Slide 1

for Auditors
Teri Radichel | CEO | 2nd Sight Lab
IIA and ISACA ~ Seattle 2019
© 2nd Sight Lab, LLC
@teriradichel

Slide 2

Auditors can have a significant impact on cybersecurity.

Slide 3

Not just what to check… but why?

Slide 4

Communicate why findings matter.

Slide 5

Influence decision makers.

Slide 6

Help solve the problem.

Slide 7

Brief Tangent
• Breaches
• Repercussions
• Why it matters

Slide 8

Cost of a Breach
• It goes up daily…
• Executives know this.
• They say they care.
• So why all the breaches?

Slide 9

The cost will keep going up…
• GDPR: 4% of revenue.
• More regulation likely coming if we don’t fix it.
• Regulations cost a lot and make EVERYTHING more complicated.
• Fix it before that happens.

Slide 10

Is this FUD? No. This is news.

Slide 11

The bigger cost
• Democracy
• Cyberwar
• Critical infrastructure
• Healthcare systems
• Some people call this FUD.
• I call it reality.

Slide 12

Definition of war and insurance
• Check the definition of war.
• Check your policy.
• Insurance companies may have an out.
• Maybe you can change your policy.
• Talk to your lawyer about definitions.
• Better yet…
• Instead of relying on insurance – let’s protect the systems.

Slide 13

Auditors are key!
• Audit the systems.
• Show the problems.
• Translate into potential realities.
• Raise awareness.
• Explain to them why it matters.
• Help obtain resources and training.
• Get companies to fix problems.

Slide 14

Understand attacks to know what to audit

Slide 15

Azure Internet Connections
• Anything exposed to the Internet will be scanned and attacked:
  • Storage Accounts
  • Databases
  • Virtual Machines
  • Containers
  • Serverless Functions
• Common problems: RDP brute force and misconfigured data stores

Slide 16

BlueKeep is to RDP port 3389 as WannaCry is to SMB port 445

Slide 17

Just In Time Access

Slide 18

Understand network layers and protocols
• OSI Model – Layers 1-7 – protections exist at different network layers.
• TLS doesn’t always save you.
• It doesn’t encrypt everything.
• DNS over HTTPS is coming out.
• This will hide DNS traffic that security systems use to spot malware.
• Good or bad?
• Do you know the difference between an SSL VPN and an IPSEC VPN?
• One encrypts more traffic than the other.

Slide 19

What was the original purpose of a VPN?
• What was the initial purpose of a VPN?
• Not to hide your traffic so you can watch videos in a foreign country.
• Not for pentesting so people can’t tell where you are coming from.
• Not for end users to hide their traffic from their ISP.
• What was it?

Slide 20

Connect to private network from anywhere
Diagram labels: Firewall; Trusted users only; Authenticated; Encrypted tunnel; Specific CIDR block; Network restrictions specific to VPN network traffic ranges.

Slide 21

VPN + Bastion Host + JIT
Diagram labels: Internet; VPN + Firewall or NSG; Trusted users only; Bastion Host + JIT; VM, VM, VM.

Slide 22

Private Network + Bastion Host + JIT
Diagram labels: Express Route or Azure VPN; Firewall or NSG; Trusted users only; Bastion Host + JIT; VM, VM, VM.

Slide 23

Look for potential data exfiltration

Slide 24

How are systems connected?
• Azure connectivity – VPN or Express Route? Or Internet?
• What about Cloud Shell traffic via a web browser?
• Connections from Azure to third parties?
• What traffic is and is not visible to the security team and monitored?
• Who approves, tracks, and sets up new network connections?
• Is DLP in place to spot potential exfiltration?
• What paths exist from your most sensitive data to the Internet?

Slide 25

Azure Cloud App Security
• Works as a CASB
• Identifies Shadow IT
• What apps are connected to Azure?
• Can they exfiltrate data?
• Third-party: McAfee, Netskope

Slide 26

Application Architecture
Diagram tiers: WEB, APP, DATA.

Slide 27

Azure Networking
• Virtual Networks
• Routes
• Subnets
• Security Groups
• Azure Firewall
• WAF
Diagram notes (VNET): Subnets segregate layers; NSGs protect individual resources; WAF and/or Azure Firewall; Limit routes.
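As an added example (not from the deck) of the scripted resource check slide 58 recommends, this Python evaluates NSG inbound rules in Azure's priority order to decide whether RDP, SSH or SMB is reachable from the whole Internet, the exposure slides 15 and 16 warn about and slides 21 and 27 address with NSGs. It assumes the ARM NSG field names (securityRules, priority, direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges) and uses a constructed sample in place of real `az network nsg list -o json` output.

```python
import json

# Constructed sample in the shape of `az network nsg list -o json`. Field names
# follow the ARM networkSecurityGroups schema (assumed); all values are invented.
SAMPLE_NSGS = json.loads("""[
 {"name": "web-nsg", "securityRules": [
   {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}]},
 {"name": "bastion-nsg", "securityRules": [
   {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
    "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
   {"name": "allow-mgmt-corp", "priority": 110, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRanges": ["3389", "22"]},
   {"name": "allow-app-range", "priority": 200, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3000-4000"}]}
]""")

MGMT_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}   # prefixes that admit the whole Internet

def _ports(rule):
    # A rule carries either destinationPortRange ("*", "3389", "3000-4000") or a list.
    for r in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        lo, _, hi = ("0-65535" if r == "*" else r).partition("-")
        yield int(lo), int(hi or lo)

def _matches(rule, port):
    # True when the rule applies to TCP/<port> arriving from an arbitrary Internet address.
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return (rule.get("protocol", "*") in ("*", "Tcp")
            and any(s in ANY_SOURCE for s in sources)
            and any(lo <= port <= hi for lo, hi in _ports(rule)))

def internet_verdict(nsg, port):
    """('Allow'|'Deny', rule name) for TCP/<port> from the Internet. NSGs try inbound
    rules from the lowest priority number up; first match wins, else DenyAllInBound."""
    inbound = sorted((r for r in nsg["securityRules"] if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if _matches(rule, port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"

def find_exposed(nsgs):
    """(nsg name, service, allowing rule) for each management port open to the Internet."""
    return [(n["name"], svc, internet_verdict(n, port)[1])
            for n in nsgs for port, svc in MGMT_PORTS.items()
            if internet_verdict(n, port)[0] == "Allow"]
```

Feed real CLI output in place of SAMPLE_NSGS and every tuple returned by find_exposed is an audit finding; note that bastion-nsg is not reported because its Deny at priority 100 wins over the wider Allow at 200.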

Slide 28

Credentials
• SANS Institute survey
• Cloud security incidents
• Number one issue: stolen credentials

Slide 29

How they are stolen
• Credentials in code
• Phishing attacks
• Shared
• Malicious insider
• Malware on machine
• Social engineering

Slide 30

What they are used for…
• Steal data
• Ransomware
• Cryptominers
• Delete systems – or an account!
• Maintain a foothold
• Monitor communications
• Steal intellectual property
• Attack other systems

Slide 31

Cryptominers
• More common in cloud
• Often not reported
• Reporting not required
• No data loss
• Using your resources

Slide 32

IAM – Integrate and Automate
• Azure AD
• Integrated with main Active Directory store
• Using same HR processes
• Automated
• When someone leaves, is their access automatically removed?
• When someone changes roles, is their access automatically changed?
• Is creation of users automated to prevent human error?

Slide 33

MFA – Is it in place and is it effective?
• Is MFA in place – for everyone?
• How long is MFA cached?
• Is it truly two-factor?
• How can MFA be bypassed?
• And yes, it can be!

Slide 34

IAM – Segregation, Least Privilege
• Least privilege
  • Humans, compute resources, all permissions
  • Only privileges to do what is needed
• Segregation
  • If one person’s creds are stolen – how much can those creds access?
  • What can they do?

Slide 35

Least Privilege ~ Credentials AND Networking

Slide 36

Application and user permissions
• Service principals or managed identities for applications
• Only required permissions granted to users and resources
• Cannot create resources with higher permissions than themselves
• JIT enforced for remote access
• Only required network ports and rules allowed
• Verify someone is monitoring logs and responding to events
• Network traffic, application, OS, Active Directory, Activity logs

Slide 37

Secrets management
• No secrets in code
• Secrets stored in a vault
  • Azure Key Vault
  • HashiCorp Vault
Diagram notes: Running code retrieves secrets from the vault. Azure Key Vault contains [encrypted!] secrets. An application can only retrieve secrets that belong to it, not secrets for other applications. In a SAAS application, users can only retrieve their own secrets!

Slide 38

Where are secrets exposed?
• Metadata, configuration files, documentation
• Logs, backup files, caches, environment variables, registry
• GitHub and other source control systems
• Databases, unencrypted
• On developer documentation systems (Confluence)
• In Slack, chat, IM
• Email, support tickets

Slide 39

Segregation
Diagram labels: QA, DEV, PROD, DEPLOY.

Slide 40

Subscriptions and resource groups
• Is the organization using access segregation effectively to limit risk?
• How are subscriptions and resource groups organized and managed?
• Are different teams, lines of business, SDLC functions segregated?
• Different projects, different microservices, different trust levels
• Are permissions between each limited to what is required?
• Can get complicated – a dedicated team?

Slide 41

Deployment systems
• How are deployment systems and networks architected?
• Do they provide adequate governance?
• How are deployment systems secured (Jenkins, repositories)?
• Who has access to change the deployment systems?
• Can the deployment systems be bypassed by manual changes?
• Are security scans and checks built into deployment processes?
• Is the security team monitoring deployment systems?

Slide 42

Other ways malware gets into systems
• Cryptominers inserted into third-party software, web pages
• E-skimming software – CMS, plugins
• Software packages – Docker Hub containers, Python libraries
• Source code changes
• Misconfigurations, developer-induced vulnerabilities
• Third-party code included via URLs
• PS: Don’t expose your CMS admin site to the Internet!

Slide 43

Application Security: VMs, Containers, Serverless

Slide 44

Azure and OWASP Top 10
• WAF
• Front Door
• Advanced Threat Protection
• Azure Security Center

Slide 45

Vulnerability scanning
• Before deployment
  • Automated
  • In the deployment pipeline
  • Segregation of duties – not run manually or controlled by devs
  • Serverless scanning mainly depends on static code analysis
• After deployment
  • Cloud-native options – agents will report to Azure Security Center
  • Third parties – Azure integrates with Qualys, others
  • Azure Security Center will tell you whether it finds agent scanning or not

Slide 46

Azure Security Center Vulnerability Assessments
• Integrates with Qualys and others

Slide 47

Patching
• Including DevOps systems!
• Check the Jenkins server…
• Check Kubernetes…
• Immutable deployments are better than patching live systems!
• Make sure systems can’t change once they are scanned.

Slide 48

Encryption
• Is everything encrypted?
• Disks, databases, files, storage accounts, logs, queues, metadata?
• Is the boot disk encrypted – Azure uses BitLocker?
• Who has access to keys – can this be limited via automation?
• Are the keys rotated frequently (30-90 days or even less)?
• In a SAAS environment – does each customer have separate keys?
• Are appropriate algorithms, modes, and key lengths used?

Slide 49

Checking encryption on Azure disks, databases… what Azure can see.

Slide 50

Proper configurations
• Every single service on Azure has a configuration.
• If you can see it, touch it, change it – it’s your responsibility.
• Understand best practices for each service.
• Understand how it might be attacked (threat modeling).
• Secure accordingly.
• Customer configurations are one of the biggest risks in the cloud!

Slide 51

CIS Benchmarks in Azure Security Center
• CIS Benchmarks: best practices for Azure, Docker, operating systems, and more
• Check some of these with Azure Security Center

Slide 52

Architect for Availability
• Is the architecture structured to prevent downtime?
• What if an Azure datacenter fails?
• Your architecture should be resilient to this if required.
• BCP and DR plans aligned with business needs.
• What if your systems are hit with ransomware?
• Do you have backups?
• Have they been tested?

Slide 53

Azure options for Availability
• Azure architecture solutions
• Azure Load Balancers
• Azure Autoscale
• Azure Site Recovery
• Azure Backup

Slide 54

Security Functions
• Threat modeling to design to prevent breaches
• Security team has access to ALL logs
• Event monitoring and incident response
• Security requirements

Slide 55

ALL the logs…
• What logs exist?
• Are they turned on?
• Is anyone looking at them?
• Do they KNOW what to look for?
• Are they centralized?
• Log shipping – ephemeral resources
• Who can change them? (No one, hopefully – check permissions)

Slide 56

Compliance… is not security
• But it’s better than nothing!
• Azure Security Center can help
• Will rate things Azure can see

Slide 57

Third-Party Products ~ CloudNeeti
• Met at Seattle AWS Architects and Engineers Meetup
• Cross-cloud
• SAAS – obtain customer consent

Slide 58

Tools for Auditors on Azure
• No auditor role – you have to find or create one that gives least privilege
• Azure Security Center is your friend!
• Learn how to write scripts to query resources (Power BI, CLI, Insights)
• Network Watcher
• Become familiar with all the logs
• Review recommendations and best practices for each service.

Slide 59

Cloud systems can make security worse.
Would you trust a software developer or business person to operate on you? Why not?

Slide 60

Training… at every level
• Train the decision makers
• Different types of training:
  • Risk and governance
  • Research and reverse engineering malware
  • Cloud-specific configurations
  • Application security (OWASP Top 10)
  • Network security
  • Pentesting
  • DFIR (monitoring and responding to incidents)

Slide 61

Cloud systems can make security better! If used properly, by people with security training…

Slide 62

Managing Risk

Slide 63

Best practices ~ Resources
• https://docs.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns
• https://azure.microsoft.com/en-us/resources/security-best-practices-for-azure-solutions/
• https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
• https://docs.microsoft.com/en-us/azure/security/fundamentals/operational-checklist
• https://www.cisecurity.org/benchmark/azure/

Slide 64

Thank you!
Teri Radichel
Follow: @teriradichel + @2ndsightlab
Web: https://2ndsightlab.com
Blog: https://medium.com/cloud-security
Classes: https://2ndsightlab.com/cloud-security-training.html