You are on page 1of 34

lleasaot Sk|es ot Gatlet|oq Stotm

1le GooJ aoJ lv|l o[ Secot|ty Setv|ces |o tle ClooJ
Adum ColdsLeln - l1 SecurlLv Lnglneer, LurLmouLh College
Rvun Speers ÷ LurLmouLh Cluss of zo±±, CSl Member, lASP
Rlckv Melgures ÷ LurLmouLh Cluss of zo±±, CSl Member
Securlng Lhe eCumpus - 1ulv z8,zooo
uattmootl Cybet-Secot|ty lo|t|at|ve (CSl)
· 1he CSl ls ongolng colluboruLlon beLween fuculLv,
sLuff, und sLudenLs
· locused on pro|ecLs ulmed uL lmprovlng Lhe
securlLv of Lhe College's lnformuLlon svsLems.
· CoordlnuLes reseurch lnLeresLs wlLh prucLlcul
· SLudenL purLlclpunLs ln lusL veur:
÷ 6 undergruduuLes (CS und 1huver)
÷ z MusLers sLudenLs (CS und 1huver)
÷ ¸ PhL cundlduLes (CS)
Cotteot CSl ltojects
· ClSCO CrlLlcul lnformuLlon Assurunce
Croup: NeLwork SecurlLv Lub
· Publlc compuLlng und prlvucv
· PKl Pollcles ln Lhe LnLerprlse
· °Achlllesº vulnerublllLv AssessmenL
· NeLflow proflllng und unulvsls
· Cloud CompuLlng securlLv
lteseotat|oo Ootl|oe
· Overvlew
÷ LeflnlLlons
÷ lnLeresL
÷ Approuch
· 1esL Process und llndlngs
· °Mul-Usersº ln Lhe Cloud
· Rlsk Lo CusLomers
· RecommenduLlons und NexL SLeps
ClooJ Compot|oq- ue[|o|t|oos
· SofLwure us u Servlce (SuuS)
÷ Coogle Apps,, HosLed MS Lxchunge
· PluLform us u Servlce (PuuS)
÷ Coogle App Lnglne, MS Azure,
· Infrasctucture as a 5ervice (Iaa5)
÷ Amazon ECz
÷ Rackspace C|oud
÷ GoGrid
Secot|ty Setv|ces |o tle ClooJ- Wly
· Cenerul depurLmenL lnLeresL ln reseurchlng
luuS (e.g. lL's cheup)
· Munv securlLv °servlcesº could be good
cundlduLes for Lhe cloud
÷ Onlv needed for u shorL Llme
÷ NoL needed zil,
÷ NoL mlsslon-crlLlcul
÷ LlmlLed senslLlve duLu*
ClooJ lt|c|oq (1oly zooo)
Rackspace :RAM Hourly Monthly
256MB $0.015 $10.95
512MB $0.03 $21.90
1024 MB $0.06 $43.80
2048 MB $0.12 $87.60
Amazon EC2 :RAM/CPUs Hourly Monthly
1.7GB/1 $0.10 $72.00
1.7GB/5 $0.20 $144.00
7.5GB/4 $0.40 $288.00
7GB/20 $0.80 $576.00
Secot|ty Setv|ces |o tle ClooJ:
· LxLernul vulnerublllLv scunnlng und
peneLruLlon LesLlng
· LxLernul servlce monlLorlng
· AppllcuLlon und sofLwure evuluuLlon
· SecurlLv Lool Lrulnlng
· lncldenL response
ClooJ Setv|ces ÷ 1est|oq llao
· SeL up uccounLs for followlng servlces
÷ Ruckspuce Cloud
÷ Amuzon LCz
÷ CoCrld
· 1esLs
÷ Scunnlng
÷ vulnerublllLv AssessmenL
÷ Uploud cupublllLles
Secot|ty Setv|ces |o tle ClooJ:
Acceptable use lol|c|es
· ln generul, problng vour own svsLems from
Lhe cloud ls ullowed
· MosL AUP's prevenL problng Lhe cloud
servlces wlLhouL expllclL consenL from Lhe
Acceptable use lol|c|es:
· Ruckspuce Cloud:
“Unauthorized access to or use of data, systems or networks, including any
attempt to probe, scan or test the vulnerability of a system or network or to
breach security or authentication measures without express authorization
of the owner of the system or network”
· Amuzon LCz:
“You may make network connections from Amazon EC2 hosted servers to
other hosts only with the permission and authorization of the destination
hosts and networks. Examples of unacceptable network traffic include:
• Unauthorized probes and port scans for vulnerabilities.
