Transcript
Page 1: Securing the cloud and your assets

The cloud & securing your assets

Marcus Dempsey

Page 2: Securing the cloud and your assets

Shameless plug

Marcus Dempsey

• 24+ years working in IT
• Managing Director for TeraByte IT
• Penetration tester
• Offensive Security Wireless Professional
• Certified Ethical Hacker
• Computer Hacking Forensic Investigator
• F1 fan

Page 3: Securing the cloud and your assets

Why use the cloud?

• Managed services
• Flexibility in deploying and scaling assets
• Disaster recovery in a box
• Pay as you go spending
• Version and document control
• Automatic updating of services
• Environmentally friendly
• Increased security controls
• Infrastructure as a service
• Platform as a service
• No standing in a cold aisle at the datacentre

Page 4: Securing the cloud and your assets

Cloud Providers

Page 5: Securing the cloud and your assets

What are the dangers?

• Intrusion
• Data theft
• Possible loss of reputation
• Bankruptcy
• Insider attacks
• No control over vendor outages
• Automatic updates may cause incompatibility issues
• Disgruntled employee
• Lack or loss of overall visibility of service health

Page 6: Securing the cloud and your assets

Securing your assets

• Installation of endpoint anti-virus software
• Only allowing inbound / outbound traffic for what’s needed
• Keep machines patched and up to date (including base build images)
• Restrict privileged user access to specific users only
• Make use of auditing: login / logout, privilege changes etc.
• Make use of two-factor authentication, especially for high-level accounts
• Regular penetration testing (internal / external)
• Strong certificates which have 2048-bit or greater keys and SHA256
• Encrypt traffic between endpoints (HTTPS, IPSEC)
• In Microsoft environments, use Windows Server Update Services (WSUS)

Page 7: Securing the cloud and your assets

Mistakes that are made

• Not updating client applications (Java / Adobe)
• Not updating Operating Systems
• Opening access to SSH, RDP to the world
• Not having well defined security controls / policies in place
• Use of weak or common passwords
• Not disabling unused accounts
• Not planning for expansion and resilience from day one
• Not patching critical exploits / 0day
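The two firewall points on these slides (only allowing the inbound / outbound traffic that is needed, and not opening SSH or RDP to the world) can be checked mechanically. The Python below is an added example, not part of the original deck; the rule schema, field names and sample rules are constructed for illustration and do not match any provider's export format.

```python
import ipaddress

# Remote-administration ports named on the slide: SSH and RDP.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def is_world(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_admin_ports(rules):
    """Return (rule name, service, cidr) for each inbound allow rule that
    exposes SSH or RDP to every address on the internet."""
    findings = []
    for rule in rules:
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        if rule["protocol"] == "all":
            low, high = 0, 65535  # "all" covers every port
        elif rule["protocol"] == "tcp":
            low, high = rule["from_port"], rule["to_port"]
        else:
            continue  # SSH and RDP exposure is checked on TCP only
        for cidr in rule["sources"]:
            if not is_world(cidr):
                continue
            for port, service in sorted(ADMIN_PORTS.items()):
                if low <= port <= high:  # catches wide ranges, not just exact ports
                    findings.append((rule["name"], service, cidr))
    return findings


def make_rule(name, protocol, from_port, to_port, sources, action="allow"):
    """Build one inbound rule in the hypothetical schema used here."""
    return {"name": name, "direction": "inbound", "action": action,
            "protocol": protocol, "from_port": from_port,
            "to_port": to_port, "sources": sources}


# Constructed sample rules in a hypothetical schema (not a provider export).
SAMPLE_RULES = [
    make_rule("web-https", "tcp", 443, 443, ["0.0.0.0/0"]),
    make_rule("ssh-office", "tcp", 22, 22, ["203.0.113.0/24"]),
    make_rule("rdp-any", "tcp", 3389, 3389, ["0.0.0.0/0", "::/0"]),
    make_rule("wide-range", "tcp", 20, 1024, ["0.0.0.0/0"]),
    make_rule("allow-all-v6", "all", None, None, ["::/0"]),
]

if __name__ == "__main__":
    for name, service, cidr in world_open_admin_ports(SAMPLE_RULES):
        print(f"{name}: {service} reachable from {cidr}")
```

The `wide-range` and `allow-all-v6` rules are the cases a search for an exact port number misses: neither mentions 22 or 3389, yet both expose them.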

Page 8: Securing the cloud and your assets

25 common passwords of 2014

123456
password
12345
12345678
qwerty
123456789
1234
Baseball
Dragon
football
1234567
monkey
letmein
abc123
123123
111111
mustang
access
shadow
master
michael
superman
696969
batman
trustno1

Page 9: Securing the cloud and your assets

Things that make sysadmins cry

Page 10: Securing the cloud and your assets

More information

Amazon AWS
• http://aws.amazon.com/whitepapers/aws-security-best-practices
• http://aws.amazon.com/security

Microsoft Azure
• http://blogs.msdn.com/b/mast/archive/2013/02/05/security-best-practices-for-windows-azure.aspx
• http://blogs.msdn.com/b/usisvde/archive/2012/03/07/windows-azure-security-best-practices-part-1-the-challenges-defense-in-depth.aspx

Vulnerability News
• https://technet.microsoft.com/en-us/security/cc307424.aspx
• https://cve.mitre.org/
• http://www.securityfocus.com/vulnerabilities

Page 11: Securing the cloud and your assets

Any Questions?

