Bobby Dominguez is an accomplished Internet pioneer and an acknowledged security, risk, and privacy expert. Mr. Dominguez has successfully integrated information security into top-level business initiatives at Home Shopping Network, PSCU Financial Services, and PNC Bank, where he implemented a new technology risk management framework. Under his leadership, the Sykes Global Security and Risk Management team was nominated and selected as one of the 5 best by 2008 SC Magazine “Best Security Team in the US.” Mr. Dominguez was also selected as one of the top 5 Chief Security Officers for the 2009, 2010, and 2013 SC Magazine “CSO of Year.” In 2012 he was a finalist for (ISC)2 Americas Information Security Leadership Awards.
3. OBLIGATORY DISCLAIMER
Any statements made in the course of this presentation should not be relied on as a commitment, directly on behalf of my employer, by this forum’s management, the National Football League, or any other major institution that your barracuda lawyer may opt to pursue in the name of earning his or her outrageous legal fees.
The opinions expressed herein are not necessarily those of my employer, not necessarily mine, and probably not necessary.
My opinions are subject to change without notice.
Thanks for disagreeing.
The content and opinions expressed herein are solely those of the author, and neither represent the views nor describe the current or intended practices of any other entity. The information in this presentation contains references to copyrighted material; the author makes no claims of ownership or rights to such material.
4. BIOGRAPHY
Certifications
• CISSP, CPP, CRISC, ITIL, PMP, GISO, GSLC, C|CISO, PPMC, EIEIO
Organizations
• Infragard – President, Board of Directors
• FBI Sector Chief for Financial Services
• FBI Citizens Academy 2014 Graduate
• USSS Electronic Crimes Task Force
• ISSA – Vice President, Board of Directors
• ASIS-ANSI-ISO Standards Committees and Working Groups
Awards
• 2008 Top 5 “Best Security Team in the US” SC Magazine
• 2009, 2010, 2013 Top 5 “CSO of the Year” SC Magazine
• 2012 Finalist Information Security Leadership Award (ISC)2
• 2012 ISE North America Executive Leadership Award Nominee
• 2016 SVUS Management Team of the Year
• 2016 Finalist CISO of the Year (EC Council)
Internet entrepreneur & über geek who groks e-commerce, IT security, risk & privacy management, caffeinated beverages, Padrón cigars, 18-yo single malt scotch, & dark beers
Bobby Dominguez
Chief Strategy & Security Officer
Lynx Technology Partners, Inc.
https://www.linkedin.com/in/bobbydominguez
https://twitter.com/Moonraker069
bdominguez@lynxtp.com
5. ABSTRACT
If you’re in business in 2016, your company most likely uses Cloud services of one kind or another. You can’t avoid the Cloud, whether personally or for your business. Security remains a serious concern for organizations using the Cloud. The shared, on-demand nature of Cloud computing introduces the possibility of security breaches. Mitigating Cloud risks starts by identifying the top security threats you may face.
In this session, Bobby Dominguez will describe some of the most relevant threats as well as risk mitigation techniques that may help your organization function in the Cloud and reduce the risks associated with this fastest-growing technology segment. The discussion will not only focus on the threats but on potential solutions, and give specific examples of what you can do to manage your Cloud risks.
6. THREAT HORIZON
The information security threat landscape is constantly evolving and today’s borderless environment creates new threat vectors.
The Cloud can leverage some traditional protection measures, but new ones should be adopted to properly mitigate risks.
7. #1: COMPROMISED CREDENTIALS & BROKEN AUTHENTICATION
Problems
Lax authentication, weak passwords, and poor key or certificate management
Segregation of duties may not be available or is not enabled because management may not integrate with AD or other tools, especially on free cloud apps
Developers embed credentials and cryptographic keys in source code – repositories such as GitHub
Solutions
Multifactor authentication systems, one-time passwords, phone-based authentication, and smartcards
Frequent (or periodic) rotation of keys and passwords
Separation of duties
Code security analysis, best practices, and post-deployment spot checks
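The "code security analysis" solution above is the kind of check that catches credentials before they land in a repository. The following is an added example, not code from the deck or from Lynx: a small scanner that combines credential-shaped patterns (the AWS access key ID format, PEM private key headers, keyword-adjacent password literals) with a Shannon-entropy test for long random-looking string literals. The sample source it scans is constructed; the AKIA... and wJalr... values are the placeholder credentials published in AWS's own documentation, and the 4.0 bits/char threshold is an illustrative choice.

```python
"""Spot embedded credentials in source text before it reaches a repository."""
import math
import re
from collections import Counter

# Credential-shaped patterns. The AKIA prefix + 16 uppercase alphanumerics is
# AWS's documented access key ID format; the other two are generic heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# A long quoted literal with no keyword beside it is still suspicious if it looks
# random; words and slugs score well below 4 bits per character.
LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (max 4.0 for hex, 6.0 for base64)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str, entropy_threshold: float = 4.0) -> list:
    """Return one finding per credential-like hit: {'line', 'rule', 'match'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
        for m in LITERAL.finditer(line):
            literal = m.group(1)
            # skip literals already reported by a keyword/format rule on this line
            already = any(f["line"] == lineno and literal in f["match"] for f in findings)
            if not already and shannon_entropy(literal) >= entropy_threshold:
                findings.append({"line": lineno, "rule": "high_entropy_literal", "match": literal})
    return findings


# Constructed sample file. The AKIA... and wJalr... values are the placeholder
# credentials from AWS's documentation, not live keys.
SAMPLE_SOURCE = "\n".join([
    "import boto3",
    "# constructed sample; the AKIA/wJalr strings are AWS documentation placeholders",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'SIGNING_MATERIAL = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'DB_PASSWORD = "hunter2hunter2"',
    'PEM = "-----BEGIN RSA PRIVATE KEY-----"',
    'region = "us-east-1"',
    'banner = "welcome-to-the-cloud-demo-app"',
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']}: {f['match']}")
```

Run against the sample, lines 3 to 6 are reported and the two low-entropy literals on lines 7 and 8 are not; wiring `scan_source` into a pre-commit hook is the "spot check" that stops the commit rather than cleaning up after it.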
8. #2: HACKED INTERFACES AND APIS
Problems
Attackers target the trust mechanisms used by APIs – specifically the certificates upon which encryption, authentication, and non-repudiation depend
Assuming everyone is using the API as designed – poorly designed and tested interfaces can permit accidental or malicious compromises
Solutions
Understand how your API can be attacked – threat modeling applications and systems, including data flows and architecture / design specifications
Pen testing by security experts with development experience – they need to understand web services (RESTful, JSON, etc.) and won’t just run vulnerability scan tools
9. #3: ACCOUNT HIJACKING
Problems
Phishing, fraud, and social engineering
Software exploits
Eavesdropping (shoulder surfing, MITM Wifi)
Manipulating transactions and modifying data
Solutions
Does your service provider conduct background checks on employees who have physical access to the servers in their data centers?
Require multi-factor or dynamic (one-time) password authentication, and strong API authentication
Restrict IP addresses allowed to access cloud applications (from corporate networks or VPNs)
Encrypt sensitive data before it goes to the cloud or ensure you alone have the private keys
Service accounts should be monitored for activity
10. #4: PERMANENT DATA LOSS
Problems
Ransomware
Failure to backup or to recover – too much reliance on Cloud provider and “snapshots”
New EU data protection rules also treat data destruction and corruption of personal data as data breaches requiring appropriate notification
Solutions
Disaster Recovery and Business Continuity practices still apply! Test, Test, Test
Maintain multiple backups across a reasonable span of time and vary backup types
Distribute across multiple zones for added protection
Off-cloud (off-site) storage
12. #5: MALICIOUS INSIDERS
Problems
Who: A current or former employee, a rogue administrator, a contractor, or a business partner
What: Data theft
• to sell (fraud)
• to use in next job (theft of IP)
Data destruction – revenge, ransomware, etc.
Solutions
Encryption
Segregating duties and minimizing access given to any one user or group of users – two-man rule
Effective logging, monitoring, and auditing of administrator activities – storage segregation and protection too
14. #6: A PARASITIC THREAT (APTs)
Problems
APTs typically move laterally through the network and blend in with normal traffic
Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks
Command and Control tunneled through valid services or encrypted
Solutions
Strong phishing awareness training and testing
DNS prevention with DMARC (SPF / DKIM)
DNS monitoring
Behavioral analysis of access to apps / systems
Block encrypted traffic or proxy SSL to decrypt
15. #6: A PARASITIC THREAT (APTs) (CONTINUED)
Diagram nodes: Threat Actor; Intelligence Gathering; Command & Control; External Staging; Point of Entry; Lateral Movement; Data of Interest
Point of entry vectors shown on the diagram: Password Reuse; Vulnerabilities; Malicious URL or File; USB / Rubber Ducky
1. Reconnaissance – OSINT; SQL User Dump; Domain Scanning; Spear Phishing; Physical Access
2. Establish Beachhead – ARP Hijack; MitM Credentials; Keylog; Sniffing Passwords / Keys; Machine Access
3. Exfiltrate INT or DAMAGE – Users, Hashes, passwords, LSA, keys; Network layout, IPs, Servers
4. Lateral Access – Web, OS, SQL exploits; Test / QA / Development; Workstations to Servers
5. Local Collection of Data – Collect, compress, encrypt & hide
6. Exfiltrate Data – Steal IP, PII, PHI, etc.
16. #7: INADEQUATE DILIGENCE
Problems
Failure to factor security costs early in the project
What data are going to be stored in the Cloud? Used by whom?
Inadequate contractual considerations
Forgetting to update policies and standards to account for the new operating paradigm
What about the Regulators?
Solutions
Security as an enabler
Discovery of data
Partner with Legal counsel and work together to understand the nuances of contracts
Partner with Audit teams and understand your Compliance requirements
17. #8: DENIAL OF SERVICE
Problems
DDoS attacks consume large amounts of processing power
Collateral damage
A distraction for the real breach
Solutions
Detection – Minimize damage by detecting as soon as possible
Diversity – Multiple network pipelines, content delivery networks
Protection – Services using filters and shunted pipelines; ISP Clean Pipes; appliances that filter malformed packets
Response – Test response and prepare with providers
Assess – Can you do these things? Can your providers?
19. #9: SHARED TECHNOLOGY, SHARED DANGERS
Problems
A multi-tenant environment – shared everything
Misconfiguration, vulnerabilities, etc.
Solutions
Defense-in-depth strategy
Multi-factor authentication
Host-based and network-based intrusion detection/protection systems
Applying the concept of least privilege
Network segmentation
Who else is sharing your Cloud services?
20. SUMMARY OF SOLUTIONS
Dip your toe in the water
Update policies and unify for decentralized environments
Evaluate your currently deployed security technologies
Be aware of what you have in the Cloud
Diversify your Cloud providers
Embrace a data-centric security strategy
Know your Cloud vendors
Treat attack detection like you would in-house
Robust crisis management plans that include testing with the Cloud provider
Strike a balance between privacy and security
21. CLOSING THOUGHTS
Risks can be summarized by 3 things:
- Multi-tenancy
- Shared responsibilities
- Compliance
Does anyone really believe that “a perimeter” still exists?
Defense-in-depth remains a key security strategy
Focus on these 3 things:
- Information classification
- Encryption
- Privileged access management
22. SUPPLEMENTAL – REGULATIONS FRAGMENT THE CLOUD
Regulatory and legislative changes will impose new restrictions on how personal data is collected, stored, exchanged and disposed of over the next few years.
Organizations that depend on Cloud services can expect to suffer a particularly heavy impact. They will be stuck trying to remain compliant with new data protection and data localization requirements, while trying to conduct business as usual.
The location of data has become a particularly pressing issue after the overturning of the US-EU Safe Harbor Agreement in October 2015, and the newly launched EU General Data Protection Regulation has complicated the situation with a wide array of compliance requirements backed by significant fines for non-compliance.
23. RESOURCES
Cloud Security Alliance
https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
Reuters, “Your Medical Record Is Worth More to Hackers Than Your Credit Card”
https://www.reuters.com/article/us-cybersecurity-hospitalsidUSKCN0HJ21I20140924
Cloud Security Alliance, SecaaS Implementation Guidance
https://downloads.cloudsecurityalliance.org/initiatives/secaas/SecaaS_Cat_8_Encryption_Implementation_Guidance.pdf
Amazon Web Services, AWS Official Blog
http://aws.amazon.com/blogs/aws/
Managing Cloud Risk
http://www.isaca.org/Journal/archives/2016/volume-4/Pages/managing-cloud-risk.aspx
ISACA Data Science as a Tool for Cloud Security
http://www.isaca.org/Journal/archives/2016/volume-4/Pages/data-science-as-a-tool-for-cloud-security.aspx
FBI Ransomware Warning
http://www.bankinfosecurity.com/fbi-warning-ransomware-surging-a-8962
24. FINAL CONTACT INFO
Thank you!
+1.800.314.0455
sales@lynxtp.com
GLOBAL HEADQUARTERS
1501 Broadway
12th Floor
New York, NY 10036
Pittsburgh, PA
309 Smithfield Street
3rd Floor
Pittsburgh, PA 15222
Phoenix, AZ
2200 E. Williams Field Road
Suite 200
Gilbert, AZ 85295
lynxgrc.com
Fiercely protecting our clients
IT Risk & Cyber Security Experts
Editor's Notes
<CLICK>
The content may be offensive to some – but I am an equal opportunity offender
<CLICK> for “box brief” bio
Project Management Professional Certification (PMP)
Program & Portfolio Management Masters Certificate (PPMC)
EC-Council Certified Chief Information Security Officer (C|CISO)
Certified in Risk and Information Systems Control (CRISC)
GIAC Information Security Officer Certification (GISO)
GIAC Security Leadership Certification (GSLC)
Certified Protection Professional (CPP)
Certified in ITIL Foundation (ITIL)
3 key takeaways:
While threats in the Cloud contain many of the elements security is used to facing, the shared environment introduces some unique challenges that may require additional processes, technologies, and communication to ensure appropriate insight into your risks. You can’t prevent personnel or your company from leveraging myriad advantages of Cloud computing, but you can enable them by embracing the advantages and knowledgably addressing the risks.
Mitigation is not solely about applying the right technology or processes… it’s about conducting diligent assessments of the vendors you will use, and understanding the business use cases for each service. It is in the intersection of these 2 areas that you can identify your company’s specific risks and take appropriate, measured steps to enable the business.
Denial of access is not an appropriate response to the new technology appetite demonstrated by businesses and individuals. With a generation brought up on instant and ubiquitous access to technology, these millennials expect businesses to provide access to the new tools and services available outside of traditional IT capabilities. Enable your staff and organization in a managed manner (risk managed) or they will enable themselves through more shadow IT.
Defining “Cloud”:
As networks, databases, applications, infrastructure, platforms, and any set of services leveraging technologies you do not directly, physically control
It’s an environment where you may not know which physical device or location your data resides
Typically relies upon a 3rd party to supply a portion of the technology
Typically makes use of public networks, such as the Internet – does not include dedicated circuits, e.g. black fiber, etc.
Organizations continue to embrace the advantages of flexibility, scalability, and management provided by cloud computing platforms and services and often consider security one of their top concerns in cloud environments.
These come from the CSA, but have my own spin on solutions
You’ll notice that the issues and solution are pretty obvious – but the subtleties in the environments can make for more challenges that normal when deploying protection
Certificates
Manual management, not managed as part of directory services – How many do you have? Where are they? Complicated with DevOps where you can provision whole operational environments on the fly
They expire causing outages or poor customer experience
Lack of standards on encryption-key lengths, certificate validity periods
Private-key administration is lax
Certificate Authorities get compromised
DigiNotar
CNNIC Root Certificate Authority
Password
We know issues with passwords – complexity, length, shared across platforms
Password resets provided with public or even data perceived as private
The Anthem breach, which exposed more than 80 million customer records, was the result of stolen user credentials. No multifactor authentication.
Rotate keys and passwords on a regular schedule – even those used by applications – architect applications to minimize customer impact when rotating keys
Separate key generation from Cloud provider hosting the data
Spot checks – because even the best security can sometimes fail – so check yourself frequently, because if you don’t, you can bet the bad guys do.
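"Architect applications to minimize customer impact when rotating keys" usually means overlapping validity: the new key signs, the old key still verifies for a grace window, then it is purged. This is an added example written for this page, not the deck's or Lynx's code; it uses a versioned HMAC key ring where the key id travels with the token, so the verifier knows which key to try. The key material, timeline and 3600-second grace window are constructed values.

```python
"""Versioned HMAC keys with an overlap window, so rotation does not break clients."""
import hashlib
import hmac
import secrets


class KeyRing:
    """Signs with the newest key; verifies with any key still inside its grace window."""

    def __init__(self, grace_seconds: int):
        self.grace = grace_seconds
        self.keys = {}        # key id -> raw key bytes
        self.retired_at = {}  # key id -> time it stopped being the signing key
        self.current = None
        self._serial = 0

    def rotate(self, now: int, key: bytes = None) -> str:
        """Introduce a new signing key; the previous one stays valid for `grace` seconds."""
        self._serial += 1
        kid = f"k{self._serial}"
        self.keys[kid] = key if key is not None else secrets.token_bytes(32)
        if self.current is not None:
            self.retired_at[self.current] = now
        self.current = kid
        return kid

    def sign(self, message: bytes) -> str:
        mac = hmac.new(self.keys[self.current], message, hashlib.sha256).hexdigest()
        return f"{self.current}.{mac}"   # the key id travels with the token

    def verify(self, message: bytes, token: str, now: int) -> bool:
        kid, _, mac = token.partition(".")
        key = self.keys.get(kid)
        if key is None:
            return False                 # unknown or already purged key
        retired = self.retired_at.get(kid)
        if retired is not None and now - retired > self.grace:
            return False                 # old key outlived its overlap window
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)

    def purge(self, now: int) -> list:
        """Drop keys whose grace window has passed; returns the ids removed."""
        gone = [kid for kid, t in self.retired_at.items() if now - t > self.grace]
        for kid in gone:
            del self.keys[kid]
            del self.retired_at[kid]
        return gone


def rotation_walkthrough() -> dict:
    """Constructed timeline (seconds): sign under k1, rotate at t=100, grace 3600 s."""
    ring = KeyRing(grace_seconds=3600)
    ring.rotate(now=0, key=b"constructed-key-one")
    msg = b"session:alice"
    old_token = ring.sign(msg)
    ring.rotate(now=100, key=b"constructed-key-two")
    new_token = ring.sign(msg)
    return {
        "old_token_in_grace": ring.verify(msg, old_token, now=200),
        "old_token_after_grace": ring.verify(msg, old_token, now=100 + 3600 + 1),
        "new_token_any_time": ring.verify(msg, new_token, now=100 + 3600 + 1),
        "tampered_token": ring.verify(b"session:mallory", new_token, now=200),
        "purged": ring.purge(now=100 + 3600 + 1),
    }
```

The grace window is what lets a scheduled rotation happen without forcing every client to re-authenticate at the same instant; `purge` is the step that makes the rotation final, and its return value is worth logging so an audit can see when each key actually left the system.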
Vendors
Okta
Duo Security
Venafi
TrendMicro
API keys are used by Cloud services to identify third-party applications using the services
Poorly designed apps
Allowing anonymous access
Reusable tokens or passwords
Clear-text authentication or transmission of content
Inflexible access controls
Improper authorizations
Limited monitoring and logging capabilities
Unknown service or API dependencies
API security means:
Authentication
Access control
Encryption
Context validation
Activity monitoring
Pen testers: an example is when doing a database pen test or specific app pen tests where you try SQL injection and usually have someone who understands how to make database queries, etc.
They need to understand the architecture. Which brings my other point… pen testing by “security” experts may not be enough… use security experts that have real-world experience deploying, integrating, architecting, and maintaining these cloud environments.
Black box testing and fuzzing are important methods
Vendors
CA API Management Suite (formerly Layer 7 technologies)
Apigee
SOA Software
IBM
When cloud account hijacking occurs, an attacker typically uses a compromised email account or other credentials to impersonate the account owner.
Additionally, as with all cloud services, ensure that your data is backed up in a manner that provides efficient recovery
What good is a backup if it too gets compromised with Ransomware?
Prohibit sharing of account credentials between users and services
Vendors
Vormetric
PhishMe
KnowB4
CipherCloud
AWS VPCs
In many cases, companies rely on the ability to make virtual snapshots and restore from those, or other digital media
Issue is that ransomware may exist on these versions too, but in dormant mode
If you don’t spot the compromise, you may be backing up the problem!
Use a method similar to those in tape backups and don’t just rely on snapshots that may be available from the Cloud provider.
The 3 R’s of Backups: Rotation, Retention, Remote
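The 3 R's and the "backing up the problem" warning above can be turned into a check that runs against a backup inventory. This is an added example, not code from the deck or from Lynx: a grandfather-father-son rotation (`gfs_retain`) decides what is kept, and `check_three_rs` then asks whether anything kept lives off the provider's snapshot store (Remote) and whether the oldest kept copy predates a ransomware dwell window (Retention). The inventory, the 30-day dwell window, the `offsite` location label and the 2016-09-30 reference date are all constructed.

```python
"""Grandfather-father-son retention with an off-cloud copy and a dwell-time check."""
from datetime import date, timedelta


def gfs_retain(snapshots: list, today: date, daily: int = 7, weekly: int = 4, monthly: int = 12) -> set:
    """Return the ids of snapshots a GFS rotation keeps as of `today`."""
    keep = set()
    # Sons: everything from the last `daily` days
    for s in snapshots:
        if 0 <= (today - s["date"]).days < daily:
            keep.add(s["id"])
    # Fathers: the newest snapshot in each of the last `weekly` seven-day windows
    for w in range(weekly):
        start, end = today - timedelta(days=7 * (w + 1)), today - timedelta(days=7 * w)
        window = [s for s in snapshots if start < s["date"] <= end]
        if window:
            keep.add(max(window, key=lambda s: s["date"])["id"])
    # Grandfathers: the newest snapshot in each of the last `monthly` calendar months
    for m in range(monthly):
        year, month = today.year, today.month - m
        while month <= 0:
            year, month = year - 1, month + 12
        window = [s for s in snapshots
                  if (s["date"].year, s["date"].month) == (year, month) and s["date"] <= today]
        if window:
            keep.add(max(window, key=lambda s: s["date"])["id"])
    return keep


def check_three_rs(snapshots: list, today: date, min_age_days: int = 30) -> list:
    """Rotation is gfs_retain; this checks Remote and Retention on what it keeps."""
    kept = gfs_retain(snapshots, today)
    retained = [s for s in snapshots if s["id"] in kept]
    findings = []
    # Remote: at least one retained copy must live outside the provider's snapshot store
    if not any(s["location"] == "offsite" for s in retained):
        findings.append("no_offsite_copy")
    # Retention: a copy older than the dwell window, so dormant ransomware is not in every copy
    oldest = max(((today - s["date"]).days for s in retained), default=0)
    if oldest < min_age_days:
        findings.append("retention_too_short")
    return findings


def build_inventory(today: date, daily_days: int = 14, offsite_weeks: int = 0) -> list:
    """Constructed inventory: provider snapshots for `daily_days`, plus optional weekly offsite copies."""
    inv = [{"id": f"snap-{d}", "date": today - timedelta(days=d), "location": "cloud-snapshot"}
           for d in range(daily_days)]
    inv += [{"id": f"tape-{w}", "date": today - timedelta(days=7 * w), "location": "offsite"}
            for w in range(offsite_weeks)]
    return inv


TODAY = date(2016, 9, 30)  # constructed reference date

if __name__ == "__main__":
    print(check_three_rs(build_inventory(TODAY), TODAY))                   # snapshots only
    print(check_three_rs(build_inventory(TODAY, offsite_weeks=8), TODAY))  # plus weekly offsite copies
```

Fourteen days of provider snapshots alone fail both checks; adding eight weekly offsite copies satisfies them because the monthly tier keeps a 35-day-old copy that was never reachable from the compromised environment. The same function can run in a scheduled job against the real inventory, with the findings feeding whatever alerting the DR test plan already uses.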
<CLICK> for Mo
Use more Cloud services to bolster your data recovery capabilities
Indeed, we’re seeing more Cloud providers that actually cover many of these 9 threats and solutions.
So part of the answer to Cloud threats may be: Mo Cloud!
Not a new concern and not exclusive to Cloud
But how serious is it really?
CERT: 2001–2012, a little over 700 confirmed (reported) malicious insider incidents
Don’t confuse stupidity for maliciousness – copying data to an unprotected area for use by others needing it is not malicious; it has the same consequences, but some different solutions, because intent helps determine how far protection needs to go.
Encryption includes some form of obfuscation that may or may not be reversible – hashing (with salt), tokenization
But protect the keys – if your cloud operator says they encrypt automatically, who controls the keys? They do. That may be bad.
Segregate security duties
You can use a Cloud service to manage your keys, but monitor, alert, and use a 2-man rule
Administrator who uses an admin account for every day functions?
Or the case where the administrative functions are performed from a work station that was used to access external non-company site?
Some examples of administrator segregation:
Hosting
Virtual image (Hypervisor)
System
Application
A disgruntled insider used several relatively cheap, easily configured cloud systems to launch a distributed denial of service attack on his organization, hindering incident investigation and limiting forensic analysis.
Example of incident where administrator exploited certain circumstances to perpetrate the attack
Rogue administrator at company
Understood cloud architecture, replication, latency, and other factors related to how systems were laid out and worked together
Also understood change schedule, change plans, and incident response processes
Sold information to fraudsters
Fraudsters DDoS attacked specific services and servers during change / maintenance window
Fraudsters used phishing and coordinated email attacks to flood company with distracting issues
Fraudsters had ability to create issue tickets (unknown how they got this access, except that it came from a customer – so customer was somehow compromised)
Flood of issues at the same time, first seen as performance issues, and the attack was not realized until 75 minutes after the attacks began.
During that time, the rogue administrator ran a backdoor program on one of the servers using a “root” account. Numerous users were on the server as root, and a second administrator ran the same exploit, which had been renamed to a system program
Fraudsters gained access and were able to grab password files, and complete database containing encrypted data. However, keys for database were in admin account with other config notes.
Fraudsters stole $5MM in company funds – most of which were stopped by BANK controls – not company controls
Insider was only caught after law enforcement investigation and private company investigation – used bank information to track funds transfer to administrator and he confessed
An insider planning to leave the company leverages cloud storage to consolidate and exfiltrate sensitive information to take to a new job with a competitor.
APTs infiltrate and establish a foothold, lie dormant and/or collect intelligence, allow fraudster to move through your network using authorized credentials, and eventually, stealthily exfiltrate data over an extended period of time.
Major Cloud providers segment and apply other techniques to protect their infrastructure, but what are you doing with your Cloud systems?
Vendors for Phishing
PhishMe
KnowB4
DNS techniques
Domain-based Message Authentication, Reporting & Conformance (DMARC)
An email authentication protocol
It builds on the widely deployed SPF and DKIM protocols
Adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email
Sender Policy Framework (SPF)
Domain Keys Identified Mail (DKIM)
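DMARC only protects a domain when the SPF record actually fails unauthorized senders and the DMARC policy tells receivers to act on that failure. The following is an added example, not code from the deck or from Lynx: it parses the text of a domain's SPF and DMARC TXT records and returns finding codes for the weak settings (a `~all` softfail, `p=none`, a partial `pct`, no aggregate-report address, more than the ten DNS-querying terms RFC 7208 allows). The records are constructed for the documentation domain example.com; fetching the real ones is a TXT lookup of the domain and of `_dmarc.<domain>`, which is left outside the block so it runs offline.

```python
"""Grade SPF and DMARC policy strength from the TXT record text."""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str):
    """Return {'all': qualifier, 'dns_lookups': n, 'mechanisms': [...]} or None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = {"all": None, "dns_lookups": 0, "mechanisms": []}
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            parsed["all"] = qualifier
        if name in LOOKUP_TERMS:
            parsed["dns_lookups"] += 1
        parsed["mechanisms"].append((qualifier, term))
    return parsed


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return finding codes; an empty list means nothing weak was found."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("spf-missing")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("spf-permissive-all")    # anyone may send as the domain
        elif spf["all"] == "~":
            findings.append("spf-softfail")          # receivers usually only tag, not reject
        if spf["dns_lookups"] > 10:
            findings.append("spf-too-many-lookups")  # evaluates to permerror at receivers
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else {}
    if dmarc.get("v") != "DMARC1":
        findings.append("dmarc-missing")
    else:
        if dmarc.get("p") not in ("quarantine", "reject"):
            findings.append("dmarc-p-none")          # monitoring only; spoofed mail still delivered
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("dmarc-partial-pct")
        if "rua" not in dmarc:
            findings.append("dmarc-no-aggregate-reports")
    return findings


# Constructed records for the documentation domain example.com
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

A `p=none` record is the normal starting point because it generates the reports that show who is legitimately sending as the domain; the finding is there to make sure the domain does not stay parked at that stage.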
DNS tunneling - monitor your DNS traffic!
Can be used to tunnel outgoing CNC communications
Just because it is using port 53 doesn’t mean it is DNS – is it formatted for DNS? Is it encrypted?
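"Is it formatted for DNS?" can be asked of a resolver log rather than of packets. This is an added example, not code from the deck or from Lynx: it aggregates queries per base domain and flags the profile tunnels tend to leave, many queries whose leading label is long and high-entropy and almost never repeats (encoded payload rather than a cacheable hostname), with the share of TXT/NULL queries reported alongside. The log lines, client addresses, the `t.example.net` name and the thresholds are constructed for illustration; tune the thresholds to your own baseline.

```python
"""Flag DNS query patterns that look like tunneling, from a resolver query log."""
import math
from collections import Counter, defaultdict

# Constructed resolver log: timestamp, client, query type, query name.
# example.net carries five TXT queries whose first label is 32 hex characters;
# example.com is ordinary browsing and mail; example.org is a single long
# CDN-style label, which on its own is not a signal.
SAMPLE_DNS_LOG = """\
2016-09-12T10:00:01Z 10.0.0.5 A www.example.com
2016-09-12T10:00:02Z 10.0.0.5 MX mail.example.com
2016-09-12T10:00:03Z 10.0.0.7 A www.example.com
2016-09-12T10:00:04Z 10.0.0.5 A www.example.com
2016-09-12T10:00:05Z 10.0.0.9 TXT 7c3e9a1f0d5b2846f1e0d9c8b7a65432.t.example.net
2016-09-12T10:00:06Z 10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example.net
2016-09-12T10:00:07Z 10.0.0.9 TXT a1b2c3d4e5f60789f0e1d2c3b4a59687.t.example.net
2016-09-12T10:00:08Z 10.0.0.9 TXT 9876543210fedcba0123456789abcdef.t.example.net
2016-09-12T10:00:09Z 10.0.0.9 TXT 5a6b7c8d9e0f12346f5e4d3c2b1a0978.t.example.net
2016-09-12T10:00:10Z 10.0.0.7 A d1a2b3c4d5e6f7a8b9c0d1e2.cdn.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex tops out at 4.0, hostnames sit far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def profile_domains(log_text: str) -> dict:
    """Aggregate per base domain (last two labels) and mark tunnel-like profiles."""
    acc = defaultdict(lambda: {"queries": 0, "txt_like": 0, "label_len": 0,
                               "entropy": 0.0, "subdomains": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue                       # bare apex query: no subdomain to measure
        st = acc[".".join(labels[-2:])]
        st["queries"] += 1
        st["txt_like"] += qtype in ("TXT", "NULL")   # record types that carry free-form payloads
        st["label_len"] += len(labels[0])
        st["entropy"] += shannon_entropy(labels[0])
        st["subdomains"].add(".".join(labels[:-2]))
    report = {}
    for base, st in acc.items():
        n = st["queries"]
        m = {
            "queries": n,
            "avg_label_len": st["label_len"] / n,
            "avg_entropy": st["entropy"] / n,
            "txt_fraction": st["txt_like"] / n,
            "distinct_sub_ratio": len(st["subdomains"]) / n,
        }
        # Illustrative thresholds: enough queries to matter, long random-looking
        # leading labels, and nearly every query name unique
        m["suspicious"] = bool(n >= 5 and m["avg_label_len"] >= 20
                               and m["avg_entropy"] >= 3.5 and m["distinct_sub_ratio"] >= 0.8)
        report[base] = m
    return report


if __name__ == "__main__":
    for base, m in profile_domains(SAMPLE_DNS_LOG).items():
        print(base, "SUSPICIOUS" if m["suspicious"] else "ok", m)
```

The single long label under example.org is deliberately not flagged: one odd query is how CDNs and cloud storage look every day, and the count and uniqueness conditions are what separate that from a channel.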
Vendors for traffic and malware
Damballa
Fire Eye
Bluecoat
Forcepoint (formerly Websense)
Behavioral Analytics
These are often difficult to deploy, but identifying lateral movements of AUTHORIZED users is important!
Different types:
User (identity-centric): a departing executive exhibits a 300% spike in activity; he’s downloaded hundreds of pieces of sensitive data to an external drive
Activity (action-centric): a customer list is copied to a thumb drive, which is outside of normal business use for your company
File (asset-centric): A user accesses sensitive CAD files on a file share for the first time
Method (system-centric): a machine is accessing backend servers it has never accessed before at a time it has never been active on the network
Don’t confuse this with tools that just look at the network, such as NetFlow stats alone. This is useful, but you need contextual relevance
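The four analytic types listed above reduce to one pattern: build a per-actor baseline, then score the current day against it. This is an added example, not code from the deck or from Lynx, and it is deliberately simple compared with the vendor products named below. It takes an access event list and raises an identity-centric alert when an actor's daily volume exceeds three times their baseline average (the "300% spike"), an asset-centric alert on first-time access to an asset, and a time-centric alert for activity at an hour the actor has never been active. The actors, asset names, dates and the 3x factor are constructed.

```python
"""Baseline-and-deviation checks over an access log: spike, first-time asset, unusual hour."""
from collections import defaultdict
from datetime import datetime


def build_baseline(events: list, eval_date: str) -> dict:
    """Per actor: average daily event count, assets touched, and hours active, before eval_date."""
    daily = defaultdict(lambda: defaultdict(int))
    assets = defaultdict(set)
    hours = defaultdict(set)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        day = ts.date().isoformat()
        if day >= eval_date:
            continue
        daily[e["actor"]][day] += 1
        assets[e["actor"]].add(e["asset"])
        hours[e["actor"]].add(ts.hour)
    return {
        actor: {"avg_daily": sum(days.values()) / len(days),
                "assets": assets[actor], "hours": hours[actor]}
        for actor, days in daily.items()
    }


def detect(events: list, eval_date: str, spike_factor: float = 3.0) -> list:
    """Return (alert_type, actor, detail) tuples for the evaluation day."""
    baseline = build_baseline(events, eval_date)
    alerts, counts = [], defaultdict(int)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if ts.date().isoformat() != eval_date:
            continue
        actor, b = e["actor"], baseline.get(e["actor"])
        if b is None:
            alerts.append(("unknown_actor", actor, e["asset"]))  # no history at all
            continue
        counts[actor] += 1
        if e["asset"] not in b["assets"]:                       # asset-centric: first access
            alerts.append(("first_time_asset", actor, e["asset"]))
        if ts.hour not in b["hours"]:                           # time-centric: never active at this hour
            alerts.append(("off_hours", actor, ts.strftime("%H:%M")))
    for actor, n in counts.items():                             # identity-centric: volume spike
        avg = baseline[actor]["avg_daily"]
        if n > spike_factor * avg:
            alerts.append(("volume_spike", actor, f"{n} events vs {avg:.1f}/day baseline"))
    return alerts


def constructed_events() -> list:
    """Five baseline days for alice and bob, then an evaluation day where alice deviates."""
    events = []
    for day in range(1, 6):
        for hour in (9, 10):
            events.append({"ts": f"2016-09-0{day}T{hour:02d}:15:00", "actor": "alice", "asset": "share://finance"})
        for hour in (8, 12, 16):
            events.append({"ts": f"2016-09-0{day}T{hour:02d}:05:00", "actor": "bob", "asset": "share://hr"})
    for hour in (9, 9, 9, 10, 10, 10, 10):                    # alice: four times her usual volume
        events.append({"ts": f"2016-09-06T{hour:02d}:30:00", "actor": "alice", "asset": "share://finance"})
    events.append({"ts": "2016-09-06T02:30:00", "actor": "alice", "asset": "share://cad"})  # new asset, 02:30
    for hour in (8, 12, 16):                                   # bob: unchanged
        events.append({"ts": f"2016-09-06T{hour:02d}:05:00", "actor": "bob", "asset": "share://hr"})
    return events


EVAL_DATE = "2016-09-06"

if __name__ == "__main__":
    for alert in detect(constructed_events(), EVAL_DATE):
        print(alert)
```

The contextual relevance the note asks for is exactly what the baseline supplies: the same 02:30 access to a CAD share is routine for a night-shift engineer and an alert for an accounts-payable user, and a per-actor history is what tells the two apart.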
Vendors for behavioral analytics
Interset
Exabeam
Protectwise
Really stands for Advanced Persistent Threat, a term used to describe a combination of techniques, technologies, or other combinations to penetrate an environment, spread within that environment, and ultimately execute whatever the fraudster’s agenda is.
Key point: Stealth and patience
Social engineering or other techniques to identify targets (anyone who has access privileges or can get access to people / networks / servers that do have access)
Send spear phishing emails; spoof
Can affect traditional networks or Cloud enabled environments
Can also take place FROM the Cloud – even the same Cloud provider you use to further hide the attacks
When you consider the “must haves” for secure cloud adoption, the initial costs can quickly exceed expectations
Doesn’t mean the Cloud won’t be cheaper or that you won’t be able to realize all of the benefits of the Cloud
It just may take a little longer than planned
Is your current security infrastructure capable of providing adequate coverage of Cloud environments?
Just because the Cloud Provider does all the heavy lifting with spinning up virtual servers, doesn’t mean you shouldn’t embed security capabilities in your virtual images.
And on that note… will you know if DevOps is spinning up instances and taking them down?
You go full out and often don’t take the time to understand not just:
1) the data
2) but the data flows
3) the touch points within and outside of applications
4) Who will access what, when, and how?
Contractual considerations:
1) Modification to the contract terms – Scrutinize Cloud provider’s ability to change the terms of the contract.
2) Description of the service – Make sure there is a clear description of the cloud service. Many contracts grant the vendor the freedom to add or remove features. Have specific SLAs, escalation processes, and specific contacts; and interruption compensation.
3) Limitation on the use or reuse of the data – Can the Cloud provider use your data or reuse it in a manner not specified? Know WHERE your data will be located.
4) Confidentiality and security requirements – They will follow their policies, not yours. Properly allocated liability – what if a virtual appliance that you created led to a breach of your environment vs a breach caused by something happening in their environment? Notification?
5) Intellectual property rights – Who owns the content you provide? If it is a free service, you may be granting the Cloud provider a royalty-free license to use this content – Scope of license will also be crucial
6) Indemnification – Identifies how one party will compensate the other for a loss incurred – what if Cloud service impinges on someone else’s IP; then can indemnify you for that
7) Limitation of liability and damages – typically this is most negotiated clause; Will determine extent of damages and HOW the damages were incurred – words like ”Negligence” and “Gross negligence,” etc. mean different things and may not kick in liability – Insurance is important but how much?
8) Term and renewal of the contract – Does contract give vendor the freedom to terminate the contract at any time and for no reason after initial period? Or does it automatically renew if not term’d in certain window?
9) Effect of termination – What will happen upon termination? Where do the data go? How will you ensure destruction? How will you retrieve the data from the services? In what export format? Will they be required to keep data during transition period?
An old disrupter but still a threat
It’s typically an assault by millions of automated requests for service
The largest DDoS attack in history (January 2016) was carried out against the BBC website: 602 Gbps
Also took down Trump’s site
New World Hacking group – Guy named Ownz – used own tool called BangStresser
Claimed to use AWS!
A similar group, Lizard Squad, used Lizard Stresser to take down Sony’s PlayStation Network and Microsoft Xbox Live on Christmas Eve 2015
Processing and bandwidth loads will impact your bill and not just your availability
Does your contract contain any provision on bandwidth resulting from external attacks like a DDoS? What will the vendor do to assist with that HUGE bill you’ll get?
Collateral damage
The problem is that you may not be the intended victim of the attack…
When a large bank in Pittsburgh was attacked in 2013, other businesses in the city were impacted because all network pipes were flooded
What if your Cloud provider was attacked – but you are not target?
Distraction for a real breach
2 things happened in March 2016 when the KKK web site was attacked with a DDoS: it took down everyone else using that same service provider, and it was a distraction for the real attack, which led to a breach in which they lost credit card info for all of their customers
http://www.bankinfosecurity.com/hackers-attack-web-hosting-firm-a-8964
It’s one of those things that if it is big enough, you can’t do much except hunker down and get back up as soon as possible
Before you can defend against it, you need to understand that these events take place in 3 forms:
Volumetric – UDP floods, ICMP floods, DNS amplification (reflection attacks) – least sophisticated but can be most devastating
Layer 3 – packets crafted to cause resource consumption – TCP SYN floods, TCP fragmentation attacks – easy to filter for malformed packets
Layer 7 – exploit web application commands to do tasks that are resource intensive – more difficult to filter, programmatically throttled
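"Programmatically throttled" for the Layer 7 case usually means a per-client token bucket in front of the expensive endpoint: each client earns requests at a steady rate up to a burst allowance, and anything beyond that is refused cheaply before the application does the costly work. This is an added example, not code from the deck or from Lynx. The request log is constructed (TEST-NET addresses, one client sending 50 searches in a second, one browsing normally), and the 10 requests/second rate with a burst of 10 is an illustrative setting; the bucket uses integer milli-tokens so the counts are exact.

```python
"""Per-client token-bucket throttle for an expensive Layer 7 endpoint."""
from collections import defaultdict


class TokenBucket:
    """Integer arithmetic in milli-tokens and milliseconds, so results are exact."""

    def __init__(self, rate_per_sec: int, burst: int, now_ms: int):
        self.rate = rate_per_sec            # tokens added per second
        self.capacity = burst * 1000        # milli-tokens the bucket can hold
        self.tokens = self.capacity         # a new client starts with a full burst
        self.last = now_ms

    def allow(self, now_ms: int) -> bool:
        # rate tokens/s times elapsed ms equals rate * elapsed milli-tokens
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:             # one whole token pays for one request
            self.tokens -= 1000
            return True
        return False


def throttle(requests: list, rate_per_sec: int, burst: int) -> dict:
    """requests: (ts_ms, client, path). Returns per-client allowed/throttled counts."""
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "throttled": 0})
    for ts_ms, client, _path in sorted(requests):
        bucket = buckets.get(client)
        if bucket is None:
            bucket = buckets[client] = TokenBucket(rate_per_sec, burst, ts_ms)
        stats[client]["allowed" if bucket.allow(ts_ms) else "throttled"] += 1
    return dict(stats)


# Constructed request log (TEST-NET addresses): one client fires 50 searches in a
# second, the other browses at a normal pace.
FLOOD_CLIENT, NORMAL_CLIENT = "203.0.113.7", "198.51.100.3"
REQUESTS = ([(i * 20, FLOOD_CLIENT, "/search?q=%") for i in range(50)]
            + [(i * 300, NORMAL_CLIENT, "/search?q=invoice") for i in range(5)])

if __name__ == "__main__":
    for client, counts in throttle(REQUESTS, rate_per_sec=10, burst=10).items():
        print(client, counts)
```

The flooding client gets its initial burst of 10 plus what the refill rate allows and nothing more, while the normal client is never touched; in a real deployment the key would be whatever identifies a client through your CDN or load balancer (forwarded address, session, API key), and the throttled count per key is itself a useful detection signal.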
Tell story of the where are my ATMs widget
Incident response
Detection – need intelligence from others in your same industry, skills in networking tools
Diversity – more than one network, more than one provider, and burstable – look at choke points all along Internet pipeline
Akamai, CloudFlare
Good news is that many of the established large providers have this built into their services already
Protection – Incapsula, Akamai (Prolexic), GigeNet – all use some sort of BGP routing
Arbor (AT&T uses them) or Black Lotus (acquired by Level 3)
Or an appliance like Radware
Incident response – preparation, detection, containment
Use Lite sites (static version of your content)
Attacks require multi-discipline response – media relations, 3rd party suppliers, network, application, help desk
<CLICK> for animation on next slide
An old disrupter but still a threat
It’s typically an assault by millions of automated requests for service
Largest DDoS attack in the history (January 2016) was carried out against the BBC website: 602 Gbps
Also took down Trump’s site
New World Hacking group – Guy named Ownz – used own tool called BangStresser
Claimed to use AWS!
A similar group Lizard Squad using Lizard Stresser to take down Sony’s Playstation network and Microsoft XBOX Live in 2015 Christmas Eve
Processing and bandwidth loads will impact your bill and not just your availability
Does your contract contain any provision on bandwidth resulting from external attacks like a DDoS? What will the vendor do to assist with that HUGE bill you’ll get?
Collateral damage
The problem is that you may not be the intended victim of the attack…
Large bank in Pittsburgh was attacked in 2013, they impacted other businesses in the city because all network pipes were flooded
What if your Cloud provider was attacked – but you are not target?
Distraction for a real breach
Two things happened in March 2016 when the KKK web site was hit with a DDoS
… it took down everyone else using that same service provider
And it was a distraction for the real attack
which led to a breach in which they lost credit card info for all of their customers
http://www.bankinfosecurity.com/hackers-attack-web-hosting-firm-a-8964
It’s one of those things where, if it is big enough, you can’t do much except hunker down and get back up as soon as possible
Before you can defend against it, you need to understand that these events take place in 3 forms:
Volumetric – UDP floods, ICMP floods, DNS amplification (reflection attacks) – least sophisticated but can be most devastating
Layer 3 – packets crafted to cause resource consumption – TCP SYN floods, TCP fragmentation attacks – easy to filter for malformed packets
Layer 7 – exploit web application requests that perform resource-intensive tasks – more difficult to filter; must be throttled programmatically
Tell the story of the “where are my ATMs” widget
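The Layer 7 case above is where counting packets or bytes fails: a handful of expensive requests costs the server more than hundreds of cheap ones, so the throttle has to be application-aware. The following is an added Go example, not code from the presentation; the req type, the per-endpoint costs, the budget and the addresses are constructed for illustration:

```go
package main

// A request as seen by an application-aware filter in front of the site. cost is
// the relative server cost the router assigned to the endpoint (say 25 for a PDF
// report, 10 for a search, 1 for a cached page). All values are constructed.
type req struct {
	atMs   int64 // arrival time in milliseconds; ordered per client
	client string
	cost   int
}
// Throttle charges each client's requests against a cost budget per sliding window.
type Throttle struct {
	windowMs int64
	budget   int
	history  map[string][]req // client -> charged requests, oldest first
}
// Allow charges r if it fits the client's remaining budget; blocked requests
// are not charged, so the client recovers as soon as the window slides.
func (t *Throttle) Allow(r req) bool {
	h, spent := t.history[r.client], 0
	for len(h) > 0 && r.atMs-h[0].atMs >= t.windowMs {
		h = h[1:] // expire requests that fell out of the window
	}
	for _, x := range h {
		spent += x.cost
	}
	if spent+r.cost > t.budget {
		t.history[r.client] = h
		return false
	}
	t.history[r.client] = append(h, r)
	return true
}

// Replay runs requests through a fresh throttle and returns blocked counts per client.
func Replay(reqs []req, windowMs int64, budget int) map[string]int {
	t := &Throttle{windowMs, budget, map[string][]req{}}
	blocked := map[string]int{}
	for _, r := range reqs {
		if !t.Allow(r) {
			blocked[r.client]++
		}
	}
	return blocked
}
// Sample: one address firing expensive reports, another browsing cheaply just as often.
var Sample = []req{
	{0, "198.51.100.7", 25}, {200, "198.51.100.7", 25}, {400, "198.51.100.7", 25}, {600, "198.51.100.7", 25},
	{0, "203.0.113.9", 1}, {300, "203.0.113.9", 10}, {600, "203.0.113.9", 1}, {900, "203.0.113.9", 10},
}
```

With a 10-second window and a budget of 50, `Replay(Sample, 10000, 50)` blocks two of the four report requests and none of the cheap browsing, even though both clients sent the same number of requests.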
Incident response
A compromise of a single component, such as the hypervisor, exposes more than just the compromised customer:
it exposes the entire environment to potential compromise and breach
The same is true of other shared resources such as CPU caches, shared database services, or shared storage
Compromises can have impact beyond their immediate surroundings
Vendors
Digital Guardian (formerly Verdasys)
Dip a Toe – There is a learning curve with cloud adoption, so take baby steps, starting with apps and data that are not critical
Policies – Update security policies to cover both Cloud and internal infrastructure
Current Technology – Do the security tools you have now work to protect your extended environment? Remember, the perimeter is a myth
Be Aware – Do data discovery – not once, but periodically – always keep checking for what you have
Data-centric – focus on the people and the data, because you may not be able to control the endpoints to the extent you wish – apps in the Cloud may have their own security systems
Know Your Vendor – Cloud vendors differentiate on price and features
Check what they do to secure themselves – how they treat their own security is how they will treat your data
Conduct due diligence and look deeper than the marketing jargon
For example: encrypted sessions are terminated in the cloud (they don’t encrypt within their cloud) – the grade
Check that the platform you will use conforms to industry and internal compliance standards
If not, can you upgrade and modify security settings and create your own “golden” image?
Review the cloud service provider’s business continuity plan and disaster recovery plan
Assess cloud service reliability across different providers.
Cloud Harmony
eCloudAssurance
Cloud Security Alliance
Threat Detection – The biggest difference between monitoring for attacks at an internal data center and in the cloud is that some assets won’t be in your direct control
Detection protocols must sit in front of cloud-based assets just as they would in your data center
A rapid response gives you time to assess and evaluate the attack and decide which mitigation resources to throw at it.
Strike a balance – A network or cloud provider under attack will continue to receive legitimate traffic
Parsing trusted sources from attack traffic requires some decryption, which exposes potentially confidential information
Look for tools, such as behavioral threat detection algorithms, that decrypt only the least amount of data necessary to sort good traffic from bad
Discuss with your cloud provider which security protocols it uses, and the degree to which it can ensure that sensitive information remains private.
3 Risks
<CLICK>
There is no perimeter anymore – we rarely control the endpoints
Whether you’re in the cloud, enabling mobile devices (BYOD, etc.), or even have a server farm that hosts thousands of virtual systems, you will rarely know exactly where your data are
<CLICK>
These recommendations shouldn’t be a surprise – they all involve a balanced approach that addresses people, processes and technology controls
Defense in Depth – but also don’t forget data-centric solutions as part of that equation
Actually, all of these approaches just reduce the threat surface
<CLICK>
Information classification:
In September 2014, a Reuters article stated that medical information is now worth 10 times more than credit card numbers on the black market and is increasingly being targeted by cybercriminals.
Classifying information enables business leaders to make informed decisions regarding how much risk they want to take in pursuit of innovation.
Isolate High-value Information – Once data has been classified, regulated enterprises may consider using a private cloud to isolate high-value applications.
Encryption:
According to the CSA’s September 2012 cloud encryption publication, SecaaS Implementation Guidance, Category 8, encryption and protection of cryptographic keys are among the most effective data protection controls.
Robust key management is essential because losing encryption keys may result in data loss.
Implement tight controls to protect cryptographic keys, including a key life cycle management policy.
NIST Special Publication 800-57 Parts 1, 2 and 3 provide more detailed encryption key management guidelines.
Ensure the cloud encryption service includes disaster recovery and failover capabilities to minimize business impact if keys are lost.
Define responsibilities for managing encryption keys.
Retain key management to mitigate an external breach of the service provider or malicious compromise by the service provider’s privileged users.
Test to confirm database encryption will not adversely impact application performance.
Implement controls to purge data once it is removed from cloud storage – crypto shredding
Complement data encryption with integrity protections such as digital signatures to maintain data authenticity.
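Retained key management, crypto shredding and integrity protection from the three points above, as an added Go example that is not part of the presentation. It assumes the customer holds one AES-256-GCM key per stored object outside the provider (in practice that key would itself be wrapped by a key-encryption key in a KMS or HSM); the KeyStore type and all names are constructed:

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KeyStore: one customer-held AES-256 key per object; the ciphertext lives at the provider.
type KeyStore struct{ keys map[string][]byte } // object id -> key
const nonceSize = 12 // standard GCM nonce length
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system RNG is not something to recover from
	}
	return b
}
func gcmFor(key []byte) cipher.AEAD { // cannot fail for the 32-byte keys used here
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// seal returns nonce||ciphertext||tag; the GCM tag doubles as the integrity check.
func seal(key, plaintext []byte) []byte {
	nonce := randomBytes(nonceSize)
	return gcmFor(key).Seal(nonce, nonce, plaintext, nil)
}
// open rejects truncated or tampered input instead of returning garbage.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < nonceSize {
		return nil, errors.New("ciphertext too short")
	}
	return gcmFor(key).Open(nil, sealed[:nonceSize], sealed[nonceSize:], nil)
}
func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }
// Encrypt: fresh key per object; only the ciphertext goes to the provider.
func (s *KeyStore) Encrypt(id string, plaintext []byte) []byte {
	s.keys[id] = randomBytes(32)
	return seal(s.keys[id], plaintext)
}
// Decrypt fails after Shred even though the provider still holds the ciphertext.
func (s *KeyStore) Decrypt(id string, ciphertext []byte) ([]byte, error) {
	key, ok := s.keys[id]
	if !ok {
		return nil, errors.New("key shredded: object unrecoverable")
	}
	return open(key, ciphertext)
}
// Shred destroys the object's key: the crypto-shredding step.
func (s *KeyStore) Shred(id string) { delete(s.keys, id) }
```

Once Shred has run, the provider's copy of the ciphertext is useless even if it is never physically purged, and any bit flipped in that ciphertext is rejected by the GCM tag rather than silently decrypted.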
Privileged Access Management
Confirm the effectiveness of a cloud service provider’s privileged access controls, specifically the hiring and oversight of system administrators.
Implement strong passwords and automate security policy provisioning.
Enforce two-factor authentication and two-person rule over high-impact activities.
Log and monitor access to privileged accounts, including execution of high-impact commands.
Retain superuser account credentials for accounts that give full access to all cloud resources
Regularly rotate passwords for service accounts, using an automated password management solution.