2. ABOUT ME
Franco Antico
Software Architect
Blackboard
franco.antico@blackboard.com
I am a software architect on the Bb Learn
security team.
3. WHAT WE ARE GOING
TO LEARN TODAY
Security mindset, approaches and best
practices
Bb security operations around Social
Learning and the Blackboard Cloud
Enable the Blackboard Cloud with
confidence
4. SECURITY MINDSET
What is the security mindset?
Why does it matter?
What practices are the most effective at
securing applications and services we
use daily?
5. SECURITY MINDSET:
A PERSPECTIVE
The security mindset is a way of looking
at the operation of a system.
It’s a matter of perspective that starts by
asking and answering security questions:
How does an attacker see our
system/service/processes/etc.? What do they
see? (attack surface)
How do we secure our system in response?
6. SECURITY MINDSET:
A PERSPECTIVE
Security issues don’t tend to be random.
Both an attacker’s intent and opportunity
shape the most likely exploits.
The safeguards and protections we
implement shouldn’t be random either.
These Countermeasures should match
the real threat level.
7. SECURITY MINDSET:
WHY IT MATTERS
The world waits for no one. What was secure
today may not be secure tomorrow.
Technology changes, some of this is
trendy, some is here to stay and represents a
new model, a new way of doing things;
e.g., Social Media
A process that promotes continual
evaluation, learning and evolution of the
security posture is the best bet to manage this
change.
8. SECURITY MINDSET:
APPROACHES
How can we apply the security mindset in practice?
Security Assessments provide a great vehicle to
evaluate the security of a system in a comprehensive
way fueled by the security mindset. Each assessment
is a project with defined triggers, inputs, deliverables
and is part of the SDLC.
The assessment’s goal is to provide actionable
security recommendations based on sound and
consistent analysis.
9. SECURITY
ASSESSMENTS
Establish the scope of the assessment
Selection of Evaluation Level
• Basic: Lower Risk
• Moderate: Medium Risk
• Rigorous: High Risk (e.g., new integrations)
Evaluation Level drives scope and
deliverables
10. SECURITY
ASSESSMENTS
Security Assessments have two main components:
• Analytic Reviews (Design and Code)
• Penetration Testing and Static Analysis
The assessment can proceed with a high degree of
parallelism. Each component breaks down to largely
independent tasks.
We will focus today on the Analytic items
11. SECURITY
ASSESSMENTS
Threat Modeling is the central analytic process of
the assessment.
Threat Modeling provides an effective means to
identify, measure and manage security risk. The threat
modeling process pairs identified threats with
countermeasure recommendations.
The countermeasure aspect is what closes the loop
on threat-vulnerability pair and makes the threat
model actionable.
12. THREAT MODELING
Purpose: To analyze the security risks for a
given system or entity from a number of
perspectives.
Threat Model: An Analytic Flow
• Identify Assets and Actors
• Modeling Methodologies: MS STRIDE, DREAD
• Modeling Knowledge Bases: OWASP, CSA, ENISA, NIST
• Identify Key Architecture Characteristics (e.g., APIs)
• Attack Surface Analysis (e.g., System Integration Points)
• Technology Specific Considerations (e.g., OAuth)
13. THREAT MODELING
Threat Model: (continued)
• Diagrams
• Data Flow Diagram
• Attack Tree
• Threat Library
• Categorization vs. Scoring (Threat vs. Vulnerability)
• STRIDE
• DREAD
• CWE (Common Weakness Enumeration)
• CVSS (Common Vulnerability Scoring System)
14. THREAT MODELING:
ASSETS AND ACTORS
Identify Assets and Actors
What are the actors' motivations?
What risks do well motivated actors pose to our
system?
15. THREAT MODELING:
ASSETS AND ACTORS
Asset Description
Data Any data associated with the system
(e.g., student grade data.)
Reputation Reputation with customers and
communities.
Infrastructure The architectural components of the
system. These can be services,
systems and may impact both
software and hardware.
16. THREAT MODELING:
ASSETS AND ACTORS
Actor Description
Attacker External entity with no direct
connection to the system. The
attacker may be a human (individual
or organized group) or some
autonomous entity (bot, script.)
Malicious
User
Registered user attempting to violate
terms of use or perform other
inappropriate actions.
Malicious
Insider
A person who has special access to
the system.
