cloud security on the dollar menu
play

Cloud Security on the Dollar Menu ARNEL MANALO, CISSP, AWS-CSAA - PowerPoint PPT Presentation

Feb 12, 2024 •415 likes •819 views

Cloud Security on the Dollar Menu ARNEL MANALO, CISSP, AWS-CSAA SHELLCON 2018 Agenda Introductions What RMTS does Intro AWS security model Breaches and State Laws AWS Recon Hardening AWS About me: Arnel Manalo,

  1. Cloud Security on the Dollar Menu ARNEL MANALO, CISSP, AWS-CSAA SHELLCON 2018

  2. Agenda • Introductions • What RMTS does • Intro AWS security model • Breaches and State Laws • AWS Recon • Hardening AWS

  3. About me: Arnel Manalo, CISSP Cybersecurity Architect RICHEY MAY TECHNOLOGY SOLUTIONS • BS, Computer Systems Security, Colorado Technical University • CISSP • AWS-CSAA

  4. About Richey May Technology Solutions Richey May Technology Solutions is a results-driven consulting firm offering the full spectrum of technology solutions for your business. Led by technology experts with decades of cumulative experience in executive IT roles, our team is able to bring you pragmatic, real-world solutions that deliver value to your business. Cybersecurity Cloud Services Governance, Technology Risk, Compliance Management & Privacy Consulting Marketing Technology

  5. Image Source: http://srini.karlekar.com/?p=313

  6. AWS Security Incident Leaderboard 1. Uber – 57 million customer/drivers records compromised 2. Time Warner Cable – 4m customer records exposed 3. 10k GitHub users revealed their AWS secret keys

  7. AWS Uber Data Breach • Acquired AWS account credentials via GitHub • Restricted access and implemented controls AFTERWARDS Image Source: https://i.imgflip.com/1pgtpk.jpg

  8. AWS Time Warner Breach • Found publicly available S3 Buckets • Information spanned from November 2010 – July 2017 Image Source: https://assets.rbl.ms/13622690/980x.jpg

  9. Breaches U.S. State Data Breach Notification Statutes – Form of Data dwt.com

  10. Breaches U.S. State Data Breach Notification Statutes - Harm Threshold dwt.com dwt.com

  11. California Breach Laws • California Breach Notice: California Civil Code s. 1798.29 and California Civ. Code s. 1798.82 • CCPA (2020) allows consumers to sue companies for “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”

  12. Recent State Changes States Increase Focus: Arizona HB 2154: In 2018, Arizona expanded the coverage of their existing data breach notification law; via House Bill 2154. The updated legislation expands the definition of what is considered personally identifiable information; consumer data, as well as adds specific definitions for what the state believes to be a security incident vs a data breach. It also adds civil penalties of $10,000-$500,000 Colorado House Bill 18-1128: Colorado has also passed expanded privacy and cybersecurity legislation requiring covered entities to deploy and maintain reasonable security controls around personally indefinable information of Colorado residents. Colorado also requires defined controls that manage the data life cycle of consumer data from inception, during use, at rest and destruction at end of life. The new law which becomes effective this fall; September 1 st 2018, requiring firms develop a formal cybersecurity program focused on protecting information appropriate to the nature of the personal information collected and the size of the business.

  13. Recent State Changes States Increase Focus: Ohio Senate Bill 220: Ohio recently signed into law the Ohio Data Protection Act; enabling organizations to limit their liability through a safe harbor rule if the organizations adopted and implemented a written cybersecurity program based on industry accepted frameworks such as the National Institute of Standards and Technology (NIST) 800.53, ISO 27000, or PCI-DSS.

