Download - Securing the cloud and your assets
The cloud & securing your assets
Marcus Dempsey
Shameless plugMarcus Dempsey
• 24+ years working in IT• Managing Director for TeraByte IT• Penetration tester• Offensive Security Wireless Professional• Certified Ethical Hacker• Computer Hacking Forensic Investigator• F1 fan
Why use the cloud?• Managed services• Flexibility in deploying and scaling assets• Disaster recovery in a box• Pay as you go spending• Version and document control• Automatic updating of services• Environmentally friendly• Increased security controls• Infrastructure as a service• Platform as a service• No standing in a cold isle at the datacentre
Cloud Providers
What are the dangers?• Intrusion• Data theft• Possible loss of reputation• Bankruptcy• Insider attacks• No control over vendor outages• Automatic updates may cause incompatibility issues• Disgruntled employee• Lack or loss of overall visibility of service health
Securing your assets• Installation of endpoint anti-virus software• Only allowing inbound / outbound traffic for what’s needed• Keep machines patched and up to date (including base build images)• Restrict privileged user access to specific users only• Make use of auditing, login / logout, privilege changes etc.• Make use of two-factor authentication especially for high-level accounts• Regular penetration testing (internal / external)• Strong certificates which have 2048bit or greater keys and SHA256• Encrypt traffic between endpoints (HTTPS, IPSEC)• Microsoft environments, use Windows Server Update Services (WSUS)
Mistakes that are made• Not updating client applications (Java / Adobe)• Not updating Operating Systems• Opening access to SSH, RDP to the world• Not having well defined security controls / policies in place• Use of weak or common passwords• Not disabling unused accounts• Not planning for expansion and resilience from day one• Not patching critical exploits / 0day
25 common passwords of 2014123456password1234512345678qwerty1234567891234BaseballDragonfootball1234567monkeyletmein
abc123
123123111111mustangaccessshadowmastermichaelsuperman696969batmantrustno1
Things that make sysadmins cry
More informationAmazon AWS• http://aws.amazon.com/whitepapers/aws-security-best-practices• http://aws.amazon.com/security
Microsoft Azure• http://
blogs.msdn.com/b/mast/archive/2013/02/05/security-best-practices-for-windows-azure.aspx
• http://blogs.msdn.com/b/usisvde/archive/2012/03/07/windows-azure-security-best-practices-part-1-the-challenges-defense-in-depth.aspx
Vulnerability News• https://technet.microsoft.com/en-us/security/cc307424.aspx• https://cve.mitre.org/• http://www.securityfocus.com/vulnerabilities
Any Questions?