17. MODELING
METHODOLOGIES
Microsoft STRIDE – Categorizing
S – Spoofing identity
T – Tampering with data
R – Repudiation (deny action taken)
I – Information disclosure
D – Denial of service
E – Elevation of privilege
18. MODELING
METHODOLOGIES
DREAD– Scoring (Categorizing)
D – Damage
R – Reproducibility (involvement)
E – Exploitability (required skill)
A – Affected users
D – Discoverability
Each component scored [Low, Med, High]. Higher scores
are bad. Final score is average of the components.
19. MODELING
KNOWLEDGE BASES
OWASP
• Open Web Application Security Project
• Countermeasure guidelines and frameworks (ESAPI)
• Top 10 List (2013 List recently released)
NIST
• National Institute of Standards and Technology
• Cryptographic recommendations
CSA and ENISA
• Cloud Security Alliance and European Network and
Information Security Agency
• Cloud security
22. THREAT MODEL IN
ACTION
The following threat model items
represent general threats facing
social media and cloud
integrations. These are the kinds
of threats that we consider during
development and test.
23. THREAT MODELING IN
ACTION:
APIS
API Threats (from Threat Library):
Threats Description
Tampering, Repudiation
An attacker alters an API message
either at the source, en-route or at
the destination.
Attack Vectors Countermeasures
1. Message intercepted in transit.
1. API level message signature, hashing or MAC protection. Each
tier that processes an API message, including routing, should add to
the signature envelope. SSL alone will not guarantee message
integrity for all cases: non-SSL scenarios, message tampering after
SSL termination.
A.1.1 API Message Integrity
24. THREAT MODELING IN
ACTION:
APIS
API Threats (from Threat Library):
Threats Description
Tampering, Repudiation, Denial of
Service
An attacker intercepts an API message and retransmits (replays) the
message at a later time to compromise the system.
Attack Vectors Countermeasures
1. Message intercepted and replayed. Attacker captures a wall
post message and replays the message in an effort to crash the
system or impair performance.
1. Include a one-time nonce with
each API message. Note, the nonce
can be included in the API signature
referenced in A.1.1.
A.1.2 API Message Misuse
25. THREAT MODELING IN
ACTION:
APIS
API Threats (from Threat Library):
Threats Description
Repudiation, Denial of Service
An attacker or malicious executes a well timed Denial of Service
attack in an attempt to compromise a given user's profile.
Attack Vectors Countermeasures
1. Attacker launches large scale flood of API messages targeting
the API infrastructure, user's profile left in unknown state,
potentially locking user out of profile.
1. Ensure API message resilience
where the system can recover from
messages lost in transit.
A.1.5 API Resilience
26. THREAT MODELING IN
ACTION:
SOCIAL MEDIA
Social Media Threats (from Threat Library):
Threats Description
Spoofing, Information Disclosure
An external attacker compromises a user's Twitter/FB account and
subsequently launches an attack attempting to exploit social learn
users.
Attack Vectors Countermeasures
An external attacker adds malicious JavaScript to a user's Twitter
description by exploiting a vulnerability in Twitter. The attacker
then launches a CSRF attack against other users in the
compromised user's follower (or potential follower) list.
Any data coming from an external
applications must be sanitized before
processing. Moreover, as a final
fallback measure, the system should
escape any data (externally sourced
or not) prior to display.
EI.1.2 Data Input Validation
27. THREAT MODELING IN
ACTION:
SOCIAL MEDIA
Threats Description
Spoofing, Information Disclosure, Denial
of Service
1. A malicious user attempts to perform a denial of service attack on the
system through an avatar upload.
2. An external attacker gains access to a student's avatar image despite
the student's privacy social learn settings.
Attack Vectors Countermeasures
1. A malicious user attempts to compromise the service by uploading a
100MB avatar image either through the file upload or external social
network, e.g. Twitter (assume this vector is possible via a
vulnerability in Twitter.) A variation of this vector could be embedding
malicious code in a standard sized avatar with the goal of distributing
the attack through the browser's rendering of the image. Potential
attacks include attempting to exploit jpeg buffer overflow or ICC
profile corruption vulnerabilities.
1. Implement a server-side check on the avatar
size: reject any avatar image that is
suspiciously large. Also, to address a
potential "evil" avatar image, use a security
vetted image toolkit to load and validate the
avatar.
