The egregious 11 Cloud computing Threats
Moshe Ferber
CCSK, CCSP, CCAK, ACSP
Onlinecloudsec.com
Moshe Ferber
CCSK, CCSP, CCAK, ACSP
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
• Co-hosting the Silverlining podcast – learn about security engineering
• Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certification
• Member of the board at Macshava Tova – narrowing societal gaps
• Chairman of the Board, Cloud Security Alliance, Israeli Chapter
• Cloud Security Course Schedule can be found at: https://onlinecloudsec.com/speaking-schedule/
About the Cloud Security Alliance
• Global, not-for-profit organization
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud providers & security professionals Certifications
• Awareness and Marketing
• The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing”
CSA relevant publications
What we are going to talk about?
• Cloud computing threats – what are they?
• What are the attack vectors?
• How do they reflect in the real world?
Sources:
Quick review: security terminology
Threat: Theft
Risk: Losing money
Attack vector: Unsecured door
Quick review: security terminology
Preventive
• Firewall (Security Groups)
• Authentication
• Anti Virus
• Guards
Detective
• IDS
• System monitoring
• Motion detector
Corrective
• Upgrades & Patches
• Vulnerability scanning
• Dialing a security company
Compensatory
• DRP & Backup
• Firewall logs
• Reviews
• Audit & reconciliation
#1 Data Breaches
#2 Misconfiguration and Inadequate Change Control
#3 Lack of Cloud Security architecture and strategy
#4 Insufficient Identity, Credential, Access and Key Management
8 out of 10 incidents involve a wrong permission or usage of an API key
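The two threats just listed, a publicly readable storage bucket (#2) and an over-broad grant sitting behind an access key (#4), are both visible in the resource or identity policy before any data leaves. The checker below is an added example, not part of the deck or of any CSA publication; it assumes AWS-style JSON policy syntax, and every bucket name, ARN and account id in it is a constructed placeholder.

```python
# Added example (not from the deck): a small checker for AWS-style JSON
# policies that flags the two misconfiguration patterns the talk points at,
# publicly readable storage (#2) and over-broad grants attached to an
# access key or role (#4). The policy documents are constructed for
# illustration; bucket names, ARNs and the account id are placeholders.
import json


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that grant anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_policy_issues(policy_json):
    """Return (Sid, issue) pairs for every Allow statement that is public,
    grants a wildcard action, or applies to every resource."""
    policy = json.loads(policy_json)
    issues = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{idx}")
        # An anonymous principal is only reported when no Condition narrows it
        # (e.g. a source-VPC restriction); that is a deliberate simplification.
        if "Principal" in stmt and _principal_is_public(stmt["Principal"]) \
                and not stmt.get("Condition"):
            issues.append((sid, "public principal without Condition"))
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            issues.append((sid, "wildcard action"))
        if "*" in _as_list(stmt.get("Resource")):
            issues.append((sid, "wildcard resource"))
    return issues


# Constructed bucket policy: anyone on the internet can read every object.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed identity policy of the kind that ends up behind a leaked
# access key: full admin rights on everything.
ADMIN_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed hardened variant: a named role, explicit actions, one prefix.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportsReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/reports/*"],
    }],
})

if __name__ == "__main__":
    for name, doc in [("public bucket", PUBLIC_BUCKET_POLICY),
                      ("admin key", ADMIN_KEY_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, find_policy_issues(doc) or "no issues")
```

Run against the three constructed documents, the public bucket policy reports its anonymous principal, the admin-style key policy reports both the wildcard action and the wildcard resource, and the scoped variant reports nothing. The Condition shortcut is the main simplification: a real review should evaluate the condition keys rather than treat any Condition as sufficient, and it should also look at bucket ACLs and account-level public-access settings, which this checker does not read.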
#5 Account Hijacking
#6 Insider threat
#7 Insecure interfaces and APIs
#8 Weak control plane
#9 Metastructure and Applistructure failures
#10 Limited cloud usage visibility
#11 Abuse & Nefarious use of Cloud Services
Recommendation, Cloud Providers
• Invest in consumer-visible controls
• You might be a link in supply chain attacks - think about your role in your customers' security
• Start with good building blocks:
  • Secure software development life cycle
  • Security in operations
  • Transparency
• CSA tools and research can help you achieve good foundations
Recommendation, Cloud Consumers
• Invest in education.
• There are 4 kinds of security controls. Make sure you use the right mixture:
  Preventive: anti virus, authentication
  Detective: IDS, logs
  Corrective: patches, scanning
  Compensatory: DR & backups, audits
• Establish a cloud strategy.
• Audit your provider, its services and the supply chain.
KEEP IN TOUCH
Moshe Ferber
Moshe@onlinecloudsec.com
www.onlinecloudsec.com
@FerberMoshe
http://il.linkedin.com/in/MosheFerber
Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule


Editor's Notes

  1. Data breaches
     • The classic ones: Uber, Microsoft, Verizon, Weight Watchers
     • The role of the supply chain: 4 or 5 different roles
     • Talk about the shared responsibility between the provider and consumer
     • Booking.com partners' misconfigured bucket
     • Chtrbox leaked 50M from Instagram
     • Exactis - leaked information from customers
     Misconfiguration and inadequate change control
     • Let's talk about S3 & DB misconfigurations
     • S3: 120M Brazilian citizens
     • MongoDB: 96 million Mexican voters
     • Israel: Elector app DB leaking
     • Israel, MongoDB: Paybox
     • Elasticsearch: 8M hotel guests' details on AAVGO Elastic server
     Lack of cloud security architecture and strategy
     • Accenture 137GB of cloud strategy
     • Also happened to Deloitte, also happened to me (Dropbox)
     • Myspace lost 12 years of photos
     • KPMG lost all Teams data
     • Lack of strategy leads to FinOps, denial of wallet
     • The China great wall
     • Lack of understanding about backups
     Insufficient identity, credentials, access and key management
     • Identity is the new perimeter
     • Lots of startups are doing identity
     • The growing number of phishing attacks on 365
     • SolarWinds and Golden SAML attacks (from internal to the cloud)
     • Scraping GitHub credentials - talk about access keys
     Account hijacking
     • The account hijacking of Elon Musk, AP (about Barack Obama)
     • Code Spaces vs. just phishing (hijacking in SaaS vs. IaaS)
     • What can we learn from Code Spaces - reducing the blast radius
     Insider threats
     • Consumers: Elon Musk - the Twitter hack
     • Snapchat employee
     • Yahoo - former employee admin hacking 6000 accounts for sexual content
     • Industrial espionage: Tesla malicious insider stole plans
     • Angry employee: 600 Webex servers deleted
     • Even happening to security companies: Trend Micro employee sold customer data
     • Governments: MS sharing Indian citizens' banking data with the US
     • Twitter employee spied for Saudi Arabia on government critics
     • Cloud providers are the new Fort Knox
     Insecure interfaces and APIs
     • APIs are the new B2B: automation, open banking
     • Customers' APIs are the new authentication & authorization engines
     • Access tokens are a target
     • Facebook - "View As" API exposed 50M, stealing access tokens
     • Salesforce - data leakage through misconfigured APIs
     • Instagram API glitch - scraping millions of records, posting on behalf of users
     • Remind our research paper
     • Other interfaces: metadata - used in Capital One
     Weak control plane
     • Capital One - least privilege
     • AMI & malicious images
     • Docker Hub malicious images
     • AWS Marketplace Windows 7 - with bitcoin mining
     Metastructure and applistructure
     • Talk about provider failures
     • Google deleted our G Suite
     • Google suspended an account
     • DigitalOcean falsely detected a crypto miner and shut the company down
     • Facebook and Twitter closed Trump's account / Parler
     Limited cloud visibility
     • Talk about shadow IT
     • Hospitals
     • Hillary Clinton
     Abuse & nefarious use of cloud services
     • Zepto populated through cloud storage apps
     • Telegram used to deliver HeroRat
     • Google Drive and OneDrive links
     • Sometimes the abusers are governments
     • Grindr & TikTok - Chinese owners forced to sell
     • German and French governments are saying the USA is abusing cloud services
  2. Classic Data breaches: https://www.bleepingcomputer.com/news/security/weight-watchers-it-infrastructure-exposed-via-no-password-kubernetes-server/ https://awsinsider.net/articles/2017/11/21/uber-aws-data-breach.aspx https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/ Partners: Partners of booking.com https://www.itgovernance.co.uk/blog/millions-of-expedia-and-booking-com-customers-at-risk-after-data-breach Marketing data: https://www.wired.com/story/exactis-database-leak-340-million-records/amp Verizon 12 million – the shared responsibility model Instgram 50M leaked due to Chtrbox - a parner https://techcrunch.com/2019/05/20/instagram-influencer-celebrity-accounts-scraped/
3. 120m records:
• https://www.forbes.com/sites/thomasbrewster/2017/12/19/120m-american-households-exposed-in-massive-consumerview-database-leak/#37bb94d27961
230m records:
• https://www.wired.com/story/exactis-database-leak-340-million-records/
Chain of supply:
• short-circuit-how-a-robotics-vendor-exposed-confidential-data-for-major-manufacturing-companies
Misconfiguration of S3:
• https://www.scmagazine.com/home/security-news/exposed-s3-bucket-compromises-120-million-brazilian-citizens/
• https://www.helpnetsecurity.com/2019/07/11/magecart-unsecured-s3-buckets/
• https://gizmodo.com/amazon-engineer-leaked-private-encryption-keys-outside-1841160934
Misconfiguration of MongoDB:
• https://www.ifi.today/news/547-The-Paybox-payment-app-reported-it-clients-partial/
Misconfiguration of Elasticsearch:
• https://m.facebook.com/story.php?story_fbid=2588367461187658&id=766718676685888
4.
• https://www.zdnet.com/article/accenture-left-a-huge-trove-of-client-passwords-on-exposed-servers/
• hackread.com/personal-data-of-over-50000-honda-connect-app-leaked/
Lack of understanding: "As a result of a server migration project, any photos, videos, and audio files you uploaded more than three years ago, may no longer be available on or from MySpace." Some estimate nearly 50 million songs from 2003 to 2015 have been lost. According to MySpace users on Reddit, all pre-2015 music stopped working about a year ago.
• https://www.engadget.com/2019-03-18-myspace-lost-12-years-music-photos.html
Lack of strategy causes waste of money: FinOps, DDoS, financial DDoS, denial of wallet, China Great Wall, serverless
Lack of understanding about backups: "As part of using Amazon EC2, you agree that your Amazon EC2 resources may be terminated or replaced due to failure, retirement or other AWS requirement(s). We have no liability whatsoever for any damages, liabilities, losses (including any corruption, deletion, or destruction or loss of data, applications or profits), or any other consequences resulting from the foregoing."
• https://www-theregister-com.cdn.ampproject.org/c/s/www.theregister.com/AMP/2020/08/24/kpmg_microsoft_teams
5. Just password guessing:
• https://www.nytimes.com/2019/01/08/world/europe/germany-hacking-arrest.html
• https://www.irishtimes.com/news/world/europe/german-data-hacker-says-he-was-annoyed-by-politicians-1.3751332
Phishing, cloud and on-premise: SolarWinds and Golden SAML attacks. The growing number of phishing attacks on Office 365:
• https://www.helpnetsecurity.com/2018/05/18/office-365-phishing-threats/
Secrets:
• http://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/
Even security companies make mistakes: Comodo exposed a GitHub username & password:
• https://techcrunch.com/2019/07/27/comodo-password-access-data/
6.
• https://www.cultofmac.com/583836/alleged-hacker-tried-to-sell-details-of-319-million-icloud-for-bitcoin/
Codespaces: account hijack
• https://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
• https://www.securitynewspaper.com/2019/02/12/vfemail-is-set-to-shut-after-suffering-attack-that-wiped-its-servers/
OAuth – bypass MFA:
• https://threatpost.com/microsoft-oauth-flaw-azure-takeover/150737/
7. Consumer attacks: the Twitter account takeover (Elon Musk)
Multiple employees have abused their privileged access to spy on Snapchat users:
• https://www.vice.com/en/article/xwnva7/snapchat-employees-abused-data-access-spy-on-users-snaplion
Former Yahoo employee admits hacking into 6,000 accounts for sexual content:
• https://thehackernews.com/2019/10/yahoo-email-hacking.html
Tesla – industrial espionage:
• https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/
Cisco WebEx – deleting 600 servers:
• https://www.theregister.com/2020/08/26/former_cisco_engineer_aws_webex_teams
Trend Micro rogue employee sold customer data:
• https://www.bbc.com/news/technology-50315544
• https://businessinsights.bitdefender.com/palo-alto-networks-employee-data-breach-highlights-risks-posed-by-third-party-vendors
• https://www.bleepingcomputer.com/news/security/resentful-employee-deletes-1-200-microsoft-office-365-accounts-gets-prison/amp/?__twitter_impression=true
Clouds are becoming the new Fort Knox, therefore government access:
• https://www.theguardian.com/technology/2018/oct/04/china-planted-chips-on-apple-and-amazon-servers-report-claims
Access to data does not have to come from a malicious insider. Governments are after cloud data:
• https://www.neowin.net/news/microsoft-has-been-sharing-indian-bank-customers039-data-with-us-intelligence-agencies/
• https://www.washingtonpost.com/national-security/former-twitter-employees-charged-with-spying-for-saudi-arabia-by-digging-into-the-accounts-of-kingdom-critics/2019/11/06/2e9593da-00a0-11ea-8bab-0fc209e065a8_story.html
To examine:
• https://www.darkreading.com/the-6-worst-insider-attacks-of-2018---so-far/d/d-id/1332183
• https://www.hackread.com/whistleblower-apple-contractors-listen-to-siri-conversions/
8. Salesforce APIs: API is the new B2B. API is all about authorization.
• https://threatpost.com/salesforce-com-warns-marketing-customers-of-data-leakage-snafu/134703/
After the change, the "API service can retrieve or write data from one customer's account to another inadvertently."
Facebook: attackers found multiple bugs in the "View As" feature that "allowed them to steal Facebook access tokens"
• https://www.bbc.com/news/technology-45686890
Instagram: the hackers used this glitch in Instagram's system to start posting nude pictures of the singer and actor's ex-boyfriend Justin Bieber to her 125 million followers.
• https://techcrunch.com/2017/09/01/hackers-are-selling-millions-of-instagram-celeb-accounts-on-the-web/
Capital One: using metadata for key recovery
9. Capital One: least privilege. Avoid lift and shift.
AMI: malicious machine images
• https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/
10. Google says they are sorry for suspending an account:
• https://ilya-sher.org/2018/03/23/google-deleted-our-g-suite/
• https://medium.com/@serverpunch/why-you-should-not-use-google-cloud-75ea2aec00de
11. Shadow IT: the "Skyhigh Networks Cloud Adoption & Risk Report Q2 2015" reported that "the average enterprise now uses 1,083 cloud services".
Shadow IT: Hillary Clinton; Prezi
Shadow IT in Trello, IDF:
• https://www.haaretz.co.il/captain/software/.premium-1.9518921
12.
• https://www.techradar.com/news/trump-looks-to-block-foreign-actors-from-us-cloud-computing-services
• https://www.netskope.com/blog/zepto-variant-locky-ransomware-delivered-via-popular-cloud-storage-apps
• https://www.netskope.com/blog/cloudfanta-pops-cloud-using-sugarsync
Abusing Telegram:
• https://www.securityweek.com/herorat-controls-infected-android-devices-telegram
• https://www.crn.com/news/security/aws-solarwinds-hackers-used-our-elastic-compute-cloud
Sometimes the abuse comes from the providers themselves. GitHub locked a programmer:
• https://www.geektime.co.il/github-5-year-code-data-locked/
DigitalOcean detected false cryptominer activity and shut down the company:
• https://news.ycombinator.com/item?id=20064169
Sometimes the abusers are governments:
• https://www.theverge.com/2019/3/27/18283666/grindr-chinese-owner-beijing-kunlun-tech-cfius-divest-national-security-concerns
Hackers, governments, all went up in flames with the OVH data center:
• https://www.vice.com/en/article/3an9wb/ovh-datacenter-fire-takes-down-government-hacking-infrastructure
This can also happen:
• https://www.cnn.com/2021/04/09/politics/amazon-data-center-attempted-bombing/index.html