Understanding IaaS/PaaS attack vectors
Moshe Ferber
CCSK, CCSP, CCAK, ACSP
Onlinecloudsec.com
Moshe Ferber
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
• Co-hosting the Silverlining podcast – learn about security engineering
• Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certification
• Member of the board at Macshava Tova – Narrowing societal gaps
• Chairman of the Board, Cloud Security Alliance, Israeli Chapter
• Cloud Security Course Schedule can be found at: https://onlinecloudsec.com/speaking-schedule/
About the Cloud Security Alliance
• Global, not-for-profit organization
• Building security best practices for next generation IT
• Research and Educational Programs
• Certifications for cloud providers & security professionals
• Awareness and Marketing
• The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing”
CSA relevant publications
Sources:
What are we going to talk about?
Risks & threats
Vulnerability
Attack vectors
SaaS / PaaS / IaaS
The focus today is IaaS/PaaS
Gain the expertise for building secure applications
Evaluate our providers correctly
Very hard to provide best practices
#1 Exploitable workloads
#2 Workloads with excessive permissions
#3 Unsecured keys, credentials, and application secrets
#4 Exploitable authentication or authorization
#5 Unauthorized access to object storage
#6 Third party cross environment/account access leading to privilege escalation
#7 Unsecured/unencrypted snapshots & backups
#8 Compromised images
Moshe Ferber
Moshe @ onlinecloudsec.com
www.onlinecloudsec.com
http://il.linkedin.com/in/MosheFerber
KEEP IN TOUCH
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
Editor's Notes

  1. Data breaches
     • The classic ones: Uber, Microsoft, Verizon, Weight Watchers
     • The role of the supply chain: 4 or 5 different roles. Talk about the shared responsibility between the provider and consumer
     • Booking.com partners' misconfigured bucket
     • Chtrbox leaked 50M from Instagram
     • Exactis leaked information from customers
     Misconfiguration and inadequate change control
     • Let's talk about S3 & DB misconfigurations
     • S3: 120M Brazilian citizens
     • MongoDB: 96 million Mexican voters
     • Israel: Elector app DB leaking
     • Israel, MongoDB: Paybox
     • Elasticsearch: 8M hotel guests' details on AAVGO Elastic server
     Lack of cloud security architecture and strategy
     • Accenture: 137GB of cloud strategy. Also happened to Deloitte, also happened to me (Dropbox)
     • Myspace lost 12 years of photos
     • KPMG lost all Teams data
     • Lack of strategy leads to FinOps, denial of wallet
     • The China great wall
     • Lack of understanding about backups
     Insufficient identity, credentials, access and key management
     • Identity is the new perimeter; lots of startups are doing identity
     • The growing number of phishing attacks on 365
     • SolarWinds and Golden SAML attacks (from internal to the cloud)
     • Scraping GitHub credentials; talk about access keys
     Account hijacking
     • The account hijacking of Elon Musk, AP (about Barack Obama)
     • Code Spaces vs. just phishing (hijacking in SaaS vs. IaaS)
     • What can we learn from Code Spaces: reducing the blast radius
     Insider threats
     • Consumers: Elon Musk – the Twitter hack; Snapchat employee; Yahoo – former employee admin hacking 6000 accounts for sexual content
     • Industrial espionage: Tesla malicious insider stole plans
     • Angry employee: 600 Webex servers deleted
     • Even happening to security companies: Trend Micro employee sold customer data
     • Governments: MS sharing Indian citizens' banking data with US; Twitter employee spied for Saudi Arabia on government critics
     • Cloud providers are the new Fort Knox
     Insecure interfaces and APIs
     • APIs are the new B2B: automation, open banking; customer APIs are the new authentication & authorization engines
     • Access tokens are a target
     • Facebook – "View As" API exposed 50M, stealing access tokens
     • Salesforce – data leakage through misconfigured APIs
     • Instagram API glitch – scraping millions of data, posting on behalf of users
     • Remind our research paper
     • Other interfaces: metadata – used in Capital One
     Weak control plane
     • Capital One – least privilege
     • AMI & malicious images: Docker Hub malicious images; AWS Marketplace Windows 7 with bitcoin mining
     Metastructure and applistructure
     • Talk about providers' failures: Google deleted our G Suite; Google suspended an account; DigitalOcean falsely detected a crypto miner and shut the company down; Facebook and Twitter closed Trump's account / Parler
     Limited cloud visibility
     • Talk about shadow IT: hospitals, Hillary Clinton
     Abuse & nefarious use of cloud services
     • Zepto populated through cloud storage apps
     • Telegram used to deliver HeroRat
     • Google Drive and OneDrive links
     • Sometimes the abusers are governments: Grindr & TikTok – Chinese owners forced to sell; German and French governments are saying the USA is abusing cloud services
  2. Classic Data breaches:
     https://www.bleepingcomputer.com/news/security/weight-watchers-it-infrastructure-exposed-via-no-password-kubernetes-server/
     https://awsinsider.net/articles/2017/11/21/uber-aws-data-breach.aspx
     https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/
     Partners: Partners of booking.com https://www.itgovernance.co.uk/blog/millions-of-expedia-and-booking-com-customers-at-risk-after-data-breach
     Marketing data: https://www.wired.com/story/exactis-database-leak-340-million-records/amp
     Verizon 12 million – the shared responsibility model
     Instagram 50M leaked due to Chtrbox – a partner: https://techcrunch.com/2019/05/20/instagram-influencer-celebrity-accounts-scraped/