• Unauthorized penetration tests, traffic that circumvents authentication
systems or other unauthorized attempts to gain entry into any
Acceptable use lol|c|es:
1est|oq aqa|ost tle ClooJ
· Ruckspuce AUP:
“You may not attempt to probe, scan, penetrate or test the
vulnerability of a Rackspace Cloud system or network
or to breach the Rackspace Cloud's security or
authentication measures, whether by passive or
intrusive techniques, without the Rackspace Cloud's
express written consent.”
1est l|oJ|oqs - Scaoo|oq
· ConducLed NMAP scuns of boLh
LurLmouLh LuLu CenLers
· Cloud provlders dld noL block scuns or rulse
ulerLs on Lhe ucLlvlLv
1est l|oJ|oqs ÷ Scaoo|oq (z)
· 8efore whlLellsLlng on our lPS: 8o± hosLs
scunned ln ¸o seconds
· AfLer whlLellslLlng:
÷ lzz subneLs (±ozi hosLs) uveruged ¸¸ seconds
÷ Mux rLL LlmeouL of ±ooms produced uccuruLe
1est l|oJ|oqs ÷Scaoo|oq (,)
· Used scun resulLs Lo creuLe u °llrewull
· Compurlng open porLs wlLh flow duLu Lo
muke flrewull recommenduLlons
· lnLernul scunner sLlll needed Lo LesL prlvuLe
1est l|oJ|oqs ÷ voloetab|l|ty Scaoo|oq
· CompuLlng Servlces rouLlnelv conducLs
vulnerublllLv scuns from un lnLernul server
· Sume scuns were conducLed from Lhe Cloud
· Aguln, no blocks or ulerLs were generuLed from
Lhe vendor
· LxplolL Lools were ulso lnsLulled on Lhe Cloud
1est l|oJ|oqs ÷ voloetab|l|ty Scaoo|oq (z)
· Scun of zoo servers
· AlmosL ¸o,ooo posslble LesLs per hosL
· CompleLed ln 6 mlns. ¸6s
Scaoo|oq [tom tle ClooJ- Cost Aoalys|s
· CurrenL dedlcuLed scunnlng server: s±¸ol
monLh hurdwure ÷ uddlLlonul cosLs
(buckup, power, coollng)
· Move Lo LurLmouLh vlrLuul Muchlne: s,8l
· HosL ln Lhe Cloud:
÷ Amuzon LCz: s±zlmonLh
÷ RuckSpuce Cloud: s,.zolmonLh
1est|oq ÷ uploaJ Capab|l|t|es
· lnLeresLed ln uslng Lhe Cloud for lncldenL
response und dlglLul forenslcs
÷ Processlng power
÷ Sculuble
÷ Onlv puv us-needed
· 1esLed uploud cupublllLles of Cloud servlces
· z¸o kbps wus besL we uchleved
· lnudeouuLe for drlve lmuge uplouds
Gatlet|oq Stotm?
lf Lhe Cloud cun be used for good, cun lL ulso
be used for evll?
Appeal o[ tle ClooJ to "Mal-osets´
· Whv use Lhe Cloud for mullclous
÷ Cheup
÷ Powerful
÷ 1emporurv svsLems
÷ WlLh fruud un lncreuslng moLlvuLor of °mul-
usersº, less sklll or lnLeresL ln compromlslng
÷ Anonvmous?
Access to tle ClooJ
· Onlv u vulld credlL curd und e-mull uddress
ure reoulred Lo seL up u cloud server.
· Servers ure conLrolled vlu web-console und
SSH. Lusv Lo uccess Lhrough 1or or un
· SLeullng Amuzon credenLluls cun ullow u
mul-user Lo seL up Cloud servers.
