
Shared Responsibility In Action


  1. Shared Responsibility ...In Action. Mark Nunnikhoven, @marknca
  2. Modelling Security on AWS
  3. Traditional Responsibility Model. You: Operating System, Application, Account Management, Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Layer
  4. Shared Responsibility Model. You: Operating System, Application, Account Management, Security Groups, Network Configuration. AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Layer. More info on the model is available at http://aws.amazon.com/security
  5. Shared Responsibility Model (verify AWS' side). You: Operating System, Application, Account Management, Security Groups, Network Configuration. AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Layer. Verify: compliance information is available at http://aws.amazon.com/compliance
  6. Common View. More information on the model at http://aws.amazon.com/security
  7. Better View: Abstract, Container, Infrastructure. From AWS' Mark Ryland, more info at http://4mn.ca/ZZeDbA
  8. Service Examples (from AWS' Mark Ryland, more info at http://4mn.ca/ZZeDbA)
       Service Type     *aaS   Examples
       Abstract         SaaS   SQS, S3, Route53
       Container        PaaS   RDS, EMR, OpsWorks
       Infrastructure   IaaS   EC2, EBS, VPC
  9. Distribution of Security: a scale from fewer responsibilities to more responsibilities
  10. Distribution of Security, options vs. responsibilities: rough correlation between the number of options and the level of responsibility
  11. RE:BOOT
  12. Critical embargoed bug discovered in Xen; details at http://4mn.ca/1rcXTTN
  13. Protecting Instances: a small percentage of instances on EC2 are scheduled for a reboot
  14. Actions to Take. For EC2: nothing for cloud-native architectures; manage availability for traditional architectures. For RDS: nothing for Multi-AZ instances; standard maintenance window for single instances
  15. POODLE
  16. CVE-2014-3566: Padding Oracle On Downgraded Legacy Encryption
  17. The attack forces an older cipher choice; details at http://4mn.ca/1EYfBEA
  18. Actions to Take. For ELB: select a non-affected cipher suite (e.g., ELBSecurityPolicy-2014-10). For web servers: enable TLS_FALLBACK_SCSV; disable support for SSL 3.0 (note: disabling SSL 3.0 may cause compatibility issues)
  19. Shellshock
  20. More info on bash at http://www.gnu.org/software/bash
  21. The "(){};" attack: a 10/10 vulnerability, widespread and easy to exploit
  22. Actions to Take. Steps to protection: update bash; use an intrusion prevention system
  23. Shifting Controls: applied at the boundary. The majority of traditional controls are applied at the boundary
  24. Shifting Controls: applied to each instance. The same controls are required in AWS, now applied to the instance
  25. Watch the demo in action at http://4mn.ca/1sY3YK4
  26. "View Source", find the CGI URL to exploit
  27. Run the attack via curl
  28. Return the contents of /etc/passwd with a simple custom header
  29. Add intrusion prevention controls to the instance
  30. Intrusion prevention resets the connection when the attack is detected
  31. Options vs. Responsibilities: where does your deployment fall on the scale?
  32. Thank you! Learn more at testdrive.trendmicro.com. Follow me on Twitter @marknca
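As an added example (not from the deck or its demo), a host-level detector for the request pattern the demo's intrusion prevention catches: it parses combined-format access log lines and flags the bash function-definition marker that Shellshock relies on in the Referer and User-Agent headers. The combined log format and the sample lines are my assumptions, not material from the talk.

```python
"""Host-level Shellshock detection over web server access logs (added example,
not from the slide deck). Scans Apache/nginx "combined" log lines and flags
requests whose Referer or User-Agent carries the bash function-definition
marker that Shellshock abuses. Sample log lines are constructed."""
import re
# Combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock needs a value that begins with an empty function body, "() {".
# Matching the prefix leniently catches spacing variants such as "(){".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_combined(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def shellshock_field(entry):
    """Return the first header field carrying the marker, or None."""
    for field in ("referer", "agent"):
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None

def find_attempts(lines):
    """Return (client ip, request line, offending field) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue  # malformed line; a real deployment should count these too
        field = shellshock_field(entry)
        if field:
            hits.append((entry["ip"], entry["request"], field))
    return hits

# Constructed sample: one benign request, one probe via User-Agent, one via Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 12 "-" "() { :; }; /bin/true"',
    '198.51.100.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() {:;}; /bin/true" "curl/7.37.0"',
]

if __name__ == "__main__":
    for ip, request, field in find_attempts(SAMPLE_LOG):
        print(f"ALERT {ip} {request!r} via {field}")
```

The same check belongs in front of the CGI handler as a reject rule, which is what the instance-level intrusion prevention in the demo does before the request reaches bash.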
