The Security Mindset
and Social Learning
Franco Antico, Software Architect
Blackboard
ABOUT ME
Franco Antico
Software Architect
Blackboard
franco.antico@blackboard.com
I am a software architect on the Bb Learn
security team.
WHAT WE ARE GOING
TO LEARN TODAY
Security mindset, approaches and best
practices
Bb security operations around Social
Learning and the Blackboard Cloud
Enable the Blackboard Cloud with
confidence
SECURITY MINDSET
What is the security mindset?
Why does it matter?
What practices are the most effective at
securing applications and services we
use daily?
SECURITY MINDSET:
A PERSPECTIVE
The security mindset is a way of looking
at the operation of a system.
It’s a matter of perspective that starts by
asking and answering security questions:
How does an attacker see our
system/service/processes/etc.? What do they
see? (attack surface)
How do we secure our system in response?
SECURITY MINDSET:
A PERSPECTIVE
Security issues don’t tend to be random.
Both an attacker’s intent and opportunity
shape the most likely exploits.
The safeguards and protections we
implement shouldn’t be random either.
These countermeasures should match
the real threat level.
SECURITY MINDSET:
WHY IT MATTERS
The world waits for no one. What was secure
today may not be secure tomorrow.
Technology changes. Some of it is trendy;
some is here to stay and represents a
new model, a new way of doing things
(e.g., social media).
A process that promotes continual
evaluation, learning and evolution of the
security posture is the best bet for managing this
change.
SECURITY MINDSET:
APPROACHES
How can we apply the security mindset in practice?
Security Assessments provide a great vehicle to
evaluate the security of a system in a comprehensive
way fueled by the security mindset. Each assessment
is a project with defined triggers, inputs, deliverables
and is part of the SDLC.
The assessment’s goal is to provide actionable
security recommendations based on sound and
consistent analysis.
SECURITY
ASSESSMENTS
Establish the scope of the assessment
Selection of Evaluation Level
• Basic: Lower Risk
• Moderate: Medium Risk
• Rigorous: High Risk (e.g., new integrations)
Evaluation Level drives scope and
deliverables
SECURITY
ASSESSMENTS
Security Assessments have two main components:
• Analytic Reviews (Design and Code)
• Penetration Testing and Static Analysis
The assessment can proceed with a high degree of
parallelism. Each component breaks down to largely
independent tasks.
We will focus today on the Analytic items
SECURITY
ASSESSMENTS
Threat Modeling is the central analytic process of
the assessment.
Threat Modeling provides an effective means to
identify, measure and manage security risk. The threat
modeling process pairs identified threats with
countermeasure recommendations.
The countermeasure aspect is what closes the loop
on each threat-vulnerability pair and makes the threat
model actionable.
THREAT MODELING
Purpose: To analyze the security risks for a
given system or entity from a number of
perspectives.
Threat Model: An Analytic Flow
• Identify Assets and Actors
• Modeling Methodologies: MS STRIDE, DREAD
• Modeling Knowledge Bases: OWASP, CSA, ENISA, NIST
• Identify Key Architecture Characteristics (e.g., APIs)
• Attack Surface Analysis (e.g., System Integration Points)
• Technology Specific Considerations (e.g., OAuth)
THREAT MODELING
Threat Model: (continued)
• Diagrams
• Data Flow Diagram
• Attack Tree
• Threat Library
• Categorization vs. Scoring (Threat vs. Vulnerability)
• STRIDE
• DREAD
• CWE (Common Weakness Enumeration)
• CVSS (Common Vulnerability Scoring System)
THREAT MODELING:
ASSETS AND ACTORS
Identify Assets and Actors
What are the actors' motivations?
What risks do well motivated actors pose to our
system?
THREAT MODELING:
ASSETS AND ACTORS
Asset: Data
Description: Any data associated with the system (e.g., student grade data).
Asset: Reputation
Description: Reputation with customers and communities.
Asset: Infrastructure
Description: The architectural components of the system. These can be services or systems and may involve both software and hardware.
THREAT MODELING:
ASSETS AND ACTORS
Actor: Attacker
Description: External entity with no direct connection to the system. The attacker may be a human (individual or organized group) or some autonomous entity (bot, script).
Actor: Malicious User
Description: Registered user attempting to violate terms of use or perform other inappropriate actions.
Actor: Malicious Insider
Description: A person who has special access to the system.
MODELING
METHODOLOGIES
Microsoft STRIDE – Categorizing
S – Spoofing identity
T – Tampering with data
R – Repudiation (deny action taken)
I – Information disclosure
D – Denial of service
E – Elevation of privilege
MODELING
METHODOLOGIES
DREAD – Scoring (Categorizing)
D – Damage
R – Reproducibility (involvement)
E – Exploitability (required skill)
A – Affected users
D – Discoverability
Each component is scored [Low, Med, High]. Higher scores
are bad. The final score is the average of the components.
MODELING
KNOWLEDGE BASES
OWASP
• Open Web Application Security Project
• Countermeasure guidelines and frameworks (ESAPI)
• Top 10 List (2013 List recently released)
NIST
• National Institute of Standards and Technology
• Cryptographic recommendations
CSA and ENISA
• Cloud Security Alliance and European Network and
Information Security Agency
• Cloud security
DATA FLOW DIAGRAM:
THE BB SYSTEM ADMIN REGISTERS A LEARN
INSTANCE WITH THE CLOUD
ATTACK TREE
DIAGRAM:
IMPERSONATE USER
THREAT MODEL IN
ACTION
The following threat model items
represent general threats facing
social media and cloud
integrations. These are the kinds
of threats that we consider during
development and test.
THREAT MODELING IN
ACTION:
APIS
API Threats (from Threat Library):
A.1.1 API Message Integrity
Threats: Tampering, Repudiation
Description: An attacker alters an API message either at the source, en route or at the destination.
Attack Vectors:
1. Message intercepted in transit.
Countermeasures:
1. API-level message signature, hashing or MAC protection. Each tier that processes an API message, including routing, should add to the signature envelope. SSL alone will not guarantee message integrity for all cases: non-SSL scenarios, message tampering after SSL termination.
THREAT MODELING IN
ACTION:
APIS
API Threats (from Threat Library):
A.1.2 API Message Misuse
Threats: Tampering, Repudiation, Denial of Service
Description: An attacker intercepts an API message and retransmits (replays) the message at a later time to compromise the system.
Attack Vectors:
1. Message intercepted and replayed. Attacker captures a wall post message and replays the message in an effort to crash the system or impair performance.
Countermeasures:
1. Include a one-time nonce with each API message. Note, the nonce can be included in the API signature referenced in A.1.1.
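The A.1.1 and A.1.2 countermeasures together, as an added example that is not code from the presentation or from Blackboard: each tier (origin, router, destination) appends an HMAC to the envelope that covers the body, a one-time nonce, a timestamp and every earlier signature, and the receiver checks the chain before it consults its nonce set. The tier names, keys and message format are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-tier HMAC secrets for this walkthrough (assumption: each tier that
# handles an API message holds its own symmetric key; real keys live in a key store).
TIER_KEYS = {
    "learn": b"constructed-learn-tier-secret",
    "router": b"constructed-router-tier-secret",
    "cloud": b"constructed-cloud-tier-secret",
}


def canonical(body):
    """Stable byte encoding of the body so every tier (and the verifier) MACs identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_tier(tier, body, nonce, issued_at, previous_sigs):
    """A tier's MAC covers the body, the nonce, the timestamp and every earlier signature,
    so a tier cannot be skipped or reordered without breaking the chain."""
    mac = hmac.new(TIER_KEYS[tier], digestmod=hashlib.sha256)
    mac.update(canonical(body))
    mac.update(nonce.encode())
    mac.update(str(issued_at).encode())
    for prev in previous_sigs:
        mac.update(prev.encode())
    return mac.hexdigest()


def create_message(body, nonce=None, issued_at=None):
    """Origin tier ('learn') builds the envelope: one-time nonce, timestamp, first signature."""
    envelope = {
        "body": body,
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
        "issued_at": issued_at if issued_at is not None else int(time.time()),
        "signatures": [],
    }
    add_tier_signature(envelope, "learn")
    return envelope


def add_tier_signature(envelope, tier):
    """Each hop (routing included) appends its own signature to the envelope."""
    previous = [entry["sig"] for entry in envelope["signatures"]]
    sig = sign_tier(tier, envelope["body"], envelope["nonce"], envelope["issued_at"], previous)
    envelope["signatures"].append({"tier": tier, "sig": sig})


class Receiver:
    """Destination tier: checks freshness, the whole signature chain, then the nonce."""

    def __init__(self, max_age_seconds=300, clock=time.time):
        self.max_age = max_age_seconds
        self.clock = clock
        self.seen_nonces = set()  # bounded in practice by the freshness window

    def verify(self, envelope):
        """Return 'ok' or the reason the message is rejected."""
        if abs(self.clock() - envelope["issued_at"]) > self.max_age:
            return "expired"
        previous = []
        for entry in envelope["signatures"]:
            expected = sign_tier(entry["tier"], envelope["body"], envelope["nonce"],
                                 envelope["issued_at"], previous)
            if not hmac.compare_digest(expected, entry["sig"]):
                return "bad signature at tier " + entry["tier"]
            previous.append(entry["sig"])
        # The nonce check comes after the MAC check so that unauthenticated junk
        # cannot fill the seen set and block legitimate nonces.
        if envelope["nonce"] in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(envelope["nonce"])
        return "ok"
```

Because every later signature covers the earlier ones, dropping the router's entry from the envelope fails at the cloud tier, not silently.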
THREAT MODELING IN
ACTION:
APIS
API Threats (from Threat Library):
A.1.5 API Resilience
Threats: Repudiation, Denial of Service
Description: An attacker or malicious user executes a well-timed Denial of Service attack in an attempt to compromise a given user's profile.
Attack Vectors:
1. Attacker launches a large-scale flood of API messages targeting the API infrastructure; the user's profile is left in an unknown state, potentially locking the user out of the profile.
Countermeasures:
1. Ensure API message resilience, where the system can recover from messages lost in transit.
THREAT MODELING IN
ACTION:
SOCIAL MEDIA
Social Media Threats (from Threat Library):
EI.1.2 Data Input Validation
Threats: Spoofing, Information Disclosure
Description: An external attacker compromises a user's Twitter/FB account and subsequently launches an attack attempting to exploit Social Learn users.
Attack Vectors:
An external attacker adds malicious JavaScript to a user's Twitter description by exploiting a vulnerability in Twitter. The attacker then launches a CSRF attack against other users in the compromised user's follower (or potential follower) list.
Countermeasures:
Any data coming from external applications must be sanitized before processing. Moreover, as a final fallback measure, the system should escape any data (externally sourced or not) prior to display.
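The two layers of EI.1.2, as an added example that is not code from the presentation or from Blackboard: a sanitizer applied to the imported "about me" text, and display-time escaping that still holds when data skipped the sanitizer. The sample profile, the field whitelist and the card markup are constructed assumptions.

```python
import html
import re

# Constructed sample of what a social network might return for a compromised account:
# the "about me" text carries markup that must never reach other users' browsers.
CONSTRUCTED_TWITTER_PROFILE = {
    "screen_name": "student_01",
    "description": "Loves maths <script>evil()</script> &amp; physics",
}

MAX_DESCRIPTION_LEN = 160
# Whitelist for the plain-text "about me" field (assumption about the field's expected content).
DISALLOWED_CHARS = re.compile(r"[^\w\s.,!?'&@#:/-]")
TAG_PATTERN = re.compile(r"<[^>]*>")


def sanitize_description(raw):
    """Input-side control: reduce external text to the plain-text subset the profile expects.
    Entities are decoded first so '&lt;script&gt;' cannot slip past the tag filter."""
    text = html.unescape(raw)
    text = TAG_PATTERN.sub("", text)
    text = DISALLOWED_CHARS.sub("", text)
    return text[:MAX_DESCRIPTION_LEN].strip()


def import_external_profile(external):
    """Sanitize every externally sourced field before it is stored or processed."""
    return {
        "screen_name": sanitize_description(external["screen_name"]),
        "description": sanitize_description(external["description"]),
    }


def render_profile_card(profile):
    """Output-side fallback: escape every field at display time, whether it came from
    Twitter/FB or from the local database, so a sanitizer gap cannot become script execution."""
    return (
        '<div class="profile-card">'
        '<span class="name">' + html.escape(profile["screen_name"]) + "</span>"
        '<p class="about">' + html.escape(profile["description"]) + "</p>"
        "</div>"
    )
```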
THREAT MODELING IN
ACTION:
SOCIAL MEDIA
EI.1.4 Avatar Security
Threats: Spoofing, Information Disclosure, Denial of Service
Description:
1. A malicious user attempts to perform a denial of service attack on the system through an avatar upload.
2. An external attacker gains access to a student's avatar image despite the student's Social Learn privacy settings.
Attack Vectors:
1. A malicious user attempts to compromise the service by uploading a 100MB avatar image either through the file upload or an external social network, e.g. Twitter (assume this vector is possible via a vulnerability in Twitter). A variation of this vector could be embedding malicious code in a standard-sized avatar with the goal of distributing the attack through the browser's rendering of the image. Potential attacks include attempting to exploit JPEG buffer overflow or ICC profile corruption vulnerabilities.
Countermeasures:
1. Implement a server-side check on the avatar size: reject any avatar image that is suspiciously large. Also, to address a potential "evil" avatar image, use a security-vetted image toolkit to load and validate the avatar.
2. Provide authorization controls that guard the delivery of the avatar. Tie the avatar ACL to the profile privacy settings, i.e., only allow an open avatar for public privacy scenarios. The scope of "public" should define whether avatars and other public data are visible to any legitimate user or to anyone on the internet.
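Both EI.1.4 countermeasures, as an added example that is not code from the presentation or from Blackboard: a server-side pre-check on size, signature and declared dimensions before any decoder runs (PNG only; the vetted-toolkit decode that the slide calls for is assumed to follow), plus an avatar ACL that fails closed unless the privacy setting opens it. The byte limits, the three privacy levels and the sample PNG header are constructed assumptions.

```python
import struct
import zlib

# Policy limits for this walkthrough (assumptions; pick values to suit the deployment).
MAX_AVATAR_BYTES = 512 * 1024   # the 100MB upload from the threat is refused before decoding
MAX_AVATAR_SIDE = 1024          # pixels per side; a tiny file declaring 40000x40000 is a decompression bomb

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Profile privacy levels (assumption: the slides only say Cloud Profiles are private by default
# and that "public" must be scoped to either legitimate users or the whole internet).
PRIVACY_PRIVATE = "private"          # owner only
PRIVACY_LEGITIMATE = "legitimate"    # any authenticated Learn/Cloud user
PRIVACY_INTERNET = "internet"        # anyone, no login required


def screen_avatar(data):
    """Server-side pre-checks before any image decoder sees the bytes.
    Returns 'accepted png WxH' or 'rejected: <reason>'. Only PNG is handled here;
    decoding with a security-vetted toolkit is assumed to follow and is not shown."""
    if len(data) > MAX_AVATAR_BYTES:
        return "rejected: %d bytes exceeds limit" % len(data)
    if not data.startswith(PNG_SIGNATURE):
        return "rejected: not a PNG"
    # PNG layout: 8-byte signature, then IHDR chunk = length(4) 'IHDR'(4) data(13) crc(4).
    if len(data) < 33 or data[8:16] != b"\x00\x00\x00\x0dIHDR":
        return "rejected: malformed IHDR"
    width, height = struct.unpack(">II", data[16:24])
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != crc:
        return "rejected: IHDR CRC mismatch"
    if not (0 < width <= MAX_AVATAR_SIDE and 0 < height <= MAX_AVATAR_SIDE):
        return "rejected: %dx%d outside policy" % (width, height)
    return "accepted png %dx%d" % (width, height)


def may_view_avatar(owner_id, privacy, viewer_id=None):
    """Avatar ACL tied to the owner's profile privacy setting. viewer_id None = not logged in."""
    if viewer_id is not None and viewer_id == owner_id:
        return True
    if privacy == PRIVACY_INTERNET:
        return True
    if privacy == PRIVACY_LEGITIMATE:
        return viewer_id is not None
    return False   # PRIVACY_PRIVATE (the default) and any unknown value fail closed


def make_png_header(width, height):
    """Constructed sample input: signature plus a valid IHDR chunk (enough for the checks above)."""
    chunk = b"IHDR" + struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return (PNG_SIGNATURE + struct.pack(">I", 13) + chunk
            + struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF))
```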
THREAT MODELING IN
ACTION:
CLOUD
Cloud Threats (from Threat Library):
S.1.2 Cross System Logout
Threats: Spoofing, Repudiation, Information Disclosure
Description: An attacker or malicious user is able to impersonate a user via their session id even after logout.
Attack Vectors:
1. Using the browser's history, an attacker discovers a user's session and gains access to the system as that user.
Countermeasures:
1. Ensure that logout invalidates all relevant cross-system sessions in as synchronous a manner as possible.
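The S.1.2 countermeasure as an added example that is not code from the presentation or from Blackboard: one registry links every session issued for a login across systems, so a logout presented to any one of them revokes all of them in the same call. The assumption is a shared store; a real deployment might use a back-channel revocation call instead.

```python
import secrets


class CrossSystemSessions:
    """Single registry shared by the Learn instance and the Cloud (assumption: in practice a
    shared store or a back-channel revocation call plays this role). One login yields one
    session per system, all linked, so one logout revokes all of them at once."""

    def __init__(self):
        self._by_id = {}      # session_id -> (system, user, login_id)
        self._by_login = {}   # login_id -> set of session ids

    def login(self, user, systems):
        """Issue a linked session id for each participating system."""
        login_id = secrets.token_hex(8)
        issued = {}
        for system in systems:
            sid = secrets.token_urlsafe(32)
            self._by_id[sid] = (system, user, login_id)
            self._by_login.setdefault(login_id, set()).add(sid)
            issued[system] = sid
        return issued

    def resolve(self, system, session_id):
        """Who owns this session on this system? None once revoked, or if the id is
        presented to a system it was not issued for."""
        entry = self._by_id.get(session_id)
        if entry is None or entry[0] != system:
            return None
        return entry[1]

    def logout(self, session_id):
        """Logout presented to any one system revokes every linked session synchronously.
        Returns how many sessions were invalidated (0 for an unknown or already revoked id)."""
        entry = self._by_id.get(session_id)
        if entry is None:
            return 0
        linked = self._by_login.pop(entry[2], set())
        for sid in linked:
            self._by_id.pop(sid, None)
        return len(linked)
```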
SOCIAL MEDIA
TECHNOLOGY:
OAUTH
OAuth: a standard for granting authorization
across platforms and content delivery modalities
OAuth: protects passwords by providing an API for
authorizing API access
OAuth is a reality of social media. Developers
leverage OAuth because that is what the service
providers implement (FB, Twitter, etc.)
SOCIAL MEDIA
TECHNOLOGY:
OAUTH
Key OAuth roles:
Resource Owner (or End User)
• Someone with a Facebook account (identity, credentials)
Resource Server
• Facebook service itself
Client
• Facebook App
SOCIAL MEDIA
TECHNOLOGY:
OAUTH
OAuth is flow based: Two-Legged vs. Three-Legged. Here
is a diagram from Google Apps Marketplace that shows the
gist of an OAuth 2.0 Three-Legged flow, the one most
applicable to social media:
http://www.google.com/support/enterprise/static/gapps/art/admin/en/cpanel/3-legged-oauth-diagram.png
Resource Owner (End User) → User
Resource Server → Google
Client → Web application
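The three-legged flow the diagram describes, as an added in-process simulation that is not code from the presentation or from Google: a social network plays Resource Server, an integration plays Client, and the user (Resource Owner) consents at the server. The client checks the state it issued before redeeming a code, and the server redeems each code once. Role names, URLs and scopes are constructed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, in-process simulation of the OAuth 2.0 three-legged (authorization code) flow.
# Each role is a plain object; "redirects" are URL strings handed between them.


class ResourceServer:
    """The social network (e.g. Facebook): holds the user's account and issues tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, redirect_uri)
        self._codes = {}    # authorization code -> (client_id, user, scope), single use
        self.tokens = {}    # access_token -> (user, scope)

    def register_client(self, redirect_uri):
        client_id, client_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorize(self, request, user, consent):
        """Leg 1 (browser): the resource owner logs in here, never at the client, and decides
        whether to grant the requested scope. The answer goes back via the registered redirect URI."""
        client = self.clients.get(request["client_id"])
        if client is None or client[1] != request["redirect_uri"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if not consent:
            return request["redirect_uri"] + "?" + urlencode(
                {"error": "access_denied", "state": request["state"]})
        code = secrets.token_urlsafe(24)
        self._codes[code] = (request["client_id"], user, request["scope"])
        return request["redirect_uri"] + "?" + urlencode({"code": code, "state": request["state"]})

    def token(self, client_id, client_secret, code):
        """Leg 3 (server to server): the code plus the client secret buys an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client[0], client_secret):
            raise PermissionError("bad client credentials")
        entry = self._codes.pop(code, None)   # pop: a code can be redeemed exactly once
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid, reused or foreign authorization code")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (entry[1], entry[2])
        return access_token

    def profile(self, access_token):
        """Resource access with the token; the client never saw the user's password."""
        return self.tokens.get(access_token)


class Client:
    """The app (e.g. a Cloud social integration) asking for limited access to the user's profile."""

    def __init__(self, server, redirect_uri, scope):
        self.server, self.redirect_uri, self.scope = server, redirect_uri, scope
        self.client_id, self.client_secret = server.register_client(redirect_uri)
        self._pending_states = set()

    def start(self):
        """Build the authorization request; the random state binds the later redirect to this attempt."""
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": self.scope, "state": state}

    def callback(self, redirect_url):
        """Leg 2: the browser lands back here. Refuse anything whose state we did not issue."""
        query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if query.get("state") not in self._pending_states:
            raise PermissionError("state mismatch: redirect not bound to a pending request")
        self._pending_states.discard(query["state"])
        if "error" in query:
            raise PermissionError("user declined: " + query["error"])
        return self.server.token(self.client_id, self.client_secret, query["code"])


def attempt(step, *args):
    """Walkthrough helper: ('ok', result) or ('refused', reason) instead of an exception."""
    try:
        return ("ok", step(*args))
    except PermissionError as exc:
        return ("refused", str(exc))
```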
OAUTH TAKEAWAYS
What to look for:
• Transparency of data usage
• Support of opt-in model
• Ability to turn integrations on and off
BLACKBOARD CLOUD
Are folks familiar with the Blackboard
Cloud?
Anyone have the Bb Cloud enabled
currently?
BLACKBOARD CLOUD
What is the Blackboard cloud?
Why should I turn on the Cloud?
How do I turn on the Cloud?
WHAT IS THE
BLACKBOARD CLOUD
The Blackboard Cloud is a platform for
delivering new capabilities and
extensions to Learn.
Blackboard manages the Cloud.
The new cloud-based capabilities are
optional, and require activation by an
administrator.
WHAT IS THE
BLACKBOARD CLOUD
The Cloud consists of three feature sets:
Blackboard Cloud Services
• Software Updates, Inline Assignment Grading and
enhanced tools to foster Social Learning.
Cloud Profiles & Tools
• basic Profiles (called Profile Cards), the People tool,
and enhancements to the Posts tool
Social Profiles & Tools
• full Profiles, Spaces, Messages, and enhancements to
Profile Cards, People tool, and the Posts tool
WHY SHOULD I TURN
ON THE CLOUD?
• More Rapid Innovation & Responsiveness
• Scalability with Less Cost to You
• Future Cross-institution / Global capabilities
• Enhanced Educational Experience
• It’s Secure, provides Privacy Control (Cloud Profile
private by default) and Transparency of Data Usage
SOCIAL MEDIA DATA
USAGE
TRANSPARENCY
Bb Cloud usage of Twitter and Facebook user data:
Facebook/Twitter: profile picture (avatar), “about me”
text (description)
Facebook only: Facebook specific email address
https://help.blackboard.com/en-us/Cloud/Cloud_Management/Administrator/Cloud_FAQ
(Under "Are there Facebook and Twitter integrations
with a user profile?")
HOW DO I TURN ON
THE CLOUD
Enabling the cloud goes in a certain order. This is like
activating different layers in an architecture. The feature
sets build on one another.
1. Blackboard Cloud Services
2. Cloud Profiles & Tools
3. Social Profiles & Tools
Cloud Profiles and Social Learning Tools are NOT
automatically enabled once the Blackboard Cloud is
enabled.
TURNING ON
BLACKBOARD CLOUD
SERVICES
Administrator Panel, under Cloud Management, click
Cloud Connector.
TURNING ON
BLACKBOARD CLOUD
SERVICES
Set the External URL of your Learn instance, a
Description and the Instance Type:
ENABLING CLOUD
PROFILES AND TOOLS
On the Administrator Panel, under Cloud
Management, click Cloud Profiles and Tools.
ENABLING CLOUD
PROFILES AND TOOLS
The cloud tools are off by default:
ENABLING CLOUD
PROFILES AND TOOLS
We can then turn them on:
ENABLING CLOUD
PROFILES AND TOOLS
Same thing for the Cloud Tools (can also turn on Twitter
and FB):
ENABLING SOCIAL
PROFILES AND TOOLS
With Cloud Profiles and Tools On, go to the Administrator
Panel and, under Cloud Management, click Cloud Profiles
and Tools to find:
ENABLING SOCIAL
PROFILES AND TOOLS
After you click On, you can manage the Social Settings:
ENABLING SOCIAL
PROFILES AND TOOLS
Here is what things will look like after you enable the entire
Cloud:
ENABLING THE
CLOUD
More details @ help.blackboard.com:
https://help.blackboard.com/en-us/Cloud/Cloud_Management/Administrator
Under Cloud FAQs and Cloud Management
(Licensing, Firewall implications, setting specifics, etc.)
DO THIS NEXT
Turn on the Blackboard Cloud with
confidence:
• Blackboard Cloud Services
• Cloud Profiles and Tools
• Social Profiles and Tools
THANK YOU!
Franco Antico
Software Architect
Blackboard
franco.antico@blackboard.com
REFERENCES AND
ADDITIONAL
INFORMATION
STRIDE and DREAD:
• http://msdn.microsoft.com/en-us/library/ff648644.aspx
OWASP:
• https://www.owasp.org/
• Latest Top-10 List:
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
NIST:
• http://www.nist.gov/information-technology-portal.cfm
REFERENCES AND
ADDITIONAL
INFORMATION
FISMA:
• http://csrc.nist.gov/groups/SMA/fisma/index.html
CSA:
• https://cloudsecurityalliance.org/
ENISA:
• http://www.enisa.europa.eu/
REFERENCES AND
ADDITIONAL
INFORMATION
Data Flow Diagrams:
• http://en.wikipedia.org/wiki/Data_flow_diagram
• Visio tool:
http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
Attack Trees:
• http://en.wikipedia.org/wiki/Attack_tree
• http://www.schneier.com/paper-attacktrees-ddj-ft.html
OAuth:
• http://oauth.net/
REFERENCES AND
ADDITIONAL
INFORMATION
Google Apps Marketplace:
• http://support.google.com/a/bin/answer.py?hl=en&answer=2538798
CVSSv2 Calculator:
• http://nvd.nist.gov/cvss.cfm?calculator&version=2
CWE
• http://cwe.mitre.org/

Real Time Object Detection Using Open CV
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

The security mindset securing social media integrations and social learning for blackboard learn

  • 1. The Security Mindset and Social Learning Franco Antico, Software Architect Blackboard
  • 2. ABOUT ME Franco Antico Software Architect Blackboard franco.antico@blackboard.com I am a software architect on the Bb Learn security team.
  • 3. WHAT WE ARE GOING TO LEARN TODAY Security mindset, approaches and best practices Bb security operations around Social Learning and the Blackboard Cloud Enable the Blackboard Cloud with confidence
  • 4. SECURITY MINDSET What is the security mindset? Why does it matter? What practices are the most effective at securing applications and services we use daily?
  • 5. SECURITY MINDSET: A PERSPECTIVE The security mindset is a way of looking at the operation of a system. It’s a matter of perspective that starts by asking and answering security questions: How does an attacker see our system/service/processes/etc.? What do they see? (attack surface) How do we secure our system in response?
  • 6. SECURITY MINDSET: A PERSPECTIVE Security issues don’t tend to be random. Both an attacker’s intent and opportunity shape the most likely exploits. The safeguards and protections we implement shouldn’t be random either. These countermeasures should match the real threat level.
  • 7. SECURITY MINDSET: WHY IT MATTERS The world waits for no one. What was secure today may not be secure tomorrow. Technology changes: some of this is trendy, some is here to stay and represents a new model, a new way of doing things (e.g., Social Media). A process that promotes continual evaluation, learning and evolution of the security posture is the best bet to manage this change.
  • 8. SECURITY MINDSET: APPROACHES How can we apply the security mindset in practice? Security Assessments provide a great vehicle to evaluate the security of a system in a comprehensive way fueled by the security mindset. Each assessment is a project with defined triggers, inputs, deliverables and is part of the SDLC. The assessment’s goal is to provide actionable security recommendations based on sound and consistent analysis.
  • 9. SECURITY ASSESSMENTS Establish the scope of the assessment. Selection of Evaluation Level:
    • Basic: Lower Risk
    • Moderate: Medium Risk
    • Rigorous: High Risk (e.g., new integrations)
    Evaluation Level drives scope and deliverables.
  • 10. SECURITY ASSESSMENTS Security Assessments have two main components:
    • Analytic Reviews (Design and Code)
    • Penetration Testing and Static Analysis
    The assessment can proceed with a high degree of parallelism. Each component breaks down into largely independent tasks. We will focus today on the Analytic items.
  • 11. SECURITY ASSESSMENTS Threat Modeling is the central analytic process of the assessment. Threat Modeling provides an effective means to identify, measure and manage security risk. The threat modeling process pairs identified threats with countermeasure recommendations. The countermeasure aspect is what closes the loop on the threat-vulnerability pair and makes the threat model actionable.
  • 12. THREAT MODELING Purpose: To analyze the security risks for a given system or entity from a number of perspectives. Threat Model: An Analytic Flow
    • Identify Assets and Actors
    • Modeling Methodologies: MS STRIDE, DREAD
    • Modeling Knowledge Bases: OWASP, CSA, ENISA, NIST
    • Identify Key Architecture Characteristics (e.g., APIs)
    • Attack Surface Analysis (e.g., System Integration Points)
    • Technology Specific Considerations (e.g., OAuth)
  • 13. THREAT MODELING Threat Model: (continued)
    • Diagrams
      • Data Flow Diagram
      • Attack Tree
    • Threat Library
    • Categorization vs. Scoring (Threat vs. Vulnerability)
      • STRIDE
      • DREAD
      • CWE (Common Weakness Enumeration)
      • CVSS (Common Vulnerability Scoring System)
  • 14. THREAT MODELING: ASSETS AND ACTORS Identify Assets and Actors. What are the actors' motivations? What risks do well-motivated actors pose to our system?
  • 15. THREAT MODELING: ASSETS AND ACTORS (Asset: Description)
    • Data: Any data associated with the system (e.g., student grade data).
    • Reputation: Reputation with customers and communities.
    • Infrastructure: The architectural components of the system. These can be services, systems and may impact both software and hardware.
  • 16. THREAT MODELING: ASSETS AND ACTORS (Actor: Description)
    • Attacker: External entity with no direct connection to the system. The attacker may be a human (individual or organized group) or some autonomous entity (bot, script).
    • Malicious User: Registered user attempting to violate terms of use or perform other inappropriate actions.
    • Malicious Insider: A person who has special access to the system.
  • 17. MODELING METHODOLOGIES Microsoft STRIDE – Categorizing
    • S – Spoofing identity
    • T – Tampering with data
    • R – Repudiation (deny action taken)
    • I – Information disclosure
    • D – Denial of service
    • E – Elevation of privilege
  • 18. MODELING METHODOLOGIES DREAD – Scoring (Categorizing)
    • D – Damage
    • R – Reproducibility (involvement)
    • E – Exploitability (required skill)
    • A – Affected users
    • D – Discoverability
    Each component is scored [Low, Med, High]. Higher scores are bad. The final score is the average of the components.
  • 19. MODELING KNOWLEDGE BASES
    OWASP
    • Open Web Application Security Project
    • Countermeasure guidelines and frameworks (ESAPI)
    • Top 10 List (2013 List recently released)
    NIST
    • National Institute of Standards and Technology
    • Cryptographic recommendations
    CSA and ENISA
    • Cloud Security Alliance and European Network and Information Security Agency
    • Cloud security
  • 20. DATA FLOW DIAGRAM: THE BB SYSTEM ADMIN REGISTERS A LEARN INSTANCE WITH THE CLOUD
  • 22. THREAT MODEL IN ACTION The following threat model items represent general threats facing social media and cloud integrations. These are the kinds of threats that we consider during development and test.
  • 23. THREAT MODELING IN ACTION: APIS API Threats (from Threat Library): A.1.1 API Message Integrity
    Threats: Tampering, Repudiation
    Description: An attacker alters an API message either at the source, en route or at the destination.
    Attack Vectors: 1. Message intercepted in transit.
    Countermeasures: 1. API-level message signature, hashing or MAC protection. Each tier that processes an API message, including routing, should add to the signature envelope. SSL alone will not guarantee message integrity for all cases: non-SSL scenarios, message tampering after SSL termination.
  • 24. THREAT MODELING IN ACTION: APIS API Threats (from Threat Library): A.1.2 API Message Misuse
    Threats: Tampering, Repudiation, Denial of Service
    Description: An attacker intercepts an API message and retransmits (replays) the message at a later time to compromise the system.
    Attack Vectors: 1. Message intercepted and replayed. Attacker captures a wall post message and replays the message in an effort to crash the system or impair performance.
    Countermeasures: 1. Include a one-time nonce with each API message. Note, the nonce can be included in the API signature referenced in A.1.1.
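As an added example (not code from the slides or from Blackboard), here is one way to combine the A.1.1 signature envelope with the A.1.2 one-time nonce for a single hop: the sender computes an HMAC-SHA256 over payload, nonce and timestamp, and the receiver refuses tampered, stale or replayed messages. The shared secret, the 300-second window and the message fields are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret between the Learn instance and the Cloud tier (not a real key)
SHARED_SECRET = b"example-shared-secret-not-for-production"
# Window (seconds) outside of which a message is stale even if its nonce has never been seen
MAX_AGE_SECONDS = 300


def canonical_bytes(payload, nonce, timestamp):
    """Serialize exactly the fields the MAC covers, in a fixed order, so both sides agree."""
    envelope = {"payload": payload, "nonce": nonce, "timestamp": timestamp}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload, secret=SHARED_SECRET, now=None):
    """Sender side: attach a one-time nonce, a timestamp and an HMAC-SHA256 over all three."""
    timestamp = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)  # 128 random bits; collisions within the window are negligible
    mac = hmac.new(secret, canonical_bytes(payload, nonce, timestamp), hashlib.sha256).hexdigest()
    return {"payload": payload, "nonce": nonce, "timestamp": timestamp, "mac": mac}


class ReplayGuard:
    """Receiver side: accepts a message once, and only if its MAC and timestamp check out."""

    def __init__(self, secret=SHARED_SECRET, max_age=MAX_AGE_SECONDS):
        self.secret = secret
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp at which it was accepted

    def verify(self, message, now=None):
        """Return (accepted, reason); reason is 'ok' or why the message was refused."""
        now = int(time.time()) if now is None else now
        try:
            payload = message["payload"]
            nonce = message["nonce"]
            timestamp = int(message["timestamp"])
            mac = message["mac"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        expected = hmac.new(self.secret, canonical_bytes(payload, nonce, timestamp),
                            hashlib.sha256).hexdigest()
        # Integrity first, in constant time: an unauthenticated message must not touch state
        if not hmac.compare_digest(expected, mac):
            return False, "bad-signature"
        # Bounding the age bounds the replay window, which keeps the seen-nonce table small
        if abs(now - timestamp) > self.max_age:
            return False, "stale"
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = timestamp
        # Forget nonces that can no longer pass the age check anyway
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        return True, "ok"
```

The seen-nonce table is per process here; a multi-node receiver would keep it in a shared store so a replay sent to a different node is still caught.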
  • 25. THREAT MODELING IN ACTION: APIS API Threats (from Threat Library): A.1.5 API Resilience
    Threats: Repudiation, Denial of Service
    Description: An attacker or malicious user executes a well-timed Denial of Service attack in an attempt to compromise a given user's profile.
    Attack Vectors: 1. Attacker launches a large-scale flood of API messages targeting the API infrastructure; the user's profile is left in an unknown state, potentially locking the user out of the profile.
    Countermeasures: 1. Ensure API message resilience so that the system can recover from messages lost in transit.
  • 26. THREAT MODELING IN ACTION: SOCIAL MEDIA Social Media Threats (from Threat Library): EI.1.2 Data Input Validation
    Threats: Spoofing, Information Disclosure
    Description: An external attacker compromises a user's Twitter/FB account and subsequently launches an attack attempting to exploit social learn users.
    Attack Vectors: An external attacker adds malicious JavaScript to a user's Twitter description by exploiting a vulnerability in Twitter. The attacker then launches a CSRF attack against other users in the compromised user's follower (or potential follower) list.
    Countermeasures: Any data coming from an external application must be sanitized before processing. Moreover, as a final fallback measure, the system should escape any data (externally sourced or not) prior to display.
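The two EI.1.2 countermeasures, sanitize on input and escape on output, as an added Python example (not the slides' or Blackboard's code): an externally sourced description is reduced to plain text before it is stored, and whatever is stored is HTML-escaped again at render time. The sample description and the 160-character cap are constructed for the example.

```python
import html
from html.parser import HTMLParser


class TextOnlyExtractor(HTMLParser):
    """Keep only the text of externally supplied markup; every tag and attribute is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip_depth = 0  # > 0 while inside <script>/<style>, whose bodies must not leak through

    def handle_starttag(self, tag, attrs):
        # Tags and their attributes (e.g. onerror=...) never reach the output
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def sanitize_external_text(raw, max_len=160):
    """Input-side control (EI.1.2): reduce a Twitter/FB description to bounded plain text.

    Entities are decoded and whitespace runs collapsed so the stored value is canonical text,
    never markup; the length cap is a constructed limit for this example.
    """
    parser = TextOnlyExtractor()
    parser.feed(raw)
    parser.close()
    text = " ".join("".join(parser.parts).split())
    return text[:max_len]


def render_description(stored):
    """Output-side fallback: escape whatever is stored before it is placed into an HTML page.

    This runs even for data that was sanitized on input, so a sanitizer gap or a value that
    arrived by another path (import, older code) still cannot inject markup.
    """
    return html.escape(stored, quote=True)


# Constructed sample: a description of the kind an attacker could plant in an external profile
SAMPLE_DESCRIPTION = (
    'Learner &amp; <b>maker</b><script>alert(1)</script>'
    '<img src=x onerror=alert(1)> hi'
)


def process_description(raw):
    """Full path: sanitize on the way in, escape on the way out; returns (stored, rendered)."""
    stored = sanitize_external_text(raw)
    return stored, render_description(stored)
```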
  • 27. THREAT MODELING IN ACTION: SOCIAL MEDIA EI.1.4 Avatar Security
    Threats: Spoofing, Information Disclosure, Denial of Service
    Description: 1. A malicious user attempts to perform a denial of service attack on the system through an avatar upload. 2. An external attacker gains access to a student's avatar image despite the student's social learn privacy settings.
    Attack Vectors: 1. A malicious user attempts to compromise the service by uploading a 100MB avatar image, either through the file upload or an external social network, e.g. Twitter (assume this vector is possible via a vulnerability in Twitter). A variation of this vector could be embedding malicious code in a standard-sized avatar with the goal of distributing the attack through the browser's rendering of the image. Potential attacks include attempting to exploit JPEG buffer overflow or ICC profile corruption vulnerabilities.
    Countermeasures: 1. Implement a server-side check on the avatar size: reject any avatar image that is suspiciously large. Also, to address a potential "evil" avatar image, use a security-vetted image toolkit to load and validate the avatar. 2. Provide authorization controls that guard the delivery of the avatar. Tie the avatar ACL to the profile privacy settings, i.e., only allow an open avatar for public privacy scenarios. The scope of "public" should address how visible public avatars and other data are: any legitimate user can view the avatar/data vs. anyone on the internet can view the data.
  • 28. THREAT MODELING IN ACTION: CLOUD Cloud Threats (from Threat Library): S.1.2 Cross System Logout
    Threats: Spoofing, Repudiation, Information Disclosure
    Description: An attacker or malicious user is able to impersonate a user via their session id even after logout.
    Attack Vectors: 1. Using the browser's history, an attacker discovers a user's session and gains access to the system as that user.
    Countermeasures: 1. Ensure that logout invalidates all relevant cross-system sessions in as synchronous a manner as possible.
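Countermeasure 1 of EI.1.4 (size check, then a vetted toolkit) can be fronted by cheap pre-decode checks, shown here as an added Python example that is not Blackboard's code: the size cap runs before a single byte is parsed, the declared content type is checked against the file signature, and the declared dimensions are read from the PNG IHDR or JPEG SOF header so absurd sizes are rejected before the image toolkit decodes anything. The byte and dimension limits and the sample headers are constructed; the actual decode still belongs to the vetted toolkit.

```python
import struct

MAX_AVATAR_BYTES = 512 * 1024   # constructed limit: anything larger is "suspiciously large"
MAX_DIMENSION = 1024            # constructed limit on the declared width/height
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SIGNATURE = b"\xff\xd8\xff"

class AvatarRejected(ValueError):
    """Raised with a short reason when an upload fails a pre-decode check."""

def _png_dimensions(data):
    # PNG layout: 8-byte signature, then the IHDR chunk: length(4) "IHDR"(4) width(4) height(4)
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise AvatarRejected("malformed PNG header")
    return struct.unpack(">II", data[16:24])  # (width, height)

def _jpeg_dimensions(data):
    # Walk the marker segments until a Start-Of-Frame (SOF0/1/2) marker carries the frame size
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise AvatarRejected("malformed JPEG marker")
        marker = data[i + 1]
        if marker == 0xFF:          # fill byte before a marker
            i += 1
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):
            # SOF payload: length(2) precision(1) height(2) width(2) ...
            if i + 9 > len(data):
                raise AvatarRejected("truncated JPEG frame header")
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        if seg_len < 2:
            raise AvatarRejected("malformed JPEG segment length")
        i += 2 + seg_len
    raise AvatarRejected("no JPEG frame header found")

def validate_avatar(data, declared_type):
    """Pre-decode checks; returns (mime_type, width, height) or raises AvatarRejected."""
    # The cheap size check runs before any byte of the file is parsed
    if len(data) > MAX_AVATAR_BYTES:
        raise AvatarRejected("suspiciously large upload")
    if data.startswith(PNG_SIGNATURE):
        mime, (width, height) = "image/png", _png_dimensions(data)
    elif data.startswith(JPEG_SIGNATURE):
        mime, (width, height) = "image/jpeg", _jpeg_dimensions(data)
    else:
        raise AvatarRejected("unrecognized image format")
    # The declared Content-Type must agree with the bytes, so a disguised file is refused early
    if declared_type != mime:
        raise AvatarRejected("declared type does not match content")
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise AvatarRejected("declared dimensions out of bounds")
    return mime, width, height

def check_avatar(data, declared_type):
    """Convenience wrapper returning (accepted, detail) instead of raising."""
    try:
        return True, validate_avatar(data, declared_type)
    except AvatarRejected as exc:
        return False, str(exc)

# Constructed sample headers (no pixel data; enough for the pre-decode checks)
SAMPLE_PNG_128 = (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"
                  + struct.pack(">II", 128, 128) + b"\x08\x06\x00\x00\x00" + b"\x00" * 4)
SAMPLE_JPEG_96x64 = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
                     + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08"
                     + struct.pack(">HH", 64, 96) + b"\x01\x01\x11\x00")
SAMPLE_PNG_HUGE = (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"
                   + struct.pack(">II", 40000, 40000) + b"\x08\x06\x00\x00\x00" + b"\x00" * 4)
```

An upload that passes these checks is then handed to the vetted toolkit for the real decode; the header check alone says nothing about malformed ICC profiles or other content-level attacks.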
  • 29. SOCIAL MEDIA TECHNOLOGY: OAUTH
    • OAuth: a standard for granting authorization across platforms and content delivery modalities
    • OAuth: protects passwords by providing an API for authorizing API access
    • OAuth is a reality of social media. Developers leverage OAuth because that is what the service providers implement (FB, Twitter, etc.)
  • 30. SOCIAL MEDIA TECHNOLOGY: OAUTH Key OAuth roles:
    Resource Owner (or End User)
    • Someone with a Facebook account (identity, credentials)
    Resource Server
    • Facebook service itself
    Client
    • Facebook App
  • 31. SOCIAL MEDIA TECHNOLOGY: OAUTH OAuth is flow based: Two-Legged vs. Three-Legged. Here is a diagram from Google Apps Marketplace that shows the gist of an OAuth 2.0 Three-Legged flow, the one most applicable to social media: http://www.google.com/support/enterprise/static/gapps/art/admin/en/cpanel/3-legged-oauth-diagram.png
    • Resource Owner (End User) → User
    • Resource Server → Google
    • Client → Web application
  • 32. OAUTH TAKEAWAYS What to look for:
    • Transparency of data usage
    • Support of opt-in model
    • Ability to turn integrations on and off
  • 33. BLACKBOARD CLOUD Are folks familiar with the Blackboard Cloud? Anyone have the Bb Cloud enabled currently?
  • 34. BLACKBOARD CLOUD What is the Blackboard cloud? Why should I turn on the Cloud? How do I turn on the Cloud?
  • 35. WHAT IS THE BLACKBOARD CLOUD The Blackboard Cloud is a platform for delivering new capabilities and extensions to Learn. Blackboard manages the Cloud. The new cloud-based capabilities are optional, and require activation by an administrator.
  • 36. WHAT IS THE BLACKBOARD CLOUD The Cloud consists of three feature sets:
    Blackboard Cloud Services
    • Software Updates, Inline Assignment Grading and enhanced tools to foster Social Learning.
    Cloud Profiles & Tools
    • basic Profiles (called Profile Cards), the People tool, and enhancements to the Posts tool
    Social Profiles & Tools
    • full Profiles, Spaces, Messages, and enhancements to Profile Cards, People tool, and the Posts tool
  • 37. WHY SHOULD I TURN ON THE CLOUD?
    • More Rapid Innovation & Responsiveness
    • Scalability with Less Cost to You
    • Future Cross-institution / Global capabilities
    • Enhanced Educational Experience
    • It’s Secure, provides Privacy Control (Cloud Profile private by default) and Transparency of Data Usage
  • 38. SOCIAL MEDIA DATA USAGE TRANSPARENCY Bb Cloud usage of Twitter and Facebook user data:
    • Facebook/Twitter: profile picture (avatar), “about me” text (description)
    • Facebook only: Facebook specific email address
    https://help.blackboard.com/en-us/Cloud/Cloud_Management/Administrator/Cloud_FAQ (Under "Are there Facebook and Twitter integrations with a user profile?")
  • 39. HOW DO I TURN ON THE CLOUD Enabling the cloud goes in a certain order. This is like activating different layers in an architecture. The feature sets build on one another.
    1. Blackboard Cloud Services
    2. Cloud Profiles & Tools
    3. Social Profiles & Tools
    Cloud Profiles and Social Learning Tools are NOT automatically enabled once the Blackboard Cloud is enabled.
  • 40. TURNING ON BLACKBOARD CLOUD SERVICES Administrator Panel, under Cloud Management, click Cloud Connector.
  • 41. TURNING ON BLACKBOARD CLOUD SERVICES Set the External URL of your Learn instance, a Description and the Instance Type:
  • 42. ENABLING CLOUD PROFILES AND TOOLS On the Administrator Panel, under Cloud Management, click Cloud Profiles and Tools.
  • 43. ENABLING CLOUD PROFILES AND TOOLS The cloud tools are off by default:
  • 44. ENABLING CLOUD PROFILES AND TOOLS We can then turn them on:
  • 45. ENABLING CLOUD PROFILES AND TOOLS Same thing for the Cloud Tools (can also turn on Twitter and FB):
  • 46. ENABLING SOCIAL PROFILES AND TOOLS With Cloud Profiles and Tools On, go to the Administrator Panel, under Cloud Management, and click Cloud Profiles and Tools to find:
  • 47. ENABLING SOCIAL PROFILES AND TOOLS After you click On, you can manage the Social Settings:
  • 48. ENABLING SOCIAL PROFILES AND TOOLS Here is what things will look like after you enable the entire Cloud:
  • 49. ENABLING THE CLOUD More details @ help.blackboard.com: https://help.blackboard.com/en-us/Cloud/Cloud_Management/Administrator Under Cloud FAQs and Cloud Management (Licensing, Firewall implications, setting specifics, etc.)
  • 50. DO THIS NEXT Turn on the Blackboard Cloud with confidence:
    • Blackboard Cloud Services
    • Cloud Profiles and Tools
    • Social Profiles and Tools
  • 51. THANK YOU! Franco Antico Software Architect Blackboard franco.antico@blackboard.com
  • 52. REFERENCES AND ADDITIONAL INFORMATION
    STRIDE and DREAD:
    • http://msdn.microsoft.com/en-us/library/ff648644.aspx
    OWASP:
    • https://www.owasp.org/
    • Latest Top-10 List: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
    NIST:
    • http://www.nist.gov/information-technology-portal.cfm
  • 53. REFERENCES AND ADDITIONAL INFORMATION
    FISMA:
    • http://csrc.nist.gov/groups/SMA/fisma/index.html
    CSA:
    • https://cloudsecurityalliance.org/
    ENISA:
    • http://www.enisa.europa.eu/
  • 54. REFERENCES AND ADDITIONAL INFORMATION
    Data Flow Diagrams:
    • http://en.wikipedia.org/wiki/Data_flow_diagram
    • Visio tool: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
    Attack Trees:
    • http://en.wikipedia.org/wiki/Attack_tree
    • http://www.schneier.com/paper-attacktrees-ddj-ft.html
    OAuth:
    • http://oauth.net/
  • 55. REFERENCES AND ADDITIONAL INFORMATION
    Google Apps Marketplace:
    • http://support.google.com/a/bin/answer.py?hl=en&answer=2538798
    CVSSv2 Calculator:
    • http://nvd.nist.gov/cvss.cfm?calculator&version=2
    CWE:
    • http://cwe.mitre.org/