Cloud computing security & forensics (Manu)

CLOUD 9: UNCOVERING SECURITY & FORENSICS DISCOVERY IN CLOUD [CLUBHACK 2010 EDITION]
by Manu Zacharia
MVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCP
Certified ISO 27001:2005 Lead Auditor
Director – Information Security, US based consultancy firm

"Aut viam inveniam aut faciam" ("I shall either find a way or make one") – Hannibal Barca

For paying my bills – I work as Director – Information Security at a US based consultancy.
Author of a book – Intrusion Alert – An Ethical Hacker's Guide to Intrusion Detection Systems.
The information contained in this presentation does not infringe any intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :)

AGENDA
Intro & cloud architecture
Cloud security & risk assessment framework
Exploiting cloud & forensics
Conclusion

INTRO & CLOUD ARCHITECTURE
Do you know what EC2 and S3 are?
Forget about those sleepless nights in your data centers.
Amazon EC2: a web service that provides resizable compute capacity in the cloud.
A user can boot an Amazon Machine Image (AMI) to create a virtual machine, which Amazon calls an "instance", containing any software desired.
NASDAQ uses Amazon S3 to deliver historical stock information.
... application and information resources from the underlying infrastructure, and
... infrastructure comprised of pools of compute, network, information, and storage resources.
How is cloud both similar to and different from existing models of computing?

CLOUD SECURITY – DIFFERENT?
Same client/server paradigm from mainframe days – Bruce Schneier

Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
The customer may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).
Rapid elasticity: capabilities can be rapidly and elastically provisioned to quickly scale out; in some cases this is done automatically.
Measured service: resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the service.
Cloud services are often, but not always, utilized in conjunction with, and enabled by, virtualization technologies.
In many offerings virtualization by hypervisor or operating system container is not utilized.
Multi-tenancy is not called out as an essential cloud characteristic by NIST but is often discussed as such.

SERVICE MODELS
The three fundamental classifications (SaaS, PaaS, IaaS) are known as the SPI model.
... the consumer does not manage or control the underlying cloud infrastructure ...
... possibly limited control of select networking components (e.g., host firewalls).

DEPLOYMENT MODELS
Public cloud: the cloud infrastructure is made available to the general public or a large industry group, and is owned by an organization providing cloud services.
Private cloud: the cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns.
Hybrid cloud: a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.
Cloud bursting: using the cloud when additional compute resources are required temporarily.

AUTOMATION
Automation has traditionally been applied to resource allocation and automated provisioning / de-provisioning of resources.
But is automation sufficient for cloud? Or is it even the right thing for cloud?
... management of complex computer systems, middleware, and services.
... by interconnecting these resources to the internal resources of a consumer's datacenter, usually via virtual private network (VPN) connectivity.
They also negotiate relationships between various cloud providers and consumers.
DMTF – Distributed Management Task Force

CLOUD SECURITY & RISK ASSESSMENT FRAMEWORK
Confusion exists about how cloud is both similar to and different from existing models of computing.
Lock-in: different cloud service providers use different APIs that are not compatible with each other, so data cannot simply be migrated from one provider to another.
A sudden takeover can result in a deviation from the agreed Terms of Use and SLA, which may also lead to a lock-in situation.
Bankruptcy and catastrophes do not come with an early warning.
This may introduce security vulnerabilities and gaps. Result – you lose your certification.
A major downfall in performance and quality metrics may affect your certifications.
Lack of cloud based security standards and non-adherence to procedures may affect the CIA (confidentiality, integrity, availability) of customer data.
Insecure and inefficient deletion of data, where true data wiping is not happening, exposes the sensitive information to other cloud users.
This may be for security reasons, but the end user is finally in the dark.
Backups: whether the cloud service provider does it or has outsourced it to some third party, is it encrypted when sent, is the backup properly destroyed after the specified retention period, and what kind of data wiping technologies are used? The list of questions is big and the cloud users are in the dark.
How do you get permission to test your application running on Amazon EC2 when the results of your testing could show you data from another client completely?
"In networking, black holes refer to places in the network where incoming traffic is silently discarded (or 'dropped'), without informing the source that the data did not reach its intended recipient." – From Wikipedia
How do you do regression testing?
How do you know what version of the search engine Google is currently running on?
Then why do we move? If it is not good, not safe, and not even new, then why is cloud adoption happening?
There is nobody to put a brake on it when these two people join together.
Go Green / Green IT also influenced many.
Powerful – a 64 node Linux cluster can be online in just five minutes – forget about those sleepless nights in your data centers.

RISK ASSESSMENT FRAMEWORK
Have a framework to evaluate cloud risks.
Map the asset to cloud deployment models.
We can shift parts of functions to the cloud: host the main application and data in our own data centre and outsource a portion of its functionality to the cloud through Platform as a Service (PaaS).
Data and transaction volumes are often higher than expected.
Scope creep can occur when the scope of a project is not properly defined, documented, or controlled.
A detailed valuation is recommended only if the organization has an existing process for that.
For each asset, ask the following questions:
How would we be harmed if the asset became widely public and widely distributed?
How would we be harmed if the process or function were manipulated by an outsider?
How would we be harmed if the information/data were unexpectedly changed?
... and how those are affected if all or part of the asset is handled in the cloud.
Determine which deployment model is good for the organizational requirement.
Deployment models and locations that fit your security and risk requirements.
It is absolutely essential to understand whether, and how, data can move in and out of the cloud before finalizing.
... can skip most of the recommendations, such as on-site inspections, discoverability, and complex encryption schemes.
A high-value regulated asset might entail audit and data retention requirements.
INFORMATION WARFARE
風 – Swift as the wind
林 – Quiet as the forest
火 – Conquer like the fire
山 – Steady as the mountain
A sort of abbreviation to remind officers and troops how to conduct battle.

EXPLOITING CLOUD – DISTRIBUTED PASSWORD CRACKING
Install the Amazon EC2 API tools on your Linux box: sudo apt-get install ec2-api-tools
Example – use a 32 bit Windows AMI: ami-df20c3b6 (-g selects the security group).
Extract the admin password for the instance: ec2-get-password -k ssh-keypair.pem $instanceID
RDP into the instance and configure EDPR (Elcomsoft Distributed Password Recovery).
EDPR creates a pair of registry values which are used to uniquely identify the agent when connecting to the manager.
We need to scrub these values before bundling – why? Every instance spawned from the image would otherwise present the same agent identity to the manager, and the job handling would be totally corrupted.
Remember, in cloud a bundle is similar to creating a 'template' in VMware terminology.
The bundle is used to spawn instances of the EDPR agent. Example: IMAGE ami-54f3103d
Job: brute force a password composed of uppercase letters, lowercase letters, and the numbers 0-9, with a length of between 1 and 8 characters, against a PGP ZIP file.
Request an increase of the Amazon EC2 instance limit: http://aws.amazon.com/contact-us/ec2-request/
Amazon spot instances allow us to bid on unused Amazon EC2 capacity and run those instances.
Result: a successful cloud based distributed cracking system.

CLOUD FORENSICS
Bad guys have started using cloud based services and infrastructure for launching attacks.
Cloud does provide a good platform for incident response and forensics investigations.
Not the case with the traditional infrastructure, where the equipment is seized.
EBS-backed AMIs enable the user to launch an instance with an Amazon EBS volume that will serve as the root device.
Since the forensic investigators will be working with another instance of the environment, regular operations are not affected in any way.
This can be easily achieved using the on-demand feature of cloud.
Amazon Web Services already provides a useful forensic feature: it can provide an MD5 hash of every file on the cloud system (for S3 objects it is exposed as the ETag; note that for multipart uploads the ETag is not a plain MD5 of the whole object).
Virtualization of various entities like the applications and host systems, which once used to be in-house, is now scattered across the cloud.
Since we are acquiring data from a virtual environment, the forensic investigator should have a clear and precise understanding of how they work and which files are interesting and required to acquire.

CONCLUSION
A collaborative and collective effort is required to address what we discussed.

GOOD SECURITY PROFESSIONAL
A good security professional is someone who always looks both ways before crossing a one-way street.
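As an added example for the distributed password cracking section above (this is not code from the talk and not part of EDPR): the keyspace arithmetic a manager needs to split the stated job, upper case plus lower case plus 0-9 at lengths 1 to 8, across a pool of EC2 agents. Candidates are enumerated shortest length first and in charset order, an index is mapped to its candidate and back (rank/unrank), and each worker gets a contiguous index range. The worker count of 4 and the per-agent rate of 1e6 candidates per second used in the demo run are assumptions, not figures from the talk.

```python
from string import ascii_lowercase, ascii_uppercase, digits
from typing import List, Tuple

# Keyspace stated in the talk: upper case, lower case and 0-9, length 1 to 8.
CHARSET = ascii_uppercase + ascii_lowercase + digits  # 62 symbols
MIN_LEN, MAX_LEN = 1, 8


def keyspace_size(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidates: sum of |charset|^L over every allowed length L."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def unrank(index: int, charset: str, min_len: int, max_len: int) -> str:
    """Map a 0-based keyspace index to its candidate.

    Candidates are enumerated shortest length first, and within one length
    in charset order (a mixed-radix counter), so every index in
    [0, keyspace_size) names exactly one candidate.
    """
    n = len(charset)
    for length in range(min_len, max_len + 1):
        block = n ** length
        if index < block:
            chars = []
            for _ in range(length):
                index, symbol = divmod(index, n)
                chars.append(charset[symbol])
            return "".join(reversed(chars))  # most significant symbol first
        index -= block
    raise IndexError("index lies outside the keyspace")


def rank(candidate: str, charset: str, min_len: int, max_len: int) -> int:
    """Inverse of unrank: the index at which candidate is enumerated."""
    length = len(candidate)
    if not min_len <= length <= max_len:
        raise ValueError("candidate length outside the configured range")
    n = len(charset)
    offset = sum(n ** shorter for shorter in range(min_len, length))
    value = 0
    for ch in candidate:
        value = value * n + charset.index(ch)  # ValueError on a foreign symbol
    return offset + value


def partition(total: int, workers: int) -> List[Tuple[int, int]]:
    """Split [0, total) into `workers` contiguous half-open ranges.

    The first (total % workers) ranges get one extra index, so range sizes
    differ by at most one and no agent finishes far ahead of the rest.
    """
    base, extra = divmod(total, workers)
    ranges, start = [], 0
    for w in range(workers):
        end = start + base + (1 if w < extra else 0)
        ranges.append((start, end))
        start = end
    return ranges


def worst_case_hours(total: int, workers: int, rate_per_worker: float) -> float:
    """Hours to exhaust `total` candidates with `workers` agents each testing
    `rate_per_worker` candidates per second (an assumed rate, not a figure
    from the talk)."""
    return total / (workers * rate_per_worker) / 3600.0


if __name__ == "__main__":
    total = keyspace_size(CHARSET, MIN_LEN, MAX_LEN)
    print(f"keyspace: {total:,} candidates")
    # Assumed pool of 4 agents; each gets its range as first/last candidate.
    for agent, (lo, hi) in enumerate(partition(total, 4)):
        print(f"agent {agent}: {unrank(lo, CHARSET, MIN_LEN, MAX_LEN)!r} .. "
              f"{unrank(hi - 1, CHARSET, MIN_LEN, MAX_LEN)!r} ({hi - lo:,} candidates)")
    # Assumed per-agent rate of 1e6 candidates/s, used only for the estimate.
    print(f"worst case with 4 agents at 1e6/s: {worst_case_hours(total, 4, 1e6):,.0f} hours")
```

The point of rank/unrank is that a manager only has to hand each agent two integers; an agent that is lost when a spot instance is reclaimed can be replaced by any other agent resuming the same range, which is exactly why duplicated agent identities (the scrubbed registry values above) break job handling.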
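As an added example for the cloud forensics section above (not part of the original presentation): verifying an acquired S3 object against the MD5 hash the provider reports. S3 exposes that hash as the object's ETag header, which is a plain MD5 only for single-part uploads; for multipart uploads the ETag is the MD5 of the concatenated binary part MD5s followed by "-<number of parts>", so the verifier must know the upload part size. The sample object bytes and object name below are constructed for the example, and an independent SHA-256 is recorded alongside because MD5 alone is collision-prone.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample object (not real evidence): a short repeated text body.
SAMPLE_OBJECT = b"Forensic acquisition sample data\n" * 100  # 3300 bytes


def s3_etag(data: bytes, part_size: Optional[int] = None) -> str:
    """Reproduce the ETag S3 reports for an unencrypted object.

    Single-part upload (part_size None, or the object fits in one part):
    the ETag is the hex MD5 of the whole object.
    Multipart upload: S3 takes the binary MD5 of each part, concatenates
    them, MD5s that, and appends "-<number of parts>".  The result is not an
    MD5 of the object, so the upload part size must be known to reproduce it.
    """
    if part_size is None or len(data) <= part_size:
        return hashlib.md5(data).hexdigest()
    part_digests = b"".join(
        hashlib.md5(data[i:i + part_size]).digest()
        for i in range(0, len(data), part_size)
    )
    n_parts = (len(data) + part_size - 1) // part_size
    return f"{hashlib.md5(part_digests).hexdigest()}-{n_parts}"


def verify_acquired_copy(data: bytes, reported_etag: str,
                         part_size: Optional[int] = None) -> bool:
    """True when the local copy reproduces the ETag the provider reported.

    S3 wraps the ETag header value in double quotes; strip them before
    comparing.  A "-N" suffix marks a multipart ETag and needs part_size.
    """
    etag = reported_etag.strip('"')
    if "-" in etag:
        if part_size is None:
            raise ValueError("multipart ETag: upload part size is required")
        return s3_etag(data, part_size) == etag
    return hashlib.md5(data).hexdigest() == etag


def acquisition_record(name: str, data: bytes, reported_etag: str,
                       part_size: Optional[int] = None) -> Dict[str, object]:
    """Chain-of-custody entry for one acquired object.

    Records the provider hash check and an independent SHA-256, because
    MD5 alone is collision-prone and should not be the only integrity value.
    """
    return {
        "object": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "reported_etag": reported_etag.strip('"'),
        "etag_verified": verify_acquired_copy(data, reported_etag, part_size),
    }


if __name__ == "__main__":
    # Simulate the provider-reported ETag for a 4-part upload of the sample
    # (constructed object name, 1024-byte parts assumed).
    reported = '"' + s3_etag(SAMPLE_OBJECT, 1024) + '"'
    print(acquisition_record("evidence/sample.bin", SAMPLE_OBJECT, reported, 1024))
    # A copy with a single changed byte must fail the check.
    tampered = SAMPLE_OBJECT[:-1] + b"X"
    print("tampered copy verified:", verify_acquired_copy(tampered, reported, 1024))
```

Two caveats a practitioner should keep in mind: objects stored with SSE-KMS or SSE-C have ETags that are not MD5 values at all, so for those the only usable integrity anchor is a hash you take yourself at acquisition time; and in every case the provider-reported value only proves the copy matches what the provider holds, not that the object was unchanged before acquisition.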