The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez

THE CLOUD
Threats & Solutions in 2016
C o p y r i g h t © 2 0 1 6 L y n x T e c h n o l o g y P a r t n e r s , I n c . A l l R i g h t s R e s e r v e d .

OBLIGATORY DISCLAIMER
3
Any statements made in the course of this presentation should not be relied on as a
commitment, directly on behalf of my employer, by this forum’s management, the
National Football League, or any other major institution that your barracuda lawyer
may opt to pursue in the name of earning his or her outrageous legal fees.
The opinions expressed herein are not necessarily those of my employer, not
necessarily mine, and probably not necessary.
My opinions are subject to change without notice.
Thanks for disagreeing.
T h e c o n t e n t a n d o p i n i o n s e x p r e s s e d h e r e i n a r e s o l e l y t h o s e o f t h e a u t h o r , a n d n e i t h e r r e p r e s e n t t h e v i e w s n o r
d e s c r i b e t h e c u r r e n t o r i n t e n d e d p r a c t i c e s o f a n y o t h e r e n t i t y . T h e i n f o r m a t i o n i n t h i s p r e s e n t a t i o n c o n t a i n s
r e f e r e n c e s t o c o p y r i g h t e d m a t e r i a l ; T h e a u t h o r m a k e s n o c l a i m s o f o w n e r s h i p o r r i g h t s t o s u c h m a t e r i a l .

BIOGRAPHY
Certifications
• CISSP, CPP, CRISC, ITIL, PMP, GISO, GSLC, C|CISO, PPMC, EIEIO
Organizations
• Infragard – President, Board of Directors
• FBI Sector Chief for Financial Services
• FBI Citizens Academy 2014 Graduate
• USSS Electronic Crimes Task Force
• ISSA – Vice President, Board of Directors
• ASIS-ANSI-ISO Standards Committees and Working Groups
Awards
• 2008 Top 5 “Best Security Team in the US” SC Magazine
• 2009, 2010, 2013 Top 5 “CSO of the Year” SC Magazine
• 2012 Finalist Information Security Leadership Award (ISC)2
• 2012 ISE North America Executive Leadership Award Nominee
• 2016 SVUS Management Team of the Year
• 2016 Finalist CISO of the Year (EC Council)
4
Internet entrepreneur & über geek who groks e-
commerce, IT security, risk & privacy management,
caffeinated beverages, Padrón cigars, 18-yo single
malt scotch, & dark beers
Bobby Dominguez
Chief Strategy & Security
Officer
Lynx Technology Partners,
Inc.h t t p s : / / w w w . l i n k e d i n . c o m / i n / b o b b y d o m i n g u e z
h t t p s : / / t w i t t e r . c o m / M o o n r a k e r 0 6 9
b d o m i n g u e z @ l y n x t p . c o m

ABSTRACT
If you’re in business in 2016, you’re company most likely uses Cloud services of one kind
or another. You can’t avoid the Cloud, whether personally or for your business. Security
remains a serious concern for organizations using the Cloud. The shared, on-demand
nature of Cloud computing introduces the possibility of security breaches. Mitigating Cloud
risks starts by identifying the top security threats you may face.
In this session, Bobby Dominguez will describe some of the most relevant threats as well
as risk mitigation techniques that may help your organization function in the Cloud and
reduce the risks associated with this fastest growing technology segment. The discussion
will not only focus on the threats, but potential solutions and give specific examples of what
you can do to manage your Cloud risks.
5

6
The information security threat landscape
is constantly evolving and today’s
borderless environment creates new
threat vectors.
The Cloud can leverage some traditional
protection measures, but new ones should
be adopted to properly mitigate risks.
THREAT HORIZON

#1: COMPROMISED CREDENTIALS & BROKEN
AUTHENTICATION
7
Problems
Lax authentication, weak passwords, and poor key or
certificate management
Segregation of duties may not be available or is not enabled
because management may not integrate with AD or other
tools, especially on free cloud apps
Developers embed credentials and cryptographic keys in
source code – repositories such as GitHub
Solutions
Multifactor authentication systems, one-time passwords, phone-
based authentication, and smartcards
Frequent (or periodic) rotation of keys and passwords
Separation of duties
Code security analysis, best practices, and post deployment spot
checks

