1) The document discusses security design and implementation considerations for managing cloud security in a ransomware world. 2) It provides examples of security design reviews that can be conducted, including checking for authentication, authorization, port listening, and firewall configurations. 3) The document also gives examples of how to implement authentication and authorization securely in MongoDB, such as binding to localhost by default and using IP whitelisting.

1. #MDBW17
Davi Ottenheimer, Product Security
Managing Cloud Security
Design and Implementation
in a Ransomware World

2. Background
#MDBW17

3. #MDBW17
Whoami
>20 years of flyingpenguin
● Security Ops
● Assessments
● Investigations
● Products

4. #MDBW17
Realities of Securing Big Data
“Why trust a strategic
knowledge system?”

5. #MDBW17
Security is Evolution
● Evolution is the process not a destination
● Escalation a function of competitions
● Economics impacts risk mitigation
#MDBW17

6. #MDBW17
Security is Evolution
● Audit everything (Check your health)
● People who could behave responsibly may not
● BitCoin “mining” changed behavior economics
● Authentication hygiene still is top threat to security
#MDBW17

7. #MDBW17
Ignaz Semmelweis
1847 “Savior of mothers”
discovered hand washing
standards can drop childbed
fever from 30% to 1%
“There is one cause,
all that matters is
cleanliness”
Source: http://www.pbs.org/newshour/updates/ignaz-semmelweis-doctor-prescribed-hand-washing/

8. #MDBW17
Economics of “Getting Bit”
● Mining with AWS keys is wasteful
○ 1 instance per day is ~$8 cost for ~$2 mined (variable)
○ ~$6/day loss per instance
○ “Better use of dollars to buy coins instead of instance time”
● Stolen AWS key shifts waste to victims
○ Attacker spins victim instances ASAP
○ $10,000/hour victim cost burden
○ $2,500/hour attacker profit

9. Today’s Hot Example
#MDBW17

10. #MDBW17
RANSOMWARE!
● Use of access to
deny access,
unless ransom paid
● US gov: 4,000/day
ransomware
attacks in 2016
(300% over 2015)
Source: https://www.justice.gov/criminal-ccips/file/872771/

11. #MDBW17
Source: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx#enterprise
RANSOMWARE!

12. #MDBW17
Ransomware Evolution
1994 2004 2007 2010 2014
Botnets
Adware
Spyware
Rogueware
For-Profit
“Advanced
Persistent”
Key & Cert
GPCODE CRYPTOLOCKERCRYPTOVIRUS
1989
AIDS
...
Viruses
Worms
Trojans
CRYPTOWALL
TORRENTLOCKER
TESLACRYPT
LOCKER
R.I.P.
Tron
1998
R.I.P.
Hagbard
1989
LOCKY
“KGB Hack”
> DM 100K + drugs over 3 years
> Burned to death
> http://phrack.org/issues/25/10.html

13. #MDBW17
An Economics Perspective
X
● Old-method experienced cost inflation
○ Cloud agility = DDoS more expensive
○ Expensive race condition for pay
● New-method experienced cost deflation
○ Scan/Exploit kits (easy to find victims)
○ Social engineering kits (easy to phish)
○ Key management kits (easy to encrypt)
○ Monetization kits (easy to extort)
“I’ve never actually stormed a castle, but I’ve
taken a bunch of siege-management courses.”

14. #MDBW17
Big DDoS attacks affect some AWS customers,
but chief Andy Jassy assures cloud is secure
● DDoS targeted Dynamic Network Services (Dyn)
● Dyn one of many AWS DNS providers
● AWS services (Shield) help, and 3rd party too but…
“...agility single biggest reason
enterprise move to cloud”
2016 Q4 Akamai “State of the Internet” Report:
● 7 of 10 biggest (300+ Gbps) DDoS in history happened in 2016
● 3 of 10 were in 2016 Q4
Sources: https://www.geekwire.com/2016/big-ddos-attacks-hit-amazon-web-services-customers-jassy-assures-cloud-secure/,
https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/

15. #MDBW17
2008 Terry Childs Case
● San Francisco City Government Loses Control of Cloud
○ Emergency Services (Fire, Police, etc.)
○ “Almost Included Utilities” (Wastewater Treatment)
● Own Administrator (Childs) Charged With DoS
○ Deadman Traps on Switches (Erase Config)
○ Encrypted Storage (Fiber Tap at Core Led to Hidden Servers)
○ Withheld “Keys” From Staff and Management
● Found Guilty by Court
○ “His boss’ boss was an authorized user, could not be legally denied access”
○ Jury included 13 Year Network Admin and CCIE
Source: http://www.computerworld.com/article/2468913/cybercrime-hacking/terry-childs-found-guilty-of-san-francisco-fiberwan-lockout.html

