Moving to Cloud Services: Cyber Security Considerations
Copyright Sage Data Security 2019© All Rights Reserved
Agenda
Cloud Services Defined
Catastrophic Failures
Risks & Rewards of Cloud Sourcing
Concentration & Reverse Concentration Risk
Cyber Criminal Case Studies
Cloud Service Provider Assessment & Testing
Agenda
Cloud Services Defined
Cloud Services Defined
SaaS – You rent a car or truck. No modifications, what you rented is what you get. If it stops working they give you a new one. You often pay based on how far you go and how much gas you used. Terms and conditions apply.
PaaS – You lease a car or truck. You can use it and modify it the way you need it to be. Terms and conditions apply - you break it, you own fixing it.
IaaS – You want to build your own car from parts. Some parts you make yourself and others you buy. You need your own machine shop and garage. You rent the garage to get started.
Hybrids – Not purely one model, all models are theoretical in any case. Your system will likely be a blend.
IaaS (Rent-a-Garage)
This model works best for organizations that have Infrastructure and Network Engineers. The on-premise resources become too demanding and expensive to manage. Parts break, warranties expire, space runs out.
Team transitions to managing the same classes of resources remotely in someone else’s “garage”. Most, if not all, resources will be Virtual. Garage owner is responsible for keeping the lights on, lifts lifting, and those fancy air compression pumps running.
Cloud Services Defined
PaaS (Lease-a-Car)
This model works best for organizations that have Application Engineers and a dedicated programming shop. The on-premise resources cannot keep up with demands for faster performance, more storage, and faster updates to infrastructure. Improvements are curtailed by the capital cost of upgrades.
Team transitions to clicking a button to get resources added. New servers, additional storage, faster processing. Upgrades of resources are a financial issue and not an organizational road block. When you break something in this environment it is all on you.
Cloud Services Defined
SaaS (Rent-a-Car)
This model works best for organizations that have no interest in directly maintaining a business solution. They just want a solution they can use that solves a business need.
An example is email. Exchange is a complicated and expensive business solution. Under the covers it requires a lot of engineering and design to work correctly. Issues of performance and storage are common with on premise implementations. The business just wants email messaging to work smoothly and be reliable.
Cloud Services Defined
SaaS
Oh – and all those neat and useful email features, we want those now.
Encryption – yes
Journaling – yes
Spam bullet proofing – yes
Phishing protections – yes
Shared calendars – yes
Group messaging – yes
Add instant message and faxing and voicemail and and and……
SaaS allows you to check a box.
Cloud Services Defined
SaaS
So much easier to pick out the car that has all the features you may want and just pay for how much you use it.
Which piece do you want and how much of it today?
Cloud Services Defined
Cloud Services Accountability
Things to keep in mind
Vendors providing these services have had spectacular failures. In some cases the clients were put out of business. In other cases the Vendor went out of business. In the worst case both things happen.
• What is your contingency for protecting the data stored in the Cloud?
• What is your contingency for retrieving the data stored in the Cloud?
• What happens when the contract ends?
Agenda
Catastrophic Failures
Cloud Services – Catastrophic Failures
February 2019:
• VFEmail wiped out 2019.
• 18 Years of Customer Email
• This isn’t the first time criminals have targeted VFEmail. In 2015 it suffered a debilitating distributed denial-of-service (DDoS) attack after declining to pay a ransom demand from an online extortion group.
• Another series of DDoS attacks in 2017 forced VFEmail to find a new hosting provider.
Krebsonsecurity.com
March 2017:
• Amazon S3 Service Disruption in the Northern Virginia (US-EAST-1) Region
• Websites, backups, apps, security cams, IoT gear
• Five-hour disruption was so bad, Amazon couldn't even update its own AWS status dashboard: its red warning icons were stranded, hosted on the broken-down side of the cloud.
Cloud Services – Catastrophic Failures
www.theregister.co.uk
March 2017 Impacted Sites:
• Docker's Registry Hub, Trello, Travis CI, GitHub and GitLab, Quora, Medium, Signal, Slack, Imgur, Twitch.tv, Razer, heaps of publications that stored images and other media in S3, Adobe's cloud, Zendesk, Heroku, Coursera, Bitbucket, Autodesk's cloud, Twilio, Mailchimp, Citrix, Expedia, Flipboard, and Yahoo! Mail.
• Readers also reported that Zoom.us and some Salesforce.com services were having problems, as were Xero, SiriusXM, and Strava.
Cloud Services – Catastrophic Failures
www.theregister.co.uk
• How Canada’s Biggest Bitcoin Exchange Lost it All.
• $190 Million in Crypto Gone Forever.
• CEO of Quadriga, a cryptocurrency exchange, died without sharing the password to the storage wallets.
Cloud Services – Catastrophic Failures
Agenda
Risks & Rewards of Cloud Sourcing
Risks
• Lack of transparency into actual control environment.
• Loss of internal control.
• Potential loss of “Institutional Memory” of critical services delivery.
• Reliance on agreements, often significantly weighted toward CSP.
• Out of sight, out of mind.
• Tendency to think risk and accountability are outsourced.
• Failure to implement adequate Complementary User Controls.
Cloud Services Risks & Rewards
Rewards
• Augmentation of capabilities and expertise.
• Reduced risk of personnel shortages.
• Reduced risk of skills deficits.
• Contractual leverage for service delivery.
• Infrastructure resilience.
• Monthly expenses over capital purchases.
• Someone else upgrades and updates.
Cloud Services Risks & Rewards
Agenda
Concentration & Reverse Concentration Risk
Concentration Risk
“An increasing concentration risk corresponds to financial institutions' increased use of third-party service providers. That, in conjunction with industry consolidation, has resulted in fewer, more specialized TSPs providing services to larger numbers of financial institutions. This trend increases the potential impact of a scenario in which a TSP is required to support recovery services to large numbers of financial institutions due to a widespread disaster...”
*Appendix J – IT Examiners Handbook – Business Continuity
Concentration Risk
• Move to use cloud SaaS and IaaS providers provides attractive attack vector
• One to many
• Simultaneous attack on vendor and customer(s)
• Office 365 / Azure
• AWS
• Core System providers
• “Monoculture” concept of vulnerability
• Shared similar or same infrastructure
• One key picks one lock – shared by many doors
Concentration Risk
• Using single or few providers to provide majority of services
• This is reality – don’t make good the enemy of best
Reverse Concentration Risk
• Risk realized when multi-client provider is compromised, and all client customers are downstream
• …or a software vendor’s source code is compromised and then distributed in compromised state to customers/clients.
• Represents a clear strategic shift in cybercrime organizations.
• Case study: Magecart
Agenda
Cyber Criminal Case Studies
Case Study: NotPetya
• In 2015 and 2016, a group of Russian agents known as Sandworm was hacking into dozens of Ukrainian governmental organizations and companies.
• They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data.
• In the winters of both years, they caused widespread power outages—the first confirmed blackouts induced by hackers.
http://www.wired.com
Case Study: NotPetya
• In the spring of 2017, Russian military hackers hijacked the company’s update servers to allow them a hidden back door into the thousands of PCs around the country and the world that have
• In June 2017, the saboteurs used that back door to release a piece of malware called NotPetya, their most vicious cyberweapon yet.
• Eternal Blue – penetration tool (a patched Windows vulnerability)
• Mimikatz – memory scraper for passwords
• Infect unpatched computers, then use Mimikatz to compromise patched computers
• NotPetya resembled ransomware “Petya”, but was not ransomware.
• Purely destructive goal
http://www.wired.com
Case Study: Wolverine Solutions Group
• Healthcare Billing Services Vendor
• More than 600,000 Michigan residents may have had their information compromised in the breach at Detroit-based Wolverine Solutions Group, according to a statement from Michigan Attorney General Dana Nessel and Anita Fox, director of the state's department of insurance and financial services.
https://www.healthcareinfosecurity.com
Case Study: Wolverine Solutions Group
• Clients Include:
• Blue Cross Blue Shield of Michigan
• Health Alliance Plan
• McLaren Health Care
• Three Rivers Health
• North Ottawa Community Health System
https://www.healthcareinfosecurity.com
Case Study: Wolverine Solutions Group
• Data Exposed:
• Names
• Addresses
• Phone numbers
• Dates of birth
• Social Security numbers
• Insurance contract information
• Medical information
https://www.healthcareinfosecurity.com
Case Study: Wolverine Solutions Group
• Ransomware:
• "On approximately Sept. 25, 2018, WSG discovered that an unauthorized party gained access to its computer system and infected the system with malware. The malware encrypted many of WSG's records, which made them inaccessible, in an effort to extort money from us," the company says.
https://www.healthcareinfosecurity.com
Case Study: Wolverine Solutions Group
• Disclose the Breach?
• The Office for Civil Rights (OCR) ransomware guidance
• Consider lack of availability when determining whether an incident is a reportable breach.
• No consensus on how much weight this factor should be given.
• Organizations come to very different conclusions regarding whether a ransomware incident, where evidence indicates no exfiltration of data, is reportable.
• "Most PHI ransomware cases need to be treated as a HIPAA breach, unless forensic examination clearly shows no data exfiltration," Kate Borten, president of The Marblehead Group
https://www.healthcareinfosecurity.com
Case Study: Wolverine Solutions Group
• Disclose the Breach?
• “Having logged events to refer back to can help determine the likelihood of a breach due to ransomware. Reviewing firewall logs can help identify if ransomware exfiltrated data.”
• "Data-exfiltrating malware often extracts sensitive information over outbound encrypted channels. Without the necessary inspection in place, an organization may not be able to tell what specific information may have been exfiltrated."
https://www.healthcareinfosecurity.com
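The slide above says firewall logs can help decide whether ransomware exfiltrated data. As an added illustration, not part of the original deck, here is the kind of review a responder would script over those logs: aggregate allowed outbound flows from internal hosts to external destinations, and surface host/destination pairs that sent far more than they received, which is the shape of a bulk upload rather than normal browsing. The key=value log format, the addresses, the volumes and the thresholds are all constructed for this example; a real engagement would use the device's actual export format and volume baselines from the environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One generic key=value line per flow. Format and values are constructed for
# this example; they are not from any real firewall or from the WSG incident.
SAMPLE_LOG = """\
2018-09-24T01:14:51 action=allow src=10.20.5.17 dst=198.51.100.9 dport=443 proto=tcp bytes_out=904213 bytes_in=1800
2018-09-24T01:15:40 action=allow src=10.20.5.17 dst=198.51.100.9 dport=443 proto=tcp bytes_out=1230004 bytes_in=2100
2018-09-24T01:17:02 action=allow src=10.20.5.17 dst=198.51.100.9 dport=443 proto=tcp bytes_out=2201911 bytes_in=1950
2018-09-24T01:18:30 action=allow src=10.20.5.17 dst=10.20.8.2 dport=445 proto=tcp bytes_out=5500000 bytes_in=120000
2018-09-24T01:19:11 action=deny src=10.20.5.17 dst=192.0.2.77 dport=22 proto=tcp bytes_out=0 bytes_in=0
2018-09-24T10:12:03 action=allow src=10.20.5.17 dst=203.0.113.44 dport=443 proto=tcp bytes_out=18231 bytes_in=420100
2018-09-24T10:14:51 action=allow src=10.20.5.30 dst=203.0.113.10 dport=443 proto=tcp bytes_out=9120 bytes_in=310044
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes_out=(?P<out>\d+) bytes_in=(?P<inb>\d+)$"
)

# The organization's own address space (assumed RFC 1918 here). Membership is
# checked explicitly rather than via ipaddress.is_private, because Python also
# treats the documentation ranges used in the sample as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_lines(text):
    """Turn matching log lines into flow records; lines in another format are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "bytes_out": int(m["out"]),
            "bytes_in": int(m["inb"]),
        })
    return flows


def review_egress(flows, min_bytes=1_000_000, min_ratio=10.0, encrypted_ports=(443,)):
    """Sum allowed internal->external flows per (src, dst, port) and flag pairs whose
    outbound volume is large and upload-dominated. Thresholds are placeholders."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "flows": 0, "off_hours": 0})
    for f in flows:
        if f["action"] != "allow" or not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # denied traffic and internal-to-internal flows are not egress
        t = totals[(str(f["src"]), str(f["dst"]), f["dport"])]
        t["bytes_out"] += f["bytes_out"]
        t["bytes_in"] += f["bytes_in"]
        t["flows"] += 1
        if not 7 <= f["ts"].hour < 19:  # assumed business hours 07:00-19:00
            t["off_hours"] += 1
    findings = []
    for (src, dst, dport), t in sorted(totals.items()):
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)
        if t["bytes_out"] >= min_bytes and ratio >= min_ratio:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "bytes_out": t["bytes_out"], "upload_ratio": round(ratio, 1),
                "flows": t["flows"], "off_hours_flows": t["off_hours"],
                "encrypted": dport in encrypted_ports,
            })
    return findings


if __name__ == "__main__":
    for finding in review_egress(parse_lines(SAMPLE_LOG)):
        print(finding)
```

A hit from this review is a lead for the forensic examination the slide's quote calls for, not proof of exfiltration: the log shows volume and destination only, and as the next quote on the slide notes, without inspection of the encrypted channel it cannot show what left.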
Case Study: Who is Magecart?
• Massive digital credit card-skimming campaign affecting over 800 e-commerce sites world-wide.
• Ticketmaster – multiple sites compromised.
• Third-party vendor to Ticketmaster, Inbenta’s code was compromised.
• SQL and JavaScript injection attacks are their primary weapons.
• The instances observed in which Inbenta’s custom JavaScript scripts for Ticketmaster had been wholly replaced with Magecart skimmers indicate that Inbenta was breached.
• British Airways – 40,000 compromised.
Case Study: Who is Magecart?
www.riskiq.com
“Even more disturbing, the Ticketmaster breach demonstrates that the Magecart actors are continuing to refine their techniques and get better at target selection. Previously, they compromised individual websites and added new Javascript or links to remote Javascript files, but they seem to have gotten smarter—rather than go after websites, they’ve figured out that it’s easier to compromise third-party suppliers of scripts and add their skimmer.”
Case Study: Who is Magecart?
www.riskiq.com
“To give you an idea of the targets the Magecart actors are after, here is another third-party supplier that is, as of this writing, affected by the Magecart skimmer. This supplier, known as PushAssist, provides analytics for websites, similar to Google Analytics. Their server has been breached and is still serving analytics with the Magecart skimmer. The service boasts having over 10 thousand websites using its analytics platform”
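The Magecart slides describe a supplier's script being replaced in place, at the same URL, so the site embedding it never notices. As an added example that is not from the deck or from RiskIQ, here is the defender-side check: record a hash of each third-party script body when it is reviewed, emit that hash as a Subresource Integrity (SRI) `integrity` attribute so the browser refuses a changed body, and re-compare what the supplier currently serves against the reviewed baseline. SRI is a standard browser feature; the supplier URLs and script bodies below are constructed stand-ins.

```python
import base64
import hashlib

# Constructed script bodies standing in for a third-party supplier's scripts as
# reviewed (baseline) and as served later (observed). Not real vendor code.
BASELINE_SCRIPTS = {
    "https://scripts.example-supplier.test/chat.js":
        b"(function(){window.chatWidget={open:function(){/* ... */}};})();",
    "https://analytics.example-supplier.test/a.js":
        b"(function(){window.track=function(e){navigator.sendBeacon('/collect',e)};})();",
}
OBSERVED_SCRIPTS = {
    "https://scripts.example-supplier.test/chat.js":
        BASELINE_SCRIPTS["https://scripts.example-supplier.test/chat.js"],
    # Same URL, different body: the situation the slides describe.
    "https://analytics.example-supplier.test/a.js":
        b"(function(){window.track=function(e){/* changed */};})();",
    # A script that was never reviewed at all.
    "https://cdn.example-supplier.test/new.js": b"console.log('new');",
}


def sri_hash(content, algo="sha384"):
    """Return the SRI token for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url, content):
    """Build the <script> tag that pins the reviewed body; a body with a
    different hash is rejected by the browser rather than executed."""
    return (f'<script src="{url}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def compare_scripts(baseline, observed):
    """Classify every URL in either inventory as unchanged, changed, missing or unreviewed."""
    report = {}
    for url in sorted(set(baseline) | set(observed)):
        if url not in observed:
            report[url] = "missing"
        elif url not in baseline:
            report[url] = "unreviewed"
        elif sri_hash(observed[url]) != sri_hash(baseline[url]):
            report[url] = "changed"
        else:
            report[url] = "unchanged"
    return report


if __name__ == "__main__":
    for url, body in BASELINE_SCRIPTS.items():
        print(script_tag(url, body))
    for url, status in compare_scripts(BASELINE_SCRIPTS, OBSERVED_SCRIPTS).items():
        print(f"{status:10s} {url}")
```

The limitation is the one the slides imply: pinning only works for scripts whose body does not change between reviews, and a supplier that pushes frequent updates cannot be pinned, so the inventory comparison and the vendor questions later in the deck become the fallback control.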
Agenda
Cloud Service Provider Assessment
What To Know
Software Development Lifecycle (SDLC)
• How much do you know about your vendor’s SDLC controls? Here are some key questions to ask:
• Are the developers trained in secure coding practices?
• How are test and development networks segregated?
• What segregation of duties controls are in place between development and test environments?
• Where is source code stored and what extra protections are applied?
• What security testing is performed at each development stage, and against the final versions?
• What is the remediation practice to mitigate findings from testing engagements?
• What detective controls are in place, such as activity and access reviews?
What To Know
Malware-Proof Replication
• Considering the success of advanced ransomware variants capable of finding and infecting backup storage locations, we need to know that backup and replication functions are specifically engineered to prevent and detect malware compromise of data at rest. Some questions to consider:
• What are the “air-gap” controls applied to replicated data stores?
• How often are backups and replicated virtual environments tested for integrity?
• How often are these environments security tested?
• What are the detective controls applied to these stores and environments?
What To Know
Multifactor Authentication (MFA)
• Unfortunately, there are still many examples of single-factor remote access in the community banking sector. From Office 365 to critical banking systems, we are still writing frequent findings in this control area. It’s worth noting that there is some confusion over what constitutes MFA. True MFA consists of multiple active challenges to the user attempting access. Installed certificates and IP Restriction are great controls, but they are not examples of MFA. I’ll address them in the next section.
• MFA includes:
• Something you know.
• Something you have.
• Something you are.
• In each of these three components of MFA, the “you” refers to a challenge to the active user, not a computer or user account.
• Does your service provider allow single-factor remote access to its information systems and resources by its employees? Do employees at your TSPs with Administrator privilege use MFA for all access, and do they use separate accounts for daily activities that don’t require elevated privilege?
What To Know
Multi-Layer Authentication
• User-based digital certificates installed on laptops and tablets are excellent multi-layer authentication controls.
• Not MFA: the certificates are associated with the user account and don’t actively require an action from a user, once installed.
• IP Restriction is a great multi-layer control.
• No active challenge to the user, but rather, a coded challenge to the device’s IP Address of origin, at work.
What To Know
Personnel at CSP
• Experience and Expertise
• Certifications and Qualifications
• Workforce-to-Customer Ratios
What To Know
Redundancy & Resilience
• Data Center replication
• Data Center Geo-location
• Backups
• 4th-party sub-service providers?
What To Do
Assess the Risk:
• Consume SOC reports, but don’t stop there.
• Consume all independent security testing and audit reports
• Always request your own security testing
• Read CSP policies and program documents
• Engage in co-continuity and DR testing
• At minimum, consume internal COOP and DR test reports
• Engage in co-IRP testing
• At minimum, consume internal IRP testing reports
• Understand IR procedures
• Notification of incidents
• Notification of new vulnerabilities
• Speak with clients and customers
Recap
• Know the distinctions
• SaaS, IaaS, PaaS
• Decide the best course for you, a blend is likely
• Stay vigilant, risk cannot be outsourced
• Strategic shift in cybercrime organizations means our attention must shift
• Ask the right questions of vendors and service providers
• Seek the right answers
• Engage in shared testing exercises
• Invest in the Culture of Know
Thank You
John H. Rogers, CISSP
Director of Advisory Services
E: [email protected]
(207) 781-2260 Ext. 2338