Moving to Cloud Services - Maine Bankers Association...Heroku, Coursera, Bitbucket, Autodesk's cloud, Twilio, Mailchimp, Citrix, Expedia, Flipboard, and Yahoo! Mail Readers also reported

Moving to Cloud ServicesCyber Security Considerations

Copyright Sage Data Security 2019© All Rights Reserved

Agenda

Cloud Services Defined

Catastrophic Failures

Risks & Rewards of Cloud Sourcing

Concentration & Reverse Concentration Risk

CyberCriminal Case Studies

Cloud Service Provider Assessment & Testing

Agenda


Cloud Services DefinedSaaS – You rent a car or truck. No modifications, what you rented is what you get. If it stops working they give you a new one. You often pay based on how far you go and how much gas you used. Terms and conditions apply.

PaaS – You lease a car or truck. You can use it and modify it the way you need it to be. Terms and conditions apply - you break it, you own fixing it.

IaaS – You want to build your own car from parts. Some parts you make yourself and others you buy. You need your own machine shop and garage. You rent the garage to get started.

Hybrids – Not purely one model, all models are theoretical in any case. Your system will likely be a blend.

IaaS (Rent-a-Garage)This model works best for organizations that have Infrastructure and Network Engineers. The on-premise resources become too demanding and expensive to manage. Parts break, warranties expire, space runs out.

Team transitions to managing the same classes of resources remotely in someone else’s “garage”. Most, if not all, resources will be Virtual. Garage owner is responsible for keeping the lights on, lifts lifting, and those fancy air compression pumps running.


PaaS (Lease-a-Car)This model works best for organizations that have Application Engineers and a dedicated programming shop. The on-premise resources cannot keep up with demands for faster performance, more storage, and faster updates to infrastructure. Improvements are curtailed by the capital cost of upgrades.

Team transitions to clicking a button to get resources added. New servers, additional storage, faster processing. Upgrades of resources is a financial issue and not an organizational road block. When you break something in this environment it is all on you.


SaaS (Rent-a-Car)This model works best for organizations that have no interest in directly maintaining a business solution. They just want a solution they can use that solves a business need.

An example is email. Exchange is a complicated and expensive business solution. Under the covers it requires a lot of engineering and design to work correctly. Issues of performance and storage are common with on premise implementations. The business just wants email messaging to work smoothly and be reliable.


SaaSOh – and all those neat and useful email features, we want those now.

Encryption – yesJournaling – yesSpam bullet proofing – yesPhishing protections - yesShared calendars – yesGroup messaging - yesAdd instant message and faxing and voicemail and and and……

SaaS allows you to check a box.


SaaSSo much easier to pick out the car that has all the features you may want and just pay for how much you use it.

Which piece do you want and how much of it today?


Cloud Services Accountability

Things to keep in mind

Vendors providing these services have had spectacular failures. In some cases the clients were put out of business. In other cases the Vendor went out of business. In the worst case both things happen.

• What is your contingency for protecting the data stored in the Cloud?

• What is your contingency for retrieving the data stored in the Cloud?

• What happens when the contract ends?

Agenda

Catastrophic Failures

Cloud Services – Catastrophic Failures

February 2019:• VFEmail wiped out 2019.• 18 Years of Customer Email• This isn’t the first time criminals have targeted VFEmail. in 2015 it

suffered a debilitating distributed denial-of-service (DDoS) attack after declining to pay a ransom demand from an online extortion group.

• Another series of DDoS attacks in 2017 forced VFEmail to find a new hosting provider.

Krebsonsecurity.com

March 2017:• Amazon S3 Service Disruption

in the Northern Virginia (US-EAST-1) Region

• Websites, backups, apps, security cams, IoT gear

• Five-hour disruption was so bad, Amazon couldn't even update its own AWS status dashboard: its red warning icons were stranded, hosted on the broken-down side of the cloud.


www.theregister.co.uk

March 2017 Impacted Sites:• Docker's Registry Hub, Trello, Travis

CI, GitHub and GitLab, Quora, Medium, Signal, Slack, Imgur, Twitch.tv, Razer, heaps of publications that stored images and other media in S3, Adobe's cloud, Zendesk, Heroku, Coursera, Bitbucket, Autodesk's cloud, Twilio, Mailchimp, Citrix, Expedia, Flipboard, and Yahoo! Mail Readers also reported that Zoom.us and some Salesforce.com services were having problems, as were Xero, SiriusXM, and Strava.


www.theregister.co.uk

• How Canada’s Biggest Bitcoin Exchange Lost it All.• $190 Million in Crypto Gone Forever. • CEO of Quadriga, a cryptocurrency exchange, who died without

sharing the password to the storage wallets.


