Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
Data Privacy in Our On-Prem and Cloud Products
Shlomi Ben-Hur March 2023
That’s Me
Thank You
Discussion Topics
• Privacy – Key Terms & Concepts
• Cloud-Focused Privacy
• Product-Focused Privacy
Why is Privacy SOOO Important??
MONEY!!!, Yes Money, as in.. and plenty of it
Go to: https://www.enforcementtracker.com/
Privacy – Key Terms & Concepts
• GDPR – General Data Protection Regulation
• CPRA – California Privacy Rights Act (formerly CCPA)
Privacy – Key Terms & Concepts
• Data Subject: “The identified or identifiable living individual to whom personal data relates.”
Privacy – Key Terms & Concepts
• PII – Personally Identifiable Information: “Any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”
Privacy – Key Terms & Concepts
• Data Controller: “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Privacy – Key Terms & Concepts
• Data Processor: “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and under their authority. In doing so, they serve the controller's interests rather than their own.”
Privacy – Key Terms & Concepts
• What GDPR & CPRA are all about:
• From OWASP Top 10 to Privacy Top 12 (KPI):
1. Security & Pseudonymization
2. Data Breach & Notification
3. Right To Be Forgotten
4. Right To Portability
5. Consent & Right To Withdraw
6. Notice
7. Profiling & User Behavior
8. Data Transfer
9. DPIA
10. Supply Chain Obligations
11. Liabilities
12. Transparency
[Graphic: 12 Key Privacy Indicators (KPIs)]
Cloud-Focused Privacy
• Privacy 12 (KPI):
1. Security & Pseudonymization
2. Data Breach & Notification
3. Right To Be Forgotten
4. Right To Portability
5. Consent & Right To Withdraw
6. Notice
7. Profiling & User Behavior
8. Data Transfer
9. DPIA
10. Supply Chain Obligations
11. Liabilities
12. Transparency
Cloud-Focused Privacy
Image source: Lightspin
Cloud-Focused Privacy
Image source: Cyera
Sensitive Data Discovery and classification
Detect and Respond to Data Privacy Issues
Article/Provision: details the terms and requirements for data protection in “legalese” language that R&D will struggle to translate into clear guidelines.
Technical Requirements: What/How/Where – detailed requirements for R&D to follow in order to comply with regulations.
CCPA’s 21 Legal Provisions
99 GDPR Articles
~110 Technical Requirements
Product-Focused Privacy
Product Privacy Framework is built together with the organization’s Privacy Counsel!
Product Privacy Framework
Product Privacy Framework – Output to Customers
Benefits of Product Privacy Framework
• Clear requirements R&D can understand and implement
• Easy to create the product’s gap analysis
• Easy to create the R&D implementation plan
• Measurable: KPIs shared with senior management
• Ensures our customers’ trust
[Chart: GDPR Technical Framework Maturity Level per product (Product A–D), on a 0–100% scale]
[Chart: Product A – Maturity By Category, Desired vs Actual, for Right to be forgotten, Portability, Notice, Liabilities, Transparency and Security]
Ogres have layers. Well.. so does privacy: the cloud layer and the product layer.
Questions please,
Thank You
Shlomi Ben-Hur March 2023
A vulnerability discovered by Pentera Labs research
XSS in Azure Functions
Pentera Labs™ Series
Uriel Gabay
Senior Security Researcher
22/03/2023
What if the cloud provider is vulnerable to XSS?
XSS is the ability to inject JavaScript code into another origin’s context.
Enables an attacker to:
• Read cookies*
• Read HTML objects
• Read browser storage/DB for this website
• Send requests on behalf of the infected user
• Phishing
Agenda
• Understanding the attack surface
• Browser security concepts explained
• Vulnerability walkthrough
• Mitigations
Azure Functions - The attack surface
What is Azure Functions
Part of the Azure services, a FaaS (Function-as-a-Service)
Goal
Infrastructure for building event-driven applications
Popularity
“Azure is in the top 3 most popular cloud service providers with 21% market share”
According to Synergy research group
Browser security concepts explained
What is Origin?
Defined as: protocol://domain:port
Example:
http://google.com:80 != http://google.com:81
Browser security concepts explained
Sandboxing
Isolation of the data related to one origin from another.
[Diagram: ATTACKER.COM, BANK.COM, CLIENT, Bank.com’s Cookies]
Browser security concepts explained
SOP (Same Origin Policy)
• A policy enforced by the browser. It prevents one origin from sending a request directly to another.
• This policy is enforced when the request is “unique”; it is enabled by default.
1. Client interacts with bank.com
2. Bank.com sends the client a request – send a POST with JSON to api.bank.com
3. Client (browser) notices that bank.com isn’t the same origin as api.bank.com
4. Client sends a preflight request to api-bank.com
5. From the preflight the client can tell whether api-bank.com allows a request from bank.com.
[Diagram: preflight example script sent by the CLIENT to API-BANK.COM]
Browser security concepts explained
CORS (Cross-Origin Resource Sharing)
The policy that defines which origins have permission to send unique requests.
[Diagram: preflight example script from the CLIENT; CORS policy returned by API-BANK.COM]
CORS policy:
Access-Control-Allow-Origin: api-bank.com
Access-Control-Allow-Methods: POST, PUT, OPTIONS
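The SOP/CORS exchange above carried through in code, as an added example that is not part of the Pentera slides: `needsPreflight` classifies a request the way the browser does (a POST carrying application/json is a “unique” request and gets a preflight; a form-urlencoded POST does not), and `corsResponse` shows how api-bank.com should answer, echoing the allowlisted requesting origin in Access-Control-Allow-Origin rather than its own hostname. The origins https://bank.com and https://api-bank.com follow the diagram; the allowlist and the request shape are assumptions.

```javascript
// Added example, not code from the Pentera slides. Origins follow the slide's
// diagram (a bank.com page calling api-bank.com); the allowlist is an assumption.

// A cross-origin request goes out WITHOUT a preflight ("simple request") only when
// the method is GET/HEAD/POST, every header is CORS-safelisted and Content-Type is
// one of three form-style values. Everything else is what the slide calls a
// "unique" request: the browser first sends an OPTIONS preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Mirrors the browser's decision: true when a preflight would be sent first.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Server side of the exchange (api-bank.com). Access-Control-Allow-Origin names the
// origin allowed to READ the response, i.e. the requesting page's origin when it is
// on the allowlist; it is compared as a full origin (scheme://host[:port]).
const ALLOWED_ORIGINS = new Set(["https://bank.com"]);

// req = { method, headers } with lower-cased header names, as Node's http gives them.
// Returns the status and the CORS headers the server should send.
function corsResponse(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) {
    // No Origin header: same-origin navigation or non-browser client; nothing to add.
    return { status: 200, headers: {} };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: no Access-Control-* headers, so the browser withholds the
    // response from the calling script. Note the request itself has still arrived.
    return { status: 403, headers: {} };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin, // echo the allowlisted requester
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must key on Origin
  };
  const isPreflight =
    req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = "POST, PUT, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  return { status: 200, headers };
}
```

CORS only decides whether the page may read the response; a non-preflighted POST is delivered regardless, so state-changing endpoints still need CSRF protection independent of CORS.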
XSS vulnerabilities explained
3 types of XSS vulnerabilities
1. Persistent
2. DOM
3. Reflected
Reflected XSS example
[Diagram: CLIENT and SOMEWEBSITE.COM, steps 1–3, with the server-side code]
Example of reflected XSS:
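Reflected XSS as an added example, not code from the slides: a handler that echoes a query parameter into a text/html response, next to a hardened version that escapes on output and adds nosniff and a CSP, plus a small review check for the two signals the deck’s discovery flow relies on (parameter echoed verbatim, response served as text/html). The hostname somewebsite.com follows the diagram; the `name` parameter and the handler shape are assumptions.

```javascript
// Added example, not code from the slides. Handlers are plain functions taking
// { url } and returning { status, headers, body } so they run without a web
// framework; the hostname follows the diagram, the "name" parameter is assumed.
const SITE = "https://somewebsite.com";

function queryParam(req, key) {
  return new URL(req.url, SITE).searchParams.get(key) ?? "";
}

// Vulnerable: the query parameter is concatenated straight into an HTML response.
// Whatever markup the link carried is rendered in somewebsite.com's origin.
function vulnerableHandler(req) {
  const name = queryParam(req, "name");
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<h1>Hello, ${name}</h1>`,
  };
}

// Escaping for the HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape on output; nosniff stops browsers treating a non-HTML response
// as HTML, and the CSP blocks inline script as a second layer.
function hardenedHandler(req) {
  const name = queryParam(req, "name");
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    body: `<h1>Hello, ${escapeHtml(name)}</h1>`,
  };
}

// Review/test helper for the two signals the deck's discovery flow uses: a
// parameter containing markup characters comes back verbatim, and the response
// is served as text/html.
function reflectsUnescaped(req, res) {
  const name = queryParam(req, "name");
  const isHtml = /^text\/html/i.test(res.headers["Content-Type"] || "");
  return isHtml && /[<>"']/.test(name) && res.body.includes(name);
}

// Constructed request with harmless markup in the parameter.
const SAMPLE_REQUEST = { url: "/greet?name=" + encodeURIComponent("<b>x</b>") };
```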
Reflective XSS vulnerability in Azure Functions
Description
The reflected XSS vulnerability found in functions.azure.com enables an attacker to run JavaScript code in the context of a legitimate Azure website.
Reflective XSS vulnerability in Azure Functions
Vulnerability discovery process
Found suspicious HTTP request → a URL parameter is returned by the server → response Content-Type is text/html (a prerequisite for XSS) → XSS
Research questions
Two limitations of a working XSS:
• SOP is enabled by default due to the application/json content type
• Redirect from the “attacker’s origin” context to the functions.azure.com origin
Solution
Change the request format to the application/x-www-form-urlencoded content-type
Vulnerability exploitation explained
End-to-end exploitation flow
[Diagram: CLIENT, steps 1–4]
Vulnerability exploitation explained
Phishing example:
Mitigations
Using a network proxy or a security browser add-on:
1. Detect malicious content (JavaScript) being loaded
2. Detect communications to malicious domains
* This is very difficult to detect because it’s very hard to separate legitimate actions from malicious actions
Questions
Check out our blog for a more detailed explanation of the vulnerability, or sign up for the Pentera Labs Newsletter at: pentera.io/pentera-labs
Contact us
• uriel.gabay@pentera.io
Thank You.
Questions?
Surviving Ransomware in the Cloud
About Me
Name: Simon Bruno
Occupation: Cybersecurity Engineer at Deepblue
The Problem: Ransomware
“Medibank also confirmed that the attackers even deleted some of this data”
“some of our core systems have been damaged beyond repair or have been permanently deleted.”
“Showing they had access to [..] backup server that contains tens of terabytes”
“[The intruders] managed to also overwrite critical servers, data and backups of that data.”
Imagine…
Est. 1954
One day…
Lockbit
In the News for the Wrong Reasons…
Attack Impact
Result
State Law
“Healthcare facilities must retain medical records for a minimum of
five years beyond the date the patient was last seen”
Oklahoma Dept. of Health Reg. Ch. 13, Section 13.13A
How to Survive Ransomware?
Getting Started
1. Do we have backups?
2. Are they immutable?
Create Inventory
1. Interviews
2. Review documents
3. Review configurations
Interviews
Interview the following people to get a sense of what’s critical to the organization
1. Executives
2. Team leaders
3. Key persons
4. DevOps & IT
Review Documents
● Confluence, Notion, Sharepoint
● Google Drive, M365
● Jira, Monday, ServiceNow
● Search terms: backup, DR (Disaster Recovery), BIA (Business Impact Analysis), BCP (Business Continuity Planning)
Review Configurations
● Backup systems
● Native backups: AWS/GCP/Azure
Now that we have an inventory…
Prioritize
Remember when?
Increasing Backup Coverage
● Create backups for unprotected systems
Hardening
● Copy them off-site
● Restrict access
● Make them immutable
What to start with
Hardening Coverage
Secure Design Considerations
● Completely separate from IT systems
○ Identities
○ Control
● New domain
● Limit access
Separate Backup Tenant – “Paranoid Mode”
[Diagram: Air Gapped Environment with Production and Backup]
Project Naming
Monitor Your Backups
● Heartbeat
● Storage sizes
● Access
Cost Optimization
“[They] wrote that no backup of these data exists due to lack of funds allocated by Russia’s Ministry of Finance.”
Retention Policies
[Calendar: one month, Sunday to Saturday]
Daily → 7-day retention; Weekly → 1-month retention; Monthly → 3-month retention
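The retention rule above carried through in code, as an added example that is not from the talk: given a list of snapshot dates, decide which to keep under daily 7-day, weekly 1-month and monthly 3-month retention. Assumptions: weeks start on Sunday as on the calendar slide, a “month” is 30 days and “3 months” is 90 days, and the weekly/monthly copy is the first snapshot taken in that week/month.

```javascript
// Added example, not from the talk. Applies the slide's rule to a list of snapshot
// dates: keep the last 7 days of dailies, one weekly for a month, one monthly for
// three months. Assumptions: weeks start on Sunday as on the calendar slide, a month
// is 30 days and three months 90 days, and the weekly/monthly copy is the first
// snapshot taken in that week/month. Dates are ISO strings at UTC midnight.

const DAY_MS = 24 * 60 * 60 * 1000;
const POLICY = { dailyDays: 7, weeklyDays: 30, monthlyDays: 90 };

// Key of the Sunday-based week a date falls in, e.g. "2023-03-19".
function weekKey(d) {
  const sunday = new Date(d);
  sunday.setUTCDate(d.getUTCDate() - d.getUTCDay());
  return sunday.toISOString().slice(0, 10);
}

// Key of the calendar month, e.g. "2023-03".
function monthKey(d) {
  return d.toISOString().slice(0, 7);
}

// Returns { keep: [...], expire: [...] } as YYYY-MM-DD strings, oldest first.
function selectSnapshots(isoDates, nowIso, policy = POLICY) {
  const now = new Date(nowIso);
  const dates = isoDates.map((s) => new Date(s)).sort((a, b) => a - b);

  // The first snapshot of each week / month is the weekly / monthly candidate.
  const weeklyFirst = new Set();
  const monthlyFirst = new Set();
  const seenWeeks = new Set();
  const seenMonths = new Set();
  for (const d of dates) {
    const wk = weekKey(d);
    if (!seenWeeks.has(wk)) { seenWeeks.add(wk); weeklyFirst.add(d.getTime()); }
    const mk = monthKey(d);
    if (!seenMonths.has(mk)) { seenMonths.add(mk); monthlyFirst.add(d.getTime()); }
  }

  const keep = [];
  const expire = [];
  for (const d of dates) {
    const ageDays = (now - d) / DAY_MS;
    const kept =
      ageDays <= policy.dailyDays ||
      (weeklyFirst.has(d.getTime()) && ageDays <= policy.weeklyDays) ||
      (monthlyFirst.has(d.getTime()) && ageDays <= policy.monthlyDays);
    (kept ? keep : expire).push(d.toISOString().slice(0, 10));
  }
  return { keep, expire };
}

// Constructed sample: a sparse set of snapshot dates, evaluated on 2023-03-31.
const SAMPLE_SNAPSHOTS = [
  "2022-12-01", "2022-12-31", "2023-01-01", "2023-02-01", "2023-02-26", "2023-03-01",
  "2023-03-19", "2023-03-23", "2023-03-24", "2023-03-25", "2023-03-30",
];
```

Running a pruning job on the result of `expire` is what turns the calendar slide into an enforced policy; the same function can be pointed at a provider's snapshot listing once the dates are extracted.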
Storage Selection
US (multi-region)
$0.026/GB/Month
$0.010/GB/Month
$0.007/GB/Month
$0.0024/GB/Month
Egress
● Keep backups within the same cloud provider
● Try to keep transfers within same region
○ EU to EU
○ US East to US East
Summary
● Effects of Ransomware
● How to start with a plan
● Design considerations
You can reach me at: simon@deepblue.is
Thank You!
Questions?
• Thank You!
• Questions?
• To be continued…
Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
Weitere ähnliche Inhalte

Ähnlich wie The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx

Cloud computing present
Cloud computing presentCloud computing present
Cloud computing present
James Sutter
 
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
gueste4e93e3
 
Emerging application and data protection for multi cloud
Emerging application and data protection for multi cloudEmerging application and data protection for multi cloud
Emerging application and data protection for multi cloud
Ulf Mattsson
 
Csa about-threats-june-2010-ibm
Csa about-threats-june-2010-ibmCsa about-threats-june-2010-ibm
Csa about-threats-june-2010-ibm
Sergio Loureiro
 

Ähnlich wie The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx (20)

Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
 
Cloud security for financial services
Cloud security for financial servicesCloud security for financial services
Cloud security for financial services
 
Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
CoLabora March 2022 -  Improve security posture by implementing new Azure AD ...CoLabora March 2022 -  Improve security posture by implementing new Azure AD ...
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
 
Cloud Security 2014 AASNET
Cloud Security 2014 AASNETCloud Security 2014 AASNET
Cloud Security 2014 AASNET
 
Cloud computing present
Cloud computing presentCloud computing present
Cloud computing present
 
Cloud assisted mobile-access of health data with privacy and auditability
Cloud assisted mobile-access of health data with privacy and auditabilityCloud assisted mobile-access of health data with privacy and auditability
Cloud assisted mobile-access of health data with privacy and auditability
 
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
 
Emerging application and data protection for multi cloud
Emerging application and data protection for multi cloudEmerging application and data protection for multi cloud
Emerging application and data protection for multi cloud
 
Csa about-threats-june-2010-ibm
Csa about-threats-june-2010-ibmCsa about-threats-june-2010-ibm
Csa about-threats-june-2010-ibm
 
Up 2011-ken huang
Up 2011-ken huangUp 2011-ken huang
Up 2011-ken huang
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
Fundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and ComplianceFundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and Compliance
 
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
 
Turtles, Trust and The Future of Cybersecurity
Turtles, Trust and The Future of Cybersecurity Turtles, Trust and The Future of Cybersecurity
Turtles, Trust and The Future of Cybersecurity
 
MIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the CloudMIST Effective Masquerade Attack Detection in the Cloud
MIST Effective Masquerade Attack Detection in the Cloud
 

Mehr von lior mazor

The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
lior mazor
 

Mehr von lior mazor (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021
 

Kürzlich hochgeladen

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Kürzlich hochgeladen (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx

  • 2. Data Privacy in Our On-Prem and Cloud Products Shlomi Ben-Hur March 2023 That’s Me
  • 4. Discussion Topics • Privacy – Key Terms & Concepts • Cloud-Focused Privacy • Product-Focused Privacy
  • 5. Why is Privacy SOOO Important?? MONEY!!!, Yes Money, as in.. and plenty of it Go to: https://www.enforcementtracker.com/
  • 6. Privacy – Key Terms & Concepts • GDPR – General Data Protection Regulation • CPRA – California Privacy Rights Act  Formerly CCPA
  • 7. Privacy – Key Terms & Concepts • Data Subject: “The identified or identifiable living individual to whom personal data relates.”
  • 8. Privacy – Key Terms & Concepts • PII – Personally Identifiable Information: “Any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”
  • 9. Privacy – Key Terms & Concepts • Data Controller: “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
  • 10. Privacy – Key Terms & Concepts • Data Processor: “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and under their authority. In doing so, they serve the controller's interests rather than their own.”
  • 11. Privacy – Key Terms & Concepts • What’s GDPR & CPRA are all about: • From OWASP Top10..  To Privacy Top 12 (KPI): 1. Security & Pseudonymization 2. Data Breach & Notification 3. Right To Be Forgotten 4. Right To Portability 5. Consent & Right To Withdraw 6. Notice 7. Profiling & User Behavior 8. Data Transfer 9. DPIA 10. Supply Chain Obligations 11. Liabilities 12. Transparency
  • 12. Security & Pseudonymization Data Breach & Notification Right To Be Forgotten Right To Portability Consent & Right To Withdraw Notice Data Transfer DPIA Supply Chain Obligations Liabilities Transparency 12 Key Privacy Indicators (KPIs)
  • 13. Cloud-Focused Privacy • Privacy 12 (KPI): 1. Security & Pseudonymization 2. Data Breach & Notification 3. Right To Be Forgotten 4. Right To Portability 5. Consent & Right To Withdraw 6. Notice 7. Profiling & User Behavior 8. Data Transfer 9. DPIA 10.Supply Chain Obligations 11.Liabilities 12.Transparency
  • 15. Cloud-Focused Privacy Image source: Cyera Sensitive Data Discovery and classification Detect and Respond to Data Privacy Issues
  • 17. Cloud-Focused Privacy • Privacy 12 (KPI): 1. Security & Pseudonymization 2. Data Breach & Notification 3. Right To Be Forgotten 4. Right To Portability 5. Consent & Right To Withdraw 6. Notice 7. Profiling & User Behavior 8. Data Transfer 9. DPIA 10.Supply Chain Obligations 11.Liabilities 12.Transparency
  • 18. Article/Provision Detail the terms and requirements for data protection in “legalese” language that R&D will struggle to translate to clear guidelines Technical Requirements What/How/Where: Detailed requirements for R&D to follow in order to comply with regulations CCPA’s 21 Legal Provisions 99 GDPR Articles ~110 Technical Requirements Product-Focused Privacy Product Privacy Framework is built together with the organizations’ Privacy Counsel!
  • 20. Product Privacy Framework – Output to Customers
  • 21. Benefits of Product Privacy Framework: ✓ Clear requirements R&D can understand and implement ✓ Easy to create the product’s gap analysis ✓ Easy to create an R&D implementation plan ✓ Measurable: KPIs shared with senior management ✓ Ensures our customers’ trust. [Chart: GDPR Technical Framework Maturity Level, 0–100%, for Product A, Product B, Product C, Product D] [Chart: Product A – Maturity By Category, Desired vs. Actual (levels 1–3): Right to be forgotten, Portability, Notice, Liabilities, Transparency, Security]
  • 22. Ogres have layers Well.. so does privacy  The cloud layer and the product layer
  • 24. XSS in Azure Functions – A vulnerability discovered by Pentera Labs research. Pentera Labs™ Series. Uriel Gabay, Senior Security Researcher, 22/03/2023
  • 25. What if the cloud provider is vulnerable to XSS? XSS is the ability to inject JavaScript code into another origin’s context. It enables an attacker to: • Read cookies* • Read HTML objects • Read browser storage/DB for this website • Send requests on behalf of the infected user • Phishing
  • 26. Agenda • Understanding the attack surface • Browser security concepts explained • Vulnerability walkthrough • Mitigations
  • 27. Azure Functions – The attack surface. What is Azure Functions? Part of the Azure services, a FaaS (Function-as-a-Service)
  • 28. Azure Functions – The attack surface. What is Azure Functions? Part of the Azure services, a FaaS (Function-as-a-Service). Goal: infrastructure for building event-driven applications. Popularity: “Azure is in the top 3 most popular cloud service providers with 21% market share”, according to Synergy Research Group
  • 29. Browser security concepts explained. What is an origin? Defined as protocol://domain:port. Example: http://google.com:80 != http://google.com:81
  • 30. Browser security concepts explained. Sandboxing: isolation of the data related to one origin from another. [Diagram: CLIENT, BANK.COM, ATTACKER.COM; bank.com’s cookies]
  • 31. Browser security concepts explained – SOP (Same Origin Policy). [Diagram: CLIENT, BANK.COM, API-BANK.COM, ATTACKER.COM; preflight example script] • A policy enforced by the browser. It prevents one origin from sending a request directly to another. • The policy is enforced when the request is “unique” (i.e. not a simple request); it is enabled by default. 1. The client interacts with bank.com 2. bank.com sends the client a request to perform: a POST with JSON to api-bank.com 3. The client (browser) notices that bank.com isn’t the same origin as api-bank.com 4. The client sends a preflight request to api-bank.com 5. From the preflight, the client can tell whether api-bank.com allows a request from bank.com.
  • 32. Browser security concepts explained – CORS (Cross-Origin Resource Sharing). It’s the policy that defines which origins have permission to send unique requests. [Diagram: CLIENT, BANK.COM, API-BANK.COM, ATTACKER.COM; preflight example script] CORS policy: Access-Control-Allow-Origin: api-bank.com; Access-Control-Allow-Methods: POST, PUT, OPTIONS
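As an added example (not code from the Pentera talk), the following Node.js script models both sides of the exchange described on the two slides above: the browser's decision whether a cross-origin request is "simple" (sent directly) or needs an OPTIONS preflight first, and the API origin's evaluation of that preflight against an allowlist. It also covers the content-type point the talk raises later under "Research questions": a POST with application/json triggers a preflight, while a POST with application/x-www-form-urlencoded is sent without one. The origins (bank.com, api-bank.com, attacker.com), the allowlist and the header values are constructed for illustration; in the response the API echoes back the allowed requesting origin rather than using a wildcard.

```javascript
// Added example: browser-side preflight decision and server-side CORS
// preflight handling. Origins, allowlist and headers are constructed.

// Content types and methods a browser treats as "simple" (no preflight).
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Origin = scheme://host:port. URL.origin normalises default ports, so
// http://google.com:80 equals http://google.com but not http://google.com:81.
function originOf(url) {
  return new URL(url).origin;
}

// True when the browser would send the request without a preflight:
// safelisted method, and only safelisted headers (Content-Type compared
// on its media type, ignoring parameters such as charset).
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (lname === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return false;
    } else if (!["accept", "accept-language", "content-language"].includes(lname)) {
      return false; // any other custom header forces a preflight
    }
  }
  return true;
}

// Browser side: "same-origin", "simple" (sent directly, response still
// subject to CORS checks) or "preflight" (OPTIONS sent first).
function classifyRequest(pageOrigin, targetUrl, method, headers) {
  if (originOf(pageOrigin) === originOf(targetUrl)) return "same-origin";
  return isSimpleRequest(method, headers) ? "simple" : "preflight";
}

// Server side (api-bank.com): answer an OPTIONS preflight. Only allowlisted
// origins get Access-Control-Allow-Origin; the value names that origin, not
// "*", because credentialed requests require a specific origin.
function handlePreflight(requestHeaders, allowedOrigins, allowedMethods) {
  const origin = requestHeaders["Origin"];
  const reqMethod = requestHeaders["Access-Control-Request-Method"];
  if (!allowedOrigins.has(origin) || !allowedMethods.has(reqMethod)) {
    return { status: 403, headers: {} }; // no CORS headers: browser blocks the real request
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": [...allowedMethods].join(", "),
      "Access-Control-Allow-Headers": "Content-Type",
      "Vary": "Origin",
    },
  };
}

// Constructed walk-through of the bank.com -> api-bank.com exchange.
const ALLOWED_ORIGINS = new Set(["https://bank.com"]);
const ALLOWED_METHODS = new Set(["POST", "PUT", "OPTIONS"]);

function demo() {
  const jsonPost = { "Content-Type": "application/json" };
  const formPost = { "Content-Type": "application/x-www-form-urlencoded" };
  const target = "https://api-bank.com/transfer";
  return {
    jsonPost: classifyRequest("https://bank.com", target, "POST", jsonPost),   // "preflight"
    formPost: classifyRequest("https://bank.com", target, "POST", formPost),   // "simple"
    bankPreflight: handlePreflight(
      { Origin: "https://bank.com", "Access-Control-Request-Method": "POST" },
      ALLOWED_ORIGINS, ALLOWED_METHODS).status,                                // 204
    attackerPreflight: handlePreflight(
      { Origin: "https://attacker.com", "Access-Control-Request-Method": "POST" },
      ALLOWED_ORIGINS, ALLOWED_METHODS).status,                                // 403
  };
}

console.log(demo());
```

The form-encoded POST being "simple" is exactly why a browser will deliver it cross-origin without asking the target first; the SOP still prevents the sending page from reading the response, but the request itself reaches the server.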
  • 33. XSS vulnerabilities explained. 3 types of XSS vulnerabilities: 01 Persistent 02 DOM 03 Reflected
  • 34. Reflected XSS example [Diagram: CLIENT ↔ SOMEWEBSITE.COM, steps 1–3; server-side code]. Example of reflected XSS: [image]
  • 35. Reflected XSS vulnerability in Azure Functions. Description: the reflected XSS vulnerability found in functions.azure.com enables an attacker to run JavaScript code in the context of the legitimate Azure website.
  • 36. Reflected XSS vulnerability in Azure Functions – Vulnerability discovery process [screenshots, slides 36–38]
  • 39. Reflected XSS vulnerability in Azure Functions – Vulnerability discovery process: found a suspicious HTTP request → a URL parameter is returned from the server → the response content-type is text/html (a prerequisite for XSS) → XSS
  • 40. Research questions. Two limitations of a working XSS: • SOP is enabled by default due to the application/json content type • Redirect from the “attacker’s origin” context to the functions.azure.com origin. Solution: change the request format to the application/x-www-form-urlencoded content-type
  • 41. Vulnerability exploitation explained – End-to-end exploitation flow [Diagram: CLIENT, steps 1–4]
  • 43. Mitigations. Using a network proxy or a security browser add-on: 1. Detect malicious content (JavaScript) being loaded 2. Detect communications to malicious domains. * This is very difficult to detect because it is very hard to separate legitimate actions from malicious ones
  • 45. Check out our blog for a more detailed explanation of the vulnerability or sign up for the Pentera Labs Newsletter at: pentera.io/pentera-labs. Contact us: uriel.gabay@pentera.io
  • 48. About Me Name: Simon Bruno Occupation: Cybersecurity Engineer at Deepblue
  • 50. “Medibank also confirmed that the attackers even deleted some of this data”
  • 51. “some of our core systems have been damaged beyond repair or have been permanently deleted.”
  • 53. “Showing they had access to [..] backup server that contains tens of terabytes”
  • 54. “[The intruders] managed to also overwrite critical servers, data and backups of that data.”
  • 59. In the News for the Wrong Reasons…
  • 62. State Law “Healthcare facilities must retain medical records for a minimum of five years beyond the date the patient was last seen” Oklahoma Dept. of Health Reg. Ch. 13, Section 13.13A
  • 65. Getting Started 1. Do we have backups? 2. Are they immutable?
  • 66. Create Inventory 1. Interviews 2. Review documents 3. Review configurations
  • 67. Interviews Interview the following people to get a sense of what’s critical to the organization 1. Executives 2. Team leaders 3. Key persons 4. DevOps & IT
  • 68. Review Documents ● Confluence, Notion, Sharepoint ● Google Drive, M365 ● Jira, Monday, ServiceNow ● Search terms: backup, DR (Disaster Recovery), BIA (Business Impact Analysis), BCP (Business Continuity Planning)
  • 69. Review Configurations ● Backup systems ● Native backups: AWS/GCP/Azure
  • 70. Now that we have an inventory…
  • 73. Increasing Backup Coverage ● Create backups for unprotected systems
  • 74. Hardening ● Copy them off-site ● Restrict access ● Make them immutable
  • 76. What to start with: Hardening, Coverage
  • 78. Separate Backup Tenant – “Paranoid Mode” ● Completely separate from IT systems ○ Identities ○ Control ● New domain ● Limit access
  • 79. Air-Gapped Environment [Diagram: Production ↔ Backup]
  • 81. Monitor Your Backups ● Heartbeat ● Storage sizes ● Access
  • 83. “[They] wrote that no backup of these data exists due to lack of funds allocated by Russia’s Ministry of Finance.”
  • 84. Retention Policies [Calendar diagram: Sunday–Saturday, days 1–31] Daily → 7 day retention; Weekly → 1 month retention; Monthly → 3 month retention
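The retention tiers on the slide above, implemented as a pruning decision, as an added example that is not part of the talk. It generalises the slide slightly into a grandfather-father-son selection: a snapshot survives if any tier wants it, where the daily tier keeps everything from the last 7 days, the weekly tier keeps the latest snapshot of each calendar week for a month, and the monthly tier keeps the first snapshot of each calendar month for three months. The snapshot dates, the day counts used for "1 month" (31 days) and "3 months" (92 days), and the choice of Sunday as the end of the week are constructed assumptions.

```javascript
// Added example: GFS-style retention selection implementing
// daily 7 days / weekly 1 month / monthly 3 months. Dates and the exact day
// counts for "month" are constructed assumptions.

const DAY_MS = 24 * 3600 * 1000;

function utcDate(s) { return new Date(s + "T00:00:00Z"); }
function isoDay(d) { return d.toISOString().slice(0, 10); }
function daysAgo(date, now) { return Math.floor((now - date) / DAY_MS); }

// Inclusive list of YYYY-MM-DD strings, used to build a sample snapshot set.
function dateRange(startStr, endStr) {
  const out = [];
  for (let d = utcDate(startStr); d <= utcDate(endStr); d = new Date(d.getTime() + DAY_MS)) {
    out.push(isoDay(d));
  }
  return out;
}

// Returns the Set of snapshot dates (YYYY-MM-DD) that must be retained.
function selectRetained(snapshotDates, nowStr,
                        policy = { dailyDays: 7, weeklyDays: 31, monthlyDays: 92 }) {
  const now = utcDate(nowStr);
  const keep = new Set();
  const snaps = snapshotDates
    .map((s) => ({ s, d: utcDate(s) }))
    .sort((a, b) => a.d - b.d);               // oldest first
  const weekly = new Map();                    // week key -> latest snapshot in that week
  const monthly = new Map();                   // month key -> earliest snapshot in that month
  for (const snap of snaps) {
    const age = daysAgo(snap.d, now);
    if (age < 0) continue;                     // ignore future-dated entries
    if (age < policy.dailyDays) keep.add(snap.s);
    if (age < policy.weeklyDays) {
      // Week key: the Sunday that ends this week (getUTCDay() is 0 on Sunday).
      const sunday = new Date(snap.d.getTime() + ((7 - snap.d.getUTCDay()) % 7) * DAY_MS);
      weekly.set(isoDay(sunday), snap.s);      // ascending order: last write is the latest
    }
    if (age < policy.monthlyDays) {
      const monthKey = snap.s.slice(0, 7);
      if (!monthly.has(monthKey)) monthly.set(monthKey, snap.s);
    }
  }
  for (const s of weekly.values()) keep.add(s);
  for (const s of monthly.values()) keep.add(s);
  return keep;
}

// Splits a snapshot list into what to keep and what is safe to prune.
function planPrune(snapshotDates, nowStr) {
  const keep = selectRetained(snapshotDates, nowStr);
  return {
    keep: [...keep].sort(),
    remove: snapshotDates.filter((s) => !keep.has(s)).sort(),
  };
}

// Constructed sample: a daily snapshot for every day of Q1 2023, evaluated on 2023-03-31.
const SAMPLE = dateRange("2023-01-01", "2023-03-31");
console.log(planPrune(SAMPLE, "2023-03-31"));
```

Two properties worth noticing: tiers overlap rather than hand off (the 26th is kept both as a daily and as a weekly), and the pruning decision is computed from the snapshot list alone, so it can run from the monitoring side without write access to the repository until the operator applies the plan.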
  • 86. Egress ● Keep backups within the same cloud provider ● Try to keep transfers within same region ○ EU to EU ○ US East to US East
  • 88. Summary ● Effects of Ransomware ● How to start with a plan ● Design considerations You can reach me at: simon@deepblue.is
  • 90. • Thank You! • Questions? • To be continued… Join Us: https://www.linkedin.com/company/application-security-virtual-meetups