







Purpose
Data Storage and Risk
Analogy
Technical Details
Prevention
Threat
Questions
Purpose
 Why is secure coding and secure development such an
important issue?
 Can you read binary?
 When was the last time you used ASCII in a conversation?
 Applications are the utilities by which data is captured,
manipulated, transformed, interpreted, etc.
 Without applications, data is retained in raw formats, the
purpose and meaning of which are difficult to discern.
Purpose
 Can you read this?
 Or this?
 You might be able to recognize letters or words, but even
then, what is their purpose?
Purpose
 Applications are the means by which the “digital age”
functions. Without applications, the data is just a “1” or “0”.
 Users depend on applications to help them understand the
data.
 Why then must we secure the application?
 What does this data mean:
 “<CC_POST> 4321100000034251</CC_POST><EXP>0201</EXP>”
 “http://www.fakeurl.com?uname=john_doe&pass=let_me_in”
Purpose
 Applications are the governors of the underlying data. As
such, the security of the data is dependent on the security
of the application that governs that data.
 If the application fails to provide proper protection of the
information then the risk of compromise is significantly
increased.
 Secure the CODE
 Secure the DATA
Where is the data stored?
 Data is stored in two general formats:
 Non-volatile: Data that is stored in a format that is not easily lost,
changed, or deleted is called “non-volatile”.
 Examples:
 Hard Drive, USB Drive, Floppy Disk, DVD, CD
 Volatile: Data that is easily lost, changed, or deleted is called
“volatile”.
 Examples:
 RAM, SDRAM, DRAM, “computer memory”
Data is data, right?
 Time = money
 Data = lots of money
 Types of data that can generate money:





Bank balances
Credit Card Numbers
Social Security Numbers
Credentials
Etc.
 Dishonest individuals steal data to sell it or use it for
malicious intent.
What data is more at risk?
 Previously, attackers were more interested in large data
repositories such as databases, old hard drives, backup
tapes, etc.
 Many regulatory compliance and security framework
initiatives have identified “non-volatile” repositories as
high risk and require compliant entities to ensure proper
security.
 PCI, SOX, ISO, CobiT, ITIL, HIPAA
 Attackers know this and have started looking elsewhere for the
data.
What data is more at risk?
 If the “non-volatile” data is secured then what is the other
option?
 Volatile data or memory
 How secure is volatile memory?
 How much data can the attacker gain?
 Is the memory that interesting to an attacker?
Penny Analogy
 The penny jar on the counter
 Concept: “Take a penny
or leave a penny”
Penny Analogy
 The tip jar on the counter
 Concept: “Give extra cash
for services rendered, NEVER
take money”
Penny Analogy
 What if there was a “money bucket”
on the counter?
 Could you resist?
Penny Analogy
 What is the correlation?
 The container = volatile memory
 Penny jar = 256 megs of RAM
 Tip jar = 4 gigs of RAM
 Money bucket = 32+ gigs of RAM
 Reasoning
 Losses incurred by the penny jar are minimal and who cares if you
steal a penny.
 Losses by the tip jar are nominal and people know you better not
steal from it.
 Losses from the money bucket can cause substantial damage.
WARNING TECHNICAL DETAILS!!!!!
 Volatile memory poses a risk to sensitive data.
 Memory scraping: Attackers have learned to leverage legitimate tools
used to “dump” the contents of RAM and search through it using
query utilities like General | Regular Expression | Print (GREP).




FDPro
Dumpchk.exe (review dump files)
CurrProcess
Zero Dump
 Operating systems such as Microsoft Windows, utilize “swap files” to
help expand the functionality of RAM. The data that was in RAM is
migrated to a “non-volatile” file (pagefile.sys). The data remains there
until it is overwritten or securely deleted.
 The OS does not clean up after itself!
WARNING TECHNICAL DETAILS!!!!!
 Volatile memory poses a risk to sensitive data.
 Some operating systems support “hibernation” functions, which
copy the contents of RAM to a local file (hiberfil.sys; Microsoft
Windows). This allows for the device to return to the previous
state before hibernation.
 Many “server” class operating systems also store the contents of
RAM to the hard drive when shutting down. This is done to help
expedite the boot process.
How do you protect your data?
 Encryption
 Versions of Microsoft Windows Vista and Microsoft Windows 7
offer pagefile.sys encryption.
 However, as with most encryption, there is the possibility of increased
latency and overhead of key management.
 Secure deletion
 There are open source and inexpensive options to securely “wipe”
the swap files at specified intervals.
How do you protect your data?
 Preventative development techniques
 Proper coding techniques will allow for the probability of insecure
storage to be greatly reduced. Rather than addressing the data
after the fact, protect the data at all times.
 Constructors: Prior to using a variable, ensure that the contents of the
allocated memory are securely deleted.
 Encrypted variable contents: Do not store ANY sensitive data (even in
memory) in an unencrypted format. Decrypt the data prior to access
and encrypt immediately after access.
 Destructors: When the contents of the variable are no longer needed,
securely delete the allocated memory.
How do you protect your data?
 There are various encryption tools to help support secure
coding practices:




Microsoft .NET
Chilkat (http://www.chilkatsoft.com/crypt-library.asp)
Crypto++ (http://www.cryptopp.com/)
Etc.
Is this really a threat?







Attack of the RAM scrapers
(http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID
=222002720)
15 most common attacks
(http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222001216)
 #14: RAM Scraper
Vectored memory attack via ram scraping (https://infosecurity.us/?p=12210)
Defending against RAM scraper malware
(http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1381236,00.html)
Securing data from RAM scrapers
(http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1381236,00.html)
Cold boot attacks
(http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html)
(http://hackaday.com/2008/02/21/breaking-disk-encryption-with-ram-dumps/)
RAM-scraping attacks are a rising (but preventable) threat
(http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci1381609,00.html)
Questions??
Benjamin Stephan
EnCE CISSP PCI/PA-QSA QIRA QFI
Director of Incident Management
Benjamin.Stephan@FishNetSecurity.com
888.732.9406
Related documents
cRIO-902x Series Letter of Volatility
cRIO-902x Series Letter of Volatility
Memory - Jack Ou
Memory - Jack Ou
Review for Test 2
Review for Test 2
is112Ch05
is112Ch05
Static Memory - Electrical and Computer Engineering
Static Memory - Electrical and Computer Engineering
Jeopardy
Jeopardy
The Important Book
The Important Book
Introduction to computer: storing instructions and information
Introduction to computer: storing instructions and information
Instruction Set Architecture
Instruction Set Architecture
Download
advertisement