Attacking the cloud with social engineering
An Ethical Hacker's View
Peter Wood, Chief Executive Officer
First Base Technologies
Slide 2 © First Base Technologies 2013
Who is Peter Wood?
• Worked in computers & electronics since 1969
• Founded First Base in 1989 (one of the first ethical hacking firms)
• CEO, First Base Technologies LLP
• Social engineer & penetration tester
• Conference speaker and security ‘expert’
• Member of ISACA Security Advisory Group
• Vice Chair of BCS Information Risk Management and Audit Group
• UK Chair, Corporate Executive Programme
• FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
• Registered BCS Security Consultant
• Member of ACM, ISACA, ISSA, Mensa
Slide 3
Cloud models
Slide 4
Cloud computing definition
Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
Slide 5
The ‘SPI’ Model
• Software (SaaS) – cloud provider owns application, operating system and infrastructure
• Platform (PaaS) – cloud provider owns operating system and infrastructure, client owns application
• Infrastructure (IaaS) – cloud provider owns infrastructure, client owns application and operating system
Slide 6
SPI in context
• Software as a Service – Just run it for me!
  – Examples: Google Apps, Salesforce.com
• Platform as a Service – Give me a nice API and you take care of the rest
  – Examples: Google App Engine, Microsoft Azure
• Infrastructure as a Service – Why buy machines when you can rent cycles?
  – Examples: Amazon EC2, Rackspace Cloud
Slide 7
Cloud Benefits
Slide 8
What's different in cloud
[Diagram: Security Ownership across the service models. Infrastructure as a Service (IaaS): security is largely YOU. Software as a Service (SaaS): security is largely THEM. Platform as a Service (PaaS) sits between the two.]
Slide 9
What does it mean for attackers?
• Login from anywhere
• Browser access
• Simple credentials
• No intruder detection
• No physical security
• Trick a user and it’s game over!
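The list above is written from the attacker's side: a cloud login works from any browser, anywhere, and the slide counts "no intruder detection" among the attacker's advantages. Where the provider does expose a login audit log, the customer can at least run its own detection over it. The following is an added example, not part of the original presentation. It assumes a simplified line format of "timestamp user source-IP country result" (real providers export richer records) and runs two rules over constructed log lines: a successful login from a second country shortly after the first ("impossible travel"), and a burst of failures followed by a success from the same address.

```python
"""Spot a stolen or guessed cloud credential being used, from the login audit log.

Added example (not part of the original presentation). The log format is an
assumed, simplified one: "<ISO timestamp> <user> <source IP> <country> <result>".
"""
from datetime import datetime, timedelta

# Constructed sample audit log (documentation IP ranges, invented users).
SAMPLE_LOG = """\
2013-05-01T07:58:00Z bob 192.0.2.44 GB failure
2013-05-01T07:58:20Z bob 192.0.2.44 GB failure
2013-05-01T07:58:41Z bob 192.0.2.44 GB failure
2013-05-01T07:59:03Z bob 192.0.2.44 GB failure
2013-05-01T07:59:30Z bob 192.0.2.44 GB failure
2013-05-01T08:00:05Z bob 192.0.2.44 GB success
2013-05-01T08:02:11Z alice 198.51.100.7 GB success
2013-05-01T08:40:53Z alice 198.51.100.7 GB success
2013-05-01T09:15:02Z alice 203.0.113.9 US success
2013-05-01T12:00:00Z carol 198.51.100.20 GB success
"""


def parse_log(text):
    """Parse the assumed line format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_logins(events, travel_window=timedelta(hours=2),
                             fail_threshold=5, fail_window=timedelta(minutes=5)):
    """Return (user, reason) alerts for two patterns typical of a phished or
    guessed password being used against a cloud account:

    1. "Impossible travel": a successful login from a different country than
       the user's previous success, within travel_window.
    2. Guessing then success: at least fail_threshold failures from one IP
       within fail_window, followed by a success from that same IP.
    """
    alerts = []
    last_success = {}   # user -> most recent successful event
    failures = {}       # (user, ip) -> timestamps of recent failures

    for e in events:
        key = (e["user"], e["ip"])
        # Keep only failures that are still inside the window.
        recent = [t for t in failures.get(key, []) if e["ts"] - t <= fail_window]

        if e["result"] != "success":
            recent.append(e["ts"])
            failures[key] = recent
            continue

        if len(recent) >= fail_threshold:
            alerts.append((e["user"],
                           f"{len(recent)} failed logins then success from {e['ip']}"))
        failures[key] = []

        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            gap = e["ts"] - prev["ts"]
            alerts.append((e["user"],
                           f"login from {e['country']} only {gap} after one from {prev['country']}"))
        last_success[e["user"]] = e

    return alerts


if __name__ == "__main__":
    for user, reason in detect_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

On the sample data this raises two alerts: bob's password was guessed (five failures, then a success from the same address) and alice's account was used from the US half an hour after a British login. Thresholds are deliberately parameters; a real deployment tunes them per user population and adds geolocation rather than trusting a country field in the log.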
Slide 10
Why social engineering?
• Staff can be tricked at home, in a coffee shop, at an airport …
• No corporate desktop controls
• Easy to impersonate your IT staff or help desk
• Using email, phone, chat …
Slide 11
Just a little brainstorm
Slide 12
Why should you care?
Exposure of
• Customer data (industrial espionage, reputation)
• Credit card data (PCI DSS, reputation, direct costs)
• Personal information (data protection, reputation)
• Sensitive information (contractual penalties, reputation)
• Business plans (industrial espionage, reputation)
• Staff data (data protection, spam, social engineering, reputation)
• and identity theft: personal and business
Slide 13
Even cloud email has value …
Slide 14
Why APT works
THIS WORKS FOR CLOUD TOO!
Slide 15
Attack Techniques
Slide 16
Classic phishing email
Slide 17
Spear phishing email
Slide 18
Spear phishing
• Emails that look as if they are from your employer or
from a colleague
• The email sender information has been faked
• Malicious attachment or link to drive-by web site
• The payload can steal credentials or install a Trojan
• Or even simple form filling to capture user details
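"The email sender information has been faked" is checkable: the display name, the envelope sender (Return-Path), the Reply-To address and the receiving gateway's Authentication-Results header all have to agree for a message that genuinely came from your own help desk, and a link in the body should land on your own domain rather than a host that merely begins with it. The following is an added example, not from the original presentation, using only the Python standard library. Both messages are constructed; example.com stands for the target firm, and attacker-example.net, bulk-sender-example.org and webmail-example.org for attacker infrastructure.

```python
"""Heuristic checks for faked sender information in a spear-phishing email.

Added example, not from the original presentation. Standard library only.
Both messages are constructed; example.com is the target organisation.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

PHISH_MAIL = """\
Return-Path: <bounce-4431@bulk-sender-example.org>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender-example.org; dkim=none
From: "helpdesk@example.com" <reset@attacker-example.net>
Reply-To: it-support@webmail-example.org
To: alice@example.com
Subject: Action required: your cloud mailbox password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Reset it now at
http://example.com.password-reset.attacker-example.net/login
or you will lose access to your mailbox.
"""

BENIGN_MAIL = """\
Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: IT Help Desk <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance this weekend
Content-Type: text/plain; charset="utf-8"

Mail will be unavailable 02:00-04:00 Saturday. Details: http://example.com/it/maintenance
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if there is none."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw, org_domain="example.com"):
    """Return a list of findings; an empty list means nothing looked spoofed.

    org_domain is the domain the organisation's real mail and links use
    (assumed here to be example.com).
    """
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(msg.get("From", ""))

    # 1. Display name shows an address at a different domain than the real sender.
    m = re.search(r"@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_dom:
        findings.append(f"display name shows @{m.group(1)} but real sender is @{from_dom}")

    # 2. Envelope sender (Return-Path) not aligned with the From domain
    #    (a subdomain of the From domain is accepted, as DMARC relaxed alignment does).
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")

    # 3. Replies would go to yet another domain.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Our own gateway recorded neither an SPF nor a DKIM pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("Authentication-Results shows no SPF or DKIM pass")

    # 5. A link whose host only *starts* with the organisation's domain.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r'https?://[^\s<>"]+', body):
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        if host != org_domain and not host.endswith("." + org_domain):
            findings.append(f"link points to {host}, not {org_domain}")

    return findings


if __name__ == "__main__":
    for name, mail in (("phish", PHISH_MAIL), ("benign", BENIGN_MAIL)):
        print(name, check_sender(mail) or ["no findings"])
```

The phishing sample trips all five checks; the benign one trips none. These are heuristics a mail gateway or a triage script can apply, not a substitute for enforcing SPF, DKIM and DMARC on your own domain, which is what makes check 4 meaningful in the first place.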
Slide 19
Telephone social engineering
• Not every hacker is sitting alone with a computer, hacking into a corporate VPN
• Sometimes all they have to do is phone!
Slide 20
The remote worker
1. Call the target firm’s switchboard and ask for IT staff names and phone numbers
2. Overcome their security question: Are you a recruiter?
3. Call each number until voicemail tells you they are out
4. Call the help desk claiming to be working from home
5. Say you have forgotten your password and need it reset now, as you are going to pick up your kids from school
6. Receive the username and password as a text to your mobile
7. Game over!
Slide 21
Phones are very flexible
Previous calls gave access to:
• CEO’s email and calendar
• IT manager’s desktop
• Remote access to a network
• … and cloud services!
Slide 22
Telephone SE
• Impersonation of IT staff to obtain user’s credentials
• Impersonation of user to obtain new password
• Impersonation of provider to obtain user’s credentials
• Impersonation of client admin to provider
• Impersonation of provider to client admin
• … and so on … Game Over
Slide 23
People love USB sticks!
I found it in the car park …
… just wanted to see what was on it …
Slide 24
USB sticks
• Autorun infection of user’s computer
• Manual click to infect user’s computer
• Contains link to drive-by web site
• The payload can steal credentials or install a Trojan
• Or even simple form filling to capture details
• … and so on … Game Over
Slide 25
Defence
Slide 26
Human firewall
• Train your staff to recognise social engineering attacks
• Invest in continual awareness campaigns
Slide 27
Technical controls
• Implement two-factor authentication (if you can)
• Use ‘least privilege’ principles for access to services
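Two-factor authentication is the control that breaks every scenario in this deck: the help desk texting a password, the phished form, the keylogging Trojan all yield a password, and a password alone no longer logs in. The following is an added example, not from the original presentation, of the time-based one-time password (TOTP, RFC 6238) most cloud services and authenticator apps use, with a constructed user record and login flow around it. The HOTP/TOTP functions are checked against the published RFC 4226 and RFC 6238 test vectors; the user store, salt, seed and password are invented for illustration.

```python
"""Two-factor login with a time-based one-time password (RFC 6238 TOTP).

Added example, not from the original presentation. HOTP/TOTP follow
RFC 4226 / RFC 6238; the user record and login flow are constructed.
"""
import base64
import hashlib
import hmac
import struct

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current 30-second time step."""
    return hotp(key, int(unix_time) // period, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew.
    compare_digest keeps the comparison constant-time."""
    step = int(unix_time) // period
    return any(hmac.compare_digest(hotp(key, s, digits), submitted)
               for s in range(step - window, step + window + 1))


def enrolment_uri(user: str, seed: bytes, issuer: str = "example.com") -> str:
    """otpauth:// URI an authenticator app scans once at enrolment (base32 seed)."""
    secret = base64.b32encode(seed).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{user}?secret={secret}&issuer={issuer}"


# Constructed user record: salted password hash plus the TOTP seed the user's
# authenticator app was enrolled with. Salt, seed and password are invented.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Summer2013!", _SALT, 100_000),
        "totp_seed": b"constructed-seed-01!",
    }
}


def login(user: str, password: str, otp: str, unix_time: int) -> str:
    """Return 'ok' or the reason for rejection. A password obtained by phishing
    or a texted reset is not enough on its own: the attacker also needs a code
    from the user's device, and that code changes every 30 seconds."""
    rec = USERS.get(user)
    if rec is None:
        return "unknown user"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return "bad password"
    if not verify_totp(rec["totp_seed"], otp, unix_time):
        return "bad one-time code"
    return "ok"


if __name__ == "__main__":
    now = 1367395200  # 2013-05-01T08:00:00Z
    seed = USERS["alice"]["totp_seed"]
    print(enrolment_uri("alice", seed))
    print("with current code:", login("alice", "Summer2013!", totp(seed, now), now))
    print("password only:    ", login("alice", "Summer2013!", "", now))
    print("stale code:       ", login("alice", "Summer2013!", totp(seed, now - 300), now))
```

The window of one step either side tolerates a minute of clock drift between server and phone; widening it further only helps an attacker who has captured a code. In practice also rate-limit code attempts per account, since six digits fall to brute force without a lockout.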
Slide 28
Procedural controls
• Ensure joiners, movers and leavers are handled thoroughly and quickly!
• Divide responsibilities between your administrators and the service provider's administrators, so no one has free access across all security layers
Slide 29
Need more information?
Peter Wood, Chief Executive Officer
First Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Twitter: peterwoodx