Stephen Coty Director, Threat Research


1 Emerging threats facing Cloud Computing Stephen Coty Director, Threat Research

2 Cloud Environments 101

3 Cloud Adoption is Gaining Momentum
- Cloud market revenue will increase at a 36% annual rate
- Analysts expect AWS revenues to hit $6 - $10 billion in 2014
- Microsoft Azure reached $1 billion in Q
- Oracle Cloud bookings increased by 35% in 2013
- Gartner predicts 60% of banking institutions will migrate to the cloud
- Healthcare is expected to adopt cloud computing at a 21% year-over-year rate through 2017
- The VDI (Desktop as a Service) market reached $13.4 billion in 2013

4 Over 2,500 organizations worldwide
- 40,000 devices managed
- Petabytes of data under management
- 8.2 million security events correlated per day
- 250,… incidents identified and reviewed per month

5 Threats in the Cloud are Increasing With Adoption
- Increase in attack frequency
- Brute force attacks and vulnerability scans are now occurring at near-equivalent rates in both cloud and on-premises environments
- Malware/botnet activity is increasing year over year
- Traditional on-premises threats are moving to the cloud
- The majority of cloud incidents were related to web application attacks, brute force attacks, and vulnerability scans

6 Cloud Attacks With the Biggest Change
- Cloud environments saw significant increases, with brute force attacks climbing from 30% to 44% of customers and vulnerability scans increasing from 27% to 44%
- Malware/botnet attacks, historically the most common attacks in the on-premises datacenter, are on the rise in cloud hosting provider (CHP) environments

7 Why Honeypots
- Honeypots give us a unique data set
- They simulate vulnerable systems without the risk of real data loss
- They give us the ability to collect intelligence from malicious attackers
- They allow collection of different attack types depending on the system simulated
- They help identify which industry-specific targets are out there

8 Honeypot Locations

9 Honeypot Designs
The honeypot data cited was gathered using:
- Low-interaction: simulates high-level services
- Medium-interaction: delivers form pages and collects keystrokes
- SCADA: simulates a Supervisory Control And Data Acquisition system
- Web application: software that emulates a vulnerable OS and application
Fictitious business domains were created to redirect traffic to what would be considered a legitimate business. These particular honeypots monitored connections to common ports and gathered statistics on source IP, country, and malware, if any was submitted.

10 Honeypot Findings
- The highest volume of attacks occurred in Europe
- Attacks against Microsoft-DS (SMB over TCP port 445) accounted for over 51% of the overall attack vectors
- Database services have been a consistent target
- This underscores the importance of a defense in depth strategy when securing your cloud infrastructure

11 Cloud Security Best Practices

12 Seven Best Practices of Cloud Security
1. Secure your code
2. Create access management policies
3. Adopt a patch management approach
4. Review logs regularly
5. Build a security toolkit
6. Stay informed of the latest vulnerabilities that may affect you
7. Understand your cloud service provider's security model

13 1. Secure Your Code
- Test every input that is open to the Internet
- Add delays to your code to confuse bots
- Use encryption when you can
- Test libraries
- Scan plugins
- Scan your code after every update
- Limit privileges
- Stay informed

14 2. Create Access Management Policies
- Identify the data and infrastructure that require access controls
- Define roles and responsibilities
- Simplify access controls (KISS)
- Continually audit access
- Start with a least privilege access model

15 3. Adopt a Patch Management Approach
- Inventory all production systems
- Devise a plan for standardization, if possible
- Compare reported vulnerabilities to the production infrastructure
- Classify the risk based on vulnerability severity and likelihood of exploitation
- Test patches before you release them into production
- Set up a regular patching schedule
- Keep informed: follow Bugtraq and similar disclosure lists
- Follow an SDLC for updates

16 4. Importance of Log Management and Review
- Monitoring for malicious activity
- Forensic investigations
- Compliance needs
- System performance

- All sources of log data are collected
- Data types (Windows event logs, syslog)
- Review process
- Live monitoring
- Correlation logic
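The "correlation logic" item above is easiest to see on the deck's own top threat, brute force. The following is an added example, not code from the original slides: it parses sshd syslog lines, counts failed logins per source IP in a sliding time window, and escalates the alert when the same IP later gets an accepted login. The log lines are constructed (RFC 5737 documentation addresses), the threshold/window values are assumptions, and the year is supplied because BSD syslog timestamps omit it.

```python
"""Correlation logic for 'review logs regularly': SSH brute-force detection over
syslog auth lines. Added example; the sample log below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 web1 sshd[2115]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:09 web1 sshd[2118]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:15:12 web1 sshd[2120]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:15:17 web1 sshd[2123]: Failed password for root from 203.0.113.7 port 51163 ssh2
Mar  3 10:15:20 web1 sshd[2125]: Accepted publickey for deploy from 192.0.2.5 port 40022 ssh2
Mar  3 10:15:40 web1 sshd[2131]: Failed password for root from 203.0.113.7 port 51170 ssh2
Mar  3 10:15:55 web1 sshd[2134]: Accepted password for root from 203.0.113.7 port 51177 ssh2
Mar  3 10:22:03 web1 sshd[2140]: Failed password for bob from 198.51.100.20 port 60011 ssh2
Mar  3 10:30:10 web1 sshd[2151]: Failed password for bob from 198.51.100.20 port 60019 ssh2
Mar  3 10:30:30 web1 sshd[2153]: Accepted password for bob from 198.51.100.20 port 60024 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_auth_events(log_text, year=2014):
    """Turn sshd syslog lines into {ts, ip, user, outcome} records.
    BSD syslog carries no year, so one is supplied (assumption: 2014)."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        for outcome, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
            mm = rx.match(m["msg"])
            if mm:
                events.append({"ts": ts, "ip": mm["ip"], "user": mm["user"], "outcome": outcome})
                break
    return events


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Alert when one source IP produces >= threshold failures inside a sliding
    window; severity is raised if that IP later gets an accepted login."""
    by_ip = defaultdict(list)
    for ev in parse_auth_events(log_text):
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "failed"]
        window, trigger = deque(), None
        for f in failures:
            window.append(f)
            while (f["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()          # drop failures that fell out of the window
            if len(window) >= threshold:
                trigger = f
                break
        if trigger is None:
            continue
        later_success = [e["user"] for e in evs
                         if e["outcome"] == "accepted" and e["ts"] >= trigger["ts"]]
        alerts.append({
            "ip": ip,
            "failures": len(failures),
            "users_tried": sorted({e["user"] for e in failures}),
            "window_start": window[0]["ts"].isoformat(),
            "triggered_at": trigger["ts"].isoformat(),
            "success_after": later_success,
            "severity": "high" if later_success else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, 203.0.113.7 trips the threshold at its fifth failure and is escalated to high because root is accepted from the same address 38 seconds later; the two spaced-out failures from 198.51.100.20 never reach the threshold. The same skeleton (parse, group by source, sliding window, escalate on a second signal) is what a SIEM correlation rule encodes.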

17 5. Build a Security Toolkit
Recommended security solutions:
- Antivirus
- iptables (host firewall)
- Intrusion Detection System
- Malware detection
- Web Application Firewall
- Anomaly behavior detection via NetFlow
- Future: deep packet forensics

18 6. Stay Informed of the Latest Vulnerabilities
Websites to follow

19 7. Understand Your Cloud Service Provider's Security Model
- Review of service provider responsibilities
- Hypervisor example
- Example questions to use when evaluating cloud service providers

20 Service Provider & Customer Responsibility Summary

Layer               | Customer responsibility                 | Cloud service provider responsibility
--------------------|-----------------------------------------|------------------------------------------------
Apps                | Secure coding and best practices        |
                    | Software and virtual patching           |
                    | Configuration management                |
                    | Access management                       |
                    | Application level attack monitoring     |
Hosts               | Access management                       | Hardened hypervisor
                    | Patch management                        | System image library
                    | Configuration hardening                 | Root access for customer
                    | Security monitoring                     |
                    | Log analysis                            |
Networks            | Logical network segmentation            | Perimeter security services
                    | Network threat detection                | External DDoS, spoofing, and scanning prevented
                    | Security monitoring                     |
Foundation Services |                                         | Compute, Storage, DB, Network

21 Examples of Shared Responsibilities

22 Cloud Server Architecture
VM servers are designed so that the hypervisor (also called the monitor or Virtual Machine Manager) is the only fully privileged entity in the system, and it has an extremely small footprint. It controls only the most basic resources of the system: CPU and memory allocation, privilege checks, and hardware interrupts.

23 How the Hypervisor Functions
In this model the processor provides four privilege levels, also known as rings, arranged hierarchically from ring 0 (most privileged) to ring 3 (least privileged). In practice most operating systems use only rings 0 and 3; some kernel designs demote certain privileged components to ring 1 or 2. The operating system kernel runs in ring 0 and controls access to the underlying hardware. To assist virtualization, Intel VT-x and AMD Pacifica (AMD-V) insert a new privilege level beneath ring 0. Both add a small set of new machine code instructions that only work at "ring -1", intended to be used by the hypervisor.

24 Exploitation of the Hypervisor CVE
- The PHYSDEVOP_{prepare,release}_msix operations are supposed to be restricted to dom0, because they touch host state and other VMs controlled by the host, but the necessary privilege level check was missing
- Two different functions were added to Xen's physdev op handler to manage allocation and deallocation of MSI-X resources
- This can easily let malicious or misbehaving unprivileged guests cause the host or other guests to malfunction, up to a host-wide denial of service of all the VMs and the host itself
- In physdev.c the attacker's entry point is: ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg). The cmd value is dispatched through a switch/case, which leads us to:

25 Exploitation of the Hypervisor CVE
- With seg, bus, and devfn under the attacker's control, the values are passed on to pci_prepare_msix (Figure 1)
- The attacker first has to pass the pos check from pci_find_cap_offset (the device must expose the MSI-X capability); if that succeeds they then have to pass the pci_get_pdev check
- Figure 1: the pci_find_cap_offset check
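To make the missing check concrete, the following is an added example, not Xen source: a deliberately simplified model of the dispatcher described on the two slides above, with the vulnerable path (any guest reaches the MSI-X sub-op) next to the fixed path (a privilege check in front of it). The domain and PCI structures are stand-ins for Xen's, the sub-op numbers are assumed, and the real fix routes the check through an XSM hook rather than testing dom0 privilege directly as the model does.

```python
"""Model of the missing privilege check on PHYSDEVOP_{prepare,release}_msix.
Added example; data structures are a drastic simplification of Xen's."""
import errno
from dataclasses import dataclass, field

PHYSDEVOP_prepare_msix = 30   # sub-op numbers: assumed for this model
PHYSDEVOP_release_msix = 31


@dataclass(frozen=True)
class Domain:
    domid: int
    privileged: bool          # True only for dom0, the hardware domain


@dataclass(frozen=True)
class PhysdevPciDevice:       # the guest-supplied argument: seg, bus, devfn
    seg: int
    bus: int
    devfn: int


@dataclass
class HostPciState:
    """Host-wide bookkeeping shared by every guest (model)."""
    has_msix_cap: dict                    # (seg,bus,devfn) -> what pci_find_cap_offset reports
    pdevs: set                            # devices pci_get_pdev would find
    msix_prepared: set = field(default_factory=set)


def pci_prepare_msix(host, dev, release):
    """Stand-in for pci_prepare_msix(): the two checks the slides name, then a
    mutation of host-wide MSI-X state that other guests depend on."""
    key = (dev.seg, dev.bus, dev.devfn)
    if not host.has_msix_cap.get(key):    # the 'pos' check (pci_find_cap_offset)
        return -errno.ENODEV
    if key not in host.pdevs:             # the pci_get_pdev check
        return -errno.ENODEV
    if release:
        host.msix_prepared.discard(key)
    else:
        host.msix_prepared.add(key)
    return 0


def do_physdev_op_vulnerable(host, caller, cmd, arg):
    """Dispatcher as the slide describes it: the sub-op is reachable by any guest,
    the caller's privilege is never consulted."""
    if cmd in (PHYSDEVOP_prepare_msix, PHYSDEVOP_release_msix):
        return pci_prepare_msix(host, arg, release=(cmd == PHYSDEVOP_release_msix))
    return -errno.ENOSYS


def do_physdev_op_fixed(host, caller, cmd, arg):
    """Same dispatcher with the privilege check placed before the sub-op."""
    if cmd in (PHYSDEVOP_prepare_msix, PHYSDEVOP_release_msix):
        if not caller.privileged:
            return -errno.EPERM
        return pci_prepare_msix(host, arg, release=(cmd == PHYSDEVOP_release_msix))
    return -errno.ENOSYS


def demo():
    """An unprivileged domU tears down dom0's prepared MSI-X state through the
    vulnerable path; the fixed path refuses it. Returns
    (vulnerable rc, state still prepared?, fixed rc, state still prepared?)."""
    nic = PhysdevPciDevice(seg=0, bus=3, devfn=0)
    host = HostPciState(has_msix_cap={(0, 3, 0): True}, pdevs={(0, 3, 0)})
    dom0, domU = Domain(0, True), Domain(7, False)
    do_physdev_op_fixed(host, dom0, PHYSDEVOP_prepare_msix, nic)      # dom0 sets the device up
    vuln_rc = do_physdev_op_vulnerable(host, domU, PHYSDEVOP_release_msix, nic)
    state_after_vuln = (0, 3, 0) in host.msix_prepared                # False: domU released it
    do_physdev_op_fixed(host, dom0, PHYSDEVOP_prepare_msix, nic)      # dom0 restores it
    fixed_rc = do_physdev_op_fixed(host, domU, PHYSDEVOP_release_msix, nic)
    state_after_fixed = (0, 3, 0) in host.msix_prepared               # True: request refused
    return vuln_rc, state_after_vuln, fixed_rc, state_after_fixed


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one on the slide: the capability and pdev checks validate the device, not the caller, so a guest that names a real MSI-X device passes both and reaches host-wide state. Authorization has to be decided on the caller before any argument handling.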

26 Application Exploitation Without Secure Coding
- WordPress: 162,000 sites were used for a distributed denial of service attack
- Pingback-enabled sites can be used in a DDoS
- Trackbacks
- Pingbacks
- Remote access via mobile devices
- A random query string (?…=…) appended to the request bypasses caching and forces a full page load on every hit
- The requests originate from legitimate sites
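What the attack looks like from the victim's side is the part a defender can act on. The following is an added example, not from the slides: it reads Apache combined-format access log lines, separates pingback reflection hits (a WordPress user agent combined with the random numeric query string the slide describes) from ordinary WordPress traffic such as pingback verification fetches, and reports which reflectors are being abused. The log lines are constructed with RFC 5737 addresses and made-up .example hostnames.

```python
"""Spotting WordPress pingback reflection traffic in an access log.
Added example; the combined-format lines below are constructed."""
import re
from collections import Counter

SAMPLE_ACCESS_LOG = """\
203.0.113.50 - - [10/Mar/2014:11:02:13 +0000] "GET /?5794831=2261054 HTTP/1.0" 200 48213 "-" "WordPress/3.8.1; http://blog-one.example"
198.51.100.77 - - [10/Mar/2014:11:02:13 +0000] "GET /?9912043=77120 HTTP/1.0" 200 48213 "-" "WordPress/3.7.1; http://news-two.example"
203.0.113.50 - - [10/Mar/2014:11:02:14 +0000] "GET /?1183920=4471 HTTP/1.0" 200 48213 "-" "WordPress/3.8.1; http://blog-one.example"
192.0.2.33 - - [10/Mar/2014:11:02:14 +0000] "GET /?66012=9030471 HTTP/1.0" 200 48213 "-" "WordPress/3.6; http://shop-three.example"
192.0.2.9 - - [10/Mar/2014:11:02:20 +0000] "GET /2014/03/cloud-threats/ HTTP/1.1" 200 15320 "-" "WordPress/3.8.1; http://friend-blog.example"
198.51.100.8 - - [10/Mar/2014:11:02:21 +0000] "GET /about/ HTTP/1.1" 200 9021 "http://www.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
WP_UA_RE = re.compile(r"^WordPress/[\d.]+; (?P<site>https?://\S+)$")
CACHE_BUSTER_RE = re.compile(r"\?\d+=\d+$")    # the random ?N=M query the slide describes


def parse_combined(line):
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """'reflection'      = WordPress UA plus random numeric query (cache bypass)
    'wordpress_other' = WordPress UA fetching a real path (e.g. pingback verification)
    'other'           = everything else"""
    if not WP_UA_RE.match(entry["ua"]):
        return "other"
    if CACHE_BUSTER_RE.search(entry["uri"]):
        return "reflection"
    return "wordpress_other"


def find_pingback_reflection(log_text):
    """Summarize reflection traffic: how many hits, from which WordPress sites
    (the reflectors, taken from the UA string) and which source IPs."""
    reflectors, source_ips, kinds = Counter(), set(), Counter()
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if not entry:
            continue
        kind = classify(entry)
        kinds[kind] += 1
        if kind == "reflection":
            reflectors[WP_UA_RE.match(entry["ua"])["site"]] += 1
            source_ips.add(entry["ip"])
    return {
        "reflection_requests": kinds["reflection"],
        "wordpress_other": kinds["wordpress_other"],
        "other": kinds["other"],
        "reflectors": dict(reflectors),
        "distinct_reflectors": len(reflectors),
        "source_ips": sorted(source_ips),
    }


if __name__ == "__main__":
    print(find_pingback_reflection(SAMPLE_ACCESS_LOG))
```

Two things follow from the output. The reflector list is a notification list: each site named in the user agent is a legitimate, unknowing WordPress install whose owner can stop participating by removing pingback.ping from the methods returned through WordPress's xmlrpc_methods filter. On the victim side, the combination of WordPress UA and numeric cache-buster is specific enough to rate-limit at the WAF without blocking genuine pingback verification requests, which fetch the real post URL.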

27 Application Exploitation Without Secure Coding
- A total of 66 different WordPress plugins were targeted, of which 8 received the lion's share of attacks
- TimThumb is a simple, flexible PHP script that resizes images: you give it a set of parameters and it returns a thumbnail image that you can display on your site
- Looking at the types of vulnerabilities attackers were trying to exploit, we saw a clear preference for Remote File Inclusion vulnerabilities, which accounted for 96% of all vulnerability types

28 Questions to Ask Your Service Provider
- What is the data encryption strategy and how is it implemented?
- What is the hypervisor and provider infrastructure patching schedule?
- What is the drive wiping standard used for recycled instances?
- How does the provider support your implementation of endpoint security?
- How do you isolate and safeguard my data from other customers?
- How is user access monitored, modified and documented?
- Which regulatory requirements (PCI, SOX, SSAE 16) are covered?
- What is the provider's backup and disaster recovery strategy?
- What visibility will the provider offer your organization into security processes and events affecting your data, from both the front end and the back end of your instance?
- How does the provider ensure that legal actions taken against other tenants will not affect the privacy of your data?

29 Today's Takeaways
- Cloud adoption is on the rise
- Attacks are growing with further cloud adoption
- You need to be prepared for cloud security challenges
- Work closely with your cloud service provider and security partner
- Make sure to ask all the right questions
- Log everything
- Keep informed of current vulnerabilities
- Have a defense in depth strategy

30 Thank You Q&A

31 Links to additional data