SlideShare a Scribd company logo

Real World Cloud Compromise

T
Teri Radichel

Cloud vulnerabilities I'm finding on penetration tests, bug bounties, and seeing in data breaches

Technology
1 of 36
Real World Cloud Compromise Teri Radichel, CEO | @teriradichel |
Alternatively, How I’m going to hack your cloud
Expectations: Not a DefCon talk.
@teriradichel
“Misconfigured storage services in 93 percent of cloud deployments have contributed to more than 200 breaches over the past two years, exposing more than 30 billion records.” The State of DevOps Report, Summer 2020, Accuris
Internet Exposure
Software Vulnerabilities
Pivot.
Server-Side Request Forgery (SSRF) Web API X
Open Redirect 301 Metadata Service AWS Credentials
Initial Approach to Protect Credentials 301 Metadata Service AWS Credentials Firewall Rules May still be bypassed…
DNS Rebinding 301 Metadata Service AWS CredentialsDNS Server Evil Site
Open Redirect 301 Metadata Service AWS Credentials Validate Redirects
Host Header Redirect [Host Header] Evil Site
Subdomain Hijacking DNS [CNAME] 3rd Party Service
Network Protocol Manipulations Network Packets AWS IOT IOT Device
Malicious File Upload Malicious File File Upload Form
Bypass File Upload Restrictions Malicious File File Upload Form S3 Bucket Bypass
Obtain Credentials Web Page Service Exposure Social Engineering
Authentication Login MFA ?
X X Authorization
Injection <Evil Input> Execute SQL or other executable code to Obtain Malicious Objective. Many, many options!
Cross Site Scripting (XSS) <SCRIPT> Script Reflected from Server in Browser
DOM XSS <SCRIPT> Script Executes in Browser Never sent to web server.
Blind XSS <SCRIPT> Stored Executes Sends data to attacker Retrieved
Clickjacking Evil Site Your Site Evil Button
Cross Site Request Forgery (CSRF) TAB 1 TAB 2 Undesirable Action in Current Session
Caching <EVIL CONTENT> Inject Request
Sensitive Data Exposure Referrer: https://site.com?param=secret
Web Server API Server Request Smuggling Response 1 Response 2 Request 1 Request 2
API Attacks Web Server API Server
This was not a complete list.
Prevention: Follow Best Practices Cloud Providers, CIS, OWASP Deployment Pipeline Monitoring Cloud Penetration Test!
Thank You Teri Radichel, CEO | @teriradichel | | https://2ndSightLab.com https://linkedin.com/in/teriradichel https://medium.com/cloud-security

Recommended

Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyChris Farris
 
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon Web Services
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty LabAmazon Web Services
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfAmazon Web Services
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksAmazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access ManagementAmazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
 

Recommended

Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyChris Farris
 
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech TalksAmazon Web Services
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty LabAmazon Web Services
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfAmazon Web Services
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksAmazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access ManagementAmazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
 
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Amazon Web Services
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation OverviewAmazon Web Services
 
Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAmazon Web Services
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Amazon Web Services
 
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...Amazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAleksandr Maklakov
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...Amazon Web Services
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Are you ready for a cloud pentest? AWS re:Inforce 2019
Are you ready for a cloud pentest? AWS re:Inforce 2019Are you ready for a cloud pentest? AWS re:Inforce 2019
Are you ready for a cloud pentest? AWS re:Inforce 2019Teri Radichel
 
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftIntro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftAmazon Web Services
 
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...Amazon Web Services
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...Amazon Web Services
 
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...Amazon Web Services
 
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...Amazon Web Services
 
Modernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesModernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesAmazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon Web Services
 
ThreatResponse
ThreatResponseThreatResponse
ThreatResponseAmazon Web Services
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItJamieWilliams130
 
Abuse_in_the_Cloud_Palani_Ashwin
Abuse_in_the_Cloud_Palani_AshwinAbuse_in_the_Cloud_Palani_Ashwin
Abuse_in_the_Cloud_Palani_AshwinAshwin Palani
 

More Related Content

What's hot

Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Amazon Web Services
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation OverviewAmazon Web Services
 
Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAmazon Web Services
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Amazon Web Services
 
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...Amazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSAmazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionAmazon Web Services
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...Amazon Web Services
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Are you ready for a cloud pentest? AWS re:Inforce 2019
Are you ready for a cloud pentest? AWS re:Inforce 2019Are you ready for a cloud pentest? AWS re:Inforce 2019
Are you ready for a cloud pentest? AWS re:Inforce 2019Teri Radichel
 
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftIntro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftAmazon Web Services
 
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...Amazon Web Services
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...Amazon Web Services
 
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...Amazon Web Services
 
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...Amazon Web Services
 
Modernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesModernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesAmazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon Web Services
 

What's hot (20)

Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation Overview
 
Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWS
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
 
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
Using the AWS Encryption SDK for multiple master key encryption - SDD402 - AW...
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of Needles
 
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...
Understanding and Hardening the Attack Surface at the Edge (GPSTEC402) - AWS ...
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
 
Are you ready for a cloud pentest? AWS re:Inforce 2019
Are you ready for a cloud pentest? AWS re:Inforce 2019Are you ready for a cloud pentest? AWS re:Inforce 2019
Are you ready for a cloud pentest? AWS re:Inforce 2019
 
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF LoftIntro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
Intro to Threat Detection & Remediation on AWS: AWS Security Week at the SF Loft
 
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
 
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security ...
 
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers...
 
Modernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud ServicesModernize Your Threat Detection and Remediation Process Using Cloud Services
Modernize Your Threat Detection and Remediation Process Using Cloud Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
 
ThreatResponse
ThreatResponseThreatResponse
ThreatResponse
 

Similar to Real World Cloud Compromise

Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItJamieWilliams130
 
Abuse_in_the_Cloud_Palani_Ashwin
Abuse_in_the_Cloud_Palani_AshwinAbuse_in_the_Cloud_Palani_Ashwin
Abuse_in_the_Cloud_Palani_AshwinAshwin Palani
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourState of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourAdam Pennington
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...JamieWilliams130
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpJoann Davis
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellJamieWilliams130
 
Effective and Efficient Computing for the Government
Effective and Efficient Computing for the GovernmentEffective and Efficient Computing for the Government
Effective and Efficient Computing for the GovernmentAmazon Web Services
 
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackBest Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackAmazon Web Services
 
Wrangling Security & Identity across 99+ AWS Accounts
Wrangling Security & Identity across 99+ AWS AccountsWrangling Security & Identity across 99+ AWS Accounts
Wrangling Security & Identity across 99+ AWS AccountsAndrew Bienert
 
A Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig BaldingA Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig Baldingcraigbalding
 
Peering through the Clouds - Cloud Architectures You Need to Master
Peering through the Clouds - Cloud Architectures You Need to MasterPeering through the Clouds - Cloud Architectures You Need to Master
Peering through the Clouds - Cloud Architectures You Need to MasterClint Edmonson
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamAdam Pennington
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security PresentationAjay p
 
Security challenges of cloud computing
Security challenges of cloud computingSecurity challenges of cloud computing
Security challenges of cloud computingMd. Hasibur Rashid
 
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Marcela Cárdenas Hidalgo
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 

Similar to Real World Cloud Compromise (20)

Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against It
 
Abuse_in_the_Cloud_Palani_Ashwin
Abuse_in_the_Cloud_Palani_AshwinAbuse_in_the_Cloud_Palani_Ashwin
Abuse_in_the_Cloud_Palani_Ashwin
 
State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACK
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourState of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power Hour
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShell
 
Effective and Efficient Computing for the Government
Effective and Efficient Computing for the GovernmentEffective and Efficient Computing for the Government
Effective and Efficient Computing for the Government
 
Putting the PRE into ATTACK
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACK
 
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackBest Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network Attack
 
Wrangling Security & Identity across 99+ AWS Accounts
Wrangling Security & Identity across 99+ AWS AccountsWrangling Security & Identity across 99+ AWS Accounts
Wrangling Security & Identity across 99+ AWS Accounts
 
A Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig BaldingA Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig Balding
 
Peering through the Clouds - Cloud Architectures You Need to Master
Peering through the Clouds - Cloud Architectures You Need to MasterPeering through the Clouds - Cloud Architectures You Need to Master
Peering through the Clouds - Cloud Architectures You Need to Master
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security Presentation
 
Security challenges of cloud computing
Security challenges of cloud computingSecurity challenges of cloud computing
Security challenges of cloud computing
 
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
 
Oas un llamado a la accion
Oas un llamado a la accionOas un llamado a la accion
Oas un llamado a la accion
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
 

More from Teri Radichel

So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in CybersecurityTeri Radichel
 
Cloud Offense Informs Cloud Defense.pptx
Cloud Offense Informs Cloud Defense.pptxCloud Offense Informs Cloud Defense.pptx
Cloud Offense Informs Cloud Defense.pptxTeri Radichel
 
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022Teri Radichel
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack VectorsTeri Radichel
 
Top Priorities for Cloud Application Security
Top Priorities for Cloud Application SecurityTop Priorities for Cloud Application Security
Top Priorities for Cloud Application SecurityTeri Radichel
 
How the Cloud Changes Cyber Security
How the Cloud Changes Cyber SecurityHow the Cloud Changes Cyber Security
How the Cloud Changes Cyber SecurityTeri Radichel
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Teri Radichel
 
Top 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTop 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTeri Radichel
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the CloudTeri Radichel
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your CloudTeri Radichel
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.Teri Radichel
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWSTeri Radichel
 
Security for Complex Networks on AWS
Security for Complex Networks on AWSSecurity for Complex Networks on AWS
Security for Complex Networks on AWSTeri Radichel
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016Teri Radichel
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachTeri Radichel
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 

More from Teri Radichel (19)

So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
 
Cloud Offense Informs Cloud Defense.pptx
Cloud Offense Informs Cloud Defense.pptxCloud Offense Informs Cloud Defense.pptx
Cloud Offense Informs Cloud Defense.pptx
 
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack Vectors
 
Top Priorities for Cloud Application Security
Top Priorities for Cloud Application SecurityTop Priorities for Cloud Application Security
Top Priorities for Cloud Application Security
 
Azure for Auditors
Azure for AuditorsAzure for Auditors
Azure for Auditors
 
How the Cloud Changes Cyber Security
How the Cloud Changes Cyber SecurityHow the Cloud Changes Cyber Security
How the Cloud Changes Cyber Security
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Top 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTop 5 Priorities for Cloud Security
Top 5 Priorities for Cloud Security
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
 
Security for Complex Networks on AWS
Security for Complex Networks on AWSSecurity for Complex Networks on AWS
Security for Complex Networks on AWS
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target Breach
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Real World Cloud Compromise

Editor's Notes

  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
  27. 27
  28. 28
  29. 29
  30. 30
  31. 31
  32. 32
  33. 33
  34. 34
  35. 35
  36. 36