The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez



Page 1: The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez


Page 2

THE CLOUD Threats & Solutions in 2016

Copyright © 2016 Lynx Technology Partners, Inc. All Rights Reserved.

Page 3

OBLIGATORY DISCLAIMER

Any statements made in the course of this presentation should not be relied on as a commitment, directly on behalf of my employer, by this forum’s management, the National Football League, or any other major institution that your barracuda lawyer may opt to pursue in the name of earning his or her outrageous legal fees.

The opinions expressed herein are not necessarily those of my employer, not necessarily mine, and probably not necessary. My opinions are subject to change without notice. Thanks for disagreeing.

The content and opinions expressed herein are solely those of the author, and neither represent the views nor describe the current or intended practices of any other entity. The information in this presentation contains references to copyrighted material; the author makes no claims of ownership or rights to such material.

Page 4

BIOGRAPHY

Certifications
• CISSP, CPP, CRISC, ITIL, PMP, GISO, GSLC, C|CISO, PPMC, EIEIO

Organizations
• Infragard – President, Board of Directors
• FBI Sector Chief for Financial Services
• FBI Citizens Academy 2014 Graduate
• USSS Electronic Crimes Task Force
• ISSA – Vice President, Board of Directors
• ASIS-ANSI-ISO Standards Committees and Working Groups

Awards
• 2008 Top 5 “Best Security Team in the US” SC Magazine
• 2009, 2010, 2013 Top 5 “CSO of the Year” SC Magazine
• 2012 Finalist Information Security Leadership Award (ISC)2
• 2012 ISE North America Executive Leadership Award Nominee
• 2016 SVUS Management Team of the Year
• 2016 Finalist CISO of the Year (EC Council)

Internet entrepreneur & über geek who groks e-commerce, IT security, risk & privacy management, caffeinated beverages, Padrón cigars, 18-yo single malt scotch, & dark beers

Bobby Dominguez, Chief Strategy & Security Officer, Lynx Technology Partners, Inc.

https://www.linkedin.com/in/bobbydominguez

https://twitter.com/Moonraker069

bdominguez@lynxtp.com

Page 5

ABSTRACT

If you’re in business in 2016, your company most likely uses Cloud services of one kind or another. You can’t avoid the Cloud, whether personally or for your business. Security remains a serious concern for organizations using the Cloud. The shared, on-demand nature of Cloud computing introduces the possibility of security breaches. Mitigating Cloud risks starts by identifying the top security threats you may face.

In this session, Bobby Dominguez will describe some of the most relevant threats as well as risk mitigation techniques that may help your organization function in the Cloud and reduce the risks associated with this fastest-growing technology segment. The discussion will not only focus on the threats, but also on potential solutions, and will give specific examples of what you can do to manage your Cloud risks.

Page 6

The information security threat landscape is constantly evolving, and today’s borderless environment creates new threat vectors. The Cloud can leverage some traditional protection measures, but new ones should be adopted to properly mitigate risks.

THREAT HORIZON

Page 7

#1: COMPROMISED CREDENTIALS & BROKEN AUTHENTICATION

Problems
• Lax authentication, weak passwords, and poor key or certificate management
• Segregation of duties may not be available or is not enabled, because management may not integrate with AD or other tools, especially on free cloud apps
• Developers embed credentials and cryptographic keys in source code – repositories such as GitHub

Solutions
• Multifactor authentication systems, one-time passwords, phone-based authentication, and smartcards
• Frequent (or periodic) rotation of keys and passwords
• Separation of duties
• Code security analysis, best practices, and post-deployment spot checks
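Worked example (added here; not from the slides or from Lynx Technology Partners): a minimal secret scanner of the kind a code security analysis or post-deployment spot check would run over a repository, aimed at the embedded-credential problem above. It scans a constructed source file for AWS-style access key IDs, private-key blocks, hard-coded password/secret/token assignments and long high-entropy quoted strings, and allow-lists obvious placeholder values so a real review is not buried in noise. The two AWS values are Amazon's published documentation placeholders; every other value, identifier, pattern and threshold is an assumption made for this example.

```python
import math
import re

# Constructed sample source file (not from the slides). The two AWS values are
# Amazon's published documentation placeholders, used as stand-ins for a real
# key pair; the other values are invented for this example.
SAMPLE_SOURCE = '''\
import boto3

REGION = "us-east-1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "Summer2016!"
db_user = "app"
admin_password = "changeme"
nonce = "a1B2c3D4e5F6g7H8i9J0kLmN"
key_material = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----"""
'''

# Pattern rules: (rule name, compiled regex). Group 2 of the assignment rule
# captures the quoted value so placeholders can be allow-listed.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded-secret-assignment", re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*"
        r"[\"']([^\"']{6,})[\"']")),
]
# Values that are obviously not live credentials (assumed allow-list).
PLACEHOLDERS = {"changeme", "password", "example", "todo", "xxxxxx"}
# Any quoted token of 20+ non-blank characters is a candidate for the entropy test.
QUOTED_STRING = re.compile(r"[\"']([^\"'\s]{20,})[\"']")
ENTROPY_THRESHOLD = 4.0  # bits per character; random tokens land well above this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so the report does not itself leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_source(text: str) -> list:
    """Return (line_no, rule, redacted_value) findings, at most one per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = None
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(2) if m.lastindex and m.lastindex >= 2 else m.group(0)
            if name == "hardcoded-secret-assignment" and value.lower() in PLACEHOLDERS:
                continue  # placeholder, not a live credential
            hit = (line_no, name, redact(value))
            break
        if hit is None:
            # Fallback: a long quoted token that looks random is worth a look.
            for m in QUOTED_STRING.finditer(line):
                if shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
                    hit = (line_no, "high-entropy-string", redact(m.group(1)))
                    break
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for line_no, rule, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no:>3}  {rule:<28} {value}")
```

Run against the sample it reports lines 4, 5, 6, 9 and 10 and stays silent on the `changeme` placeholder. The same scan belongs in a pre-commit hook and in a periodic sweep of already-pushed history, since a secret that was committed once must be treated as exposed and rotated, not merely deleted from the current tree.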

Page 8

#2: HACKED INTERFACES AND APIS

Problems
• Attackers target the trust mechanisms used by APIs – specifically the certificates upon which encryption, authentication, and non-repudiation depend
• Assuming everyone is using the API as designed – poorly designed and tested interfaces can permit accidental or malicious compromises

Solutions
• Understand how your API can be attacked – threat modeling of applications and systems, including data flows and architecture / design specifications
• Pen testing by security experts with development experience – they need to understand web services (RESTful, JSON, etc.) and won’t just run vulnerability scan tools

Page 9

#3: ACCOUNT HIJACKING

Problems
• Phishing, fraud, and social engineering
• Software exploits
• Eavesdropping (shoulder surfing, MITM Wi-Fi)
• Manipulating transactions and modifying data

Solutions
• Does your service provider conduct background checks on employees who have physical access to the servers in their data centers?
• Require multi-factor or dynamic (one-time) password authentication, and strong API authentication
• Restrict IP addresses allowed to access cloud applications (from corporate networks or VPNs)
• Encrypt sensitive data before it goes to the cloud, or ensure you alone have the private keys
• Service accounts should be monitored for activity
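Worked example (added; not part of the deck): three of the controls above turned into a review over sign-in events, namely the multi-factor requirement, the IP allowlist of corporate and VPN ranges, and monitoring of service-account activity. Service accounts are held to a stricter rule than people: they may only authenticate non-interactively and only from the hosts that are supposed to run them. The network ranges, account names, authentication method labels and event format are all constructed for this example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed policy for a hypothetical tenant (not from the slides): corporate
# egress ranges and the VPN pool that are allowed to reach cloud apps.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("203.0.113.0/24", "198.51.100.0/25", "10.8.0.0/16")]
SERVICE_ACCOUNT_PREFIX = "svc-"          # naming convention assumed here
# Hosts each service account is expected to authenticate from (constructed).
SERVICE_ACCOUNT_SOURCES = {"svc-backup": {"10.8.12.5"}}
MFA_METHODS = {"password+otp", "smartcard", "push"}   # count as multi-factor
NON_INTERACTIVE = {"api-key", "oauth-client"}         # expected for service accounts

# Constructed sign-in events: time, user, source IP, auth method, result.
SAMPLE_EVENTS = [
    "2016-06-01T08:02:11Z alice 203.0.113.17 password+otp success",
    "2016-06-01T08:05:40Z bob 198.51.100.7 password success",
    "2016-06-01T09:14:02Z svc-backup 10.8.12.5 api-key success",
    "2016-06-01T11:47:59Z alice 192.0.2.44 password+otp success",
    "2016-06-01T13:03:10Z svc-backup 203.0.113.90 password success",
    "2016-06-01T13:03:15Z svc-backup 203.0.113.90 password failure",
]


@dataclass
class Event:
    time: str
    user: str
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    method: str
    result: str


def parse_event(line: str) -> Event:
    time, user, ip, method, result = line.split()
    return Event(time, user, ipaddress.ip_address(ip), method, result)


def in_allowed_networks(ip) -> bool:
    return any(ip in net for net in ALLOWED_NETWORKS)


def evaluate(event: Event) -> list:
    """Return the policy violations for one sign-in (empty list when clean)."""
    reasons = []
    if not in_allowed_networks(event.src_ip):
        reasons.append("source-not-allowlisted")
    if event.user.startswith(SERVICE_ACCOUNT_PREFIX):
        expected = SERVICE_ACCOUNT_SOURCES.get(event.user, set())
        if str(event.src_ip) not in expected:
            reasons.append("service-account-unexpected-source")
        if event.method not in NON_INTERACTIVE:
            reasons.append("service-account-interactive-login")
    elif event.method not in MFA_METHODS:
        reasons.append("human-login-without-mfa")
    return reasons


def review(lines) -> list:
    """Evaluate every event; return (index, user, src_ip, reasons) for flagged ones."""
    flagged = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        reasons = evaluate(ev)
        if reasons:
            flagged.append((idx, ev.user, str(ev.src_ip), reasons))
    return flagged


if __name__ == "__main__":
    for idx, user, ip, reasons in review(SAMPLE_EVENTS):
        print(f"event {idx}: {user} from {ip}: {', '.join(reasons)}")
```

On the sample, bob's password-only login, alice's login from outside the allowlist, and both interactive password logins by svc-backup from an unexpected host are flagged; the legitimate API-key run of svc-backup from its expected host passes. A failed interactive login by a service account is the more interesting of the two svc-backup events, since the account should never be used that way at all.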

Page 10

#4: PERMANENT DATA LOSS

Problems
• Ransomware
• Failure to back up or to recover – too much reliance on the Cloud provider and “snapshots”
• New EU data protection rules also treat destruction and corruption of personal data as data breaches requiring appropriate notification

Solutions
• Disaster Recovery and Business Continuity practices still apply! Test, test, test
• Maintain multiple backups across a reasonable span of time and vary backup types
• Distribute across multiple zones for added protection
• Off-cloud (off-site) storage


Page 12

#5: MALICIOUS INSIDERS

Problems
• Who: a current or former employee, a rogue administrator, a contractor, or a business partner
• What: data theft
  • to sell (fraud)
  • to use in next job (theft of IP)
• Data destruction – revenge, ransomware, etc.

Solutions
• Encryption
• Segregating duties and minimizing access given to any one user or group of users – two-man rule
• Effective logging, monitoring, and auditing of administrator activities – storage segregation and protection too

Page 13

#5: MALICIOUS INSIDERS (CONTINUED)

Administrator Segregation (diagram)

Page 14

#6: A PARASITIC THREAT (APTs)

Problems
• APTs typically move laterally through the network and blend in with normal traffic
• Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks
• Command and Control tunneled through valid services or encrypted

Solutions
• Strong phishing awareness training and testing
• DNS prevention with DMARC (SPF / DKIM)
• DNS monitoring
• Behavioral analysis of access to apps / systems
• Block encrypted traffic or proxy SSL to decrypt
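Worked example (added; not from the slides): an offline checker for the SPF and DMARC records behind the “DNS prevention with DMARC (SPF / DKIM)” bullet. It parses constructed TXT records for a hypothetical domain, reports the settings that leave spoofed mail deliverable (a DMARC policy of p=none, a permissive +all or ?all, missing aggregate-report address, partial pct coverage, too many SPF DNS lookups) and shows the same domain after tightening. DKIM cannot be judged from a policy record alone and is left out. The domain, records, severity levels and messages are all invented for this example; the checker performs no DNS queries.

```python
# Constructed TXT records for a hypothetical domain (not real DNS data; the
# checker makes no network lookups). This pair is the weak starting point.
WEAK_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
# The same domain after tightening: hard fail for unlisted senders, reject
# policy for domain and subdomains, full coverage, both report addresses.
HARDENED_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all",
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                           "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"),
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it makes receivers return permerror


def is_lookup_term(term: str) -> bool:
    """True for SPF terms that cost a DNS lookup at evaluation time."""
    name = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
    return name in LOOKUP_MECHANISMS


def check_spf(record: str) -> list:
    """Return (level, message) findings for one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "spf: record does not start with v=spf1")]
    issues, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"                      # implicit qualifier is pass
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        if t == "all":
            all_qualifier = qualifier
        if t.startswith("redirect="):
            has_redirect = True
        if is_lookup_term(t):
            lookups += 1
    if all_qualifier in ("+", "?"):
        issues.append(("high", f"spf: '{all_qualifier}all' lets any host send as the domain"))
    elif all_qualifier is None and not has_redirect:
        issues.append(("medium", "spf: no 'all' term; unlisted senders get a neutral result"))
    elif all_qualifier == "~":
        issues.append(("info", "spf: '~all' softfail; DMARC alignment must carry enforcement"))
    if lookups > MAX_LOOKUPS:
        issues.append(("high", f"spf: {lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}"))
    return issues


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return (level, message) findings for one DMARC record."""
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append(("high", "dmarc: missing or invalid v=DMARC1 tag"))
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append(("high", "dmarc: missing or invalid p= tag"))
    elif policy == "none":
        issues.append(("high", "dmarc: p=none only monitors; spoofed mail is still delivered"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(("medium", f"dmarc: pct={pct} applies the policy to only part of the mail"))
    if "rua" not in tags:
        issues.append(("medium", "dmarc: no rua= address, so aggregate reports are never received"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append(("medium", "dmarc: sp=none leaves subdomains unprotected"))
    return issues


def audit(records: dict) -> dict:
    """Run the matching checker on each record, keyed by record name."""
    return {name: (check_dmarc(rec) if name.startswith("_dmarc.") else check_spf(rec))
            for name, rec in records.items()}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        for name, issues in audit(recs).items():
            print(f"[{label}] {name}: {issues or 'no findings'}")
```

The weak pair produces one info-level note for the SPF softfail and a high finding for p=none; the hardened pair is clean. Moving from p=none to p=reject should be done only after the aggregate reports delivered to the rua= address show that every legitimate sender is aligned, which is exactly why a missing rua= is treated as a finding here.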

Page 15

#6: A PARASITIC THREAT (APTs) (CONTINUED)

Diagram: Threat Actor → Intelligence Gathering → Point of Entry → Command & Control → Lateral Movement → External Staging → Data of Interest

1. Reconnaissance: OSINT, SQL user dump, domain scanning, spear phishing, physical access
   Entry vectors: password reuse, vulnerabilities, malicious URL or file, USB / Rubber Ducky
2. Establish Beachhead: ARP hijack, MitM credentials, keylog, sniffing passwords / keys, machine access
3. Exfiltrate INT or DAMAGE: users, hashes, passwords, LSA, keys; network layout, IPs, servers
4. Lateral Access: web, OS, SQL exploits; Test / QA / Development; workstations to servers
5. Local Collection of Data: collect, compress, encrypt & hide
6. Exfiltrate Data: steal IP, PII, PHI, etc.

Page 16

#7: INADEQUATE DILIGENCE

Problems
• Failure to factor security costs early in the project
• What data are going to be stored in the Cloud? Used by whom?
• Inadequate contractual considerations
• Forgetting to update policies and standards to account for the new operating paradigm
• What about the Regulators?

Solutions
• Security as an enabler
• Discovery of data
• Partner with Legal counsel and work together to understand the nuances of contracts
• Partner with Audit teams and understand your Compliance requirements

Page 17

#8: DENIAL OF SERVICE

Problems
• DDoS attacks consume large amounts of processing power
• Collateral damage
• A distraction for the real breach

Solutions
• Detection – Minimize damage by detecting as soon as possible
• Diversity – Multiple network pipelines, content delivery networks
• Protection – Services using filters and shunted pipelines; ISP Clean Pipes; appliances that filter malformed packets
• Response – Test response and prepare with providers
• Assess – Can you do these things? Can your providers?
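Worked example (added; not from the slides): the “Detection” bullet as code, a sliding-window request-rate monitor run over a constructed access-log slice. It keeps one window per source address and one for the whole site, so it can alert both on a single flooding client and on a rise in total volume that no single source explains. The log format, addresses, window length and thresholds are assumptions made for this example; in practice the limits come from a measured baseline and the alert feeds the response plan agreed with the providers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # sliding window length (assumed)
PER_SOURCE_LIMIT = 30            # requests per source per window (assumed)
GLOBAL_LIMIT = 60                # requests from all sources per window (assumed)


def make_sample_log() -> list:
    """Constructed access-log slice: two ordinary clients plus one flooding source."""
    base = datetime(2016, 6, 1, 12, 0, 0)
    lines = []
    for s in range(20):  # two clients at one request per second for 20 seconds
        t = (base + timedelta(seconds=s)).isoformat()
        lines.append(f"{t} 203.0.113.5 GET /index.html")
        lines.append(f"{t} 203.0.113.9 GET /api/status")
    for s in range(5, 10):  # one source at ten requests per second for five seconds
        for ms in range(0, 1000, 100):
            t = (base + timedelta(seconds=s, milliseconds=ms)).isoformat()
            lines.append(f"{t} 198.51.100.23 GET /search?q=x")
    lines.sort()  # these ISO-8601 timestamps sort chronologically as strings
    return lines


def detect(lines) -> list:
    """Return (time, kind, source, count) alerts: at most one per source, one global."""
    per_source = defaultdict(deque)   # source IP -> timestamps inside the window
    recent = deque()                  # all timestamps inside the window
    alerts, alerted = [], set()
    for line in lines:
        ts_str, ip, _method, _path = line.split(" ", 3)
        ts = datetime.fromisoformat(ts_str)
        q = per_source[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:     # evict requests older than the window
            q.popleft()
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()
        if len(q) > PER_SOURCE_LIMIT and ip not in alerted:
            alerts.append((ts_str, "per-source-flood", ip, len(q)))
            alerted.add(ip)
        if len(recent) > GLOBAL_LIMIT and "*" not in alerted:
            alerts.append((ts_str, "global-volume", "*", len(recent)))
            alerted.add("*")
    return alerts


if __name__ == "__main__":
    for when, kind, source, count in detect(make_sample_log()):
        print(f"{when} {kind:<17} {source:<14} {count} requests in window")
```

On the sample the per-source alert fires at the flooding client's 31st request, and the site-wide alert fires a second later once total volume passes the global limit. Two windows matter because a distributed flood keeps every individual source under the per-source limit; only the aggregate view catches it, while the per-source view is what a filter or shunt can act on.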


Page 19

#9: SHARED TECHNOLOGY, SHARED DANGERS

Problems
• A multi-tenant environment – shared everything
• Misconfiguration, vulnerabilities, etc.

Solutions
• Defense-in-depth strategy
• Multi-factor authentication
• Host-based and network-based intrusion detection/protection systems
• Applying the concept of least privilege
• Network segmentation
• Who else is sharing your Cloud services?

Page 20

SUMMARY OF SOLUTIONS

• Dip your toe in the water
• Update policies and unify for decentralized environments
• Evaluate your currently deployed security technologies
• Be aware of what you have in the Cloud
• Diversify your Cloud providers
• Embrace a data-centric security strategy
• Know your Cloud vendors
• Treat threat & attack detection like you would in-house
• Robust crisis management plans that include testing with Cloud providers
• Strike a balance between privacy and security

Page 21

CLOSING THOUGHTS

Risks can be summarized by 3 things:
- Multi-tenancy
- Shared responsibilities
- Compliance

Does anyone really believe that “a perimeter” still exists?

Defense-in-depth remains a key security strategy

Focus on these 3 things:
- Information classification
- Encryption
- Privileged access management

Page 22

SUPPLEMENTAL – REGULATIONS FRAGMENT THE CLOUD

Regulatory and legislative changes will impose new restrictions on how personal data is collected, stored, exchanged and disposed of over the next few years. Organizations that depend on Cloud services can expect to suffer a particularly heavy impact. They will be stuck trying to remain compliant with new data protection and data localization requirements, while trying to conduct business as usual.

The location of data has become a particularly pressing issue after the overturning of the US-EU Safe Harbor Agreement in October 2015, and the newly launched EU General Data Protection Regulation has complicated the situation with a wide array of compliance requirements backed by significant fines for non-compliance.

Page 23

RESOURCES

Cloud Security Alliance
https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/

Reuters, “Your Medical Record Is Worth More to Hackers Than Your Credit Card”
https://www.reuters.com/article/us-cybersecurity-hospitalsidUSKCN0HJ21I20140924

Cloud Security Alliance, SecaaS Implementation Guidance
https://downloads.cloudsecurityalliance.org/initiatives/secaas/SecaaS_Cat_8_Encryption_Implementation_Guidance.pdf

Amazon Web Services, AWS Official Blog
http://aws.amazon.com/blogs/aws/

ISACA, Managing Cloud Risk
http://www.isaca.org/Journal/archives/2016/volume-4/Pages/managing-cloud-risk.aspx

ISACA, Data Science as a Tool for Cloud Security
http://www.isaca.org/Journal/archives/2016/volume-4/Pages/data-science-as-a-tool-for-cloud-security.aspx

FBI Ransomware Warning
http://www.bankinfosecurity.com/fbi-warning-ransomware-surging-a-8962

Page 24

FINAL CONTACT INFO

Thank you!


GLOBAL HEADQUARTERS 1501 Broadway 12th Floor New York, NY 10036

Pittsburgh, PA 309 Smithfield Street 3rd Floor Pittsburgh, PA 15222

Phoenix, AZ 2200 E. Williams Field Road Suite 200 Gilbert, AZ 85295

lynxgrc.com

Fiercely protecting our clients
IT Risk & Cyber Security Experts