Cloud Security on the Dollar Menu ARNEL MANALO, CISSP, AWS-CSAA - PowerPoint PPT Presentation

Cloud Security on the Dollar Menu ARNEL MANALO, CISSP, AWS-CSAA SHELLCON 2018

Agenda • Introductions • What RMTS does • Intro AWS security model • Breaches and State Laws • AWS Recon • Hardening AWS

About me: Arnel Manalo, CISSP Cybersecurity Architect RICHEY MAY TECHNOLOGY SOLUTIONS • BS, Computer Systems Security, Colorado Technical University • CISSP • AWS-CSAA

About Richey May Technology Solutions Richey May Technology Solutions is a results-driven consulting firm offering the full spectrum of technology solutions for your business. Led by technology experts with decades of cumulative experience in executive IT roles, our team is able to bring you pragmatic, real-world solutions that deliver value to your business. Cybersecurity Cloud Services Governance, Technology Risk, Compliance Management & Privacy Consulting Marketing Technology

Image Source: http://srini.karlekar.com/?p=313

AWS Security Incident Leaderboard 1. Uber – 57 million customer/drivers records compromised 2. Time Warner Cable – 4m customer records exposed 3. 10k GitHub users revealed their AWS secret keys

AWS Uber Data Breach • Acquired AWS account credentials via GitHub • Restricted access and implemented controls AFTERWARDS Image Source: https://i.imgflip.com/1pgtpk.jpg

AWS Time Warner Breach • Found publicly available S3 Buckets • Information spanned from November 2010 – July 2017 Image Source: https://assets.rbl.ms/13622690/980x.jpg

Breaches U.S. State Data Breach Notification Statutes – Form of Data dwt.com

Breaches U.S. State Data Breach Notification Statutes - Harm Threshold dwt.com dwt.com

California Breach Laws • California Breach Notice: California Civil Code s. 1798.29 and California Civ. Code s. 1798.82 • CCPA (2020) allows consumers to sue companies for “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”

Recent State Changes States Increase Focus: Arizona HB 2154: In 2018, Arizona expanded the coverage of their existing data breach notification law; via House Bill 2154. The updated legislation expands the definition of what is considered personally identifiable information; consumer data, as well as adds specific definitions for what the state believes to be a security incident vs a data breach. It also adds civil penalties of $10,000-$500,000 Colorado House Bill 18-1128: Colorado has also passed expanded privacy and cybersecurity legislation requiring covered entities to deploy and maintain reasonable security controls around personally indefinable information of Colorado residents. Colorado also requires defined controls that manage the data life cycle of consumer data from inception, during use, at rest and destruction at end of life. The new law which becomes effective this fall; September 1 st 2018, requiring firms develop a formal cybersecurity program focused on protecting information appropriate to the nature of the personal information collected and the size of the business.

Recent State Changes States Increase Focus: Ohio Senate Bill 220: Ohio recently signed into law the Ohio Data Protection Act; enabling organizations to limit their liability through a safe harbor rule if the organizations adopted and implemented a written cybersecurity program based on industry accepted frameworks such as the National Institute of Standards and Technology (NIST) 800.53, ISO 27000, or PCI-DSS.

AWS Reconnaissance

net:"50.112.0.0/16" Shodan.io

GitHub • https://github.com/michenriksen/gitrob • https://github.com/awslabs/git-secrets

Locating Buckets • https://github.com/gwen001/s3-buckets-finder • https://github.com/eth0izzle/bucket-stream • https://github.com/digininja/CloudStorageFinder • https://github.com/RhinoSecurityLabs/Security- Research/tree/master/tools/aws-pentest-tools/s3 • https://github.com/glen-mac/goGetBucket

gwen001 Image source: https://github.com/gwen001/s3-buckets-finder/blob/master/README.md

eth0izzle Image source: https://github.com/eth0izzle/bucket-stream/blob/master/README.md

Other • https://github.com/marpaia/AWSome • https://github.com/dagrz/aws_pwn • https://github.com/nccgroup/Scout2 • https://github.com/toniblyx/my-arsenal-of-aws-security-tools

Hardening AWS

IAM Roles • Lock Away Your AWS Account Root User Access Keys • Enable MFA for Privileged Users • Create Individual IAM Users • Use Roles for Applications That Run on Amazon EC2 Instances • Use Groups to Assign Permissions to IAM Users • Use Roles to Delegate Permissions • Use AWS Defined Policies to Assign Permissions Whenever Possible • Do Not Share Access Keys • Grant Least Privilege • Rotate Credentials Regularly • Use Access Levels to Review IAM Permissions • Remove Unnecessary Credentials • Configure a Strong Password Policy for Your Users • Use Policy Conditions for Extra Security • Video Presentation About IAM Best Practices • Monitor Activity in Your AWS Account More reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

S3 Bucket Hardening • Restrict Access to buckets • Monitor S3 resources • Use Encryption

S3 Bucket Policy Examples • Permit only specific IP address or website

S3 Bucket Events • Emailed when an object gets created or deleted • Completed easily with a few steps: • Create SNS topic to email events • Permit access of s3 bucket to SNS topic • Configure Events which to trigger off of

Create SNS Topic • SNS Console -> Create new topic • Select newly created topic -> create subscription*

S3 Access to SNS Topic • Select topic -> edit topic Policy

Configure S3 Bucket Events • Go to S3 console • Select desired bucket • Select properties • Scroll down and select events

Alert Examples

VPC NACL vs. EC2 Security Groups • VPC NACL are what define general outbound and inbound rules for the specified VPC or network. Default allow • EC2 Security Groups are what are assigned to specific EC2 instances within VPCs and define inbound/outbound traffic. Default deny

When to use NACL vs Security Group • NACL for generic inbound-outbound to entire VPC • Security Group for specific host or hosts traffic • Sometimes both

CloudTrail • Audit, compliance, operational risk • Marks API calls as Events • Can forward events to store in S3 or make alerts in CloudWatch • Two Non-API actions captured: • Service Events – Spot Instance bid prices • Console Login Attempts

CloudWatch • Monitors AWS services and resources real-time • Collect and track metrics and/or logs • Can send off alarms or automatically make changes or start workflows

Monitor Root Account Usage • From the CloudWatch console -> Logs • Select CloudTrail logs group • Create Metric Filter • Assign the metric -> Metric Filter box: RootAccountUsage -> Metric Namespace: CloudTrailMetrics -> Metrics Name: RootAccountUsage -> Metric Value: 1

Monitor Root Account Usage cont. • Create Alarm • Enter notification information as desired

TrustedAdvisor • AWS Service that scans and compares it to best practices. • Cost Optimization • Performance • Fault Tolerance • Service Limits • Security

Trusted Advisor Security – FREE!! • Security Groups – Specific Ports • IAM • S3 Buckets • EBS Snapshots • RDS Snapshots • More specifics on different best practices: https://aws.amazon.com/premiumsupport/trustedadvisor/best -practices/

Billing Alarms • Must be signed in with root account -> billing -> preferences -> receive billing alerts. • After it’s enabled – go to cloudwatch console and create alarm specific to billing and set to your desired threshold.

Thank you! ARNEL MANALO (@ARNSEC) HTTPS://WWW.RICHEYMAYTECH.COM