#2: HACKED INTERFACES AND APIS
8
Problems
Attackers target the trust mechanisms used by APIs –
specifically the certificates upon which encryption,
authentication, and non-repudiation depend
Assuming everyone is using the API as designed – Poorly
designed and tested interfaces can permit accidental or
malicious compromises
Solutions
Understand how your API can be attacked – threat modeling
applications and systems, including data flows and architecture /
design specifications
Pen testing by security experts with development experience – they
need to understand web services (RESTful, JSON, etc.) and won’t just
run vulnerability scan tools

#3: ACCOUNT HIJACKING
9
Problems
Phishing, fraud, and social engineering
Software exploits
Eavesdropping (shoulder surfing, MITM Wifi)
Manipulating transactions and modifying data
Solutions
Does your service provider conduct background checks on employees who have physical access to the
servers in their data centers?
Require multi-factor or dynamic (one-time) password authentication, and strong API authentication
Restrict IP addresses allowed to access cloud applications (from corporate networks or VPNs).
Encrypt sensitive data before it goes to the cloud or ensure you alone have the private keys
Service accounts should be monitored for activity

#4: PERMANENT DATA LOSS
10
Problems
Ransomware
Failure to backup or to recover – too much reliance on Cloud
provider and “snapshots”
New EU data protection rules also treat data destruction and
corruption of personal data as data breaches requiring
appropriate notification
Solutions
Disaster Recovery and Business Continuity practices still apply! Test, Test, Test
Maintain multiple backups across a reasonable span of time and vary backup types
Distribute across multiple zones for added protection
Off cloud (off site) storage

#4: PERMANENT DATA LOSS
11
Problems
Ransomware
Failure to backup or to recover – too much reliance on Cloud
provider and “snapshots”
New EU data protection rules also treat data destruction and
corruption of personal data as data breaches requiring
appropriate notification
Solutions
Disaster Recovery and Business Continuity practices still apply! Test, Test, Test
Maintain multiple backups across a reasonable span of time and vary backup types
Distribute across multiple zones for added protection
Off cloud (off site) storage

#5: MALICIOUS INSIDERS
12
Problems
Who: A current or former employee, a rogue administrator, a
contractor, or a business partner
What: Data theft
• to sell (fraud)
• to use in next job (theft of IP)
Data destruction – Revenge, ransomware, etc.
Solutions
Encryption
Segregating duties and minimizing access given to any one user or
group of users – two-man rule
Effective logging, monitoring, and auditing administrator activities –
storage segregation and protection too

#5: MALICIOUS INSIDERS ( C O N T I N U E D )
13
Administrator
Segregation

#6: A PARASITIC THREAT (APTs)
14
Problems
APTs typically move laterally through the network and
blend in with normal traffic
Common points of entry include spear phishing, direct
attacks, USB drives preloaded with malware, and
compromised third-party networks
Command and Control tunneled through valid services or
encrypted
Solutions
Strong phishing awareness training and testing
DNS prevention with DMARC (SPF / DKIM)
DNS monitoring
Behavioral analysis of access to apps / systems
Block encrypted traffic or proxy SSL to decrypt

#6: A PARASITIC THREAT (APTs) ( C O N T I N U E D )
15
Intelligence
Gathering
Threat Actor
Command &
Control
External
Staging
Lateral Movement
Point of
Entry
1
3
2
5
4
6
Data of Interest
3
Password Reuse
Vulnerabilities
Malicious URL or File
USB / Rubber Ducky
1. Reconnaissance
OSINT
SQL User Dump
Domain Scanning
Spear Phishing
Physical Access
2. Establish Beachhead
ARP Hijack
MitM Credentials
Keylog
Sniffing Passwords / Keys
Machine Access
3. Exfiltrate INT or DAMAGE
Users, Hashes, passwords, LSA, keys
Network layout, IPs, Servers
4. Lateral Access
Web, OS, SQL exploits
Test / QA / Development
Workstations to Servers
5. Local Collection of Data
Collect, compress, encrypt & hide
6. Exfiltrate Data
Steal IP, PII, PHI, etc.

