Date posted: 13-Jan-2015
Uploaded by: oleg-podsechin
Staying Safe in the Cloud
/whois me
define: security
● availability
  ○ no access
● reliability
  ○ data loss
● privacy
  ○ data leak
Availability
● Pingdom
● Where’s it Up?
● StatusPage.io
  ○ status.myservice.com: ~10%
● Hosting & Infrastructure
  ○ CDNs like CloudFlare - test with Blitz etc.
  ○ DaaS like AWS RDS, MongoHQ etc.
  ○ deployment, e.g. NPM
  ○ third party JS, tag management e.g. GTM
  ○ DDoS with botnets, HTTPX
Reliability
● Funding or lack thereof, business model
  ○ or corporate strategy, think Google Reader, G+
● PEBKAC
  ○ Google Docs, Yammer
● API availability ~ data backup an option
  ○ programmableweb.com
  ○ Kimono
● Backupify, Import2
Privacy
● Third party JS, GA has 20M accounts
  ○ BuiltWith
● Retargeting cookies
● Email/IP to user info on social media
  ○ Rapleaf, Rapportive
  ○ Intercom
  ○ FOAF
● FastMail, Minerva Fabric
  ○ PGP
Attack Vectors
● Social engineering, war driving, sniping, drones?
  ○ Apple Amazon hack
● Rootkits, keyloggers
  ○ Vodafone Greece example (pre NSA)
● Packet sniffing, port scanning
● 0 day exploits, exploit marketplaces
  ○ WebGL, Java, Rails, OpenSSL/Heartbleed
● DNS, SSL intercept
  ○ compromised root certs
  ○ Arab Spring example
Attack Vectors
● Infrastructure providers
  ○ HDDs reused
  ○ Internal sniffing, e.g. MongoDB
  ○ OSS client libs not audited, Nodetime example
● Phishing mails
● Cross site attacks: XSS, CSRF
● Malicious extensions: e.g. Window Resizer
● OAuth, third party app access
  ○ ~60% use Google for login
● etc. etc.
Countermeasures
● Encrypted laptop drives
● Secure passwords
  ○ LastPass or PwdHash
● Two Factor Authentication (2FA)
  ○ Not enforced by most
● Suspicious activity detection
● Access logs
  ○ per user audit trail?
Preemption
● Security audits
● “Honeypots”
● Production/Staging divide
● Bug bounty programs
Politics: NSA, etc.
● Hosting outside of US by a non-US legal entity is a competitive advantage
  ○ e.g. Upcloud, younited
  ○ caveat: traffic goes via Sweden
● How many SaaS companies from Estonia?
  ○ Sportlyzer
  ○ Weekdone
  ○ GoWorkaBit
  ○ InventoryAPI
Shadow IT
● Bring Your Own Device (BYOD)
● Bring Your Own Service (BYOS)
● Most companies don’t know what software their employees use
  ○ … and don’t want to know
● Shared accounts
  ○ Bitium, Meldium
Case Study: StartHQ
● first contact:
  ○ password reset mails
  ○ access log monitoring
  ○ break in
  ○ disable /admin
  ○ apply fix
● two weeks later:
  ○ second break in
  ○ mail sent to all @starthq.com
  ○ apply second fix, more attempts, no more break-ins
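The "suspicious activity detection" and "access logs" items under Countermeasures, and the password-reset mails and /admin access from the StartHQ case, as an added example of what access-log monitoring can flag. This is not code from the deck or from StartHQ: the log lines are constructed, and the `/password/reset` and `/admin` paths, the admin IP allowlist and the thresholds are assumptions.

```python
"""Flag password-reset bursts and /admin hits from unexpected IPs in web access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in common log format (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:02:14:01 +0000] "POST /password/reset HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2015:02:14:05 +0000] "POST /password/reset HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2015:02:14:09 +0000] "POST /password/reset HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2015:02:14:12 +0000] "POST /password/reset HTTP/1.1" 200 512
198.51.100.22 - - [10/Jan/2015:02:20:00 +0000] "GET /admin HTTP/1.1" 200 2048
192.0.2.10 - - [10/Jan/2015:09:00:00 +0000] "GET /admin HTTP/1.1" 200 2048
192.0.2.10 - - [10/Jan/2015:09:00:07 +0000] "POST /password/reset HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than aborting the whole scan
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        yield m['ip'], ts, m['method'], m['path'], int(m['status'])


def find_alerts(log_text, admin_allowlist, reset_limit=3, window=timedelta(minutes=5)):
    """Return alert strings in log order.

    - 'admin-access': any /admin request from an IP outside admin_allowlist (assumed paths).
    - 'reset-burst': reset_limit password-reset POSTs from one IP inside a sliding window,
      reported once when the threshold is first reached.
    """
    alerts = []
    resets = defaultdict(list)  # ip -> timestamps of recent reset requests
    for ip, ts, method, path, status in parse(log_text):
        if path.startswith('/admin') and ip not in admin_allowlist:
            alerts.append(f'admin-access {ip} {ts.isoformat()}')
        if method == 'POST' and path == '/password/reset':
            recent = [t for t in resets[ip] if t >= ts - window] + [ts]
            resets[ip] = recent
            if len(recent) == reset_limit:
                alerts.append(f'reset-burst {ip} {len(recent)} in {window}')
    return alerts


if __name__ == '__main__':
    for alert in find_alerts(SAMPLE_LOG, admin_allowlist={'192.0.2.10'}):
        print(alert)
```

Only the reset burst from 203.0.113.7 and the /admin hit from 198.51.100.22 are reported; the allowlisted admin IP and a single reset request produce nothing.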
Case Study: Buffer
Trade-offs
● Self Reliance vs. Reliability
  ○ Self host MongoDB or go with MongoHQ
  ○ Speed and time to market critical
● Security vs. Convenience?
Reality
● Everyone gets hacked
  ○ Atlassian story
● Users largely don’t care
● Case in point: StartHQ extension
  ○ see video
Resources
Security Engineering by Ross Anderson
Light Blue Touchpaper blog
OWASP Top 10 Project
Homakov blog
Thank you!
@olegpodsechin