(pdf) yury chemerkin i-society 2013
8/13/2019 (PDF) Yury Chemerkin I-society 2013
Limitations of Security Standards against [...]
Yury Chemerkin
International Conference on Information Society (i-Society 2013)
Experienced in:
- Reverse Engineering & AV
- Software Programming & Documentation
- Mobile Security and MDM
- Cyber Security & Cloud Security
- Compliance & Transparency
- Security Writing: Hakin9 Magazine, PenTest Magazine, eForensics Magazine, Groteck Business Media
- Participation at conferences: InfoSecurityRussia, NullCon, AthCon, CONFidence, PHDAYS, CYBERCRIME FORUM, Cyber Intelligence Europe / Intelligence-Sec, ICITST, CyberTimes, ITA
[ Yury Chemerkin ]
www.linkedin.com/in/yurychemerkin
http://sto-strategy.com
yury.chemerk[...]
Cloud Issues (Known Issues / Known Solutions)
- Threats: Customization and best practice
- Privacy: Crypto anarchism
- Compliance: CSA, ISO, PCI, SAS 70
- Legal: Typically US location
- Vendor lock-in: Platform, Data, Tools lock-in
- Open source / Open standards: Top clouds are not open-source
- Security: Physical clouds more secured th[...]
- Abuse: Botnets and malware infections
- IT governance: Depends on organization needs
- Ambiguity of terminology: Reference to wide services, solu[...]
Common Security Recommendations
Object / What to do
- Data Ownership: Full rights and access to data
- Data Segmentation: Isolation of data from other customers' data
- Data Encryption: Encryption of data in transit, in memory and in storage (at rest)
- Backup/Recovery: Availability for recovery
- Data Destruction: Ability to securely destroy data when no longer needed
- Access Control: Who has access to data?
- Log Management: Data access is logged and monitored regularly
- Incident Response: Are there processes and notifications in place for incidents (including breaches) that affect data?
- Security Controls: Appropriate security and configuration controls for protection
- Patch Management: Patching for the latest vulnerabilities and exploits?
What is about Public Clouds
Some known facts about AWS & Azure in relation to the issues mentioned
- Top clouds are not open source: OpenStack is API-compatible with Amazon EC2 and Amazon S3, so client applications written for AWS can be used with OpenStack with minimal porting effort, while Azure is not.
- Platform lock-in: Besides OpenStack, there are Import/Export tools to migrate from/to VMware, while Azure does not have them.
- Data lock-in: Native AWS solutions are linked with Cisco routers for upload, download and tunneling, as well as with 3rd-party storage like SMEStorage (AWS, Azure, Dropbox, Google, etc.), while Azure is not.
- Tools lock-in: Longing for an inter-cloud mana[...] industrial and built with complian[...]
- APIs lock-in: Longing for inter-cloud APIs, how[...] known inter-OS APIs for PC, MD[...]
- No transparency: Weak compliance and transparenc[...] and NDA relationships between cl[...] third-party auditors and experts
- Abuse: Abuse is not a new issue and is e[...] AWS Vulnerability Bulletins as a k[...] response and stay tuned
Clouds: Public against Private
Longing for managing CPU, memory and other closed resources
- [Intel] :: The Essential Intelligent Client: Applied and known for VMware. The ability to control clouds through Intel AMT commands or otherwise is applied for VMware. There were no known successful implementations for AWS, Azure, GAE or other clouds.
- [Elcomsoft] :: Cracking Passwor[...] / Breaking PGP on EC2 with EDPR: Serious performance proble[...] of where the trusted/untrust[...] agents are. Overloading the virtual OS CPU commands and system [...]. Overloading is multiplied b[...] the best of all demonstrated GPU (Elcomsoft, GPU Cra[...])
Clouds: Public against Private
It is generally known that private clouds are the most secure. There is no PoC to prove this statement.
- [AWS] :: Xen Security Advisories: There are known Xen attacks (Blue Pill, etc.). No Xen vulnerability has been shown to apply to the AWS services. Very customized clouds.
- [CSA] :: CSA "The Notorious Nine: Cloud Computing Top Threats in 2013": Replaced a document published in 2009. Such best practices provide the least security. No significant changes since 2009, even in the examples.

Top Threats Examples
- 1.0 Threat: Data Breaches // "Cross-VM Side Channels and Their Use to Extract Private Keys"
- 7.0 Threat: Abuse of Cloud Services // "Cross-VM Side Channels and Their Use to Extract Private Keys"
- 4.0 Threat: Insecure Interfaces and APIs

Besides the reality of CSA threats:
- 1.0 & 7.0 cases highlight how th[...] e.g. AWS EC2 are vulnerable
- 1.0 & 7.0 cases are totally focuse[...] cloud case (VMware and Xen), [...] known way to adopt it to AWS
- 4.0 case presents issues raised by [...] not related to public clouds (exce[...] SkyDrive) and addressed to inse[...]
Compliance: from CSA's viewpoint
On CSA side:
- The goal is bringing transparency to cloud controls and features, especially security controls and features
- Such documents claim to be up to date with an expert-level understanding of significant threats and vulnerabilities
- Unifying recommendations for all clouds
- Up to now, it is the third revision
- All recommendations are linked with other standards: PCI DSS, ISO, NIST, COBIT, FedRAMP
On vendors' and customers' side:
- Top known cloud vendors announce compliance with it
- Some of the reports are getting old by now
- Customers have to control their environ[...] needs
- Customers want to know whether it is i[...] especially local regulations and how far
- Customers want to know whether it ma[...] transparency to let them build an appropriate [...]
Compliance: from Cloud Vendors' view
Compliance, Transparency, Elabo[...]
- CAIQ/CCM provides an equivalent of the recommendations across several standards; CAIQ provides more details on security and privacy, but NIST is more specific
- CSA recommendations are thin on technical details:
  - It helps vendors pass compliance more easily
  - It lets them avoid having their solutions worked out in detail and/or leaves them badly documented
  - It lets them make a lot of references to 3rd-party reviewers under NDA (SOC 1 or SAS 70)
- Bad idea to let vendors fill in such documents: they provide fewer public details; they take it to NDA reports
- Vendors' general explanations multipl[...] standards recommendations are extremely [...] transparency
- Clouds call for specific levels of audit reporting, security controlling and data retention: it is often not a part of the SLA offered; it is outside the recommendations
- AWS often goes into detail with their architecture; AWS solutions are very well suited to be in co[...] standards and specific local regulations such [...]
- It additionally needs the use of CLI, AP[...], third-party solutions and implemen[...]; it offers a PenTest opportunity
Compliance: from Cloud Vendors' view
Compliance, Transparency, Elabo[...]
Description / DIFF (AWS vs. Azure)
- Third Party Audits: As opposed to AWS, Azure does not have a clearly defined statement on whether their customers are able to p[...] vulnerability test
- Information System Regulatory Mapping: AWS goes into detail to comply with it, which results in differences between CAIQ and CCM
- Handling / Labeling / Security Policy: AWS details what customers are allowed to do and how exactly, while Azure does not
- Retention Policy: AWS points to the customers' responsibility to manage data, excluding moving between Availability Zones; ensures validation and processing with it, and indicates historical auto-backup of data
- Secure Disposal: Nothing serious; AWS additionally relies on DoD 5220.22, while Azure does NIST 800-88 only
- Information Leakage: AWS relies on AMI and EBS services, while Azure relies on data integrity
- Policy, User Access, MFA: No difference, both have it
- Baseline Requirements: AWS provides more highly detailed how-to docs than Azure, allows import of trusted VMs from VMware, Azure [...]
- Encryption, Encryption Key Management: AWS offers encryption features for VM, storage, DB and networks, while Azure does for XStore (Azure Storage)
- Vulnerability / Patch Management: AWS allows its customers to ask for their own pentest, while Azure does not
- Nondisclosure Agreements, Third Party Agreements: AWS highlights that they do not leverage any 3rd-party cloud providers to deliver AWS services to the [...] the procedures, NDA undergone with ISO
- User ID Credentials: Besides AD (Active Directory), the AWS IAM solution is in alignment with both CAIQ and CCM requirements, wh[...] the AD to perform these actions
- (Non)Production environments, Network Security: AWS provides more detailed how-to documents for achieving compliance
- Segmentation: Besides vendor features, AWS provides quite similar mechanisms in alignment with CAIQ & CCM, while Azure poin[...] infrastructure on the vendor side
- Mobile Code: AWS points its clients to be responsible for meeting such requirements, while Azure points to building solutions trac[...]
Compliance: from Cloud Vendors' view
Compliance, Transparency, Elabo[...]
Control coverage by NIST control name, without control enhancements (w/o CE) and with control enhancements (w CE); the numbers are the control enhancement numbers.