  14. AWS Reconnaissance

  15. net:"50.112.0.0/16" Shodan.io

  16. GitHub • https://github.com/michenriksen/gitrob • https://github.com/awslabs/git-secrets

  17. Locating Buckets • https://github.com/gwen001/s3-buckets-finder • https://github.com/eth0izzle/bucket-stream • https://github.com/digininja/CloudStorageFinder • https://github.com/RhinoSecurityLabs/Security- Research/tree/master/tools/aws-pentest-tools/s3 • https://github.com/glen-mac/goGetBucket

  18. gwen001 Image source: https://github.com/gwen001/s3-buckets-finder/blob/master/README.md

  19. eth0izzle Image source: https://github.com/eth0izzle/bucket-stream/blob/master/README.md

  20. Other • https://github.com/marpaia/AWSome • https://github.com/dagrz/aws_pwn • https://github.com/nccgroup/Scout2 • https://github.com/toniblyx/my-arsenal-of-aws-security-tools

  21. Hardening AWS

  22. IAM Roles • Lock Away Your AWS Account Root User Access Keys • Enable MFA for Privileged Users • Create Individual IAM Users • Use Roles for Applications That Run on Amazon EC2 Instances • Use Groups to Assign Permissions to IAM Users • Use Roles to Delegate Permissions • Use AWS Defined Policies to Assign Permissions Whenever Possible • Do Not Share Access Keys • Grant Least Privilege • Rotate Credentials Regularly • Use Access Levels to Review IAM Permissions • Remove Unnecessary Credentials • Configure a Strong Password Policy for Your Users • Use Policy Conditions for Extra Security • Video Presentation About IAM Best Practices • Monitor Activity in Your AWS Account More reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

  23. S3 Bucket Hardening • Restrict Access to buckets • Monitor S3 resources • Use Encryption

  24. S3 Bucket Policy Examples • Permit only specific IP address or website

  25. S3 Bucket Events • Emailed when an object gets created or deleted • Completed easily with a few steps: • Create SNS topic to email events • Permit access of s3 bucket to SNS topic • Configure Events which to trigger off of

  26. Create SNS Topic • SNS Console -> Create new topic • Select newly created topic -> create subscription*

  27. S3 Access to SNS Topic • Select topic -> edit topic Policy

  28. Configure S3 Bucket Events • Go to S3 console • Select desired bucket • Select properties • Scroll down and select events

  29. Alert Examples

  30. VPC NACL vs. EC2 Security Groups • VPC NACL are what define general outbound and inbound rules for the specified VPC or network. Default allow • EC2 Security Groups are what are assigned to specific EC2 instances within VPCs and define inbound/outbound traffic. Default deny

  31. When to use NACL vs Security Group • NACL for generic inbound-outbound to entire VPC • Security Group for specific host or hosts traffic • Sometimes both

  32. CloudTrail • Audit, compliance, operational risk • Marks API calls as Events • Can forward events to store in S3 or make alerts in CloudWatch • Two Non-API actions captured: • Service Events – Spot Instance bid prices • Console Login Attempts

  33. CloudWatch • Monitors AWS services and resources real-time • Collect and track metrics and/or logs • Can send off alarms or automatically make changes or start workflows

  34. Monitor Root Account Usage • From the CloudWatch console -> Logs • Select CloudTrail logs group • Create Metric Filter • Assign the metric -> Metric Filter box: RootAccountUsage -> Metric Namespace: CloudTrailMetrics -> Metrics Name: RootAccountUsage -> Metric Value: 1

  35. Monitor Root Account Usage cont. • Create Alarm • Enter notification information as desired

  36. TrustedAdvisor • AWS Service that scans and compares it to best practices. • Cost Optimization • Performance • Fault Tolerance • Service Limits • Security

  37. Trusted Advisor Security – FREE!! • Security Groups – Specific Ports • IAM • S3 Buckets • EBS Snapshots • RDS Snapshots • More specifics on different best practices: https://aws.amazon.com/premiumsupport/trustedadvisor/best -practices/

  38. Billing Alarms • Must be signed in with root account -> billing -> preferences -> receive billing alerts. • After it’s enabled – go to cloudwatch console and create alarm specific to billing and set to your desired threshold.

