cloud computing security breaches

Upload: leon77banga

Post on 03-Jun-2018


  • 8/11/2019 Cloud Computing Security Breaches

    1/54

    Presented By

    Sahil

    Cloud Security

    By Sahil

    What is Cloud Security?

    Cloud security is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

    Security Issues in the Cloud

    Loss of Control
        Take back control
        Data and apps may still need to be on the cloud
        But can they be managed in some way by the consumer?

    Lack of trust
        Increase trust (mechanisms)
        Technology
        Policy, regulation
        Contracts (incentives): topic of a future talk

    Multi-tenancy
        Private cloud
        Takes away the reasons to use a cloud in the first place
        Strong separation

    Loss of Control in the Cloud

    Consumer's loss of control
        Data, applications, resources are located with provider
        User identity management is handled by the cloud
        User access control rules, security policies and enforcement are by the cloud provider

    Consumer relies on provider to ensure
        Data security and privacy
        Resource availability
        Monitoring and repairing of services/resources

    Example:

    Lack of Trust in the Cloud

    A brief deviation from the talk (But still related)
        Trusting a third party requires taking risks

    Defining trust and risk
        Opposite sides of the same coin (J. Camp)
        People only trust when it pays
        Need for trust arises only in risky situations

    Defunct third party management schemes
        Hard to balance trust and risk
        e.g. Key Escrow (Clipper chip)
        Is the cloud headed toward the same path?

    Multi-tenancy Issues in the Cloud

    Conflict between tenants' opposing goals
        Tenants share a pool of resources and have opposing goals

    How does multi-tenancy deal with conflict of interest?
        Can tenants get along together and play nicely?
        If they can't, can we isolate them?

    How to provide separation between tenants?

    Principal security dangers to cloud computing

    Principal security dangers

    Loss of governance
    Responsibility ambiguity
    Isolation failure
    Vendor lock-in
    Compliance and legal risks
    Handling of security incidents
    Management interface vulnerability
    Data protection
    Malicious behavior of insiders
    Business failure of the provider
    Service unavailability
    Insecure or incomplete data deletion

    Mitigating Risk

    Ensure effective governance, risk and compliance processes exist
    Audit operational and business processes
    Manage people, roles and identities
    Ensure proper protection of data and information
    Enforce privacy policies
    Assess the security provisions for cloud applications
    Ensure cloud networks and connections are secure
    Evaluate security controls on physical infrastructure and facilities
    Manage security terms in the cloud SLA
    Understand the security requirements of the exit process

    Data corruption or loss

    As more businesses move their operations to the cloud and other virtual environments, a new survey reveals some of the pitfalls associated with storing critical information there.

    The survey revealed that 65 percent of businesses and other organizations have frequently lost data from a virtual environment,

    Data corruption or loss

    According to the survey, common causes of data loss from virtualized environments include:
    file system corruption
    deleted virtual machines
    internal virtual disk corruption
    RAID and other storage server hardware failures
    deleted or corrupt files

    Cause of Data Failure

    Top 5 causes of data loss
    Software failure
    Hardware failure
    Human error
    Employee theft
    Cybercrime

    Internal Security Breaches

    Risk Score: 3

    A Awareness

    Category: People
    Class: Training
    Frequency: High
    Impact: High

    Vulnerability:
    Inadequate user and Cloud service provider employee awareness training on cyber and other security risks.

    Threat Actors:
    Cloud service provider employees and Cloud users (inadvertently).

    Risk:
    Poorly trained or unaware employees are less likely to detect and respond to internal or external data security breaches or threats.

    Key Controls:
    Contractual terms that specify the training regime required, supported by quality assurance and audit processes. Similar training must also occur in-house at the user's site.

    Factoid:
    Percentage of people surv
    that the weather could af
    25

    Copyright The Risk Management Group, 2013

    Risk Score: 3

    E Cloud Provider Employees

    Category: People
    Class: Background Checks
    Frequency: High
    Impact: Medium

    Vulnerability:
    Because Cloud services are generally hosted overseas, the same employee screening checks as those used at home may not be possible. In many cases, they may not even be legal.

    Threat Actors:
    Foreign rogue employees and criminals or single issue extremists.

    Risk:
    Cloud service providers may be penetrated by threat actors intent on accessing hosted data or subverting key systems.

    Key Controls:
    Prior investigation to shortlist Cloud providers who can and do conduct suitable pre-employment screening.

    Factoid:
    Percentage of businesses sta
    awareness is a greater threa
    attacks by cyber criminals.
    65

    Risk Score: 3

    U User Account Management

    Category: People
    Class: User privileges
    Frequency: High
    Impact: Medium

    Vulnerability:
    A failure to amend users' system privileges when they change roles or leave the organisation.

    Threat Actors:
    Cloud service provider employees and sub-contractors.

    Risk:
    Users retain access rights after they are no longer required. Any resulting abuses may be difficult to track.

    Key Controls:
    Close, automated liaison between HR and Security to ensure that all role changes result in a review of user access rights plus regular audits of user accounts and roles to verify appropriateness.

    Factoid:
    Percentage of UK residents e
    companies or their employe
    personal data without appro
    97
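Added example, not part of the original slides: one way to automate the HR-to-Security reconciliation named under Key Controls, flagging leaver accounts, accounts with no HR record, rights beyond the role baseline, and role changes not yet followed by an access review. The role baseline, record fields and sample data are constructed assumptions.

```python
"""Reconcile an HR roster against cloud account entitlements (added example).

All users, roles, entitlements and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical baseline: the entitlements each job role is approved to hold.
ROLE_BASELINE = {
    "dba": {"db-admin", "backup-read"},
    "developer": {"repo-write", "ci-run"},
    "support": {"ticket-read", "customer-read"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str          # "active" or "left"
    role_changed: date   # date of the last role change or departure


@dataclass(frozen=True)
class CloudAccount:
    user: str
    entitlements: frozenset
    last_reviewed: date  # date the access rights were last reviewed


def audit_accounts(hr_records, accounts):
    """Return a sorted list of (user, finding, detail) tuples."""
    hr = {rec.user: rec for rec in hr_records}
    findings = []
    for acct in accounts:
        rec = hr.get(acct.user)
        if rec is None:
            # Nobody in HR owns this account, so no role change can ever trigger a review.
            findings.append((acct.user, "orphaned", "no HR record for account"))
            continue
        if rec.status == "left":
            findings.append((acct.user, "leaver", "account still enabled after departure"))
            continue
        # Unknown roles get an empty baseline, so every right they hold is reported.
        allowed = ROLE_BASELINE.get(rec.role, set())
        excess = sorted(acct.entitlements - allowed)
        if excess:
            findings.append((acct.user, "excess-rights", ",".join(excess)))
        if acct.last_reviewed < rec.role_changed:
            detail = (f"role changed {rec.role_changed.isoformat()}, "
                      f"last review {acct.last_reviewed.isoformat()}")
            findings.append((acct.user, "review-overdue", detail))
    return sorted(findings)


# Constructed sample data.
HR_ROSTER = [
    HrRecord("alice", "developer", "active", date(2013, 1, 10)),
    HrRecord("bob", "support", "active", date(2013, 6, 1)),    # moved from dba to support
    HrRecord("carol", "dba", "left", date(2013, 5, 20)),
    HrRecord("dave", "dba", "active", date(2012, 3, 1)),
]
CLOUD_ACCOUNTS = [
    CloudAccount("alice", frozenset({"repo-write", "ci-run"}), date(2013, 2, 1)),
    CloudAccount("bob", frozenset({"ticket-read", "db-admin"}), date(2013, 3, 15)),
    CloudAccount("carol", frozenset({"db-admin"}), date(2013, 4, 1)),
    CloudAccount("dave", frozenset({"db-admin", "backup-read"}), date(2013, 1, 5)),
    CloudAccount("svc-legacy", frozenset({"backup-read"}), date(2011, 1, 1)),
]

if __name__ == "__main__":
    for user, finding, detail in audit_accounts(HR_ROSTER, CLOUD_ACCOUNTS):
        print(f"{user:12} {finding:15} {detail}")
```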

    Risk Score: 3

    Regulatory Non-compliance

    Category: Applications
    Class: Data Protection
    Frequency: High
    Impact: High

    Vulnerability:
    Data held or manipulated by third party service provider employees in foreign jurisdictions may not be subject to the same level of protection as that required of the data controller by the regulator in the home country or that agreed with the Cloud host.

    Threat Actors:
    Cloud service provider third party employees.

    Risk:
    Data breaches occurring overseas can lead to regulatory sanctions locally.

    Key Controls:
    Contractual defences designed to mitigate the potential for regulatory penalties in the data custodian's home country.

    Factoid:
    Percentage of UK business u
    spending on data security.
    80%

    Risk Score: 3

    C Data Classification Failures

    Category: Applications
    Class: Data Protection
    Frequency: High
    Impact: High

    Vulnerability:
    Poor processes for classifying data according to sensitivity and type can lead to sensitive data being transported to Cloud storage inappropriately.

    Threat Actors:
    Employees and sub-contractors of the data controller.

    Risk:
    Data that should not be placed in Cloud storage is moved to remote storage without the appropriate controls being implemented.

    Key Controls:
    A structured and audited data inventory and classification framework and supporting processes. Regular ongoing Cloud storage inventory audits.

    Factoid:
    Percentage of businesses tha
    data held on personal mobil
    Cloud storage.
    60

    Risk Score: 3

    Ds Denial of Service

    Category: Applications
    Class: Service disruption
    Frequency: Low
    Impact: Critical

    Vulnerability:
    The dependency of Cloud users on remote services means that attacks or technical failures that disrupt Cloud-based services or applications can halt local business operations.

    Threat Actors:
    DoS or DDoS attackers, Malware Devs, Cloud provider staff or contractors.

    Risk:
    Partial or complete loss of access to key systems. Possible business failures and/or financial losses.

    Key Controls:
    Localised disaster recovery and backups. Cloud provider resilience. Cloud risk audits. Data classification and segmentation.

    Factoid:
    The number of UK Internet
    free Low Orbit Ion Cannon
    over a period of just 3 days
    34,0

    Risk Score: 3

    Ec E-crime

    Category: Applications
    Class: e-Commerce Fraud
    Frequency: High
    Impact: Medium

    Vulnerability:
    E-Commerce platforms hosted in the Cloud are subject to attacks and manipulation by internal and external fraudsters. Cloud service employees with admin rights can potentially access sensitive payment data and systems.

    Threat Actors:
    Cloud service employees, contractors, hackers, external fraudsters.

    Risk:
    Exposure and misuse of payment data or fraudulent payments for goods and services via the payment platform.

    Key Controls:
    Payment Card Industry Data Security Standard (PCI DSS) controls & audits.

    Factoid:
    Cybercrime:
    Espionage
    Service denial
    E-crime and cybercrime have
    and effects. While they do o
    primarily technical and e-crim

    Risk Score: 2

    H Hyperjacking

    Category: Applications
    Class: Takeover
    Frequency: Low
    Impact: Critical

    Vulnerability:
    Insecure Hypervisor (supervisory) Cloud applications can theoretically be taken over by malicious attackers.

    Threat Actors:
    Hackers or rogue employees.

    Risk:
    Control over the Hypervisor application stack gives the attacker control over hosted Cloud applications, and services can be denied or data exposed. Crypto-extortion attacks are also possible.

    Key Controls:
    Logical security of the Hypervisor stack, supported by audits and regular penetration testing.

    Factoid:
    The Cloud is becoming incr
    complex. Once fairly well de
    hands are both adding new
    Something-

    Risk Score: 3

    M Malware

    Category: Applications
    Class: Infections
    Frequency: High
    Impact: High

    Vulnerability:
    Like any other form of IT infrastructure, Cloud service platforms are exposed to a wide range of malware infections, particularly if anti-malware applications are not updated regularly.

    Threat Actors:
    Malware developers, Cloud users and hardware suppliers.

    Risk:
    Malware payloads can expose data, introduce persistent spyware, edit operational parameters, facilitate account takeover or execute crypto-extortion and logical denial of service attacks.

    Key Controls:
    Anti-malware applications from recognised suppliers, regularly updated.

    Factoid:
    90%
    Percentage of mobile malwa
    affecting the Android Operat
    Image source: http://mashable.com/201

    Risk Score: 2

    Sy Unauthorised Systems Access

    Category: Applications
    Class: Data Protection
    Frequency: Low
    Impact: High

    Vulnerability:
    Weak controls (e.g. poor or shared passwords) can lead to unauthorised access to systems and data held in the Cloud.

    Threat Actors:
    Hackers and data thieves, Cloud provider staff, joint Cloud tenants and sub-contractors.

    Risk:
    Data is exposed, read, stolen, deleted or edited. Crypto-extortion attacks may also result.

    Key Controls:
    Secure authentication, staff vetting, data encryption, key management, contractual terms to establish liabilities and responsibilities, plus audits.

    Risk Score: 2

    Sc Side Channel Attacks

    Category: Applications
    Class: Data Protection
    Frequency: Low
    Impact: High

    Vulnerability:
    Only demonstrated in the lab so far, this form of attack involves a joint Cloud tenant sniffing the authentication session for another tenant and then engineering an intrusion.

    Threat Actors:
    Malicious joint Cloud tenants.

    Risk:
    Data may be exposed or corrupted and account takeover or crypto-extortion attacks may occur, leading also to regulatory exposure.

    Key Controls:
    Multi-factor authentication, encrypted channels, contractual rights to exclude selected joint tenants or exclusive tenancy agreements.

    Quote:
    Multi-tenant environment
    requirements for each tena
    make a multi-tenant cloud
    compromise.
    Hassan Takabi and James B.D Jos

    Risk Score: 3

    So Source Code

    Category: Applications
    Class: Intellectual Property
    Frequency: Medium
    Impact: High

    Vulnerability:
    Unrestricted access to application or object source code.

    Threat Actors:
    Hackers, Cloud service provider employees, contractors.

    Risk:
    Theft of intellectual property or the manipulation of Cloud systems and hosted code.

    Key Controls:
    Tight access restrictions to source code and the use of compiled (secure) code that defies reverse engineering.

    Risk Score: 4

    Sp Self Provisioning

    Category: Applications
    Class: Data Protection
    Frequency: High
    Impact: Critical

    Vulnerability:
    Frustrated by traditional IT project timelines and controls, many employees now provision their own departmental Cloud services and pay with a credit card.

    Threat Actors:
    Well intentioned but impatient employees.

    Risk:
    Data is placed in Cloud storage without classification and approval and outside the prescribed control framework. Unsuitable Cloud service providers may be selected.

    Key Controls:
    Rules on self-provisioning. Regular audits and data inventory checks.

    Risk Score: 3

    D Device Risks

    Category: Network
    Class: Access Control
    Frequency: High
    Impact: High

    Vulnerability:
    A failure to identify personal mobile or portable devices being used for business purposes (laptops, tablets, PDAs and mobile phones) which often present a higher risk level than desktop devices.

    Threat Actors:
    Mobile device users with infected devices, device thieves, malware developers, hackers.

    Risk:
    Mobile devices are more easily stolen and are increasingly likely to be infected by malware.

    Key Controls:
    Segmentation of access rights by device and/or connection type.

    Factoid:
    70%
    30%
    The use of personal devices
    business-related use is rising

    Risk Score: 3

    P Port Misuse

    Category: Network
    Class: Access Control
    Frequency: High
    Impact: Medium

    Vulnerability:
    Weak access controls on configuration and diagnostic ports within the Cloud environment.

    Threat Actors:
    Hackers and script kiddies, fraudsters and data thieves.

    Risk:
    Weak control over equipment ports can open the Cloud environment up to a wide range of data theft and takeover threats.

    Key Controls:
    Proper user account management and restricted access to key commands and systems (Firewalls, super user and system admin rights, etc.) all reinforced by a sound audit and penetration test regime.

    History lesson:
    Hacking into configuration
    sector has been a long-sta
    cost that industry hundred
    fraud losses over the past

    Risk Score: 3

    Ry Remote Access

    Category: Network
    Class: Access Control
    Frequency: High
    Impact: High

    Vulnerability:
    Remote user access has not been subjected to enhanced levels of security.

    Threat Actors:
    Hackers, script kiddies, rogue employees, data thieves and state actors.

    Risk:
    Insufficiently validated remote users are able to access sensitive systems and data.

    Key Controls:
    Multi-factor authentication for remote users, supported by an audit and penetration testing programme.

    Factoid:
    60%
    The percentage of new vehic
    that can remotely access Clo

    Risk Score: 3

    Si Sniffing & Interception

    Category: Network
    Class: Data Interception
    Frequency: Medium
    Impact: High

    Vulnerability:
    Unencrypted packets sent across the public Internet might be exposed to interception.

    Threat Actors:
    Hackers and state actors.

    Risk:
    Exposure of confidential data, session hijacking and man-in-the-middle attacks.

    Key Controls:
    All sensitive data should be encrypted during transmission. Audits and penetration tests should be used to validate the efficacy of this control.

    Risk Score: 4

    Id Insecure disposal

    Category: Platforms
    Class: Data Protection
    Frequency: High
    Impact: Critical

    Vulnerability:
    Cloud service providers often change out hardware without notifying the parties accountable for the data contained within them. If not professionally disposed of, such equipment may still hold confidential data.

    Threat Actors:
    Agents of foreign states, data thieves, corporate spies.

    Risk:
    Forensic recovery of data held on disposed equipment by a third party.

    Key Controls:
    Contractual and audit procedures to ensure that the data controller is given advance warning of all equipment swaps and that professional disposal routines are adopted.

    Risk Score: 3

    Ih Infected Hardware

    Category: Platforms
    Class: Malware
    Frequency: High
    Impact: High

    Vulnerability:
    Grey market hardware and even some hardware from mainstream sources have been proven to contain Spyware and other forms of APT malware, apparently pre-installed at the point of manufacture.

    Threat Actors:
    Manufacturers, state sponsors, channel staff and engineers.

    Risk:
    Data exposure, crypto-extortion or denial of service attacks.

    Key Controls:
    Contractual terms that require the secure sourcing of Cloud service hardware, along with a right to audit clause and a remote auditing capability.

    Risk Score: 3

    Pf Platform failures

    Category: Platforms
    Class: Disaster Recovery
    Frequency: Low
    Impact: Critical

    Vulnerability:
    As with any IT system, Cloud platforms can fail and the data they contain can be lost or damaged.

    Threat Actors:
    Malware developers or other attackers. Cloud service provider staff.

    Risk:
    Loss of data, corruption of data and loss of service.

    Key Controls:
    Disaster recovery and business continuity plans, including provisions for local recovery infrastructure, must be implemented, audited and regularly tested. Up-to-date anti-malware applications must also be installed.

    Risk Score: 2

    Ps Physical Security

    Category: Platforms
    Class: Access Control
    Frequency: Low
    Impact: Medium

    Vulnerability:
    Smaller Cloud service providers might not be able to offer the required standards of physical site security and access control that larger, more expensive providers can put in place.

    Threat Actors:
    Intruders.

    Risk:
    Damage to or theft of hardware, data theft or exposure, data loss.

    Key Controls:
    Contractual definition of physical security and access control requirements, confirmed by on-site audits and penetration tests.


    Cloud Risks Threat Actors

    Fa The Fraudster

    Profile
    The online fraudster comes in many forms, including the old-fashioned financial fraudster, the e-commerce fraudster, the payment card fraudster, the mortgage fraudster, the insurance claim fraudster, and those attempting to commit market abuse or similar crimes. Indeed, there are any number of fraudster profiles online, limited only by the range of services, payment mechanisms and business models on offer.

    Typical motives
    The goal of the
    make a financia
    loss through th
    her motives are
    either profit or

    Ha The Hacker

    Profile
    The traditional hacker is a technical expert, often renowned for his or her skill and generally proud of it. The hacker specialises in breaking into systems by breaching security using high-tech methodologies. He or she may view corporations and governments with suspicion and will often hold the opinion that software and data should be free of charge and free to access for all. Few in number, experts of this ilk keep a low profile and use pseudonyms to disguise their real identities.

    Typical motives
    The hackers motiv
    define with confide
    Hollywood stereot
    people will come to
    However, those ha
    apprehended in th
    agreed to speak ab
    often included the
    challenge and a dis
    drivers for their be
    reputation is some
    additional motive.

    Ht Hacktivists

    Profile
    The Hacktivist is a politically or ideologically motivated hacker who tends to focus his or her activities on particular governments, organisations or high-profile individuals. The employees of target organisations are often targeted as well.

    Often less technically skilled than a true hacker, the hacktivist makes up for this deficiency through extensive use of social engineering and espionage, sometimes placing spies within the target organisation as employees.

    Typical motives
    Motives include si
    political beliefs, rel
    environmental con
    corporate profit-m
    benefits cuts and r
    been important inf
    Some hacktivists a
    engaged in warfare
    rebellions, adding a
    conventional milita

    Ma The Malware Developer

    Profile
    The malware developer has a great d
    common with the hacker and may ev
    hacker in some cases, but his or her f
    on building autonomous pieces of co
    have the ability to disseminate them
    and infect multiple systems before
    executing a variety of payloads.
    Increasingly, malware developers are
    working along commercial lines and
    their skills and their code to generat
    revenue. Malware may also be used
    hackers to create entry points in targ
    systems.

    Typical motives
    Early malware developers were often motivated by a desire to demonstrate security vulnerabilities in software or organisations, but modern malware developers appear to be motivated primarily by profit.

    In The Corrupted Insider

    Profile
    The Corrupted Insider begins his or her employment in good faith but is either tempted or subverted later on. They often occupy a position of trust with access to sensitive information or systems, which makes them an ideal target for subversion.

    Typical motives
    Temptations often
    combination of eit
    opportunity. Typica
    perceived need to
    lifestyle or offers o
    external attacker. I
    also play an import
    person to betray th

    Sk The Script Kiddie

    Profile
    Far more common than the hacker is the script kiddie. Script kiddies lack the supreme technical skills of hackers, but have sufficient skill and interest in the topic to be able to read or view text and videos on hacking methods and to download and execute software scripts specifically produced by hackers for them. Script kiddies, therefore, represent a channel to market for hackers who wish to reduce their own risk or increase their scope by using a multitude of less skilled hands. Many of the prominent denial of service attacks and code injection attacks witnessed over the last two or three years were executed in large part by script kiddies.

    Typical motives
    Because of their number, it is almost impossible to assign any particular set of motives to this group, and they include single issue extremists, bored teenagers, would-be future hackers and those with a grudge against a particular organisation or brand.

    Se The Social Engineer

    Profile
    The online social engineer is the Internet version of the conman. He or she specialises in understanding human behaviour and psychology and in exploiting that to persuade targets to either take or avoid specific actions, often going against their better judgement. Examples include persuading targets to disclose personal data, bank account information, trade or organisational secrets, and other confidential information or opinions, as well as data belonging to others.

    Typical motives
    Social engineer
    number of reas
    themselves, or
    developers, Inte
    fraudsters and
    actor for whom
    valuable as a so
    areas or as a m
    fraud.

    Se The Spammer

    Profile
    The spammer is engaged in a commercial activity which involves the distribution of unsolicited messages by any available electronic means in order to broadcast advertising to a large target audience. In its earliest manifestation, spam was typically delivered via email, but as the technology has evolved, the world has seen the emergence of mobile phone spam, instant message spam and more recently, social media spam. Although organisations and service providers have done a great deal to manage the impact of spam on users and consumers, spam remains a problem as it uses up significant amounts of capacity in the communications network, and at the end of the day consumers still pay the cost of this, though they may not be aware of the fact.

    Typical motives
    Almost without
    a pure profit mo
    of denial of serv
    have many of th
    the difference b
    tend to be direc
    number of targe
    to as many reci

    Se The Spy

    Profile
    The online spy may be an agent of the state or acting in the employ of a corporation. He or she may also be part of a single issue, organised crime or terrorist cell. Whatever the nature of the organisation behind the spy, the goals and methodologies of spies are generally consistent: to gather secret data for the purpose of creating business intelligence, crime intelligence, military intelligence or for cyber warfare planning. This data may include competitive information, customer data, pricing, intellectual property, military dispositions, information about Internet infrastructure and systems, as well as state secrets. Spies use many of the techniques described above, including Internet investigations, malware, hacking, social engineering, and even fraud to achieve their ends.

    Typical motives
    A majority of online spies are believed to be salaried individuals carrying out the instructions of their employers, and in this sense, their personal motives are largely irrelevant. A minority of spies, for example those engaged in terrorism or in supporting single issue extremists, may have purely ideological motives for their actions.


    Account Session Hijacking

    Hijacking

    Session Hijacking is when you take someone's cookie and inje
    your browser, letting you log in without the password.

    In beginner terms: Session Hijacking is taking the person's un
    code (cookie) stored in their browser while they are logged in
    something (like GMail). If you have that code, you can put it in
    own browser, and trick the system into thinking you are that u
    is a common method on how you can hack emails.
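Added example, not part of the original slides: the server side of the cookie replay described above, showing cookie flags that keep the session code away from page scripts and unencrypted links, plus a check that revokes a session presented from a different client context. The function names, the context inputs (user agent and client network) and the 15-minute lifetime are assumptions; the context check is a detection signal, not proof of identity.

```python
"""Server-side handling of a session cookie (added example, constructed values)."""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)   # demo key, regenerated on each start
SESSION_TTL = 900                      # assumed lifetime: 15 minutes
_sessions = {}                         # session id -> session record


def _context_tag(user_agent, client_net):
    """Keyed hash of the client context seen at login (hypothetical inputs)."""
    msg = f"{user_agent}|{client_net}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(user, user_agent, client_net, now=None):
    """Create a session and return the value of the Set-Cookie header."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)    # unguessable session code
    _sessions[sid] = {
        "user": user,
        "ctx": _context_tag(user_agent, client_net),
        "expires": now + SESSION_TTL,
    }
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["httponly"] = True      # not readable from page scripts
    jar["sid"]["secure"] = True        # only sent over TLS
    jar["sid"]["samesite"] = "Strict"  # not attached to cross-site requests
    jar["sid"]["path"] = "/"
    jar["sid"]["max-age"] = SESSION_TTL
    return jar["sid"].OutputString()


def validate(cookie_header, user_agent, client_net, now=None):
    """Return (user, reason); user is None when the request is rejected."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "sid" not in jar:
        return None, "no-session"
    sid = jar["sid"].value
    sess = _sessions.get(sid)
    if sess is None:
        return None, "unknown-session"
    if now >= sess["expires"]:
        del _sessions[sid]
        return None, "expired"
    if not hmac.compare_digest(sess["ctx"], _context_tag(user_agent, client_net)):
        # Same code, different client: revoke it so it cannot be used again
        # and the legitimate user is forced to log in afresh.
        del _sessions[sid]
        return None, "context-mismatch"
    return sess["user"], "ok"


if __name__ == "__main__":
    # Constructed walk-through: the owner's request, a replay, then the revoked code.
    header = login("alice", "Browser-A", "198.51.100.0/24")
    print("Set-Cookie:", header)
    sent = header.split(";")[0]
    print(validate(sent, "Browser-A", "198.51.100.0/24"))
    print(validate(sent, "Browser-B", "203.0.113.0/24"))
    print(validate(sent, "Browser-A", "198.51.100.0/24"))
```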

    Example

    Cloud Computing Security Models

    There are a plethora of different reference architectures, models and frameworks for Cloud Computing. Which one should an organization adopt? Of course there's no straightforward answer to that question and in this research note we provide guidance on how to organize some of the best ideas that are emerging in a practical structure that should stand the test of time.

    Who uses Cloud Security and how?


    Security Model
