on EBS disks • Once the client realised that there was an issue • The server was replicated and the original server left untouched • The EBS disk from the original server was replicated and mounted in a new instance
An ISO image was created from the mounted disk • Using TSK (The Sleuth Kit) tools, strings were extracted from the ISO • Able to find a fairly large extract of text from the audit logs of one of the servers • The log snippet contained the user who logged in and ran the delete commands
groups 2. Able to see the ports and the application • Discovered there was an internal enterprise mobile application connecting to a certain port which was open to all without any authentication or authorization
inject his own file name and path in AWS EC2 • EC2 uses Auto Scaling • Auto Scaling requires information to be present on the EC2 instance • The metadata web server allows local HTTP requests to be made, and the server and its credentials are pwned
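The defensive counterpart to the metadata-server scenario above is to require IMDSv2 session tokens, keep the response hop limit at 1, and audit the fleet for instances that do neither. The following is an added example, not from the original slides: a Go check over constructed `aws ec2 describe-instances` output (the `MetadataOptions` fields are the real EC2 API names; the instance IDs and values are made up).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the EC2 DescribeInstances response needed for this check (real API field names).
type describeOutput struct {
	Reservations []struct {
		Instances []struct {
			InstanceId      string
			MetadataOptions struct {
				HttpTokens              string
				HttpPutResponseHopLimit int
			}
		}
	}
}

// Constructed sample of `aws ec2 describe-instances` output; IDs and values are made up.
const sampleDescribe = `{"Reservations":[{"Instances":[
 {"InstanceId":"i-0aaa","MetadataOptions":{"HttpTokens":"optional","HttpPutResponseHopLimit":1}},
 {"InstanceId":"i-0bbb","MetadataOptions":{"HttpTokens":"required","HttpPutResponseHopLimit":1}},
 {"InstanceId":"i-0ccc","MetadataOptions":{"HttpTokens":"required","HttpPutResponseHopLimit":3}}]}]}`

// WeakIMDS lists, per instance ID, why its metadata endpoint is weaker than it should be.
// An instance passes when it requires IMDSv2 session tokens (obtained with a PUT carrying a
// header, which a plain request relayed through a vulnerable app cannot produce) and hop limit 1.
func WeakIMDS(raw []byte) (map[string][]string, error) {
	var out describeOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, err
	}
	findings := map[string][]string{}
	for _, r := range out.Reservations {
		for _, in := range r.Instances {
			mo := in.MetadataOptions
			if mo.HttpTokens != "required" {
				findings[in.InstanceId] = append(findings[in.InstanceId],
					"IMDSv1 allowed: an unauthenticated GET to 169.254.169.254 returns the role credentials")
			}
			if mo.HttpPutResponseHopLimit > 1 {
				findings[in.InstanceId] = append(findings[in.InstanceId],
					fmt.Sprintf("hop limit %d lets requests relayed from containers reach IMDS", mo.HttpPutResponseHopLimit))
			}
		}
	}
	return findings, nil
}
```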
A server is brought up to check something • The unpatched server is left running on the Internet without any network protection • An attacker compromises the server, steals the AWS credentials and manages to email all of the company's customers telling them how bad the company is
really not very different from regular security • The same principles and processes apply • The same tools and techniques apply • IT folks simply need to understand the best way to get the same thing done
remote servers are networked to allow the centralized data storage, and online access to computer services or resources. - From http://en.wikipedia.org/wiki/Cloud_computing
the user can provision resources on-demand. • By minimizing user involvement, automation speeds up the process, reduces labor costs and reduces human errors
• Application Security (The application on the compute instance) • Data Security (The data being generated, processed by the application) • Network security for the guest & applications • Security Monitoring of Guest OS & applications
to IAAS and PAAS, as in SAAS it is not our application • An insecure app can expose the underlying infrastructure and data to theft, corruption and exposure
application for security • We might require permission to run automated scanners against the app • The ideal frameworks to test against are the OWASP Top 10 and the OWASP Testing Guide
bug • The AWS root credentials are being used • They are stored in a world-readable file on the server • The attacker reads the credentials and starts multiple large instances to mine bitcoins • The victim is saddled with a massive bill at the end of the month
for security • We may require permission to run automated scanners against the server • The ideal framework to test against is a penetration testing standard such as PTES or OSSTMM
external port • Developers work directly on the production database and require SQL management software • They log in using the root user of the MySQL database server and a simple password • An attacker runs a brute-force script, cracks the password and gains full access to the database
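A detection for the scenario above, added here and not part of the original deck: it scans MySQL error-log lines (a constructed sample; the `Access denied for user` wording is MySQL's, the timestamps and addresses are made up) and reports any client host that produces a burst of failed logins, which is the trace a brute-force script leaves in the log.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
	"time"
)

// Constructed MySQL error-log excerpt. With the error log set to verbose (log_error_verbosity=3)
// every failed login is recorded as an Access denied [Note] carrying the client address.
const sampleLog = `2019-03-12T10:15:01.000000Z 41 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2019-03-12T10:15:01.200000Z 42 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2019-03-12T10:15:01.400000Z 43 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2019-03-12T10:15:01.600000Z 44 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2019-03-12T10:15:02.000000Z 45 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: NO)
2019-03-12T10:20:00.000000Z 46 [Note] Access denied for user 'app'@'10.0.1.12' (using password: YES)`

var denied = regexp.MustCompile(`^(\S+) \d+ \[Note\] Access denied for user '([^']*)'@'([^']*)'`)

// BruteForceSources returns each client host that produced at least threshold failed logins inside
// one window, with its largest burst. Counting per host, not per user, also catches spraying.
func BruteForceSources(log string, threshold int, window time.Duration) map[string]int {
	byHost := map[string][]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := denied.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a failed-login line
		}
		ts, err := time.Parse(time.RFC3339Nano, m[1])
		if err != nil {
			continue // unparseable timestamp: skip rather than miscount
		}
		byHost[m[3]] = append(byHost[m[3]], ts)
	}
	hits := map[string]int{}
	for host, times := range byHost {
		for i := range times { // times are in log order: slide a window forward from each one
			j := i
			for j+1 < len(times) && times[j+1].Sub(times[i]) <= window {
				j++
			}
			if n := j - i + 1; n >= threshold && n > hits[host] {
				hits[host] = n
			}
		}
	}
	return hits
}
```

Feeding the real error log through the same function and alerting on any non-empty result is the whole detection; the threshold and window are tuning knobs for the environment.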
all PAAS, IAAS and SAAS • Our data can get leaked, exposed, stolen or held to ransom if we don't take care to keep it safe while it is being used, while it is being transmitted and while it is being stored
testing requirement. A part of this can be tested by looking at the system and application architecture • All the places where the data can be written, sent or travel through need to be looked at • Writing to storage, exposing APIs, backups and even insider threats
– This will ensure that if an attacker has access to the disk/store, they can't use the data • Data in motion is encrypted – This will ensure that if an attacker can sniff the network traffic they can't see or tamper with the data • Data in use (tmp files, key loaded in memory) – This will ensure that an attacker can't do catastrophic damage if they manage to gain access to a server
data storage and data transmission, the encryption keys need to be safeguarded against theft and accidental loss • A secure key management process will ensure that at any point keys can be revoked and reissued
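The revoke-and-reissue requirement is usually met with envelope encryption, shown here as an added Go example that is not from the original slides: each record gets its own data key, and only that key is wrapped under the key-encryption key, so a compromised key-encryption key can be revoked and the records rewrapped without touching the encrypted data itself. Key bytes are assumed to come from the key-management system; the keys in the test are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewKey wraps raw key bytes (as fetched from the KMS) in AES-GCM; a wrong length is a bug.
func NewKey(raw []byte) cipher.AEAD {
	block, err := aes.NewCipher(raw)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(k cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, k.NonceSize())
	rand.Read(nonce) // fresh random nonce per call, as GCM requires
	return k.Seal(nonce, nonce, plaintext, nil) // stored as nonce || ciphertext
}
func open(k cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < k.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return k.Open(nil, blob[:k.NonceSize()], blob[k.NonceSize():], nil)
}

// Encrypt draws a fresh 256-bit data key (DEK) per record, encrypts the data with it and wraps
// only the DEK under the key-encryption key (KEK). Both outputs are stored; the KEK never is.
func Encrypt(kek cipher.AEAD, plaintext []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek), seal(NewKey(dek), plaintext)
}

// Decrypt fails closed when the KEK is wrong or has been revoked: the DEK never comes out.
func Decrypt(kek cipher.AEAD, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(NewKey(dek), ciphertext)
}

// Rewrap is the revoke-and-reissue step: only the small wrapped DEK moves to the new KEK;
// the bulk ciphertext stays exactly as stored, so rotation costs nothing per byte of data.
func Rewrap(oldKEK, newKEK cipher.AEAD, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}
```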
• For performance reasons, the database wasn't encrypted when the initial backups were done. • The dev team moves to newer SSDs and doesn't decommission the older HDDs. • An attacker finds an older HDD, recovers the data forensically and sells it for profit.
                                  AWS             Google Compute Engine   Microsoft Azure   Rackspace
IAM                               YES             YES                     YES               Sort of
2FA for Management Layer          Need to enable  Need to enable          NO                NO
Network Isolation                 YES             YES                     YES               YES
Virtual Private Networks          YES             YES                     YES               YES
Firewall                          YES             YES                     YES               YES
Centralized Logs and Audit Trail  YES             NO                      NO                NO
Encryption for Storage            YES             YES                     YES
Key Management                    YES             YES                     YES               YES
(Older slide)
By Qingqing Chen (Own work) [Public domain], via Wikimedia Commons • CPU Usage https://www.wormly.com/help/windows-server/cpu-usage-win32 • Yoga agility By Earl McGehee (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons • Toyota Robot at Toyota Kaikan • AWS Scale on Demand http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html • SOA for Cloud Computing http://www.communitydatalink.com/portfolio/cloudservices/ • http://www.rackspace.com/knowledge_center/whitepaper/understanding-the-cloud-computing-stack-saas-paas-iaas • By Sam Joton (wikipedia) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons