2. Introduction
➢CERN (1) defines an insider threat as follows:
A malicious insider threat =
➢Organization
➢+
➢(current or former employee, contractor, or other business partner)
➢+
➢(authorized access to an Organization's system)
5. Objective
➢How to protect yourself from internal threats, from the Cloud Service Provider (CSP) perspective
➢How to protect yourself from internal threats (at the CSP), from the user perspective
6. Objective
●As a Client, we are looking for privacy (please check the previous presentation <Ahmed Nour>).
●As a CSP, we are looking for Defense in Depth.
➢What is DiD?
-Multiple layers of security controls and technologies
10. Encryption
●For CSP and Client.
●Try to use multiple layers of encryption, such as SFS for Linux and EFS for Windows, together with any 3rd-party tool (4).
11. DRM
●For CSP and Client.
●Digital Rights Management (DRM) based on PKI.
●Examples:
➢Snapchat
➢Microsoft DRM.
➢Apple FairPlay.
●Related news on Snapchat (5):
➢Facebook tried to buy Snapchat for $3B.
➢Snapchat may have rejected a $4 billion offer from Google.
14. User Access Authentication
●For CSP and Client.
●Use multi-factor authentication:
➢Something you know.
➢Something you have.
➢Something you are.
➢Two-man rule or two-person integrity (TPI).
➢Example: nuclear weapons control.
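The two-man rule / two-person integrity control above, as an added Python example that is not part of the original deck: a gate that releases a privileged action only when two distinct, authorized people other than the requester have approved that exact action within a short window, so no single insider (even an administrator) can complete it alone. The role names, identities, action id and time window are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Roles allowed to act as one of the two "key holders" (constructed for this example).
AUTHORIZED_ROLES = frozenset({"key-custodian", "security-officer"})
# Approvals expire quickly, so an old approval cannot be reused for a later action.
APPROVAL_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Approval:
    approver: str       # identity of the person approving
    role: str           # role they approve under
    action_id: str      # the exact action approved, e.g. "export-master-key-0042"
    issued_at: datetime


def authorize(requester, action_id, approvals, now):
    """Two-person integrity gate: returns (granted, reason).
    Granted only if two DISTINCT people, neither of them the requester, each
    holding an authorized role, approved this exact action_id within
    APPROVAL_WINDOW before `now`. No single insider can complete the action alone.
    """
    rejected, valid = [], {}
    for a in approvals:
        if a.action_id != action_id:
            rejected.append(f"{a.approver}: approval is for a different action")
        elif a.approver == requester:
            rejected.append(f"{a.approver}: requester may not approve own request")
        elif a.role not in AUTHORIZED_ROLES:
            rejected.append(f"{a.approver}: role {a.role!r} not authorized")
        elif not timedelta(0) <= now - a.issued_at <= APPROVAL_WINDOW:
            rejected.append(f"{a.approver}: approval outside the time window")
        else:
            valid[a.approver] = a   # keyed by person: one person approving twice counts once
    if len(valid) >= 2:
        return True, "granted by " + ", ".join(sorted(valid))
    return False, f"denied: {len(valid)} valid approver(s), need 2; " + "; ".join(rejected)


# Constructed scenario: "alice" requests a privileged action and collects approvals.
NOW = datetime(2024, 1, 1, 12, 0, 0)
ACTION = "export-master-key-0042"
OK_BOB = Approval("bob", "key-custodian", ACTION, NOW - timedelta(minutes=2))
OK_CAROL = Approval("carol", "security-officer", ACTION, NOW - timedelta(minutes=5))
STALE_CAROL = Approval("carol", "security-officer", ACTION, NOW - timedelta(hours=2))
SELF_ALICE = Approval("alice", "key-custodian", ACTION, NOW)
INTERN_DAVE = Approval("dave", "intern", ACTION, NOW)
if __name__ == "__main__":
    print(authorize("alice", ACTION, [OK_BOB, OK_CAROL], NOW))  # two distinct people: granted
    print(authorize("alice", ACTION, [OK_BOB, OK_BOB], NOW))    # one person twice: denied
```

The reason string is meant for the audit log: every rejected approval is named, so a pattern of self-approval or stale-approval attempts by one account is visible to the security team.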
15. And
●Security Architecture – Segmentation.
●Risk Management – Assessments (CSP perspective).
➢Check on vacations.
➢Controls.
➢Mitigate Risk.
●Third Party Audits.
●Policy Enforcement.
16. Again: can we trust CAs, DRM and security algorithms?!!
17. Sony BMG DRM
• 2000: the Napster issue (Shawn Fanning).
• Music companies: “We will take revenge”.
• Sony BMG copy protection.
• When inserted into a computer:
➢ the CDs installed one of two pieces of software,
➢ which provided a form of digital rights management (DRM) by modifying the operating system.
➢ Neither program could be easily uninstalled,
➢ and both unintentionally created vulnerabilities that were exploited by unrelated malware (6).
• Rootkit scandal, 2007 :)
20. RSA 4096-bit Cryptanalysis (8)
The attacker sends encrypted mails to you (he already knows the plaintext and the ciphertext), then:
➢listens to the frequency of your CPU with a microphone,
➢uses low- and high-pass filters.
➢This is called an acoustic signal attack.
➢RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (9).
24. References
(1) Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013, https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
(2) "Edward Snowden a 'hero' for NSA disclosures, Wikipedia founder says", World news, The Guardian (2013-11-25), http://www.theguardian.com/world/2013/nov/25/edward-snowden-nsa-wikipedia-founder; http://en.wikipedia.org/wiki/Edward_Snowden
(3) Watergate scandal, http://en.wikipedia.org/wiki/Watergate_scandal
(4) Rajesh Kumar Pal, Indranil Sengupta, "Enhancing File Data Security in Linux Operating System", Computational Intelligence in Cyber Security, 2009 (CICS '09), IEEE Symposium on, http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=4925089&queryText%3DEnhancing+File+Data+Security+in+Linux+Operating+System+by+Integrating+Secure+File+System
(5) Forbes, "Maybe Snapchat is crazy to turn down $3B, but was Facebook nuts to offer it?", http://www.forbes.com/sites/markrogowsky/2013/11/14/maybe-snapchat-is-crazy-to-turn-down-3b-but-was-facebook-nuts-to-offer-it/
(6) Halderman, J. Alex, and Felten, Edward, "Lessons from the Sony CD DRM Episode", Center for Information Technology Policy, Department of Computer Science, Princeton University, 2006-02-14, http://www.copyright.gov/1201/2006/hearings/sonydrm-ext.pdf; http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
(7) The Hacker News, "Fake Google SSL certificates made in", http://thehackernews.com/2013/12/fake-google-ssl-certificates-made-in.html
(8) ExtremeTech, "Researchers crack the world's toughest encryption by listening to the tiny sounds made by your computer's CPU", http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-yourcomputers-cpu
(9) Daniel Genkin, Adi Shamir, Eran Tromer, "RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis" (acoustic-20131218.pdf), http://www.cs.tau.ac.il/~tromer/acoustic/