16. #MDBW17
“Rock Solid, Secure…” June 16, 2014

17. #MDBW17
“...completely deleted” June 17, 2014

18. Ransomware
Explained
#MDBW17

19. #MDBW17
1. Seek vulnerable access
2. Lock and/or Encrypt
3. Extort
How Ransomware Works
Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/

20. #MDBW17
Seek Vulnerable Access
1. Find a foothold using credential (or even non-credentialed)
• Internet facing services
• User devices
• Platforms (github, pastebin, facebook, etc.)
2. Pivot and traverse
• Gather credentials
• Elevate privileges
• Find valuable data
North
South
East
West
Users
Apps
User
Dir
User
Dir

21. #MDBW17
Lock and/or encrypt
• Anything believed to be valuable to target
• Any backups (prevent restores)
• Using modern algorithms (AES256)
• Unique keys on remote infrastructure

22. #MDBW17
Extort
• Name of “Replaced” DB
• README
• ReadmePlease
• PLEASE_READ
• IHAVEYOURDATA
• WARNING
• WARNING_ALERT
• PWNED
• PWNED_SECURE_YOUR_STUFF_SILLY
• DELETED_BECAUSE_YOU_DIDNT_PASSWORD_PROTECT_YOUR_MONGODB
• to_get_DB_back_send_1BTC_to_1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD
● Amount
○ 0.1 BTC
○ 0.15 BTC
○ 0.2 BTC
○ 0.25 BTC
○ 0.5 BTC
○ 1 BTC
Source: https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit#gid=0
{
"_id" : ObjectId("9854a4532b5e63f722fcc9da"),
"mail" : "user@domain.com",
"note" : "SEND 0.1 BTC TO THIS ADDRESS 1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD AND
CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
}

23. Design and
Implementation
#MDBW17

24. #MDBW17
Are You Ready?
● Asset Management Lifecycle
● Dependencies on Providers
● Incident Response Procedures
● Disaster Recovery Plan (Backups!)
● Identity and Access Management
○ Components
○ Standards*
● AES256
● TLS1.2
● FIPS 140-2
*https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
{
● PCI/DSS
● SOC2
● ISO 27000x
● HIPAA-HITECH
● GDPR
● FedRamp (NIST 800-53)

25. #MDBW17
Design Considerations
● Critical Severity Vulnerability
○ Remediate Immediately (R = 0)
○ Patch Within 24 hours (e.g. HEARTBLEED)
● High Severity (R = 5 Days)
● Medium Severity (R = 60 Days)
● Low Severity
○ Business Impact Analysis
○ Customer Impact Analysis

26. #MDBW17
Design Considerations (RFC2904)
X
● Authentication
● Authorization
● Accounting
Source: https://tools.ietf.org/html/rfc2904

27. #MDBW17
Security Design Review Services
• Providers*
• AWS Trusted Advisor, Inspector
• Azure Security Center
• GCP Cloud Security Scanner
• Self
• Scan for Accidental Secret Leaks (“Github Commit Crawler”)
• Detect and Identify Assets (API Call, OVF Scan)
• Assess Configurations (SCAP, XCCDF, SSLcheck)
*https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data

28. #MDBW17
Implementation Example 1
• Is authentication disabled?
> if (db.adminCommand('getCmdLineOpts').parsed.security === undefined ||
db.adminCommand('getCmdLineOpts').parsed.security.authorization === undefined ||
db.adminCommand('getCmdLineOpts').parsed.security.authorization == "disabled"){
print("NO AUTH! NO AUTH!")}else{print("Good work, Auth enabled")}
• Is a default port listening (27017, 29017)?
> db.adminCommand('getCmdLineOpts').parsed.net.port
Source: https://docs.mongodb.com/manual/reference/default-mongodb-port/

29. #MDBW17
Implementation Example 2
Service connected to wide area network lacking any
“security group” or firewall?
1. On system outside network, grab mongodb client
> wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz
> tar -zxf mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz -C 3.4 --strip-components=1
2. Test by connecting to Internet hostname
> ~/3.4/bin/mongo --host <urmongodb_host_name> --port <urmongodb_port>

30. #MDBW17
Implementation Example 2

31. #MDBW17
Implementation Example 2
• Bind to localhost by default in v3.5.8
• IP Whitelisting option in v3.6
• Associate IP addresses/ranges to auth roles
• If IP fail, then authentication fail
• Can restrict __system user to authenticate from only cluster nodes

32. #MDBW17
Design Improvement Cycles
● Daily Full Credential Scan of Any New Instance
● Weekly Full Credential Scan of Builds Prior to Staging
● Quarterly “Approved Scanning Vendor” (ASV) Report
● Biannually
○ “Full” Penetration Test
○ Code Review
#MDBW17

33. #MDBW17
Managing Cloud Security
Design and Implementation
in a Ransomware World
Thank You!