Managing Cloud Security Design and Implementation in a Ransomware World
Download as PPTX, PDF0 likes986 views
1) The document discusses security design and implementation considerations for managing cloud security in a ransomware world. 2) It provides examples of security design reviews that can be conducted, including checking for authentication, authorization, port listening, and firewall configurations. 3) The document also gives examples of how to implement authentication and authorization securely in MongoDB, such as binding to localhost by default and using IP whitelisting.
Managing Cloud Security Design and Implementation in a Ransomware World
- 1. #MDBW17 Davi Ottenheimer, Product Security Managing Cloud Security Design and Implementation in a Ransomware World
- 3. #MDBW17 Whoami >20 years of flyingpenguin ● Security Ops ● Assessments ● Investigations ● Products
- 4. #MDBW17 Realities of Securing Big Data “Why trust a strategic knowledge system?”
- 5. #MDBW17 Security is Evolution ● Evolution is the process not a destination ● Escalation a function of competitions ● Economics impacts risk mitigation #MDBW17
- 6. #MDBW17 Security is Evolution ● Audit everything (Check your health) ● People who could behave responsibly may not ● BitCoin “mining” changed behavior economics ● Authentication hygiene still is top threat to security #MDBW17
- 7. #MDBW17 Ignaz Semmelweis 1847 “Savior of mothers” discovered hand washing standards can drop childbed fever from 30% to 1% “There is one cause, all that matters is cleanliness” Source: http://www.pbs.org/newshour/updates/ignaz-semmelweis-doctor-prescribed-hand-washing/
- 8. #MDBW17 Economics of “Getting Bit” ● Mining with AWS keys is wasteful ○ 1 instance per day is ~$8 cost for ~$2 mined (variable) ○ ~$6/day loss per instance ○ “Better use of dollars to buy coins instead of instance time” ● Stolen AWS key shifts waste to victims ○ Attacker spins victim instances ASAP ○ $10,000/hour victim cost burden ○ $2,500/hour attacker profit
- 10. #MDBW17 RANSOMWARE! ● Use of access to deny access, unless ransom paid ● US gov: 4,000/day ransomware attacks in 2016 (300% over 2015) Source: https://www.justice.gov/criminal-ccips/file/872771/
- 12. #MDBW17 Ransomware Evolution 1994 2004 2007 2010 2014 Botnets Adware Spyware Rogueware For-Profit “Advanced Persistent” Key & Cert GPCODE CRYPTOLOCKERCRYPTOVIRUS 1989 AIDS ... Viruses Worms Trojans CRYPTOWALL TORRENTLOCKER TESLACRYPT LOCKER R.I.P. Tron 1998 R.I.P. Hagbard 1989 LOCKY “KGB Hack” > DM 100K + drugs over 3 years > Burned to death > http://phrack.org/issues/25/10.html
- 13. #MDBW17 An Economics Perspective X ● Old-method experienced cost inflation ○ Cloud agility = DDoS more expensive ○ Expensive race condition for pay ● New-method experienced cost deflation ○ Scan/Exploit kits (easy to find victims) ○ Social engineering kits (easy to phish) ○ Key management kits (easy to encrypt) ○ Monetization kits (easy to extort) “I’ve never actually stormed a castle, but I’ve taken a bunch of siege-management courses.”
- 14. #MDBW17 Big DDoS attacks affect some AWS customers, but chief Andy Jassy assures cloud is secure ● DDoS targeted Dynamic Network Services (Dyn) ● Dyn one of many AWS DNS providers ● AWS services (Shield) help, and 3rd party too but… “...agility single biggest reason enterprise move to cloud” 2016 Q4 Akamai “State of the Internet” Report: ● 7 of 10 biggest (300+ Gbps) DDoS in history happened in 2016 ● 3 of 10 were in 2016 Q4 Sources: https://www.geekwire.com/2016/big-ddos-attacks-hit-amazon-web-services-customers-jassy-assures-cloud-secure/, https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/
- 15. #MDBW17 2008 Terry Childs Case ● San Francisco City Government Loses Control of Cloud ○ Emergency Services (Fire, Police, etc.) ○ “Almost Included Utilities” (Wastewater Treatment) ● Own Administrator (Childs) Charged With DoS ○ Deadman Traps on Switches (Erase Config) ○ Encrypted Storage (Fiber Tap at Core Led to Hidden Servers) ○ Withheld “Keys” From Staff and Management ● Found Guilty by Court ○ “His boss’ boss was an authorized user, could not be legally denied access” ○ Jury included 13 Year Network Admin and CCIE Source: http://www.computerworld.com/article/2468913/cybercrime-hacking/terry-childs-found-guilty-of-san-francisco-fiberwan-lockout.html
- 16. #MDBW17 “Rock Solid, Secure…” June 16, 2014
- 17. #MDBW17 “...completely deleted” June 17, 2014
- 19. #MDBW17 1. Seek vulnerable access 2. Lock and/or Encrypt 3. Extort How Ransomware Works Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/
- 20. #MDBW17 Seek Vulnerable Access 1. Find a foothold using credential (or even non-credentialed) • Internet facing services • User devices • Platforms (github, pastebin, facebook, etc.) 2. Pivot and traverse • Gather credentials • Elevate privileges • Find valuable data North South East West Users Apps User Dir User Dir
- 21. #MDBW17 Lock and/or encrypt • Anything believed to be valuable to target • Any backups (prevent restores) • Using modern algorithms (AES256) • Unique keys on remote infrastructure
- 22. #MDBW17 Extort • Name of “Replaced” DB • README • ReadmePlease • PLEASE_READ • IHAVEYOURDATA • WARNING • WARNING_ALERT • PWNED • PWNED_SECURE_YOUR_STUFF_SILLY • DELETED_BECAUSE_YOU_DIDNT_PASSWORD_PROTECT_YOUR_MONGODB • to_get_DB_back_send_1BTC_to_1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD ● Amount ○ 0.1 BTC ○ 0.15 BTC ○ 0.2 BTC ○ 0.25 BTC ○ 0.5 BTC ○ 1 BTC Source: https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit#gid=0 { "_id" : ObjectId("9854a4532b5e63f722fcc9da"), "mail" : "user@domain.com", "note" : "SEND 0.1 BTC TO THIS ADDRESS 1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }
- 24. #MDBW17 Are You Ready? ● Asset Management Lifecycle ● Dependencies on Providers ● Incident Response Procedures ● Disaster Recovery Plan (Backups!) ● Identity and Access Management ○ Components ○ Standards* ● AES256 ● TLS1.2 ● FIPS 140-2 *https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html { ● PCI/DSS ● SOC2 ● ISO 27000x ● HIPAA-HITECH ● GDPR ● FedRamp (NIST 800-53)
- 25. #MDBW17 Design Considerations ● Critical Severity Vulnerability ○ Remediate Immediately (R = 0) ○ Patch Within 24 hours (e.g. HEARTBLEED) ● High Severity (R = 5 Days) ● Medium Severity (R = 60 Days) ● Low Severity ○ Business Impact Analysis ○ Customer Impact Analysis
- 26. #MDBW17 Design Considerations (RFC2904) X ● Authentication ● Authorization ● Accounting Source: https://tools.ietf.org/html/rfc2904
- 27. #MDBW17 Security Design Review Services • Providers* • AWS Trusted Advisor, Inspector • Azure Security Center • GCP Cloud Security Scanner • Self • Scan for Accidental Secret Leaks (“Github Commit Crawler”) • Detect and Identify Assets (API Call, OVF Scan) • Assess Configurations (SCAP, XCCDF, SSLcheck) *https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
- 28. #MDBW17 Implementation Example 1 • Is authentication disabled? > if (db.adminCommand('getCmdLineOpts').parsed.security === undefined || db.adminCommand('getCmdLineOpts').parsed.security.authorization === undefined || db.adminCommand('getCmdLineOpts').parsed.security.authorization == "disabled"){ print("NO AUTH! NO AUTH!")}else{print("Good work, Auth enabled")} • Is a default port listening (27017, 29017)? > db.adminCommand('getCmdLineOpts').parsed.net.port Source: https://docs.mongodb.com/manual/reference/default-mongodb-port/
- 29. #MDBW17 Implementation Example 2 Service connected to wide area network lacking any “security group” or firewall? 1. On system outside network, grab mongodb client > wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz > tar -zxf mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz -C 3.4 --strip-components=1 2. Test by connecting to Internet hostname > ~/3.4/bin/mongo --host <urmongodb_host_name> --port <urmongodb_port>
- 31. #MDBW17 Implementation Example 2 • Bind to localhost by default in v3.5.8 • IP Whitelisting option in v3.6 • Associate IP addresses/ranges to auth roles • If IP fail, then authentication fail • Can restrict __system user to authenticate from only cluster nodes
- 32. #MDBW17 Design Improvement Cycles ● Daily Full Credential Scan of Any New Instance ● Weekly Full Credential Scan of Builds Prior to Staging ● Quarterly “Approved Scanning Vendor” (ASV) Report ● Biannually ○ “Full” Penetration Test ○ Code Review #MDBW17
- 33. #MDBW17 Managing Cloud Security Design and Implementation in a Ransomware World Thank You!