Azure for Auditors

Transcript

1. for Auditors Teri Radichel | CEO | 2nd Sight Lab

   IIA and ISACA ~ Seattle 2019 © 2nd Sight Lab, LLC @teriradichel

2. @teriradichel Auditors Can have a significant impact on cybersecurity @teriradichel

3. @teriradichel Not just what to check… @teriradichel But Why?

4. @teriradichel Communicate @teriradichel Why Findings Matter.

5. @teriradichel Influence @teriradichel Decision Makers.

6. @teriradichel Help @teriradichel Solve the Problem.

7. @teriradichel Brief Tangent • Breaches • Repercussions • Why it

   matters

8. @teriradichel Cost of a Breach • It goes up daily…

   • Executives know this. • They say they care. • So why all the breaches?

9. @teriradichel The cost will keep going up… • GDPR: 4%

   of revenue. • More regulation likely coming if we don’t fix it. • Regulations cost a lot and make EVERYTHING more complicated. • Fix it before that happens.

10. @teriradichel Is this FUD? No. This is news.

11. @teriradichel The bigger cost • Democracy • Cyberwar • Critical

    infrastructure • Healthcare systems • Some people call this FUD. • I call it reality.

12. @teriradichel Definition of war and insurance • Check the definition

    of war. • Check your policy. • Insurance companies may have an out. • Maybe you can change your policy. • Talk to your lawyer about definitions. • Better yet… • Instead of relying on insurance – let’s protect the systems.

13. @teriradichel Auditors are key! • Audit the systems. • Show

    the problems. • Translate into potential realities. • Raise awareness. • Explain to them why it matters. • Help obtain resources and training. • Get companies to fix problems.

14. @teriradichel Understand attacks to know what to audit

15. @teriradichel Azure Internet Connections • Anything exposed to Internet will

    be scanned and attacked. • Storage Accounts • Databases • Virtual Machines • Containers • Serverless Functions • Common problems: RDP Brute Force and Misconfigured Data Stores

16. @teriradichel BlueKeep is to RPD port 3389 as WannaCry is

    to SMB port 445

17. @teriradichel Just In Time Access

18. @teriradichel Understand network layers and protocols • OSI Model –

    Layers 1-7 – protections at different network layers. • TLS doesn’t always save you. • It doesn’t encrypt everything. • DNS over HTTPS is coming out. • This will hide DNS traffic used by security systems to spot malware. • Good or bad?? • Do you know the difference between an SSL and IPSEC VPN? • One encrypts more traffic than the other.

19. @teriradichel What was the original purpose of a VPN? •

    What was the initial purpose of a VPN? • Not to hide your traffic so you can watch videos in a foreign country. • Not for pentesting so people can’t tell where you are coming from. • Not for end users to hide their traffic from their ISP. • What was it?

20. @teriradichel Connect to private network from anywhere Firewall Trusted Users

    Only Authenticated Encrypted tunnel Specific CIDR block Network restrictions Specific to VPN network traffic ranges

21. @teriradichel VPN + Bastion Host + JIT VPN + Firewall

    Or NSG Trusted Users Only Bastion Host + JIT VM VM VM Internet

22. @teriradichel Private Network + Bastion Host + JIT Firewall Or

    NSG Trusted Users Only Bastion Host + JIT VM VM VM Express Route Or Azure VPN

23. @teriradichel Look for potential data exfiltration

24. @teriradichel How are systems connected? • Azure Connectivity – VPN

    or Express Route? Or Internet? • What about Cloud Shell traffic via a web browser? • Connections from Azure to third-parties? • What traffic is and is not visible to security team and monitored? • Who approves, tracks, and sets up new network connections? • Is DLP in place to spot potential exfiltration? • What paths exist from your most sensitive data to the Internet?

