Democratising insecurity Bringing security weaknesses to the tech masses

Democratising insecurity

Bringing security weaknesses to the tech masses

Alistair Chapman /in/alistairchapman/

• Queensland University of Technology• Network Security Engineer• Trained as network engineer• Specialising in IDS and technical

architecture

• Corporate and IS Governance Consultant

au.linkedin.com/in/alistairchapman/

[email protected]

About Me

Alistair Chapman

1 2 3 4

AGENDA

Industry Context

Dark Side of Growth

Solution Strategy

Strategic Model

Industry and Technology Context


Context: Easy availability of simple VPS

• New container-based virtualisation• Lowered cost of entry to market• Increased competition, lower costs

• Simplified processes, minimal verification• Basic management and support


Case Study: DigitalOcean

• Less than a cent per hour• Provisioned in under a

minute• 100%/99.9% SLA

• From 100 to 100,000 hosts in 2 years• Service built on quick

build, high quantity instances


Case Study: OVH

• 15% growth in North America• Expansion from Europe to

North America in 2014• Offer full spectrum of

services from VPS to full storage-backed cloud infrastructure• Offer services from as

little as $3/month, all with SLAs.

The Dark Side of Growth


• OVH.com• Macincloud.com• Eurospace• Crocweb• DigitalPacific

• WHMCS

Problem: Poor account practices

“Plaintext Offenders”


• Many providers offer pre-built template instances• Default passwords• Weak standard

configurations• Little to no warnings

Problem: Weak default configurations

Application Templates


• Single-instance servers outside of corporate domain• May not fall under security

policies or centralised administration• Often provisioned ad-hoc,

or independently

Effect: Poor Management Control

Reduced effectiveness of controls

Secured Domain

VM VM

VM VM

VPS

UNSECURE


• Weak default configurations combined with public access• Simple targets for email

spam• Additional risk for C&C

and botnet attacks

• Typical server uses are low-maintenance, low touch roles.• Administrators may not

check their servers for months at a time.

Effect: Increased risk of spam and C&C

Servers are “prime targets” Lower maintenance hosts

Solution Strategy and Implementation


Solution Overview

Secure Default Configurations

Secure Billing and Backend Services

Improved monitoring and governance of cloud services

Increased provider responsibility

Improved Cloud Security

Coverage


Secure Default Configurations

• Particularly important for pre-configured application instances• Services should be

disabled by default.• Restrict initial access to

VPN for added security


• Billing services should be secure at a process level• Customer data should be

transmitted when absolutely necessary.


Billing Services WHMCS Example


• NEVER EMAIL PASSWORDS• Secure KVM access to

virtual hosts• VM Control Panels and

APIs must be secure


Authentication and Customer Data


• Should be streamlined to encourage adoption• Hooks, APIs and

compatibility with external providers• Provide rudimentary

alerting system

• 100% Customer Responsibility• Keep external cloud hosts

under central IT• Use provisioning and

endpoint management where possible

Improved Monitoring and Governance

Monitoring Governance


• Virtualisation provides unique opportunities• Take lead from ISP market• Public services should be

opt-in

• Identity Validation and tracking• Used to track abuse• Tiered levels of capability• DNS (ICANN)• SSL (subdomains)• PayPal

Increased Provider Responsibility

Active Monitoring Management Responsibility


• Not a perfect product• Has the advantage of

multinational corporate backing• Global infrastructure and

near-unlimited funds a unique ability.

• Major corporate brand• Significant PR and client

commitments made

Case Study: Microsoft Azure

Overview Responsibility


• Initial system accounts are set by user at provisioning• Host can be used with

external authentication• Strongly suggest use of

PowerShell for security

• Still uses insecure defaults• Uses “Endpoints” to hide

services• Primarily “security

through obscurity”

Secure Processes

Authentication Application Configuration


• Allows for direct integration into existing infrastructure• Pre-provisioning

configuration available on some hosts• All communication done

through secure web portal

• Active, real-time monitoring available• Configurable alerts

available on all services• Tight integration with

existing (Microsoft) tools.

Secure Processes

Governance Monitoring

Vision of the Future

GOAL

STRATEGIES

TACTICS

OUTCOMES

Improved Security of Isolated Cloud Nodes

Improve OOBE

Security

Monitoring and

Governance

Secure Backend Services

Hardened application

Fully integrated instances

Holistic,Full-StackSecurity Model

Reduced Attack Surface

Improved Resource

Management

Effective Support Services


• Verify standard system and application configurations• Perform and complete

active monitoring of instances• Change services to opt-in

where possible• Obfuscate insecure

services at provision-time• Secure communication only

• Never put default configurations in production• Never make insecure

services public• Install services only on an

as-needed basis• Configure ACLs, firewalls

and admin limits early.

Implementation Guidelines

Providers Users

Summary and Overview


Summary

• Proliferation of providers and services is not a problem,

its an asset

• Improves customer choice

• Also makes security failing much more apparent and

accessible

• Responsibility lies with all stakeholders

• Holistic effort required to fully improve situation

Role-based model

• Improve new service templates and processes• Improve access to hardening and obfuscation

measures

APNIC Partners(Hosting

Providers)

• Pay equal attention to backend/billing service security

• Secure OOBE application configurations

Sysadmin | NetSec

Developers• Follow best practices for securing public services

and applications• Integrate into any existing governance and

monitoring

Users and Businesses

Thank You

Alistair Chapman(w) https://agchapman.com/(e) [email protected](ln) http://lnkd.in/bceQ5SG

https://agchapman.com/

mailto:[email protected]

http://lnkd.in/bceQ5SG



Documents

Democratising insecurity Bringing security weaknesses to the tech masses