![Page 1: My Neighbor Runs a Crack House: Aggregate Risk Model for the …itm.iit.edu/netsecure11/RudyRistich_CloudRisks.pdf · My Neighbor Runs a Crack House: Aggregate Risk Model for the](https://reader033.fdocuments.net/reader033/viewer/2022042211/5eb44c5689292c597222b30a/html5/thumbnails/1.jpg)
SecureWorks
My Neighbor Runs a Crack House: Aggregate Risk Model for the Cloud
Crack Houses Attract Criminals
Overall crime rate is higher in the regions which have a higher drug crime rate
The size of the dots is proportional to the drug related arrests normalized by population, and the darkness of the dots is proportional to the total arrests normalized by population
In the Cloud, Anyone Can Move in Next Door
The Neighborhood – IP Reputation
• Public IPs are routinely being re-used by Cloud Providers
• Customer assumes reputation of IP they are assigned
– But a security researcher just burned that IP probing a botnet…
– …and it is now under DDoS as retaliation, so we released it back into pool ;)
– Or we hosted research bots at that IP, and reputation providers noticed
Neighbors Drawing Attention
Risks in Virtualized & Cloud Environments
• Based on Threat Intelligence data and IDS data collected over last year
– vulnerabilities reported in virtualized technologies nearly doubled.
– IDS events detecting these attacks increased by more than 500%
• Risk due to vulnerabilities in virtualization-related tech is amplified within the Cloud
[Chart series: Vulns, Alerts]
Security is the Major Issue
Adversaries Target the Cloud: Data & Privacy
Statistics of Adoption of Virtualization & Cloud
• 96% of respondents had virtualized some portion of their infrastructure.
• 52% had moved data and applications into a Cloud environment, and of those that had not, 46% planned to within 12 months.
• 58% believed their Cloud environment was not adequately secured.
* Results based on customer survey at SecureWorks Enterprise Security Summit 2010
Open Kitchen Dining Experience Analogy
Simple Model of IT Stack
Users
Applications
Platform
Infrastructure
NIST Working Definition of Cloud Computing – Visual Model
Your Neighbors and You: IaaS, PaaS and SaaS
[Diagram, built up over three slides: the IaaS, PaaS and SaaS provider stacks side by side, with a legend of “Your Organization”, “Your Neighbor” and “What You Share w/ Your Neighbor”.]
• IaaS Provider Platform: Hardware / Network / Storage; Hypervisor; then, separately for your org and the neighbor, Guest OS, Platform Stack, App Stack (App 1, App 2) and Userbase
• PaaS Provider Platform: Hardware / Network / Storage; Hypervisor; Guest OS; Platform Stack; then, separately for your org and the neighbor, App Stack (App 1, App 2) and Userbase
• SaaS Provider Platform: Hardware / Network / Storage; Hypervisor; Guest OS; Platform Stack; Software Application Stack; Software Application; then, separately for your org and the neighbor, Userbase
Your Neighbors and You: SaaS
[Diagram: SaaS Provider Platform with Hardware / Network / Storage, Hypervisor, Guest OS, Platform Stack, Software Application Stack and Software Application; your org's userbase and the neighbor's userbase on top. Legend: Your Organization, Your Neighbor, What You Share w/ Your Neighbor.]
• In addition to shared virtualized infrastructure, shared Guest OS, and shared Platform Stack, the Software Application Stack and Software Application are shared with Neighbor
• Potential for exploitation of vulnerabilities in Software Application Stack and Software Application exposes Organizations using SaaS to some risk from Neighbor
Loss of Governance: Malicious Insiders
Your Neighbors and You: PaaS
[Diagram: PaaS Provider Platform with Hardware / Network / Storage, Hypervisor, Guest OS and Platform Stack; a separate App Stack (App 1, App 2) and Userbase for your org and for the neighbor. Legend: Your Organization, Your Neighbor, What You Share w/ Your Neighbor.]
• In addition to shared virtualized infrastructure, Guest OS and Platform Stack are shared with Neighbor
• Potential for exploitation of vulnerabilities in Platform and Guest OS exposes Organizations using PaaS to some risk from Neighbor
Social Graph API
Adversaries Target the Cloud: Web APIs
API vulnerability that allowed open posting of status messages to fan pages.
Your Neighbors and You: IaaS
[Diagram: IaaS Provider Platform with Hardware / Network / Storage and Hypervisor; a separate Guest OS, Platform Stack, App Stack (App 1, App 2) and Userbase for your org and for the neighbor. Legend: Your Organization, Your Neighbor, What You Share w/ Your Neighbor.]
• Virtualized infrastructure shared with Neighbor
– “from concrete to Hypervisor”
• Potential for exploitation of vulnerabilities in the shared virtual infrastructure exposes Organizations using IaaS to some level of risk from Neighbor
• Exploitation of shared physical infrastructure also a consideration
PCI Goes to the (IaaS) Cloud
• Challenge of migrating data and applications to Cloud while maintaining significant investments in regulatory compliance
– Can Cloud provider provide evidence of compliance with relevant requirements?
– Does Cloud provider permit audits by relevant certifying bodies?
• Dec 5, Amazon Web Services (AWS) announces Level 1 PCI DSS certification
– AWS certified from “concrete to hypervisor”
– AWS customer must certify their in-scope elements on top of IaaS
› Guest OS, Application Stack, Apps, Controls, Operational Processes
– “Merchants and other service providers can now run their applications on AWS PCI-compliant technology infrastructure to store, process and transmit credit card information in the cloud.”
Simple Model of Cloud Stack
[Diagram: SaaS / PaaS / IaaS stack set against two LESS-to-MORE axes, Control and Exposure. Labels: Customer Has Less Shared Exposure; Customer Has Less Direct Operational Control; Customer Has More Direct Operational Control; Customer Has More Shared Exposure.]
Multi-Tenancy
Multitenancy: Shared Technology
Multitenancy: Unfriendly Neighbors
Confidential 3/7/2011
House With Poor Foundation
Thought On Going to the Cloud
• “…what one gives up in terms of direct operational control, one must gain back in terms of visibility and transparency.”
– Christopher “beaker” Hoff
“2-Step Verification” for Google Accounts
Source: Official Google Blog
MitB-Resistant Authentication Devices
Image sources are the respective vendors' public websites.
Offline Cryptographic Transaction Verification
Visual Cryptogram
Prediction: Malware Targets the Cloud
• Target and steal credentials related to Cloud providers
– AWS
› Amazon username/password
› Certificate and private key
› SSH key pairs
› “Access Secret Key”
• Automate exploitation of Cloud provider APIs
• MitB compromise of Cloud provider credentials
– spin up malicious Hypervisors (e.g. Worm)
– Manipulate Data
• New, advanced malware capabilities
– Attack multi-tenancy
– Bypass processor-level isolation and/or hyper escalation
– Exploit vulnerabilities in Virtual OS controls
Other Predictions
• Phishing targets Cloud provider credentials
• Incident Response is slowed by involvement of 3rd parties
• Post-compromise forensic analysis made more difficult in Cloud
• Time to Remediate vulnerabilities may increase
– Lower priority for Cloud provider?
– Use of canned VM Images: impact on vulnerability management
• Insider Threat
– e.g., Amazon has their own Pfc. Bradley Manning employed as sysadmin
• Physical breach / loss of device may be more damaging
– Lose laptop w/ cloud creds vs. laptop with creds to corp. servers (behind FW)
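A defensive audit for the credential types listed on the two prediction slides (AWS keys, certificate and SSH private keys, and the lost-laptop case), added here as an example and not part of the original deck: it walks a directory tree, flags files that hold such material, and records whether each file is readable by group or other. The `.aws/credentials` layout, the secret-key heuristic and every sample value are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Credential types named on the slide. The AKIA prefix and PEM armor are real
# formats; the secret-key rule is a heuristic (an assumption of this example).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[_ ]?(?:access[_ ]?)?key\W{1,5}[a-z0-9/+=]{40}(?![a-z0-9/+=])"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_file(path):
    """Return [(kind, readable_by_group_or_other), ...] for one regular file."""
    try:
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or st.st_size > (1 << 20):
            return []  # skip links, devices and files too large to be a key
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    exposed = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
    return [(kind, exposed) for kind, rx in PATTERNS.items() if rx.search(text)]


def audit_tree(root):
    """Map relative path -> findings for every file under root holding credentials."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, name) for name in files):
            if found := scan_file(path):
                report[os.path.relpath(path, root)] = found
    return report


def build_constructed_home(root):
    """Write a constructed sample tree; every key value in it is fake."""
    samples = {
        ".aws/credentials": ("aws_access_key_id = AKIA" + "A1B2C3D4" * 2 + "\n"
                             "aws_secret_access_key = " + "abcdEFGH01" * 4 + "\n", 0o644),
        ".ssh/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n", 0o600),
        "notes.txt": ("nothing sensitive here\n", 0o644),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_constructed_home(home)
        print(audit_tree(home))
```

A finding with the second field set to `True` is the laptop-loss case made worse: the credential is also readable by other local accounts.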