25. @teriradichel Azure Cloud App Security • Works as CASB •

    Identifies Shadow IT • What apps connected to Azure? • Can they exfiltrate data? • Third-Party: McAfee, Netskope

26. @teriradichel Application Architecture APP WEB DATA

27. @teriradichel VNET Azure Networking • Virtual Networks • Routes •

    Subnets • Security Groups • Azure Firewall • WAF SSUB Subnets segregate layers NSGs protect individual resources WAF and/or Azure Firewall Limit routes

28. @teriradichel Credentials • SANS Institute survey • Cloud security incidents

    • Number one issue • Stolen credentials

29. @teriradichel How they are stolen • Credentials in code •

    Phishing attacks • Shared • Malicious insider • Malware on machine • Social engineering

30. @teriradichel What they are used for… • Steal data •

    Ransomware • Cryptominers • Delete systems – or an account! • Maintain a foothold • Monitor communications • Steal intellectual property • Attack other systems

31. @teriradichel Cryptominers • More common in cloud • Often not

    reported • Not required • No data loss • Using your resources

32. @teriradichel IAM – Integrate and Automate • Azure AD •

    Integrated with main Active Directory store • Using same HR processes • Automated • When someone leaves is there access automatically removed? • When someone changes roles, is their access automatically changed? • Is creation of users automated to prevent human error?

33. @teriradichel MFA– Is it in place and is it effective?

    • Is MFA in place – for everyone? • How long is MFA cached? • Is it truly two-factor? • How can MFA be bypassed? • And yes, it can be!

34. @teriradichel IAM – Segregation, Least Privilege • Least privilege •

    Humans, compute resources, all permissions • Only privileges to do what is needed • Segregation • If one person’s creds stolen – how much can those creds access? • What can they do?

35. @teriradichel Least Privilege ~ Credentials AND Networking z

36. @teriradichel Application and user permissions • Service principles or managed

    identities for applications • Only permissions required granted to users and resources • Cannot create resources with higher permissions than themselves • JIT enforced for remote access • Only required network ports and rules allowed • Verify someone is monitoring logs and responding to events • Network traffic, application, OS, Active Directory, Activity logs

37. @teriradichel Secrets management • No secrets in code • Secrets

    stored in vault • Azure Key Vault • HashiCorp Vault Running code retrieves secrets from vault Azure Key Vault contains [encrypted!] secrets Application can only retrieve secrets that belong to it, not secrets for other applications. In a SAAS application, users can only retrieve their own secrets!

38. @teriradichel Where are secrets exposed? • Metadata, configuration files, documentation

    • Logs, backup files, caches, environment variables, registry • GitHub and other source control systems • Databases, unencrypted • On developer documentation systems (Confluence) • In Slack, chat, IM • Email, Support Tickets

39. @teriradichel Segregation QA DEV PROD DEPLOY

40. @teriradichel Subscriptions and resource groups • Is the organization using

    access segregation effectively to limit risk? • How are subscriptions and resource groups organized and managed? • Are different teams, lines of business, SDLC functions segregated? • Different projects, different microservices, different trust levels • Are permissions between each limited to what is required? • Can get complicated – a dedicated team?

41. @teriradichel Deployment systems • How are deployment systems and networks

    architected? • Do they provide adequate governance? • How are deployment systems secured (Jenkins, Repositories) • Who has access to change the Deployment systems? • Can the deployment systems be bypassed by manual changes? • Are security scans and checks built into deployment processes? • Is the security team monitoring deployment systems?

42. @teriradichel Other ways malware get into systems • Cryptominers inserted

    into third-party software, web pages • E-skimming software – CMS, plugins • Software packages – Docker Hub containers, Python libraries • Source code changes • Misconfigurations, developer induced vulnerabilities • Third party code included via URLs • PS: Don’t expose your CMS Admin site to Internet!

43. @teriradichel Application Security VMs, Containers, Serverless

44. @teriradichel Azure and OWASP Top 10 • WAF • Front

    Door • Advanced Threat Protection • Azure Security Center

45. @teriradichel Vulnerability scanning • Before Deployment • Automated • In

    the deployment pipeline • Segregation of Duties - Not manually or controlled by Devs • Serverless scanning mainly depends on static code analysis • After Deployment • Cloud Native options – agents will report to Azure Security Center • Third parties – Azure integrates with Qualys, others • Azure security center will tell you if it finds agent scanning or not

46. @teriradichel Azure Security Center Vulnerability Assessments • Integrates with Qualys

    and others

47. @teriradichel Patching • Including DevOps systems! • Check the Jenkins

    server… • Check Kubernetes… • Immutable deployments are better than patching live systems! • Make sure systems can’t change once they are scanned.

