Democratising insecurity
Bringing security weaknesses to the tech masses

About Me
Alistair Chapman • Queensland University of Technology • Network Security Engineer
• Trained as network engineer
• Specialising in IDS and technical architecture
• Corporate and IS Governance Consultant
au.linkedin.com/in/alistairchapman/
alistair@agchapman.com
Alistair Chapman /in/alistairchapman/

AGENDA
1. Industry Context
2. Dark Side of Growth
3. Solution Strategy
4. Strategic Model

Industry and Technology Context

Context: Easy availability of simple VPS
• New container-based virtualisation
• Lowered cost of entry to market
• Increased competition, lower costs
• Simplified processes, minimal verification
• Basic management and support

Case Study: DigitalOcean
• Less than a cent per hour
• Provisioned in under a minute
• 100%/99.9% SLA
• From 100 to 100,000 hosts in 2 years
• Service built on quick-build, high-quantity instances

Case Study: OVH
• 15% growth in North America
• Expansion from Europe to North America in 2014
• Offer full spectrum of services from VPS to full storage-backed cloud infrastructure
• Offer services from as little as $3/month, all with SLAs

The Dark Side of Growth

Problem: Poor account practices
“Plaintext Offenders”:
• OVH.com
• Macincloud.com
• Eurospace
• Crocweb
• DigitalPacific
• WHMCS

Problem: Weak default configurations
Application Templates
• Many providers offer pre-built template instances
• Default passwords
• Weak standard configurations
• Little to no warnings

Effect: Poor Management Control
Reduced effectiveness of controls
[Diagram: VMs inside the secured corporate domain beside a stand-alone VPS outside it, labelled UNSECURE]
• Single-instance servers outside of corporate domain
• May not fall under security policies or centralised administration
• Often provisioned ad hoc, or independently

Effect: Increased risk of spam and C&C
Servers are “prime targets”
• Weak default configurations combined with public access
• Simple targets for email spam
• Additional risk for C&C and botnet attacks
Lower-maintenance hosts
• Typical server uses are low-maintenance, low-touch roles
• Administrators may not check their servers for months at a time

Solution Strategy and Implementation

Solution Overview: Improved Cloud Security Coverage
• Secure Default Configurations
• Secure Billing and Backend Services
• Improved monitoring and governance of cloud services
• Increased provider responsibility

Secure Default Configurations
• Particularly important for pre-configured application instances
• Services should be disabled by default
• Restrict initial access to VPN for added security

Secure Billing and Backend Services
Billing Services (WHMCS Example)
• Billing services should be secure at a process level
• Customer data should be transmitted only when absolutely necessary

Secure Billing and Backend Services
Authentication and Customer Data
• NEVER EMAIL PASSWORDS
• Secure KVM access to virtual hosts
• VM Control Panels and APIs must be secure

Improved Monitoring and Governance
Monitoring
• Should be streamlined to encourage adoption
• Hooks, APIs and compatibility with external providers
• Provide rudimentary alerting system
Governance
• 100% Customer Responsibility
• Keep external cloud hosts under central IT
• Use provisioning and endpoint management where possible

Increased Provider Responsibility
Active Monitoring
• Virtualisation provides unique opportunities
• Take lead from ISP market
• Public services should be opt-in
Management Responsibility
• Identity Validation and tracking
• Used to track abuse
• Tiered levels of capability
• DNS (ICANN)
• SSL (subdomains)
• PayPal

Case Study: Microsoft Azure
Overview
• Not a perfect product
• Has the advantage of multinational corporate backing
• Global infrastructure and near-unlimited funds: a unique ability
Responsibility
• Major corporate brand
• Significant PR and client commitments made

Secure Processes
Authentication
• Initial system accounts are set by user at provisioning
• Host can be used with external authentication
• Strongly suggest use of PowerShell for security
Application Configuration
• Still uses insecure defaults
• Uses “Endpoints” to hide services
• Primarily “security through obscurity”

Secure Processes
Governance
• Allows for direct integration into existing infrastructure
• Pre-provisioning configuration available on some hosts
• All communication done through secure web portal
Monitoring
• Active, real-time monitoring available
• Configurable alerts available on all services
• Tight integration with existing (Microsoft) tools
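The "Weak default configurations" and "Secure Default Configurations" slides above describe template instances that ship with services exposed and weak settings; the script below is an added example, not part of the original deck, that audits a template's captured `ss -lntu` output and sshd_config for exactly those defaults. The sample outputs, the opt-in-exempt port set and the function names are constructed assumptions.

```python
OPT_IN_EXEMPT_PORTS = {22}                       # assumption: only SSH is public by default
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}  # socket bound to every interface

# Constructed `ss -lntu` sample from a hypothetical LAMP template.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
tcp   LISTEN 0      511    *:80               *:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

# Constructed sshd_config: root login enabled, password auth left at its default.
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""

def exposed_services(ss_text):
    """Return (port, proto) for sockets bound to all interfaces that need opt-in."""
    exposed = []
    for line in ss_text.splitlines()[1:]:        # skip the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        if host in WILDCARD_HOSTS and int(port) not in OPT_IN_EXEMPT_PORTS:
            exposed.append((int(port), fields[0]))
    return exposed

def sshd_findings(config_text):
    """Flag sshd directives that keep the template's weak defaults."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):    # commented lines keep the OpenSSH default
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root password login allowed")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes (OpenSSH default): use keys")
    return findings

def audit(ss_text=SS_OUTPUT, config_text=SSHD_CONFIG):
    return {"exposed": exposed_services(ss_text), "sshd": sshd_findings(config_text)}  # non-empty = not production-ready
```

On a live host, replace the two constants with the real `ss -lntu` output and the contents of /etc/ssh/sshd_config; a non-empty result is the "never put default configurations in production" check failing.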
Vision of the Future
GOAL: Improved Security of Isolated Cloud Nodes
STRATEGIES: Reduced Attack Surface • Improved Resource Management • Effective Support Services
TACTICS: Improve OOBE Security • Monitoring and Governance • Secure Backend Services
OUTCOMES: Hardened application • Fully integrated instances • Holistic, Full-Stack Security Model

Implementation Guidelines
Providers
• Verify standard system and application configurations
• Perform and complete active monitoring of instances
• Change services to opt-in where possible
• Obfuscate insecure services at provision-time
• Secure communication only
Users
• Never put default configurations in production
• Never make insecure services public
• Install services only on an as-needed basis
• Configure ACLs, firewalls and admin limits early

Summary and Overview
Summary
• Proliferation of providers and services is not a problem, it's an asset
• Improves customer choice
• Also makes security failings much more apparent and accessible
• Responsibility lies with all stakeholders
• Holistic effort required to fully improve situation

Role-based model
APNIC Partners (Hosting Providers)
• Improve new service templates and processes
• Improve access to hardening and obfuscation measures
Sysadmin | NetSec Developers
• Pay equal attention to backend/billing service security
• Secure OOBE application configurations
Users and Businesses
• Follow best practices for securing public services and applications
• Integrate into any existing governance and monitoring

Thank You
Alistair Chapman
(w) https://agchapman.com/
(e) alistair@agchapman.com
(ln) http://lnkd.in/bceQ5SG