SlideShare a Scribd company logo
The Notorious 9
Cloud computing Threats
Moshe Ferber, CCSK
 Onlinecloudsec.com
Cloud Security Alliance Congress
San Jose, 2014
About
 Moshe Ferber, 39, Based in Israel
 Information security professional for over 20 years
 Founded Cloud7, Managed Security Services provider (currently
owned by Matrix LTD)
 Partner at Clarisite – Your customer’s eye view
 Partner at FortyCloud – Make your public cloud private
 Member of the board at Macshava Tova – Narrowing societal gaps
 Certified CCSK instructor for the Cloud Security Alliance.
 Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter
What we are going to talk about
Sources:
 Cloud Security Alliance Notorious nine cloud computing threats.
 Cloud Security Alliance Cloud Computing Vulnerability Incidents: A
Statistical Overview
Cloud computing threats –
what they are?
how do they reflect in the real world?
What are the attacks vectors?
Cloud computing 2014 – what affects security?
SaaS
PaaS
IaaS
Consolidation will
continue at IaaS level
More supply Chain Attacks
The Cloud & Cyber
Cloud Services
Ransom Malwares
Stealing CPU time
#1 Data Breaches
 Cloud Provider will continue to be a target for data
breaches, sometimes just for the accounts and not
even for the data.
 iCloud, Evernote, Adobe tells the story well.
 But not all data lost happens due to hacking,
Unintended disclosure is also happening.
 Cloud Computing and Shadow IT contribute to this
phenomena.
Source: Verizon data breach report 2013
Shadow IT
#2 Data Lost
 Hacking or simple failures – it does not really
matter.
 Multi Cloud backup or external backups are not a
“nice to have”.
#3 Account Hijacking
New account Hijacking Motivation:
 Most attacks used spear phishing.
 DNS ownership is also at attack vector
 Two factor & pro-active defenses for identifying
account hijacking will continue.
 We will see more attacks on PaaS and on federation
protocols.
#3 Account Hijacking
“ …the
basic methods of gaining
access to a victim’s
environment are
not. The most prolific is
the old faithful: spear
phishing. “
Verizon data breach report 2014
#4 Insecure Interfaces and API’s
The cloud providers management dashboard, especially in
IaaS, is the most intimidating attack vector
DNS
Amplification
Attacks
#5 Denial of Service
 Network DDOS are becoming less common
when talking about cloud providers.
 But application level attacks are increasing.
#6 Malicious Insider
#7 Abuse of Cloud Services
#8 Insufficient due Diligence
 Evaluating your provider is hard, very hard.
 Government legislation and industry efforts will lead to better
understanding of Cloud Accountability.
 CSA will help in promoting transparency and provider evaluation
methodology.
#9 Shared Technologies vulnerabilities
#9 Shared Technologies vulnerabilities
 From the infrastructure point of view SDN might
solve some of the problems.
 Innovation is required on the application layer,
Identity Management and encryption.
Cloud Vulnerability Incidents
A Statistical Overview
# DESCRIPTION
T1 Abuse of cloud services
T2 Insecure Interfaces and API
T3 Malicious Insiders
T4 Shared Technologies Vulnerabilities
T5 Data Loss
T6 Account Hijacking
T7 Insufficient due diligence
T8 Hardware failures
T9 Nature disasters
T10 Closure of cloud services
T11 Cloud Related Malware
T12
Inadequate infrastructure design and
planning
Recommendation, Cloud Providers
 Invest in consumer visible controls.
 You might be a chain in supply chain attacks - Think
about your role in your customers security.
 Start with good building block:
 Secure Software development life cycle.
 Security in operations.
 Transparency.
 CSA tools and research can help you achieving good
foundations.
Recommendation, Cloud Consumers
 Invest in education.
 There are 4 kind of security controls. Make sure you
use the right mixture.
 Establish Cloud Strategy.
 Audit your provider, his services and the supply
chain.
Preventive
• Anti virus
• Authentication
Detective
• IDS
• Logs
Corrective
• Patches
• Scanning
Compensatory
• DR & backups
• Audits
Moshe Ferber
 moshe@onlinecloudsec.com
 www.onlinecloudsec.com
http://il.linkedin.com/in/MosheFerber
KEEP IN TOUCH
Cloud Security Course Schedule can be find at:
http://www.onlinecloudsec.com/course-schedule

