TRANSCRIPT
Hacking the Cloud
Jason Hart CISSP CISM
VP, Cloud Solutions
“Are you Secure?”
About Me
Legal Disclaimer
ALWAYS GET PERMISSION IN WRITING.
• Performing “scans” against networked systems without permission is illegal. Password cracking too.
• You are responsible for your own actions!
• If you go to jail because of this material it’s not my fault, although I would appreciate it if you dropped me a postcard.
• This presentation references tools and URLs - use them at your own risk!
What a great world
Users and their workspaces: remote users, internal people, 3rd party access, branch offices, PDA users
Today's World
Cloud Applications, SaaS Apps
Virtual World – With Virtual Back Doors
Welcome to the Future
Cloud Computing
Virtual Environment
With Virtual Security holes
During the past 15 years we’ve learnt nothing
We have forgotten
Confidentiality
Integrity
Availability
Accountability
Auditability
We have not learnt a thing?
Welcome to the 3rd Age of Hacking
• 1st Age: Servers
– FTP, Telnet, Mail, Web.
– These were the things that consumed bytes from a bad guy
– The hack left a footprint
• 2nd Age: Browsers
– JavaScript, ActiveX, Java, image formats, DOMs
– These are the things that are getting locked down – slowly, incompletely
• 3rd Age: Mobile devices: simplest & getting easier
– Targeting the mobile device to obtain someone’s password gives you the skeleton key to their life and your business
– Totally invisible – no trace
Password Attack
Welcome to the Future of Hacking
Attack channels: web, mail, open services
Targeted attacks against users, businesses and/or premium resources
Password attacks are totally invisible to you
Mobile devices are becoming an easy target for advanced persistent threats (APT)
During the Past 7 Days
Quoted from the report:
“…..So, it really comes as no surprise that authentication based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset. …
“... 66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years).”
Verizon’s annual Data Breach
Next Generation Hacking
Diagram: www / Probe requests
Live Attack Against your Virtual World.... ARP Attack
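The ARP attack demoed here works because ARP has no authentication: a host that sends forged “is-at” replies can bind the gateway’s IP to its own MAC in every neighbour’s cache and then sit in the middle of their traffic. The check a defender wants is the mirror image of that. The following detector is an added example, not code from the talk; the capture it runs over is constructed for illustration (the IPs, MACs and timestamps are assumptions), and it takes already-decoded ARP replies rather than raw frames.

```python
"""Detect ARP cache poisoning from a stream of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    """One ARP 'is-at' reply as seen on the segment (already decoded)."""
    ts: float          # capture time in seconds
    sender_ip: str     # IP being advertised
    sender_mac: str    # MAC the reply claims for that IP
    target_ip: str
    target_mac: str


@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str      # "binding-changed" or "multi-ip-mac"
    subject: str   # the IP or MAC the alert is about
    detail: str


# Constructed sample capture (not from the talk). 10.0.0.1 is the gateway at
# aa:aa:aa:aa:aa:01 and 10.0.0.20 a workstation at bb:bb:bb:bb:bb:20. From
# t=5.0 a host with MAC cc:cc:cc:cc:cc:99 answers for both of them, which is
# what a man-in-the-middle ARP attack looks like to everyone else on the LAN.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(1.0, "10.0.0.20", "bb:bb:bb:bb:bb:20", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(5.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(5.1, "10.0.0.20", "cc:cc:cc:cc:cc:99", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(6.0, "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.20", "bb:bb:bb:bb:bb:20"),
]


def detect_arp_spoofing(replies: Iterable[ArpReply],
                        static_map: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Flag two classic poisoning indicators.

    1. binding-changed: an IP is advertised with a MAC different from the one
       first seen for it (or from a configured static mapping). The first
       binding is kept as the reference, so a poisoner that keeps re-sending
       forged replies keeps firing alerts instead of silently winning.
    2. multi-ip-mac: one MAC claims to own more than one IP, which is what a
       MITM does when it poisons both the gateway and the victim.
    """
    bindings: Dict[str, str] = {ip: mac.lower() for ip, mac in (static_map or {}).items()}
    claimed: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Alert] = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = mac
        elif known != mac:
            alerts.append(Alert(r.ts, "binding-changed", r.sender_ip,
                                f"{r.sender_ip} was {known}, now advertised as {mac}"))
        ips = claimed[mac]
        if r.sender_ip not in ips:
            ips.add(r.sender_ip)
            if len(ips) > 1:
                alerts.append(Alert(r.ts, "multi-ip-mac", mac,
                                    f"{mac} now claims {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_REPLIES):
        print(f"t={a.ts:4.1f} [{a.kind}] {a.detail}")
```

In use you would feed it replies decoded from a live capture and seed `static_map` with the gateway and other fixed hosts, since a detector that trusts whatever it saw first is itself poisonable by an attacker who was already on the wire. Two caveats for the virtual environments the talk is about: DHCP lease churn and VM migration legitimately change an IP-to-MAC binding, so the binding-changed alert needs a allow-list or a time window in practice, and on a switched or virtual network the sensor only sees the replies on its own segment or port group.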
More Weapons
Keyloggers, both software and hardware
So easy
And many more
Facing challenges you can’t address?
SaaS applications
VPNs
Web-based portals
Virtual Environments
More users to protect: employees, partners, contractors
More data and applications to protect
More end points being used