This document discusses virtualization and private cloud risk modeling. It begins by introducing how business and security see virtualization and cloud differently. It then covers virtualization architecture and components, assets in virtual and cloud environments, potential threat agents, undesirable events, and categories of vulnerabilities. The document provides examples of risk scenarios involving administrative, technical, and physical vulnerabilities. It also demonstrates how to create risk statements using a binary risk analysis model and evaluates examples involving virtualization administrators' privileges, identity and access management in cloud services, and missing hypervisor patches. The summary emphasizes the need to assess user interfaces, roles, storage, management interfaces, and network segmentation when analyzing risks in virtualization and cloud environments.
The session will focus on how a cloud-native security platform can continuously discover workloads, identify risk, and enforce security policies in any multi-cloud environment. It will also cover automated policy generation through agentless security controls, intended to make protecting data and applications in the cloud straightforward.
The speaker will be Dr. Ratinder Paul Singh Ahuja, Founder and Chief Research and Development Officer, ShieldX, USA.
Dr. Ahuja leads ShieldX and its mission as its central pivot point. Drawing from a career as a successful serial entrepreneur and corporate leader, he brings a blend of business acumen, industry network and deep technical knowledge.
At his previous start-ups, Internet Junction, Webstacks and Reconnex, he served as Chief Technology Officer and Vice President of the Mobile and Network Security Business Units. His knowledge of innovation and emerging trends in networking, network security, and data-loss prevention is derived from years of industry experience. Dr. Ahuja holds a BS in Electronics & Electrical Engineering from Thapar University, India, and a Masters and Ph.D. in Computer Engineering from Iowa State University. He has been granted 61 patents for security-based technologies, and has presented in many public forums, including the Content Protection Summit, IC3, IEEE Computer Society, McAfee FOCUS, and the Cloud Expo.
Avoid Meltdown from the Spectre - How to measure impact and track remediation, by Qualys
The recently disclosed Meltdown and Spectre vulnerabilities affect virtually every modern processor, and therefore virtually every computer in use today. They do not hand an attacker control of the processor; they allow code already running on a machine to read memory it should not be able to access (kernel memory, or the memory of other processes and virtual machines) by measuring the side effects of speculative execution. Organizations that run workloads on shared cloud hardware are particularly exposed, because a malicious tenant on the same physical host may be able to read other tenants' data.
During this webcast, Jimmy Graham, Director of Product Management for Qualys Threat Protection and Asset Inventory, showcased solutions that can help you determine the impact of Spectre and Meltdown across your global IT environments.
You will learn how to:
• Quickly and easily visualize Spectre and Meltdown vulnerabilities within your environment
• Track remediation progress as you patch against Spectre and Meltdown
• Use the Qualys Asset Inventory and Threat Protection apps to automate detection and track remediation progress
Watch the on-demand webcast: https://goo.gl/6FQ6uJ
Visibility & Security for the Virtualized Enterprise, by EMC
Identifying and understanding high-value digital assets in the context of the business is critical in assessing which workloads to move to the cloud. But doing so is difficult without an effective model to help define and classify these assets. This session presents a down-to-earth methodology for identifying assets and understanding their value that you can apply in critical business decisions.
After this session you will be able to:
Objective 1: Understand what to look for when identifying valuable information assets.
Objective 2: Identify critical steps in the process of identifying and understanding digital assets.
Objective 3: Apply asset value when deciding what digital assets to entrust to the cloud.
Full recording via http://www.brainshark.com/emcworld/vu?pi=zHJzQJGhyzB8sLz0
Virtualization security for the cloud computing technology, by Deep Ranjan Deb
Virtualization reduces the number of physical servers, which cuts the energy required to power and cool them and saves time. It is also much faster to deploy a virtual machine than a new physical server, and it reduces desktop management headaches.
The deck covers the essentials customers care about: availability and performance; flexibility, efficiency and cost; and security, privacy and regulatory compliance, where "two out of three" is not good enough when preparing, managing, protecting and securing your organization.
See the practical ways Quest proposes to simplify and implement GDPR compliance.
With malware accounting for at least 40% of all breaches, knowing how malware works can be an extremely valuable asset in your threat detection cache – especially for the incident responder. According to Verizon’s 2013 Data Breach Investigations Report, “Malware and hacking still rank as the most common [threat] actions”. In general, malware can range from being simple annoyances like pop-up advertising to causing serious damage like stealing passwords and data or infecting other machines on the network.
Malware is as old as software itself and although there are new types of malware constantly under development, they generally fall into a few broad categories. Check out this SlideShare to learn how malware works, and what we believe are the most common types of malware you should be prepared for.
By learning how malware works and recognizing its different types, you’ll understand:
- How they find their way into your network
- How attackers control them remotely
- How they use your systems for nefarious purposes
- And most importantly, the security controls you need to effectively defend against and detect malware infections. (Hint: you need more than antivirus!)
Will your organization or enterprise expand cost-effectively with the power of a managed cloud? We outline 10 key reasons why this strategy will help you improve security, simplify compliance, reduce costs and streamline scalability.
AWS Cloud Security From the Point of View of the Compliance, by Yury Chemerkin
Clouds are finding increased use in core enterprise systems, which means auditing is the cornerstone expectation. Cloud vendors announce new cloud services, offer new security solutions and refer to global security standards, and the requirements across those standards look quite similar. This is a series of articles about AWS cloud security from the point of view of compliance: it highlights the technical requirements of the top worldwide and Russian security standards for key AWS services, and describes how to technically prepare for an audit and configure AWS services.
http://pentestmag.com/pentest-webapp-1212/
I'm preparing for the CISSP next week and also speaking for ISACA, so I created this deck to help my peers with some concepts that appear in the CISM/CISSP and ITIL practitioner exams.
Tsvi Korren, CISSP, VP of Product Strategy at Aqua Security, has been an IT security professional for over 25 years. In previous positions at DEC and CA Inc., he consulted with various industry verticals on the process and organizational aspects of security. As VP of Product Strategy at Aqua, he is tasked with delivering commercial and open source solutions that make Cloud Native workloads the most secure, compliant and resilient application delivery platform.
The transition to cloud services offers many advantages to the organization, such as scalability, flexibility, efficiency, reduced cost and an enterprise-grade level of security that meets the highest standards. However, cloud services also entail various risks that the organization must recognize and mitigate before the transition to the cloud.
BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy, by DONGJOO HA
With the rapid development of information technology, attackers have become interested not only in ordinary applications but also in systems of many kinds: web, mobile and embedded. Consequently, there is an ever-growing number of applications that should be analyzed, and the lack of time and manpower has become one of the biggest problems for defenders. To this end, we present "BinProxy", an application analysis framework that provides an easy environment for dynamic analysis of applications. Our approach provides web-proxy-like analysis environments for easy analysis and does not require analysis tools such as debuggers, decompilers or other reversing tools. Furthermore, BinProxy can be applied to Windows, Linux, Mac and mobile platforms including Android and iOS. In this presentation, we show several techniques for implementing BinProxy and demonstrate some use cases. We believe that our framework addresses the time and manpower problem and presents a new paradigm for program analysis.
# PoC
- Basic : http://youtu.be/ZjKEGEzYvJw
- Android(monitor) : http://youtu.be/xS8lcn0plrU
- Android(modify) : http://youtu.be/az-jsx8apgw
- iOS(monitor) : http://youtu.be/Eq3I21O3EhE
Dynamic Binary Analysis and Obfuscated Codes, by Jonathan Salwan
In this presentation we will talk about how DBA (Dynamic Binary Analysis) can help a reverse engineer work on obfuscated code. We will first introduce some basic obfuscation techniques and then show how it is possible to break some of them (using our open-source DBA framework, Triton): detect opaque predicates, reconstruct the CFG, find the original algorithm, isolate sensitive data and more. Then we will conclude with a demo and a few words about our future work.
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ..., by CODE BLUE
This talk will explore program analysis on compiled code, where source is not available. Many static program analysis tools, such as LLVM passes, depend on the ability to compile source to bytecode, and cannot operate on binaries. A solution to this problem will be explained and demonstrated using the new Intermediate Language (IL) in Binary Ninja. Binary Ninja IL will be described, providing a basic understanding of how to write analyses using it.
This talk will describe and release a tool in Binary Ninja IL for automated discovery of a simple memory corruption vulnerability and demonstrate it on a CTF binary. The concepts of variable analysis, abstract interpretation, and integer range analysis will be discussed in the context of vulnerability discovery.
--- Sophia D'Antoine
Sophia D’Antoine is a security engineer at Trail of Bits in NYC and a graduate of Rensselaer Polytechnic Institute. She is a regular speaker at security conferences around the world, including RECon, HITB, and CanSecWest. Her present work includes techniques for automated software exploitation and software obfuscation using LLVM. She spends too much time playing CTF and going to noise concerts.
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware, by Lastline, Inc.
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.
Security automation in virtual and cloud environments v2, by rpark31
Virtualization security must be as dynamic as the environment it is protecting. Learn how to build security automation into your virtual and cloud computing environments by using VMware's vShield API.
In this webinar, you will learn:
1. An introduction to security automation and why it matters
2. An overview of VMware's vShield and its API
3. Real world cloud examples of how to use the vShield API for security automation
Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSAC US ..., by David Etue
Control Quotient: Adaptive Strategies For Gracefully Losing Control as presented at RSAC US 2013 by @djetue and @joshcorman
The security community has spent years on failed approaches to Return On Investment (ROI) on security offerings and Return On Security Investment (ROSI). It’s failed as it evaluates from the wrong perspective. This session flips ROI on its head, looking from the adversary’s perspective. We’ll introduce an “Adversary ROI” model, and show how it can change how you evaluate cyber security investment.
ThreatStack Workshop: Stop Wasting Your Time: Focus on Security Practices tha..., by Amazon Web Services
There's no shortage of noise about cybersecurity. Between the sheer number of vendors and the daily news coverage of the next big vulnerability or breach, it's easy to start feeling directionless and reactive. However, there are ways to cut through the noise. The first step is understanding how companies are actually getting breached, not just the cases you hear about in the media. Then you can create a strategy that's tailored to your risk profile and attack surface. You'll leave this session with an understanding of how to measure your risk, devise a realistic defense strategy, and deploy high-impact security, whatever your budget or time constraints.
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for..., by VMworld
VMworld 2013
Merritte Stidston, McKesson
James Wiese, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe..., by Amazon Web Services
While security is a top concern in every organization these days, it often gets a bad rap. In many minds, security has the reputation of the bothersome villain who attempts to hinder performance or restrain agility. In this session we will outline three strategies to protect your valuable workloads, without falling into traditional security traps. We will walk through three stories of EC2 security superheroes who saved the day by overcoming compliance and design challenges, using a (not so) secret arsenal of AWS and Trend Micro security tools.
Key takeaways from this session include how to:
- Design a workload-centric security architecture
- Improve visibility of AWS-only or hybrid environments
- Stop patching live instances but still prevent exploits
Speaker: Sasha Pavlovic, Director, Cloud & Datacentre Security, Asia Pacific, Trend Micro
On information security threats relevant to developers of information protection tools (SZI), by SelectedPresentations
Alexey Igorevich Kachalin, expert, MOO "AZI"
IV AZI Forum
"Current Issues of Information Security in Russia"
Moscow, MTUCI Congress Center, 14 April 2015
2. Introduction
► Security professionals need to consider the risk of implementing and operating virtualization and cloud technologies
► In this presentation, we'll discuss fundamental elements of risk to virtualization and private cloud environments
► Then we'll break down some "risk statements" to help you conceptualize the endgame
6. Virtualization Architecture
[Diagram: physical NIC, host OS running the hypervisor, a vSwitch, VNICs feeding guest OSes over the VM bus, with attached storage]
Questions annotated on the diagram:
► Are management and control channels secured?
► Is the host OS locked down?
► Is the hypervisor secure?
► Can we see this traffic? Can we segment it appropriately?
► How do I harden and manage my Guest OS images?
► How is storage secured?
7. And Private Cloud…?
[Diagram from http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1030816, showing the layers of a private cloud stack: operations services and traffic; DB, messaging and management; web interfaces and APIs; hypervisors; security management]
9. Asset Criticality
► Critical assets: Required for business operations
  ► Required by critical systems
  ► Not wholly replaceable elsewhere
► Important assets: No short term impedance of business function, but severely impactful long term
► Supportive assets: Affects effectiveness of day-to-day business operations, but not catastrophic if lost
  ► Assets that provide convenience
  ► Primarily an issue for asset owner, not organization as a whole
10. Assets: Valuation
► Many valuation models possible
► Most common are classification-based and cost-based
► For simplicity, easiest to use the classification model here:
  ► Critical = High Value
  ► Important = Medium Value
  ► Supportive = Low Value
► This is the age-old Quantitative vs. Qualitative debate, of course
11. Assets: Data and Equipment
► Data:
  ► Virtual machine files (at rest)
  ► Virtual machine files (in transit)
  ► Management databases + configuration
  ► Hypervisor configuration and OS
► Equipment:
  ► Server hardware
  ► Virtual appliances (ties in to Data assets)
  ► Storage hardware
  ► Network equipment
  ► Management terminals/endpoints
12. Assets: Personnel, Services & Facilities
► Personnel:
  ► Virtualization teams
  ► Network teams
  ► Developers / Operations
  ► Security teams
  ► SysAdmin teams
► Services include:
  ► Power
  ► Cooling
  ► Network/ISP services
► Facilities:
  ► Physical locations (data centers)
14. Threat Agents
► Insiders:
  ► Virtualization teams
  ► Network teams
  ► Developers / Operations
  ► Security teams
  ► SysAdmin teams
  ► Storage teams
► Outsiders
► Partners/Affiliates
► Nature (disasters)
► Technology (failure/improper function)
15. Undesirable Events
► Integrity changes: Accidental or intentional modification of data that results in service interruption or additional business consequences
► Logical/Physical exposure: Exposure of data or information that could lead to additional compromise or technical/regulatory/business consequences
► Availability issues: Individual or aggregate asset and resource availability failure
16. Threat Statements
Threat: Insider | Outsider | Partner
Undesirable Event: Integrity modification | Physical Exposure | Logical Exposure | Denial of Service
Asset: Data | Equipment | Personnel | Services | Facilities
Threat Statement: Who caused an event to what?
18. Vulnerability Categories
► Administrative
  ► People - roles, privileges, hiring
► Technical
  ► Any technical flaw in software components or design
► Physical
  ► Focused on access control and facility weaknesses
19. Administrative Vulnerabilities
► Hiring practices: background checks
► Missing or weak skills in technical team
► Poor role design and review
  ► Separation of Duties and Least Privilege
► Poor audit focus on user/admin activities
► Cloud = user involvement in workloads = more chances for accidental or purposeful harmful events
20. Technical Vulnerabilities
► Lots of issues here
  ► Flaws in software products from VMware, Microsoft, and others
  ► Poor network design, segmentation
  ► Malware insertion in VM files
  ► Poor permissions/isolation
  ► Side-channel attacks
  ► Logs/orchestration
Reference: http://phys.org/news/2012-11-vm-rude-awakening-virtualization.html
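The architecture questions on slide 6 ("Can we see this traffic? Can we segment it appropriately?") and the "Poor network design, segmentation" and "Poor permissions/isolation" items above can be turned into a check that runs over an exported virtual-network inventory. The block below is an added example, not code from the deck: the inventory format (host, vSwitch, port group, VLAN id, traffic role, promiscuous-mode policy) is this example's own assumption, loosely modelled on a vSphere-style host layout; the sample rows are constructed to trip each rule; and the four rules are common hardening expectations, not anything the deck prescribes.

```python
"""Segmentation checks over a virtual-network inventory (added example, not the deck's code)."""
from collections import defaultdict
from typing import Dict, List

INFRA_ROLES = {"management", "vmotion", "storage"}
VLAN_ALL = 4095    # vSphere convention: a port group on VLAN 4095 receives every tagged VLAN
VLAN_NATIVE = 0    # untagged traffic on the uplink's native VLAN

# Constructed sample inventory in an assumed export format (not a real environment).
SAMPLE_INVENTORY: List[Dict] = [
    {"host": "esx01", "vswitch": "vSwitch0", "name": "Management Network", "vlan": 10, "role": "management", "promiscuous": False},
    {"host": "esx01", "vswitch": "vSwitch0", "name": "vMotion", "vlan": 10, "role": "vmotion", "promiscuous": False},  # shares VLAN 10 with management
    {"host": "esx01", "vswitch": "vSwitch1", "name": "iSCSI-A", "vlan": 30, "role": "storage", "promiscuous": False},
    {"host": "esx01", "vswitch": "vSwitch1", "name": "Prod-App", "vlan": 100, "role": "guest", "promiscuous": False},
    {"host": "esx02", "vswitch": "vSwitch0", "name": "Management Network", "vlan": 0, "role": "management", "promiscuous": False},  # untagged
    {"host": "esx02", "vswitch": "vSwitch1", "name": "Sec-Monitor", "vlan": 4095, "role": "guest", "promiscuous": True},  # trunk + promiscuous
    {"host": "esx02", "vswitch": "vSwitch1", "name": "Prod-DB", "vlan": 200, "role": "guest", "promiscuous": False},
]


def _finding(pg: Dict, rule: str, detail: str) -> Dict:
    return {"host": pg["host"], "portgroup": pg["name"], "rule": rule, "detail": detail}


def check_segmentation(inventory: List[Dict]) -> List[Dict]:
    """Return one finding per segmentation weakness found in the inventory."""
    findings: List[Dict] = []

    # Rule 1: a VLAN that carries more than one traffic role on a host is not a segment at all;
    # management, vMotion, storage and guest traffic each need their own VLAN.
    roles_per_vlan = defaultdict(set)
    for pg in inventory:
        roles_per_vlan[(pg["host"], pg["vlan"])].add(pg["role"])
    for (host, vlan), roles in sorted(roles_per_vlan.items()):
        if len(roles) > 1:
            findings.append({"host": host, "portgroup": None, "rule": "shared-vlan",
                             "detail": f"VLAN {vlan} carries {sorted(roles)}"})

    for pg in inventory:
        # Rule 2: a guest port group on VLAN 4095 sees every segment the uplink trunks.
        if pg["role"] == "guest" and pg["vlan"] == VLAN_ALL:
            findings.append(_finding(pg, "guest-trunk",
                                     "guest port group receives all VLANs (4095)"))
        # Rule 3: promiscuous mode on a guest port group lets a VM sniff its neighbours on the vSwitch.
        if pg["role"] == "guest" and pg["promiscuous"]:
            findings.append(_finding(pg, "promiscuous-guest",
                                     "promiscuous mode accepted on a guest port group"))
        # Rule 4: infrastructure traffic riding the untagged native VLAN is mixed with
        # whatever else is untagged on that uplink and is easy to reach by accident.
        if pg["role"] in INFRA_ROLES and pg["vlan"] == VLAN_NATIVE:
            findings.append(_finding(pg, "untagged-infra",
                                     f"{pg['role']} traffic rides the untagged native VLAN"))
    return findings


def findings_by_host(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per host so the worst-configured hosts surface first."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = check_segmentation(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f['host']:6} {f['rule']:18} {f['portgroup'] or '-':20} {f['detail']}")
    print(findings_by_host(results))
```

On the constructed inventory the check reports four findings: the shared management/vMotion VLAN on esx01, and on esx02 the untagged management network plus the trunked, promiscuous "Sec-Monitor" port group (a legitimate pattern for a monitoring appliance, which is exactly why it should be an explicit, reviewed exception rather than an unnoticed default).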
21. Physical Vulnerabilities
► Fundamentally an extension of DR and BCP strategies
► Virtualization and cloud have new considerations:
  ► Storage replication and cycle times for VMs and data
  ► Cloud-based DRaaS
  ► Hardware compatibility in backup sites
► Also includes physical access controls
23. Creating Risk Statements
► Defining risk statements is the crux of real, practical risk analysis
► Every environment is different - and risks will be too
► However, there are a number of common risk scenarios I've seen
► I'll describe these, and lay out a "standard" and "agile" risk modeling design for risk statements around them
24. Risk Scenarios: Administrative
Threat : Vulnerability | Event | Asset
Virt Admins : Too many privileges | Data Loss, Integrity Changes, Availability Loss | Data, Services
DevOps : Weak workflow/orchestration privileges | Integrity Changes, Availability Loss | Data, Services
Admins : Poor logging and audit trail monitoring | Data Loss, Integrity Changes | Data, Services
Insiders/Partners : Poor identity management and roles in *aaS clouds | Data Loss | Data, Services
25. Risk Scenarios: Technical
Threat : Vulnerability | Event | Asset
Insiders : Missing hypervisor or OS patches | Data Loss, Integrity Changes, Availability Loss | Data, Services
Insiders : Weak or missing access controls | Data Loss, Integrity Changes | Data, Services
Insiders/Outsiders/Partners : Poor network segmentation | Data Loss, Availability Loss | Data, Services
Outsiders : System exposure | Data Loss, Availability Loss | Data, Services
Insiders/Outsiders/Partners : Poor storage security controls | Data Loss, Integrity Changes, Availability Loss | Data, Services
26. A Simple Risk Model
► Ben Sapiro developed a model called Binary Risk Analysis, presented at SecTor in 2011
► The goal: reasonable risk analysis in 5 minutes.
► Is it perfect? Nope.
► Does it work for us? Yep.
► Ben's paper, work card, and app available at:
  ► https://binary.protect.io/
27. Risk Statement Example #1
► Could virt admins with too many privileges cause severe impact to the organization's infrastructure?
► Asset: Hypervisors and Management Tools
Worksheet answers shown on the slide, in order: Yes, Yes, Yes, Yes, No, No
28. Risk Statement Example #1 (2)
► Could virt admins with too many privileges cause severe impact to the organization's infrastructure?
► Answer: Absolutely. This is a HIGH risk, a classic insider abuse or mistake scenario.
Remaining worksheet answers shown on the slide, in order: Yes, Yes, Yes, Yes
29. Risk Statement Example #2
► Could poorly defined and controlled IAM services lead to data exposure in *aaS services?
► Assets: Presumed sensitive data in private *aaS cloud offerings
Worksheet answers shown on the slide, in order: No, No, No, Yes, Yes, Yes
30. Risk Statement Example #2 (2)
► Could poorly defined and controlled IAM services lead to data exposure in *aaS services?
► With Medium Likelihood, but High Impact, this is a potentially HIGH risk.
Remaining worksheet answers shown on the slide, in order: Yes, Yes, Yes, Yes
31. Risk Statement Example #3
► Could missing hypervisor patches or updates lead to insider (or internal attacker) compromise?
► Assets: Hypervisors and virtualization infrastructure, VMs
Worksheet answers shown on the slide, in order: Yes, No, No, No, No, No
32. Risk Statement Example #3 (2)
► Could missing hypervisor patches or updates lead to insider (or internal attacker) compromise?
► Answer: Yes, but with a MEDIUM risk.
Remaining worksheet answers shown on the slide, in order: Yes, No, Yes, Yes
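The threat statement on slide 16 ("who caused an event to what?"), the scenario tables on slides 24 and 25, and the three worked examples on slides 27 through 32 can be captured as data and scored by a small worksheet so that a new scenario is evaluated the same way every time. The block below is an added example; it is not the deck's code and not Ben Sapiro's Binary Risk Analysis implementation. The statement fields follow the deck's Threat : Vulnerability / Event / Asset layout and the six-plus-four Yes/No answer columns follow the example slides, but the yes-count thresholds and the 3x3 likelihood-by-impact matrix are this example's own simplification, chosen so that the three slide scenarios land on the ratings the deck gives them (HIGH, HIGH, MEDIUM). The real work card at https://binary.protect.io/ carries the actual question text and lookup tables.

```python
"""Risk statements as data, scored with a simplified yes/no worksheet (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

LEVELS = ("LOW", "MEDIUM", "HIGH")

# Assumed 3x3 matrix (likelihood row, impact column); a simplification, not BRA's published table.
RISK_MATRIX = {
    "LOW":    {"LOW": "LOW",    "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "HIGH"},
}


def parse_answers(text: str) -> List[bool]:
    """Turn a 'Yes No ...' answer column, as written on a slide, into booleans."""
    out = []
    for tok in text.split():
        t = tok.lower()
        if t in ("yes", "y"):
            out.append(True)
        elif t in ("no", "n"):
            out.append(False)
        else:
            raise ValueError(f"unexpected answer {tok!r}")
    return out


def likelihood(answers: List[bool]) -> str:
    """Six likelihood answers; assumed thresholds: <=2 yes LOW, 3 MEDIUM, >=4 HIGH."""
    if len(answers) != 6:
        raise ValueError("expected six likelihood answers")
    yes = sum(answers)
    return "LOW" if yes <= 2 else "MEDIUM" if yes == 3 else "HIGH"


def impact(answers: List[bool]) -> str:
    """Four impact answers; assumed thresholds: <=1 yes LOW, 2 MEDIUM, >=3 HIGH."""
    if len(answers) != 4:
        raise ValueError("expected four impact answers")
    yes = sum(answers)
    return "LOW" if yes <= 1 else "MEDIUM" if yes == 2 else "HIGH"


@dataclass(frozen=True)
class RiskStatement:
    threat: str                 # who: insider / outsider / partner ...
    vulnerability: str          # the weakness they act through
    events: Tuple[str, ...]     # undesirable events (slide 15)
    assets: Tuple[str, ...]     # what is affected
    likelihood_answers: str     # six Yes/No tokens, in slide order
    impact_answers: str         # four Yes/No tokens, in slide order

    def threat_statement(self) -> str:
        """Slide 16's template: who caused an event to what?"""
        return (f"{self.threat} cause {', '.join(self.events)} to "
                f"{', '.join(self.assets)} through {self.vulnerability}")

    def evaluate(self) -> Tuple[str, str, str]:
        """Return (likelihood, impact, risk) under the assumed worksheet."""
        lik = likelihood(parse_answers(self.likelihood_answers))
        imp = impact(parse_answers(self.impact_answers))
        return lik, imp, RISK_MATRIX[lik][imp]


# Scenarios transcribed from slides 27-32, answers in the order shown there.
SCENARIOS = [
    RiskStatement("Virt admins (insiders)", "too many privileges",
                  ("data loss", "integrity changes", "availability loss"),
                  ("hypervisors", "management tools"),
                  "Yes Yes Yes Yes No No", "Yes Yes Yes Yes"),
    RiskStatement("Insiders/partners", "poorly defined and controlled IAM services and roles",
                  ("data loss",), ("sensitive data in private *aaS offerings",),
                  "No No No Yes Yes Yes", "Yes Yes Yes Yes"),
    RiskStatement("Insiders (internal attackers)", "missing hypervisor or OS patches",
                  ("data loss", "integrity changes", "availability loss"),
                  ("hypervisors", "virtualization infrastructure", "VMs"),
                  "Yes No No No No No", "Yes No Yes Yes"),
]


def ranked(statements: List[RiskStatement]) -> List[RiskStatement]:
    """Highest risk first; ties broken by likelihood so the more probable item leads."""
    def key(s: RiskStatement):
        lik, _imp, risk = s.evaluate()
        return (LEVELS.index(risk), LEVELS.index(lik))
    return sorted(statements, key=key, reverse=True)


if __name__ == "__main__":
    for s in ranked(SCENARIOS):
        lik, imp, risk = s.evaluate()
        print(f"{risk:6} (likelihood {lik}, impact {imp}): {s.threat_statement()}")
```

The value of keeping statements as data is the ranking step: once every scenario carries the same ten answers, the ordering of the backlog (privileged virt admins first, unpatched hypervisors last, in this transcription) follows from the worksheet rather than from whoever argued loudest in the meeting, and changing a threshold re-ranks everything consistently.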
34. Assessing Virt/Cloud Risk
► You still need:
  ► Assets
  ► Threats
  ► Vulnerabilities
► Place greater emphasis on:
  ► User interfaces and interactions
  ► Separation of duties and IT Ops roles
  ► Storage and databases
  ► Management interfaces and network segments
► Find a risk statement model that works for you
  ► Binary Risk Analysis is good, Creative Commons too