Yury Chemerkin Deepintel 2013
EXPERIENCED IN:
REVERSE ENGINEERING & AV
SOFTWARE PROGRAMMING & DOCUMENTATION
MOBILE SECURITY AND MDM
CYBER SECURITY & CLOUD SECURITY
COMPLIANCE & TRANSPARENCY
FORENSICS AND SECURITY WRITING: HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA
PARTICIPATION AT CONFERENCES: INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCONMOSCOW, HACTIVITY, HACKFEST, CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, ICITST, CTICON (CYBERTIMES), ITA, I-SOCIETY
I. Opinions & Facts
Cloud Issues (Known Issues vs. Known Solutions/Opinions)
Threats: Customization, security solutions
Privacy: Crypto anarchism
Compliance: CSA, ISO, PCI, SAS 70
Legal: Typically US Location
Vendor lock-in: Platform, Data, Tools Lock-In
Open source / Open standards: Top clouds are not open-source
Security: Private clouds are considered more secure than Public
Abuse: Botnets and Malware Infections/Misuse
IT governance: Depends on organization needs
Ambiguity of terminology: Reference to a wide range of services, solutions, etc.
What is about Public Clouds
Some known facts about AWS & Azure in relation to the issues mentioned above
Top clouds are not OpenSource
OpenStack is API-compatible with Amazon EC2 and Amazon S3, and thus client applications written for AWS can be used with OpenStack with minimal porting effort, while Azure is not
Platform lock-in
There are Import/Export tools to migrate from/to VMware, while Azure doesn’t have them
Data Lock-in
Native AWS solutions linked with Cisco routers for upload, download and tunneling, as well as 3rd party storage like SMEStorage (AWS, Azure, Dropbox, Google, etc.)
Tools Lock-in
Longing for inter-cloud management tools that are industrial and built with compliance
APIs Lock-In
Longing for inter-cloud APIs; however, there were known inter-OS APIs for PC, MDM, Mobiles, etc.
No Transparency
Weak compliance and transparency due to SAS 70 and NDA relationships between the cloud vendor and third party auditors and experts
Abuse
Abusing is not a new issue and is everywhere
AWS Vulnerability Bulletins as a kind of quick response and stay tuned
Clouds: Public vs. Private
Known security issues of Public Clouds and significant research on them as a POC
"All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd CCSW, October 2011
A black box analysis methodology of AWS control interfaces compromised via XSS techniques, HTML injections, MITM
[AWS] :: “Reported SOAP Request Parsing Vulnerabilities”
Utilizing SSL/HTTPS only with certificate validation and utilizing API access mechanisms like REST/Query instead of SOAP
Activating access via MFA and creating IAM accounts limited in access, AWS credentials rotation enhanced with Key pairs and X.509
Limiting IP access enhanced with API/SDK & IAM
“The most dangerous code in the world: validating SSL certificates in non-browser software”, 19th ACM Conference on Computer and Communications Security, October 2012
Incorrect behavior in the SSL certificate validation mechanisms of the AWS SDK for EC2, ELB, and FPS
[AWS] :: “Reported SSL Certificate Validation Errors in API Tools and SDKs”
Despite that, AWS has updated all SDKs (for all services) to redress it
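An added example (not from the talk) of the last three controls on this slide expressed as an IAM user policy: read-only EC2 access, allowed only with MFA and only from an assumed office range, plus a small evaluator modelling IAM's deny-overrides logic. The policy text, the 203.0.113.0/24 range and the evaluator are constructed here; `aws:SourceIp`, `aws:MultiFactorAuthPresent` and `BoolIfExists` are real IAM condition keys and operators.

```python
# Added example, not from the talk: an IAM user policy combining the slide's
# controls (MFA, IAM accounts limited in access, IP restriction) plus a small
# evaluator modelling IAM's deny-overrides logic. 203.0.113.0/24 is a placeholder.
import fnmatch
import ipaddress

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # read-only EC2 calls, only from the office range, only with MFA
            "Sid": "Ec2ReadOnlyFromOfficeWithMfa",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                          "Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {   # explicit deny without MFA; BoolIfExists matters because requests
            # signed with long-term access keys carry no MFA key in the context
            "Sid": "DenyWithoutMfa",
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

def _cond_ok(cond, source_ip, mfa):
    """Evaluate the condition operators used in POLICY. mfa is True/False when
    aws:MultiFactorAuthPresent is in the request context, None when absent."""
    for op, keys in cond.items():
        for value in keys.values():  # each operator carries one key here
            if op == "IpAddress":
                addr = ipaddress.ip_address(source_ip)
                if not any(addr in ipaddress.ip_network(n) for n in value):
                    return False
            elif op == "Bool" and (mfa is None or str(mfa).lower() != value):
                return False
            elif op == "BoolIfExists" and mfa is not None and str(mfa).lower() != value:
                return False
    return True

def is_allowed(action, source_ip, mfa, policy=POLICY):
    """Explicit Deny wins, then an Allow must match, else implicit deny."""
    hits = [s for s in policy["Statement"] if _cond_ok(s.get("Condition", {}), source_ip, mfa)
            and any(fnmatch.fnmatchcase(action, p) for p in s["Action"])]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)
```

The `None` case shows why the deny statement uses `BoolIfExists`: with plain `Bool`, a request signed with long-term access keys (no MFA key in the context) would not be denied.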
Clouds: Public vs. Private
It is generally known that private clouds are the most secure, but there is no POC to prove such a statement about public clouds
[AWS] :: “Xen Security Advisories”
There are known Xen attacks (Blue Pill, etc.)
No Xen vulnerability has been applied to AWS, Azure or SaaS/PaaS services; besides, these are very customized clouds
[CSA] :: “CSA The Notorious Nine Cloud Computing Top Threats in 2013”
Replaced a document published in 2009
Such best practices provide only a least (minimum) level of security
No significant changes since 2009, even the examples
Top Threats Examples
“1.0. Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract Private Keys”
“7.0. Threat: Abuse of Cloud Services // Cross-VM Side Channels and Their Use to Extract Private Keys”
“4.0. Threat: Insecure Interfaces and APIs”
Reality of CSA Threats
1.0 & 7.0 cases highlight how public clouds, e.g. AWS EC2, are vulnerable
1.0 & 7.0 cases are totally focused on a private cloud case (VMware and Xen), while there is no known way to adapt it to AWS
4.0 case presents issues raised by SSO access, not related to public clouds (except Dropbox, SkyDrive), and addressed to insecurity of APIs
II. CSA Framework
[ Diagram: CSA Framework ]
Cloud Model
Basic Security Model
Enhanced Security Model
Compliance Model
CSA CAIQ, CSA Mapping, CCM
III. NIST Framework
NIST Framework
Complementarity
NIST Enhanced Control
Your own security control
Interchangeability
Replacing basic controls by enhanced controls
Expansibility
Impact or support the implementation of a particular security control or control enhancement
Your own way to improve a framework
Mapping (NIST, ISO only)
NIST->ISO
ISO->NIST
NIST->Common Criteria (rev4 only)
NIST Framework
Interchangeability
[ Diagram: BES 10 / BES 5 ]
Device Platform: Android, iOS
Unified Management
Office integration: Office, Office365, Cisco/VoIP
IV. Cloud & Compliance Specific
Cloud & Compliance Specific
CAIQ/CCM provides the equivalent of recommendations over several standards; CAIQ provides more details on security and privacy, but NIST is more specific
CSA recommendations are poor in technical details
It helps vendors not to have their solutions worked out in detail and/or badly documented
It helps them to put a lot of references on 3rd party reviewers under NDA (SOC 1 or SAS 70)
Bad idea to let vendors fill in such documents
They provide fewer public details
They take it to NDA reports
Vendors’ general explanations multiplied by general standards recommendations are extremely far away from transparency
Clouds call for specific levels of audit logging, activity reporting, security controlling and data retention
It is often not a part of the SLA offered by providers
It is outside recommendations
AWS often goes into detail with their architecture documents
AWS solutions are very well placed to be in compliance with old standards and specific local regulations
NIST 800-53, or even Russian security standards (however the Russian framework is outside the cloud framework)
Compliance: from Cloud Vendor’s viewpoint
Compliance, Transparency, Elaboration
Description | DIFFERENCE (AWS vs. AZURE)
Third Party Audits | As opposed to AWS, Azure does not have a clearly defined statement whether their customers are able to perform their own vulnerability test
Information System Regulatory Mapping | AWS goes into detail to comply with it, which results in differences between CAIQ and CCM
Handling / Labeling / Security Policy | AWS goes into detail on what customers are allowed to do and how exactly, while Azure does not
Retention Policy | AWS points to the customers’ responsibility to manage data, excluding moving between Availability Zones inside one region; Azure ensures validation and processing with it, and indicates data historical auto-backup
Secure Disposal | Not seriously; AWS relies on DoD 5220.22 additionally, while Azure does NIST 800-88 only
Information Leakage | AWS relies on AMI and EBS services, while Azure does on integrity data
Policy, User Access, MFA | No, both have
Baseline Requirements | AWS provides more highly detailed how-to docs than Azure, allows to import trusted VM from VMware, Azure
Encryption, Encryption Key Management | AWS offers encryption features for VM, storage, DB, networks, while Azure does for XStore (Azure Storage)
Vulnerability / Patch Management | AWS allows their customers to ask for their own pentest, while Azure does not
Nondisclosure Agreements, Third Party Agreements | AWS highlights that they do not leverage any 3rd party cloud providers to deliver AWS services to the customers. Azure points to the procedures, NDA undergone with ISO
User ID Credentials | Besides the AD (Active Directory), the AWS IAM solution is in alignment with both CAIQ and CCM requirements, while Azure addresses the AD to perform these actions
(Non)Production environments, Network Security | AWS provides more detailed how-to documents for having compliance
Segmentation | Besides vendor features, AWS provides a quite similar mechanism in alignment with CAIQ & CCM, while Azure points to features built into infrastructure on the vendor side
Mobile Code | AWS points their clients to be responsible to meet such requirements, while Azure points to build solutions tracked for mobile code
Compliance: from CSA’s viewpoint
Examination of CSA
[ Android. Permission Groups ]
But there are only 30 permission groups; I have seen that on old BlackBerry devices too
There are 55 groups controlled in all
Each group contains from 10 to 30 units that are controlled too
Each unit is under a lot of flexible params instead of a simple ‘disable/enable & hide/unhide’ way
Each event is only controlled by a certain permission, allowed to be controlled by similar permissions to be more flexible
Described in 360 pages in all, four times more than other documents

Each unit can’t control activity under itself
‘Create, read, write/save, send, delete’ actions in regards to messages lead to spoofing by requesting a ‘message’ permission
Some permissions aren’t required (to delete any other app)
Some permissions are related to the app which a 3rd party plugin was embedded in, instead of that plugin
CONCLUSION
The best Security & Permissions are ruled by AWS
Most cases are not clear according to the roles and responsibilities of cloud vendors & customers
Swapping responsibilities and shifting the vendor’s job onto the customer’s shoulders may happen
Referring to independent audit reports under NDA as many times as they can
CSA puts cross references to other standards that impact on complexity & lack of clarity more than NIST SP800-53
[ Diagram labels: Select Security Controls; CSA; Check Scope; Define Granularity; NIST; Remap to NIST enhanc. ]