TRANSCRIPT
Cloud Security, Compliance, and Incident Response in the Amazon EC2 Cloud
Brad Dispensa, Senior Solutions Architect (WWPS), Amazon Cloud Services, Amazon
Tom Arnold, Head of Digital Forensics, Payment Software Company (PSC)
Topics: Select list of topics important to Cloud-based PCI DSS compliance
- Security in the Amazon EC2 cloud
  - Services and tools provided by AWS
  - Best practices for setting up instances and the environment
  - Access controls (IAM and 2-factor authentication to console)
  - Logging and tracking (introduce AWS CloudTrail and other services)
- Securing hosts and configuration of hosts
  - How configuration standards for systems might need to be altered
  - Segmenting and layering the virtual network
  - Firewall functionality
- Preparing for a PCI DSS compliance audit for systems in EC2
  - What artifacts and evidence need to be collected
  - What changes to policies and procedures need to be made
- Incident Response
  - Why prepare for an incident
  - Focus on the first responder and actions that should be taken
Security in Amazon Web Services
Services and tools: Available from AWS to help secure EC2 resources
- Amazon CloudWatch
- AWS CloudTrail
- AWS Config
- Amazon Inspector
- AWS WAF
- Flow logs
- Amazon VPC
AWS Shared Responsibility Model
Scope of responsibility depends on the type of service offered by AWS: Infrastructure, Container, Abstracted Services.
Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure!

AWS:
- Facilities
- Physical security
- Compute infrastructure
- Storage infrastructure
- Network infrastructure
- Virtualization layer (EC2)
- Hardened service endpoints
- Rich IAM capabilities

Customer:
- Network configuration
- Security groups
- OS firewalls
- Operating systems
- Applications
- Proper service configuration
- AuthN & acct management
- Authorization policies

AWS + Customer = Shared Responsibility Model

AWS is responsible for the security OF the Cloud:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security and compliance IN the Cloud:
- Customer content
- Platform, Applications, Identity & Access Management
- Operating System, Network & Firewall Configuration
- Client-side Data Encryption
- Server-side Data Encryption
- Network Traffic Protection
Defense-in-Depth
- Physical: AWS Compliance Program; Third Party Attestations
- Network: Security Groups; VPC Configuration; Web App Firewalls; Bastion Hosts; Encryption In-Transit
- System Security: Hardened AMIs; OS and App Patch Mgmt.; IAM Roles for EC2; IAM Credentials
- Data Security: Logical Access Controls; User Authentication; Encryption At-Rest
AWS CloudTrail: Web service that records AWS API calls for your account and delivers logs.
Console, AWS SDK, CLI -> CloudTrail -> S3 -> AWS Partner Network, CloudSearch, EMR/Redshift
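CloudTrail delivers the API-call record; the value for the access-control topics above (IAM, 2-factor authentication to the console) comes from what you check in that record. The following is an added example, not code from the presentation or from AWS: the records are constructed to follow the CloudTrail event shape (eventName, userIdentity, additionalEventData.MFAUsed, responseElements.ConsoleLogin) and are not real account data. It flags console logins that succeeded without MFA, failed console logins, and any activity by the root account, which are the checks a PCI assessor will ask to see evidence of.

```python
"""Review CloudTrail records for console access without MFA and root usage.

Added example, not from the original slides. SAMPLE_RECORDS are constructed
in the CloudTrail event shape; the users, times and IPs are made up.
"""
import json
from typing import Iterable, List

SAMPLE_RECORDS = [
    {"eventTime": "2016-03-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2016-03-01T10:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2016-03-01T10:07:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2016-03-01T10:09:00Z",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.5"},
]


def analyze_record(rec: dict) -> List[str]:
    """Return the findings for one CloudTrail record (empty list if clean)."""
    findings = []
    ident = rec.get("userIdentity", {})
    who = ident.get("userName") or ident.get("type", "unknown")
    src = rec.get("sourceIPAddress", "?")
    if rec.get("eventName") == "ConsoleLogin":
        outcome = rec.get("responseElements", {}).get("ConsoleLogin")
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        # A successful console session established without a second factor.
        if outcome == "Success" and mfa != "Yes":
            findings.append(f"console login without MFA: {who} from {src}")
        # Failed logins are the raw material for password-guessing detection.
        if outcome == "Failure":
            findings.append(f"failed console login: {who} from {src}")
    # Day-to-day work should run under IAM users/roles; root use is always notable.
    if ident.get("type") == "Root":
        findings.append(f"root account activity: {rec.get('eventName')} from {src}")
    return findings


def analyze_records(records: Iterable[dict]) -> List[str]:
    out: List[str] = []
    for rec in records:
        out.extend(analyze_record(rec))
    return out


def analyze_log_lines(lines: Iterable[str]) -> List[str]:
    """Same review over one-JSON-document-per-line input, as read from a file."""
    return analyze_records(json.loads(line) for line in lines if line.strip())


def sample_log_lines() -> List[str]:
    """Serialize the constructed records as line-delimited JSON."""
    return [json.dumps(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for finding in analyze_log_lines(sample_log_lines()):
        print(finding)
```

Real CloudTrail objects in S3 are gzip-compressed JSON with a top-level `Records` array rather than one document per line; the per-record logic is the same, only the unwrapping differs.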
AWS CloudWatch: Monitoring services for AWS Resources and AWS-based Applications.
Monitored services: EC2, Auto Scaling, ELB, Route 53, EBS, Storage Gateway, CloudFront, DynamoDB, ElastiCache, RDS, EMR, SNS, SQS, Billing, Custom
- Collect and Track Metrics
- Monitor and Store Logs
- Set Alarms
- View Graphs and Statistics
AWS Config: Managed service for tracking AWS inventory and configuration, and configuration change notification.
Tracked resources: EC2, VPC, EBS, CloudTrail
Use cases: Change Management, Audit Compliance, Security Analysis, Troubleshooting, Discovery
Best Practices for setting up instances
[Diagram: virtual private cloud, security group, Amazon machine image; Account A / Account B; "or ELK"]
Best Practices (cont.) for setting up instances
Preparing for an assessment
Preparation is key: Cloud assessments can be more time consuming and costly. There is no magic when you're in the Cloud.
Cover most all 12 major areas of PCI DSS:
- Network and perimeter security
- Servers and system hardening
- Protection of stored data
- Transport security
- Anti-malware
- Software and application security
- Authorization and Authentication controls
- Logging and monitoring
- Security controls
- Policy and procedural controls
PCI DSS Assessment Readiness: Let's examine some of the differences
Network and perimeter security
- Firewalls still exist; the standard is adapted for AWS Security Groups
- Security groups for egress, ingress and DMZ control
- Network segmentation: methods for logical control of intra-Cloud communications, tied to access controls
Servers and systems
- Standards and approach for system hardening
- Harden server administrative accounts
- Use AWS config tools & scanning tools to test
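Because security groups take the place of the firewall rule base in a PCI assessment, the assessor's question becomes "show me that no administrative port and no unrestricted egress is open to the world." The following is an added example, not code from the presentation or from AWS: SAMPLE_GROUPS is constructed in the shape boto3's `describe_security_groups` returns (IpPermissions / IpPermissionsEgress with IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges, UserIdGroupPairs), and the group IDs and rules are made up. It flags ingress rules that expose SSH or RDP (or all traffic) to 0.0.0.0/0 or ::/0 and egress rules that allow all traffic anywhere; rules that reference another security group rather than a CIDR are the segmentation pattern the slide describes and pass the check.

```python
"""Review EC2 security groups for world-open admin ports and open egress.

Added example, not from the original slides. SAMPLE_GROUPS is a constructed
sample in the boto3 describe_security_groups response shape.
"""
from typing import Dict, List

ADMIN_PORTS = {22, 3389}          # SSH, RDP
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "GroupName": "db-tier",
     "IpPermissions": [
         # Source is the web tier's group, not a CIDR: intra-VPC segmentation.
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "UserIdGroupPairs": [{"GroupId": "sg-web"}]}],
     "IpPermissionsEgress": [
         # Outbound limited to HTTPS, e.g. to a payment gateway.
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def rule_cidrs(rule: dict) -> List[str]:
    """All IPv4 and IPv6 CIDRs a rule names (group references are not CIDRs)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def rule_covers_port(rule: dict, port: int) -> bool:
    if rule.get("IpProtocol") == "-1":   # "-1" means all protocols and ports
        return True
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def review_security_group(sg: dict) -> List[str]:
    findings: List[str] = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissions", []):
        world = sorted(c for c in rule_cidrs(rule) if c in OPEN_CIDRS)
        if not world:
            continue
        if rule.get("IpProtocol") == "-1":
            findings.append(f"{gid}: all inbound traffic open to {world}")
            continue
        for port in sorted(ADMIN_PORTS):
            if rule_covers_port(rule, port):
                findings.append(f"{gid}: admin port {port} open to {world}")
    for rule in sg.get("IpPermissionsEgress", []):
        if rule.get("IpProtocol") == "-1" and any(
                c in OPEN_CIDRS for c in rule_cidrs(rule)):
            findings.append(f"{gid}: unrestricted egress to anywhere")
    return findings


def review_all(groups: List[dict]) -> Dict[str, List[str]]:
    return {sg["GroupId"]: review_security_group(sg) for sg in groups}


if __name__ == "__main__":
    for gid, found in review_all(SAMPLE_GROUPS).items():
        print(gid, found or "ok")
```

Against a live account the same functions run over `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`; the output is the evidence list for the network and perimeter section of the assessment.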
Assessment Readiness: Review of key differences and approaches
Protection of stored data
- Retention: numerous AWS cloud services can be leveraged; approach for data removal may be different
- Encryption: key management and key storage
Transport security
- Ingress encryption and certificates
- Load balancers
- Outbound encryption to payment gateway
Anti-malware
- Reporting and alerting
Applications are the MOST significant area to focus on
Application security: area of most exposure
- Development of secure applications
- Testing of applications
- Access controls and permissions
- Vulnerability review and patching done every 2 weeks
Access controls: front line of defense
- Change group admin accounts; create local accounts
- Remote console access must be filtered and protected: leverage AWS multi-factor auth controls; leverage AWS Security Groups to filter access
- Frequent pen-testing of applications and access (quarterly)!
Assessment Readiness: A few final thoughts
Logging and monitoring
- Central logging should leverage AWS tools
- Isolate access to logs
- Review logs at least daily for access violations
Security controls
- Scanning, testing, and penetration testing controls are the same
- Test FIM daily on production, public-facing servers
Policy and procedural controls
- Update all documents to fit the environment
- Incident response readiness changes dramatically
Assessment Readiness: Incident response planning
Consider this. What do you think of this log extract?
[Log extract from forensic investigation: examination of wtmp]
So, what happened next? Here's the rest of the story
1. There were 15,000 unsuccessful ssh login attempts, each six seconds apart
2. End user types name and password in login field, then hits enter (this is what last output showed)
3. Real end-user logs in some time later using root account
4. At shell prompt, end user types in a curl command to outside sites
5. Uses wget command to download a file into web-root/images folder
6. End user launches the file through a remote web browser
7. Modifies php script to write all encoded card data to a .jpg file in images
8. End user logs out
9. Each time a customer clicks on the buy it button, a connection to http://authorizet.com/ opens
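The tell in that story is not any single failed login but the shape of the series: thousands of failures at a fixed six-second cadence from one source, followed by a successful root login from the same source. The following is an added example, not code from the presentation: it parses constructed sshd auth-log lines (the hosts, users, addresses and times are made up) and reports, per source address, the failure count, the median interval between failures, whether that interval is regular enough to be automated, and which accounts the same source later logged into successfully. wtmp itself is a binary record; the slide's observation is the same but applied to the text log sshd writes alongside it.

```python
"""Detect automated SSH password guessing followed by a successful login.

Added example, not from the original slides. SAMPLE_LOG is constructed in
the OpenSSH auth-log format; nothing in it is real.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Mar  1 10:00:00 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  1 10:00:06 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  1 10:00:12 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51006 ssh2
Mar  1 10:00:18 web01 sshd[2207]: Failed password for root from 203.0.113.5 port 51008 ssh2
Mar  1 10:00:24 web01 sshd[2209]: Failed password for root from 203.0.113.5 port 51010 ssh2
Mar  1 10:00:30 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51012 ssh2
Mar  1 10:01:10 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.20 port 40222 ssh2
Mar  1 10:02:44 web01 sshd[2219]: Failed password for deploy from 198.51.100.20 port 40230 ssh2
Mar  1 10:03:15 web01 sshd[2223]: Accepted password for root from 203.0.113.5 port 51020 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line: str) -> Optional[dict]:
    """Parse one sshd line; None for lines that are not login outcomes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; fine for measuring intervals.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"].startswith("Accepted"),
            "user": m["user"], "ip": m["ip"]}


def detect(lines: List[str], fail_threshold: int = 5,
           max_jitter_s: float = 2.0) -> List[dict]:
    """One finding per source with >= fail_threshold failed password attempts."""
    fails: Dict[str, list] = defaultdict(list)
    successes: Dict[str, list] = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        (successes if ev["ok"] else fails)[ev["ip"]].append(ev)
    findings = []
    for ip, evs in fails.items():
        if len(evs) < fail_threshold:
            continue
        times = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        # A human retyping a password does not hit a fixed cadence; a tool does.
        regular = all(abs(g - med) <= max_jitter_s for g in gaps)
        later_logins = sorted({s["user"] for s in successes.get(ip, [])
                               if s["ts"] > times[-1]})
        findings.append({"ip": ip, "failures": len(evs), "median_gap_s": med,
                         "regular": regular, "success_after": later_logins})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

A finding with `regular` true and a non-empty `success_after` list is the case from the slide in miniature, and is the point at which the first-response plan, rather than a reboot, should take over.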
And then, there is this: DDoS and AWS are like water on a fire
This is a DDoS extortion attack. AWS EC2 is uniquely constructed to respond to this.
How would this attack affect your incident response plan?
Refresher: What is an incident? Most important fact to agree on
Classic definition: "The strict definition of an incident is any violation of policy, law, or unacceptable act that involves information assets, such as computers, networks, smartphones, tablets, voice recording systems, cameras, etc."
Bejtlich, R. (2005). The Tao of network security monitoring: Beyond intrusion detection. Boston: Addison-Wesley.
Planning objectives: Review the components of an incident response plan
- Rapid detection of an incident
- Understand the nature of the threat
- Minimize loss or destruction
- Initial short-term mitigation
- Implement clear first-response plan
- Complete short-term containment
- Restoration and recovery
Planning for EC2 response: How and why a first response plan for EC2 is important
Influencers on plan
- EC2 environment is dynamic: physical v. logical environments; scalability of an environment that dynamically evolves
- Application security threat vectors
First responder's impact
- Knee-jerk response can make matters worse
- Termination v. stopping of systems may destroy evidence
- Rebuilding systems may re-introduce vulnerabilities
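The "termination v. stopping" point deserves to be written down as a procedure before the incident, because in the console the two buttons sit next to each other and terminating an instance deletes any volume marked delete-on-termination, root volume included. The following is an added example, not code from the presentation or from AWS: `preserve_instance` performs the first-responder steps in evidence-preserving order (snapshot every attached volume, tag the snapshots to the case, swap the instance into an isolation security group, enable termination protection, and only then stop, never terminate). The boto3 EC2 client methods it calls (`describe_instances`, `create_snapshot`, `modify_instance_attribute`, `stop_instances`) are real, but `FakeEc2` is a constructed in-memory stand-in so the procedure runs offline, and the instance, volume, security-group and case identifiers are made up.

```python
"""First-responder preservation of a suspect EC2 instance.

Added example, not from the original slides. FakeEc2 is a constructed
stand-in for boto3.client("ec2"); pass a real client to preserve_instance
in practice. IDs below are made up.
"""
from typing import Tuple


def preserve_instance(ec2, instance_id: str, isolation_sg_id: str,
                      case_id: str, stop: bool = True) -> dict:
    """Snapshot, isolate, protect and (optionally) STOP a suspect instance.

    Snapshots come first so disk state is captured before anything changes.
    Stopping discards volatile memory, so set stop=False when the plan calls
    for a live memory capture before power-off."""
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    inst = desc["Reservations"][0]["Instances"][0]
    tags = [{"ResourceType": "snapshot",
             "Tags": [{"Key": "Case", "Value": case_id},
                      {"Key": "SourceInstance", "Value": instance_id}]}]
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        vol_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol_id, TagSpecifications=tags,
            Description=f"forensic image {case_id} {instance_id} {vol_id}")
        snapshot_ids.append(snap["SnapshotId"])
    # Replace every security group with one that has no rules: the attacker's
    # sessions drop, but the instance's disks and memory remain intact.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
    # Guard against a knee-jerk "Terminate" from the console or a script.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    if stop:
        ec2.stop_instances(InstanceIds=[instance_id])
    return {"instance": instance_id, "snapshots": snapshot_ids,
            "security_groups": [isolation_sg_id],
            "termination_protected": True,
            "state": "stopping" if stop else "running"}


class FakeEc2:
    """Constructed in-memory stand-in for the boto3 EC2 client (not AWS code)."""

    def __init__(self, instances: dict):
        self.instances = instances          # instance_id -> instance dict
        self.snapshots: dict = {}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def create_snapshot(self, VolumeId, Description="", TagSpecifications=None):
        sid = f"snap-{len(self.snapshots):08x}"
        self.snapshots[sid] = {"VolumeId": VolumeId, "Description": Description,
                               "Tags": (TagSpecifications or [{}])[0].get("Tags", [])}
        return {"SnapshotId": sid, "VolumeId": VolumeId, "State": "pending"}

    def modify_instance_attribute(self, InstanceId, **attrs):
        inst = self.instances[InstanceId]
        if "Groups" in attrs:
            inst["SecurityGroups"] = [{"GroupId": g} for g in attrs["Groups"]]
        if "DisableApiTermination" in attrs:
            inst["DisableApiTermination"] = attrs["DisableApiTermination"]["Value"]
        return {}

    def stop_instances(self, InstanceIds):
        for i in InstanceIds:
            self.instances[i]["State"] = {"Name": "stopping"}
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}

    def terminate_instances(self, InstanceIds):
        raise AssertionError("terminate_instances must never run during preservation")


def demo() -> Tuple[FakeEc2, dict]:
    """Run the procedure against one constructed instance with two volumes."""
    fake = FakeEc2({"i-EXAMPLE1": {
        "InstanceId": "i-EXAMPLE1", "State": {"Name": "running"},
        "SecurityGroups": [{"GroupId": "sg-web"}],
        "BlockDeviceMappings": [
            # Root volume deleted on terminate: the evidence termination destroys.
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root", "DeleteOnTermination": True}},
            {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data", "DeleteOnTermination": False}}]}})
    result = preserve_instance(fake, "i-EXAMPLE1", "sg-isolation", "CASE-0001")
    return fake, result


if __name__ == "__main__":
    print(demo()[1])
```

The order of operations is the plan; with a real client the only change is `ec2 = boto3.client("ec2")`, and the isolation security group must already exist with no inbound or outbound rules.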
Reality check: Appropriate planning and detailed response objectives are key
Amazon Elastic Compute Cloud: richest and most robust cloud environments
- Even a cottage entrepreneur has the computing power and Internet presence of a Fortune 500
- Numerous security features
Two of the weakest factors:
- Humans: they still screw things up
- Applications and programmatic interfaces
Must establish detailed