background threat classification
TRANSCRIPT
Kia Manoochehri
Background
Threat Classification ◦ Traditional Threats
◦ Availability of cloud services
◦ Third-Party Control
The “Notorious Nine”
Contractual Obligations
Security: “freedom from risk and danger”
In Computer Science we define security as… ◦ “the ability of a system to protect information and
system resources with respect to confidentiality and integrity”
Three core areas ◦ Confidentiality
◦ Integrity
◦ Authentication
Some other security concepts ◦ Access Control
◦ Nonrepudiation
◦ Availability
◦ Privacy
Cloud Service Providers (CSP) provide a “target rich environment”
Consolidation of information draws potential attackers
Potential problematic areas in the field of Cloud Computing aren’t transparent.
Three broad classifications
◦ Traditional Threats
◦ Availability Threats
◦ Third-Party Control Threats
Anytime a computer is connected to the internet they are at risk… ◦ When we are dealing with Cloud based applications
we are amplifying these threats
Question of responsibility ◦ User vs Provider
Authorization and Authentication ◦ Individual access vs enterprise access
One solution would be to have tiered access ◦ Not every user is created equal!
Distributed Denial of Service attacks (DDoS)
SQL Injection
Phishing
Cross-Site Scripting
Digital forensics cannot be applied to the cloud ◦ Difficult to trace where an attack is from
Virtual Machine vulnerabilities extend to the cloud as well
System failures ◦ http://www.forbes.com/sites/anthonykosner/2012
/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
◦ Amazon’s Elastic Compute Cloud (EC2) in North Virginia goes down due to lightning.
Netflix, Instagram, and Pintrest were down for at least a few hours.
Problem stems from CSP outsourcing certain aspects of their operation ◦ How does this affect
Introduces more points of entry and vulnerability to the Cloud
In 2010 the Cloud Security Alliance (CSA) had defined 7 major threats to Cloud Computing
February 2013 yielded their “Notorious Nine” list ◦ 9 major threats in Cloud Computing
Data Breaches ◦ Currently the biggest threat
◦ The solution is encryption… but
What if you lose the key?
◦ Backing up the data is not viable either
Example: Epsilon
Data Loss ◦ Malicious deletion ◦ Accidental deletion by CSP ◦ Physical catastrophe ◦ Loss of the encryption key
Compliance policies require audit audit records
Example: Mat Honan
Account/Service Hijacking ◦ Phishing, fraud, software exploits
◦ Organizations should be proactive
◦ Two-Factor authentication
Example: XSS attack on Amazon
Insecure Interfaces and APIs ◦ Any vulnerability in an API bleeds over
◦ Can effect security and availability
◦ Partially falls on the consumer
Denial of Service ◦ From the user end… most frustrating
◦ Can cost cloud users $$$
◦ Makes the user doubt the cloud
Malicious Insiders ◦ Straightforward
◦ Systems that only depends on the
CSP for security are at greatest risk
◦ If data-usage encryption is used the data is still vulnerable during storage
Abuse of Cloud Services ◦ Using CSP for malicious purpose
◦ Hacking encryption keys via cloud
◦ DDoS attacks via cloud
◦ Problems of detection arise
Insufficient Due Diligence ◦ Insufficient user experience
◦ Unknown levels of risk when using CSP
◦ Design and architecture issues for devs
◦ Countered by:
Capable resources
Extensive internal understanding of risks
Shared Technology Vulnerabilities ◦ CPU caches, GPUs are not designed to
be isolated
◦ A single vulnerability can lead to an entire environment being compromised
Buffer Overflow SQL Injection Privilege escalation
SSL Certificate spoofing Attacks on browser caches Phishing attacks
Limiting resources Privilege-related attacks Data Distortion Injecting additional operations
DDoS attacks
Goal is to minimize the security risks
Contract between the CSP and user should: ◦ State CSP obligations to handle securely sensitive
information and it’s compliance to privacy laws
◦ Spell out CSP liability for mishandling information
◦ Spell out CSP liability for data loss
◦ Spell out rules governing ownership of data
◦ Specify the geographical regions where information and backups can be stored.
Kia Manoochehri