Attacking the cloud with social engineering

An ethical hacker's view of cloud security risks from social engineering

  1. Attacking the cloud with social engineering
     Peter Wood, Chief Executive Officer, First Base Technologies
     An Ethical Hacker’s View
  2. Slide 2 © First Base Technologies 2013
     Who is Peter Wood?
     Worked in computers & electronics since 1969
     Founded First Base in 1989 (one of the first ethical hacking firms)
     CEO, First Base Technologies LLP
     Social engineer & penetration tester
     Conference speaker and security ‘expert’
     Member of ISACA Security Advisory Group
     Vice Chair of BCS Information Risk Management and Audit Group
     UK Chair, Corporate Executive Programme
     FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
     Registered BCS Security Consultant
     Member of ACM, ISACA, ISSA, Mensa
  3. Cloud models
  4. Cloud computing definition
     Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them.
     http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
  5. The ‘SPI’ Model
     Software (SaaS) – cloud provider owns application, operating system and infrastructure
     Platform (PaaS) – cloud provider owns operating system and infrastructure, client owns application
     Infrastructure (IaaS) – cloud provider owns infrastructure, client owns application and operating system
  6. SPI in context
     • Software as a Service
       – Just run it for me!
       – Examples: Google Apps, Salesforce.com
     • Platform as a Service
       – Give me a nice API and you take care of the rest
       – Examples: Google App Engine, Microsoft Azure
     • Infrastructure as a Service
       – Why buy machines when you can rent cycles?
       – Examples: Amazon EC2, Rackspace Cloud
  7. Cloud Benefits
  8. What’s different in cloud
     Diagram: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service), with responsibility running from ‘Security ~ YOU’ to ‘Security ~ THEM’
  9. What does it mean for attackers?
     • Login from anywhere
     • Browser access
     • Simple credentials
     • No intruder detection
     • No physical security
     • Trick a user and it’s game over!
  10. Why social engineering?
     • Staff can be tricked at home, in a coffee shop, at an airport …
     • No corporate desktop controls
     • Easy to impersonate your IT staff or help desk
     • Using email, phone, chat …
  11. Just a little brainstorm
  12. Why should you care?
     Exposure of
     • Customer data (industrial espionage, reputation)
     • Credit card data (PCI DSS, reputation, direct costs)
     • Personal information (data protection, reputation)
     • Sensitive information (contractual penalties, reputation)
     • Business plans (industrial espionage, reputation)
     • Staff data (data protection, spam, social engineering, reputation)
     • and identity theft: personal and business
  13. Even cloud email has value …
  14. Why APT works
  15. Attack Techniques
  16. Classic phishing email
  17. Spear phishing email
  18. Spear phishing
     • Emails that look as if they are from your employer or from a colleague
     • The email sender information has been faked
     • Malicious attachment or link to drive-by web site
     • The payload can steal credentials or install a Trojan
     • Or even simple form filling to capture user details
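As an added illustration of the “sender information has been faked” point (example code written for this page, not from Peter Wood’s slides), the check below flags the sender-spoofing signs a mail gateway or awareness tool would look for: a real colleague’s display name on a foreign address, a lookalike domain, and replies or bounces routed to a third domain. The internal domain, the staff directory and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumption: the targeted firm's own domain
STAFF = {"jane smith": "jane.smith@example.com"}     # assumption: a tiny staff directory

# Constructed sample: a "colleague" on a lookalike domain asks for a cloud login.
SAMPLE_SPEAR = """\
Return-Path: <bounce@mail-reset.example.net>
From: Jane Smith <jane.smith@examp1e.com>
Reply-To: it-helpdesk@mail-reset.example.net
To: bob@example.com
Subject: Urgent: confirm your cloud login

Please sign in within the hour to keep your account active.
"""
# Constructed sample: the same colleague writing from her real address.
SAMPLE_LEGIT = "From: Jane Smith <jane.smith@example.com>\nTo: bob@example.com\n\nCanteen at 12:30?\n"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is typical of a typosquatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw: str) -> list[str]:
    """Return the sender-spoofing indicators found in one message (empty list = none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    known = STAFF.get(name.strip().lower())
    if known and addr.lower() != known:            # a real colleague's name on the wrong address
        findings.append("display-name spoof")
    if from_dom and from_dom != INTERNAL_DOMAIN and edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike domain")        # e.g. examp1e.com posing as example.com
    for header in ("Reply-To", "Return-Path"):     # replies or bounces routed to a third domain
        _, other = parseaddr(msg.get(header, ""))
        if other and domain_of(other) != from_dom:
            findings.append(f"{header} domain mismatch")
    return findings
```

Any non-empty result is a reason to hold the message for review or to warn the recipient; the check is deliberately header-only, so it complements rather than replaces SPF/DKIM/DMARC evaluation.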
  19. Telephone social engineering
     • Not every hacker is sitting alone with a computer, hacking into a corporate VPN
     • Sometimes all they have to do is phone!
  20. The remote worker
     1. Call the target firm’s switchboard and ask for IT staff names and phone numbers
     2. Overcome their security question: Are you a recruiter?
     3. Call each number until voicemail tells you they are out
     4. Call the help desk claiming to be working from home
     5. Say you have forgotten your password and need it reset now, as you are going to pick up your kids from school
     6. Receive the username and password as a text to your mobile
     7. Game over!
  21. Phones are very flexible
     Previous calls gave access to:
     • CEO’s email and calendar
     • IT manager’s desktop
     • Remote access to a network
     • … and cloud services!
  22. Telephone SE
     • Impersonation of IT staff to obtain user’s credentials
     • Impersonation of user to obtain new password
     • Impersonation of provider to obtain user’s credentials
     • Impersonation of client admin to provider
     • Impersonation of provider to client admin
     • … and so on … Game Over
  23. People love USB sticks!
     “I found it in the car park …”
     “… just wanted to see what was on it …”
  24. USB sticks
     • Autorun infection of user’s computer
     • Manual click to infect user’s computer
     • Contains link to drive-by web site
     • The payload can steal credentials or install a Trojan
     • Or even simple form filling to capture details
     • … and so on … Game Over
  25. Defence
  26. Human firewall
     • Train your staff to recognise social engineering attacks
     • Invest in continual awareness campaigns
  27. Technical controls
     • Implement two-factor authentication (if you can)
     • Use ‘least privilege’ principles for access to services
  28. Procedural controls
     • Ensure joiners, movers and leavers are handled thoroughly and quickly!
     • Divide responsibilities between your administrators and the service providers’ administrators, so no one has free access across all security layers
  29. Need more information?
     Peter Wood, Chief Executive Officer, First Base Technologies LLP
     peterw@firstbase.co.uk
     http://firstbase.co.uk
     http://white-hats.co.uk
     http://peterwood.com
     Twitter: peterwoodx
