Tutorial: Cloud Computing Security
William R. Claycomb, PhD, Lead Research Scientist, CERT Enterprise Threat and Vulnerability Management Team
2007-2012 Carnegie Mellon University
Agenda
Background: Cloud Computing Threats to Cloud Security Insider Threats in the Cloud Present, Past, and Future Attacks Threats to Cloud Security 2.0 Future Research
What is Cloud Computing?
It's Internet computing
Computations are done through the Internet
No worry about any maintenance or management of the actual resources
Shared computing resources
So, Cloud Computing is:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (from NIST)
Five Characteristics
On-demand self-service
Ubiquitous network access
Location independent resource pooling
Rapid elasticity
Measured service
Four Cloud Deployment Models
Private cloud
Enterprise owned or leased
Community cloud
Shared infrastructure for specific community
Public cloud
Sold to the public, mega-scale infrastructure
Hybrid cloud
Composition of two or more clouds
Threats to Cloud Computing
1. Abuse and Nefarious Use of Cloud Computing
2. Insecure Application Programming Interfaces
3. Malicious Insiders
4. Shared Technology Vulnerabilities
5. Data Loss/Leakage
6. Account, Service, and Traffic Hijacking
7. Unknown Risk Profile
From Cloud Security Alliance, 2010
Abuse and Nefarious Use
Password and key cracking
DDoS
Launching dynamic attack points
Hosting malicious data
Botnet command and control
Building rainbow tables
CAPTCHA solving
Exploits exist already
Insecure Interfaces and APIs
Could expose more functionality than intended
Policy could be circumvented
Credentials may need to be passed: is the interface secure?
Malicious Insiders
Particularly poignant for cloud computing
Little risk of detection
System administrator qualifications and the vetting process at the cloud services provider may differ from those of the data owner
Shared Technology Issues
Underlying architecture (CPU cache, GPU, etc.) not intended to offer strong isolation properties
Virtualization hypervisor used to mediate access between guest OS and physical resources
Exploits exist (Blue Pill, Red Pill)
Data Loss or Leakage
Data is outside the owner's control
Data can be deleted or decoupled (lost)
Encryption keys can be lost
Unauthorized parties may gain access
Caused by:
Insufficient authentication, authorization, and access controls
Persistence and remanence
Poor disposal procedures
Poor data center reliability
Account or Service Hijacking
Exploits phishing attacks, fraud, or software vulnerabilities
Credential reuse
Unknown Risk Profile
How well is the cloud being maintained?
Many companies are unwilling to release details
Is the infrastructure up to date?
Patches
Firmware
Does the combination of different service providers create previously unseen vulnerabilities?
Scope
Cloud Computing
Cloud Computing Security
Cloud Computing Security Insider Threats
What is CERT?
Center of Internet security expertise
Established in 1988 by the US Department of Defense on the heels of the Morris worm, which created havoc on the ARPANET, the precursor to what is the Internet today
Part of the Software Engineering Institute (SEI), a Federally Funded Research & Development Center (FFRDC) operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)
What is the CERT Insider Threat Center?
Center of insider threat expertise
Began working in this area in 2001 with the U.S. Secret Service
Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider cyber threats.
Who is a Malicious Insider?
Current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
CERT's Insider Threat Case Database
[Bar chart: U.S. Crimes by Category. Categories: Sabotage, Fraud, Theft of IP, Misc. Bar values shown on the chart: 277, 148, 99, 69]
Critical Infrastructure Sectors
U.S. Cases by Critical Industry Sector (pie chart):
Banking and Finance: 29%
Information and Telecommunications: 22%
Government-State/Local: 9%
Public Health: 7%
Government-Federal: 7%
Commercial Facilities: 6%
Education: 4%
N/A: 4%
Manufacturing: 2%
Chemical Industry & Hazardous Materials: 2%
Food: 2%
Defense Industrial Base: 2%
Transportation: 1%
Water: 1%
Energy: 1%
Emergency Services: 1%
Postal and Shipping: <1%
** This does not include espionage cases involving classified information
How bad is the Insider Threat problem?
Insider Threat Issue -1
Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employer's systems and/or databases. Insiders can bypass existing physical and electronic security measures through legitimate means.
Insider Threat Issue -2
Has your organization been the victim of an insider attack? Can you confidently say you have not been the victim of an insider attack?
2011 CyberSecurity Watch Survey - 1
CSO Magazine, USSS, CERT & Deloitte; 607 respondents
38% of organizations have more than 5000 employees; 37% of organizations have fewer than 500 employees
[Bar chart: Percentage of Participants Who Experienced an Insider Incident, by survey year (2004, 2005, 2006, 2007, 2008, 2010). Bar values shown on the chart: 55, 41, 49, 39, 51, 43]
Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
2011 CyberSecurity Watch Survey - 2
46% of respondents: damage caused by insider attacks was more damaging than outsider attacks
Most common insider e-crimes:
Unauthorized access to / use of corporate information (63%)
Unintentional exposure of private or sensitive data (57%)
Virus, worms, or other malicious code (37%)
Theft of intellectual property (32%)
2011 CyberSecurity Watch Survey - 3
How Insider Intrusions Are Handled
[Pie chart. Categories: Internally (without legal action or law enforcement), Internally (with legal action), Externally (notifying law enforcement), Externally (filing a civil action). Values shown on the chart: 76%, 12%, 8%, 3%]
Reason(s) CyberCrimes were not referred for legal action (2011 / 2010):
Damage level insufficient to warrant prosecution: 42% / 37%
Could not identify the individual/individuals responsible for committing the eCrime: 40% / 29%
Lack of evidence/not enough information to prosecute: 39% / 35%
Concerns about negative publicity: 12% / 15%
Concerns about liability: 8% / 7%
Concerns that competitors would use incident to their advantage: 6% / 5%
Prior negative response from law enforcement: 5% / 7%
Unaware that we could report these crimes: 4% / 5%
Other: 11% / 5%
Don't know: 20% / 14%
Not applicable: N/A / 24%
IT Sabotage
911 services disrupted for 4 major cities
Disgruntled former employee arrested and convicted for this deliberate act of sabotage.
Insider IT Sabotage: True Story
A disgruntled system administrator was able to deploy a logic bomb and modify the system logs to frame his supervisor, even though he had been demoted and his privileges should have been restricted.
Subject frames his supervisor for sabotage
Expressed feelings of dissatisfaction and frustration with work conditions
Complained that he did all the work
Insider had difficulties prior to hiring: high school dropout, fired from prior job, history of drug use
Frequently late for work
Drug use on the job
Demoted
Discovered plans to fire him
Installed logic bomb to delete all files on all servers
Set to execute from supervisor's .profile
Included "ha ha" message
Also planted in script to run when system log file reached certain size
Tried to hide actions technically, but admitted to coworker
Took great pains to conceal act by deleting system logs
Forgot to modify one system log, which was used to identify him as perpetrator
Told co-worker the day before attack that he would "see some serious stuff happen"
Other Cases of IT Sabotage
Financial institution customers lose all access to their money from Friday night through Monday
Fired system administrator sabotages systems on his way out
A logic bomb sits undetected for 6 months before finally wreaking havoc on a telecommunications firm
A security guard at a U.S. hospital, after submitting resignation notice, obtained physical access to computer rooms
Installed malicious code on hospital computers, accessed patient medical records
SCADA systems for an oil-exploration company are temporarily disabled
A contractor, whose request for permanent employment was rejected, planted malicious code following termination
System administrator at a manufacturing plant, passed over for promotion, deployed logic bomb prior to resigning, deleting critical software required to run operations
Financial damage $10M; forced to lay off 80 employees
Summary of Findings: IT Sabotage
% of crimes in case database**: 35%
Current or former employee?: Former
Type of position: Technical (e.g. sys admins or DBAs)
Gender: Male
** Does not include national security espionage
Summary of Findings: IT Sabotage
Target: Network, systems, or data
Access used: Unauthorized
When: Outside normal working hours
Where: Remote access
Recruited by outsiders: None
Collusion: None
Theft of Intellectual Property
TRUE STORY:
Research scientist downloads 38,000 documents containing his company's trade secrets before going to work for a competitor
Information was valued at $400 Million
Other Cases of Theft of IP
A technical operations associate at a pharmaceutical company downloads 65 GB of information, including 1300 confidential and proprietary documents, intending to start a competing company in a foreign country
Organization spent over $500M in development costs
Simulation software for the reactor control room in a nuclear power plant was being run from a different country
A former software engineer born in that country took it with him when he left the company.
Summary of Findings: IT Sabotage vs. Theft of Intellectual Property
% of crimes in case database**: IT Sabotage 35%; Theft of IP 18%
Current or former employee?: IT Sabotage Former; Theft of IP Current
Type of position: IT Sabotage Technical (e.g. sys admins or DBAs); Theft of IP Technical (71%: scientists, programmers, engineers), Sales (29%)
Gender: IT Sabotage Male; Theft of IP Male
** Does not include national security espionage
Summary of Findings: IT Sabotage vs. Theft of Intellectual Property
Target: IT Sabotage Network, systems, or data; Theft of IP IP (trade secrets) 71%, Customer Info 33%
Access used: IT Sabotage Unauthorized; Theft of IP Authorized
When: IT Sabotage Outside normal working hours; Theft of IP During normal working hours
Where: IT Sabotage Remote access; Theft of IP At work
Recruited by outsiders: IT Sabotage None; Theft of IP Less than 1/4
Collusion: IT Sabotage None; Theft of IP Almost colluded with at least one insider; acted alone
Fraud
An Incident of Insider Fraud
Fake drivers license sold to undercover agent claiming to be on the No Fly list
Other Cases of Fraud
An accounts payable clerk, over a period of 3 years, issues 127 unauthorized checks to herself and others...
Checks totaled over $875,000
A front desk office coordinator stole PII from hospital...
Over 1100 victims and over $2.8 M in fraudulent claims
A database administrator at a major US insurance company downloaded 60,000 employee records onto removable media and solicited bids for sale over the Internet
An office manager for a trucking firm fraudulently puts her husband on the payroll for weekly payouts, and erases records of payments
Over almost a year, loss of over $100K
Summary of Findings: IT Sabotage vs. Theft of Intellectual Property vs. Fraud
% of crimes in case database**: IT Sabotage 35%; Theft of IP 18%; Fraud 40%
Current or former employee?: IT Sabotage Former; Theft of IP Current; Fraud Current
Type of position: IT Sabotage Technical (e.g. sys admins or DBAs); Theft of IP Technical (71%: scientists, programmers, engineers), Sales (29%); Fraud Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service)
Gender: IT Sabotage Male; Theft of IP Male; Fraud Fairly equally split between male and female
** Does not include national security espionage
Insider Threats in the Cloud
Identified by Cloud Security Alliance (CSA) Top Threats to Cloud Computing, v 1.0
Malicious insider working for cloud provider
But there are other insider threats related to cloud computing
Provider / Organization Relationship
[Diagram: the Cloud Provider and the Victim Organization, connected through Resources/Availability, Employee, and Data]
Cloud-Related Malicious Insider Threats: Malicious Cloud Provider Employee
Rogue Administrator
We've seen cases of insider threats from trusted business partners
True examples at cloud service providers are rare, but do exist
Important to weigh the risks carefully; the provider has much to lose as well
Rogue Administrators
Cloud-Related Malicious Insider Threats: Malicious Local Employee
Exploiting weaknesses of the Cloud
Example weakness: the organization may not have direct control of the resources providing data/services
Most likely Fraud or Theft of IP
Don't count out sabotage, though
Attacking organization data in the cloud
Access control models may be different
Effecting change quickly may be difficult
Example case: Email provider
Similar to Byzantine Generals Problem
Example exploit: Replication Lag
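The replication-lag case above, as an added example that is not part of the tutorial: a small Python model of an access revocation issued at the provider's primary while a read replica still serves the old access list, and a bounded-staleness check that narrows the window. The Primary/Replica classes, the MAX_STALENESS policy value and the timings are assumptions made for this example.

```python
"""Access revocation under replication lag (added example, not the tutorial's
code). An organization revokes an insider's access at the provider's primary,
but a read replica keeps honouring the old entry until the change replicates.
The mitigation shown, bounded staleness, is an assumed policy for illustration."""
from dataclasses import dataclass, field

MAX_STALENESS = 5.0  # seconds a replica may answer from its local copy (assumed)


@dataclass
class Primary:
    """Authoritative access list; a revocation takes effect here immediately."""
    allowed: set = field(default_factory=set)

    def revoke(self, user: str) -> None:
        self.allowed.discard(user)


@dataclass
class Replica:
    """Read replica that only learns of changes when sync() runs."""
    primary: Primary
    allowed: set = field(default_factory=set)
    synced_at: float = 0.0

    def sync(self, now: float) -> None:
        self.allowed = set(self.primary.allowed)
        self.synced_at = now

    def authorize(self, user: str, now: float, bounded: bool) -> bool:
        # Unbounded: answer from the local copy even if it is stale.
        if not bounded:
            return user in self.allowed
        # Bounded staleness: an out-of-date replica defers to the primary.
        if now - self.synced_at > MAX_STALENESS:
            return user in self.primary.allowed
        return user in self.allowed


def revocation_window(bounded: bool, lag: float = 30.0) -> list:
    """Decisions for the revoked user: [before revocation, during lag, after sync]."""
    primary = Primary(allowed={"insider", "alice"})
    replica = Replica(primary)
    replica.sync(now=0.0)
    before = replica.authorize("insider", now=1.0, bounded=bounded)
    primary.revoke("insider")                     # org revokes at t = 2
    during = replica.authorize("insider", now=2.0 + lag, bounded=bounded)
    replica.sync(now=3.0 + lag)                   # replication finally arrives
    after = replica.authorize("insider", now=4.0 + lag, bounded=bounded)
    return [before, during, after]
```

With a lag shorter than MAX_STALENESS the bounded replica still grants the revoked user from its local copy, so the bound caps the window rather than removing it.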
Cloud-Related Malicious Insider Threats: Malicious Local Employee
Using the cloud to attack the organization
Example weakness: the Cloud is a very powerful tool, and a very powerful weapon; what if it is turned back on the org itself?
A financially troubled insider exploits the processing power of cloud services to crack password files, allowing unrestricted access to company bank accounts.
A disgruntled insider uses several relatively cheap, easily configured cloud systems to launch a distributed denial of service attack on his organization, hindering incident investigation and limiting forensic analysis.
An insider planning to leave the company leverages cloud storage to consolidate and exfiltrate sensitive information to take to a new job with a competitor.
Protecting Against Malicious Insiders: Rogue Administrators
From CSA:
Supply chain management
HR requirements as part of legal contracts
Require information security and management practices transparency
Determine security breach notification processes
Enforcement of SLAs
Encryption
Where do you keep the keys?
What is the cost to the host provider?
Protecting Against Malicious Insiders: Those that exploit weaknesses in the Cloud
Diligence in planning during implementation, transition, migration, and maintenance of cloud services
Current research continues in authorization and access control
Directory virtualization
RBAC
Clear plans for handling incidents
Including authentication and authorization between org and host provider
Protecting Against Malicious Insiders: Those that use the Cloud against you
Data Loss Prevention (DLP)
Limit access to potential exfiltration resources
Create separate environments for external communication
Future Research: Cloud Insider Threats
Socio-technical approach
Predictive models
Identifying cloud-based indicators
Virtualization and hypervisors
Awareness and reporting
Normal user behavior analysis
Policy integration
Predictive Models
Centre for the Protection of National Infrastructure (CPNI)
Ongoing insider threat risk management program, beginning before hire
Greitzer et al.
Identifies and weighs indicators of insider risk
Develops a reasoning system to integrate multiple data sources
Identifying Cloud-based Indicators
Many indicators from other domains also apply here
Unusual search activity
Acquiring unknown access paths
What about Cloud-specific indicators?
SLA violation
Improper virtual machine management
Using suspicious software
Performing similar activities across different platforms and/or customer systems
Lack of concern for company policy or protection of others' data
Four types of indicators (Ilgun et al.): threshold, anomaly, rule-based, model-based
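As an added example (not the tutorial's code), the indicator types named above applied to a constructed cloud-provider audit log: a threshold check on download size, an anomaly check against the user's own download baseline, a rule for the snapshot-then-delete pattern of improper VM management, and a check for the same sensitive action repeated across customer tenants. The log format, field names, tenant names and limits are assumptions made for this example.

```python
"""Insider indicators over a constructed cloud audit log. Added example, not the
tutorial's code; log format, field names and limits are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines: "timestamp user action tenant detail"
LOG = """\
2012-05-01T09:10 bob vm.snapshot tenantA web-01
2012-05-01T09:30 bob vm.delete tenantA web-01
2012-05-01T10:00 bob storage.download tenantA 120
2012-05-01T11:00 bob storage.download tenantA 140
2012-05-01T12:00 bob storage.download tenantA 110
2012-05-01T13:00 bob storage.download tenantA 130
2012-05-01T14:00 bob storage.download tenantA 125
2012-05-01T23:40 bob storage.download tenantA 9800
2012-05-02T02:15 bob vm.snapshot tenantB db-03
2012-05-02T02:16 bob vm.snapshot tenantC db-09
2012-05-02T02:20 bob software.install tenantB password-cracker
""".splitlines()

def parse(lines):
    """Split each constructed line into a dict keyed by field name."""
    keys = ("ts", "user", "action", "tenant", "detail")
    return [dict(zip(keys, line.split())) for line in lines]

def threshold_indicator(events, limit_mb=5000):
    """Threshold: any single download above a fixed size (MB, assumed limit)."""
    return [e for e in events if e["action"] == "storage.download"
            and int(e["detail"]) > limit_mb]

def anomaly_indicator(events, z=2.0):
    """Anomaly: a download far outside the user's own volume baseline (z-score)."""
    dl = [e for e in events if e["action"] == "storage.download"]
    sizes = [int(e["detail"]) for e in dl]
    mu, sigma = mean(sizes), pstdev(sizes)
    return [e for e in dl if sigma > 0 and (int(e["detail"]) - mu) / sigma > z]

def rule_indicator(events):
    """Rule-based: VM snapshot followed by deletion of the same VM
    (an 'improper virtual machine management' pattern)."""
    snapped, hits = set(), []
    for e in events:
        key = (e["tenant"], e["detail"])
        if e["action"] == "vm.snapshot":
            snapped.add(key)
        elif e["action"] == "vm.delete" and key in snapped:
            hits.append(e)
    return hits

def cross_tenant_indicator(events, min_tenants=2):
    """Same sensitive action repeated across different customer tenants."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] in ("vm.snapshot", "software.install"):
            seen[(e["user"], e["action"])].add(e["tenant"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_tenants}
```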
Virtualization and Hypervisors
Attacks practically require authorized access to carry out
Hard to accidentally leak information across the hypervisor
New technologies to separate virtualization at the hardware level
Awareness and Reporting
May 2012 FBI news story, "Economic Espionage: How to Spot a Possible Insider Threat"
Many insiders in CERT's database were detected through co-worker reporting
Or should have been detected
Normal User Behavior Analysis
Necessary to detect the clever insider
Very little of the insider threat research literature compares indicators to normal data
Also useful for benchmarking, etc.
Policy Integration
Necessary to merge policies from the org and the cloud
Takabi et al. propose a trust management framework for policy integration and an ontology to address semantic heterogeneity among policies.
Researchers should be careful to note implementation and/or enforcement constraints real-world organizations face.
Past Threats
Blue Pill, Red Pill
Joanna Rutkowska, Black Hat 2006
Blue Pill: infect machine
Red Pill: detect infection
Cloudburst
Present Threats
US-CERT VU#649219 (CloudBurst): SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware
Future Threats
Encryption
Supply chain
Targeted attacks: corporate espionage
Provider collusion
Future Research
Measurement/metrics
Forensics
Incident Response
SLA enforcement
Isolation
Attack vectors
CSA Reference Architecture
???
Threats to Cloud Security 2.0
Web site
Opportunity to contribute
Thank You!
Contact Info: William R. Claycomb, claycomb@[Link], Lead Research Scientist, CERT Insider Threat Research Center, Carnegie Mellon University