2. CCSK, CCSP, CCAK, ACSP
Moshe Ferber
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
• Co-hosting the Silverlining podcast – learn about security engineering
• Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certifications
• Member of the board at Machshava Tova – Narrowing societal gaps
• Chairman of the Board, Cloud Security Alliance, Israeli Chapter
• Cloud Security Course Schedule can be found at: https://onlinecloudsec.com/speaking-schedule/
3. About the Cloud Security Alliance
• Global, not-for-profit organization
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud providers & security professionals certifications
• Awareness and Marketing
• The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing”
5. Sources:
What are we going to talk about?
Risks & threats
Vulnerability
Attack vectors
6. SaaS
PaaS
IaaS
The focus today is IaaS/PaaS
Gain the expertise for building secure applications
Evaluate our providers correctly
Very hard to provide best practices
15. Moshe Ferber
Moshe @ onlinecloudsec.com
www.onlinecloudsec.com
http://il.linkedin.com/in/MosheFerber
KEEP IN TOUCH
Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
Editor's Notes
Data breaches
The classic ones: Uber, Microsoft, Verizon, Weight Watchers
The role of the supply chain. 4 or 5 different roles
Talk about the shared responsibility between the provider and consumer
Booking.com partners misconfigured bucket
Chtrbox leaked 50M from Instagram
Exactis - leaked information from customers
Misconfiguration and inadequate change control
Let's talk about S3 & DB misconfigurations
S3: 120M Brazilian citizens
MongoDB: 96 million Mexican voters
Israel: Elector app DB leaking
Israel, MongoDB: Paybox
Elasticsearch: 8M hotel guests' details on AAVGO Elasticsearch server
Lack of cloud security architecture and strategy
Accenture 137GB of cloud strategy
Also happened to Deloitte, also happened to me (Dropbox)
Myspace lost 12 years of photos
KPMG lost all Teams data
Lack of strategy leads to
FinOps, denial of wallet
The China Great Wall
Lack of understanding about backups
Insufficient identity, credentials, access and key management
Identity is the new perimeter
Lots of startups are doing identity
The growing number of phishing attacks on 365
SolarWinds and Golden SAML attacks (from internal to the cloud)
Scraping GitHub credentials - talk about access keys
Account hijacking
The account hijacking of Elon Musk, AP (about Barack Obama)
Codespaces vs. just phishing (hijacking in SaaS vs. IaaS)
What can we learn from Codespaces - reducing the blast radius
Insider threats
Consumers:
Elon Musk - the Twitter hack
Snapchat employee
Yahoo - former employee admin hacking 6000 accounts for sexual content
Industrial espionage
Tesla malicious insider stole plans
Angry employee
600 Webex servers deleted
Even happening to security companies
Trend Micro employee sold customers' data
Governments
MS sharing Indian citizens' banking data with the US
Twitter employee spied for Saudi Arabia on government critics
Cloud providers are the new Fort Knox
Insecure interfaces and APIs
APIs are the new B2B
Automation, Open banking, customers
APIs are the new authentication & authorization engines
Access tokens are a target
Facebook - "View As" API exposed 50M, stealing access tokens
Salesforce - data leakage through misconfigured APIs
Instagram API glitch - scraping millions of records, posting on behalf
Remind our research paper
Other interfaces:
Metadata - used in Capital One
Weak control plane
Capital One - least privilege
AMI & malicious images
Docker Hub malicious images
AWS Marketplace Windows 7 - with bitcoin mining
Metastructure and applistructure
Talk about providers' failures
Google deleted our G Suite
Google suspended an account
DigitalOcean falsely detected a crypto miner and shut the company down
Facebook and Twitter closed Trump's account / Parler
Limited cloud visibility
Talk about shadow IT
Hospitals
Hillary Clinton
Abuse & nefarious use of cloud services
Zepto propagated through cloud storage apps
Telegram used to deliver HeroRat
Google Drive and OneDrive links
Sometimes the abusers are governments
Grindr & TikTok - Chinese owners forced to sell
The German and French governments are saying the USA is abusing cloud services
Classic Data breaches:
https://www.bleepingcomputer.com/news/security/weight-watchers-it-infrastructure-exposed-via-no-password-kubernetes-server/
https://awsinsider.net/articles/2017/11/21/uber-aws-data-breach.aspx
https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/
Partners:
Partners of booking.com
https://www.itgovernance.co.uk/blog/millions-of-expedia-and-booking-com-customers-at-risk-after-data-breach
Marketing data:
https://www.wired.com/story/exactis-database-leak-340-million-records/amp
Verizon 12 million – the shared responsibility model
Instagram 50M leaked due to Chtrbox - a partner
https://techcrunch.com/2019/05/20/instagram-influencer-celebrity-accounts-scraped/