NAME | w/o CE: AWS | w/o CE: Azure | w CE: AWS | w CE: Azure
Access Control Policy and Procedures | Y | Y | None | None
Account Management | Y | Y exc. g | Y: 1, 4, 6, 7; prebuilt: 2, 5a-b; poss. 3, 5c, 5d | Y: 1-4, 5a, 6
Access Enforcement | Y | Y | Y: 1, 2; prebuilt: 3-6 | Y exc. 3
Information Flow Enforcement | Y | Y | prebuilt: 1-8, 10-17; N/A: 9 | Y exc. N/A
Least Privilege | Y | Y | Y | Y
Security Attributes | prebuilt | prebuilt exc. N/A: 5 | None | None
Use of External Information Systems | Y | Y | Y | Y
Auditable Events | Y | Y | None | None
Audit Review, Analysis, and Reporting | Y | Y | p.internal | t.internal
Protection of Audit Information | Y | Y | poss. | poss.
Security Function Isolation | t.internal | t.internal | t.internal | t.internal
Denial of Service Protection | p.internal | p.internal | p.internal | p.internal
Boundary Protection | prebuilt | prebuilt | prebuilt: 1-6, 11 exc. poss. 4c; prebuilt: 7, 8, 9, 12, 15, 16; prebuilt: 10 exc. N/A: iii, t.internal: v; p.internal: 13, 14, 17 | prebuilt; N/A: 3-4; poss. 7; p.interna[...]
Architecture & Provisioning for Name/Address Resolution Service | prebuilt | t.internal | prebuilt | t.internal
Honeypots | poss. | poss. | None | None
OS Independent Applications | poss. | poss. | None | None
Protection of Data at Rest | poss. | poss. | None | None
Out of paper example (MDM): Efficiency o[...]
[Bar chart; y-axis 0.00 to 250.00 (%); series: "% m+a activity vs perm" and "% m+a derived activity vs perm"; the per-bar labels are not recoverable from the extraction]
Out of paper example (MDM): Efficiency o[...]

Platform | Quantity of Groups | Average perm per group | Efficiency | Total permissions
BlackBerry Old | 55 | 20 | 80.00 | 1100
iOS | 16 | 5 | 38.46 | 80
BlackBerry QNX | 7 | 7 | 31.82 | 49

[Bar chart of the same four quantities per platform; y-axis 0 to 100]
- The best security & permissions model among the compared clouds belongs to AWS
- Most cases are not clear regarding the roles and responsibilities of cloud vendors and their customers
- Some of such cases are not clear on the background type: technical or non-technical
- Swapping responsibilities and shifting the vendor's job onto the customer's shoulders
- Referring to independent audit reports under NDA as many times as they can
- All recommendations should be enhanced by independent analysis by experts in the respective areas
- CSA puts cross-references to other standards such as NIST, which adds complexity and lack of clarity
- NIST is more detailed and well documented with cross-references, and AWS matches NIST more closely
CONCLUSION
THE VENDOR SECURITY VISION HAS NOTHING TO DO WITH REALITY, AGGRAVA[...]
Q&A