48. @teriradichel Encryption • Is everything encrypted • Disks, Databases, Files,

    Storage Accounts, Logs, Queues, Metadata? • Is the boot disk encrypted – Azure uses BitLocker? • Who has access to keys – can this be limited via automation? • Are the keys rotated frequently (30-90 days or even less?) • In a SAAS environment – does each customer have separate keys? • Are appropriate algorithms, modes, and key lengths used?

49. @teriradichel Checking Encryption on Azure Disks, Databases…what Azure can see.

50. @teriradichel Proper configurations • Every single service on Azure has

    a configuration. • If you can see it, touch it, change it – it’s your responsibility. • Understand best practices for each service. • Understand how it might be attacked (threat modeling) • Secure accordingly. • Customer configurations are one of the biggest risks in the cloud!

51. @teriradichel CIS Benchmarks in Azure Security Center • CIS Benchmarks:

    best practices for Azure, Docker, Operating Systems, and more • Check some of these with Azure Security Center

52. @teriradichel Architect for Availability • Is the architecture structured to

    prevent downtime? • What if an Azure datacenter fails? • Your architecture should be resilient to this if required. • BCP and DR plans aligned with business needs. • What if your systems are hit with ransomware? • Do you have backups? • Have they been tested?

53. @teriradichel Azure options for Availability • Azure architecture solutions •

    Azure Load Balancers • Azure Autoscale • Azure Site Recovery • Azure Backup

54. @teriradichel Security Functions • Threat modeling to design to prevent

    breaches • Security team has access to ALL logs • Event monitoring and incident response • Security requirements

55. @teriradichel ALL the logs…. • What logs exist? • Are

    they turned on? • Is anyone looking at them? • Do they KNOW what to look for? • Are they centralized? • Log shipping – ephemeral resources • Who can change them? (No one hopefully – check permissions)

56. @teriradichel Compliance…is not security • But it’s better than nothing!

    • Azure Security Center can help • Will rate things Azure can see

57. @teriradichel Third-Party Products ~ CloudNeeti • Met at Seattle AWS

    Architects and Engineers Meetup • Cross-cloud • SAAS - obtain customer consent

58. @teriradichel Tools for Auditors on Azure • No role –

    have to find or create one that gives least privilege • Azure Security Center is your friend! • Learn how to write scripts to query resources (Power BI, CLI, Insights) • Network Watcher • Become familiar with all the logs • Review recommendations and best practices for each service.

59. @teriradichel Cloud systems can make security worse. Would you trust

    a software developer or business person operate on you? Why not?

60. @teriradichel Training…at every level • Train the Decision Makers •

    Different types of training • Risk and Governance • Research and reverse engineering malware • Cloud specific configurations • Application security (OWASP top 10) • Network security • Pentesting • DFIR (monitoring and responding to incidents)

61. @teriradichel Cloud systems can make security better! If used properly,

    by people with security training…

62. @teriradichel Managing Risk

63. @teriradichel Best practices ~ Resources • https://docs.microsoft.com/en-us/azure/security/fundamentals/best- practices-and-patterns • https://azure.microsoft.com/en-us/resources/security-best-practices-

    for-azure-solutions/ • https://docs.microsoft.com/en- us/azure/security/fundamentals/network-best-practices • https://docs.microsoft.com/en- us/azure/security/fundamentals/operational-checklist • https://www.cisecurity.org/benchmark/azure/

64. @teriradichel Thank you! Teri Radichel Follow: @teriradichel + @2ndsightlab Web:

    https://2ndsightlab.com Blog: https://medium.com/cloud-security Classes: https://2ndsightlab.com/cloud-security-training.html