Security Principles, Ian Kayne (presentation transcript)

1 Security Principles
Ian Kayne
For the School of Computer Science, University of Birmingham, 17th November 2008

2 Welcome
Introductions
Aim and subject matter
Real world, industry examples
What you would like to gain
Q&A at the end
NB: Some slides have been deleted from this version of the presentation.

3 The Basics
What is security?

4 The Basics
What is not security?
Why are firewalls, IDS, content scanners etc not security?
A little hint:

5 The Basics
The Sony PSP: ultimate security?
Closed platform
Proprietary hardware
Proprietary media (UMD): "almost"
Code signing
Tight controls on devkits

6 The Basics
Insecure! Not just once, repeatedly over years
LibTIFF
  Widely distributed library
  Cross-platform security flaw
GTA: missing a culture of security
  3rd party company: "It's only a game"

7 Culture
QA can't find flaws that aren't normal user experience
One mistake cost £millions?
  Broke Sony's business model
  Required new release of game & firmware
  Enabled piracy
End-user desire (homebrew) won

8 The Basics
What is security?
Process
Mindset
Buy-in from day one
Culture
Firewalls, IDS etc are tech enablers
  Without a secure approach they're useless

9 The Basics
UK Government
Comparison: number of laptop & USB stick losses -v- "proper hacks"
Encryption is available but not used
Strong, clear guidelines ignored
Security: "someone else's problem", putting CDs in the post is fine
Missing a culture of security

10 In The Real World
It's not that easy
Security is a balancing act:
  Security -v- cost
  Security -v- delivery
  Security -v- functionality
  Security -v- corporate politics
  Security -v- …………
Day 1 buy-in helps to mitigate

11 In The Real World
Security demands:
  Communication
  Early involvement
  Empathy
  Pragmatism
  (Don't forget the technical skills!)
Most security teams/professionals don't sit in ivory towers

12 Pentesting
PENETRATION TESTING (Finding holes in the security culture)

13 Pen Testing
Penetration Testing
Very different to consultancy
Not like the movies! Boring work/documentation
Requires:
  Wide knowledge and skill set
  Experience
  Ability to make logic leaps
  Diligence, resolve, patience, lots of coffee
Pen-tester quality varies wildly
Not a pen-tester? Understand the approach so you can evaluate one.

14 Simple Design
Internet
External firewall
Proxy appliance
Web tier firewall
Web server
App tier firewall
Database server

15 SQL Injection
Occurs when unchecked input builds SQL queries
Search box input: pizza
Code builds SQL query: SELECT * FROM food WHERE type='pizza';
Search box input: pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza
Code builds SQL query: SELECT * FROM food WHERE type='pizza'; DROP DATABASE cafe;SELECT * FROM food WHERE type='pizza';
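The slide's search box, reproduced as an added example (not code from the presentation) against a constructed in-memory SQLite "cafe" table: the string-built query beside the parameterised fix. SQLite has no DROP DATABASE, so the injected statement is DROP TABLE food, and executescript() stands in for a driver or server that accepts stacked statements.

```python
import sqlite3

# The slide's payload, adapted to SQLite (DROP TABLE instead of DROP DATABASE).
PAYLOAD = "pizza'; DROP TABLE food;SELECT * FROM food WHERE type='pizza"


def make_db():
    """Constructed in-memory stand-in for the slide's 'cafe' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE food (name TEXT, type TEXT)")
    conn.executemany("INSERT INTO food VALUES (?, ?)",
                     [("margherita", "pizza"), ("pepperoni", "pizza"), ("cola", "drink")])
    conn.commit()
    return conn


def table_exists(conn, name):
    """True while the table is still there; lets us observe the injected DROP."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def search_vulnerable(conn, user_input):
    """The slide's mistake: user text is pasted straight into the SQL string.
    executescript() runs every statement in the string, as a driver or server
    that accepts stacked queries would. Returns None on success, else the error."""
    sql = "SELECT name FROM food WHERE type='" + user_input + "';"
    try:
        conn.executescript(sql)
        return None
    except sqlite3.OperationalError as exc:
        # The request fails (the final SELECT finds no table), but the injected
        # DROP has already run: an error page is not evidence that nothing happened.
        return str(exc)


def search_parameterised(conn, user_input):
    """The fix: a bound parameter is sent as data and never parsed as SQL,
    so the payload is just a type string that matches no row."""
    cur = conn.execute(
        "SELECT name FROM food WHERE type=? ORDER BY name", (user_input,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = make_db()
    print(search_parameterised(conn, PAYLOAD))  # [] and the table survives
    print(search_vulnerable(conn, PAYLOAD))     # error text; the table is gone
    print(table_exists(conn, "food"))           # False
```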

16 Pentesting
Impact
Site shut down
Reputation damage
Lost revenue
Lost customers / goodwill
Cost to resolve
In the USA? Full disclosure may be required.

17 Pentesting
Review:
There is no security in client-side validation
All input must be validated
Don't allow data uploads without validation
Implement security controls correctly
  IDS & content filtering
  Firewall rules: no connect out from web servers
Culture of security is most important
  Not just "do it" but "do it properly & securely"
If the end user has control, there is no security

18 Doing the Job
Career path: use it to learn the principles
Why are the principles so important?
  Expect unique systems & software
  No courses on "Widgets v1.0 security"
  Expect unusual problems
  Expect unusual solutions
  Expect issues outside your comfort zone

19 Doing the Job
Your mission, should you choose to accept it…
95% of the time it's (relatively) easy
  Most attackers go for the easy score
The other 5% is hard: directed, technical attacks
Non-technical: empathy & pragmatism
Jack of all trades and master of some
Learn the principles, investigate the rest

20 Review
Thank you!
Questions
Comments
Items to review
Further study
