Securing the cloud and your assets
1. The cloud & securing your assets
Marcus Dempsey
2. Shameless plug
Marcus Dempsey
• 24+ years working in IT
• Managing Director for TeraByte IT
• Penetration tester
• Offensive Security Wireless Professional
• Certified Ethical Hacker
• Computer Hacking Forensic Investigator
• F1 fan
3. Why use the cloud?
• Managed services
• Flexibility in deploying and scaling assets
• Disaster recovery in a box
• Pay as you go spending
• Version and document control
• Automatic updating of services
• Environmentally friendly
• Increased security controls
• Infrastructure as a service
• Platform as a service
• No standing in a cold aisle at the datacentre
5. What are the dangers?
• Intrusion
• Data theft
• Possible loss of reputation
• Bankruptcy
• Insider attacks
• No control over vendor outages
• Automatic updates may cause incompatibility issues
• Disgruntled employee
• Lack or loss of overall visibility of service health
6. Securing your assets
• Installation of endpoint anti-virus software
• Only allowing inbound / outbound traffic for what’s needed
• Keep machines patched and up to date (including base build images)
• Restrict privileged user access to specific users only
• Make use of auditing: login / logout, privilege changes, etc.
• Make use of two-factor authentication especially for high-level accounts
• Regular penetration testing (internal / external)
• Strong certificates with 2048-bit or larger keys and SHA-256 signatures
• Encrypt traffic between endpoints (HTTPS, IPsec)
• In Microsoft environments, use Windows Server Update Services (WSUS)
7. Mistakes that are made
• Not updating client applications (Java / Adobe)
• Not updating Operating Systems
• Opening access to SSH, RDP to the world
• Not having well defined security controls / policies in place
• Use of weak or common passwords
• Not disabling unused accounts
• Not planning for expansion and resilience from day one
• Not patching critical vulnerabilities / 0-days
8. 25 common passwords of 2014
123456
password
12345
12345678
qwerty
123456789
1234
Baseball
Dragon
football
1234567
monkey
letmein
abc123
123123
111111
mustang
access
shadow
master
michael
superman
696969
batman
trustno1
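A password screening check built around the list on this slide, added here as an example (it is not part of the original deck). The 12-character minimum and the normalisation rules that catch trivial variants (Password1!, P@ssword, baseball2014) are my assumptions, not the slide's:

```python
import re

# The 25 most common passwords of 2014, exactly as listed on the slide.
COMMON_PASSWORDS_2014 = [
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "123123", "111111", "mustang", "access",
    "shadow", "master", "michael", "superman", "696969", "batman",
    "trustno1",
]

MIN_LENGTH = 12  # assumed policy value, not from the slide
_DENYLIST = frozenset(p.lower() for p in COMMON_PASSWORDS_2014)
# Undo the usual symbol-for-letter substitutions: @->a 0->o 1->l 3->e 4->a $->s !->i 5->s
_LEET = str.maketrans("@0134$!5", "aoleasis")


def _variants(candidate: str):
    """Yield normalised forms of the candidate so that a common password
    with a changed case, trailing digits/symbols or leetspeak is still caught."""
    base = candidate.lower()
    yield base
    stripped = re.sub(r"[\W\d_]+$", "", base)  # drop trailing digits / symbols
    yield stripped
    yield base.translate(_LEET)
    yield stripped.translate(_LEET)


def screen_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(v in _DENYLIST for v in _variants(candidate)):
        problems.append("matches a common password or a trivial variant of one")
    if re.fullmatch(r"(.)\1*", candidate) or re.fullmatch(r"\d+", candidate):
        problems.append("single repeated character or digits only")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for pw in ["P@ssword1!", "Baseball2014!!", "999999999999", "correct horse battery staple"]:
        print(f"{pw!r}: {screen_password(pw) or 'ok'}")
```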