
Cloud Security


Cloud Security conducted at AWS Community Day, Bangalore 2019



  1. Secure Cloud. Name of the Speaker: Amar Prusty. Company Name: DXC Technology. Place: Bangalore. Confidential – For Training Purposes Only
  2. Speaker Experience ◆ Cloud & Data Center Architect ◆ Worked for Global Clients across Industry Verticals ◆ Been in IT 17+ years ◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC ◆ Interests – Security, DevOps, AI, IoT, Blockchain, Analytics ◆ Hobbies – Cooking, Cycling, Reading, Travelling ◆ https://www.linkedin.com/in/amar-prusty-07913028/
  3. Education – Partnership – Solutions Information Security Office of Budget and Finance
  4. Defining Cloud • Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. Citation: NIST Special Publication (SP) 800-145. The five essential characteristics: – On-demand self-service – Broad network access – Resource pooling – Rapid elasticity – Measured service
  5. Cloud Service Models • Infrastructure as a Service (IaaS) – A standardized, highly automated offering where compute resources, complemented by storage and networking capabilities, are owned by a service provider and offered to customers on demand. Customers are able to self-provision the infrastructure. • Platform as a Service (PaaS) – The offering is a broad collection of application infrastructure (middleware) services, including application platform, integration, business process management and database services. • Software as a Service (SaaS) – Software is owned, delivered and managed remotely by a provider. The provider delivers software based on one set of common code and data definitions that is consumed by contracted customers on a pay-for-use basis or as a subscription.
  6. Cloud Service Models (stack diagram; only the labels survive): Facilities, Hardware, Abstraction Layer, Connectivity/Network, Integration, Middleware, Interfaces, Application Programming Interfaces, Data, Metadata, Applications/Software, Presentment, mapped against Infrastructure as a Service, Platform as a Service and Software as a Service.
  7. Cloud Deployment Models • Public – Cloud infrastructure is available to the general public and owned by an organization selling cloud services • Private – Cloud infrastructure for a single organization only; may be managed by the organization or a 3rd party, on or off premises • Hybrid – Cloud infrastructure shared by several organizations that have shared concerns, managed by the organization or a 3rd party • Community – Combinations of cloud types
  8. Chief Information Officers’ Cloud Concerns: Security, Availability, Performance, Costs, Standards
  9. Shared Security Responsibility (diagram; only the labels survive): layers Facility, Hardware, Virtual Infrastructure, Architecture, Platform and Application, split between Service Provider and Consumer for IaaS, PaaS and SaaS. • Service Provider and Consumer roles, related to the cloud model, are the inverse of each other.
  10. Data Types and Compliance • Data, being the key attribute of an information technology system, is the driving force in selecting the appropriate level of security. • Develop detailed data flows. • If the security controls and approach are not matched to the characterization of the data, then: – The system will be more costly and its utility reduced if over-secured. – The system and data will be vulnerable and could lead to a breach if under-secured.
  11. Risk = (Data Type + Breach Probability) / Data Security Profile (diagram; only the labels survive) • Data classifications: Public Data (Classification: Low); Sensitive Data and Confidential Data (Classification: Moderate); Restricted Data (Classification: High) • Data Security Profiles 1–4, each paired with a Policies & Procedures Profile 1–4 • Regimes referenced: Integrity Controls, Privacy Act, FISMA, HIPAA, PCI-DSS, FERPA, Pub 1075, CJIS; control baselines NIST SP 800-53v4 and SP 800-53v4 with Pub 1075 and CJIS-SP • Data Object Security = Data Security Profile + Data Owner + Originating System + Data Integrity Confidence (Data Pedigree) • Risk Profile: Risk = (Data Type * Breach Probability) / Security Profile
  12. DoDM 5200, E.O. 13256 – Data Classification Comparison: Project – Federal Agency – National Security • Direct comparison is difficult because data classification is specific to mission, context, aggregation and system. Detailed review of data sets, usage and regulatory compliance yields appropriate classifications. Data can transition up or down in classification levels based on certain factors. Sources: Regulations, NIST SP 800-53v4, FIPS, PUB 1075, Agency Specific Guidance • National Security / Dept. of Defense Classifications: Unclassified (No Damage); For Official Use Only (FOUO) (Limited Damage); Confidential (Damage); Secret (Serious Damage); Top Secret (Grave Damage) • Project Data Classifications: Public, Low, Moderate – regimes Integrity Controls, Privacy Act, FISMA, HIPAA, PCI-DSS, FERPA, Pub 1075, CJIS • Federal Agency Classifications: Public (No Adverse Effect); Low (Limited Adverse Effect); Moderate (Serious Adverse Effect); Moderate + ; High (Severe Adverse Effect) – regimes Integrity Controls, Privacy Act, FISMA, HIPAA, PCI-DSS, FERPA, Pub 1075, CFR Title 28, DOJ-BoPrisons
  15. What is Cloud Security? • There is a lot of noise and distraction about cloud security. • The truth is that security controls need to be implemented whether you use: – Stand-alone servers – Physical servers in your data center – Virtualization in your data center – Cloud provided by a service provider • There are few differences when identifying what controls to implement. • The bottom line is that organizations feel vulnerable because they believe they lose control.
  16. Endpoint Device Security • Host-based Intrusion Detection Systems (HIDS) • Host-based firewalls • Application whitelisting • Endpoint encryption • Trusted Platform Module • Mobile device management • Sandboxing
  17. Cloud Security • TLS Encryption • Network Firewalls / Web Application Firewall • Data Encryption – FIPS 140-2 • Central Logging • Authentication Layering • Network Scanning • Third-Party Security Testing – Vulnerability Assessments – Penetration Testing – Security Audit • Statement on Standards for Attestation Engagements (SSAE) 16 Compliant Data Center
  18. Architectural Considerations • Attack Surface – The hypervisor is an additional layer of software between an operating system and the hardware platform. The hypervisor normally supports additional application programming interfaces to conduct administrative operations, such as launching, migrating, and terminating virtual machine instances. This increases the attack surface. • Complicated Architectures – Virtual machine environments and their supporting software are complicated. Implementing organizational software in PaaS or IaaS creates additional complications that have to be managed appropriately.
  19. Architectural Considerations • Virtual Network Protection – Most virtualization platforms can create software-based switches and network configurations as part of the virtual environment, allowing virtual machines on the same host to communicate more directly and efficiently. Some hypervisors’ network monitoring capabilities are not as robust as physical network tools. • Virtual Machine Images – IaaS cloud providers maintain repositories of virtual machine images. A virtual machine image includes the software stack and speeds up the time to implementation. These are often shared. Shared virtual images must be validated and carefully controlled so that they do not introduce problems.
  20. Architectural Considerations • Client-Side Protection – Web browsers, a key element of many cloud computing services, and their various plug-ins and extensions are notorious for their security problems. Security awareness is as important when dealing with a cloud application as with any other application, however it is implemented. • Identity and Access Management – Identification, authentication, authorization and accounting are critical to implement, enforce and monitor on any cloud-based application or cloud management portal.
  22. Identity and Access Management • Identity Management includes: – Self-service – Registration – Password management – Provisioning • Access Management includes: – Authentication – Authorization – Policy Management – Federation – Identity Repository
  23. Identity and Access Management • Identity repositories provide directory services for the administration of user accounts and their attributes. • Common Directory Services: – X.500 and LDAP – Microsoft Active Directory – Novell eDirectory – Metadata replication and synchronization – Directory as a Service
  24. Federated Identity Management • Provides the policies and processes that manage identity and trusted access to systems across entities • Like Kerberos, but for separate domains • Federation Standards: – Security Assertion Markup Language (SAML) – WS-Federation – OpenID Connect (based on OAuth 2.0) – OAuth for web and mobile applications • Federated Identity Roles: – Identity Provider – holds all the identities and generates a token for known users – Relying Party – the service provider who consumes these tokens
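The Identity Provider / Relying Party exchange described on this slide, as an added example that is not part of the original deck and not the code of any product named on it. It models both sides: the IdP mints a token for a known user and a named audience, and the Relying Party accepts it only after checking the signature, issuer, audience and expiry. The issuer and audience URLs are hypothetical, and a shared HMAC key (constructed) stands in for the asymmetric signing keys that real SAML and OpenID Connect deployments publish through metadata or a JWKS endpoint; the checks the Relying Party performs are the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values. A shared HMAC key stands in for the Identity
# Provider's signing key; production SAML/OIDC federations use asymmetric
# signatures, but the Relying Party's trust checks are identical.
IDP_ISSUER = "https://idp.example.org"      # hypothetical Identity Provider
RP_AUDIENCE = "https://app.example.com"     # hypothetical Relying Party
SIGNING_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str, audience: str, now: int) -> str:
    """Identity Provider side: assert a known user for one named Relying Party."""
    claims = {
        "iss": IDP_ISSUER,
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(signature)}"


def rp_verify_token(token: str, now: int) -> dict:
    """Relying Party side: accept only an unexpired token from the trusted IdP
    that was minted for this RP. Raises ValueError with the reason otherwise."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, signature = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Verify the signature before trusting any claim, with a constant-time compare.
    if not hmac.compare_digest(expected, _unb64(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != RP_AUDIENCE:
        raise ValueError("token was issued for a different relying party")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def rp_outcome(token: str, now: int) -> str:
    """Convenience wrapper: 'accepted:<subject>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + rp_verify_token(token, now)["sub"]
    except ValueError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    issued_at = 1_560_000_000   # constructed timestamp
    token = idp_issue_token("alice", RP_AUDIENCE, issued_at)
    print(rp_outcome(token, issued_at + 10))    # accepted:alice
    print(rp_outcome(token, issued_at + 600))   # rejected:token expired
```

The audience check is the one most often skipped in practice: a token that a user legitimately obtained for one relying party must not be accepted by another, otherwise any application in the federation can replay tokens against its neighbours.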
  25. Security Threats • Malicious Code – Ransomware – Virus – Worms – Trojans – Logic bombs – Malware – Botnet • Malicious Code Countermeasures – Scanners – IDS/IPS – Security testing – Anti-malware – Code signing – Sandboxing – Appropriate patching
  26. Security Threats • Malicious Activity – Social Engineering – Spoofing – Phishing – Spam – Botnets • Malicious Activity Countermeasures – User Awareness Training – System Hardening – Patching – Sandboxing – Policies and Procedures
  27. Security Threats • Abuse and Nefarious Use – Hackers continue to leverage technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. – Cloud providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers’ fraud detection capabilities are limited. • Countermeasures: Patching, intrusion detection, security awareness training, background checks
  28. Security Threats • Insecure Interfaces and APIs – Cloud providers strive to provide security that is integrated into their service models. – Consumers of services need to understand the security implications associated with the usage, management, orchestration and monitoring of cloud services. – Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability. • Countermeasures: Architecture review, security testing, patching schedules, Service Level Agreements, legal agreements (BAA)
  29. Security Threats • Malicious Insiders – The impact that malicious insiders can have on an organization is great because of their level of access and understanding of data and information technology assets. – Theft, reputation damage and loss of productivity are some examples of how a malicious insider can affect an operation. – Organizations that adopt cloud services need to understand the human element, and that the malicious-insider risk also applies to the staff of the cloud provider. • Countermeasures: Background checks, policies and procedures, non-repudiation, two-man work, security awareness training, least privilege
  30. Security Threats • Shared Technology Issues – Attacks have surfaced in recent years that target the shared technology inside cloud computing environments. – As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data. • Countermeasures: Patching, security testing, monitoring, security awareness training
  31. Security Threats • Data Loss or Leakage – Data loss or leakage can have a devastating impact on a business, and the severity of the impact depends directly on the type of data. – Compliance violations, legal ramifications. – Loss of core intellectual property could have competitive and financial implications. • Countermeasures: Data Loss Prevention applications, encryption, security awareness training, data classification, policies and procedures, least privilege
  32. Security Threats • Account or Service Hijacking – Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical cloud services, allowing them to compromise the confidentiality, integrity and availability of the services and the data. • Countermeasures: Policies and procedures, security awareness training, enforced password lifetime, complexity and reuse rules
  34. Security Threats • Unknown Risk Profile – When adopting a cloud service, the features and functionality may be well advertised, but one must understand the cloud service’s security posture and risk profile. – Understand the controls or compliance alignment. – Make sure you agree with the cloud provider’s internal security procedures, configuration hardening, patching, auditing, and logging. – Do they go through SSAE 16 SOC 2 audits, or are they FedRAMP certified? – Under what conditions can you have access to, or be given an extract of, logs? – Can you conduct vulnerability scanning or penetration testing on “your” infrastructure, and/or will you receive regular reports of the results of their scanning and testing? • Countermeasures: Research, agreements, and governance
  36. Cloud Governance • Cloud Governance by the Customer is Critical – Extend organizational practices pertaining to the policies, procedures, and standards implemented for users. – Practices pertaining to policies, procedures and standards implemented for application development and service provisioning. – Environment establishment, such as development, testing, staging, training, production and disaster recovery, in alignment with organizational standards. – Put in place audit mechanisms and tools to ensure organizational practices are followed, such as log review and reporting.
  37. Cloud Governance • Cloud Governance by the Customer is Critical – Cloud customers need to define a cloud strategy before entering into an agreement with a CSP – Organizational assets agreed upon and assessed for suitability for cloud – Define suitable business units or functions – Outline a phased approach to the cloud journey – Document exceptions, restrictions, and risks – List regulatory and compliance components (addressed either jointly or by the provider) – List business and system interdependencies.
  38. Cloud Application Security • Cloud development and applications must take into consideration service models and deployment models • Data sensitivity issues in the cloud • Use RESTful vs SOAP APIs • Be careful with multitenancy • Appropriate cryptography • Release management
  39. Cloud Application Security • On-premises applications do not always port • Should follow an appropriate Software Development Lifecycle • Not all applications are suitable for the cloud • Users and developers must understand and have appropriate security awareness • Document cloud applications thoroughly • Identify complexities of integration • Code with the 2019 OWASP Top 10 in mind • Code to ISO/IEC 27034-1 Information Technology – Security Techniques
  40. Cloud Application Security • APIs are a very important part of cloud applications • Primary access method • Two of the possible formats for cloud APIs are: – Representational State Transfer (REST) • Uses HTTP • Supports many data formats (e.g., JSON, XML, YAML, etc.) • Good performance and scalability, uses caching • Widely used • Stateless – Simple Object Access Protocol (SOAP) • Uses a SOAP envelope over HTTP, FTP, or SMTP • Only supports XML • Slower performance, complex scalability, no caching • Used where REST is not possible • Stateful
  41. Cloud Operations & Maintenance • It is critical to research the cloud operations and maintenance of the cloud service provider to ensure they are operating appropriately for your compliance and risk threshold. • You cannot assume that because they say they operate appropriately, they do. – Ask for patching schedules. – What type of continuous scanning is done, and can you have a summary report? • And ensure the following:
  42. Cloud Operations & Maintenance • Fault management • Problem management • Equipment management • Change management • Release management • Supplier management • Prevention management • Resource staffing • Architectural/network topology documentation
  43. Cloud Compliance • Align compliance requirements developed from regulations, standards, and the organization’s mission to create a framework for acceptable: – Risk: Have risk management in place, supported by leadership – Recovery Time Objective: How long can the system or components be down? – Recovery Point Objective: How much data can you lose before reaching the unacceptable threshold? – Loss: Are there acceptable losses? – Budget: For losses, fines or, hopefully, controls – Controls: Dependent on identified risks and vulnerabilities.
  44. Cloud Compliance • The customer chooses where to place data. – The customer organization needs to understand cloud computing. • Cloud providers generally have regions (AWS) that are isolated by design • Data is not replicated to other regions and does not move unless the customer chooses that option • Customers manage access to their data as well as to AWS services and resources • Customers choose how their data is secured.
  45. Cloud Compliance
  46. Some Key Points • Make sure you exercise due diligence when selecting a cloud service provider. • Make sure the cloud environment supports the regulatory requirements of your industry and data. • Conduct data classification to understand the sensitivity of your data before moving to the cloud. • Clearly define who owns the data, how it will be “returned” to you, and the timing, in the event you cancel your agreement. • Understand whether you are leveraging the cloud in an IaaS, PaaS, SaaS or other model. • Establish Service Level Agreements (SLAs) to ensure performance. • Engage cloud-specific legal advice before moving to the cloud.
  47. Some Key Points • Make sure you schedule enough time to move your application or data center to the cloud. • Make sure you budget a sufficient amount. • Recognize that many organizational policies and procedures will need to be updated. • When using data provided by 3rd parties, note that you may need to notify them and amend your agreement. • Do not let the skill level of the IT staff who understand the business and your applications weaken.
  48. AWS Security Best Practices – CloudTrail • Enable CloudTrail across all geographic regions and AWS services to prevent activity monitoring gaps. • Turn on CloudTrail log file validation so that any changes made to a log file after it has been delivered to the S3 bucket are trackable, ensuring log file integrity. • Enable access logging for the CloudTrail S3 bucket so that you can track access requests and identify potentially unauthorized or unwarranted access attempts. • Turn on multifactor authentication (MFA) for deleting CloudTrail S3 buckets, and encrypt all CloudTrail log files in flight and at rest. • Hackers disable CloudTrail and delete logs
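The log file validation bullet above describes a hash chain: each digest file records the SHA-256 of every delivered log file and is itself signed, and each digest carries the previous digest's signature, so a modified, deleted or missing file breaks the chain. The following is an added illustration of that mechanism, not the deck's code and not AWS's own digest format or validator (`aws cloudtrail validate-logs` does this for real trails). It builds a three-window chain over constructed log files and then reports exactly which kind of tampering it sees. The HMAC key is a constructed stand-in for the per-region RSA signing key CloudTrail actually uses; the chain-walking logic is the point.

```python
import hashlib
import hmac
import json

# Constructed demo key. CloudTrail signs real digest files with a per-region
# RSA key pair; an HMAC key stands in here so the example runs offline.
DIGEST_SIGNING_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(unsigned_digest: dict) -> str:
    payload = json.dumps(unsigned_digest, sort_keys=True).encode()
    return hmac.new(DIGEST_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def build_digest(log_files: dict, previous_digest) -> dict:
    """Issue a digest covering one delivery window of log files.
    log_files maps object key -> file bytes; previous_digest is the prior
    digest record (None for the first one), whose signature is chained in."""
    digest = {
        "logFiles": [{"s3Object": name, "hashValue": sha256_hex(content)}
                     for name, content in sorted(log_files.items())],
        "previousDigestSignature": previous_digest["signature"] if previous_digest else None,
    }
    digest["signature"] = _sign(digest)
    return digest


def validate_chain(digests: list, bucket: dict) -> list:
    """Walk the digest chain against the bucket contents and return findings.
    An empty list means every digest and every referenced log file is intact."""
    findings = []
    prev_signature = None
    for index, digest in enumerate(digests):
        unsigned = {k: v for k, v in digest.items() if k != "signature"}
        if not hmac.compare_digest(_sign(unsigned), digest["signature"]):
            findings.append(f"digest {index}: signature invalid (digest file modified)")
        if digest["previousDigestSignature"] != prev_signature:
            findings.append(f"digest {index}: chain broken (a digest file is missing or out of order)")
        for entry in digest["logFiles"]:
            content = bucket.get(entry["s3Object"])
            if content is None:
                findings.append(f"{entry['s3Object']}: log file deleted")
            elif sha256_hex(content) != entry["hashValue"]:
                findings.append(f"{entry['s3Object']}: log file modified")
        prev_signature = digest["signature"]
    return findings


def make_sample():
    """Constructed bucket contents: three delivery windows, one log file each."""
    bucket = {
        "logs/2019-03-01T10.json": b'{"Records":[{"eventName":"ConsoleLogin","userIdentity":{"userName":"alice"}}]}',
        "logs/2019-03-01T11.json": b'{"Records":[{"eventName":"StopLogging","userIdentity":{"userName":"alice"}}]}',
        "logs/2019-03-01T12.json": b'{"Records":[{"eventName":"DeleteBucket","userIdentity":{"userName":"alice"}}]}',
    }
    digests = []
    previous = None
    for key in sorted(bucket):
        previous = build_digest({key: bucket[key]}, previous)
        digests.append(previous)
    return digests, bucket


if __name__ == "__main__":
    digests, bucket = make_sample()
    print(validate_chain(digests, bucket))                    # []
    print(validate_chain([digests[0], digests[2]], bucket))   # chain broken at index 1
```

Note what validation cannot do: if logging is stopped (the `StopLogging` event in the constructed sample) nothing is delivered for that period, so there is nothing for the chain to cover. That is why the slide pairs validation with MFA-delete on the bucket and with alerting on trail changes rather than relying on integrity checks alone.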
  49. AWS Security Best Practices – IAM • When creating IAM policies, ensure that they’re attached to groups or roles rather than individual users, to minimize the risk of an individual user getting excessive and unnecessary permissions or privileges by accident. • Provision access to a resource using IAM roles instead of providing an individual set of credentials, to ensure that misplaced or compromised credentials don’t lead to unauthorized access to the resource. • Ensure IAM users are given the minimal access privileges to AWS resources that still allow them to fulfill their job responsibilities. • As a last line of defense against a compromised account, ensure all IAM users have multifactor authentication activated for their individual accounts, and limit the number of IAM users with administrative privileges. • Rotate IAM access keys regularly and standardize on a selected number of days for password expiration, to ensure that data cannot be accessed with a potentially lost or stolen key. • Enforce a strong password policy requiring a minimum of 14 characters containing at least one number, one upper case letter, and one symbol. Apply a password reset policy that prevents users from reusing any of their last 24 passwords. • Hackers try to crack IAM credentials to gain full access
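The IAM bullets above are checkable. As an added example (not part of the deck, and not an AWS tool), here is an audit that takes the account password policy and a per-user inventory and reports where they fall short of the slide's baseline: 14-character minimum with number, upper case and symbol, 24-password reuse prevention, an expiration age, no policies attached directly to users, MFA on every user, and no long-lived active access keys. The dictionary keys follow the field names of IAM's `GetAccountPasswordPolicy`, `ListAccessKeys` and `ListMFADevices` responses (an assumption of this example, so that a real run could feed boto3 output into it); the users, key IDs and 90-day rotation interval are constructed.

```python
from datetime import datetime, timedelta, timezone

# Baseline from the slide. Keys mirror IAM's GetAccountPasswordPolicy fields
# (assumed here so real API output can be dropped in).
PASSWORD_BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 24,
}
MAX_ACCESS_KEY_AGE_DAYS = 90   # assumed rotation interval; the slide only says "regularly"


def check_password_policy(policy: dict) -> list:
    """Compare an account password policy against the baseline; return findings."""
    findings = []
    for key, wanted in PASSWORD_BASELINE.items():
        actual = policy.get(key)
        if wanted is True:
            if actual is not True:
                findings.append(f"password policy: {key} is not enabled")
        elif actual is None or actual < wanted:
            findings.append(f"password policy: {key} is {actual}, baseline is {wanted}")
    if not policy.get("MaxPasswordAge"):
        findings.append("password policy: no MaxPasswordAge, so passwords never expire")
    return findings


def check_users(users: list, now: datetime) -> list:
    """Per-user checks: direct policy attachments, MFA enrollment, stale active keys."""
    findings = []
    for user in users:
        name = user["UserName"]
        if user.get("AttachedPolicies"):
            findings.append(f"{name}: policies attached directly to the user; attach them to a group or role instead")
        if not user.get("MFADevices"):
            findings.append(f"{name}: no MFA device enrolled")
        for key in user.get("AccessKeys", []):
            age_days = (now - key["CreateDate"]).days
            if key["Status"] == "Active" and age_days > MAX_ACCESS_KEY_AGE_DAYS:
                findings.append(f"{name}: active access key {key['AccessKeyId']} is {age_days} days old")
    return findings


def admin_users(users: list) -> list:
    """Users holding AdministratorAccess directly or through a group (keep this list short)."""
    return sorted(u["UserName"] for u in users
                  if "AdministratorAccess" in u.get("AttachedPolicies", []) + u.get("GroupPolicies", []))


# Constructed sample inventory.
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireSymbols": True,
    "PasswordReusePrevention": 5,
}
SAMPLE_USERS = [
    {
        "UserName": "alice",
        "AttachedPolicies": ["AdministratorAccess"],   # attached directly, not via a group
        "GroupPolicies": [],
        "MFADevices": [],
        "AccessKeys": [{"AccessKeyId": "AKIA-CONSTRUCTED-0001", "Status": "Active",
                        "CreateDate": NOW - timedelta(days=200)}],
    },
    {
        "UserName": "bob",
        "AttachedPolicies": [],
        "GroupPolicies": ["ReadOnlyAccess"],
        "MFADevices": ["arn:aws:iam::123456789012:mfa/bob"],   # constructed ARN
        "AccessKeys": [{"AccessKeyId": "AKIA-CONSTRUCTED-0002", "Status": "Active",
                        "CreateDate": NOW - timedelta(days=30)}],
    },
]

if __name__ == "__main__":
    for line in check_password_policy(SAMPLE_POLICY) + check_users(SAMPLE_USERS, NOW):
        print(line)
    print("administrators:", admin_users(SAMPLE_USERS))
```

Run against real data, the interesting output is not the list of findings but its trend: a key that was 91 days old last week and 98 today is the signal that rotation is not actually happening.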
  50. AWS Security Best Practices – IAM • AWS Identity and Access Management (IAM) lets you define individual user accounts with permissions across AWS resources • AWS Multi-Factor Authentication for privileged accounts, including options for hardware-based authenticators • AWS Directory Service allows you to integrate and federate with corporate directories to reduce administrative overhead and improve the end-user experience
  51. AWS Security Best Practices – Monitoring • Deep visibility into API calls through AWS CloudTrail, including who, what, and from where calls were made • Log aggregation options, streamlining investigations and compliance reporting • Alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded • These tools and features give you the visibility you need to spot issues before they impact the business, and allow you to improve the security posture, and reduce the risk profile, of your environment.
  52. AWS Security Best Practices – Configuration • A security assessment service, Amazon Inspector, that automatically assesses applications for vulnerabilities or deviations from best practices, including impacted networks, OS, and attached storage • Deployment tools to manage the creation and decommissioning of AWS resources according to organization standards • Inventory and configuration management tools, including AWS Config, that identify AWS resources and then track and manage changes to those resources over time • Template definition and management tools, including AWS CloudFormation, to create standard, preconfigured environments • Hackers try to take advantage of configuration drift
  53. AWS Security Best Practices – KMS • Flexible key management options, including AWS Key Management Service, allowing you to choose whether to have AWS manage the encryption keys or to keep complete control over your keys • Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS • Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, allowing you to satisfy compliance requirements • In addition, AWS provides APIs for you to integrate encryption and data protection with any of the services you develop or deploy in an AWS environment.
  54. AWS Security Best Practices – Infra • Network firewalls built into Amazon VPC, and web application firewall capabilities in AWS WAF, let you create private networks and control access to your instances and applications • Customer-controlled encryption in transit with TLS across all services • Connectivity options that enable private, or dedicated, connections from your office or on-premises environment • Automatic encryption of all traffic on the AWS global and regional networks between AWS secured facilities • Hackers try to crack AWS infrastructure to gain access
  55. AWS Security Best Practices – DB & S3 • Ensure that no S3 buckets are publicly readable/writeable unless required by the business. • Turn on Redshift audit logging in order to support auditing and post-incident forensic investigations for a given database. • Encrypt data stored in EBS as an added layer of security. • Encrypt Amazon RDS as an added layer of security. • Enable the require_ssl parameter in all Redshift clusters to minimize the risk of man-in-the-middle attacks. • Restrict access to RDS instances to decrease the risk of malicious activities such as brute force attacks, SQL injection, or DoS attacks. • Hackers try to gain full access to sensitive data stored in DB & S3
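The first bullet, "no S3 buckets publicly readable/writeable unless required by the business", is worth showing as a concrete check because "public" hides in two places: the bucket policy and the bucket ACL. Below is an added example (not from the deck, and not AWS's own evaluator) that flags `Allow` statements whose `Principal` is anyone (`"*"` or `{"AWS": "*"}`) and separates statements narrowed by a `Condition` (for instance a source VPC endpoint) from truly unrestricted ones, then does the same for ACL grants to the `AllUsers` and `AuthenticatedUsers` groups. The policy documents, bucket name, account ID and VPC endpoint ID are constructed sample inputs.

```python
import json

# Canned ACL grantee URIs S3 uses for anonymous and any-authenticated access.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:listbucket", "s3:*"}
WRITE_ACTIONS = {"s3:putobject", "s3:put*", "s3:deleteobject", "s3:delete*", "s3:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_exposure(policy_document: str) -> list:
    """Findings for Allow statements granted to anyone in a bucket policy JSON."""
    findings = []
    policy = json.loads(policy_document)
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow" or not _is_anonymous(statement.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        # A Condition (source VPC endpoint, source IP, ...) narrows who "anyone" is,
        # so report it separately instead of treating it as unrestricted.
        scope = "conditional" if statement.get("Condition") else "unrestricted"
        sid = statement.get("Sid", "<no Sid>")
        if actions & READ_ACTIONS:
            findings.append(f"{scope} public read via policy statement {sid}")
        if actions & WRITE_ACTIONS:
            findings.append(f"{scope} public write via policy statement {sid}")
    return findings


def acl_exposure(grants: list) -> list:
    """Findings for ACL grants to the public grantee groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GRANTEE_URIS[uri]}")
    return findings


# Constructed sample inputs (bucket, account and endpoint IDs are placeholders).
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
VPC_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]

if __name__ == "__main__":
    for name, doc in [("private", PRIVATE_POLICY), ("public", PUBLIC_READ_POLICY), ("vpc", VPC_ONLY_POLICY)]:
        print(name, policy_exposure(doc))
    print("acl", acl_exposure(PUBLIC_ACL))
```

This is deliberately a first-pass filter: it does not model `Deny` statements, `NotPrincipal`/`NotAction`, or object-level ACLs. The account-level S3 Block Public Access setting is the control that makes all of these moot at once, and is the better default for any account that has no business reason to serve public content.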
  57. AWS Cloud Shared Security
  58. Cloud IT Security Breaches
  59. Target Targeted. What happened / how it happened: – Hackers used the credentials of a 3rd-party vendor to get into Target’s network – The hackers installed credit-card-number-stealing malware on POS devices in all domestic Target stores – The credit card numbers started flowing out of Target’s network – Federal investigators warned Target of a massive data breach – Target confirmed and eradicated the malware, after 40 million credit card numbers had been stolen. Impact: – A total of $153.9 million was paid towards legal settlements – The CEO and CIO had to resign after the breach
  60. Adobe Creative Cloud Security Breach. What happened? In October 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. In addition to the credit card records, tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. How it happened? Weak password requirements made it possible for the hacker to brute-force their way into the Adobe infrastructure. Impact? – Adobe pays US$1.2M plus settlements to end the 2013 breach class action
  61. Sony Cloud Breach. What happened? – Hackers stole the computer credentials of a system administrator, which gave them broad access to Sony’s computer systems – After gaining access to the Sony IT infrastructure, the hackers planted malware in the network to collect data – The malware used Microsoft Windows management and network file sharing features to spread, shut down the network, and reboot computers – The GOP told Sony it had grabbed private files, computer source code files for software, and files that held passwords for Oracle and SQL databases, among other documents. The GOP grabbed data on movie production schedules, emails, financial documents and much more, and published much of it. Impact: – According to Reuters, the cyber attack on Sony’s movie studio cost the studio as much as $100 million. – Sony had to spend money on computer repairs and replacements. – The company also had to spend money on conducting an investigation into what happened, and on steps to prevent a future attack.
  62. Identification of Requirements (diagram): IaaS, PaaS, SaaS
  63. What information to look for in a cloud provider • Certifications & Standards • Technologies & Service Roadmap • Data Security, Data Governance and Business Policies • Service Dependencies & Partnerships • Contracts, Commercials & SLAs • Reliability & Performance • Migration Support, Vendor Lock-in & Exit Planning • Business Health & Company Profile
  64. Controls to look for with a Cloud Service Provider • Application Security • Data Integrity and Security • Audit Assurance & Compliance • Information System Regulatory Mapping • Business Continuity Management, Planning and Testing • Equipment Maintenance • Impact Analysis • Customer Access Requirement • New Development and Acquisition • Data Security and Information Lifecycle • Datacenter Security • Encryption and Key Management • Governance and Risk Management • Human Resource Management • Identity and Access Management • Infrastructure and Virtualization Security • Security Incident Management, E-Discovery & Cloud Forensics • Threat and Vulnerability Management. Source: CSA
  65. Why is a SOC 2 Type 2 report important for evaluating Cloud Providers? The Type 2 SOC 2 report will not only review the controls in question, but will go into detail on the effectiveness of the controls: • Security: Unauthorized access to systems (both physical and logical) is prevented through controls. • Confidentiality: Sensitive information labeled as confidential is protected with adequate controls (customer data and systems would likely fall into this category). • Privacy: Personal information is collected and managed in accordance with the AICPA Generally Accepted Privacy Principles. • Availability: Systems are designed with uptime and availability in mind, and continuity of system operations is maintained. • Processing Integrity: All system processing activities are accurate, complete and authorized.
  69. Does Cloud add additional risk? • Are highly portable devices captured during vulnerability scans? • Where is your network perimeter? • Are consumer devices being used in areas, like health care, where reliability is critical? • Do users install device management software on other computers? Is that another attack vector?
  70. Attacking Cloud • Default, weak, and hardcoded credentials • Difficult to update firmware and OS • Lack of vendor support for repairing vulnerabilities • Vulnerable web interfaces (SQL injection, XSS) • Coding errors (buffer overflow) • Clear-text protocols and unnecessary open ports • DoS / DDoS • Physical theft and tampering
  71. Why it Looks so Bad • Breakers have a long history and robust tools – Automated network attack tools – Exploits for most segments of the IoT stack – Physical access and hardware hacking • Builders are still searching for – Secure toolkits – Proven methodologies – Successful models • Result: – Builders cobble together components – Build very fragile full-stack solutions – No visibility into security or attack surface – Attackers have a field day
  73. OWASP Cloud Top 10 (table: Category – IoT Security Consideration – Recommendations)
     – I1: Insecure Web Interface. Consideration: Ensure that any web interface coding is written to prevent the use of weak passwords … Recommendation: When building a web interface, consider implementing lessons learned from web application security. Employ a framework that utilizes security …
     – I2: Insufficient Authentication/Authorization. Consideration: Ensure that applications are written to require strong passwords where authentication is needed … Recommendation: Refer to the OWASP Authentication Cheat Sheet.
     – I3: Insecure Network Services. Consideration: Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing … Recommendation: Try to utilize tested, proven networking stacks and interfaces that handle exceptions gracefully …
     – I4: Lack of Transport Encryption. Consideration: Ensure all applications are written to make use of encrypted communication between devices … Recommendation: Utilize encrypted protocols wherever possible to protect all data in transit …
     – I5: Privacy Concerns. Consideration: Ensure only the minimal amount of personal information is collected from consumers … Recommendation: Data can present unintended privacy concerns when aggregated …
     – I6: Insecure Cloud Interface. Consideration: Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) … Recommendation: Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms …
     – I7: Insecure Mobile Interface. Consideration: Ensure that any mobile application coding is written to disallow weak passwords … Recommendation: Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile …
     – I8: Insufficient Security Configurability. Consideration: Ensure applications are written to include password security options (e.g. enabling 20-character passwords or enabling two-factor authentication) … Recommendation: Security can be a value proposition. Design should take into consideration a sliding scale of security requirements …
     – I9: Insecure Software/Firmware. Consideration: Ensure all applications are written to include update capability and can be updated quickly … Recommendation: Many IoT deployments are either brownfield and/or have an extremely long deployment cycle …
     – I10: Poor Physical Security. Consideration: Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device … Recommendation: Plan on having IoT edge devices fall into malicious hands …
  74. Principles of Cloud Security • Assume a hostile edge • Test for scale • Internet of lies • Exploit autonomy • Expect isolation • Protect uniformly • Encryption is tricky • System hardening • Limit what you can • Lifecycle support • Data in aggregate is unpredictable • Plan for the worst • The long haul • Attackers target weakness • Transitive ownership • N:N Authentication
  75. Cloud Security Considerations • Are communications encrypted? • Is storage encrypted? • How is logging performed? • Is there an updating mechanism? • Are there default passwords? • What are the offline security features? • Is transitive ownership addressed?
  76. Example Gateway Considerations • Is encryption interrupted? • Are there replay and denial-of-service defensive capabilities? • Is there local storage? Is it encrypted? • Is there anomaly detection capability? • Is there logging and alerting?
  77. Example Cloud Considerations • Is there a secure web interface? • Is there data classification and segregation? • Is there security event reporting? • How are 3rd-party components tracked/updated? • Is there an audit capability? • Is there interface segregation? • Is complex, multifactor authentication allowed?
  78. Email: amarprusty@gmail.com
