Into the Cloud & Other Horror Stories - CSA Congress
Page 1
Into the Cloud & Other Horror Stories
Michael F. Angelo - CISSP, CRISC
Page 2
About Me…
• Doing formalized Threat Modeling
  • over 15 years
  • thousands of models
• Doing Threat and Security Analysis
  • over 30 years
• Doing security in some way, shape and form
  • forever
Page 3
Agenda
• How we got here
• Threats and models
• Short Term Solutions
• The World is Changing
Page 4
How we got here
Need to optimize expenditures (reduce cost while increasing performance of technology).
Page 5
Enter the Cloud
• 90% of organizations are using a cloud service
• Cloud services include Office 365 or G Suite
• AWS, Google Cloud and Azure
Page 6
More Cloud Stats
• Yahoo – 1 Billion
• Equifax – 143 Million
• LinkedIn – 167 million accounts
• Dropbox – 68 million accounts
• Home Depot – 56 million credit cards
• Verizon – 14 million customer records
• Accenture, Time Warner Cable, Uber
Page 7
Threats Cloud Stats (EU Breaches)
• Greenwich University
• Cambridge Analytica
• APT15 target UK military contractor
• Uber users compromised
• Equifax - 694 UK (14 million names / dates of birth, UK)
• Cash Converters
• London Bridge Plastic Surgery clinic
• Deloitte
• CEX/WeBuy
• Wonga
Page 8
Oopsss…
Page 9
Threats and Models - Technology / Usage
Figure: Security Cycle (labels: New Tech, Feature, Bug Fix, Perf, Threat)
Page 10
Figure: Threat Cycle. Threat → mitigation → new threat → new mitigation, repeated; each usage change restarts the cycle.
Page 11
Threats to Cloud - CSA Top 12
1. Data Breaches
2. Insufficient Identity, Credential and Access Management
3. Insecure Interfaces and APIs
4. System Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Vulnerabilities
https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/
https://www.csoonline.com/article/3043030/security/12-top-cloud-security-threats-for-2018.html
Page 12
TM - Storage as a Service
• Users put files on Cloud Service
• Administrators, operators, and hackers could access files
• Solution: Encrypt files before upload
Page 13
TM: Company just moved to cloud
• Where is my cloud?
• Can my cloud migrate?
• Where can it migrate?
• Who has access to my cloud?
Page 14
TM: Company in the Cloud
Page 15
TM: Software as a Service
• Software downloaded to your environment.
Figure: Request Software → Software
Page 16
TM: Software as a Service
• Software started up
• Send Data
Figure: Send Data → Visualize
Page 17
TM: Truisms
• After 12 years, 95% of all cloud issues can be taken care of with basics (see CSA guidelines)
• Don’t forget basic configuration!!
• Each cloud implementation has its own risks
• Risks must be weighed vs potential harm to company
Page 18
Short Term
• When looking at the Cloud ask Questions
• What do you mean by the Cloud?
• How do we set it up?
• What type of cloud?
• How is it Partitioned / Am I sharing the cloud?
• Where is my [cloud, data, processing] located?
• Where can it [cloud, data, processing] migrate?
• Who is responsible for protecting it and how?
• Who is in control?
• What are the risks?
• Customer Data / Proprietary Information
Page 19
The World is Changing - Cloud IoT
• What could go wrong?
Page 20
The World is Changing
• Would you put data in the cloud?
• GDPR
  • Requires you to protect Employee & Customer PII
• Cloud Act (US)
  • Requires US Entities to hand over on government order
Page 21
Getting there from here…
Figure: here → There
Page 22
The Last Slide
• Remember
  • Security trumps privacy
  • Better, faster, cheaper trumps security. Until someone gets caught
  • Security incidents are not free
• Don’t be afraid to ask:
  • What can go wrong and how can it be mitigated
• Finally,
  • If you can’t mitigate it, think twice about doing it
Page 23
I Lied..
Page 24
Thank You
Michael F. Angelo
[email protected], [email protected], @mfa0007
For more background, search for "Michael F. Angelo" AND Security