Design for Security
Sota Ogo, HyunGyu Kim, Derek Willms, Chong Tae Chon

Agenda
• About Security
• Breach Cases
• Best Practices
• Use Cases (Solutions)
• Challenges
• Remaining Open Questions/Issues
• Q&A

About Security
• What is Security?
  • The method of protecting electronic information or software from unauthorized changes or attacks
• Why is Security important?
  • As an individual
    • Private data is stored on the Internet
    • Credit Cards, Bank Accounts, money Transactions, Phone numbers, Home Address, etc.
  • As a company
    • Build and keep trust with customers
    • Prevent legal expenses
    • Protect business reputation
[Diagram labels: Security, Privacy, Trust, Saving, Reputation]

Breach Cases
• Heartland Payment System (2008)
  • SQL Injection – 160 million credit cards leaked
• LinkedIn (2012)
  • Most of 6.5 million unsalted hashes cracked in a few days
• Impairment Resources (2010)
  • 2 PCs were stolen with medical records of 14,000 patients
[Slide callouts: Hundreds of Million, Bankrupt, 3+ Million]

Use Cases (Solutions)
• Case 1: Heartland Payment System
  • SQL injection
  • Frontend: Use framework or libraries to validate and encrypt user input
  • Backend: Use a data abstraction layer
• Case 2: LinkedIn
  • *Unsalted SHA-1 Hashing
  • Salting

Password Security: Encrypting vs Hashing
• Encrypting
  • Two way function that is reversible
Hello! → Encrypt → aSd21r → Decrypt → Hello!
• Hashing
  • One way function that is irreversible
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542
• LinkedIn Hashed Password
• Salting
• Eliminates password redundancy
• Converts simple passwords to more difficult ones
• Eliminates the use of Dictionary Search
• Tae has an unsalted password of hello
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
• Sota, Sam, and Derek all have the same passwords but they are salted.
hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab
hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007
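Added example (not part of the original slides): the salting bullets above, run in Python. It assumes `hash` on the slides is SHA-256, which matches the `hash("hello")` value shown; the word list, the three sample users, and the PBKDF2 step with its iteration count are constructed for illustration and go beyond what the slides show.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumption: work factor chosen for this example

def unsalted_hash(password: str) -> str:
    """The slides' hash(password): plain SHA-256, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: str) -> str:
    """The slides' hash(password + salt) construction."""
    return hashlib.sha256((password + salt).encode()).hexdigest()

def lookup_hits(stored_hashes, wordlist) -> int:
    """Count stored hashes found in a table precomputed from a word list."""
    table = {unsalted_hash(word) for word in wordlist}
    return sum(h in table for h in stored_hashes)

def new_record(password: str) -> dict:
    """Record to store: fresh random salt per user plus a slow KDF (PBKDF2)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

# Constructed sample data: three users who all chose "hello".
WORDS = ["hello", "password", "letmein"]
unsalted_db = [unsalted_hash("hello") for _ in range(3)]
salted_db = [salted_hash("hello", secrets.token_hex(8)) for _ in range(3)]

if __name__ == "__main__":
    print("distinct unsalted hashes:", len(set(unsalted_db)))
    print("distinct salted hashes:  ", len(set(salted_db)))
    print("table hits, unsalted:", lookup_hits(unsalted_db, WORDS))
    print("table hits, salted:  ", lookup_hits(salted_db, WORDS))
    record = new_record("hello")
    print("verify correct / wrong:", verify("hello", record), verify("hbllo", record))
```

The per-user salt makes identical passwords store differently and defeats the precomputed table; the slow KDF additionally raises the cost of each guess against a single record.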

Use Cases (Solutions)
• Case 1: Heartland Payment System
  • SQL injection
  • Frontend: Use framework or libraries to validate and encrypt user input
  • Backend: Use a data abstraction layer
• Case 2: LinkedIn
  • *Unsalted SHA-1 Hashing
  • Distributed Credential Protection
• Case 3: Impairment Resources
  • Physical theft
  • Locate servers and computers in secure area
  • Encrypt hard-drives and use passwords
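Added example (not from the original slides) for Case 1: a string-built query next to a small data abstraction layer that only issues parameterized queries. The `cards` table, the `CardStore` class, the sample rows and the crafted input are hypothetical, built on Python's standard `sqlite3` module.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (owner TEXT, card_ref TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?)",
                   [("alice", "sample-card-0001"),
                    ("bob", "sample-card-0002")])
    return db

def cards_concat(db: sqlite3.Connection, owner: str) -> list:
    """Vulnerable 'before': user input is pasted into the SQL text."""
    sql = "SELECT card_ref FROM cards WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]

class CardStore:
    """Minimal data abstraction layer: callers never build SQL themselves."""

    def __init__(self, db: sqlite3.Connection):
        self._db = db

    def cards_for(self, owner: str) -> list:
        # Validate shape first, then bind the value as a parameter so it
        # is always treated as data, never as part of the statement.
        if not isinstance(owner, str) or not 0 < len(owner) <= 64:
            raise ValueError("invalid owner")
        rows = self._db.execute(
            "SELECT card_ref FROM cards WHERE owner = ?", (owner,))
        return [row[0] for row in rows]

# Constructed input containing a quote character.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("string-built query:", cards_concat(db, CRAFTED))
    print("abstraction layer: ", CardStore(db).cards_for(CRAFTED))
    print("legitimate lookup: ", CardStore(db).cards_for("alice"))
```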

Best Practices
• Always design with security in mind
• Think like a potential malicious user
• High-level Principles
• Design your code modularly
• Test extensively (in an automated way if possible)
• Defense in depth: more than one subsystem before the core system
• Establish effective audit trails and logs
• Include fail safes
• Follow Industry Standards

Challenges
• There are many different types of security vulnerabilities.
• Security systems are constantly changing.
• Many websites made prior to 2008 are vulnerable to SQL injection and session hijacking.
• Software must be designed with security in mind from the start.
• An article on Think Progress,
“American banks and retailers don’t want to spend the money to upgrade to more secure technology. Instead, the U.S. spends billions of dollars to bounce back from a breach—about $5.4 million per incident, according to the study” (Williams).

Remaining Open Questions/Issues
• How to keep up with evolving security threats.
• How should laws evolve to prosecute offenders of security breaches?
• Can we ever reach 100% security?
• How can we educate programmers to be conscious of security threats?
• How can we educate programmers to refrain from developing malicious programs?
Q & A