Cleap lowet
· Uslng own eoulpmenL for processor
lnLenslve Lusks ls llkelv cosL prohlblLlve
· Amazon ECz Hiqh-CPU Extra Larqe
÷ , C8 of memorv
÷ zo CPUs
÷ ±6oo C8 of lnsLunce sLoruge
÷ Prlce: so.8o per lnsLunce hour
M|o|mal 1eclo|cal Coottols
· lrom our LesLlng, no securlLv conLrols on
whuL cun be run ln Lhe cloud
· Recelved no wurnlngs for scunnlng,
vulnerublllLv probes, or explolLs
R|sks to Costomets- ll aJJtess|oq
· lllLerlnglbluckllsLlng
÷ ALLucks from Lhe cloud Lo vour neLwork?
÷ Wlll lL be hurd Lo deLecL or block uLLucks from
populur cloud servlces?
÷ Wlll vou be blocked lf oLher hosLs ln cloud ure
creuLlng problems?
R|sk to Costomets ÷ ClooJ lmaqe 1tojaos
· lrom Amuzon LCz AUP:
“You may not share or publish Amazon Machine Images
(“AMIs”) or other content or applications on the AWS
Website that are intended to cause, or have the
consequence of causing, the user to be in violation of
the terms and conditions of this Agreement.”
R|sks to Costomets ÷ ueo|al o[ Setv|ce
· No conLrol of lnbound fllLerlng Lo cloud servers
· Some AUP's sLuLe LhuL u server cun be blocked lf
under uLLuck
· lrom CoCrld AUP:
“GoGrid may also disable Customer's service if GoGrid suspects that
such service is the target of an attack or in any way interferes with
services provided to other customers, even if Customer is not at
· Wlll scuns or oLher probes ugulnsL u cloud server
be enough Lo huve Lhe provlder block lL?
R|sks to costomets ÷ l|m|teJ secot|ty aoJ|t|oq
· Aguln, some AUPs prohlblL performlng
securlLv LesLs ugulnsL cloud servers
· Mlnlmul undersLundlng of buck-end
÷ WhuL cun cloud compunles uccess?
÷ WhuL conLrols do Lhev huve ln pluce? (HR,
R|sks to costomets ÷ uata teteot|oo/e-
· No publlshed pollcles on how Cloud
provlders hundle e-dlscoverv reouesLs
· WhuL remulns when server or sLoruge ls
· Lo Cloud provlders perform Lhelr own
buckups? WhuL ls Lhelr reLenLlon pollcv?
· Lo provlders collecL und reLuln uccess logs?
R|sks to costomets ÷ AJm|o|sttat|ve Coosole
· Provlders use u web-bused udmln console Lo
conLrol server lnsLunces
· Console uccounLs usernumelpussword
· Loesn'L muLLer how well vou lock down servers lf
uLLucker cun geL console credenLluls
÷ Phlshlnglspeurflshlng
÷ Shurlng credenLluls
÷ Cuesslng
÷ Snlfflng
· PleusunL skles:
÷ verv uLLrucLlve cosL
÷ Lusv Lo use
÷ Lxumple servlces
· Clussroom pro|ecLslLrulnlng
· 1esL or plloL servers
· LevelopmenL svsLems for low securlLv pro|ecLs
· SvsLem monlLorlng und exLernul LesLlng
÷ How munv svsLems ln vour duLu cenLer could be
Cooclos|oos ÷ Gatlet|oq Stotm
· Our recommenduLlons
÷ Cloud servers noL Lo be used for unv senslLlve
÷ NoL Lo be used for mlsslon crlLlcul servlces
÷ NoL us cosL-effecLlve for zil, servlces
÷ lnsLlLuLlonul Cloud server pollcv needed
÷ Server udmlnlsLruLlon sLundurds needed
÷ MonlLor lnLruslon PrevenLlon SvsLems for
Cloud lP's
Next steps [ot CSl ClooJ teseatcl
· Work wlLh Cloud provlders Lo perform
securlLv ussessmenL of Cloud hosLlng
· lurLher °uploudº LesLlng wlLh Cloud
sLoruge servlces
· Reseurch e-dlscoverv ln Lhe cloud

Adum ColdsLeln
l1 SecurlLv Lnglneer
PeLer KlewlL CompuLlng Servlces
Rvun Speers ÷ LurLmouLh zo±±
Rlckv Melgures ÷ LurLmouLh zo±±