Malicious Insider deleted data on AWS
• All data was on EBS disks
• Once the client realised that there was an issue, the server was replicated and the original server left untouched
• The EBS disk from the original server was replicated and mounted in a new instance
Forensic Process
• Focus on data recovery for logs/history
• Raw disk image (byte-for-byte copy) created from the mounted disk
• Using TSK tools (srch_strings) extracted printable strings from the image
• Able to find a fairly large extract of text from the audit logs of one of the servers
• The log snippet contained the user who logged in and ran the delete commands
• Work only on the replicated volume and hash the image before and after analysis so the evidence chain holds
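The string-carving step above, as an added example that is not part of the original deck: it carves printable runs out of a raw image the way TSK's srch_strings does, then joins Linux audit records by their serial number to recover which login account ran a delete command. SAMPLE_IMAGE is a constructed fixture (zeroed/garbage bytes with auditd-style USER_AUTH, SYSCALL and EXECVE lines embedded); the account name, paths and serials in it are made up for the demo.

```python
# Added example (not from the original deck): carve printable strings out of a raw
# disk image the way TSK's srch_strings / strings(1) does, then pull out Linux audit
# records that show which login account ran a delete command. SAMPLE_IMAGE is a
# constructed fixture (zero/garbage bytes with auditd-style lines embedded); the
# record layouts follow auditd's USER_AUTH / SYSCALL / EXECVE format.
import re
from typing import Iterator, List, Tuple

MIN_LEN = 4  # strings(1) and srch_strings default to runs of 4 printable bytes

def carve_strings(image: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Yield each run of >= min_len printable ASCII bytes found in the image."""
    run = bytearray()
    for b in image:
        if 0x20 <= b < 0x7F or b == 0x09:      # printable ASCII or tab
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")

# auid (login uid) survives su/sudo, so it ties a SYSCALL back to the account that
# logged in. SYSCALL and EXECVE records of one event share the audit serial number.
AUTH_RE = re.compile(r'type=USER_AUTH .*auid=(\d+) .*acct="(\w+)"')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\(\d+\.\d+:(\d+)\):.*auid=(\d+) .*comm="(?:rm|shred|unlink|dropdb|mysql)"')
EXECVE_RE = re.compile(r'type=EXECVE msg=audit\(\d+\.\d+:(\d+)\):')
ARG_RE = re.compile(r'a\d+="([^"]*)"')

def find_deleters(image: bytes) -> List[Tuple[str, str]]:
    """Return (account, full command line) for every delete-type execve carved from the image."""
    accounts = {}   # auid -> account name, from USER_AUTH records
    events = {}     # audit serial -> auid, for SYSCALL records of delete tools
    argv = {}       # audit serial -> reconstructed argv, from EXECVE records
    for line in carve_strings(image):
        m = AUTH_RE.search(line)
        if m:
            accounts[m.group(1)] = m.group(2)
            continue
        m = SYSCALL_RE.search(line)
        if m:
            events[m.group(1)] = m.group(2)
            continue
        m = EXECVE_RE.search(line)
        if m:
            argv[m.group(1)] = " ".join(ARG_RE.findall(line))
    return [(accounts.get(auid, "auid=" + auid), argv.get(serial, "?"))
            for serial, auid in sorted(events.items(), key=lambda kv: int(kv[0]))]

# Constructed fixture: slack space, a login for "bob", bob running `rm -rf /var/lib/mysql`,
# and an unrelated daemon execve (auid=4294967295 means "no login session").
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b'type=USER_AUTH msg=audit(1405068200.101:301): pid=2311 uid=0 auid=1001 ses=7 '
      b'msg=\'op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.5 '
      b'addr=10.0.0.5 terminal=ssh res=success\'\n'
    + b"\xff\xfe\x00\x01" * 16
    + b'type=SYSCALL msg=audit(1405068311.512:344): arch=c000003e syscall=59 success=yes '
      b'exit=0 ppid=2311 pid=2390 auid=1001 uid=1001 comm="rm" exe="/bin/rm" key="delete"\n'
    + b'type=EXECVE msg=audit(1405068311.512:344): argc=3 a0="rm" a1="-rf" a2="/var/lib/mysql"\n'
    + b'type=SYSCALL msg=audit(1405068320.004:350): arch=c000003e syscall=59 success=yes '
      b'exit=0 ppid=1 pid=2400 auid=4294967295 uid=0 comm="logrotate" exe="/usr/sbin/logrotate"\n'
    + b"\x00" * 64
)

if __name__ == "__main__":
    for account, cmd in find_deleters(SAMPLE_IMAGE):
        print(f"{account}: {cmd}")
```

On a real image you would feed the output of `srch_strings -t d image.dd` into the same regexes; keying on auid rather than uid is what makes the attribution survive a `sudo` or `su` hop.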
How did we test?
1. Whitelisted our IP in the security groups
2. Able to see the ports and the application
3. Discovered there was an internal enterprise mobile application connecting to a certain port which was open to all (0.0.0.0/0) without any authn and authz
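The same finding can be reached from the control plane before anyone port-scans the host. The following is an added example, not code from the original deck: it audits security-group rules for ports reachable from the whole Internet. SAMPLE_SGS is a constructed fixture in the shape of `aws ec2 describe-security-groups --output json`; the group ids, names and the 80/443 allow-list are assumptions for the demo.

```python
# Added example (not from the original deck): audit security-group rules for ports
# reachable from the whole Internet, which is how the open, unauthenticated mobile
# back-end port above would be found before an attacker finds it. SAMPLE_SGS is a
# constructed fixture in the shape of `aws ec2 describe-security-groups --output json`;
# group ids/names and the 80/443 allow-list are assumptions for the demo.
import ipaddress
import json
from typing import Dict, List

SAMPLE_SGS = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0e5f6a7b", "GroupName": "mobile-backend", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
]}
""")

# Ports that are legitimately public-facing; everything else open to the world is a finding.
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}

def _world_cidrs(perm: dict) -> List[str]:
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def world_open_rules(describe_output: dict, allowed=PUBLIC_OK) -> List[Dict]:
    """Return every inbound rule open to 0.0.0.0/0 or ::/0 that is not on the allow-list."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            world = _world_cidrs(perm)
            if not world:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":                       # all protocols, all ports
                proto, lo, hi = "all", 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if lo == hi and (proto, lo) in allowed:
                continue
            findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                             "proto": proto, "ports": (lo, hi), "from": world})
    return findings

if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_SGS):
        print(f"{f['group']} ({f['name']}): {f['proto']} {f['ports']} open from {f['from']}")
```

A rule that is world-open on a port the app expects only mobile clients on is exactly the case in the slide; the fix is a narrower source (a VPN or API gateway range) plus authentication in the application, not one or the other.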
Application (In)Security & XXE
• Researcher finds that he can inject his own file name and path (XML external entity) into an application running on AWS EC2
• EC2 uses Auto Scaling
• Auto Scaling requires information to be present on the EC2 instance, served by the instance metadata service
• The metadata web server (169.254.169.254) answers local HTTP requests; the external entity makes the application fetch the instance's IAM credentials for the attacker, and the server and its credentials are pwned
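The payload shape behind this slide and the check that stops it, as an added example (not code from the original deck or from the researcher's report): the XML declares an external entity pointing at the metadata service, and a fetch-target validator refuses any URL a server would resolve on a user's behalf that points at link-local, private or loopback space. XXE_PAYLOAD is a constructed sample and api.example.com is a placeholder allow-list host.

```python
# Added example (not from the original deck): the XXE shape that reaches the EC2
# instance metadata service, and a fetch-target check a server should apply to any
# URL it is about to request on a user's behalf (external entities, SSRF, webhooks).
# XXE_PAYLOAD is a constructed sample; api.example.com is a placeholder allow-list host.
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlparse

# What an attacker sends to a parser that resolves external entities. The IAM
# credentials path is the one the metadata service serves to the instance itself.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY creds SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
]>
<order><note>&creds;</note></order>"""

ENTITY_RE = re.compile(r'<!ENTITY\s+(\S+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"', re.I)

def external_entity_targets(xml_text: str) -> List[Tuple[str, str]]:
    """List (entity name, URI) for every external entity declared in the DTD."""
    return ENTITY_RE.findall(xml_text)

IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}   # AWS metadata endpoints (IPv4 / IPv6)

def is_safe_fetch_target(url: str, allowed_hosts) -> bool:
    """Allow only http(s) to an allow-listed host that is not a private, loopback,
    link-local (metadata) or unspecified address."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):        # blocks file:, ftp:, gopher:, jar: ...
        return False
    host = p.hostname
    if not host or host in IMDS_HOSTS:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A name: only the allow-list decides. (DNS rebinding still needs a resolver-level
        # check at connect time; not shown here.)
        return host in allowed_hosts
    if ip.is_link_local or ip.is_private or ip.is_loopback or ip.is_unspecified:
        return False
    return host in allowed_hosts

def reject_unsafe_entities(xml_text: str, allowed_hosts) -> List[str]:
    """Names of external entities whose target fails the fetch check; parse only if empty."""
    return [name for name, uri in external_entity_targets(xml_text)
            if not is_safe_fetch_target(uri, allowed_hosts)]

if __name__ == "__main__":
    print(reject_unsafe_entities(XXE_PAYLOAD, {"api.example.com"}))   # ['creds']
```

The real fix is to disable external entity resolution in the XML parser altogether (for example lxml's `resolve_entities=False`, or the defusedxml wrappers) and to require IMDSv2 on the instance, which answers only to requests carrying a session token obtained with a PUT; a GET issued through a parser or an SSRF hop then gets nothing back.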
BrowserStack Hack
• Old neglected server, not being used
• Server is brought up to check something
• Unpatched server is left running on the Internet without any network protection
• Attacker compromises the server, steals the AWS credentials and manages to email all of its customers about how bad the company is
What does this mean?
• Security in the cloud is really not very different from regular security
• Same principles and processes apply
• Same tools and techniques apply
• IT folks simply need to understand the best way to get the same thing done
Where are we headed?
• External pen tests on infra
• External VA/PT on applications
• OS configuration audits
• Architecture review
• Testing firewalls
• DoS testing
• Identity & Access Management
Cloud computing is computing in which large groups of remote servers are networked to allow the centralized data storage, and online access to computer services or resources.
- From http://en.wikipedia.org/wiki/Cloud_computing
How do we get Elasticity?
By provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible.
Autonomic Manner
The system makes decisions on its own, using high-level policies; it will constantly check and optimize its status and automatically adapt itself to changing conditions.
Virtualization provides automation
• Cloud computing automates the process through which the user can provision resources on demand.
• By minimizing user involvement, automation speeds up the process, reduces labor costs and reduces human errors
Private Cloud
Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally.
Hybrid Cloud
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models.
IAAS CSP takes care of
• Physical Security (Nobody should walk away with the server, including Govt.)
• Host OS which runs the virtualization software
• Virtualization Security (Rogue VMs can't harm others)
IAAS CSP takes care of
• Environmental Safeguards (DC is safe to run servers)
• Administrative Controls (Policies and Procedures)
• Certifications and Accreditations (SAS 70, SOC 1, PCI DSS, ISO 27001)
You take care of
• Guest OS (The compute instance)
• Application Security (The application on the compute instance)
• Data Security (The data being generated and processed by the application)
• Network security for the guest & applications
• Security Monitoring of Guest OS & applications
Our apps in the public cloud
• This applies only to IAAS and PAAS, as in SAAS it is not our application
• An insecure app can expose the underlying infrastructure and data to theft, corruption and exposure
Security Testing of Apps
• No different from testing any application for security
• We might require permission to run automated scanners against the app
• Ideal framework to test against is the OWASP Top 10 and the OWASP Testing Guide
App Insecurity Scenario
• App has a Local File Inclusion bug
• The AWS root credentials are being used
• They are stored in a world-readable file on the server
• Attacker reads the credentials and starts multiple large instances to mine bitcoins
• Victim saddled with a massive bill at the end of the month
• Root keys have no permission boundary; an instance role (instance profile) with a scoped policy and no static keys on disk removes both the file and the blast radius
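A host check for this scenario, as an added example (not code from the original deck): it walks a web root for files holding long-lived AWS access keys and reports whether each is world-readable, which is what an LFI hands to an attacker. The sample tree, its paths and modes are constructed for the demo; the key values are AWS's published example credentials, not real ones.

```python
# Added example (not from the original deck): a host check for the scenario above,
# walking a web root for files that hold long-lived AWS access keys and reporting
# whether they are world-readable (what an LFI hands to an attacker). The sample tree,
# its paths and modes are constructed; the key values are AWS's published example
# credentials, not real ones.
import os
import re
import stat
import tempfile
from typing import Dict, List

# Long-lived (AKIA) and temporary (ASIA) access key ids, plus a credentials-file secret line.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_RE = re.compile(r"aws_secret_access_key\s*=\s*\S{40}", re.I)

def scan_for_exposed_credentials(root: str) -> List[Dict]:
    """Report files under root containing AWS keys, with their mode and world-readability."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    text = fh.read(1 << 20).decode("utf-8", "replace")  # first MiB is enough
            except OSError:
                continue
            if not (ACCESS_KEY_RE.search(text) or SECRET_RE.search(text)):
                continue
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "world_readable": bool(st.st_mode & stat.S_IROTH),
                "key_ids": sorted(set(ACCESS_KEY_RE.findall(text))),
            })
    return sorted(findings, key=lambda f: f["path"])

def _write(path: str, text: str, mode: int) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)

def build_sample_tree() -> str:
    """Constructed fixture: the LFI page, a 0644 PHP config with root keys, a 0600 credentials file."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    _write(os.path.join(root, "app", "index.php"),
           "<?php include($_GET['page']); ?>\n", 0o644)          # the LFI itself
    _write(os.path.join(root, "app", "config.php"),
           '<?php $aws = ["key" => "AKIAIOSFODNN7EXAMPLE", '
           '"secret" => "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"]; ?>\n', 0o644)
    _write(os.path.join(root, "home", "deploy", ".aws", "credentials"),
           "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
           "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n", 0o600)
    return root

if __name__ == "__main__":
    for f in scan_for_exposed_credentials(build_sample_tree()):
        print(f"{f['path']}: mode {f['mode']} world_readable={f['world_readable']} keys={f['key_ids']}")
```

Any AKIA hit on an EC2 host is a finding regardless of mode: with an instance profile the application never needs a static key, and the web server's own user should not be able to read a deploy account's dotfiles either.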
Our infra in the public cloud
• This applies only to IAAS, as in SAAS and PAAS it is not our application or infra
• Infrastructure vulnerabilities can derail any app security in place.
Security Testing of Infra
• No different from testing a server for security
• We may require permission to run automated scanners against the server
• Ideal framework to test against is any penetration testing standard: PTES / OSSTMM
Infra Insecurity Scenario
• MySQL production database is listening on an external port
• Developers work directly on the production database and require SQL management software
• They log in using the root user of the MySQL database server and a simple password
• Attacker runs a brute force script and cracks the password, gains full access to the database
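A listener audit for this scenario, as an added example (not code from the original deck): it parses `ss -ltnp` output and flags datastores bound to a wildcard address, which is what makes the MySQL port reachable through whatever the security group lets in. SAMPLE_SS is a constructed sample; the port-to-service map is an assumption to extend for your own stack.

```python
# Added example (not from the original deck): a listener audit for the scenario above.
# It parses the output of `ss -ltnp` (constructed sample below) and flags datastores
# bound to a wildcard address, i.e. reachable from any interface the security group lets
# through. The port-to-service map is an assumption; extend it for your own stack.
import re
from typing import Dict, List

SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1290,fd=22))
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1311,fd=6))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1400,fd=8))
LISTEN  0       128     [::]:3306            [::]:*             users:(("mysqld",pid=1290,fd=23))
"""

DATASTORE_PORTS = {3306: "mysql", 5432: "postgresql", 6379: "redis", 27017: "mongodb",
                   9200: "elasticsearch", 11211: "memcached"}
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def exposed_datastores(ss_output: str) -> List[Dict]:
    """Return listening datastores bound to all interfaces, from `ss -ltnp` text."""
    findings = []
    for line in ss_output.splitlines()[1:]:               # skip header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")          # handles "[::]:3306" and "*:443"
        if host not in WILDCARDS or int(port) not in DATASTORE_PORTS:
            continue
        m = PROC_RE.search(line)
        findings.append({"port": int(port), "service": DATASTORE_PORTS[int(port)],
                         "bind": host, "process": m.group(1) if m else "?"})
    return findings

if __name__ == "__main__":
    for f in exposed_datastores(SAMPLE_SS):
        print(f"{f['service']} ({f['process']}) listening on {f['bind']}:{f['port']} for everyone")
```

The redis line shows the corrected shape: bound to 127.0.0.1 only. For MySQL that is `bind-address = 127.0.0.1` in my.cnf, with developers reaching it over an SSH tunnel or bastion under their own accounts rather than root with a guessable password; a wildcard bind plus a permissive security group is what turned a weak password into a full compromise.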
Our data in the public cloud
• This applies to all of IAAS, PAAS and SAAS
• Our data can get leaked, exposed, stolen or held to ransom if we don't take care of making sure it is safe while being used, while being transmitted and while being stored
Verifying Data Security through Testing
• This is a specialized testing requirement. A part of this can be tested by looking at the system and application architecture
• All the places where the data can be written, sent or travel need to be looked at.
• Writing to storage, exposing APIs, backups and even insider threats
Verifying Data uses Encryption
• Data at rest is encrypted – This will ensure that if an attacker has access to the disk/store, they can't use the data
• Data in motion is encrypted – This will ensure that if an attacker can sniff the network traffic they can't see or tamper with the data
• Data in use (tmp files, key loaded in memory) – This will ensure that an attacker can't do catastrophic damage if they manage to gain access to a server
Secure Key Management
• Once we start using encryption for data storage and data transmission, the encryption keys need to be safeguarded against theft and accidental loss
• A secure key management process will ensure that at any point keys can be revoked and reissued
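The "data at rest is encrypted" and "keys can be revoked and reissued" points above, carried through in code as an added example (not from the original deck): envelope encryption with a versioned master-key store, where each record is sealed under its own data key and master keys can be rotated or revoked without re-encrypting the data. The symmetric primitive is an HMAC-SHA256 counter-mode keystream with an HMAC tag, a standard-library stand-in for AES-GCM; the assumption is that in production the master keys live in a KMS or HSM and AES-GCM does the sealing.

```python
# Added example (not from the original deck): envelope encryption with a versioned
# master-key store, showing the two properties the slides ask for: data at rest is
# sealed under a per-record data key, and master keys can be rotated, and revoked,
# without re-encrypting the data. The symmetric primitive is an HMAC-SHA256 counter-mode
# keystream with an HMAC tag, a stdlib stand-in for AES-GCM (assumption: in production
# the master key lives in a KMS/HSM and AES-GCM does the sealing).
import hmac
import os
import secrets
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, Tuple

TAG_LEN = 32

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, sha256).digest()       # separate enc and mac keys

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), sha256).digest()
    return bytes(out[:n])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag  (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class KeyStore:
    """Versioned master (key-encrypting) keys: rotate issues a new version, revoke kills one."""
    def __init__(self) -> None:
        self.versions: Dict[str, bytes] = {}
        self.revoked: set = set()
        self.current = ""
        self.rotate()

    def rotate(self) -> str:
        kid = f"mk-v{len(self.versions) + 1}"
        self.versions[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid

    def revoke(self, kid: str) -> None:
        self.revoked.add(kid)

    def wrap(self, data_key: bytes) -> Tuple[str, bytes]:
        return self.current, seal(self.versions[self.current], data_key)

    def unwrap(self, kid: str, wrapped: bytes) -> bytes:
        if kid not in self.versions or kid in self.revoked:
            raise PermissionError(f"master key {kid} revoked or unknown")
        return open_sealed(self.versions[kid], wrapped)

@dataclass
class Envelope:
    key_id: str        # which master key version wraps the data key
    wrapped_key: bytes
    ciphertext: bytes

def encrypt_record(ks: KeyStore, plaintext: bytes) -> Envelope:
    data_key = secrets.token_bytes(32)                  # fresh key per record
    kid, wrapped = ks.wrap(data_key)
    return Envelope(kid, wrapped, seal(data_key, plaintext))

def decrypt_record(ks: KeyStore, env: Envelope) -> bytes:
    return open_sealed(ks.unwrap(env.key_id, env.wrapped_key), env.ciphertext)

def rewrap_record(ks: KeyStore, env: Envelope) -> Envelope:
    """Move a record to the current master key: only the 32-byte data key is re-sealed."""
    kid, wrapped = ks.wrap(ks.unwrap(env.key_id, env.wrapped_key))
    return Envelope(kid, wrapped, env.ciphertext)
```

Rotation touches only the wrapped data keys, so reissuing a master key is cheap even for terabytes of backups; revoking a version makes everything still wrapped under it unreadable, which is the lever you want when a key is suspected stolen. The key id stored with each envelope is what lets an audit answer "which data is still on the old key".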
Data Insecurity Scenario
• Database is getting backed up regularly.
• Due to performance reasons, the database wasn't encrypted when the initial backups were done.
• Dev team moves to newer-type SSDs and doesn't decommission the older HDDs.
• Attacker finds an older HDD, does forensics for data recovery and sells the data for profit.
• Backups need the same encryption as the live data, and retired media must be wiped or destroyed before it leaves your control.
European Network and Information Security Agency (ENISA)
• Cloud Computing Information Assurance Framework
• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework/at_download/fullReport
• Covers 15 areas in OpSec & Identity & Access Management
Why Infrastructure first?
In all cases the Cloud Service Provider (CSP) takes care of physical security and the host operating system. So we just need to worry about the guest OS and all the infrastructure running on it.
5 Pillars of Security in IAAS
• Identity and Access Management
• Configuration and Patch Management
• Endpoint and Network Protection
• Vulnerability and Asset Management
• Data Protection
How do the CSPs stack up for security?
CSP / Security Feature            AWS             Google Compute Engine   Microsoft Azure   Rackspace
IAM                               YES             YES                     YES               Sort of
2FA for Management Layer          Need to enable  Need to enable          NO                NO
Network Isolation                 YES             YES                     YES               YES
Virtual Private Networks          YES             YES                     YES               YES
Firewall                          YES             YES                     YES               YES
Centralized Logs and Audit Trail  YES             NO                      NO                NO
Encryption for Storage            YES             YES                     YES               (not given)
Key Management                    YES             YES                     YES               YES
Provider features move quickly; treat this as a snapshot from when the deck was written and check current documentation before relying on it.
Older Slide Attributions
• Cloud Image Background from www.perspecsys.com
• Virtualization image By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons
• CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32
• Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Toyota Robot at Toyota Kaikan
• AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html
• SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/
• http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas
• By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons