Oleg Podsechin, profile picture
Uploaded byOleg Podsechin
1,222 views

Staying safe in the cloud

This document discusses various ways to stay safe in the cloud, including ensuring availability, reliability, and privacy. It outlines potential attack vectors like social engineering, packet sniffing, and zero-day exploits. Some recommended countermeasures include encrypted drives, strong passwords, two-factor authentication, and security audits. The document also discusses trade-offs between self-reliance and reliability as well as security and convenience. It notes that while security is important, users often don't care if a service gets hacked and every service will likely experience a breach at some point.

Embed presentation

Downloaded 11 times
Staying Safe in the Cloud
/whois me
helsinkijs.org
define: security ● availability ○ no access ● reliability ○ data loss ● privacy ○ data leak
Availability ● Pingdom ● Where’s it Up? ● StatusPage.io ○ status.myservice.com: ~ 10% ● Hosting & Infrastructure ○ CDNs like CloudFlare - test with Blitz etc. ○ DaaS like AWS RDS, MongoHQ etc. ○ deployment, e.g. NPM ○ third party JS, tag management e.g. GTM ○ DDOS with botnets, HTTPX
Reliability ● Funding or lack thereof, business model ○ or corporate strategy, think Google Reader, G+ ● PEBKAC ○ Google Docs, Yammer ● API availability ~ data backup an option ○ programmableweb.com ○ Kimono ● Backupify, Import2
Privacy ● Third party JS, GA has 20M accounts ○ BuiltWith ● Retargeting cookies ● Email/IP to user info on social media ○ Rapleaf, Rapportive ○ Intercom ○ FOAF ● FastMail, Minerva Fabric ○ PGP
Attack Vectors ● Social engineering, war driving, sniping, drones? ○ Apple Amazon hack ● Rootkits, keyloggers ○ Vodafone Greece example (pre NSA) ● Packet sniffing, port scanning ● 0 day exploits, exploit marketplaces ○ WebGL, Java, Rails, OpenSSL/Heartbleed ● DNS, SSL intercept ○ compromised rootcerts ○ Arab Spring example
Attack Vectors ● Infrastructure providers ○ HDDs reused ○ Internal sniffing, e.g. MongoDB ○ OSS clients libs not audited, Nodetime example ● Phishing mails ● Cross site attacks: XSS, CSRF ● Malicious extensions: e.g. Window Resizer ● OAuth, third party app access ○ ~60% use Google for login ● etc. etc.
Countermeasures ● Encrypted laptop drives ● Secure passwords ○ LastPass or PwdHash ● Two Factor Authentication 2FA ○ Not enforced by most ● Suspicious activity detection ● Access logs ○ per user audit trail?
Preemption ● Security audits ● “Honeypots” ● Production/Staging divide ● Bug bounty programs
Politics: NSA, etc. ● Hosting outside of US by a non-US legal entity is a competitive advantage ○ e.g. Upcloud, younited ○ caveat: traffic goes via Sweden ● How many SaaS companies from Estonia? ○ Sportlyzer ○ Weekdone ○ GoWorkaBit ○ InventoryAPI
Shadow IT ● Bring Your Own Device (BYOD) ● Bring Your Own Service (BYOS) ● Most companies don’t know what software their employees use ○ … and don’t want to know ● Shared accounts ○ Bitium, Meldium
Case Study: StartHQ ● first contact: ○ password reset mails ○ access log monitoring ○ break in ○ disable /admin ○ apply fix ● two weeks later: ○ second break in ○ mail sent to all @starthq.com ○ apply second fix, more attempts, no more breakins
Case Study: Buffer
Trade-offs ● Self Reliance vs. Reliability ○ Self host MongoDB or go with MongoHQ ○ Speed and time to market critical ● Security vs. Convenience?
Reality ● Everyone gets hacked ○ Atlassian story ● Users largely don’t care ● Case in point: StartHQ extension ○ see video
Resources Security Engineering by Ross Anderson Light Blue Touchpaper blog
Resources Chaos Computer Club TV
Resources OWASP Top 10 Project Homakov blog
Thank you! @olegpodsechin

More Related Content

PDF
Jon Bing Memorial Seminar
byVestforsk.no
 
PDF
01 BlockChain
bySivakumar Ramar
 
PPT
RingoJS
byOleg Podsechin
 
PPT
AngularJS - the folly of choice
byOleg Podsechin
 
PDF
Slashing Your Cloud Risk: 3 Must-Do's
bySecurity Innovation
 
PPT
CyberCrime in the Cloud and How to defend Yourself
byAlert Logic
 
PDF
Cloud Security:Threats & Mitgations
byIndicThreads
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
Jon Bing Memorial Seminar
byVestforsk.no
 
01 BlockChain
bySivakumar Ramar
 
RingoJS
byOleg Podsechin
 
AngularJS - the folly of choice
byOleg Podsechin
 
Slashing Your Cloud Risk: 3 Must-Do's
bySecurity Innovation
 
CyberCrime in the Cloud and How to defend Yourself
byAlert Logic
 
Cloud Security:Threats & Mitgations
byIndicThreads
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 

Similar to Staying safe in the cloud

PDF
Anatomy of a Cloud Hack
byNotSoSecure Global Services
 
PDF
Security in the cloud protecting your cloud apps
byCenzic
 
PPT
Cloud Computing Security Issues
byDiscover Cloud Computing
 
PDF
How to Ensure You're Launching the Most Secure Website - Michael Tremante
byWP Engine
 
PPTX
Cloud Security 2014 AASNET
byFarrukh Shahzad
 
PDF
IANS information security forum 2019 summary
byKarun Chennuri
 
PDF
Peering Through the Cloud Forrester EMEA 2010
bygraywilliams
 
PDF
Reducing Your Attack Surface
byAlert Logic
 
PPT
Aws training in bangalore
byapponix123
 
PPTX
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
byMarkAnnati
 
PDF
Cloud Security Primer - F5 Networks
byHarry Gunns
 
PPTX
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
byHackIT Ukraine
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PDF
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
bySreejesh Madonandy
 
PPTX
Securing Applications in the Cloud
bySecurity Innovation
 
PPTX
Ple18 web-security-david-busby
byDavid Busby, CISSP
 
PDF
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
byNorth Texas Chapter of the ISSA
 
PPTX
How Romanian companies are developing secure applications on Azure.pptx
byRadu Vunvulea
 
PPTX
Security in the cloud Workshop HSTC 2014
byAkash Mahajan
 
Anatomy of a Cloud Hack
byNotSoSecure Global Services
 
Security in the cloud protecting your cloud apps
byCenzic
 
Cloud Computing Security Issues
byDiscover Cloud Computing
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
byWP Engine
 
Cloud Security 2014 AASNET
byFarrukh Shahzad
 
IANS information security forum 2019 summary
byKarun Chennuri
 
Peering Through the Cloud Forrester EMEA 2010
bygraywilliams
 
Reducing Your Attack Surface
byAlert Logic
 
Aws training in bangalore
byapponix123
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
byMarkAnnati
 
Cloud Security Primer - F5 Networks
byHarry Gunns
 
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
byHackIT Ukraine
 
Web App Security Presentation by Ryan Holland - 05-31-2017
byTriNimbus
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
bySreejesh Madonandy
 
Securing Applications in the Cloud
bySecurity Innovation
 
Ple18 web-security-david-busby
byDavid Busby, CISSP
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
byNorth Texas Chapter of the ISSA
 
How Romanian companies are developing secure applications on Azure.pptx
byRadu Vunvulea
 
Security in the cloud Workshop HSTC 2014
byAkash Mahajan
 

More from Oleg Podsechin

PDF
Why SaaS (in Helsinki)?
byOleg Podsechin
 
PDF
Tips from angular js users anonymous
byOleg Podsechin
 
PDF
Lean and mean MongoDB
byOleg Podsechin
 
PPT
JS everywhere 2011
byOleg Podsechin
 
PPT
What every developer can learn from startups
byOleg Podsechin
 
PPT
Server side JavaScript: going all the way
byOleg Podsechin
 
PPT
Current State of Server Side JavaScript
byOleg Podsechin
 
PPT
On Platforms
byOleg Podsechin
 
PPT
Common Node
byOleg Podsechin
 
PPT
The future of server side JavaScript
byOleg Podsechin
 
PPT
RingoJS
byOleg Podsechin
 
PPT
Grid and Cloud Computing Intro
byOleg Podsechin
 
Why SaaS (in Helsinki)?
byOleg Podsechin
 
Tips from angular js users anonymous
byOleg Podsechin
 
Lean and mean MongoDB
byOleg Podsechin
 
JS everywhere 2011
byOleg Podsechin
 
What every developer can learn from startups
byOleg Podsechin
 
Server side JavaScript: going all the way
byOleg Podsechin
 
Current State of Server Side JavaScript
byOleg Podsechin
 
On Platforms
byOleg Podsechin
 
Common Node
byOleg Podsechin
 
The future of server side JavaScript
byOleg Podsechin
 
RingoJS
byOleg Podsechin
 
Grid and Cloud Computing Intro
byOleg Podsechin
 

Recently uploaded

PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PPTX
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
PPTX
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
PPTX
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
PPT
html-forms in web development-courseICT.
bymadz33
 
PPTX
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
PPTX
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
PDF
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PPTX
Ideathon template.pptx it is a ideathon template
bykonav71133
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PPT
Memory Organization In Assembly Language
byumairmuhammad0409
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PPTX
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
PDF
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
Bibhav Singh.pptx it's very useful for us it's in very good and very nice
byabhishekjaiswal5th33
 
html-forms in web development-courseICT.
bymadz33
 
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
Design For Test - Getting Test Automation value from Design Expressions.
byDavid Harrison
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
Ideathon template.pptx it is a ideathon template
bykonav71133
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
Memory Organization In Assembly Language
byumairmuhammad0409
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
ARTIFICIAL INTELLIGENCE DEVELOPMENT SERVICE
bydavidjohansen1597
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 

Staying safe in the cloud

  • 1.
    Staying Safe inthe Cloud
  • 2.
  • 3.
  • 6.
    define: security ● availability ○no access ● reliability ○ data loss ● privacy ○ data leak
  • 7.
    Availability ● Pingdom ● Where’sit Up? ● StatusPage.io ○ status.myservice.com: ~ 10% ● Hosting & Infrastructure ○ CDNs like CloudFlare - test with Blitz etc. ○ DaaS like AWS RDS, MongoHQ etc. ○ deployment, e.g. NPM ○ third party JS, tag management e.g. GTM ○ DDOS with botnets, HTTPX
  • 9.
    Reliability ● Funding orlack thereof, business model ○ or corporate strategy, think Google Reader, G+ ● PEBKAC ○ Google Docs, Yammer ● API availability ~ data backup an option ○ programmableweb.com ○ Kimono ● Backupify, Import2
  • 10.
    Privacy ● Third partyJS, GA has 20M accounts ○ BuiltWith ● Retargeting cookies ● Email/IP to user info on social media ○ Rapleaf, Rapportive ○ Intercom ○ FOAF ● FastMail, Minerva Fabric ○ PGP
  • 11.
    Attack Vectors ● Socialengineering, war driving, sniping, drones? ○ Apple Amazon hack ● Rootkits, keyloggers ○ Vodafone Greece example (pre NSA) ● Packet sniffing, port scanning ● 0 day exploits, exploit marketplaces ○ WebGL, Java, Rails, OpenSSL/Heartbleed ● DNS, SSL intercept ○ compromised rootcerts ○ Arab Spring example
  • 16.
    Attack Vectors ● Infrastructureproviders ○ HDDs reused ○ Internal sniffing, e.g. MongoDB ○ OSS clients libs not audited, Nodetime example ● Phishing mails ● Cross site attacks: XSS, CSRF ● Malicious extensions: e.g. Window Resizer ● OAuth, third party app access ○ ~60% use Google for login ● etc. etc.
  • 19.
    Countermeasures ● Encrypted laptopdrives ● Secure passwords ○ LastPass or PwdHash ● Two Factor Authentication 2FA ○ Not enforced by most ● Suspicious activity detection ● Access logs ○ per user audit trail?
  • 20.
    Preemption ● Security audits ●“Honeypots” ● Production/Staging divide ● Bug bounty programs
  • 22.
    Politics: NSA, etc. ●Hosting outside of US by a non-US legal entity is a competitive advantage ○ e.g. Upcloud, younited ○ caveat: traffic goes via Sweden ● How many SaaS companies from Estonia? ○ Sportlyzer ○ Weekdone ○ GoWorkaBit ○ InventoryAPI
  • 24.
    Shadow IT ● BringYour Own Device (BYOD) ● Bring Your Own Service (BYOS) ● Most companies don’t know what software their employees use ○ … and don’t want to know ● Shared accounts ○ Bitium, Meldium
  • 26.
    Case Study: StartHQ ●first contact: ○ password reset mails ○ access log monitoring ○ break in ○ disable /admin ○ apply fix ● two weeks later: ○ second break in ○ mail sent to all @starthq.com ○ apply second fix, more attempts, no more breakins
  • 27.
  • 28.
    Trade-offs ● Self Reliancevs. Reliability ○ Self host MongoDB or go with MongoHQ ○ Speed and time to market critical ● Security vs. Convenience?
  • 29.
    Reality ● Everyone getshacked ○ Atlassian story ● Users largely don’t care ● Case in point: StartHQ extension ○ see video
  • 30.
    Resources Security Engineering byRoss Anderson Light Blue Touchpaper blog
  • 31.
  • 32.
    Resources OWASP Top 10Project Homakov blog
  • 33.