Agenda

Risks & Rewards of Cloud Sourcing

Risks

• Lack of transparency into actual control environment.• Loss of internal control.• Potential loss of “Institutional Memory” of critical services

delivery.• Reliance on agreements, often significantly weighted toward CSP.• Out of sight-out of mind.

• Tendency to think risk and accountability are outsourced.• Failure to implement adequate Complementary User Controls.

Cloud Services Risks & Rewards

Rewards

• Augmentation of capabilities and expertise.• Reduced risk of personnel shortages.• Reduce risk of skills deficits.• Contractual leverage for service delivery.• Infrastructure resilience.• Monthly expenses over capital purchases.

• Someone else upgrades and updates.

Cloud Services Risks & Rewards

Agenda

Concentration & Reverse Concentration Risk

Concentration Risk

“An increasing concentration risk corresponds to financial institutions' increased use of third-party service providers. That, in conjunction with industry consolidation, has resulted in fewer, more specialized TSPs providing services to larger numbers of financial institutions. This trend increases the potential impact of a scenario in which a TSP is required to support recovery services to large numbers of financial institutions due to a widespread disaster...”

*Appendix J – IT Examiners Handbook – Business Continuity

Concentration Risk

• Move to use cloud SaaS and IaaS providers provides attractive attack vector

• One to many• Simultaneous attack on vendor and customer(s)

• Office 365 / Azure• AWS• Core System providers• “Monoculture” concept of vulnerability

• Shared similar or same infrastructure• One key picks one lock – shared by many doors

Concentration Risk

• Using single or few providers to provide majority of services

• This is reality –Don’t make good the enemy of best

Reverse Concentration Risk

• Risk realized when multi-client provider is compromised, and all client customers are downstream

• …or a software vendor’s source code is compromised and then distributed in compromised state to customers/clients.

• Represents a clear strategic shift in cybercrime organizations.

• Case study: Magecart

Agenda

CyberCriminalCase Studies

Case Study: NotPetya

• 2015 and 2016, a group of Russian agents known as Sandworm was hacking into dozens of Ukrainian governmental organizations and companies.

• They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data.

• In the winters of both years, they caused widespread power outages—the first confirmed blackouts induced by hackers.

http://www.wired.com

Case Study: NotPetya• In the spring of 2017, Russian military hackers hijacked the

company’s update servers to allow them a hidden back door into the thousands of PCs around the country and the world that have

• June 2017, the saboteurs used that back door to release a piece of malware called NotPetya, their most vicious cyberweapon yet.

• Eternal Blue – penetration tool (a patched Windows vulnerability)• Mimikatz – memory scraper for passwords• Infect unpatched computers, then use Mimikatz to compromise

patched computers• NotPetya resembled ramsomware “Petya”, but was not

ransomware.• Purely destructive goal

http://www.wired.com

Case Study: Wolverine Solutions Group

• Healthcare Billing Services Vendor • More than 600,000 Michigan residents may have had their

information compromised in the breach at Detroit-based Wolverine Solutions Group, according to a statement from Michigan Attorney General Dana Nessel and Anita Fox, director of the state's department of insurance and financial services.

https://www.healthcareinfosecurity.com


• Clients Include:• Blue Cross Blue Shield of Michigan • Health Alliance Plan• McLaren Health Care,• Three Rivers Health• North Ottawa Community Health System



• Data Exposed:• Names, • Addresses, • Phone numbers, • Dates of birth, • Social Security numbers, • Insurance contract information • Medical information.



• Ransomware:• On approximately Sept. 25, 2018, WSG discovered that an

unauthorized party gained access to its computer system and infected the system with malware. The malware encrypted many of WSG's records, which made them inaccessible, in an effort to extort money from us," the company says.



• Disclose the Breach?• The Office for Civil Rights (OCR) ransomware guidance

• Consider lack of availability when determining whether an incident is a reportable breach,

• No consensus on how much weight this factor should be given. • Organizations come to very different conclusions regarding whether a

ransomware incident, where evidence indicates no exfiltration of data, is reportable.

• "Most PHI ransomware cases need to be treated as a HIPAA breach, unless forensic examination clearly shows no data exfiltration," Kate Borten, president of The Marblehead Group



• Disclose the Breach?• “Having logged events to refer back to can help determine the

likelihood of a breach due to ransomware. Reviewing firewall logs can help identify if ransomware exfiltrated data.”

• "Data-exfiltrating malware often extracts sensitive information over outbound encrypted channels. Without the necessary inspection in place, an organization may not be able to tell what specific information may have been exfiltrated."


Case Study: Who is Magecart?

• Massive digital credit card-skimming campaign affecting over 800 e-commerce sites world-wide.

