Upgrade to Pro — share decks privately, control downloads, hide ads and more …

There is no impenetrable system - So, why we are just waiting to get breached?

Nane Kratzke
February 20, 2018
Programming
0
190

There is no impenetrable system - So, why we are just waiting to get breached?

Although it might be hard to accept. By principle, attackers can establish footholds in our systems whenever they want (zero-day exploits). This presentation is some input for a panel discussion about "Security and Safety in Cloud-based Systems and Services" (9th International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2018) in Barcelona, Spain in February 2018).

Cloud application security engineering efforts focus to harden the "fortress walls". Therefore, cloud applications rely on these defensive walls but seldom attack intruders actively. There is the somehow the need for a more reactive component. A component that could be inspired by biological systems. Biological systems consider by design that defensive "walls" can be breached at several layers. So, biological systems provide an additional active defense system to attack potential successful intruders - an immune system. Although several experts find this approach "intriguing", there are follow-up questions arising. What is about exploits that adapt to bio-inspired systems? How to protect the immune system against direct attacks? Are cloud immune systems prone to phenomenons like fever (running hot) or auto-immune diseases (self-attacking)?

Nane Kratzke

February 20, 2018
Tweet

More Decks by Nane Kratzke

See All by Nane Kratzke
KI aus der Cloud - Denkanstöße für Life-Sciences?
nkratzke
0
65
KI aus der Cloud
nkratzke
1
78
Pizza-as-a-Service
nkratzke
0
310
Smart Like A Fox: How clever students trick dumb automated programming assignment assessment systems
nkratzke
1
320
What is a SERVICE MESH and what it is good for?
nkratzke
2
870
About being the Tortoise or the Hare? Making Cloud Applications too Fast and Furious for Attackers
nkratzke
0
66
Towards a Lightweight Multi-Cloud DSL for Elastic and Transferable Cloud-native Applications
nkratzke
0
71
We have the Bricks to Build Cloud-native Cathedrals - But do we have the mortar?
nkratzke
0
55
About an Immune System Understanding for Cloud-native Applications . Biology Inspired Thoughts to Immunize the Cloud Forensic Trail
nkratzke
0
180

Other Decks in Programming

See All in Programming
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
380
2 週間で Twitter Bot を作ってみた
contour_gara
0
510
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
840
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
920
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
650
Fragment Composition of GraphQL
quramy
7
1k
Git Lint
bkuhlmann
4
750
Elm Form Validation
bkuhlmann
0
510
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
770
障害対応を起点としたもっといい開発と運用のサイクル作りのためにできること / Hatena Enginner Seminar #29
polamjag
0
180
Snowflakeで眠ったデータを起こそう!
estie
0
120

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
Debugging Ruby Performance
tmm1
70
11k
Thoughts on Productivity
jonyablonski
58
3.8k
4 Signs Your Business is Dying
shpigford
175
21k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Navigating Team Friction
lara
178
13k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
Art, The Web, and Tiny UX
lynnandtonic
289
19k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
It's Worth the Effort
3n
180
27k

Transcript

  1. There is no impenetrable system So, why we are just

    waiting to get breached? Nane Kratzke Panel Discussion: “Security and Safety in Cloud-based Systems and Services“ 9th International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2018); Barcelona, Spain, 2018

  2. The Fortress Walls of Cloud Applications Prof. Dr. rer. nat.

    Nane Kratzke Computer Science and Business Information Systems 2 • Security Groups • Firewalls • VPNs • Intrusion Detection Systems • Unattended Security Updates • Symmetric and asymmetric encryption • Password (checks) • SSH Keys • Authentication • Authorization • Two (Multi) Factor Authentication • …

  3. How to defense against unknown vulnerabilities? Prof. Dr. rer. nat.

    Nane Kratzke Computer Science and Business Information Systems 3 Reported in January 2018. Mainly x86 microprocessors with out-of-order execution and branch-prediction affected since 1995 (says Google). CVE-2017-5754 CVE-2017-5715 CVE-2017-5753 I started my computer science studies in 1996! My microprocessor professor told me, out-of-order execution and branch-prediction is one of the coolest things on earth.

  4. How long can presence be maintained? Prof. Dr. rer. nat.

    Nane Kratzke Computer Science and Business Information Systems 4 Answer: Surprisingly long!

  5. Some scary considerations • In principle attackers can establish footholds

    in our systems whenever they want (zero-day exploits) • Cloud application security engineering efforts focus to harden the fortress walls. • Cloud applications rely on their defensive walls but seldom attack intruders actively. Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 5

  6. We need a reactive component as well Biological systems are

    different. Defensive “walls” can be breached at several layers. An additional active defense system is needed to attack potential successful intruders - an immune system. Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 6

  7. Let us make the game more challenging for the attacker

    (act, do not react) Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 7 We can create a race between a manual (time-intensive) breach and a fully automatic (and fast) regeneration. Regenerated node (randomly chosen at some point in time) Successfully breached node (lateral movement)

  8. It is all about Pets versus Cattle Prof. Dr. rer.

    nat. Nane Kratzke Computer Science and Business Information Systems 8 • Assume you are a rancher • Assume one of your cattle is deadly infectious • Be professional, shoot – and replace it • Yes, life is not fair (maybe for the cute kitty) • However, we should remember that for security (and that zero-day attacks are not fair as well)

  9. Immune systems for cloud applications? Yes, there are questions worth

    to be discussed … • Can we reduce regenerations? • Can we identify suspect nodes automatically? • Limited to what kind of applications? • What is about exploits/attacks that are adaptable to bio- inspired systems? • How to protect the regeneration mechanism against attackers? • Are cloud immune systems prone to phenomenons like fever (running hot) or auto-immune diseases (self- attacking)? Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 9

  10. Acknowledgement Picture Reference • Ninja: Pixabay (CC0 Public Domain) •

    Fortress: Pixabay (CC0 Public Domain) • Bowman: Pixabay (CC0 Public Domain) • Cattle: Pixabay (CC0 Public Domain) • Cell: Pixabay (CC0 Public Domain) • Air Transport: Pixabay (CC0 Public Domain) Prof. Dr. rer. nat. Nane Kratzke Computer Science and Business Information Systems 10 This contribution resulted as a side-effect from research that is funded by German Federal Ministry of Education and Research (Project Cloud TRANSIT, 13FH021PX4). Presentation URL

  11. About Prof. Dr. rer. nat. Nane Kratzke Computer Science and

    Business Information Systems 11 Nane Kratzke CoSA: http://cosa.fh-luebeck.de/en/contact/people/n-kratzke Blog: http://www.nkode.io Twitter: @NaneKratzke GooglePlus: +NaneKratzke LinkedIn: https://de.linkedin.com/in/nanekratzke GitHub: https://github.com/nkratzke ResearchGate: https://www.researchgate.net/profile/Nane_Kratzke Speaker Deck: https://speakerdeck.com/nkratzke