Tutorial: Cloud Computing Security

Transcription

Tutorial: Cloud Computing Security
William R. Claycomb, PhD., Lead Research Scientist, CERT Enterprise Threat and Vulnerability Management Team
2007-2012 Carnegie Mellon University

Agenda
- Background: Cloud Computing
- Threats to Cloud Security
- Insider Threats in the Cloud
- Present, Past, and Future Attacks
- Threats to Cloud Security 2.0
- Future Research

What is Cloud Computing?
- It's internet computing
- Computations are done through the Internet
- No worry about any maintenance or management of actual resources
- Shared computing resources

So, Cloud Computing is:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (from NIST).


Five Characteristics
- On-demand self-service
- Ubiquitous network access
- Location independent resource pooling
- Rapid elasticity
- Measured service

Four Cloud Deployment Models
- Private cloud: enterprise owned or leased
- Community cloud: shared infrastructure for a specific community
- Public cloud: sold to the public, mega-scale infrastructure
- Hybrid cloud: composition of two or more clouds


Threats to Cloud Computing
1. Abuse and Nefarious Use of Cloud Computing
2. Insecure Application Programming Interfaces
3. Malicious Insiders
4. Shared Technology Vulnerabilities
5. Data Loss/Leakage
6. Account, Service, and Traffic Hijacking
7. Unknown Risk Profile
From Cloud Security Alliance, 2010

Abuse and Nefarious Use
- Password and key cracking
- DDoS
- Launching dynamic attack points
- Hosting malicious data
- Botnet command and control
- Building rainbow tables
- CAPTCHA solving
- Exploits exist already

Insecure Interfaces and APIs
- Could expose more functionality than intended
- Policy could be circumvented
- Credentials may need to be passed: is the interface secure?

Malicious Insiders
- Particularly poignant for cloud computing
- Little risk of detection
- System administrator qualifications and the vetting process of the cloud services provider may be different from those of the data owner

Shared Technology Issues
- Underlying architecture (CPU cache, GPU, etc.) not intended to offer strong isolation properties
- Virtualization hypervisor used to mediate access between guest OS and physical resources
- Exploits exist (Blue Pill, Red Pill)

Data Loss or Leakage
- Data is outside the owner's control
- Data can be deleted or decoupled (lost)
- Encryption keys can be lost
- Unauthorized parties may gain access
- Caused by:
  - Insufficient authentication, authorization, and access controls
  - Persistence and remanence
  - Poor disposal procedures
  - Poor data center reliability

Account or Service Hijacking
- Exploits phishing attacks, fraud, or software vulnerabilities
- Credential reuse

Unknown Risk Profile
- How well is the cloud being maintained?
- Many companies are unwilling to release details
- Is the infrastructure up to date?
  - Patches
  - Firmware
- Does the combination of different service providers create previously unseen vulnerabilities?


Scope (nested, from broadest to narrowest)
- Cloud Computing
  - Cloud Computing Security
    - Cloud Computing Security: Insider Threats

What is CERT?
- Center of Internet security expertise
- Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today
- Part of the Software Engineering Institute (SEI), a Federally Funded Research & Development Center (FFRDC) operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)

What is the CERT Insider Threat Center?
- Center of insider threat expertise
- Began working in this area in 2001 with the U.S. Secret Service
- Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider cyber threats.

Who is a Malicious Insider?
Current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

CERT's Insider Threat Case Database
[Chart: U.S. crimes by type; legend entries legible in the source include Theft of IP and Misc; values not recoverable]

Critical Infrastructure Sectors
[Pie chart: U.S. cases by critical industry sector. Legible segments: Banking and Finance 29%; "...tion and Telecommunications" 22%; "...nt-Federal" 7%; Education 4%; Chemical Industry & Hazardous Materials 2%; Defense Industrial Base 2%; Transportation 1%; Energy 1%; Emergency Services 1%. Postal and Shipping and Commercial segments are present but their values are not legible.]
** This does not include espionage cases involving classified information

How bad is the Insider Threat problem?

Insider Threat Issue - 1
Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employers' systems and/or databases. Insiders can bypass existing physical and electronic security measures through legitimate measures.

Insider Threat Issue - 2
Has your organization been the victim of an insider attack? Can you confidently say you have not been the victim of an insider attack?

2011 CyberSecurity Watch Survey - 1
CSO Magazine, USSS, CERT & Deloitte
[Chart: Percentage of participants who experienced an insider incident, 2010; 607 respondents; values not legible in the source]
- 38% of organizations have more than 5000 employees
- 37% of organizations have less than 500
Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

2011 CyberSecurity Watch Survey - 2
- 46% of respondents: damage caused by insider attacks more damaging than outsider attacks
- Most common insider e-crime:
  - Unauthorized access to / use of corporate information (63%)
  - Unintentional exposure of private or sensitive data (57%)
  - Virus, worms, or other malicious code (37%)
  - Theft of intellectual property (32%)
Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

2011 CyberSecurity Watch Survey - 3
[Pie chart: How insider intrusions are handled. Segments of 76%, 12%, 8% and 3% across the categories Internally (without legal action or law enforcement), Internally (with legal action), Externally (notifying law enforcement) and Externally (filing a civil action); the mapping of values to categories is not recoverable from the source.]

Reason(s) cybercrimes were not referred for legal action                      2011   2010
Damage level insufficient to warrant prosecution                               42%    37%
Could not identify the individual/individuals responsible for the eCrime       40%    29%
Lack of evidence/not enough information to prosecute                           39%    35%
Concerns about negative publicity                                              12%    15%
Concerns about liability                                                        8%     7%
Concerns that competitors would use incident to their advantage                 6%     5%
Prior negative response from law enforcement                                    5%     7%
Unaware that we could report these crimes                                       4%     5%
Other                                                                          11%     5%
Don't know                                                                     20%    14%
Not applicable                                                                 N/A    24%

Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

IT Sabotage

911 services disrupted for 4 major cities. Disgruntled former employee arrested and convicted for this deliberate act of sabotage.

Insider IT Sabotage: True Story
A disgruntled system administrator is able to deploy a logic bomb and modify the system logs to frame his supervisor even though he had been demoted and his privileges should have been restricted.

Subject frames his supervisor for sabotage (timeline):
- Insider had difficulties prior to hiring
  - High school dropout
  - Fired from prior job
  - History of drug use
- Expressed feelings of dissatisfaction and frustration with work conditions
  - Complained that "he did all the work"
  - Frequently late for work
  - Drug use on the job
- Demoted
  - Discovered plans to fire him
- Installed logic bomb to delete all files on all servers
  - Set to execute from supervisor's .profile
  - Included "ha ha" message
  - Also planted in script to run when system log file reached certain size
- Tried to hide actions technically, but admitted to coworker
  - Took great pains to conceal act by deleting system logs
  - Forgot to modify one system log, which was used to identify him as perpetrator
  - Told co-worker the day before attack that "he would see some serious stuff happen"

Other Cases of IT Sabotage
- Financial institution customers lose all access to their money from Friday night through Monday
  - Fired system administrator sabotages systems on his way out
- A logic bomb sits undetected for 6 months before finally wreaking havoc on a telecommunications firm
- A security guard at a U.S. hospital, after submitting resignation notice, obtained physical access to computer rooms
  - Installed malicious code on hospital computers, accessed patient medical records
- SCADA systems for an oil-exploration company are temporarily disabled
  - A contractor, whose request for permanent employment was rejected, planted malicious code following termination
- System administrator at a manufacturing plant, passed over for promotion, deployed "logic bomb" prior to resigning, deleting critical software required to run operation
  - Financial damage 10M; forced to lay off 80 employees

Summary of Findings
                                  IT Sabotage
% of crimes in case database**    35%
Current or former employee?       Former
Type of position                  Technical (e.g. sysadmins or DBAs)
Gender                            Male
** Does not include national security espionage

Summary of Findings
                                  IT Sabotage
Target                            Network, systems, or data
Access used                       Unauthorized
When                              Outside normal working hours
Where                             Remote access
Recruited by outsiders            None
Collusion                         None

Theft of Intellectual Property

TRUE STORY:
Research scientist downloads 38,000 documents containing his company's trade secrets before going to work for a competitor. Information was valued at 400 Million.

Other Cases of Theft of IP
- A technical operations associate at a pharmaceutical company downloads 65 GB of information, including 1300 confidential and proprietary documents, intending to start a competing company in a foreign country
  - Organization spent over 500M in development costs
- Simulation software for the reactor control room in a nuclear power plant was being run from a different country
  - A former software engineer born in that country took it with him when he left the company

Summary of Findings
                                  IT Sabotage                           Theft of Intellectual Property
% of crimes in case database**    35%                                   18%
Current or former employee?       Former                                Current
Type of position                  Technical (e.g. sysadmins or DBAs)    Technical (71%): scientists, programmers, engineers; Sales (29%)
Gender                            Male                                  Male
** Does not include national security espionage

Summary of Findings
                                  IT Sabotage                    Theft of Intellectual Property
Target                            Network, systems, or data      IP (trade secrets) 71%; Customer Info 33%
Access used                       Unauthorized                   Authorized
When                              Outside normal working hours   During normal working hours
Where                             Remote access                  At work
Recruited by outsiders            None                           Less than 1/4
Collusion                         None                           Almost 1/2 colluded with at least one insider; 1/2 acted alone

Fraud

An Incident of Insider Fraud

Fake driver's license sold to undercover agent claiming to be on the "No Fly list".

Other Cases of Fraud
- An accounts payable clerk, over a period of 3 years, issues 127 unauthorized checks to herself and others
  - Checks totaled over 875,000
- A front desk office coordinator stole PII from hospital
  - Over 1100 victims and over 2.8 M in fraudulent claims
- A database administrator at a major US insurance company downloaded 60,000 employee records onto removable media and solicited bids for sale over the Internet
- An office manager for a trucking firm fraudulently puts her husband on the payroll for weekly payouts, and erases records of payments
  - Over almost a year, loss of over 100K

Summary of Findings
                                  IT Sabotage                           Theft of Intellectual Property                                        Fraud
% of crimes in case database**    35%                                   18%                                                                   (not legible in source)
Current or former employee?       Former                                Current                                                               (not legible in source)
Type of position                  Technical (e.g. sysadmins or DBAs)    Technical (71%): scientists, programmers, engineers; Sales (29%)      Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service)
Gender                            Male                                  Male                                                                  Fairly equally split between male and female
** Does not include national security espionage

Insider Threats in the Cloud
- Identified by Cloud Security Alliance (CSA) "Top Threats to Cloud Computing, v 1.0": malicious insider working for cloud provider
- But there are other insider threats related to cloud computing

Provider / Organization Relationship
[Diagram: Cloud Provider (Resources, Employee, Data) in relationship with Victim Organization (Resources/Availability, Employee, Data)]

Cloud-Related Malicious Insider Threats
- Malicious Cloud Provider Employee
  - Rogue Administrator
- We've seen cases of insider threats from trusted business partners
- True examples of cloud service providers are rare, but do exist
- Important to weigh the risks carefully; the provider has much to lose as well

Rogue Administrators

Cloud-Related Malicious Insider Threats
- Malicious Local Employee
  - Exploiting weaknesses of the Cloud
    - Example weakness: the organization may not have direct control of the resources providing data/services
    - Most likely Fraud or Theft of IP
    - Don't count out sabotage, though
  - Attacking organization data in the cloud
    - Access control models may be different
    - Effecting change quickly may be difficult
    - Example case: Email provider
    - Example exploit: Replication Lag
    - Similar to Byzantine Generals Problem
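The replication-lag point above ("effecting change quickly may be difficult"), illustrated with an added simulation that is not part of the original tutorial: an access-control store whose replica trails the primary keeps honouring a permission after it has been revoked at the primary, and two defensive checks (a strongly consistent read of the primary, and a replica read that fails closed when the replica is known to be stale) close that window. Store, Replica, the tick-based lag and the user/permission values are constructed for this example.

```python
# Constructed simulation (not the tutorial's code) of an eventually-consistent
# access-control store: a write lands on the primary and reaches the replica
# `lag` ticks later, so a revocation stays invisible to replica reads meanwhile.
from dataclasses import dataclass, field

@dataclass
class Replica:
    version: int = 0
    acl: dict = field(default_factory=dict)  # user -> set of permission names

class Store:
    def __init__(self, lag: int, max_staleness: int = 0):
        self.lag = lag                      # ticks a write takes to reach the replica
        self.max_staleness = max_staleness  # versions the replica may trail the primary
        self.primary, self.replica = Replica(), Replica()
        self.queue = []                     # in-flight writes: (deliver_at, version, acl)
        self.tick = 0

    def _write(self, user: str, perm: str, add: bool) -> None:
        perms = self.primary.acl.setdefault(user, set())
        perms.add(perm) if add else perms.discard(perm)
        self.primary.version += 1
        snapshot = {u: set(p) for u, p in self.primary.acl.items()}
        self.queue.append((self.tick + self.lag, self.primary.version, snapshot))

    def grant(self, user: str, perm: str) -> None: self._write(user, perm, True)
    def revoke(self, user: str, perm: str) -> None: self._write(user, perm, False)

    def advance(self, ticks: int = 1) -> None:
        """Move time forward, applying replication messages that have become due."""
        for _ in range(ticks):
            self.tick += 1
            for _, version, snapshot in [m for m in self.queue if m[0] <= self.tick]:
                self.replica.version, self.replica.acl = version, snapshot
            self.queue = [m for m in self.queue if m[0] > self.tick]

    def allowed_eventual(self, user: str, perm: str) -> bool:
        """Cheap replica read: still honours access already revoked at the primary."""
        return perm in self.replica.acl.get(user, set())

    def allowed_consistent(self, user: str, perm: str) -> bool:
        """Strongly consistent read of the primary for the authorization decision."""
        return perm in self.primary.acl.get(user, set())

    def allowed_fail_closed(self, user: str, perm: str) -> bool:
        """Replica read that denies once the replica is known (e.g. via a heartbeat
        carrying the primary's version) to trail by more than max_staleness."""
        if self.primary.version - self.replica.version > self.max_staleness:
            return False
        return self.allowed_eventual(user, perm)
```

With a lag of 3 ticks, a revocation issued at the primary is still honoured by `allowed_eventual` for the next 3 ticks, while `allowed_consistent` and `allowed_fail_closed` deny immediately.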

Cloud-Related Malicious Insider Threats
- Malicious Local Employee
  - Using the cloud to attack the organization
    - Example weakness: the Cloud is a very powerful tool; and a very powerful
