Cloud Service Provider Internal Threats
CSP Internal Threats
Hussein Mahgoob
Ahmed Ali El-Kosairy
Introduction
➢CERN (1) defines an insider threat as such:
A malicious insider threat ==
➢Organization
➢+ (current or former employee, contractor, or other business partner)
➢+ (authorized access to an organization's systems)
Introduction
Impact Area
➢Example: Edward Snowden (2)
PRISM (2007). Right or wrong?!!
➢Something such as the Watergate scandal (3)
Objective
➢How to protect yourself from internal threats from the Cloud Service Provider (CSP) perspective
➢How to protect yourself from internal threats (CSP) from the user perspective
Objective
●As a client we are looking for privacy (please check the previous presentation <Ahmed Nour>)
●As a CSP we are looking for defense in depth.
➢What is DID? Multiple layers of security technology.
Related Approaches
●Encryption
●Privilege and Authentication
●Security Policy
Our Approach
Using a combination of security intelligence systems such as:
Data Loss Prevention
●Host level
●Network level
●Format based
●For CSP
Encryption
●For CSP and client
●Try to use multiple layers of encryption such as SFS for Linux and EFS for Windows with any 3rd party (4).
DRM
●For CSP and client.
●Digital Rights Management (DRM) based on PKI.
●Examples:
●Snapchat
●Related news (5):
●Facebook tried to buy Snapchat for $3B.
●Snapchat may have rejected a $4 billion offer from Google.
●Microsoft DRM.
●Apple FairPlay.
Apple FairPlay
Can we trust CA, DRM, security algorithms!!
User Access Authentication
●For CSP and client.
●Use multi-factor authentication:
➢Something you know.
➢Something you have.
➢Something you are.
➢Two-man rule or two-person integrity (TPI). Example: nuclear weapons.
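As an added example (not from the slides), a small policy gate for the two-person integrity rule above: a privileged action on a CSP control plane runs only when two distinct operators, neither of them the requester, each approve it from a session that passed multi-factor authentication in an authorized role. The names `Approval`, `authorize_privileged_action`, the factor names and the sample approvals are assumptions constructed for this illustration.

```python
from dataclasses import dataclass

# Factor classes from the slide: something you know / have / are.
# Factor names are constructed for this illustration.
FACTOR_CLASSES = {"password": "know", "totp": "have",
                  "hardware_key": "have", "fingerprint": "are"}


@dataclass(frozen=True)
class Approval:
    operator: str     # identity of the approving operator
    role: str         # role under which the approval was given
    factors: tuple    # factor names verified in the approving session
    issued_at: float  # unix time at which the approval was recorded


def mfa_satisfied(factors):
    """True only if two *different* factor classes were verified;
    two factors of the same class (e.g. two passwords) are not MFA."""
    classes = {FACTOR_CLASSES.get(f) for f in factors}
    classes.discard(None)  # unknown factor names never count
    return len(classes) >= 2


def authorize_privileged_action(requester, approvals, authorized_roles,
                                now, max_age=900):
    """Two-person integrity gate for a privileged CSP operation.
    Returns (ok, reason); ok only when two distinct operators, neither the
    requester, approved from an MFA-verified session in an authorized role
    within the last max_age seconds."""
    valid = []
    for a in approvals:
        if a.operator == requester:         # cannot approve your own request
            continue
        if a.role not in authorized_roles:  # least privilege on approver role
            continue
        if not mfa_satisfied(a.factors):    # single-factor or unknown session
            continue
        if now - a.issued_at > max_age:     # stale approval
            continue
        valid.append(a)
    approvers = {a.operator for a in valid}
    if len(approvers) < 2:
        return False, "need two distinct MFA-verified approvers, not the requester"
    return True, "approved by " + ", ".join(sorted(approvers))
```

The same gate rejects a second approval from the same person, an approval from the requester, a single-factor session, an unauthorized role, and an expired approval.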
●Security Architecture: Segmentation.
●Risk Management: Assessments (CSP perspective).
➢Check on vacations.
➢Controls.
➢Mitigate risk.
●Third-party audits.
●Policy enforcement.
And again: can we trust CA, DRM, security algorithms!!!
Sony BMG DRM
• 2000: Napster issue, Shawn Fanning
• Music companies: "We will revenge"
• Sony BMG copy protection
• When inserted into a computer:
➢the CDs installed one of two pieces of software
➢which provided a form of digital rights management (DRM) by modifying the operating system.
➢Both programs could not be easily uninstalled.
➢And they unintentionally created vulnerabilities that were exploited by unrelated malware (6).
• Rootkit scandal 2007 :)
ANSSI_CA
➢ANSSI:
Rogue digital certificates had been issued by the French certificate authority ANSSI, which works closely with the French defense agency (7).
RSA 4096-bit Crypto Analysis (8)
➢Send encrypted mails to you (the attacker already knows the plaintext and the ciphertext)
➢Listen to the frequency of your CPU with a microphone
➢Use low- and high-pass filters
➢Called an acoustic signal attack
➢RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (9)
Conclusion
We need to apply DID on client level and provider level
Conclusion
●Using a combination of security intelligence systems such as:
➢DLP
➢Encryption (multiple layers of encryption)
➢DRM
➢User access
➢Security architecture: segmentation
➢Risk management: assessments
➢Third-party audits
➢Policy enforcement
➢And (FDM), etc.
But remember: everything comes with a price
References
(1) Cloud Security Alliance, "The Notorious Nine: Cloud Computing Top Threats in 2013", https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
(2) "Edward Snowden a 'hero' for NSA disclosures, Wikipedia founder says", World news, The Guardian (2013-11-25), http://www.theguardian.com/world/2013/nov/25/edward-snowden-nsa-wikipedia-founder; http://en.wikipedia.org/wiki/Edward_Snowden
(3) Watergate scandal, http://en.wikipedia.org/wiki/Watergate_scandal
(4) Rajesh Kumar Pal, Indranil Sengupta, "Enhancing File Data Security in Linux Operating System", IEEE Symposium on Computational Intelligence in Cyber Security (CICS '09), 2009, http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=4925089&queryText%3DEnhancing+File+Data+Security+in+Linux+Operating+System+by+Integrating+Secure+File+System
(5) Forbes, "Maybe Snapchat is crazy to turn down $3B, but was Facebook nuts to offer it?", http://www.forbes.com/sites/markrogowsky/2013/11/14/maybe-snapchat-is-crazy-to-turn-down-3b-but-was-facebook-nuts-to-offer-it/
(6) Halderman, J. Alex, and Felten, Edward, "Lessons from the Sony CD DRM Episode", Center for Information Technology Policy, Department of Computer Science, Princeton University, 2006-02-14, http://www.copyright.gov/1201/2006/hearings/sonydrm-ext.pdf; http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
(7) The Hacker News, "Fake Google SSL certificates made in", http://thehackernews.com/2013/12/fake-google-ssl-certificates-made-in.html
(8) ExtremeTech, "Researchers crack the world's toughest encryption by listening to the tiny sounds made by your computer's CPU", http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu
(9) "RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis", acoustic-20131218.pdf, http://www.cs.tau.ac.il/~tromer/acoustic/