Security Revisited: What can we learn from

Transcription

Security Revisited: What can we learn from
(Cloud) Security Revisited
What can we learn from Edward Snowden
mag. Borut Žnidar
Security consultant
borut.znidar@astec.si
Astec d.o.o.
Stegne 31
SI-1000 Ljubljana
T: 01 / 200 83 00
E: info@astec.si
W: www.astec.si
Slika
The NSA, as viewed by Edward Snowden
Spying on pretty much everything on
Internet
• 20 billion „record events“ daily,
• Available to NSA analysts in 60 minutes
Breaking most encryption on the Internet
Stable of exploits designed to break into
specifically targeted computers
NSA shares this technology with others
“Five eyes” group: USA, Canada, UK, Australia, New
Zealand
The NSA capabilities
Breaking most encryption on the Internet
• Agreement to spy, with Telco companies in US & UK
• Network devices with included surveillance
• Backdoors and weakened encryption implementations
DES key length,
CryptoAG,
_NSAKEY in Windows NT,
Lotus Notes key,
Dual_EC_DRBG random generator in Windows Vista,
SHA-3?
• Attack against Tor network
• Find Tor users
Firefox vulnerability
• Hacking, e.g. NSA+UK
FOXACID
BelgaCom (EU institutions)
• Quantum Insert attack: MitM to Google servers
FOXACID
• FOXACID
• Vast set of exploits: from unknown and unpatched to known
• http://baseball2.2ndhalfplays.com/nested/attribs/bins/1/define/forms9952_z1zzz.html
• Risk analysis: cost-benefit on target value and technical sophistication
What about Us?
How to Remain Secure Against the NSA (Bruce Schneier):
1. Hide in the network. E.g. Tor
The less obvious you are, the safer you are.
Encrypt your communications.
E.g. TLS, IPsec. You're much better protected
2.
than if you communicate in the clear.
3.
If you have something really important,
use an Air Gap.
Might not be bulletproof, but it's pretty good.
4.
Be suspicious of commercial encryption software,
especially from large vendors.
Try to use public-domain encryption that has to be compatible with
other implementations.
5.
•
•
•
TLS vs. BitLocker.
Prefer symmetric cryptography over public-key cryptography.
Prefer discrete-log-based systems over elliptic-curve systems.
What about Cloud Security
NSA is hunting information, wherever they are
Additional (new) challenges for Clouds…
…but is on-premise IT doing any better?
Still, there are areas, that Cloud Security must address
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Access control,
Data management at rest,
Data protection in motion,
Encryption key management,
Know who’s accessing what,
Limit data access based on user context,
Risk based approach for accessing resources
in the cloud,
Intelligent network protection,
Regular security scanning and penetration testing
on applications and endpoint devices,
Add security intelligence in cloud.
NSA was pulled out on the clear
Knowing their activities is bad,
but not knowing it before was worse
Math is Good, Code is Subverted –
Let‘s put pressure on the vendors
Cloud is not the target – Information is
Is it time for EU Security?

Similar documents

Slides

Slides • So NSA are probably within their rights to deep packet inspect at the terminations of international cables/sat-links. • But, it seems, that is not what they did: AT&T provided National Security A...

More information

Understanding Encryption and Cloud Security

Understanding Encryption and Cloud Security If you have additional questions about IaC, compliance, governance and best practices when it comes to validating networks, be sure to contact the experts at prancer.

More information