nullcon 2011 - Security and Forensic Discovery in Cloud Environments

Security and Forensic Discovery in Cloud Environments by Manu Zacharia


Transcript of "nullcon 2011 - Security and Forensic Discovery in Cloud Environments"

CLOUD 9: UNCOVERING SECURITY & FORENSICS DISCOVERY IN CLOUD
by Manu Zacharia
MVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCP
Certified ISO 27001:2005 Lead Auditor
HackIT – Technology & Advisory Services
"Aut viam inveniam aut faciam" (I shall either find a way or make one) – Hannibal Barca

# whoami
- I am an Information Security Evangelist
- For paying my bills – I do consulting - HackIT – Technology & Advisory Services – a startup.
- Awards:
  - Information Security Leadership Achievement Award from (ISC)² - 2010
  - Microsoft Most Valuable Professional (Enterprise Security) – 2009 and 2010
- Co-author of a book
- President – Information Security Research Association - NPO

# whoami
- Chief Architect - Matriux – (www.matriux.com) - OS for Hacking, Forensics and Security testing – Open Source & Free
- Founder c0c0n – International Security & Hacking Conference
- Extend service to various state and central investigation agencies as Cyber Forensics Consultant

# whoami
- Speaker at various national and international security, technology and hacking conferences:
  - Microsoft Tech-Ed 2010 (& 2011 upcoming)
  - IQPC - Enterprise Security 2010 - Singapore
  - Information Security Conference - Bangalore
  - ClubHack, etc.
  - DevCon

# whoami
- Training associations:
  - Indian Navy - Signal School, Centre for Defense Communication and Electronic and Information / Cyber Warfare, and INS Valsura
  - Centre for Police Research, Pune, and Kerala Police
  - SCIT - Symbiosis Centre for Information Technology, Pune
  - Institute of Management Technology (IMT) – Ghaziabad
  - IGNOU M-Tech (Information Systems Security) – Expert Member – Curriculum Review Committee
  - C-DAC, ACTS (DISCS & DSSD)

DISCLAIMER(S)
- The opinions represented here are my personal ones and do not necessarily reflect my employer's views.
- Registered brands belong to their legitimate owners.
- The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :)

REFERENCES
- Information and resources from the Internet (including publications from the Cloud Security Alliance) were extensively used in the creation of this presentation.

AGENDA
- INTRO & CLOUD ARCHITECTURE
- CLOUD SECURITY & RISK ASSESSMENT FRAMEWORK
- EXPLOITING CLOUD & FORENSICS
- CONCLUSION

INTRODUCTION
QUESTION
- So what is Cloud Computing?
- Do you know what EC2 and S3 are?
- What is the SPI Model?

WHY THIS TALK?
- Cloud is loud
- Headline stealer
- Everybody is concerned about Cloud Security

WHY IS CLOUD DIFFERENT?
- Why handle cloud differently?
- Simple – the power of cloud

TIGR - ??????
- Barack Obama's Technology Innovation and Government Reform Team (TIGR) describes the use of cloud computing as "one of the most important transformations the federal government will go through in the next decade."

CLOUD POWER
- A 64-node Linux cluster can be online in just five minutes
- Forget about those sleepless nights in your data centers

EC2
- Amazon Elastic Compute Cloud (Amazon EC2)
- A web service that provides resizable compute capacity in the cloud

EC2 - WIKIPEDIA
- Allows users to rent computers on which to run their own computer applications.
- A user can boot an Amazon Machine Image (AMI) to create a virtual machine, which Amazon calls an "instance", containing any software desired.

EC2 - WIKIPEDIA
- A user can create, launch, and terminate server instances as needed, paying by the hour for active servers, hence the term "elastic".

S3
- Amazon S3 (Simple Storage Service) is an online storage web service offered by Amazon Web Services.
- Provides unlimited storage through a simple web services interface

S3
- $0.15 per gigabyte-month
- 102 billion objects as of March 2010

POWER OF CLOUD
- The New York Times - Amazon EC2 and S3 - PDFs of 15M scanned news articles.
- NASDAQ uses Amazon S3 to deliver historical stock information.

CLOUD
- Cloud separates:
  - application and information resources from the underlying infrastructure, and
  - the mechanisms used to deliver them.

CLOUD
- Use of a collection of services, applications, information, and infrastructure comprised of pools of compute, network, information, and storage resources.

CLOUD
- Components can be:
  - rapidly orchestrated,
  - provisioned,
  - implemented & decommissioned, and
  - scaled up or down
- Provide an on-demand, utility-like model.

CLOUD CONFUSION
- From an architectural perspective, there is much confusion
- How is cloud both similar to and different from existing models of computing?

CLOUD CONFUSION
- How these similarities and differences impact the organizational, operational, and technological approaches to network and information security practices.

CLOUD SECURITY – DIFFERENT?
- Marcus Ranum - Same old, same old

CLOUD SECURITY – DIFFERENT?
- Same Client / Server paradigm from Mainframe days – Bruce Schneier

So what is this cloud?

CLOUD ARCHITECTURE
CLOUD
- NIST (U.S. National Institute of Standards and Technology) defines cloud computing by describing:
  - five essential characteristics,
  - three cloud service models, and
  - four cloud deployment models.

CLOUD CHARACTERISTICS
- Five essential characteristics:
  - On-demand self-service
  - Broad network access
  - Resource pooling
  - Rapid elasticity
  - Measured service

CLOUD CHARACTERISTICS
- On-demand self-service
  - Unilaterally provision computing capabilities as needed, automatically, without requiring human interaction with a service provider.
  - Computing capabilities include server time and network storage

CLOUD CHARACTERISTICS
- Broad network access
  - Available over the network and accessed through standard mechanisms

CLOUD CHARACTERISTICS
- Can be accessed through heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other traditional or cloud-based software services.

CLOUD CHARACTERISTICS
- Resource pooling
  - The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model,
  - with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

CLOUD CHARACTERISTICS
- Degree of location independence - the customer has no control or knowledge over the exact location of the provided resources
- The customer may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).

CLOUD CHARACTERISTICS
- Examples of resources include:
  - storage,
  - processing,
  - memory,
  - network bandwidth, and
  - virtual machines.

CLOUD CHARACTERISTICS
- Rapid elasticity
  - Capabilities can be rapidly and elastically provisioned to quickly scale out, and rapidly released to quickly scale in.
  - In some cases this is done automatically.

CLOUD CHARACTERISTICS
- Measured service
  - Metering capability at some level of abstraction appropriate to the type of service
  - Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.

CLOUD CHARACTERISTICS
- Examples:
  - storage,
  - processing,
  - bandwidth,
  - active user accounts

MYTHS - CLOUD CHARACTERISTICS
- Myths about Cloud Computing essential characteristics
  - Virtualization is mandatory
  - The answer is no
  - Cloud services are often, but not always, utilized in conjunction with, and enabled by, virtualization technologies

MYTHS - CLOUD CHARACTERISTICS
- There is no requirement that ties the abstraction of resources to virtualization technologies
- In many offerings, virtualization by hypervisor or operating system container is not utilized.

MYTHS - CLOUD CHARACTERISTICS
- Multi-tenancy as an essential cloud characteristic
  - Multi-tenancy is not called out as an essential cloud characteristic by NIST, but is often discussed as such.
CLOUD SERVICE MODELS
- Divided into three archetypal models.
- The three fundamental classifications are known as the SPI Model (SaaS, PaaS, IaaS).
- Various other derivative combinations are also available.

CLOUD SERVICE MODELS
- Cloud Service Models:
  - Cloud Software as a Service (SaaS)
  - Cloud Platform as a Service (PaaS)
  - Cloud Infrastructure as a Service (IaaS)

CLOUD SERVICE MODELS - SaaS
- The client uses the software / applications running on a cloud infrastructure.
- Accessed through a thin client interface such as a browser.

CLOUD SERVICE MODELS - SaaS
- The user does not manage or control the underlying cloud infrastructure, including:
  - network,
  - servers,
  - operating systems,
  - storage, or
  - even individual application capabilities

CLOUD SERVICE MODELS - SaaS
- Possible exception - limited user-specific application configuration settings.

CLOUD SERVICE MODELS - PaaS
- The user can deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.

CLOUD SERVICE MODELS - PaaS
- The consumer does not manage or control the underlying cloud infrastructure, including:
  - network,
  - servers,
  - operating systems, or
  - storage

CLOUD SERVICE MODELS - PaaS
- Has control over the deployed applications and possibly application hosting environment configurations.

CLOUD SERVICE MODELS - IaaS
- The user can provision:
  - processing,
  - storage,
  - networks, and
  - other fundamental computing resources

CLOUD SERVICE MODELS - IaaS
- The consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
- The consumer does not manage or control the underlying cloud infrastructure

CLOUD SERVICE MODELS - IaaS
- Has control over:
  - operating systems,
  - storage,
  - deployed applications, and
  - possibly limited control of select networking components (e.g., host firewalls).
CLOUD DEPLOYMENT MODELS
- Regardless of the service model, there are four cloud deployment models:
  - Public Cloud
  - Private Cloud
  - Community Cloud
  - Hybrid Cloud

CLOUD DEPLOYMENT MODELS
- There are derivative variations that address specific requirements.

CLOUD DEPLOYMENT MODELS
- Public Cloud
  - The cloud infrastructure is made available to the general public or a large industry group
  - Owned by an organization providing cloud services.

CLOUD DEPLOYMENT MODELS
- Private Cloud
  - The cloud infrastructure is operated solely for a single organization.
  - It may be managed by the organization or a third party, and may exist on-premises or off-premises.

CLOUD DEPLOYMENT MODELS
- Community Cloud
  - The cloud infrastructure is shared by several organizations
  - Supports a specific community that has shared concerns

CLOUD DEPLOYMENT MODELS
- Examples (of shared concerns):
  - mission,
  - security requirements,
  - policy, or
  - compliance considerations

CLOUD DEPLOYMENT MODELS
- It may be managed by the organizations or a third party, and may exist on-premises or off-premises.

CLOUD DEPLOYMENT MODELS
- Hybrid Cloud
  - Composition of two or more clouds (private, community, or public)
  - They remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

CLOUD DEPLOYMENT MODELS
- Example - Hybrid Cloud
  - Cloud bursting for load-balancing between clouds.
CLOUD BURSTING
- New twist on an old concept :)
- Bursting into the cloud when necessary, or
- using the cloud when additional compute resources are required temporarily

CLOUD BURSTING
- Example - used to shoulder the burden of some of the application's processing requirements.
- How is it done?
  - Basic application functionality could be provided from within the cloud

CLOUD BURSTING
- More critical (e.g. revenue-generating or mission-critical) applications continue to be served from within the controlled enterprise data center.

CLOUD BURSTING
- How is it different from traditional bursting?
  - Traditionally applied to resource allocation and automated provisioning / de-provisioning of resources
  - Historically focused on bandwidth.

CLOUD BURSTING
- In the cloud, it is being applied to resources such as:
  - servers,
  - application servers,
  - application delivery systems, and
  - other infrastructure…

CLOUD BURSTING
- …required to provide on-demand computing environments that expand and contract as necessary, without manual intervention.

CLOUD BURSTING
- "Without manual intervention" means?
  - We generally call it automation
  - But is automation sufficient for cloud? Or is it the right thing for cloud?
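As an added example (not from the talk), a small Python placement policy that models the bursting rule described in the slides above: basic functionality may burst into the public cloud when the enterprise data center is full, critical applications never leave it, and the cloud footprint expands and contracts with demand. Workload names, demands and the capacity unit are constructed sample values.

```python
"""Cloud-bursting placement policy (added example, not from the talk).

Models the rule the slides describe: non-critical functionality may burst
into the public cloud when the enterprise data center is full, while
revenue-generating or mission-critical applications always stay inside the
controlled data center. Capacity units, workload names and demands are
constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Workload:
    name: str
    demand: int     # capacity units currently needed (constructed unit)
    critical: bool  # mission-critical / revenue-generating -> never bursts


@dataclass
class Placement:
    on_prem: dict = field(default_factory=dict)   # name -> units in the data center
    cloud: dict = field(default_factory=dict)     # name -> units burst to the cloud
    rejected: list = field(default_factory=list)  # critical work that did not fit
    log: list = field(default_factory=list)       # decision trail for audit / review

    @property
    def cloud_units(self) -> int:
        return sum(self.cloud.values())


def plan_bursting(workloads, dc_capacity: int) -> Placement:
    """Place workloads, bursting only non-critical demand into the cloud.

    Critical workloads are placed first so that basic functionality, not the
    crown jewels, is what leaves the controlled data center. A critical
    workload that does not fit on-prem is rejected rather than burst, because
    silently moving it would violate the policy.
    """
    p = Placement()
    free = dc_capacity
    # Critical first (False sorts before True), then by name for determinism.
    ordered = sorted(workloads, key=lambda w: (not w.critical, w.name))
    for w in ordered:
        if w.critical:
            if w.demand <= free:
                p.on_prem[w.name] = w.demand
                free -= w.demand
                p.log.append(f"{w.name}: critical, kept on-prem ({w.demand} units)")
            else:
                p.rejected.append(w.name)
                p.log.append(f"{w.name}: critical, does not fit on-prem, NOT burst")
            continue
        # Non-critical: use any remaining on-prem capacity, burst the overflow.
        local = min(w.demand, free)
        overflow = w.demand - local
        if local:
            p.on_prem[w.name] = local
            free -= local
        if overflow:
            p.cloud[w.name] = overflow
        p.log.append(f"{w.name}: basic, on-prem {local}, burst {overflow}")
    return p


def rescale(previous: Placement, workloads, dc_capacity: int) -> tuple:
    """Re-plan after demand changes and report cloud expansion or contraction.

    Returns (new_placement, delta); delta is the change in cloud units, so a
    positive value means the environment expanded and a negative value means
    it contracted. This is the 'expand and contract without manual
    intervention' step of the slides.
    """
    current = plan_bursting(workloads, dc_capacity)
    return current, current.cloud_units - previous.cloud_units


# Constructed sample: a 100-unit enterprise data center under peak load.
SAMPLE = [
    Workload("billing", 40, critical=True),
    Workload("trading", 35, critical=True),
    Workload("catalog", 30, critical=False),
    Workload("reports", 20, critical=False),
]

if __name__ == "__main__":
    peak = plan_bursting(SAMPLE, dc_capacity=100)
    print("\n".join(peak.log))
    # Demand drops: reports finish and catalog halves, so the cloud contracts.
    quiet = [Workload("catalog", 15, False) if w.name == "catalog" else w
             for w in SAMPLE if w.name != "reports"]
    later, delta = rescale(peak, quiet, dc_capacity=100)
    print(f"cloud units {peak.cloud_units} -> {later.cloud_units} (delta {delta:+d})")
```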
CLOUD ORCHESTRATION
- Orchestration describes the automated arrangement, coordination, and management of complex computer systems, middleware, and services.

CLOUD ORCHESTRATION
- Generally used in the context of:
  - Service Oriented Architecture,
  - virtualization,
  - provisioning, and
  - dynamic datacenter topics.

DERIVATIVE - DEPLOYMENT MODELS
- Derivative cloud deployment models are emerging due to the maturation of market offerings and customer demand.
- Example: Virtual Private Clouds

VIRTUAL PRIVATE CLOUDS
- Use of public cloud infrastructure in a private or semi-private manner
- By interconnecting these resources to the internal resources of a consumer's datacenter, usually via virtual private network (VPN) connectivity.

CLOUD SERVICE BROKERS
- Providers that offer intermediation, monitoring, transformation/portability, governance, provisioning, and integration services.
- They also negotiate relationships between various cloud providers and consumers.

CLOUD SERVICE BROKERS
- They take advantage of the prevailing incompatibility issues and provide an interface for customers.
- Act as a proxy (middle man)

OPEN AND PROPRIETARY API
- Open and proprietary APIs are evolving which seek to enable things such as management, security and interoperability for cloud.

OPEN AND PROPRIETARY API
- Open Cloud Computing Interface Working Group,
- Amazon EC2 API,
- VMware's DMTF-submitted vCloud API,
- Sun's Open Cloud API,
- Rackspace API, and
- GoGrid's API

OPEN AND PROPRIETARY API
- These APIs play a key role in cloud portability and interoperability, as do common container formats such as the DMTF's Open Virtualization Format (OVF).
- DMTF - Distributed Management Task Force

MULTI-TENANCY IN CLOUD
- Not an essential characteristic of Cloud Computing in NIST's model.
- Generally identified as an important element of cloud.

MULTI-TENANCY IN CLOUD
- Implies a need for:
  - policy-driven enforcement,
  - segmentation,
  - isolation,
  - governance,
  - service levels, and
  - chargeback/billing models for different consumers.

CLOUD

CLOUD CUBE
242. 242. CLOUD REFERENCE MODEL<br />84<br /><ul><li> Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks.</li></ul>CLOUD REF MODEL<br />85<br /><ul><li>IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS
243. 243. As the capabilities are inherited, so are information security issues and risk.</li></ul>CLOUD REF MODEL<br />86<br />
  244. 244. CLOUD SECURITY<br />87<br />
245. 245. CLOUD – WHAT COULD BE TARGETED?<br /><ul><li> From an attacker’s point of view:
  246. 246. The boxes,
  247. 247. Storage,
  248. 248. Applications</li></ul>88<br />
249. 249. WHY IS CLOUD SECURITY DIFFERENT?<br /><ul><li> With any new technology come new risks
250. 250. New vectors that we need to be aware of
251. 251. Confusion exists about how cloud is both similar to and different from existing models of computing</li></ul>89<br />
252. 252. SECURITY ISSUES<br /><ul><li> Cloud based security issues, also commonly known as Cloud Based Risk – CRISK</li></ul>90<br />
253. 253. SECURITY ISSUES<br />Lock-in<br /><ul><li> When a cloud user decides to migrate (for various reasons, including a poor SLA) to another cloud service provider or to in-house IT
254. 254. Different cloud service providers use different APIs, which are not compatible with each other for migrating the data </li></ul>91<br />
  255. 255. SECURITY ISSUES<br />Lack of:<br /><ul><li> Tools,
  256. 256. Procedures,
  257. 257. Standard data formats, and
  258. 258. Interfaces,</li></ul>can considerably delay or prevent a successful migration.<br />92<br />
259. 259. SECURITY ISSUES<br />Shared Service Consequences<br /><ul><li> Any kind of intentional or unintentional malicious activity carried out or executed on a shared platform may affect the other tenants and associated stakeholders.</li></ul>93<br />
  260. 260. SECURITY ISSUES<br />Examples - Shared Service Consequences:<br /><ul><li>Blocking of IP ranges
261. 261. Confiscation of resources as part of an investigation puts availability in question.</li></ul>94<br />
262. 262. SECURITY ISSUES<br />Examples - Shared Service Consequences: <br /><ul><li> Given the diversity of applications running on the cloud platform, a sudden increase in resource usage by one application can drastically affect the performance and availability of the other applications sharing the same cloud infrastructure.</li></ul>95<br />
263. 263. SECURITY ISSUES<br />Sudden Acquisitions and Take-overs<br /><ul><li> Cloud is an upcoming and promising domain for organizations to venture into and expand.
264. 264. A sudden take-over can result in a deviation from the agreed Terms of Use & SLA, which may also lead to a Lock-In situation.</li></ul>96<br />
265. 265. SECURITY ISSUES<br />Run-on-the-cloud<br /><ul><li> Similar to the conventional run-on-the-bank concept.
266. 266. Bankruptcy and catastrophes do not come with an early warning.</li></ul>97<br />
267. 267. SECURITY ISSUES<br /><ul><li> What happens if the majority of clients withdraw the associated services from a cloud infrastructure?</li></ul>98<br />
  268. 268. SECURITY ISSUES<br /><ul><li> The cloud service providers may try to prevent that move through direct and indirect methods – which may include a lock-in also.</li></ul>99<br />
269. 269. SECURITY ISSUES<br />Maintaining Certifications & Compliance<br /><ul><li> Organizations need to ensure that they can maintain their certifications and compliance when moving to cloud.
270. 270. ToU (Terms of Use) prohibit VA/PT (vulnerability assessment / penetration testing)
271. 271. This may introduce security vulnerabilities and gaps
272. 272. Result – Lose your certification.</li></ul>100<br />
273. 273. SECURITY ISSUES<br />Example - Maintaining Certifications:<br /><ul><li> In the general scenario, PCI DSS compliance cannot be achieved with the Amazon EC2/S3 cloud service.
274. 274. A major drop in performance and quality metrics may affect your certifications.</li></ul>101<br />
275. 275. SECURITY ISSUES<br />Technical and Procedural Vulnerability<br /><ul><li> Vulnerabilities applicable to conventional systems & networks are also applicable to cloud infrastructure.
276. 276. Lack of cloud-based security standards and non-adherence to procedures may affect the CIA (confidentiality, integrity, availability) of customer data. </li></ul>102<br />
277. 277. SECURITY ISSUES<br />Confidentiality is @ Risk<br /><ul><li> The information deleted by the customer may still be available to the cloud solution provider as part of their regular backups.
278. 278. Insecure and inefficient deletion of data, with no true data wiping, exposes sensitive information to other cloud users.</li></ul>103<br />
279. 279. SECURITY ISSUES<br />Lack of transparency in cloud<br /><ul><li>The service provider may be following good security procedures, but this is not visible to the customers and end users.
280. 280. Perhaps for security reasons.
281. 281. But the end user is ultimately left in the dark.</li></ul>104<br />
282. 282. SECURITY ISSUES<br />Lack of transparency in cloud<br /><ul><li> End user questions remain unanswered:
283. 283. how the data is backed up,
284. 284. who backs up the data,
285. 285. whether the cloud service provider does it or has outsourced it to some third party, </li></ul>105<br />
286. 286. SECURITY ISSUES<br /><ul><li> how the backup is transferred to a remote site as part of the backup policy,
287. 287. is it encrypted before being sent,
288. 288. is the backup properly destroyed after the specified retention period, or</li></ul>106<br />
289. 289. SECURITY ISSUES<br /><ul><li> is it lying somewhere on a disk,
290. 290. what kind of data wiping technologies are used.
291. 291. The list of questions is long and the cloud users are in the dark</li></ul>107<br />
  292. 292. SECURITY TESTING<br /><ul><li> Problems testing the cloud?
  293. 293. Permission
  294. 294. How do you get permission to test your application running on Amazon EC2 when the results of your testing could show you data from another client completely?</li></ul>108<br />
295. 295. SECURITY TESTING<br /><ul><li> Getting black-holed or getting kicked off
  296. 296. "In networking, black holes refer to places in the network where incoming traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient." - From Wikipedia</li></ul>109<br />
297. 297. SECURITY TESTING<br /><ul><li> How do you track versions?
298. 298. How do you do regression testing?
299. 299. How do you know what version of the search engine Google is currently running?</li></ul>110<br />
300. 300. SECURITY TESTING<br /><ul><li> If you test an application today and find it vulnerable or not vulnerable, how do you know that the app you are testing tomorrow is the same one that you tested yesterday? - You don't</li></ul>111<br />
301. 301. THEN WHY DO WE MOVE?<br /> If it's not good, not safe, or not even new, then why is cloud adoption happening?<br />112<br />
  302. 302. FEW TOP REASONS<br /><ul><li> Management by in-flight magazines
  303. 303. Management version – something new and promising – let’s try it out
  304. 304. Geek version – It’s really cool
305. 305. There is nobody to put on the brakes when these two join forces.</li></ul>113<br />
306. 306. OTHER REASONS<br /><ul><li> Poor uptime and service delivery experience from the IT department.
307. 307. Economic factors
  308. 308. Multi-tenancy means cost sharing</li></ul>114<br />
  309. 309. OTHER REASONS<br /><ul><li> Cost saving makes it attractive during recession.
  310. 310. Cloud computing allows you to move from CAPEX to OPEX.
  311. 311. Save 30% of IT Operational Cost</li></ul>115<br />
  312. 312. OTHER REASONS<br /><ul><li> Variable cost subscription model – rapidly scale up and scale down.
  313. 313. Go Green or Green IT also influenced many.
314. 314. Powerful - A 64-node Linux cluster can be online in just five minutes - forget about those sleepless nights in your data centers</li></ul>116<br />
  315. 315. ADDRESSING SECURITY ISSUES IN CLOUD – RISK ASSESSMENT FRAMEWORK FOR CLOUD<br />117<br />
  316. 316. ADDRESSING CLOUD SECURITY<br /><ul><li>Adopt a risk based approach
  317. 317. Evaluate your tolerance for moving an asset to cloud
  318. 318. Have a framework to evaluate cloud risks.</li></ul>118<br />
  319. 319. RA FRAMEWORK FOR CLOUD<br /><ul><li> Identify the asset for cloud.
  320. 320. Evaluate the asset
  321. 321. Map the asset to cloud deployment models
  322. 322. Evaluate cloud service models & providers
  323. 323. Sketch the potential data flow</li></ul>119<br />
  324. 324. 1 - IDENTIFY THE ASSET<br /><ul><li> Two types of assets are supported by cloud:
  325. 325. Data
  326. 326. Applications/Functions/Processes
  327. 327. Either partial functions or full applications</li></ul>120<br />
328. 328. 1 - IDENTIFY THE ASSET<br /><ul><li> In the cloud, data and application do not need to reside at the same location.
329. 329. We can shift parts of functions to the cloud.</li></ul>121<br />
  330. 330. 1 - IDENTIFY THE ASSET<br /><ul><li> Example:
  331. 331. Host the main application and data in our own data-centre.
  332. 332. Outsource a portion of its functionality to the cloud through Platform as a Service (PaaS).</li></ul>122<br />
  333. 333. 1 - IDENTIFY THE ASSET<br /><ul><li>First step in evaluating risk for the cloud - determine exactly what data or function is being considered for the cloud.
  334. 334. Include potential use of the asset once it moves to the cloud</li></ul>123<br />
  335. 335. 1 - IDENTIFY THE ASSET<br /><ul><li> This will help you account for scope creep
  336. 336. Data and transaction volumes are often higher than expected.</li></ul>124<br />
  337. 337. 1 - IDENTIFY THE ASSET<br /><ul><li> What is scope creep?
  338. 338. Also known as
  339. 339. focus creep,
  340. 340. requirement creep,
  341. 341. feature creep,
  342. 342. function creep</li></ul>125<br />
  343. 343. 1 - IDENTIFY THE ASSET<br /><ul><li> Refers to uncontrolled changes in a project's scope.
  344. 344. Can occur when the scope of a project is not properly defined, documented, or controlled.</li></ul>126<br />
  345. 345. 2 - EVALUATE THE ASSET<br /><ul><li> Determine how important the data or function is to the organization.
  346. 346. A detailed valuation is recommended only if the organization has an existing process for that. </li></ul>127<br />
  347. 347. 2 - EVALUATE THE ASSET<br /><ul><li> If not, a rough assessment of the following is recommended:
  348. 348. how sensitive an asset is, and
  349. 349. how important an application / function / process is.</li></ul>128<br />
  350. 350. 2 - EVALUATE THE ASSET<br /><ul><li> How do we do it?
  351. 351. For each asset, ask the following questions:
  352. 352. How would we be harmed if the asset became widely public and widely distributed?</li></ul>129<br />
  353. 353. 2 - EVALUATE THE ASSET<br /><ul><li> How would we be harmed if an employee of our cloud provider accessed the asset?
  354. 354. How would we be harmed if the process or function were manipulated by an outsider?</li></ul>130<br />
  355. 355. 2 - EVALUATE THE ASSET<br /><ul><li> How would we be harmed if the process or function failed to provide expected results?
  356. 356. How would we be harmed if the information/data were unexpectedly changed?</li></ul>131<br />
  357. 357. 2 - EVALUATE THE ASSET<br /><ul><li> How would we be harmed if the asset were unavailable for a period of time?</li></ul>132<br />
  358. 358. 2 - EVALUATE THE ASSET<br /><ul><li> What are we doing basically with the above process?
  359. 359. Assessing confidentiality, integrity, and availability requirements for the asset; and
  360. 360. how those are affected if all or part of the asset is handled in the cloud.</li></ul>133<br />
361. 361. 3 – MAP THE ASSETS<br /><ul><li> Step 3 - Map the asset to potential cloud deployment models
362. 362. Determine which deployment model suits the organizational requirement.</li></ul>134<br />
  363. 363. 3 – MAP THE ASSETS<br /><ul><li> Decide whether the organization can accept the risks implicit to the various deployment models (private, public, community, or hybrid); and hosting scenarios (internal, external, or combined).</li></ul>135<br />
  364. 364. 3 – MAP THE ASSETS<br /><ul><li> For the asset, determine if you are willing to accept the following options:
  365. 365. Public.
  366. 366. Private, internal/on-premises.
  367. 367. Private, external (including dedicated or shared infrastructure).
  368. 368. Community
  369. 369. Hybrid</li></ul>136<br />
370. 370. 3 – MAP THE ASSETS<br /><ul><li> By the end of this phase you should have an answer to the following:
371. 371. Which deployment models and locations fit your security and risk requirements.</li></ul>137<br />
372. 372. 4 – EVALUATE MODELS & PROVIDERS<br /><ul><li> Focus on the degree of control you’ll have at each SPI (SaaS/PaaS/IaaS) tier to implement any required risk management.</li></ul>138<br />
  373. 373. 5 – SKETCH DATA FLOW<br /><ul><li> Map out the data flow between:
  374. 374. your organization,
  375. 375. the cloud service, and
  376. 376. any customers/other nodes.</li></ul>139<br />
377. 377. 5 – SKETCH DATA FLOW<br /><ul><li> A high-level design is sufficient for this.
378. 378. It is absolutely essential to understand whether, and how, data can move in and out of the cloud before finalizing the decision.</li></ul>140<br />
  379. 379. RA - CONCLUSION<br /><ul><li> You should have a clear understanding of the following:
  380. 380. the importance of what you are considering moving to the cloud,
  381. 381. risk tolerance,</li></ul>141<br />
  382. 382. RA - CONCLUSION<br /><ul><li> which combinations of deployment and service models are acceptable, and
  383. 383. potential exposure points for sensitive information and operations.</li></ul>142<br />
  384. 384. RA - CONCLUSION<br /><ul><li> For low-value assets you don’t need the same level of security controls
  385. 385. Can skip most of the recommendations — such as on-site inspections, discoverability, and complex encryption schemes.
  386. 386. A high-value regulated asset might entail audit and data retention requirements.</li></ul>143<br />
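The five steps above, worked through as an added example that is not from the presentation or the CSA guidance it draws on: the six step-2 harm questions are scored and rolled up into C/I/A requirement levels, the step-3 deployment options are filtered by them, and the step-5 exposure points are listed per option. The Harm scale, the per-option tolerance table, the control names and the sample assets are constructed assumptions; an organization substitutes its own policy.

```python
"""Added example (not from the presentation): the five-step RA framework as
code. Step-2 harm answers roll up into C/I/A requirements, step-3 options are
filtered by them, and step-5 exposure points are listed. All scales are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum

class Harm(IntEnum):
    """Constructed 4-point scale for 'how would we be harmed if ...?'."""
    NONE = 0
    MINOR = 1
    SERIOUS = 2
    SEVERE = 3

# Step 2: the six harm questions, tagged with the CIA property each probes.
QUESTIONS = {
    "widely_public": "C",         # asset became widely public and distributed
    "provider_employee": "C",     # an employee of the cloud provider accessed it
    "outsider_manipulated": "I",  # process/function manipulated by an outsider
    "wrong_results": "I",         # process/function failed to give expected results
    "unexpected_change": "I",     # information/data unexpectedly changed
    "unavailable": "A",           # asset unavailable for a period of time
}

# Step 3: deployment options and the highest confidentiality requirement each
# is assumed to tolerate (constructed policy; an organization sets its own).
OPTION_TOLERANCE = {
    "public": Harm.MINOR,
    "community": Harm.SERIOUS,
    "hybrid": Harm.SERIOUS,
    "private-external-shared": Harm.SERIOUS,
    "private-external-dedicated": Harm.SEVERE,
    "private-internal": Harm.SEVERE,
}

@dataclass
class Asset:
    name: str
    kind: str                                  # step 1: "data" or "function"
    harm: dict = field(default_factory=dict)   # answers keyed like QUESTIONS
    regulated: bool = False                    # audit / retention obligations
    shared_with_customers: bool = False        # data also flows to other nodes

def cia_requirements(asset):
    """Step 2: the worst answer per CIA property becomes its requirement level."""
    req = {"C": Harm.NONE, "I": Harm.NONE, "A": Harm.NONE}
    for question, prop in QUESTIONS.items():
        req[prop] = max(req[prop], Harm(asset.harm.get(question, Harm.NONE)))
    return req

def acceptable_deployments(req):
    """Step 3: keep the options whose tolerance covers the C requirement."""
    return [opt for opt, tol in OPTION_TOLERANCE.items() if req["C"] <= tol]

def exposure_points(asset, option):
    """Step 5: trust-boundary crossings to draw on the data-flow sketch."""
    points = []
    if option != "private-internal":
        points.append("organization to cloud service (provider boundary)")
    if option == "hybrid":
        points.append("on-premises to cloud (inter-site link)")
    if asset.shared_with_customers:
        points.append("cloud service to customers/other nodes")
    return points

def assess(asset):
    """Run steps 2, 3 and 5 and return the RA conclusion for one asset."""
    req = cia_requirements(asset)
    value = max(req.values())
    options = acceptable_deployments(req)
    controls = []
    if value <= Harm.MINOR:   # low-value asset: heavy recommendations can be skipped
        controls.append("baseline controls; skip on-site inspection, "
                        "discoverability and complex encryption schemes")
    else:
        controls.append("encryption in transit and at rest")
    if asset.regulated:       # high-value regulated asset
        controls.append("audit and data retention requirements")
    return {
        "asset": asset.name,
        "requirements": {k: v.name for k, v in req.items()},
        "value": value.name,
        "acceptable_deployments": options,
        "exposure": {opt: exposure_points(asset, opt) for opt in options},
        "controls": controls,
    }
```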
387. 387. EXPLOITING CLOUD FOR IW / ATTACKS<br />144<br />
  388. 388. DO YOU KNOW THIS?<br />145<br />
  389. 389. INFORMATION WARFARE<br /><ul><li> Clue:
390. 390. Kendo (kumdo in Korean)</li></ul>146<br />
  391. 391. INFORMATION WARFARE<br />風 - Swift as the wind<br />林 - Quiet as the forest<br />火 - Conquer like the fire<br />山 - Steady as the mountain <br />147<br />
392. 392. INFORMATION WARFARE<br /><ul><li> Battle strategy and motto of Japanese feudal lord Takeda Shingen (武田信玄) (1521–1573 A.D.).
393. 393. Twenty-Four Generals - famous grouping of battle commanders
394. 394. (Takeda Nijūshi-shō, 武田二十四将)</li></ul>148<br />
395. 395. INFORMATION WARFARE<br /><ul><li> Came from The Art of War by Chinese strategist and tactician Sun Tzu (Sunzi)
396. 396. A sort of abbreviation to remind officers and troops how to conduct battle</li></ul>149<br />
  397. 397. INFORMATION WARFARE<br /><ul><li> This is what we need in information warfare or when launching an attack</li></ul>150<br />
  398. 398. EXPLOITING CLOUD<br /><ul><li> Sample Task
  399. 399. Break PGP passphrases
  400. 400. Solution
  401. 401. Brute forcing PGP passphrases</li></ul>151<br />
  402. 402. EXPLOITING CLOUD<br /><ul><li>Try – ElcomSoft Distributed Password Recovery (with some patches to handle PGP ZIP)
  403. 403. Two elements - EDPR Managers & EDPR Agents</li></ul>152<br />
404. 404. EXPLOITING CLOUD<br /><ul><li> Dual-core Win7 box - 2100 days for a complex passphrase.
405. 405. Not acceptable – too long
406. 406. Let’s exploit the cloud.</li></ul>153<br />
407. 407. EXPLOITING CLOUD<br /><ul><li> First things first – Create an Account on Amazon. Credit Card Required
408. 408. Install the Amazon EC2 API Tools on your Linux box.</li></ul>sudo apt-get install ec2-api-tools<br />154<br />
  409. 409. EXPLOITING CLOUD<br /><ul><li> Select an AMI
410. 410. Example - use a 32-bit Windows AMI - ami-df20c3b6</li></ul>155<br />
411. 411. EXPLOITING CLOUD<br /><ul><li> Start an instance from the Linux shell as follows (-g names the security group):</li></ul>ec2-run-instances -k ssh-keypair ami-df20c3b6 -g default<br />156<br />
  412. 412. EXPLOITING CLOUD<br /><ul><li> Enumerate the instance ID & public IP:</li></ul>ec2-describe-instances<br />157<br />
  413. 413. EXPLOITING CLOUD<br /><ul><li> Instance status change from “pending” to “running”
  414. 414. Extract the admin password for the instance</li></ul>ec2-get-password -k ssh-keypair.pem $instanceID<br />158<br />
  415. 415. EXPLOITING CLOUD<br /><ul><li> Configure EC2 firewall to permit inbound RDP traffic to the instance.</li></ul>ec2-authorize default -p 3389 -s $trusted_ip_address/32<br />159<br />
  416. 416. EXPLOITING CLOUD<br /><ul><li> Configure the firewall in front of the EDPR manager system to permit TCP/12121 from anywhere.
  417. 417. RDP into the instance & configure EDPR</li></ul>160<br />
  418. 418. EXPLOITING CLOUD<br /><ul><li> Login using the password obtained from ec2-get-password command</li></ul>161<br />
  419. 419. EXPLOITING CLOUD<br /><ul><li> Install EDPR Agent,
  420. 420. Configure the Agent to connect to the Manager.
  421. 421. 3 points to configure mainly</li></ul>162<br />
  422. 422. EXPLOITING CLOUD<br /><ul><li> Configure the public IP address or hostname of the EDPR manager you have configured.</li></ul>163<br />
  423. 423. EXPLOITING CLOUD<br /><ul><li>Interface tab - Set the Start-up Mode to "At Windows Start-up".</li></ul>164<br />
  424. 424. EXPLOITING CLOUD<br /><ul><li> Registry hack
  425. 425. EDPR creates a pair of registry values which are used to uniquely identify the agent when connecting to the manager.
  426. 426. We need to scrub these values – why?</li></ul>165<br />
  427. 427. EXPLOITING CLOUD<br /><ul><li> If we don’t, every single instance we initiate will appear to be the same agent to the manager.
  428. 428. Output = The job handling will be totally corrupted.</li></ul>166<br />
429. 429. EXPLOITING CLOUD<br />HKEY_LOCAL_MACHINE\Software\ElcomSoft\Distributed Agent\UID<br /><ul><li> Set the value of the UID key to null, but DO NOT DELETE THE KEY.</li></ul>167<br />
  430. 430. EXPLOITING CLOUD<br /><ul><li> Let’s bundle the EC2 instance.
  431. 431. Remember in cloud, bundle is similar to creating a ‘template’ in VMware terminology.</li></ul>168<br />
  432. 432. EXPLOITING CLOUD<br /><ul><li> Install and configure EC2 AMI Tools
  433. 433. Command:</li></ul>ec2-bundle-instance $instance_id -b $bucket_name -p $bundle_name -o $access_key_id -w $secret_access_key<br />169<br />
434. 434. EXPLOITING CLOUD<br /><ul><li> The bundling process runs sysprep on the Windows instance, then compresses and copies the instance to S3.</li></ul>170<br />
  435. 435. EXPLOITING CLOUD<br /><ul><li> Check the progress of the bundle task:</li></ul>ec2-describe-bundle-tasks<br />171<br />
  436. 436. EXPLOITING CLOUD<br /><ul><li> Register the bundled AMI:</li></ul>ec2-register $bucket_name/$bundle_name.manifest.xml<br />172<br />
437. 437. EXPLOITING CLOUD<br /><ul><li> The register command returns the AMI ID
438. 438. It is used to spawn instances of the EDPR agent. Example:</li></ul>IMAGE ami-54f3103d<br />173<br />
  439. 439. ACTION TIME <br /><ul><li>Start EDPR manager & configure task.
440. 440. to brute-force a password composed of uppercase letters, lowercase letters, and the numbers 0-9, with a length of between 1 and 8 characters, against a PGP ZIP file.</li></ul>174<br />
  441. 441. ACTION TIME <br />175<br />
442. 442. ACTION TIME <br /><ul><li> Start a single instance of our EDPR agent:</li></ul>ec2-run-instances -k ssh-keypair ami-54f3103d -g default<br />176<br />
443. 443. ACTION TIME <br /><ul><li> The agent checks in with the EDPR manager.</li></ul>177<br />
  444. 444. ACTION TIME <br /><ul><li> We started it with default parameters
  445. 445. EC2 “small” instance
  446. 446. Trying 500K keys per second
  447. 447. How long will it take?</li></ul>178<br />
  448. 448. ACTION TIME <br /><ul><li>What???? 3600 days? = 10 years!!!!!</li></ul>179<br />
  449. 449. ACTION TIME <br /><ul><li> Let’s scale up – deploy 10 additional instances:</li></ul>ec2-run-instances -n 10 -k ssh-keypair ami-54f3103d -g default -t c1.medium<br />180<br />
  450. 450. ACTION TIME <br /><ul><li> The -n 10 parameter tells EC2 to launch 10 instances.
451. 451. c1.medium instance = “High CPU” instance</li></ul>181<br />
  452. 452. ACTION TIME <br />182<br />
  453. 453. ACTION TIME <br /><ul><li> Now we have more cracking agents in the party!!!
454. 454. 2M+ keys/second
  455. 455. So what's the time required now???</li></ul>183<br />
  456. 456. ACTION TIME <br /><ul><li> Down to 122 days</li></ul>184<br />
457. 457. ACTION TIME <br /><ul><li> Kick off another 89 to hit a century.</li></ul>ec2-run-instances -n 89 -k ssh-keypair ami-54f3103d -g default -t c1.medium<br />Note: Check your EDPR License.<br />185<br />
  458. 458. ACTION TIME <br /><ul><li> Error:</li></ul>Client.InstanceLimitExceeded: Your quota allows for 9 more instance(s). You requested at least 89<br />186<br />
459. 459. ACTION TIME <br /><ul><li> Option 1
460. 460. Request an Amazon EC2 instance limit increase - http://aws.amazon.com/contact-us/ec2-request/</li></ul>187<br />
461. 461. ACTION TIME <br /><ul><li> Option 2
462. 462. Amazon spot instances - allow us to bid on unused Amazon EC2 capacity and run those instances.</li></ul>188<br />
463. 463. ACTION TIME <br /><ul><li> Option 3
464. 464. Create a custom Python script to bypass this limitation</li></ul>189<br />
465. 465. ACTION TIME <br /><ul><li> With a couple more instances, we can reduce it to hours
466. 466. A successful cloud-based distributed cracking system.</li></ul>190<br />
  467. 467. CLOUD FORENSICS<br />191<br />
  468. 468. CLOUD FORENSICS<br /><ul><li> Mixed Responses
  469. 469. Bad guys have started using cloud based services and infrastructure for launching attacks
470. 470. The cloud does provide a good platform for incident response and forensic investigations</li></ul>192<br />
471. 471. CLOUD FORENSICS<br /><ul><li> By utilizing the inherent features of cloud computing, computer forensics can become an on-demand service under certain circumstances.</li></ul>193<br />
472. 472. CLOUD FORENSICS<br /><ul><li> Regular business and operations are not affected when a cloud environment needs to be forensically examined.
473. 473. Not the case with traditional infrastructure, where the equipment is seized.
  474. 474. Cloud Example – Amazon EBS</li></ul>194<br />
  475. 475. CLOUD FORENSICS<br /><ul><li> Cloud based forensics took a new turn when Amazon introduced Elastic Block Store (EBS) volumes
  476. 476. Enables the user to launch an instance with an Amazon EBS volume that will serve as the root device.</li></ul>195<br />
  477. 477. CLOUD FORENSICS<br /><ul><li> When there is a need to preserve a cloud environment, EBS can create an exact replica of the cloud instance & put it on the same cloud for forensics evaluation and examination.
478. 478. Since the forensic investigators will be working with another instance of the environment, regular operations are not affected in any way.</li></ul>196<br />
479. 479. CLOUD FORENSICS<br /><ul><li> The replication process is achieved in a few minutes.
480. 480. Forensic evidence is invalid if it is not cryptographically hashed.
481. 481. This can be easily achieved using the on-demand feature of cloud.</li></ul>197<br />
485. 485. CLOUD FORENSICS<br /><ul><li>Cloud-based hashing takes much less time than the traditional cryptographic hashing process.
486. 486. Amazon Web Services already provides a useful forensic feature: an MD5 hash of every file that is on the cloud system.</li></ul>199<br />
487. 487. CLOUD FORENSICS<br /><ul><li> What this practically means is that when a bit-by-bit copy is initiated (forensic duplication), you have systems in place which can ensure that you made an exact replica and not even a bit changed during the replication and copying process.</li></ul>200<br />
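The verification step described above (replica made, hashes compared, evidence log kept), as an added example that is not from the presentation: it streams both images once, records MD5 alongside SHA-256 (MD5 catches copy errors but is collision-prone, so it should not stand alone in an evidence record), and on a mismatch reports the first differing byte offset. The image paths, chunk size and sample images are constructed so the example runs offline; a real replica would be a volume restored from an EBS snapshot and exported as a raw image.

```python
"""Added example (not from the presentation): verify that a forensic replica
(e.g. a volume restored from an EBS snapshot and exported as a raw image) is a
bit-for-bit copy of the source, and build the evidence-log record. Paths,
chunk size and the sample images are constructed so it runs offline."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024   # streaming read size; images never need to fit in memory
# AWS's per-file MD5 is fine for catching copy errors but MD5 is collision-prone,
# so SHA-256 is recorded alongside it in the evidence log.
ALGORITHMS = ("md5", "sha256")


def hash_image(path, algorithms=ALGORITHMS):
    """Stream the image once, feeding every chunk to all hashers; returns (size, {alg: hex})."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def first_mismatch(src, dst):
    """Byte offset of the first differing byte, or -1 if the files are identical."""
    offset = 0
    with open(src, "rb") as a, open(dst, "rb") as b:
        while True:
            ca, cb = a.read(CHUNK), b.read(CHUNK)
            if ca == cb:
                if not ca:          # both ended together: identical
                    return -1
                offset += len(ca)
                continue
            for i, (x, y) in enumerate(zip(ca, cb)):
                if x != y:
                    return offset + i
            return offset + min(len(ca), len(cb))   # one side ended early


def verify_replica(src, dst):
    """Hash both images; the replica is verified only if size and every hash match."""
    src_size, src_hashes = hash_image(src)
    dst_size, dst_hashes = hash_image(dst)
    verified = src_size == dst_size and src_hashes == dst_hashes
    return {
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "source": src,
        "replica": dst,
        "size_bytes": src_size,
        "source_hashes": src_hashes,
        "replica_hashes": dst_hashes,
        "verified": verified,
        "first_mismatch_offset": -1 if verified else first_mismatch(src, dst),
    }


def make_sample_images():
    """Constructed sample: a source image, an exact replica, and a replica with a
    single flipped bit at offset 70000 (past the first chunk). Returns the paths."""
    tmp = tempfile.mkdtemp(prefix="cloud9-forensics-")
    data = bytes(range(256)) * 400          # 102400 bytes of deterministic content
    corrupted = bytearray(data)
    corrupted[70000] ^= 0x01
    paths = []
    for name, content in (("source.img", data), ("replica-good.img", data),
                          ("replica-bad.img", bytes(corrupted))):
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return tuple(paths)


if __name__ == "__main__":
    source, replica_ok, replica_bad = make_sample_images()
    for replica in (replica_ok, replica_bad):
        print(verify_replica(source, replica))
```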
  488. 488. CLOUD FORENSICS<br /><ul><li> Even though you have all the above services available, cloud forensics is still challenging.
489. 489. Applications and host systems that once used to be in-house are now virtualized and scattered across the cloud.</li></ul>201<br />
490. 490. CLOUD FORENSICS<br /><ul><li> This makes evidence gathering a challenging task
491. 491. Since we are acquiring data from a virtual environment, the forensic investigator should have a clear and precise understanding of how these environments work and which files are of interest and need to be acquired.</li></ul>202<br />
492. 492. CLOUD FORENSICS<br /><ul><li> Nearly impossible to acquire the complete hard disk due to various reasons including but not limited to:
493. 493. multiple data owners on the same disk,
494. 494. remote geographical location,
495. 495. jurisdictional difficulties,
496. 496. RAID configurations, etc.</li></ul>203<br />
497. 497. AND FINALLY<br /><ul><li> Questions also arise on the compatibility and reliability of the tools used for cloud forensic investigations - because most of the tools are meant for real (physical) systems and not for virtualized environments.
498. 498. A collaborative and collective effort is required to address what we discussed.</li></ul>204<br />
499. 499. CONCLUSION<br />205<br />
  500. 500. CONCLUSION<br /><ul><li> The architectural mindset used when designing solutions has clear implications on the:
  501. 501. future flexibility,
  502. 502. security,
  503. 503. collaborative capabilities, and
  504. 504. mobility</li></ul>of the resultant solution.<br />206<br />
  505. 505. CONCLUSION<br /><ul><li> With so many different cloud deployment and service models, and their hybrid permutations — no list of security controls can cover all these circumstances.</li></ul>207<br />
  506. 506. GOOD SECURITY PROFESSIONAL<br />A good security professional is someone who always looks both ways before crossing a one-way street.<br />208<br />
  507. 507. 209<br />QUESTIONS??<br />Manu Zacharia<br />m@matriux.com<br />or<br />m@HackIT.co<br />or<br />
  508. 508. THANK YOU !<br />