securing the cloud and your assets

Download Securing the cloud and your assets

Post on 16-Apr-2017

129 views

Category:

Technology

1 download

Embed Size (px)

TRANSCRIPT

PowerPoint Presentation

The cloud & securing your assetsMarcus Dempsey

1

Shameless plugMarcus Dempsey

24+ years working in ITManaging Director for TeraByte ITPenetration testerOffensive Security Wireless ProfessionalCertified Ethical HackerComputer Hacking Forensic InvestigatorF1 fan

Why use the cloud?Managed servicesFlexibility in deploying and scaling assetsDisaster recovery in a boxPay as you go spendingVersion and document controlAutomatic updating of servicesEnvironmentally friendlyIncreased security controlsInfrastructure as a servicePlatform as a serviceNo standing in a cold isle at the datacentre

3

Cloud Providers

What are the dangers?IntrusionData theftPossible loss of reputationBankruptcyInsider attacksNo control over vendor outagesAutomatic updates may cause incompatibility issuesDisgruntled employeeLack or loss of overall visibility of service health

Securing your assetsInstallation of endpoint anti-virus softwareOnly allowing inbound / outbound traffic for whats neededKeep machines patched and up to date (including base build images)Restrict privileged user access to specific users onlyMake use of auditing, login / logout, privilege changes etc.Make use of two-factor authentication especially for high-level accountsRegular penetration testing (internal / external)Strong certificates which have 2048bit or greater keys and SHA256Encrypt traffic between endpoints (HTTPS, IPSEC)Microsoft environments, use Windows Server Update Services (WSUS)

Mistakes that are madeNot updating client applications (Java / Adobe)Not updating Operating SystemsOpening access to SSH, RDP to the worldNot having well defined security controls / policies in placeUse of weak or common passwordsNot disabling unused accountsNot planning for expansion and resilience from day oneNot patching critical exploits / 0day

25 common passwords of 2014123456password1234512345678qwerty1234567891234BaseballDragonfootball1234567monkeyletmein

abc123123123111111mustangaccessshadowmastermichaelsuperman696969batmantrustno1

Things that make sysadmins cry

More informationAmazon AWShttp://aws.amazon.com/whitepapers/aws-security-best-practiceshttp://aws.amazon.com/security

Microsoft Azurehttp://blogs.msdn.com/b/mast/archive/2013/02/05/security-best-practices-for-windows-azure.aspxhttp://blogs.msdn.com/b/usisvde/archive/2012/03/07/windows-azure-security-best-practices-part-1-the-challenges-defense-in-depth.aspx

Vulnerability Newshttps://technet.microsoft.com/en-us/security/cc307424.aspxhttps://cve.mitre.org/http://www.securityfocus.com/vulnerabilities

10

Any Questions?

View more >