#7: INADEQUATE DILIGENCE
16
Problems
Failure to factor security costs early in project
What data are going to be stored in the Cloud? Used by
whom?
Inadequate contractual considerations
Forgetting to update policies and standards to account for
the new operating paradigm
What about the Regulators?
Solutions
Security as an enabler
Discovery of data
Partner with Legal council and work together to understand
nuances of contracts
Partner with Audit teams and understand your Compliance
requirements

#8: DENIAL OF SERVICE
17
Problems
DDoS attacks consume large amounts of processing power
Collateral damage
A distraction for the real breach
Solutions
Detection – Minimize damage by detecting as soon as possible
Diversity – Multiple network pipelines, content delivery networks
Protection – Services using filters and shunted pipelines; ISP Clean Pipes;
Appliances that filter malformed packets
Response – Test response and prepare with providers
Assess – Can you do these things? Can your providers?

#8: DENIAL OF SERVICE
18
Problems
DDoS attacks consume large amounts of processing power
Collateral damage
A distraction for the real breach
Solutions
Detection – Minimize damage by detecting as soon as possible
Diversity – Multiple network pipelines, content delivery networks
Protection – Services using filters and shunted pipelines; ISP Clean Pipes;
Appliances that filter malformed packets
Response – Test response and prepare with providers
Assess – Can you do these things? Can your providers?

#9: SHARED TECHNOLOGY, SHARED DANGERS
19
Problems
A multi-tenant environment – shared everything
Misconfiguration, vulnerabilities, etc.
Solutions
Defense-in-depth strategy
Multi-factor authentication
Host-based and network-based intrusion detection/protection systems
Applying the concept of least privilege
Network segmentation
Who else is sharing your Cloud services?

SUMMARY OF SOLUTIONS
20
Dip your toe in the water
Update policies and unify for decentralized environments
Evaluate your currently deployed security technologies
Be aware of what you have in the Cloud
Diversify your Cloud providers
Embrace a data-centric security strategy
Know your Cloud vendors
Treat & attack detection like you would in-house
Robust crisis management plans that includes testing with
Cloud provider
Strike a balance between privacy and security

CLOSING THOUGHTS
21
Risks can be summarized by 3 things:
- Multi-tenancy
- Shared responsibilities
- Compliance
Does anyone really believe that ”a perimeter” still
exists?
Defense-in-depth remains a key security strategy
Focus on these 3 things:
- Information classification
- Encryption
- Privileged access management

SUPPLEMENTAL – REGULATIONS FRAGMENT THE
CLOUD
22
Regulatory and legislative changes will impose new
restrictions on how personal data is collected, stored,
exchanged and disposed of over the next few years
Organizations that depend on Cloud services can expect to
suffer a particularly heavy impact. They will be stuck trying to
remain compliant with new data protection and data
localization requirements, while trying to conduct business
as usual.
The location of data has become a particularly pressing
issue after the overturning of the US-EU Safe Harbor
Agreement in October 2015, and the newly launched EU
General Data Protection Regulation has complicated the
situation with a wide array of compliance requirements
backed by significant fines for non-compliance.

RESOURCES
23
Cloud Security Alliance
https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
Reuters, “Your Medical Record Is Worth More to Hackers Than Your Credit Card”
https://www.reuters.com/article/us-cybersecurity-hospitalsidUSKCN0HJ21I20140924
Cloud Security Alliance, SecaaS Implementation Guidance
https://downloads.cloudsecurityalliance.org/initiatives/secaas/SecaaS_Cat_8_Encryption_Implementation_Guidance.pdf
Amazon Web Services, AWS Official Blog
http://aws.amazon.com/blogs/aws/
Managing Cloud Risk
http://www.isaca.org/Journal/archives/2016/volume-4/Pages/managing-cloud-risk.aspx
ISACA Data Science as a Tool for Cloud Security
http://www.isaca.org/Journal/archives/2016/volume-4/Pages/data-science-as-a-tool-for-cloud-security.aspx
FBI Ransomware Warning
http://www.bankinfosecurity.com/fbi-warning-ransomware-surging-a-8962

FINAL CONTACT INFO
24
Thank you!
+ 1.800.314.0455
sales@lynxtp.com
GLOBAL HEADQUARTERS
1501 Broadway
12th Floor
New York, NY 10036
Pittsburgh, PA
309 Smithfield Street
3rd Floor
Pittsburgh, PA 15222
Phoenix, AZ
2200 E. Williams Field Road
Suite 200
Gilbert, AZ 85295
lynxgrc.com
Fiercelyprotectingourclients
IT Risk & Cyber Security Experts

The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez

Similar to The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez (20)

More from EC-Council

More from EC-Council (20)

Recently uploaded

Recently uploaded (20)

The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez

Editor's Notes