The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
1
THE CLOUD Threats & Solutions in 2016
Copyright © 2016 Lynx Technology Partners, Inc. All Rights Reserved.
3
OBLIGATORY DISCLAIMER
Any statements made in the course of this presentation should not be relied on as a commitment, directly on behalf of my employer, by this forum’s management, the National Football League, or any other major institution that your barracuda lawyer may opt to pursue in the name of earning his or her outrageous legal fees.
The opinions expressed herein are not necessarily those of my employer, not necessarily mine, and probably not necessary. My opinions are subject to change without notice. Thanks for disagreeing.
The content and opinions expressed herein are solely those of the author, and neither represent the views nor describe the current or intended practices of any other entity. The information in this presentation contains references to copyrighted material; the author makes no claims of ownership or rights to such material.
4
BIOGRAPHY
Certifications
• CISSP, CPP, CRISC, ITIL, PMP, GISO, GSLC, C|CISO, PPMC, EIEIO
Organizations
• Infragard – President, Board of Directors
• FBI Sector Chief for Financial Services
• FBI Citizens Academy 2014 Graduate
• USSS Electronic Crimes Task Force
• ISSA – Vice President, Board of Directors
• ASIS-ANSI-ISO Standards Committees and Working Groups
Awards
• 2008 Top 5 “Best Security Team in the US” SC Magazine
• 2009, 2010, 2013 Top 5 “CSO of the Year” SC Magazine
• 2012 Finalist Information Security Leadership Award (ISC)2
• 2012 ISE North America Executive Leadership Award Nominee
• 2016 SVUS Management Team of the Year
• 2016 Finalist CISO of the Year (EC Council)
Internet entrepreneur & über geek who groks e-commerce, IT security, risk & privacy management, caffeinated beverages, Padrón cigars, 18-yo single malt scotch, & dark beers
Bobby Dominguez Chief Strategy & Security Officer Lynx Technology Partners, Inc.
https://www.linkedin.com/in/bobbydominguez
https://twitter.com/Moonraker069
bdominguez@lynxtp.com
5
ABSTRACT
If you’re in business in 2016, your company most likely uses Cloud services of one kind or another. You can’t avoid the Cloud, whether personally or for your business. Security remains a serious concern for organizations using the Cloud. The shared, on-demand nature of Cloud computing introduces the possibility of security breaches. Mitigating Cloud risks starts by identifying the top security threats you may face.
In this session, Bobby Dominguez will describe some of the most relevant threats as well as risk mitigation techniques that may help your organization function in the Cloud and reduce the risks associated with this fastest-growing technology segment. The discussion will not only focus on the threats but also on potential solutions, and will give specific examples of what you can do to manage your Cloud risks.
6
The information security threat landscape is constantly evolving, and today’s borderless environment creates new threat vectors. The Cloud can leverage some traditional protection measures, but new ones should be adopted to properly mitigate risks.
THREAT HORIZON
7
#1: COMPROMISED CREDENTIALS & BROKEN AUTHENTICATION
Problems
Lax authentication, weak passwords, and poor key or certificate management
Segregation of duties may not be available or is not enabled because management may not integrate with AD or other tools, especially on free cloud apps
Developers embed credentials and cryptographic keys in source code – repositories such as GitHub
Solutions
Multifactor authentication systems, one-time passwords, phone-based authentication, and smartcards
Frequent (or periodic) rotation of keys and passwords
Separation of duties
Code security analysis, best practices, and post-deployment spot checks
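The "code security analysis" the slide calls for is usually a scanner that walks a repository looking for the embedded credentials and keys the Problems column describes. The following is an added example of such a scanner, written for this transcript and not taken from the deck or from any product: the three detector patterns, the entropy threshold of 3.0 bits per character, and the sample files (with a made-up key id and password) are all constructed assumptions.

```python
"""Added example: a small secrets scanner for source trees (not the deck's code)."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str      # never the secret itself; just enough to locate the line
    entropy: float    # Shannon entropy of the matched value, bits per character


# Illustrative detectors (assumptions, not a complete rule set):
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_ASSIGN = re.compile(
    r"""(?i)(\w*(?:password|passwd|secret|api[_-]?key|token)\w*)\s*[:=]\s*['"]([^'"]{8,})['"]"""
)


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score high, words like 'changeme' score low."""
    if not value:
        return 0.0
    n = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY.search(line):
            findings.append(Finding(path, line_no, "private_key", "PEM private key header", 0.0))
            continue
        for m in AWS_KEY_ID.finditer(line):
            key = m.group(0)
            findings.append(Finding(path, line_no, "aws_access_key_id", key[:4] + "...", shannon_entropy(key)))
        m = SECRET_ASSIGN.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            findings.append(Finding(path, line_no, "hardcoded_secret", f"{name}=<redacted>", shannon_entropy(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def high_confidence(findings: list[Finding], min_entropy: float = 3.0) -> list[Finding]:
    """Drop low-entropy assignments (placeholders such as 'changeme') to cut noise."""
    return [f for f in findings if f.kind != "hardcoded_secret" or f.entropy >= min_entropy]


# Constructed sample tree; the key id and password are made-up test values.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'Tr0ub4dor&3xyz!'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE0000TEST1'\n"
        "SECRET_KEY = 'changeme'\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(key material omitted)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/main.py": "password = os.environ['DB_PASSWORD']  # correct: read from the environment\n",
}

if __name__ == "__main__":
    for f in high_confidence(scan_files(SAMPLE_FILES)):
        print(f"{f.path}:{f.line_no} {f.kind} {f.excerpt} entropy={f.entropy:.2f}")
```

Run as a pre-commit hook or a CI step, a scanner like this catches the check-in before it reaches a shared repository; the entropy filter is what keeps the "post-deployment spot checks" from drowning in placeholder values, at the cost of missing weak defaults such as `changeme`, which a separate default-credential rule should cover.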
8
#2: HACKED INTERFACES AND APIS
Problems
Attackers target the trust mechanisms used by APIs – specifically the certificates upon which encryption, authentication, and non-repudiation depend
Assuming everyone is using the API as designed – poorly designed and tested interfaces can permit accidental or malicious compromises
Solutions
Understand how your API can be attacked – threat modeling applications and systems, including data flows and architecture / design specifications
Pen testing by security experts with development experience – they need to understand web services (RESTful, JSON, etc.) and won’t just run vulnerability scan tools
9
#3: ACCOUNT HIJACKING
Problems
Phishing, fraud, and social engineering
Software exploits
Eavesdropping (shoulder surfing, MITM Wifi)
Manipulating transactions and modifying data
Solutions
Does your service provider conduct background checks on employees who have physical access to the servers in their data centers?
Require multi-factor or dynamic (one-time) password authentication, and strong API authentication
Restrict IP addresses allowed to access cloud applications (from corporate networks or VPNs).
Encrypt sensitive data before it goes to the cloud or ensure you alone have the private keys
Service accounts should be monitored for activity
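Two of the solutions above, restricting source IP addresses and watching service-account activity, can be checked against a cloud application's sign-in log with a few lines of code. This is an added example written for this transcript, not the deck's or any provider's code: the corporate address ranges, the service-account names, the `key=value` log format and the six sample events are all constructed assumptions.

```python
"""Added example: sign-in events vs. an IP allowlist, plus service-account monitoring."""
from __future__ import annotations

import ipaddress

# Constructed corporate ranges (RFC 5737 documentation space plus a VPN pool); assumptions.
CORPORATE_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25", "10.8.0.0/16")
]
# Accounts that should only ever authenticate non-interactively (assumed names).
SERVICE_ACCOUNTS = {"svc-backup", "svc-etl"}


def parse_event(line: str) -> dict[str, str]:
    """Parse 'timestamp key=value key=value ...' into a dict (constructed log format)."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def is_allowed_source(ip: str, allow_nets=CORPORATE_NETWORKS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow_nets)


def review_logins(lines, allow_nets=CORPORATE_NETWORKS, service_accounts=SERVICE_ACCOUNTS):
    """Return (user, reason) alerts for successful logins that break policy."""
    alerts = []
    for event in map(parse_event, lines):
        if event.get("action") != "login" or event.get("result") != "success":
            continue
        user = event["user"]
        # Policy 1: successful logins must come from corporate networks or the VPN.
        if not is_allowed_source(event["src"], allow_nets):
            alerts.append((user, "login_outside_allowlist"))
        # Policy 2: a service account seen in an interactive session is a hijack signal.
        if user in service_accounts and event.get("type") == "interactive":
            alerts.append((user, "service_account_interactive_login"))
    return alerts


# Constructed sample events.
SAMPLE_LOG = [
    "2016-05-01T02:14:07Z user=alice src=203.0.113.45 action=login result=success type=interactive",
    "2016-05-01T02:15:41Z user=bob src=192.0.2.77 action=login result=success type=interactive",
    "2016-05-01T02:16:02Z user=svc-backup src=10.8.4.2 action=login result=success type=api",
    "2016-05-01T02:17:30Z user=svc-etl src=10.8.4.9 action=login result=success type=interactive",
    "2016-05-01T02:18:12Z user=svc-backup src=198.51.100.200 action=login result=success type=api",
    "2016-05-01T02:19:55Z user=carol src=192.0.2.10 action=login result=failure type=interactive",
]

if __name__ == "__main__":
    for user, reason in review_logins(SAMPLE_LOG):
        print(user, reason)
```

The allowlist check is the detective twin of the preventive control (the provider-side IP restriction): when the restriction is configured correctly, this review should never fire, so any hit means either the restriction was bypassed or someone changed it.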
10
#4: PERMANENT DATA LOSS
Problems
Ransomware
Failure to backup or to recover – too much reliance on Cloud provider and “snapshots”
New EU data protection rules also treat data destruction and corruption of personal data as data breaches requiring appropriate notification
Solutions
Disaster Recovery and Business Continuity practices still apply! Test, Test, Test
Maintain multiple backups across a reasonable span of time and vary backup types
Distribute across multiple zones for added protection
Off cloud (off site) storage
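The four Solutions lines above translate directly into checks that can be run against a backup inventory. The following is an added example written for this transcript, not the deck's code: the `Backup` record shape, the `cloud:<zone>` / `offsite:<site>` naming, the thresholds (30-day span, two zones, a restore tested within 90 days) and both sample inventories are constructed assumptions.

```python
"""Added example: auditing a backup inventory against the recovery advice on this slide."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str             # "snapshot", "full" or "incremental"
    location: str         # "cloud:<zone>" or "offsite:<site>" (constructed naming)
    restore_tested: bool  # has a restore from this copy actually been exercised?


def check_backup_posture(backups, today, min_span_days=30, min_zones=2, test_within_days=90):
    """Return a list of gaps; an empty list means the inventory meets every check."""
    gaps = []
    if not backups:
        return ["no backups at all"]
    newest, oldest = max(b.taken for b in backups), min(b.taken for b in backups)
    # "across a reasonable span of time": ransomware can sit dormant before it detonates
    span = (newest - oldest).days
    if span < min_span_days:
        gaps.append(f"history spans {span} days (< {min_span_days})")
    if (today - newest).days > 1:
        gaps.append(f"newest copy is {(today - newest).days} days old")
    # "vary backup types": snapshots alone share the fate of the volume they snapshot
    kinds = {b.kind for b in backups}
    if len(kinds) < 2:
        gaps.append(f"single backup type: {', '.join(sorted(kinds))}")
    # "multiple zones"
    zones = {b.location for b in backups if b.location.startswith("cloud:")}
    if len(zones) < min_zones:
        gaps.append(f"cloud copies in {len(zones)} zone(s) (< {min_zones})")
    # "off cloud (off site) storage"
    if not any(b.location.startswith("offsite:") for b in backups):
        gaps.append("no off-cloud (off-site) copy")
    # "Test, Test, Test"
    if not any(b.restore_tested and (today - b.taken).days <= test_within_days for b in backups):
        gaps.append(f"no restore tested in the last {test_within_days} days")
    return gaps


TODAY = date(2016, 6, 1)

# Constructed: what "too much reliance on the provider's snapshots" looks like.
SNAPSHOTS_ONLY = [
    Backup(TODAY - timedelta(days=d), "snapshot", "cloud:us-east-1a", False) for d in range(3)
]

# Constructed: varied types, two zones, an off-site copy and a tested restore.
LAYERED = (
    [Backup(TODAY - timedelta(days=35), "full", "cloud:us-east-1a", True)]
    + [Backup(TODAY - timedelta(days=d), "incremental", "cloud:us-east-1a", False) for d in range(0, 35)]
    + [Backup(TODAY - timedelta(days=d), "full", "cloud:eu-west-1b", d == 7) for d in (0, 7, 14, 21, 28)]
    + [Backup(TODAY - timedelta(days=28), "full", "offsite:tape-vault", False)]
)

if __name__ == "__main__":
    for name, inventory in (("snapshots only", SNAPSHOTS_ONLY), ("layered", LAYERED)):
        print(name, check_backup_posture(inventory, TODAY) or "OK")
```

The `restore_tested` flag is the one field a provider console will not give you; it has to come from your own DR exercises, which is the point of the slide's "Test, Test, Test".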
12
#5: MALICIOUS INSIDERS
Problems
Who: A current or former employee, a rogue administrator, a contractor, or a business partner
What: Data theft
• to sell (fraud)
• to use in next job (theft of IP)
Data destruction – revenge, ransomware, etc.
Solutions
Encryption
Segregating duties and minimizing access given to any one user or group of users – two-man rule
Effective logging, monitoring, and auditing of administrator activities – storage segregation and protection too
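The two-man rule and the administrator audit trail from the Solutions list can be enforced in one small gate that sits in front of privileged operations. This is an added example written for this transcript, not the deck's code or any product's API: the approver group, the two-approval quorum, the one-hour approval lifetime and the scenario in `run_scenario` are constructed assumptions.

```python
"""Added example: a two-man rule for privileged actions, with an audit trail."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PrivilegedRequest:
    request_id: str
    requester: str
    action: str
    approvals: dict[str, datetime] = field(default_factory=dict)  # approver -> time approved


class TwoPersonRule:
    """A request may execute only with `required` live approvals from distinct, eligible approvers."""

    def __init__(self, approver_group: set[str], required: int = 2, ttl: timedelta = timedelta(hours=1)):
        self.approver_group = approver_group
        self.required = required
        self.ttl = ttl
        # Every decision is recorded: (when, request id, who, outcome).
        self.audit: list[tuple[datetime, str, str, str]] = []

    def approve(self, req: PrivilegedRequest, approver: str, now: datetime) -> str:
        if approver == req.requester:
            outcome = "rejected: requester cannot approve own request"   # segregation of duties
        elif approver not in self.approver_group:
            outcome = "rejected: not an authorized approver"
        elif approver in req.approvals:
            outcome = "rejected: duplicate approval"                      # two people, not two clicks
        else:
            req.approvals[approver] = now
            outcome = "approved"
        self.audit.append((now, req.request_id, approver, outcome))
        return outcome

    def valid_approvals(self, req: PrivilegedRequest, now: datetime) -> list[str]:
        """Approvals expire so a stale sign-off cannot be reused for a later action."""
        return [who for who, when in req.approvals.items() if now - when <= self.ttl]

    def authorized(self, req: PrivilegedRequest, now: datetime) -> bool:
        ok = len(self.valid_approvals(req, now)) >= self.required
        self.audit.append((now, req.request_id, req.requester, "executed" if ok else "blocked"))
        return ok


def run_scenario():
    """Constructed walk-through: an admin asks to export the production database."""
    rule = TwoPersonRule({"admin-a", "admin-b", "admin-c"})
    t0 = datetime(2016, 6, 1, 9, 0)
    req = PrivilegedRequest("REQ-1", "admin-a", "export production database")
    results = [
        rule.approve(req, "admin-a", t0),                          # self-approval attempt
        rule.approve(req, "contractor-x", t0),                     # outside the approver group
        rule.approve(req, "admin-b", t0),                          # first valid approval
        rule.authorized(req, t0 + timedelta(minutes=1)),           # one approval is not enough
        rule.approve(req, "admin-c", t0 + timedelta(minutes=2)),   # second valid approval
        rule.authorized(req, t0 + timedelta(minutes=3)),           # quorum reached
        rule.authorized(req, t0 + timedelta(hours=2)),             # approvals have expired
    ]
    return results, rule.audit


if __name__ == "__main__":
    results, audit = run_scenario()
    for entry in audit:
        print(*entry)
```

The audit list is what turns the control into the "effective logging, monitoring, and auditing" of the same slide: every refused and granted approval, and every execution attempt, is attributable to a named person and a time, and should be shipped to storage the administrators themselves cannot edit.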
13
#5: MALICIOUS INSIDERS (CONTINUED)
[Diagram: Administrator Segregation]
14
#6: A PARASITIC THREAT (APTs)
Problems
APTs typically move laterally through the network and blend in with normal traffic
Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks
Command and Control tunneled through valid services or encrypted
Solutions
Strong phishing awareness training and testing
DNS prevention with DMARC (SPF / DKIM)
DNS monitoring
Behavioral analysis of access to apps / systems
Block encrypted traffic or proxy SSL to decrypt
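"DNS prevention with DMARC (SPF / DKIM)" only blunts spear phishing if the published records are actually strict; a `p=none` DMARC policy or a `+all` SPF record announces the controls without enforcing them. The following is an added example written for this transcript, not the deck's code or any DNS tool: it grades SPF and DMARC TXT record strings that you would fetch from DNS yourself, and the four sample records are constructed. The 10-lookup limit it checks is the real one from RFC 7208.

```python
"""Added example: grading SPF and DMARC TXT records for the anti-phishing controls above."""
from __future__ import annotations

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict[str, str]:
    """'v=DMARC1; p=reject; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or 'missing'}: receivers take no action on spoofed mail")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua tag: no aggregate reports, so abuse goes unseen")
    return issues


def _term_name(term: str) -> str:
    """Strip the qualifier and any argument: '+include:x' -> 'include', 'a/24' -> 'a'."""
    return term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()


def assess_spf(record: str) -> list[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    all_terms = [t for t in terms[1:] if _term_name(t) == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders evaluate to neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("'+all' lets any sender pass SPF")
        elif qualifier == "?":
            issues.append("'?all' is neutral: no effect on spoofed mail")
    lookups = sum(1 for t in terms[1:] if _term_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return issues


# Constructed sample records for an imaginary example.net.
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_SPF = "v=spf1 a mx include:_spf.example.net +all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net; pct=100"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    for label, rec, fn in (("SPF", WEAK_SPF, assess_spf), ("DMARC", WEAK_DMARC, assess_dmarc)):
        print(label, rec, "->", fn(rec) or "OK")
```

Feed it your own domains' records (and those of the partners the "compromised third-party networks" line refers to) and you get the list of domains an attacker could still spoof into your users' inboxes regardless of how good the awareness training is.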
15
#6: A PARASITIC THREAT (APTs) (CONTINUED)
[Attack lifecycle diagram: Threat Actor → Intelligence Gathering → Point of Entry → Command & Control → Lateral Movement → External Staging → Data of Interest]
Point of entry: Password Reuse; Vulnerabilities; Malicious URL or File; USB / Rubber Ducky
1. Reconnaissance – OSINT; SQL User Dump; Domain Scanning; Spear Phishing; Physical Access
2. Establish Beachhead – ARP Hijack; MitM Credentials; Keylog; Sniffing Passwords / Keys; Machine Access
3. Exfiltrate INT or DAMAGE – Users, Hashes, passwords, LSA, keys; Network layout, IPs, Servers
4. Lateral Access – Web, OS, SQL exploits; Test / QA / Development; Workstations to Servers
5. Local Collection of Data – Collect, compress, encrypt & hide
6. Exfiltrate Data – Steal IP, PII, PHI, etc.
16
#7: INADEQUATE DILIGENCE
Problems
Failure to factor security costs early in the project
What data are going to be stored in the Cloud? Used by whom?
Inadequate contractual considerations
Forgetting to update policies and standards to account for the new operating paradigm
What about the Regulators?
Solutions
Security as an enabler
Discovery of data
Partner with Legal counsel and work together to understand the nuances of contracts
Partner with Audit teams and understand your Compliance requirements
17
#8: DENIAL OF SERVICE
Problems
DDoS attacks consume large amounts of processing power
Collateral damage
A distraction for the real breach
Solutions
Detection – Minimize damage by detecting as soon as possible
Diversity – Multiple network pipelines, content delivery networks
Protection – Services using filters and shunted pipelines; ISP Clean Pipes; Appliances that filter malformed packets
Response – Test response and prepare with providers
Assess – Can you do these things? Can your providers?
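"Detection – as soon as possible" needs more than a request counter: the response differs depending on whether the surge comes from one source (a local filter or rate limit handles it) or from thousands of low-rate sources (only the upstream "clean pipe" or CDN diversity will). The following is an added example written for this transcript, not the deck's code or any appliance's logic: it windows a request stream and labels each surge as concentrated or distributed. The window size, baseline of 10 requests per second, 5× surge factor, 50% concentration threshold and the generated traffic are constructed assumptions.

```python
"""Added example: telling a single-source flood from a distributed one in a request stream."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodAlert:
    window_start: int   # timestamp (seconds) of the window's first second
    kind: str           # "concentrated" (few sources) or "distributed" (many sources)
    rps: float          # requests per second over the window
    top_share: float    # fraction of the window's requests from its single busiest source


def detect_floods(events, window_s=10, baseline_rps=10.0, surge_factor=5.0, concentrated_share=0.5):
    """events: iterable of (timestamp_seconds, source_ip). Windows above baseline*surge raise an alert."""
    windows: dict[int, Counter] = defaultdict(Counter)
    for ts, src in events:
        windows[ts - ts % window_s][src] += 1
    alerts = []
    for start in sorted(windows):
        counts = windows[start]
        total = sum(counts.values())
        rps = total / window_s
        if rps <= baseline_rps * surge_factor:
            continue                                    # within normal variation
        top_share = max(counts.values()) / total
        kind = "concentrated" if top_share >= concentrated_share else "distributed"
        alerts.append(FloodAlert(start, kind, rps, round(top_share, 3)))
    return alerts


def build_sample_events():
    """Constructed traffic: 30 s of normal load, then a single-IP flood, then a botnet flood."""
    events = []
    for t in range(0, 30):                              # 5 rps background from five office IPs
        for i in range(1, 6):
            events.append((t, f"192.0.2.{i}"))
    for t in range(10, 20):                             # seconds 10-19: one source sends 80 rps
        events.extend((t, "203.0.113.66") for _ in range(80))
    for bot in range(400):                              # seconds 20-29: 400 sources, 3 requests each
        events.extend((20 + bot % 10, f"10.{bot // 256}.{bot % 256}.7") for _ in range(3))
    return events


if __name__ == "__main__":
    for alert in detect_floods(build_sample_events()):
        print(alert)
```

The second alert is the instructive one: 400 sources at three requests each never trip a per-IP rate limit, so a "protection" layer built only on local filters would pass the whole flood through, which is why the slide pairs Protection with Diversity and Response rehearsed with providers.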
19
#9: SHARED TECHNOLOGY, SHARED DANGERS
Problems
A multi-tenant environment – shared everything
Misconfiguration, vulnerabilities, etc.
Solutions
Defense-in-depth strategy
Multi-factor authentication
Host-based and network-based intrusion detection/protection systems
Applying the concept of least privilege
Network segmentation
Who else is sharing your Cloud services?
20
SUMMARY OF SOLUTIONS
Dip your toe in the water
Update policies and unify them for decentralized environments
Evaluate your currently deployed security technologies
Be aware of what you have in the Cloud
Diversify your Cloud providers
Embrace a data-centric security strategy
Know your Cloud vendors
Treat threat & attack detection like you would in-house
Robust crisis management plans that include testing with your Cloud provider
Strike a balance between privacy and security
21
CLOSING THOUGHTS
Risks can be summarized by 3 things:
- Multi-tenancy
- Shared responsibilities
- Compliance
Does anyone really believe that ”a perimeter” still exists?
Defense-in-depth remains a key security strategy
Focus on these 3 things:
- Information classification
- Encryption
- Privileged access management
22
SUPPLEMENTAL – REGULATIONS FRAGMENT THE CLOUD
Regulatory and legislative changes will impose new restrictions on how personal data is collected, stored, exchanged and disposed of over the next few years.
Organizations that depend on Cloud services can expect to suffer a particularly heavy impact. They will be stuck trying to remain compliant with new data protection and data localization requirements, while trying to conduct business as usual.
The location of data has become a particularly pressing issue after the overturning of the US-EU Safe Harbor Agreement in October 2015, and the newly launched EU General Data Protection Regulation has complicated the situation with a wide array of compliance requirements backed by significant fines for non-compliance.
23
RESOURCES
Cloud Security Alliance – https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
Reuters, “Your Medical Record Is Worth More to Hackers Than Your Credit Card” – https://www.reuters.com/article/us-cybersecurity-hospitalsidUSKCN0HJ21I20140924
Cloud Security Alliance, SecaaS Implementation Guidance – https://downloads.cloudsecurityalliance.org/initiatives/secaas/SecaaS_Cat_8_Encryption_Implementation_Guidance.pdf
Amazon Web Services, AWS Official Blog – http://aws.amazon.com/blogs/aws/
Managing Cloud Risk – http://www.isaca.org/Journal/archives/2016/volume-4/Pages/managing-cloud-risk.aspx
ISACA, Data Science as a Tool for Cloud Security – http://www.isaca.org/Journal/archives/2016/volume-4/Pages/data-science-as-a-tool-for-cloud-security.aspx
FBI Ransomware Warning – http://www.bankinfosecurity.com/fbi-warning-ransomware-surging-a-8962
24
FINAL CONTACT INFO
Thank you!
GLOBAL HEADQUARTERS 1501 Broadway 12th Floor New York, NY 10036
Pittsburgh, PA 309 Smithfield Street 3rd Floor Pittsburgh, PA 15222
Phoenix, AZ 2200 E. Williams Field Road Suite 200 Gilbert, AZ 85295
lynxgrc.com
Fiercely protecting our clients
IT Risk & Cyber Security Experts