
Azure for Auditors

Teri
October 17, 2019


Auditors can have a significant positive impact on cybersecurity. How can auditors help cloud security? What should auditors and those performing cloud security assessments consider when evaluating cloud security on Azure? This slide deck is from a sold-out presentation on Azure for Auditors for ISACA and IIA in Seattle. If you'd like to learn more, check out my cybersecurity classes at https://2ndsightlab.com


Transcript

  1. Azure for Auditors
     Teri Radichel | CEO | 2nd Sight Lab
     IIA and ISACA ~ Seattle 2019 © 2nd Sight Lab, LLC @teriradichel
  2. Cost of a Breach
     • It goes up daily…
     • Executives know this.
     • They say they care.
     • So why all the breaches?
  3. The cost will keep going up…
     • GDPR: 4% of revenue.
     • More regulation likely coming if we don’t fix it.
     • Regulations cost a lot and make EVERYTHING more complicated.
     • Fix it before that happens.
  4. The bigger cost
     • Democracy
     • Cyberwar
     • Critical infrastructure
     • Healthcare systems
     • Some people call this FUD.
     • I call it reality.
  5. Definition of war and insurance
     • Check the definition of war.
     • Check your policy.
     • Insurance companies may have an out.
     • Maybe you can change your policy.
     • Talk to your lawyer about definitions.
     • Better yet…
     • Instead of relying on insurance – let’s protect the systems.
  6. Auditors are key!
     • Audit the systems.
     • Show the problems.
     • Translate into potential realities.
     • Raise awareness.
     • Explain to them why it matters.
     • Help obtain resources and training.
     • Get companies to fix problems.
  7. Azure Internet Connections
     • Anything exposed to the Internet will be scanned and attacked.
     • Storage Accounts
     • Databases
     • Virtual Machines
     • Containers
     • Serverless Functions
     • Common problems: RDP brute force and misconfigured data stores
  8. Understand network layers and protocols
     • OSI Model – Layers 1-7 – protections at different network layers.
     • TLS doesn’t always save you.
     • It doesn’t encrypt everything.
     • DNS over HTTPS is coming out.
     • This will hide DNS traffic used by security systems to spot malware.
     • Good or bad??
     • Do you know the difference between an SSL and an IPSEC VPN?
     • One encrypts more traffic than the other.
  9. What was the original purpose of a VPN?
     • What was the initial purpose of a VPN?
     • Not to hide your traffic so you can watch videos in a foreign country.
     • Not for pentesting so people can’t tell where you are coming from.
     • Not for end users to hide their traffic from their ISP.
     • What was it?
  10. Connect to private network from anywhere
     (diagram labels) Firewall; Trusted Users Only; Authenticated; Encrypted tunnel; Specific CIDR block; Network restrictions specific to VPN network traffic ranges
  11. VPN + Bastion Host + JIT
     (diagram labels) Internet; VPN + Firewall or NSG; Trusted Users Only; Bastion Host + JIT; VM, VM, VM
  12. Private Network + Bastion Host + JIT
     (diagram labels) Express Route or Azure VPN; Firewall or NSG; Trusted Users Only; Bastion Host + JIT; VM, VM, VM
  13. How are systems connected?
     • Azure connectivity – VPN or Express Route? Or Internet?
     • What about Cloud Shell traffic via a web browser?
     • Connections from Azure to third parties?
     • What traffic is and is not visible to the security team and monitored?
     • Who approves, tracks, and sets up new network connections?
     • Is DLP in place to spot potential exfiltration?
     • What paths exist from your most sensitive data to the Internet?
  14. Azure Cloud App Security
     • Works as a CASB
     • Identifies Shadow IT
     • What apps are connected to Azure?
     • Can they exfiltrate data?
     • Third-party: McAfee, Netskope
  15. Azure Networking
     • Virtual Networks (VNET)
     • Routes
     • Subnets
     • Security Groups
     • Azure Firewall
     • WAF
     (diagram labels) Subnets segregate layers; NSGs protect individual resources; WAF and/or Azure Firewall; Limit routes
  16. How they are stolen
     • Credentials in code
     • Phishing attacks
     • Shared
     • Malicious insider
     • Malware on machine
     • Social engineering
  17. What they are used for…
     • Steal data
     • Ransomware
     • Cryptominers
     • Delete systems – or an account!
     • Maintain a foothold
     • Monitor communications
     • Steal intellectual property
     • Attack other systems
  18. Cryptominers
     • More common in cloud
     • Often not reported
     • Not required
     • No data loss
     • Using your resources
  19. IAM – Integrate and Automate
     • Azure AD
     • Integrated with main Active Directory store
     • Using same HR processes
     • Automated
     • When someone leaves, is their access automatically removed?
     • When someone changes roles, is their access automatically changed?
     • Is creation of users automated to prevent human error?
  20. MFA – Is it in place and is it effective?
     • Is MFA in place – for everyone?
     • How long is MFA cached?
     • Is it truly two-factor?
     • How can MFA be bypassed?
     • And yes, it can be!
  21. IAM – Segregation, Least Privilege
     • Least privilege
     • Humans, compute resources, all permissions
     • Only privileges to do what is needed
     • Segregation
     • If one person’s creds are stolen – how much can those creds access?
     • What can they do?
  22. Application and user permissions
     • Service principals or managed identities for applications
     • Only permissions required granted to users and resources
     • Cannot create resources with higher permissions than themselves
     • JIT enforced for remote access
     • Only required network ports and rules allowed
     • Verify someone is monitoring logs and responding to events
     • Network traffic, application, OS, Active Directory, Activity logs
  23. Secrets management
     • No secrets in code
     • Secrets stored in vault
     • Azure Key Vault
     • HashiCorp Vault
     (diagram labels) Running code retrieves secrets from vault; Azure Key Vault contains [encrypted!] secrets; Application can only retrieve secrets that belong to it, not secrets for other applications; In a SAAS application, users can only retrieve their own secrets!
  24. Where are secrets exposed?
     • Metadata, configuration files, documentation
     • Logs, backup files, caches, environment variables, registry
     • GitHub and other source control systems
     • Databases, unencrypted
     • On developer documentation systems (Confluence)
     • In Slack, chat, IM
     • Email, support tickets
  25. Subscriptions and resource groups
     • Is the organization using access segregation effectively to limit risk?
     • How are subscriptions and resource groups organized and managed?
     • Are different teams, lines of business, SDLC functions segregated?
     • Different projects, different microservices, different trust levels
     • Are permissions between each limited to what is required?
     • Can get complicated – a dedicated team?
  26. Deployment systems
     • How are deployment systems and networks architected?
     • Do they provide adequate governance?
     • How are deployment systems secured (Jenkins, repositories)?
     • Who has access to change the deployment systems?
     • Can the deployment systems be bypassed by manual changes?
     • Are security scans and checks built into deployment processes?
     • Is the security team monitoring deployment systems?
  27. Other ways malware gets into systems
     • Cryptominers inserted into third-party software, web pages
     • E-skimming software – CMS, plugins
     • Software packages – Docker Hub containers, Python libraries
     • Source code changes
     • Misconfigurations, developer-induced vulnerabilities
     • Third-party code included via URLs
     • PS: Don’t expose your CMS admin site to the Internet!
  28. Azure and OWASP Top 10
     • WAF
     • Front Door
     • Advanced Threat Protection
     • Azure Security Center
  29. Vulnerability scanning
     • Before deployment
     • Automated
     • In the deployment pipeline
     • Segregation of duties – not run manually or controlled by devs
     • Serverless scanning mainly depends on static code analysis
     • After deployment
     • Cloud-native options – agents will report to Azure Security Center
     • Third parties – Azure integrates with Qualys, others
     • Azure Security Center will tell you if it finds agent scanning or not
  30. Patching
     • Including DevOps systems!
     • Check the Jenkins server…
     • Check Kubernetes…
     • Immutable deployments are better than patching live systems!
     • Make sure systems can’t change once they are scanned.
  31. Encryption
     • Is everything encrypted? Disks, databases, files, storage accounts, logs, queues, metadata?
     • Is the boot disk encrypted? Azure uses BitLocker.
     • Who has access to keys – can this be limited via automation?
     • Are the keys rotated frequently (30-90 days or even less)?
     • In a SAAS environment – does each customer have separate keys?
     • Are appropriate algorithms, modes, and key lengths used?
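A check for the key-rotation question on this slide, as an added example that is not part of the deck: it reads a constructed key list in the shape of `az keyvault key list` output (field names assumed, vault name is a placeholder) and flags enabled keys whose current version is older than the rotation window or that have no expiry set.

```python
"""Flag Key Vault keys whose current version is older than the rotation window (added example)."""
import json
from datetime import datetime, timedelta

# Constructed sample shaped like `az keyvault key list --vault-name <vault> -o json`
# (field names assumed to match the Azure CLI output; timestamps are ISO 8601).
SAMPLE_KEYS = json.loads("""
[
 {"name": "sql-tde-key", "kid": "https://example-vault.vault.azure.net/keys/sql-tde-key/v1",
  "attributes": {"enabled": true, "created": "2019-04-01T00:00:00+00:00", "expires": null}},
 {"name": "disk-key", "kid": "https://example-vault.vault.azure.net/keys/disk-key/v7",
  "attributes": {"enabled": true, "created": "2019-09-20T00:00:00+00:00",
                 "expires": "2020-01-01T00:00:00+00:00"}},
 {"name": "old-disabled", "kid": "https://example-vault.vault.azure.net/keys/old-disabled/v1",
  "attributes": {"enabled": false, "created": "2018-01-01T00:00:00+00:00", "expires": null}}
]
""")

def audit_key_rotation(keys, now_iso, max_age_days=90):
    """Return (key name, issue) pairs for enabled keys whose current version
    is older than max_age_days or that have no expiry. The created time of
    the current version stands in for the last rotation (assumption: a
    rotation creates a new key version)."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for key in keys:
        attrs = key["attributes"]
        if not attrs.get("enabled", True):
            continue  # a disabled key cannot be used, so it is not a rotation finding
        age = now - datetime.fromisoformat(attrs["created"])
        if age > timedelta(days=max_age_days):
            findings.append((key["name"], f"not rotated for {age.days} days"))
        if not attrs.get("expires"):
            findings.append((key["name"], "no expiry set"))
    return findings

if __name__ == "__main__":
    # The presentation date is used as "now" so the output is reproducible.
    for name, issue in audit_key_rotation(SAMPLE_KEYS, "2019-10-17T00:00:00+00:00"):
        print(f"FINDING: {name}: {issue}")
```

To run it against a real vault, replace SAMPLE_KEYS with the parsed output of the CLI command named in the comment; the rotation window is the 30-90 day range the slide asks about.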
  32. Proper configurations
     • Every single service on Azure has a configuration.
     • If you can see it, touch it, change it – it’s your responsibility.
     • Understand best practices for each service.
     • Understand how it might be attacked (threat modeling).
     • Secure accordingly.
     • Customer configurations are one of the biggest risks in the cloud!
  33. CIS Benchmarks in Azure Security Center
     • CIS Benchmarks: best practices for Azure, Docker, operating systems, and more
     • Check some of these with Azure Security Center
  34. Architect for Availability
     • Is the architecture structured to prevent downtime?
     • What if an Azure datacenter fails?
     • Your architecture should be resilient to this if required.
     • BCP and DR plans aligned with business needs.
     • What if your systems are hit with ransomware?
     • Do you have backups?
     • Have they been tested?
  35. Azure options for Availability
     • Azure architecture solutions
     • Azure Load Balancers
     • Azure Autoscale
     • Azure Site Recovery
     • Azure Backup
  36. Security Functions
     • Threat modeling: design to prevent breaches
     • Security team has access to ALL logs
     • Event monitoring and incident response
     • Security requirements
  37. ALL the logs….
     • What logs exist?
     • Are they turned on?
     • Is anyone looking at them?
     • Do they KNOW what to look for?
     • Are they centralized?
     • Log shipping – ephemeral resources
     • Who can change them? (No one, hopefully – check permissions)
  38. Compliance…is not security
     • But it’s better than nothing!
     • Azure Security Center can help
     • Will rate things Azure can see
  39. Third-Party Products ~ CloudNeeti
     • Met at Seattle AWS Architects and Engineers Meetup
     • Cross-cloud
     • SAAS – obtain customer consent
  40. Tools for Auditors on Azure
     • No role – have to find or create one that gives least privilege
     • Azure Security Center is your friend!
     • Learn how to write scripts to query resources (Power BI, CLI, Insights)
     • Network Watcher
     • Become familiar with all the logs
     • Review recommendations and best practices for each service.
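An added example, not from the deck, of the kind of resource-query script this slide suggests, applied to the RDP brute-force and NSG points from slides 7 and 15: it evaluates constructed NSG rules (shaped like `az network nsg rule list` output, field names assumed) in priority order, the way the NSG itself does, to find which management ports the Internet can actually reach rather than just grepping for "Allow".

```python
"""Check which management ports an NSG leaves reachable from the Internet (added example)."""
import json

# Constructed sample in the shape of `az network nsg rule list ... -o json`
# (field names assumed to match the Azure CLI / ARM property names).
SAMPLE_RULES = json.loads("""
[
 {"name": "DenyRdpFromInternet", "priority": 100, "direction": "Inbound", "access": "Deny",
  "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
 {"name": "AllowMgmtRange", "priority": 200, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3000-4000"},
 {"name": "AllowSshAny", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["22", "8080"]}
]
""")

INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}

def _port_ranges(rule):
    """Yield (low, high) for the rule's destination port range(s); '*' is all ports."""
    for r in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        if r == "*":
            yield 0, 65535
        else:
            lo, _, hi = r.partition("-")
            yield int(lo), int(hi or lo)

def _from_internet(rule):
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(s.lower() in INTERNET_SOURCES for s in srcs)

def effective_inbound_access(rules, port, proto="Tcp"):
    """NSG rules are evaluated by priority (lowest number first) and the first
    match wins; with no match, Azure's default DenyAllInBound rule applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", proto):
            continue
        if _from_internet(rule) and any(lo <= port <= hi for lo, hi in _port_ranges(rule)):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound (default)"

def audit(rules, ports=(3389, 22)):
    """Return {port: rule name} for each port that the Internet can reach."""
    return {p: name for p in ports
            for access, name in [effective_inbound_access(rules, p)] if access == "Allow"}

if __name__ == "__main__":
    for port, name in audit(SAMPLE_RULES).items():
        print(f"FINDING: TCP {port} reachable from the Internet via rule {name}")
```

The sample shows why priority matters: the explicit RDP deny at priority 100 shadows the broad 3000-4000 allow for TCP, but that same allow still opens UDP 3389 and every other port in the range.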
  41. Cloud systems can make security worse.
     Would you trust a software developer or business person to operate on you? Why not?
  42. Training…at every level
     • Train the decision makers
     • Different types of training
     • Risk and governance
     • Research and reverse engineering malware
     • Cloud-specific configurations
     • Application security (OWASP Top 10)
     • Network security
     • Pentesting
     • DFIR (monitoring and responding to incidents)
  43. Best practices ~ Resources
     • https://docs.microsoft.com/en-us/azure/security/fundamentals/best-practices-and-patterns
     • https://azure.microsoft.com/en-us/resources/security-best-practices-for-azure-solutions/
     • https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
     • https://docs.microsoft.com/en-us/azure/security/fundamentals/operational-checklist
     • https://www.cisecurity.org/benchmark/azure/
  44. Thank you!
     Teri Radichel
     Follow: @teriradichel + @2ndsightlab
     Web: https://2ndsightlab.com
     Blog: https://medium.com/cloud-security
     Classes: https://2ndsightlab.com/cloud-security-training.html