O Outro Lado BSidesSP Ed. 5 - As Nove Principais Ameaças na Computação em Nuvem

1

Picture source: sxc.hu

Cloud Security Alliance

André Serralheiro

2

•  O que é Cloud Compu)ng •  Cloud Security Alliance •  CSA 2013 Top Threats

Agenda

3


CLOUD COMPUTING O que é a computação em nuvem

4

O que é a computação em nuvem (1)

fonte: sxc.hu

“Cloud compuBng is a model for enabling ubiquitous, convenient, on-‐demand network access to a shared pool of configurable compuBng resources (e.g., networks, servers, storage, applicaBons, and services) that can be rapidly provisioned and released with minimal management effort or service provider interacBon. This cloud model promotes availability and is composed of five essenBal characterisBcs, three service models, and four deployment models.”

In “NIST Cloud CompuBng Standards Roadmap -‐ Special PublicaBon 500-‐291”

5

O que é a computação em nuvem (2)

fonte: sxc.hu In “Security Guidance for CriBcal Areas of Focus in Cloud CompuBng v3”

6


CLOUD SECURITY ALLIANCE Cloud Security Alliance e Capitulo Brasileiro

7

–  Associação sem fins lucraBvos –  Reúne pessoas ]sicas e empresas –  Oficializada em dezembro de 2008 –  +35mil membros, +130 membros corporaBvos –  Presente em 23 países através de 30 Chapters locais (setembro/2012)

Cloud Security Alliance (CSA)

8

“Promover a uBlização das melhores práBcas para fornecer garanBa de segurança dentro de Cloud CompuBng, e oferecer educação sobre os usos de Cloud CompuBng para ajudar a proteger todas as outras formas de computação.”

Missão


9

•  Segundo Chapter oficial da CSA –  Oficializado em 27 de Maio de 2010

•  Segue Missão e ObjeBvos da CSA Global –  Promover a Segurança em Cloud CompuBng

–  Promover pesquisas e iniciaBvas locais

CSA Brasil

10

•  CerBficação “CerBficate of Cloud Security Knowledge (CCSK)” –  Exame online –  Custo de USD $345.

•  Treinamento –  CCSK training –  PCI Cloud training –  GRC Stack training

Educação hkps://cloudsecurityalliance.org/educaBon

hkps://ccsk.cloudsecurityalliance.org

11

Algumas das inicia)vas de pesquisa

hkps://cloudsecurityalliance.org/research

12

– Estabelece um guia de recomendações para adoptação segura e estavél das operações na nuvem;

– Redifine dominios desde a ulBma versão de forma a enfaBzar segurança, estabilidade e privacidade;

– Estabelece recomendações práBcas e requerimentos que podem ser mensurados e auditados.

Inicia)va de pesquisa: Security Guidance for Cri)cal Areas of Focus in Cloud Compu)ng

hkps://cloudsecurityalliance.org/research/security-‐guidance/

Security Guidance for CriBcal Areas in Cloud CompuBng V.3

13

– Registro gratuito e de acesso público dos controles de segurança de diversos provedores de Cloud CompuBng;

– Relatórios de auto-‐avaliação sobre compliance com as melhores práBcas publicadas pela CSA;

– Ajuda os usuários a avaliarem a segurança dos provedores de Cloud.

Inicia)va de pesquisa: CSA Security, Trust & Assurance Registry (STAR)

hkps://cloudsecurityalliance.org/star/

14

“Este documento destaca algumas das moBvações mais comumente apontadas como jusBficaBvas para a adoção de Computação em Nuvem, bem como alguns dos aspectos a serem considerados quanto a cada uma destas moBvações. Com este documento a CSA Brazil Chapter pretende contribuir com gestores e tomadores de decisão quanto à decisão sobre a adoção de Computação em Nuvem em suas organizações.” –  Uelinton Santos, Luiz Augusto Amelos, Filipe Villar, Eduardo Fedorowicz

Inicia)va de pesquisa: White Paper -‐ Adoção de computação em Nuvem e suas mo)vações

hkps://chapters.cloudsecurityalliance.org/brazil/2012/08/17/white-‐paper-‐adocao-‐de-‐computacao-‐em-‐nuvem-‐e-‐suas-‐moBvacoes/

15


CLOUD SECURITY ALLIANCE CSA Top Threats 2013

16

•  Migração do conceito de cliente-‐servidor para o de serviço, com rapidez na migração e a redução de custos operacionais

•  Não adequação de poliBcas, processos e melhores práBcas

CSA Top Threats 2013 -‐ Porquê?

17

•  Condução de quesBonários direcionados a especialistas da indústria para mapear quais as maiores possíveis vulnerabilidades da adoção de Cloud Compu)ng

•  Compilação e comparação dos resultados com o relatório anterior (2010)

•  Elaboração do report que deve servir de suporte para uBlizadores provedores, na tomada de decisão em relação a miBgação de riscos dentro da cloud strategy

•  Este report deve ser uBlizado com os guias de melhores práBcas: •  “Security Guidance for CriBcal Areas in Cloud CompuBng V.3” •  “Security as a Service ImplementaBon Guidance.”

CSA Top Threats 2013 -‐ Como e com que obje)vo?

18

1.  Data Breaches 2.  Data Loss 3.  Account Hijacking 4.  Insecure APIs 5.  Denial of Service 6.  Malicious Insiders 7.  Abuse of Cloud Services 8.  Insufficient Due Diligence 9.  Shared Technology Issues

CSA Top Threats 2013 – Quais?

19

Como analisar cada ameaça? SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

CSA REFERENCE

Domain X

•  Qual o modelo de serviço impactado pela ameaça em parBcular

•  Qual a relação entre o Risco atual e Percepção de Risco

•  Quais capítulos do guia* tratam sobre a ameaça ou como a miBgar

RISK ANALYSIS

CIANA STRIDE

•  Quais os riscos do ponto de vista de: CIANA (ConfidenBality, Integrity, Availability, Non-‐RepudiaBon, AuthenBcaBon) STRIDE (Spoofing, Tampering, RepudiaBon, InformaBon disclosure, Denial of service, ElevaBon of privilege)

* -‐ Security Guidance for CriBcal Areas in Cloud CompuBng V.3”

20

(1) Top Threat: Data Breaches SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

CSA REFERENCE

Domain 5: InformaBon Management and Data Security Domain 10: ApplicaBon Security Domain 12: IdenBty, EnBtlement and Access Management Domain 13: VirtualizaBon

RISK ANALYSIS

CIANA: ConfidenBality STRIDE: InformaBon Disclosure

It’s every CIO’s worst nightmare: the organizaBon’s sensiBve internal data falls into the hands of their compeBtors. While this scenario has kept execuBves awake at night long before the advent of compuBng, cloud compuBng introduces significant new avenues of akack. In November 2012, researchers from the University of North Carolina, the University of Wisconsin and RSA CorporaBon released a paper describing how a virtual machine could use side channel Bming informaBon to extract private cryptographic keys being used in other virtual machines on the same physical server. However, in many cases an akacker wouldn’t even need to go to such lengths. If a mulBtenant cloud service database is not properly designed, a flaw in one client’s applicaBon could allow an akacker access not only to that client’s data, but every other client’s data as well.

21

(2) Top Threat: Data Loss SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

CSA REFERENCE

Domain 5: InformaBon Management and Data Security Domain 10: ApplicaBon Security Domain 12: IdenBty, EnBtlement and Access Management Domain 13: VirtualizaBon

RISK ANALYSIS

CIANA: Availability, Non-‐RepudiaBon STRIDE: RepudiaBon, Denial of Service

For both consumers and businesses, the prospect of permanently losing one’s data is terrifying. Just ask Mat Honan, writer for Wired magazine: in the summer of 2012, akackers broke into Mat’s Apple, Gmail and Twiker accounts. They then used that access to erase all of his personal data in those accounts, including all of the baby pictures Mat had taken of his 18-‐month-‐old daughter. Of course, data stored in the cloud can be lost due to reasons other than malicious akackers. Any accidental deleBon by the cloud service provider, or worse, a physical catastrophe such as a fire or earthquake, could lead to the permanent loss of customers’ data unless the provider takes adequate measures to backup data. Furthermore, the burden of avoiding data loss does not fall solely on the provider’s shoulders. If a customer encrypts his or her data before uploading it to the cloud, but loses the encrypBon key, the data will be lost as well.

22

(3) Top Threat: Account Hijacking SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

CSA REFERENCE

Domain 2: Governance and Enterprise Risk Management Domain 5: InformaBon Management and Data Security Domain 7: TradiBonal Security, Business ConBnuity, and Disaster Recovery Domain 9: Incident Response Domain 11: EncrypBon and Key Management Domain 12: IdenBty, EnBtlement, and Access Management

RISK ANALYSIS

CIANA: AuthenBcity, Integrity, ConfidenBality, Non-‐repudiaBon, Availability STRIDE: Tampering with Data, RepudiaBon, InformaBon Disclosure, ElevaBon of Privilege, Spoofing IdenBty

Account or service hijacking is not new. Akack methods such as phishing, fraud, and exploitaBon of so�ware vulnerabiliBes sBll achieve results. CredenBals and passwords are o�en reused, which amplifies the impact of such akacks. Cloud soluBons add a new threat to the landscape. If an akacker gains access to your credenBals, they can eavesdrop on your acBviBes and transacBons, manipulate data, return falsified informaBon, and redirect your clients to illegiBmate sites. Your account or service instances may become a new base for the akacker. From here, they may leverage the power of your reputaBon to launch subsequent akacks. In April 2010, Amazon experienced a Cross-‐Site ScripBng (XSS) bug that allowed akackers to hijack credenBals from the site. In 2009, numerous Amazon systems were hijacked to run Zeus botnet nodes.

23

CSA REFERENCE

Domain 5: InformaBon Management and Data Security Domain 6: Interoperability and Portability Domain 9: Incident Response Domain 10: ApplicaBon Security Domain 11: EncrypBon and Key Management Domain 12: IdenBty, EnBtlement, and Access Management

Cloud compuBng providers expose a set of so�ware interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestraBon, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authenBcaBon and access control to encrypBon and acBvity monitoring, these interfaces must be designed to protect against both accidental and malicious akempts to circumvent policy. Furthermore, organizaBons and third parBes o�en build upon these interfaces to offer value-‐added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizaBons may be required to relinquish their credenBals to third-‐parBes in order to enable their agency.

RISK ANALYSIS

CIANA: AuthenBcity, Integrity, ConfidenBality STRIDE: Tampering with Data, RepudiaBon, InformaBon Disclosure, ElevaBon of Privilege

(4) Top Threat: Insecure APIs SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

24

(5) Top Threat: Denial of Service SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

CSA REFERENCE Domain 8: Data Center OperaBons Domain 9: Incident Response Domain 10: ApplicaBon Security Domain 13: VirtualizaBon Domain 14: Security as a Service

RISK ANALYSIS CIANA: Availability STRIDE: Denial of Service

Simply put, denial-‐of-‐service akacks are akacks meant to prevent users of a cloud service from being able to access their data or their applicaBons. By forcing the vicBm cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space or network bandwidth, the akacker (or akackers, as is the case in distributed denial-‐of-‐service (DDoS) akacks) causes an intolerable system slowdown and leaves all of the legiBmate service users confused and angry as to why the service isn’t responding. While DDoS akacks tend to generate a lot of fear and media akenBon (especially when the perpetrators are acBng out of a sense of poliBcal “hacBvism”), they are by no means the only form of DoS akack. Asymmetric applicaBon-‐level DoS akacks take advantage of vulnerabiliBes in web servers, databases, or other cloud resources, allowing a malicious individual to take out an applicaBon using a single extremely small akack payload – in some cases less than 100 bytes long.

25

CSA REFERENCE

Domain 2: Governance and Enterprise Risk Management Domain 5: InformaBon Management and Data Security Domain 11: EncrypBon and Key Management Domain 12: IdenBty, EnBtlement and Access Management

(6) Top Threat: Malicious Insiders SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

RISK ANALYSIS STRIDE: Spoofing, Tampering, InformaBon Disclosure

The risk of malicious insiders has been debated in the security industry. While the level of threat is le� to debate, the fact that the insider threat is a real adversary is not. CERN defines an insider threat as such*: “A malicious insider threat to an organizaBon is a current or former employee, contractor, or other business partner who has or had authorized access to an organizaBon's network, system, or data and intenBonally exceeded or misused that access in a manner that negaBvely affected the confidenBality, integrity, or availability of the organizaBon's informaBon or informaBon systems.”

* -‐ hkp://www.cloudtweaks.com/2012/10/insider-‐threats-‐to-‐cloud-‐compuBng/

26

(7) Top Threat: Abuse of Cloud Services SERVICE MODEL

IaaS PaaS

RISK MATRIX

N/A

RISK ANALYSIS

CIANA: N/A STRIDE: N/A

CSA REFERENCE

Domain 2: Governance and Enterprise Risk Management Domain 9: Incident Response

One of cloud compuBng’s greatest benefits is that it allows even small organizaBons access to vast amounts of compuBng power. It would be difficult for most organizaBons to purchase and maintain tens of thousands of servers, but renBng Bme on tens of thousands of servers from a cloud compuBng provider is much more affordable. However, not everyone wants to use this power for good. It might take an akacker years to crack an encrypBon key using his own limited hardware, but using an array of cloud servers, he might be able to crack it in minutes. Alternately, he might use that array of cloud servers to stage a DDoS akack, serve malware or distribute pirated so�ware.

27

CSA REFERENCE

Domain 2: Governance and Enterprise Risk Management Domain 3: Legal and Electronic Discovery Domain 8: Data Center OperaBons Domain 9: Incident Response, NoBficaBon and RemediaBon

(8) Top Threat: Insufficient Due Diligence

SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

RISK ANALYSIS

STRIDE: All

Cloud compuBng has brought with it a gold rush of sorts, with many organizaBons rushing into the promise of cost reducBons, operaBonal efficiencies and improved security. While these can be realisBc goals for organizaBons that have the resources to adopt cloud technologies properly, too many enterprises jump into the cloud without understanding the full scope of the undertaking. Without a complete understanding of the CSP environment, applicaBons or services being pushed to the cloud, and operaBonal responsibiliBes such as incident response, encrypBon, and security monitoring, organizaBons are taking on unknown levels of risk in ways they may not even comprehend, but that are a far departure from their current risks.

28

CSA REFERENCE

Domain 1: Cloud compuBng architectural framework Domain 5: InformaBon management and data security Domain 11: EncrypBon and key management Domain 12: IdenBty, enBtlement, and access management Domain 13: VirtualizaBon

(9) Top Threat: Shared Technology Issues

SERVICE MODEL

IaaS PaaS SaaS

RISK MATRIX

Perceived Risk

Actual Risk

RISK ANALYSIS

STRIDE: InformaBon Disclosure, ElevaBon of Privilege

Cloud service providers deliver their services in a scalable way by sharing infrastructure, pla�orms, and applicaBons. Whether it’s the underlying components that make up this infrastructure (e.g. CPU caches, GPUs, etc.) that were not designed to offer strong isolaBon properBes for a mulB-‐tenant architecture (IaaS), re-‐deployable pla�orms (PaaS), or mulB-‐customer applicaBons (SaaS), the threat of shared vulnerabiliBes exists in all delivery models. A defensive in-‐depth strategy is recommended and should include compute, storage, network, applicaBon and user security enforcement, and monitoring, whether the service model is IaaS, PaaS, or SaaS. The key is that a single vulnerability or misconfiguraBon can lead to a compromise across an enBre provider’s cloud.

29

André Serralheiro - [email protected] •  Cloud Security Alliance

https://www.cloudsecurityalliance.org •  Cloud Security Alliance

https://chapters.cloudsecurityalliance.org/brazil •  Twitter - @csabr •  Fan Page - https://www.facebook.com/

CSA.CapituloBrasil

Contato

30


OBRIGADO

André Serralheiro

O Outro Lado BSidesSP Ed. 5 - As Nove Principais Ameaças na Computação em Nuvem

Technology

Transcript of O Outro Lado BSidesSP Ed. 5 - As Nove Principais Ameaças na Computação em Nuvem