• Ticketmaster – multiple sites compromised.• Third-party vendor to Ticketmaster, Inbenta’s code was compromised.• SQL and Java script injection attacks are their primary weapons.• The instances observed in which Inbenta’s custom JavaScript scripts for

Ticketmaster had been wholly replaced with Magecart skimmers indicates that Inbenta was breached.

• British Airways – 40,000 compromised.


www.riskiq.com

“Even more disturbing, the Ticketmaster breach demonstrates that the Magecart actors are continuing to refine their

techniques and get better at target selection. Previously, they compromised individual websites and added new Javascript or links to remote Javascript files, but they seem to have gotten smarter—rather than go after websites, they’ve figured out that it’s easier to compromise third-party suppliers of scripts

and add their skimmer.”


www.riskiq.com

“To give you an idea of the targets the Magecart actors are after, here is another third-party supplier that is, as of this writing, affected by the Magecartskimmer. This supplier, known as PushAssist, provides analytics for websites, similar to Google Analytics. Their server has been breached and is still serving analytics with the Magecartskimmer. The service boasts having over 10 thousand websites using its analytics platform”

Agenda

Cloud Service Provider Assessment

What To Know

Software Development Lifecycle (SDLC)• How much do you know about your vendor’s SDLC controls? Here are

some key questions to ask:• Are the developers training in security coding practices? • How are test and development networks segregated? • What segregation of duties controls are in place between development

and test environments? • Where is source code stored and what extra protections are applied? • What security testing is performed at each development stage, and

against the final versions?• What is the remediation practice to mitigate findings from testing

engagements?• What detective controls are in place, such as activity and access reviews?

What To Know

Malware-Proof Replication• Considering the success advanced ransomware variants capable of

finding and infecting backup storage locations, we need to know that backup and replication functions are specifically engineered to prevent and detect malware compromise of data at rest. Some questions to consider:

• What are the “air-gap” controls applied to replicated data stores?• How often are backups and replicated virtual environments tested

for integrity?• How often are these environments security tested?• What are the detective controls applied to these stores and

environments?

What To Know

Multifactor Authentication (MFA)• Unfortunately, there are still many examples of single-factor remote access in the

community banking sector. From 0ffice 365 to critical banking systems, we are still writing frequent findings in this control area. It’s worth noting that there is some confusion over what constitutes MFA. True MFA consists of multiple active challenges to the user attempting access. Installed certificates and IP Restriction are great controls, but they are not examples of MFA. I’ll address them in the next section.

• MFA includes:• Something you know.• Something you have.• Something you are.

• In each of these three components of MFA, the “you” refers to a challenge to the active user, not a computer or user account.

• Does your service provider allow single-factor remote access to its information systems and resources by its employees? Do employees at your TSPs with Administrator privilege use MFA for all access, and do they use separate accounts for daily activities that don’t require elevated privilege?

What To Know

Multi-Layer Authentication• User-based digital certificates installed on laptops and

tablets are excellent multi-layer authentication controls. • Not MFA: the certificates are associated with the user account

and don’t actively require an action from a user, once installed

• IP Restriction is a great multi-layer control. • no active challenge to the user, but rather, a coded challenge to

the device’s IP Address of origin, at work.

What To Know

Personnel at CSP• Experience and Expertise• Certifications and Qualifications• Workforce-to-Customer Ratios

What To Know

Redundancy & Resilience• Data Center replication• Data Center Geo-location• Backups• 4th-party sub-service providers?

What To Do

Assess the Risk:• Consume SOC reports, but don’t stop there.• Consume all independent security testing and audit reports

• Always request your own security testing• Read CSP policies and program documents• Engage in co-continuity and DR testing

• At minimum, consume internal COOP and DR test reports• Engage in co-IRP testing

• At minimum, consume internal IRP testing reports• Understand IR procedures

• Notification of incidents• Notification of new vulnerabilities

• Speak with clients and customers

ReCap

• Know the distinctions• SaaS, IaaS, PaaS

• Decide the best course for you, a blend is likely• Stay vigilant, risk cannot be outsourced• Strategic shift in cybercrime organizations means our

attention must shift• Ask the right questions of vendors and service providers

• Seek the right answers• Engage is shared testing exercises• Invest in the Culture of Know

Thank You

John H. Rogers, CISSPDirector of Advisory Services

E: [email protected]: (207) 781-2260 Ext. 2338

Copyright Sage Data Security 2019© All Rights Reserved

Documents

Moving to Cloud Services - Maine Bankers Association...Heroku, Coursera, Bitbucket, Autodesk's cloud, Twilio, Mailchimp, Citrix, Expedia, Flipboard, and Yahoo! Mail Readers also reported