  39. Thank you! ARNEL MANALO (@ARNSEC) HTTPS://WWW.RICHEYMAYTECH.COM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the Cloud? How the Cloud is delivered: Iaas, PaaS and SaaS Cloud security challenges and risk Current Cloud security report Cloud security technology

302 views • 27 slides
Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined) Administrative discussions Stephen McCamant University of Minnesota Multi-Cloud Oblivious Storage Old and new topics in security Cloud threats, old and new

645 views • 8 slides
1 2 3 4 5 For certain users, when selecting items in the Enterprise Menu, the Menu will be

1 2 3 4 5 For certain users, when selecting items in the Enterprise Menu, the Menu will be

1 2 3 4 5 For certain users, when selecting items in the Enterprise Menu, the Menu will be shrunk horizontally and text will only be viewable by using the scroll bar at the bottom of the page. 6 In the previous release users security

527 views • 31 slides
1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

Agenda Related Polices to Cloud Computing I. Guidelines for Information Security of Cloud II. Computing Cloud Security Certification Scheme in KOREA Cloud Security Certification Program in Korea III. April. 11, 2017 Jungduk (JD) KIM, Ph.

403 views • 5 slides
Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing Storage Computation High availability No maintenance Decreased Costs Elasticity & Flexibility Security and Privacy for Cloud

529 views • 36 slides
The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud Engineering Immunet, Inc. Monday, August 22, 2011 The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Chief Architect, Cloud

848 views • 68 slides
Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud Computing model. Presented By: Marissa Hollingsworth Overview What is Cloud Computing? Unique Security Concerns in the Cloud

556 views • 34 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security Cap-ex Free Resilience Infrastructure Elasticity Infrastructure Flexibility Sevices 5% of organizations have migrated at least 30% 41% 52%

540 views • 11 slides
Security : a snapshot from W3C Virginie GALINDO July 2014 Menu ? 30 minutes to taste web,

Security : a snapshot from W3C Virginie GALINDO July 2014 Menu ? 30 minutes to taste web,

Security : a snapshot from W3C Virginie GALINDO July 2014 Menu ? 30 minutes to taste web, standard and security cocktail (no drone, no demo, no hack, no code, just gossips) 2 #RMLL2014 Virginie Galindo 3 #RMLL2014 Web Security ?

796 views • 33 slides
WELCOME THANK YOU ! WHY NO HAT? WHITE HAT BLACK HAT WHITE or BLACK ? OUR MENU

WELCOME THANK YOU ! WHY NO HAT? WHITE HAT BLACK HAT WHITE or BLACK ? OUR MENU

WELCOME THANK YOU ! WHY NO HAT? WHITE HAT BLACK HAT WHITE or BLACK ? OUR MENU MORNING Hardware Security Vulnerabilities Malware OUR MENU MORNING AFTERNOON Hardware Security Cybercrime Vulnerabilities Communities

222 views • 18 slides
Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste

Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste

Towards Supercloud Computing: User-Centric Security Management for Clouds of Clouds Marc Lacoste Orange Labs SEC2 ComPAS15 Workshop on Cloud Security Lille, June 30, 2015 Cloud Security Today Security = key concern in cloud adoption for the

2.73k views • 33 slides
CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns

CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns

CS573 Data privacy and security in the cloud in the cloud Slide credits: Ragib Hasan, Johns Hopkins University What is Cloud Computing ? Lets hear from the experts 2 What is Cloud Computing ? The infinite wisdom of the crowds (via

709 views • 38 slides
Dollar Cost Averaging DCA: invest gradually in equal dollar amounts, rather than investing the

Dollar Cost Averaging DCA: invest gradually in equal dollar amounts, rather than investing the

Why Dollar Cost Averaging Doesnt Work - And Why Investors Use It Anyway Simon Hayley Cass Business School Dollar Cost Averaging DCA: invest gradually in equal dollar amounts, rather than investing the desired total in one lump sum.

413 views • 13 slides
Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of

Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of

Agenda Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013 1. To provide an overview of Multi-Tier Cloud Security (MTCS SS584:2013) standard 2. To detail the deployment considerations and related initiatives Wong Onn Chee, Cloud

352 views • 6 slides
A Practical Complexity-Theoretic Analysis of Mix Systems Vinh Pham 1 , Joss Wright 2 , Dogan

A Practical Complexity-Theoretic Analysis of Mix Systems Vinh Pham 1 , Joss Wright 2 , Dogan

A Practical Complexity-Theoretic Analysis of Mix Systems Vinh Pham 1 , Joss Wright 2 , Dogan Kesdogan 1 Siegen University, Germany 1 , University of Oxford, United Kingdom 2 1/13 Motivation Anonymity definition [Pfitzmann & K ohntop

778 views • 30 slides
Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a highly evolved form of information warfare. Fascinating socioeconomic study with many players - users, ISPs, spammers, technologists, legal

322 views • 17 slides
Welcome PolicyWorks for Philanthropy seeks to effectively engage regional associations of

Welcome PolicyWorks for Philanthropy seeks to effectively engage regional associations of

* 6 mute * 6 mute * 7 unmute Welcome PolicyWorks for Philanthropy seeks to effectively engage regional associations of grantmakers in policy work that helps to ensure a vibrant philanthropic sector able to strengthen t ib t hil th i t bl t t th

610 views • 35 slides
Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der Toorn November 13, 2018 University of Twente, Design and Analysis of Communication Systems Introduction Olivier

825 views • 71 slides
with new hadronic top-tagging techniques T T.A. du Pree, P. Harris, J. Marrouche, N. Wardle

with new hadronic top-tagging techniques T T.A. du Pree, P. Harris, J. Marrouche, N. Wardle

Search for top+ E miss with new hadronic top-tagging techniques T T.A. du Pree, P. Harris, J. Marrouche, N. Wardle [CERN] M. Cremonesi, B. Jayatilaka, J. Lewis, C.M. Suarez, N. Tran [Fermilab] D. Abercrombie, B. Allen, Z. Demiragli, G. G

346 views • 34 slides
Outline 1. Introduction 2. Spectral Energy Distributions 3. Beaming Effect in Fermi Blazars 4.

Outline 1. Introduction 2. Spectral Energy Distributions 3. Beaming Effect in Fermi Blazars 4.

The Spectral Energy Distributions and Beaming Effect for Fermi Blazars Junhui Fan Guangzhou University Collaborators: J H Yang, Y Liu, C Lin, Y.H. Yuan, H B Xiao Black Holes and Friends 2 11-13 April 2016, Fudan Univ. China Outline 1.

693 views • 65 slides
Good Machine Learning = Generalization Goal of machine learning: build models that generalize

Good Machine Learning = Generalization Goal of machine learning: build models that generalize

Good Machine Learning = Generalization Goal of machine learning: build models that generalize well to predicting new data Overfitting: fitting the training data too well, so we lose generality of model o Example: linear regression vs.

120 views • 11 slides
9. Discrete Transistor Amplifiers Lecture notes: Sec. 6 Sedra & Smith (6 th Ed): Sec. 5.6,

9. Discrete Transistor Amplifiers Lecture notes: Sec. 6 Sedra & Smith (6 th Ed): Sec. 5.6,

9. Discrete Transistor Amplifiers Lecture notes: Sec. 6 Sedra & Smith (6 th Ed): Sec. 5.6, 5.8, 6.6 & 6.8 Sedra & Smith (5 th Ed): Sec. 4.6, 4.8, 5.6 & 5.8 ECE 65, Winter2013, F. Najmabadi How to add signal to the bias Bias &

579 views • 29 slides

More recommend