2. Provide authorization controls that guard
the delivery of the avatar. Tie the avatar ACL
to the profile privacy settings, i.e., only allow
an open avatar for public privacy scenarios.
The scope of public should address the
visibility of avatars and other data are public:
any legitimate user can view the avatar/data
vs. any one on the internet can view the
data.
EI.1.4 Avatar Security
28. THREAT MODELING IN
ACTION:
CLOUD
Cloud Threats (from Threat Library):
Threats Description
Spoofing, Repudiation, Information
Disclosure
An attacker or malicious user is able to impersonate a user through via
their session id even after logout.
Attack Vectors Countermeasures
1. Using the browser's history and attacker discovers a user's session
and gains access to the system as that user.
1. Ensure that logout invalidates all
relevant cross-system sessions in as
synchronous a manner as possible.
S.1.2 Cross System Logout
29. SOCIAL MEDIA
TECHNOLOGY:
OAUTH
OAuth: a standard for granting authorization
across platforms and content delivery modalities
OAuth: protects passwords by providing an API for
authorizing API access
OAuth is a reality of social media. Developers
leverage OAuth because that is what the service
providers implement (FB, Twitter, etc.)
30. SOCIAL MEDIA
TECHNOLOGY:
OAUTH
Key OAuth roles:
Resource Owner (or End User)
• Someone with a Facebook account (identity, credentials)
Resource Server
• Facebook service itself
Client
• Facebook App
31. SOCIAL MEDIA
TECHNOLOGY:
OAUTH
OAuth is flow based: Two-Legged vs. Three-Legged. Here
is diagram from Google Apps Marketplace that shows the
gist of an OAuth 2.0 Three-Legged flow that is most
applicable to social media:
http://www.google.com/support/enterprise/static/gapps/art/a
dmin/en/cpanel/3-legged-oauth-diagram.png
Resource Owner (End User) User
Resource Server Google
Client Web application
32. OAUTH TAKEAWAYS
What to look for:
• Transparency of data usage
• Support of opt-in model
• Ability to turn integrations on and off
33. BLACKBOARD CLOUD
Are folks familiar with the Blackboard
Cloud?
Anyone have the Bb Cloud enabled
currently?
34. BLACKBOARD CLOUD
What is the Blackboard cloud?
Why should I turn on the Cloud?
How do I turn on the Cloud?
35. WHAT IS THE
BLACKBOARD CLOUD
The Blackboard Cloud is a platform for
delivering new capabilities and
extensions to Learn.
Blackboard manages the Cloud.
The new cloud-based capabilities are
optional, and require activation by an
administrator.
36. WHAT IS THE
BLACKBOARD CLOUD
The Cloud consists of three feature sets:
Blackboard Cloud Services
• Software Updates, Inline Assignment Grading and
enhanced tools to foster Social Learning.
Cloud Profiles & Tools
• basic Profiles (called Profile Cards), the People tool,
and enhancements to the Posts tool
Social Profiles & Tools
• full Profiles, Spaces, Messages, and enhancements to
Profile Cards, People tool, and the Posts tool
37. WHY SHOULD I TURN
ON THE CLOUD?
• More Rapid Innovation & Responsiveness
• Scalability with Less Cost to You
• Future Cross-institution / Global capabilities
• Enhanced Educational Experience
• It’s Secure, provides Privacy Control (Cloud Profile
private by default) and Transparency of Data Usage
38. SOCIAL MEDIA DATA
USAGE
TRANSPARENCY
Bb Cloud usage of Twitter and Facebook user data:
Facebook/Twitter: profile picture (avatar), “about me”
text (description)
Facebook only: Facebook specific email address
https://help.blackboard.com/en-
us/Cloud/Cloud_Management/Administrator/Cloud_FA
Q
(Under Are there Facebook and Twitter integrations
with a user profile?)
39. HOW DO I TURN ON
THE CLOUD
Enabling the cloud goes in a certain order. This is like
activating different layers in an architecture. The feature
sets build on one another.
1.Blackboard Cloud Services
2.Cloud Profiles & Tools
3.Social Profiles & Tools
Cloud Profiles and Social Learning Tools are NOT
automatically enabled once the Blackboard Cloud is
enabled.
46. ENABLING SOCIAL
PROFILES AND TOOLS
With Cloud Profiles and Tools On, go Administrator
Panel, under Cloud Management, click Cloud Profiles
and Tools to find: