SlideShare a Scribd company logo

Reducing Your Attack Surface & Your Role in Cloud Workload Protection

Alert Logic , profile picture
Alert Logic

- The document discusses reducing attack surfaces, particularly in cloud environments. It notes that understanding your attack surface is critical for deploying proper security controls and that cloud attack surfaces differ from on-premises environments. - Web application attacks are now the leading cause of data breaches, but less than 5% of security budgets are spent on application security. Various case studies of breaches are presented that resulted from vulnerabilities in web applications and misconfigurations in cloud infrastructure. - Common issues discussed include vulnerabilities in WordPress, exposed AWS S3 buckets, and credential compromises. The importance of rapidly detecting and eliminating threats is also covered.

Technology
Related topics:
Cloud Security Insights
1 of 24
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Thank you.
Thank you.Reducing Your Attack Surface Ryan Holland – Senior Director of Cloud Architecture, Alert Logic
Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
Real world view from our SOC
#2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Exploited a WordPress/PHP vulnerability in 2013 Where are they now? Sold to Verizon. Valuation revised by $350M
Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
#3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
AWS S3 Data Leaks Due To Misconfigurations
#4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
Cloud Insight Essentials check Misconfigurations
Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
Attack Surface Factors
Importance of Eliminating Dwell Time
The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study
Thank you.

More Related Content

PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
The Intersection of Security & DevOps
Alert Logic
 
PDF
Reality Check: Security in the Cloud
Alert Logic
 
PDF
Reducing Your Attack Surface
Alert Logic
 
PPTX
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
PPTX
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
PPTX
#ALSummit: Alert Logic & AWS - AWS Security Services
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
The Intersection of Security & DevOps
Alert Logic
 
Reality Check: Security in the Cloud
Alert Logic
 
Reducing Your Attack Surface
Alert Logic
 
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
#ALSummit: Alert Logic & AWS - AWS Security Services
Alert Logic
 

What's hot (20)

PPTX
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
PDF
The Intersection of Security & DevOps
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
Security Implications of the Cloud
Alert Logic
 
PDF
Securing Healthcare Data on AWS for HIPAA
Alert Logic
 
PDF
CSS17: Houston - Protecting Web Apps
Alert Logic
 
PDF
Protecting Against Web Attacks
Alert Logic
 
PPTX
#ALSummit: Cyber Resiliency: Surviving the Breach
Alert Logic
 
PPTX
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
PPTX
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
CSS17: Houston - Introduction to Security in the Cloud
Alert Logic
 
PDF
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
PDF
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
PPTX
CSS 17: NYC - Stories from the SOC
Alert Logic
 
PPTX
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
PDF
CSS17: Houston - Azure Shared Security Model Overview
Alert Logic
 
PPTX
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
Alert Logic
 
PDF
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Alert Logic
 
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
The Intersection of Security & DevOps
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
Security Implications of the Cloud
Alert Logic
 
Securing Healthcare Data on AWS for HIPAA
Alert Logic
 
CSS17: Houston - Protecting Web Apps
Alert Logic
 
Protecting Against Web Attacks
Alert Logic
 
#ALSummit: Cyber Resiliency: Surviving the Breach
Alert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
CSS17: Houston - Introduction to Security in the Cloud
Alert Logic
 
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
CSS 17: NYC - Stories from the SOC
Alert Logic
 
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
CSS17: Houston - Azure Shared Security Model Overview
Alert Logic
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
Alert Logic
 
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Alert Logic
 
Ad

Similar to Reducing Your Attack Surface & Your Role in Cloud Workload Protection (20)

PPTX
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
MarkAnnati
 
PDF
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Alert Logic
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
PDF
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
PDF
Cloud Security Engineering - Tools and Techniques
Gokul Alex
 
PDF
The Anatomy of a Cloud Security Breach
CloudLock
 
PPT
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
PPTX
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat Security Conference
 
PPTX
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
nitinscribd
 
PDF
Slashing Your Cloud Risk: 3 Must-Do's
Security Innovation
 
PDF
Protecting Against Web App Attacks
Alert Logic
 
PDF
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
PDF
Staying safe in the cloud
Oleg Podsechin
 
PDF
DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
werhkr1
 
PPTX
Practical Security for the Cloud
Chirag Joshi, CISA, CISM, CRISC
 
PPTX
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
Cloud Village
 
PDF
Are Your Files Really Safe? The Hidden Cloud Security Threats | CyberPro Maga...
CyberPro Magazine
 
PPTX
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
Garth Boyd
 
DOCX
Cloud Computing Security
Ahmed Banafa
 
PPTX
Hack proof your aws cloud cloudcheckr_040416
Jarrett Plante
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
MarkAnnati
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Alert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Cloud Security Engineering - Tools and Techniques
Gokul Alex
 
The Anatomy of a Cloud Security Breach
CloudLock
 
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat Security Conference
 
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
nitinscribd
 
Slashing Your Cloud Risk: 3 Must-Do's
Security Innovation
 
Protecting Against Web App Attacks
Alert Logic
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
Staying safe in the cloud
Oleg Podsechin
 
DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
werhkr1
 
Practical Security for the Cloud
Chirag Joshi, CISA, CISM, CRISC
 
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
Cloud Village
 
Are Your Files Really Safe? The Hidden Cloud Security Threats | CyberPro Maga...
CyberPro Magazine
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
Garth Boyd
 
Cloud Computing Security
Ahmed Banafa
 
Hack proof your aws cloud cloudcheckr_040416
Jarrett Plante
 
Ad

More from Alert Logic (19)

PDF
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
PDF
Managed Threat Detection and Response
Alert Logic
 
PDF
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Security Spotlight: Presidio
Alert Logic
 
PDF
Security Spotlight: Rent-A-Center
Alert Logic
 
PDF
The Intersection of Security & DevOps
Alert Logic
 
PDF
Security Spotlight: Presidio
Alert Logic
 
PDF
Security Implications of the Cloud
Alert Logic
 
PDF
CSS 2018 Trivia
Alert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
The Intersection of Security and DevOps
Alert Logic
 
PDF
Security Spotlight: The Coca Cola Company
Alert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Security Implications of the Cloud
Alert Logic
 
PDF
Security Implications of the Cloud - CSS Dallas Azure
Alert Logic
 
PDF
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
Alert Logic
 
PDF
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Managed Threat Detection and Response
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Security Spotlight: Presidio
Alert Logic
 
Security Spotlight: Rent-A-Center
Alert Logic
 
The Intersection of Security & DevOps
Alert Logic
 
Security Spotlight: Presidio
Alert Logic
 
Security Implications of the Cloud
Alert Logic
 
CSS 2018 Trivia
Alert Logic
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
The Intersection of Security and DevOps
Alert Logic
 
Security Spotlight: The Coca Cola Company
Alert Logic
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Security Implications of the Cloud
Alert Logic
 
Security Implications of the Cloud - CSS Dallas Azure
Alert Logic
 
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
Alert Logic
 
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
Alert Logic
 

Recently uploaded (20)

PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Cloud computing and distributed systems.
kkkkkhan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 

Reducing Your Attack Surface & Your Role in Cloud Workload Protection

  • 2. Thank you.Reducing Your Attack Surface Ryan Holland – Senior Director of Cloud Architecture, Alert Logic
  • 3. Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
  • 4. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
  • 5. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
  • 6. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
  • 7. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
  • 8. What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
  • 9. Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
  • 10. Real world view from our SOC
  • 11. #2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Exploited a WordPress/PHP vulnerability in 2013 Where are they now? Sold to Verizon. Valuation revised by $350M
  • 12. Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
  • 13. Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
  • 14. Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
  • 15. #3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
  • 16. AWS S3 Data Leaks Due To Misconfigurations
  • 17. #4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
  • 18. 60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
  • 19. Cloud Insight Essentials check Misconfigurations
  • 20. Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
  • 23. The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study