SlideShare ist ein Scribd-Unternehmen logo

Reducing Your Attack Surface

Alert Logic
Alert Logic

The document discusses reducing attack surfaces in cloud environments. It notes that understanding your attack surface is critical for deploying proper security controls as attack surfaces differ between cloud and on-premises environments. It also states that web application attacks are now the leading cause of data breaches but less than 5% of security budgets are spent on application security. Common cloud misconfigurations are also discussed as a major risk factor.

Technologie
1 von 23
Downloaden Sie, um offline zu lesen
REDUCING YOUR ATTACK SURFACE Ryan Holland, Senior Director of Cloud Architecture – Alert Logic
Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
Real world view from our SOC
#2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Phishing Email Where are they now? Sold to Verizon. Valuation revised by $350M
Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
#3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
AWS S3 Data Leaks Due To Misconfigurations
#4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
Cloud Insight Essentials check Misconfigurations
Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
Attack Surface Factors Factor Impact Technology Triggers Custom built complex web code Broad attack surface and numerous opportunities for hidden vulnerabilities. Open or commercial development frameworks Vulnerabilities inherited from open source community or software vendors. 3-tier architecture with relational databases Increased risk of SQL injection - #1 web attack method in volume and impact Open and Interconnected Easily accessible from outside world by valid users and attackers alike Legacy code Technical debt means increases risk
Importance of Eliminating Dwell Time
The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study
Thank you.

Empfohlen

Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
Alert Logic
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
Alert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
Security Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureSecurity Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas Azure
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 

Empfohlen

Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
Alert Logic
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
Alert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
Security Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureSecurity Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas Azure
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017
Alert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
Alert Logic
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations Center
Alert Logic
 
Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Alert Logic
 
#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach
Alert Logic
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
Alert Logic
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
MarkAnnati
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
Cyber Resiliency
Cyber ResiliencyCyber Resiliency
Cyber Resiliency
Alert Logic
 
Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)
Alert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
JamieWilliams130
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations Center
 
Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment
 
Cyber Resiliency
Cyber ResiliencyCyber Resiliency
Cyber Resiliency
 
Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 

Ähnlich wie Reducing Your Attack Surface

Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERSENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
IJNSA Journal
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux servers
IJNSA Journal
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
Sreerag Gopinath
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 

Ähnlich wie Reducing Your Attack Surface (20)

Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERSENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux servers
 
Escalation defenses ad guardrails every company should deploy
Escalation defenses ad guardrails every company should deployEscalation defenses ad guardrails every company should deploy
Escalation defenses ad guardrails every company should deploy
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
 
Windows network
Windows networkWindows network
Windows network
 
SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
 
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival GuideDSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Security Threat Presentation
Security Threat PresentationSecurity Threat Presentation
Security Threat Presentation
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 

Mehr von Alert Logic

Mehr von Alert Logic (17)

Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-Center
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
CSS 2018 Trivia
CSS 2018 TriviaCSS 2018 Trivia
CSS 2018 Trivia
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security and DevOps
The Intersection of Security and DevOpsThe Intersection of Security and DevOps
The Intersection of Security and DevOps
 
Security Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanySecurity Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola Company
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
Microsoft Azure Security Overview - Microsoft - CSS Dallas AzureMicrosoft Azure Security Overview - Microsoft - CSS Dallas Azure
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
 
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
 

Kürzlich hochgeladen

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Kürzlich hochgeladen (20)

AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Reducing Your Attack Surface

  • 1. REDUCING YOUR ATTACK SURFACE Ryan Holland, Senior Director of Cloud Architecture – Alert Logic
  • 2. Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
  • 3. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
  • 4. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
  • 5. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
  • 6. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
  • 7. What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
  • 8. Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
  • 9. Real world view from our SOC
  • 10. #2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Phishing Email Where are they now? Sold to Verizon. Valuation revised by $350M
  • 11. Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
  • 12. Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
  • 13. Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
  • 14. #3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
  • 15. AWS S3 Data Leaks Due To Misconfigurations
  • 16. #4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
  • 17. 60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
  • 18. Cloud Insight Essentials check Misconfigurations
  • 19. Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
  • 20. Attack Surface Factors Factor Impact Technology Triggers Custom built complex web code Broad attack surface and numerous opportunities for hidden vulnerabilities. Open or commercial development frameworks Vulnerabilities inherited from open source community or software vendors. 3-tier architecture with relational databases Increased risk of SQL injection - #1 web attack method in volume and impact Open and Interconnected Easily accessible from outside world by valid users and attackers alike Legacy code Technical debt means increases risk
  • 22. The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study