Shared Responsibility In Action
![Page 1: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/1.jpg)
Mark Nunnikhoven @marknca
Shared Responsibility
…In Action
![Page 2: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/2.jpg)
MODELLING SECURITY on AWS
![Page 3: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/3.jpg)
Traditional Responsibility Model

You:
  Operating System
  Application
  Account Management
  Facilities
  Physical Security
  Physical Infrastructure
  Network Infrastructure
  Virtualization Layer
![Page 4: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/4.jpg)
Shared Responsibility Model

You:
  Operating System
  Application
  Account Management
  Security Groups
  Network Configuration

AWS:
  Facilities
  Physical Security
  Physical Infrastructure
  Network Infrastructure
  Virtualization Layer

More info on the model is available at http://aws.amazon.com/security
![Page 5: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/5.jpg)
Shared Responsibility Model (continued)

Verify: the AWS side of the model (Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Layer) is yours to verify rather than to control, and the evidence for that verification is AWS' compliance documentation.

Compliance information available at http://aws.amazon.com/compliance
![Page 6: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/6.jpg)
Common View
More information on the model at http://aws.amazon.com/security
![Page 7: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/7.jpg)
Better View

Three service types: Infrastructure, Container, Abstract

From AWS' Mark Ryland, more info at http://4mn.ca/ZZeDbA
![Page 8: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/8.jpg)
| Service Examples   | Service Type   | *aaS |
|--------------------|----------------|------|
| SQS, S3, Route53   | Abstract       | SaaS |
| RDS, EMR, OpsWorks | Container      | PaaS |
| EC2, EBS, VPC      | Infrastructure | IaaS |

From AWS' Mark Ryland, more info at http://4mn.ca/ZZeDbA
![Page 9: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/9.jpg)
Distribution of Security

A scale running from fewer responsibilities (abstract services) to more responsibilities (infrastructure services)
![Page 10: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/10.jpg)
Distribution of Security

Options : Responsibilities
Rough correlation between the number of options a service exposes and the level of responsibility you take on for it
![Page 11: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/11.jpg)
RE:BOOT
![Page 13: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/13.jpg)
Protecting Instances
A small percentage of instances on EC2 are scheduled for a reboot
![Page 14: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/14.jpg)
Actions to Take

For EC2
  Nothing for cloud-native architectures
  Manage availability for traditional architectures

For RDS
  Nothing for Multi-AZ instances
  Standard maintenance window for single instances
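The split above (Auto Scaling replaces a rebooted instance, Multi-AZ absorbs RDS maintenance, everything else needs a plan) is easy to apply by hand to a handful of instances and tedious for a fleet. The script below is an added example, not code from the deck: it works the slide's rules over constructed copies of the JSON that `aws ec2 describe-instance-status` and `aws rds describe-db-instances` return, so it runs offline. The instance IDs, database names, dates and the set of Auto Scaling members are made up; feed it real responses (boto3 or the CLI with `--output json`) to use it for real.

```python
"""Triage EC2 and RDS scheduled-maintenance events along the lines of the
"Actions to Take" slide.  Added example, not code from the deck.  It runs on
constructed copies of the JSON that `aws ec2 describe-instance-status` and
`aws rds describe-db-instances` return, so it works offline.
"""
from datetime import datetime, timezone

# Genuine EC2 scheduled-event codes that take the instance down.
DOWNTIME_EVENT_CODES = {"system-reboot", "instance-reboot", "system-maintenance",
                        "instance-stop", "instance-retirement"}

# Constructed sample response (shape of describe-instance-status).
SAMPLE_INSTANCE_STATUS = {
    "InstanceStatuses": [
        {"InstanceId": "i-0aaa",
         "Events": [{"Code": "system-reboot", "NotBefore": "2014-09-27T02:00:00Z",
                     "Description": "The instance is scheduled for a reboot"}]},
        {"InstanceId": "i-0bbb",
         "Events": [{"Code": "instance-reboot", "NotBefore": "2014-10-01T02:00:00Z",
                     "Description": "The instance is scheduled for a reboot"}]},
        {"InstanceId": "i-0ccc",
         "Events": [{"Code": "system-reboot", "NotBefore": "2014-09-20T02:00:00Z",
                     "Description": "[Completed] The instance was rebooted"}]},
        {"InstanceId": "i-0ddd", "Events": []},
    ]
}
# Constructed: instance IDs that belong to an Auto Scaling group, i.e. the
# "cloud-native" case where a lost instance is simply replaced.
SAMPLE_ASG_MEMBERS = {"i-0aaa"}

# Constructed sample response (shape of describe-db-instances).
SAMPLE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "MultiAZ": True,
         "PreferredMaintenanceWindow": "sun:05:00-sun:06:00"},
        {"DBInstanceIdentifier": "reports-single", "MultiAZ": False,
         "PreferredMaintenanceWindow": "sat:03:00-sat:04:00"},
    ]
}
NOW = datetime(2014, 9, 25, tzinfo=timezone.utc)  # constructed "today"


def _when(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ec2_actions(status_response, asg_members, now=NOW):
    """Map each instance with a pending downtime event to the action the slide
    prescribes: 'none' if Auto Scaling will replace it, otherwise
    'manage-availability' (fail over, or reboot it yourself at a quiet time
    before AWS does).  Completed events and event-free instances are skipped."""
    todo = []
    for inst in status_response["InstanceStatuses"]:
        for ev in inst.get("Events", []):
            if ev["Code"] not in DOWNTIME_EVENT_CODES:
                continue
            if ev.get("Description", "").startswith("[Completed]"):
                continue  # AWS keeps finished events in the list for a while
            todo.append({
                "instance": inst["InstanceId"],
                "event": ev["Code"],
                "days_left": (_when(ev["NotBefore"]) - now).days,
                "action": "none" if inst["InstanceId"] in asg_members
                          else "manage-availability",
            })
    # Soonest deadline first, so the list doubles as a work queue.
    return sorted(todo, key=lambda t: t["days_left"])


def rds_actions(db_response):
    """Multi-AZ instances need nothing; single instances get patched in their
    maintenance window, so that window is what you plan around."""
    return {
        db["DBInstanceIdentifier"]: (
            "none (Multi-AZ)" if db["MultiAZ"]
            else "expect downtime in maintenance window " + db["PreferredMaintenanceWindow"])
        for db in db_response["DBInstances"]
    }


if __name__ == "__main__":
    for item in ec2_actions(SAMPLE_INSTANCE_STATUS, SAMPLE_ASG_MEMBERS):
        print(item)
    for db, action in rds_actions(SAMPLE_DB_INSTANCES).items():
        print(db, "->", action)
```

The completed-event filter matters in practice: the API keeps finished events in the list for a while, and a naive query would keep paging the same instances. Running it on the samples lists i-0aaa (nothing to do, two days out) before i-0bbb (manage availability, six days out), and flags reports-single for its Saturday window.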
![Page 15: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/15.jpg)
POODLE
![Page 16: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/16.jpg)
CVE-2014-3566 : Padding Oracle On Downgraded Legacy Encryption
![Page 18: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/18.jpg)
Actions to Take

For ELB
  Select a predefined SSL negotiation policy that leaves SSL 3.0 out (e.g., ELBSecurityPolicy-2014-10)

For Web Servers
  Enable TLS_FALLBACK_SCSV
  Disable support for SSL 3.0*

* Disabling SSL 3.0 may cause compatibility issues for clients that cannot negotiate TLS 1.0 or later
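The two web-server actions work together: disabling SSL 3.0 removes the protocol POODLE needs, and TLS_FALLBACK_SCSV (RFC 7507) stops a man-in-the-middle from pushing a client that supports TLS 1.2 down to whatever the server still allows. The code below is an added example, not from the deck or from any TLS library: it builds real ClientHello records and applies the server-side rule from RFC 7507 to them, without doing a full handshake. The cipher suite list and version bounds are placeholders chosen for illustration.

```python
"""What a hardened server does with a ClientHello: refuse SSL 3.0 outright,
and honour TLS_FALLBACK_SCSV (RFC 7507) so that a client which was pushed into
a downgrade gets a fatal alert instead of a weaker connection.
Added example, not from the deck.  Builds genuine ClientHello bytes and parses
them with a toy server-side check; no key exchange or encryption is done.
"""
import os
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600           # RFC 7507 signalling cipher suite value
ALERT_PROTOCOL_VERSION = 70          # RFC 5246 alert description
ALERT_INAPPROPRIATE_FALLBACK = 86    # RFC 7507 alert description
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def client_hello(version, cipher_suites, fallback=False):
    """Serialise a minimal ClientHello (no extensions) inside a TLS record.
    A client retrying at a lower version than it supports appends the SCSV."""
    suites = list(cipher_suites) + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                             # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is advisory; servers negotiate on the handshake version.
    return bytes([HANDSHAKE]) + struct.pack("!H", TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a record built as above."""
    assert record[0] == HANDSHAKE
    hs = record[5:]
    assert hs[0] == CLIENT_HELLO
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 35 + body[34]                               # skip random (32 bytes) and session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return version, suites


def server_decision(record, min_version=TLS10, max_version=TLS12):
    """Apply the slide's two actions in order.  Returns ('alert', code) or
    ('negotiate', version)."""
    version, suites = parse_client_hello(record)
    if version < min_version:
        # SSL 3.0 disabled: no POODLE-capable session is ever established.
        return "alert", ALERT_PROTOCOL_VERSION
    if TLS_FALLBACK_SCSV in suites and version < max_version:
        # The client signals "I am retrying lower than I can do".  We can do
        # better than it offers, so something in the path forced the downgrade.
        return "alert", ALERT_INAPPROPRIATE_FALLBACK
    return "negotiate", min(version, max_version)


if __name__ == "__main__":
    suites = [0x002F]  # TLS_RSA_WITH_AES_128_CBC_SHA, a placeholder offer
    print(server_decision(client_hello(TLS12, suites)))                 # ('negotiate', 771)
    print(server_decision(client_hello(TLS10, suites, fallback=True)))  # ('alert', 86)
    print(server_decision(client_hello(SSL3, suites, fallback=True)))   # ('alert', 70)
```

Two cases are worth noticing. A genuinely old client that offers only TLS 1.0 without the SCSV still connects, which is the compatibility trade-off the slide's footnote refers to. A client that sends the SCSV at the server's own maximum version is not a downgrade and is served normally. On a real web server these are configuration switches rather than code: `SSLProtocol all -SSLv3` in Apache httpd or `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx, with an OpenSSL build of 1.0.1j or later supplying the SCSV handling.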
![Page 19: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/19.jpg)
Shellshock
![Page 21: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/21.jpg)
The `() { :;};` attack
10/10 vulnerability: widespread & easy to exploit
![Page 22: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/22.jpg)
Actions to Take

Steps to protection
  Update bash
  Use an intrusion prevention system
![Page 23: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/23.jpg)
Shifting Controls

Applied at the boundary: the majority of traditional controls are applied at the network boundary
![Page 24: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/24.jpg)
Shifting Controls

Applied to each instance: the same controls are required in AWS, now applied to the instance itself
![Page 26: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/26.jpg)
“View Source”, find the CGI URL to exploit
![Page 27: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/27.jpg)
Run attack via curl
![Page 28: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/28.jpg)
The server returns the contents of /etc/passwd in response to a simple custom header
![Page 29: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/29.jpg)
Add intrusion prevention controls to the instance
![Page 30: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/30.jpg)
Intrusion prevention resets connection when attack is detected
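The demo works because a CGI server exports request headers into the script's environment as `HTTP_<NAME>` variables (RFC 3875), and vulnerable bash treated any variable whose value begins with `() {` as a function definition and kept executing whatever followed it. That is also why the control can sit on the instance rather than at the boundary: the decision needs nothing but the request itself. The code below is an added example, not the product or rule set shown in the deck: it rebuilds the CGI environment for constructed sample requests and returns a reset decision when the exploit prefix appears in any exported variable. The hostnames, paths and header values are made up.

```python
"""Instance-level detection of Shellshock (CVE-2014-6271) in the spirit of
the deck's demo: look at the request before it reaches a CGI script and reset
the connection when the bash function-definition prefix shows up in anything
that will be exported to the environment.  Added example, not the IPS rule
the deck demonstrated.  Runs over constructed request samples only.
"""

# Vulnerable bash tested the first four bytes of a variable's value against
# exactly "() {" before parsing it as a function definition.  Matching that
# prefix catches every variant of the original exploit without depending on
# what the attacker puts after the braces.
SHELLSHOCK_PREFIX = b"() {"

# Constructed samples: raw request heads (no bodies) as the server sees them.
ATTACK = (b"GET /cgi-bin/status.cgi HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: () { :;}; /bin/cat /etc/passwd\r\n\r\n")
ATTACK_VIA_CUSTOM_HEADER = (b"GET /cgi-bin/status.cgi HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"X-Whatever: () { ignored; }; /bin/bash -c 'id'\r\n\r\n")
BENIGN = (b"GET /cgi-bin/status.cgi?q=1 HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
# Contains "()" but not the prefix bash acted on; must be allowed through.
LOOKALIKE = (b"GET /cgi-bin/status.cgi HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Referer: http://www.example.com/docs/function()-syntax\r\n\r\n")


def cgi_environment(request_head):
    """Rebuild the environment a CGI handler would export for this request.
    Only the variables that carry attacker-controlled bytes are modelled:
    the request line pieces and one HTTP_<NAME> entry per header."""
    head, *lines = request_head.split(b"\r\n")
    method, target, _ = head.split(b" ", 2)
    path, _, query = target.partition(b"?")
    env = {b"REQUEST_METHOD": method, b"SCRIPT_NAME": path, b"QUERY_STRING": query}
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(b":")
        key = b"HTTP_" + name.strip().upper().replace(b"-", b"_")
        env[key] = value.strip()   # servers strip the surrounding whitespace
    return env


def inspect(request_head):
    """Return ('reset', variable) when any exported variable would trigger the
    bug, otherwise ('pass', None).  'reset' is the IPS action in the deck:
    the TCP connection is torn down before the CGI script ever runs."""
    for var, value in cgi_environment(request_head).items():
        if value.startswith(SHELLSHOCK_PREFIX):
            return "reset", var
    return "pass", None


if __name__ == "__main__":
    for name, req in [("attack", ATTACK), ("custom header", ATTACK_VIA_CUSTOM_HEADER),
                      ("benign", BENIGN), ("lookalike", LOOKALIKE)]:
        print(name, "->", inspect(req))
```

The check is deliberately tied to the exact prefix bash parsed, so it has essentially no false positives on real traffic, and it looks at every exported variable rather than just User-Agent, which is the point the deck makes with its custom header. It is a stopgap, not a substitute for the first step on the slide: updating bash removes the bug, the IPS only keeps it from being reached.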
![Page 31: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/31.jpg)
Options : Responsibilities
Where does your deployment fall on the scale?
![Page 32: Shared Responsibility In Action](https://reader036.vdocuments.us/reader036/viewer/2022070303/54980cd8b479594c4d8b5326/html5/thumbnails/32.jpg)
Learn more at
testdrive.trendmicro.com
Thank you!
Follow me on Twitter @marknca