More Related Content

What's hot

Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23   from zero to secure in 1 minute - nir valtman and moshe ferberDefcon23   from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Moshe Ferber
 
Cloud security
Cloud securityCloud security
Cloud security
Tushar Kayande
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
Devyani Vaidya
 
Cloud security
Cloud securityCloud security
Cloud security
BikashPokharel3
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
Shankar Subramaniyan
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
Keet Sugathadasa
 
Architect secure cloud services.
Architect secure cloud services.Architect secure cloud services.
Architect secure cloud services.
Moshe Ferber
 
What the auditor need to know about cloud computing
What the auditor need to know about cloud computingWhat the auditor need to know about cloud computing
What the auditor need to know about cloud computing
Moshe Ferber
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
أحلام انصارى
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
Michael Torres
 
Intel SaaS Security Playbook
Intel SaaS Security PlaybookIntel SaaS Security Playbook
Intel SaaS Security Playbook
Intel IT Center
 
Cloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption ExplainedCloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption Explained
Porticor - The Cloud Security Experts
 
Cloud Security - Kloudlearn
Cloud Security - KloudlearnCloud Security - Kloudlearn
Cloud Security - Kloudlearn
KloudLearn
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloud
Azure Group
 
Security as a Service Model for Cloud Environment
Security as   a Service Model   for   Cloud   EnvironmentSecurity as   a Service Model   for   Cloud   Environment
Security as a Service Model for Cloud Environment
KaashivInfoTech Company
 
Introduction to Cloud Security
Introduction to Cloud SecurityIntroduction to Cloud Security
Introduction to Cloud Security
Susanne Tedrick
 
Cloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityCloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls Security
Hari Kumar
 
The Top Cloud Security Issues
The Top Cloud Security IssuesThe Top Cloud Security Issues
The Top Cloud Security Issues
HTS Hosting
 
4.5.cloud security
4.5.cloud security4.5.cloud security
4.5.cloud security
DrRajapraveenkN
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Netskope
 

What's hot (20)

Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23   from zero to secure in 1 minute - nir valtman and moshe ferberDefcon23   from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
 
Cloud security
Cloud securityCloud security
Cloud security
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
 
Architect secure cloud services.
Architect secure cloud services.Architect secure cloud services.
Architect secure cloud services.
 
What the auditor need to know about cloud computing
What the auditor need to know about cloud computingWhat the auditor need to know about cloud computing
What the auditor need to know about cloud computing
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
Intel SaaS Security Playbook
Intel SaaS Security PlaybookIntel SaaS Security Playbook
Intel SaaS Security Playbook
 
Cloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption ExplainedCloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption Explained
 
Cloud Security - Kloudlearn
Cloud Security - KloudlearnCloud Security - Kloudlearn
Cloud Security - Kloudlearn
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloud
 
Security as a Service Model for Cloud Environment
Security as   a Service Model   for   Cloud   EnvironmentSecurity as   a Service Model   for   Cloud   Environment
Security as a Service Model for Cloud Environment
 
Introduction to Cloud Security
Introduction to Cloud SecurityIntroduction to Cloud Security
Introduction to Cloud Security
 
Cloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityCloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls Security
 
The Top Cloud Security Issues
The Top Cloud Security IssuesThe Top Cloud Security Issues
The Top Cloud Security Issues
 
4.5.cloud security
4.5.cloud security4.5.cloud security
4.5.cloud security
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
 

Similar to The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose

Notorious 9 ciso platform moshe
Notorious 9 ciso platform  moshe Notorious 9 ciso platform  moshe
Notorious 9 ciso platform moshe
Priyanka Aash
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
Arunvignesh Venkatesh
 
MIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the CloudMIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the Cloud
Kumar Goud
 
Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012
Imperva
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security Architecture
Priyanka Aash
 
Cloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdfCloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdf
Techugo
 
Cloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdfCloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdf
Techugo
 
Practical Security for the Cloud
Practical Security for the CloudPractical Security for the Cloud
Practical Security for the Cloud
Chirag Joshi, CISA, CISM, CRISC
 
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdfCloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
petchphumsanit40
 
Cyber Security Demistyified
Cyber Security DemistyifiedCyber Security Demistyified
Cyber Security Demistyified
Microsoft UK
 
Cloud security for financial services
Cloud security for financial servicesCloud security for financial services
Cloud security for financial services
Moshe Ferber
 
The Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny HeaberlinThe Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny Heaberlin
Cloud Expo
 
Security threat in cloud computing
Security threat in cloud computingSecurity threat in cloud computing
Security threat in cloud computing
Impressico Business Solutions
 
Websense security prediction 2014
Websense   security prediction 2014Websense   security prediction 2014
Websense security prediction 2014
Bee_Ware
 
Should we fear the cloud?
Should we fear the cloud?Should we fear the cloud?
Should we fear the cloud?
Gabe Akisanmi
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
itnewsafrica
 
Four Network Security Challenges for the Cloud Generation
Four Network Security Challenges for the Cloud GenerationFour Network Security Challenges for the Cloud Generation
Four Network Security Challenges for the Cloud Generation
AboutSSL
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Amazon Web Services
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
Amazon Web Services
 
Data Storage Issues in Cloud Computing
Data Storage Issues in Cloud ComputingData Storage Issues in Cloud Computing
Data Storage Issues in Cloud Computing
ijtsrd
 

Similar to The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose (20)

Notorious 9 ciso platform moshe
Notorious 9 ciso platform  moshe Notorious 9 ciso platform  moshe
Notorious 9 ciso platform moshe
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
MIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the CloudMIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the Cloud
 
Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012Top 9 Data Security Trends for 2012
Top 9 Data Security Trends for 2012
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security Architecture
 
Cloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdfCloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdf
 
Cloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdfCloud Application Security Best Practices To follow.pdf
Cloud Application Security Best Practices To follow.pdf
 
Practical Security for the Cloud
Practical Security for the CloudPractical Security for the Cloud
Practical Security for the Cloud
 
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdfCloudflare_Everywhere_Security_Solution_Brief (1).pdf
Cloudflare_Everywhere_Security_Solution_Brief (1).pdf
 
Cyber Security Demistyified
Cyber Security DemistyifiedCyber Security Demistyified
Cyber Security Demistyified
 
Cloud security for financial services
Cloud security for financial servicesCloud security for financial services
Cloud security for financial services
 
The Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny HeaberlinThe Secure Path to Value in the Cloud by Denny Heaberlin
The Secure Path to Value in the Cloud by Denny Heaberlin
 
Security threat in cloud computing
Security threat in cloud computingSecurity threat in cloud computing
Security threat in cloud computing
 
Websense security prediction 2014
Websense   security prediction 2014Websense   security prediction 2014
Websense security prediction 2014
 
Should we fear the cloud?
Should we fear the cloud?Should we fear the cloud?
Should we fear the cloud?
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Four Network Security Challenges for the Cloud Generation
Four Network Security Challenges for the Cloud GenerationFour Network Security Challenges for the Cloud Generation
Four Network Security Challenges for the Cloud Generation
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
 
Data Storage Issues in Cloud Computing
Data Storage Issues in Cloud ComputingData Storage Issues in Cloud Computing
Data Storage Issues in Cloud Computing
 

Recently uploaded

HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 

Recently uploaded (11)

HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 

The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose

  • 1. The Notorious 9 Cloud computing Threats Moshe Ferber, CCSK  Onlinecloudsec.com Cloud Security Alliance Congress San Jose, 2014
  • 2. About  Moshe Ferber, 39, Based in Israel  Information security professional for over 20 years  Founded Cloud7, Managed Security Services provider (currently owned by Matrix LTD)  Partner at Clarisite – Your customer’s eye view  Partner at FortyCloud – Make your public cloud private  Member of the board at Macshava Tova – Narrowing societal gaps  Certified CCSK instructor for the Cloud Security Alliance.  Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter
  • 3. What we are going to talk about Sources:  Cloud Security Alliance Notorious nine cloud computing threats.  Cloud Security Alliance Cloud Computing Vulnerability Incidents: A Statistical Overview Cloud computing threats – what they are? how do they reflect in the real world? What are the attacks vectors?
  • 4. Cloud computing 2014 – what affects security? SaaS PaaS IaaS Consolidation will continue at IaaS level
  • 6. The Cloud & Cyber Cloud Services Ransom Malwares Stealing CPU time
  • 7. #1 Data Breaches  Cloud Provider will continue to be a target for data breaches, sometimes just for the accounts and not even for the data.  iCloud, Evernote, Adobe tells the story well.  But not all data lost happens due to hacking, Unintended disclosure is also happening.  Cloud Computing and Shadow IT contribute to this phenomena. Source: Verizon data breach report 2013 Shadow IT
  • 8. #2 Data Lost  Hacking or simple failures – it does not really matter.  Multi Cloud backup or external backups are not a “nice to have”.
  • 9. #3 Account Hijacking New account Hijacking Motivation:
  • 10.  Most attacks used spear phishing.  DNS ownership is also at attack vector  Two factor & pro-active defenses for identifying account hijacking will continue.  We will see more attacks on PaaS and on federation protocols. #3 Account Hijacking “ …the basic methods of gaining access to a victim’s environment are not. The most prolific is the old faithful: spear phishing. “ Verizon data breach report 2014
  • 11. #4 Insecure Interfaces and API’s The cloud providers management dashboard, especially in IaaS, is the most intimidating attack vector
  • 12. DNS Amplification Attacks #5 Denial of Service  Network DDOS are becoming less common when talking about cloud providers.  But application level attacks are increasing.
  • 14. #7 Abuse of Cloud Services
  • 15. #8 Insufficient due Diligence  Evaluating your provider is hard, very hard.  Government legislation and industry efforts will lead to better understanding of Cloud Accountability.  CSA will help in promoting transparency and provider evaluation methodology.
  • 16. #9 Shared Technologies vulnerabilities
  • 17. #9 Shared Technologies vulnerabilities  From the infrastructure point of view SDN might solve some of the problems.  Innovation is required on the application layer, Identity Management and encryption.
  • 18. Cloud Vulnerability Incidents A Statistical Overview # DESCRIPTION T1 Abuse of cloud services T2 Insecure Interfaces and API T3 Malicious Insiders T4 Shared Technologies Vulnerabilities T5 Data Loss T6 Account Hijacking T7 Insufficient due diligence T8 Hardware failures T9 Nature disasters T10 Closure of cloud services T11 Cloud Related Malware T12 Inadequate infrastructure design and planning
  • 19. Recommendation, Cloud Providers  Invest in consumer visible controls.  You might be a chain in supply chain attacks - Think about your role in your customers security.  Start with good building block:  Secure Software development life cycle.  Security in operations.  Transparency.  CSA tools and research can help you achieving good foundations.
  • 20. Recommendation, Cloud Consumers  Invest in education.  There are 4 kind of security controls. Make sure you use the right mixture.  Establish Cloud Strategy.  Audit your provider, his services and the supply chain. Preventive • Anti virus • Authentication Detective • IDS • Logs Corrective • Patches • Scanning Compensatory • DR & backups • Audits
  • 21. Moshe Ferber  moshe@onlinecloudsec.com  www.onlinecloudsec.com http://il.linkedin.com/in/MosheFerber KEEP IN TOUCH Cloud Security Course Schedule can be find at: http://www.onlinecloudsec.com/course-schedule

Editor's Notes

  1. We can also mention Code Space for not deleting API access attack.
  2. DDOS was also used as a cover on Codespaces attack.