MSc Cyber Security Facilitator Guide: Secure Software Development: Cryptography Introduction

This guide provides:
1. The details of the scenario
2. Possible learning issues
3. Possible solutions
4. Resources

How to use this scenario

The scenario relates closely to PBL2 (Banana Telecoms), and the background information is also needed.

Background

You are a lead security consultant in a large telecommunications enterprise, ‘Banana Mobile International’. The enterprise has markets within the UK, Europe, America and the Far East, and currently employs 120,000 employees globally. Your team has approximately 70 security consultants globally, supported by additional security subject matter experts who specialise in Cryptography, Security Engineering, Security Architecture, and Governance and Risk.

The firm is organised into four main lines of business:
- Retail in store
- Telephone sales (customer services)
- Wholesale
- Digital (internet)

Supporting each line of business there are operational teams that cover the following areas:
- Marketing and Branding
- Accounts (customer billing)
- Finance (accounts)
- Legal
- Fraud
- Regulatory compliance
- Business Information Systems (BIS)
- Information Technology (IT Support)
- Telecommunication Engineering
- Information Security (the team you work in)

The firm currently has over 200 million customers, who use the company mainly for the provision of mobile phone handsets and their associated pay as you go and monthly contract SIM card packages. Recently the firm has recruited a new chief operating officer (Louise Pinstripe), who is in charge of the strategic business operating model and product lines. Despite the firm’s relative success within the traditional mobile telecommunications sector, it currently has 16% of the global market and requires its share price to increase from 300p per share to 400p per share over the next 3 years.
Louise has been informed by her executive colleagues that they need to increase their market share from 16% to 22% within the next 2 years in order to be on target. Louise has therefore recently decided that the firm needs to embark on an ambitious programme to expand its digital and wholesale channels. Her marketing department has decided that the digital channel needs to include the following high-level customer services, so that Banana Mobile can gain a competitive advantage and entice new customers:
- Mobile applications to support customer account enquiry
- Mobile applications to support sales of products sold by the firm
- Mobile applications to recruit and drive the firm’s brand into new markets, such as:
  o Location services
  o Payment services (peer to peer payments)
  o Entertainment (music and video streaming services)

As is usual, Louise has delegated the programme of works to the Business Information Systems team, which operates the project management office (PMO) for the delivery of the project within defined strategic phases. The annual budget for the project is set at 50,000,000 GBP.

As one of the lead security consultants for the firm, it is your role to assist the programme management in the identification of security tasks, general advice and guidance, standards adherence (compliance with the firm’s security standards, which are based on the ISO 27001:2013 Annex A controls), as well as appropriate risk identification and acceptance in accordance with the firm’s Information Security Management System (ISMS). The ISMS is also based upon ISO 27001 but has not yet been fully audited for compliance.
The project team that has been assembled includes the following people:
- Business Analysts
- Solution Architects
- Infrastructure Architects
- Software Developers
- Test Teams
- Representatives from key business teams (stakeholders):
  o Marketing
  o Fraud
  o Legal
  o Regulatory compliance

So far the programme has very little in terms of direction. However, Louise (who is from a software development background) has stated that the firm’s usual method of software development, which is based on the Software/Systems Development Life Cycle (SDLC), is too verbose and bureaucratic. Consequently the programme has been charged not only with developing and delivering the new products, but also with developing a new governance process that will allow the programme to meet its high-level business requirements quickly and safely, with minimal risk to the business.

The project management has decided that the first year of the programme will focus on the following deliveries:
- Quarter 1: construct the new governance model
- Quarter 2: develop the designs for a new software product to be platformed on the Android, iOS, Windows Mobile and Blackberry (RIM) operating systems
- Quarter 3: develop the customer support tools
- Quarter 4: launch the product to staff

The second year will refocus the project on the release of the core mobile application to the customer base, ensuring that iterative software releases include new and exciting features that realise Louise’s vision for the selling of location, payment and entertainment services.

The final steer from Louise is that customer registration with the new mobile applications must be as mobile as possible: a customer should be able to see an advert in the street, decide there and then that they would like to participate in the service, and register to receive services without the need to answer post-delivered mailer responses.
The registration process must cater for existing customers of the firm, and it must also be able to extend to customers of other mobile phone company networks.

One month into the development programme at Banana Telecommunications Plc, it is widely recognised that 3 years is actually a very tight timeline in which to deliver the programme, and much emphasis has been placed by the senior stakeholders within the business on the programme delivering prototypes and methodologies within the first year. The PMO, which is panicked and is escalating all teams to mobilise dedicated resources, has therefore decided that delivery milestones for software prototypes shall be based on a 30 day cycle. They have a working prototype for a web service that will broker mobile client requests, and a mobile application.

Scenario

During the development of the Banana Telecommunications Mobile Application, the lead software developer has asked you to provide advice and guidance on the development of a suitable encryption scheme for the protection of sensitive data at rest. The data includes:
- Text messages that the customer has sent [160 characters]
- Passwords and codes (secrets) [30 characters]
- Bank account details: name [20 characters]
- Bank account details: sort code [6 characters]
- Bank account details: account number [12 characters]
- Card number (PAN) [16 characters]
- CVV [5 characters]

The developer has advised you that the information will be stored in a SQL database that is hosted on a hypervisor within the firm’s strategic data centre. The firm has suffered historical thefts of sensitive customer data, which are suspected to have been facilitated by internal infrastructure support staff. It is therefore important that the data cannot be decrypted by the maintenance staff, including the DBA. The developer is thinking of using 2-key Triple DES in ECB mode with no padding, as he has some sample code that he can re-use.
Your Task

Write a paper (2500 words) providing an advice and guidance report to the developer:
- Identify which information should be encrypted and state why.
- Identify which information must not be stored.
- Evaluate the suitability of the chosen encryption algorithm for the task and, where applicable, suggest an alternative.
- Explain the attacks that could be leveraged against various cryptographic algorithms.
- Identify the tasks required for the secure implementation of cryptography, including:
  o Key storage
  o Key management (rotation, retirement)
- Suggest alternatives to the developer writing the encryption routine (can this be done by an off the shelf product, for example Oracle or MS SQL? If so, how?).

Resources
- PCI-DSS Standards and supplementary documentation
- Security Engineering (Ross Anderson)
- ISO 27001
- ISC2 CISSP CBT
- NIST
- EAL Common Criteria
- Vendor documentation from Oracle and Microsoft relating to TDE

Solution

Students should be able to identify which information is required to be encrypted or not by reviewing the PCI-DSS standards. In addition, authentication secrets must always be encrypted. The CVV number must never be stored.

The DES ECB encryption algorithm is vulnerable because it always gives the same ciphertext for the same given plaintext. Therefore students should advise on a different algorithm. Distinguished students will identify ‘strong cryptography’ within the PCI documentation glossary, and will advise the use of AES in CBC mode.

Students should explain and provide advice on various cryptographic attacks:
- Known plaintext attack
- Chosen plaintext attack
- Adaptive chosen-ciphertext attack

Cryptography is only as secure as the key, so students should identify the controls needed to protect the key. The following are all good examples:
- Hardware security modules
- Software security containers such as operating system key chains and stores
- Dual authentication (four eyes authentication), whereby an encrypting secret is split between two individuals
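The ECB weakness described above, as an added example that is not part of the original guide: the developer's proposed 2-key Triple DES in ECB mode is placed beside AES in CBC mode with a random IV, using only the Go standard library. Keys and plaintexts are constructed for the demonstration; note also that the developer's "no padding" choice would reject a 6-character sort code outright, so PKCS#7 padding is applied in both cases.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// pkcs7Pad adds 1..blockSize bytes (each = the count); "no padding" would reject a 6-char sort code.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encrypt3DESECB is the developer's proposal: 2-key Triple DES (K1||K2||K1 for Go's 24-byte key) in ECB mode.
func encrypt3DESECB(k1, k2, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(append(append(append([]byte{}, k1...), k2...), k1...))
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext, block.BlockSize())
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:], pt[i:]) // ECB: each block alone, so equal plaintext blocks give equal ciphertext
	}
	return ct, nil
}

// encryptAESCBC returns IV || ciphertext; the fresh random IV makes repeats (within or across messages) unlinkable.
func encryptAESCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], pt)
	return out, nil
}

func main() {
	ct, _ := encrypt3DESECB([]byte("k1k1k1k1"), []byte("k2k2k2k2"), []byte("1234567812345678"))
	fmt.Println("3DES-ECB repeats a repeated block:", bytes.Equal(ct[:8], ct[8:16]))
}
```

With the same constructed keys, the ECB output for a plaintext made of two identical 8-byte blocks contains two identical ciphertext blocks, which is the leak a DBA or support engineer could exploit to spot customers sharing a value; the CBC output never does.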
Students should advise the developer on the need to rotate keys, and on key management. How will access to data be maintained after the key has been changed?

For high grades, students will evaluate the business need for encryption over the developer’s desire to implement their ‘home brew’ cryptography solution. It might be better for the student to advise the use of Transparent Database Encryption; both Oracle and Microsoft have implementations of this technology, and it answers many of the complexities relating to key rotation. Distinguished students will discredit the use of a ‘developer implementation’ in favour of an off the shelf product such as Oracle, and will identify the operational controls required to implement the Oracle solution correctly (i.e. scripts for enabling it, testing it, changing the key, the different types of encryption, how to protect the master secret, etc.).
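One answer to the rotation question above, as an added example that is not part of the original guide and not the mechanism of any particular TDE product: a two-level key hierarchy in which each record is sealed under a data encryption key (DEK) and only the KEK-wrapped DEK is stored, so rotating the master key (KEK) re-wraps the DEK without touching the stored data. Go's standard-library AES-GCM is used for both levels; the keys are constructed 32-byte values, and a real deployment would hold the KEK in an HSM or OS key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

func gcmFor(key []byte) cipher.AEAD { // AES-GCM for key; a wrong key length would panic, and every key here is 32 bytes
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, pt []byte) []byte { // fresh random nonce || ciphertext || tag
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, sealed []byte) ([]byte, error) { // fails on a wrong key or any tampering
	g := gcmFor(key)
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Envelope: one record sealed under a data key (DEK) plus that DEK wrapped under the master
// key (KEK). The KEK belongs in an HSM or OS key store, never in the database beside the data.
type Envelope struct{ WrappedDEK, Record []byte }

func Store(kek, pt []byte) Envelope { // generate a DEK, seal pt under it, keep the DEK only in wrapped form
	dek := make([]byte, 32)
	rand.Read(dek)
	return Envelope{WrappedDEK: seal(kek, dek), Record: seal(dek, pt)}
}
// RotateKEK re-wraps the DEK under newKEK. The record is untouched, so it stays readable
// after the master key changes without re-encrypting every row.
func (e *Envelope) RotateKEK(oldKEK, newKEK []byte) error {
	dek, err := open(oldKEK, e.WrappedDEK)
	if err != nil {
		return err
	}
	e.WrappedDEK = seal(newKEK, dek)
	return nil
}
func (e Envelope) Read(kek []byte) ([]byte, error) { // plaintext via the current KEK
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Record)
}
```

After RotateKEK the retired KEK can no longer unwrap the DEK, which is the property a key-retirement procedure should test for.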