3. Did these guys care about cloud security?
0
20,000,000
40,000,000
60,000,000
80,000,000
100,000,000
120,000,000
140,000,000
160,000,000
#RecordsLost
4. Anatomy of an attack
Ercan Findikoglu
and crew
GetsCCdata/PIN
RaisesLimit
Recruits
CopyDataoncards
Cashing crews
Hand to
Money, Money, Money!
6. Letter from Richard Stiennon to President Obama
8 years ago
https://www.linkedin.com/pulse/drastic-times-call-measures-cybersecurity-richard-stiennon
I. All access must be explicitly authorized.
II. All users must be identified and strongly authenticated.
III. All applications must be reviewed for security vulnerabilities.
IV. All network attached systems must be scanned for vulnerabilities on a schedule.
V. All network connections must be fire-walled.
VI. All firewalls must be configured to “deny all except that which is explicitly allowed”.
VII. All government networks must be mapped and understood.
VIII. All data needs to be encrypted at rest
IX. All communication links need to be encrypted
X. All intrusions need to be aggressively analyzed and appropriate responses executed.
7. QUESTION NO. 1 FOR CLOUD
COMPUTING (IN EUROPE)
Where is it stored?
Not a concern for Australia?
8. 1. Secure data transfer
2. Secure software interfaces.
3. Secure stored data
4. User access control
5. Data separation
Source: http://blogs.cisco.com/smallbusiness/the-top-5-security-risks-of-cloud-computing
Cisco’s view:
16. Many organizations are experiencing the following…
• Minutes to deploy a server…weeks to secure it
• Virtually scale beyond physical limits… until you hit
your security limit
• Servers that share resources…security that consumes it
17. Attackers
Potential Risks
• Vulnerability in server exploited to
introduce malicious code
• Company must restrict access
to certain applications
• Admin makes changes to
known good configuration
• Hacker attempts a SQL
injection attack
• Brute force authentication
attack is executed
18. Security principles remain the same;
APPROACH to security must change
CONTEXT Workload and application-aware
SOFTWARE Security that evolves with the data center
PLATFORM Single platform for data center and cloudSiloed
Generic
Hardware
ADAPTIVE Intelligent, dynamic policy enforcement
Automated provisioning specific to platform
Static
19. New approach can improve data center operations
Provision security automatically within a data center
Manage security effectively and efficiently as you scale
Optimise data center resources
Extend to cloud with confidence
20. Provisioning securely within a dynamic data center
How do you:
• Secure the VM the moment it is provisioned?
• Apply the right policies to that VM?
• Reduce the time to provision without
compromising on security?
• Securely bring up/down/move your VMs?
22. Simplify provisioning even further with
VMare NSX
• Automated deployment
using ESXi 5.5+
• Automatic activation of
policies
• No maintenance mode
or re-boot required
Security is an available
service among VMware
and other partner services
23. New approach can improve data center operations
Provision security automatically within a data center
Manage security effectively and efficiently as you scale
Optimise data center resources
Extend to cloud with confidence
24. Management Challenge: Keeping up-to-date
How do you:
• Quickly and easily identify an issue?
• Keep up to date with patches?
• Manage multiple controls as you execute your
strategy for your data center and cloud?
25. Establish continuous monitoring to quickly
identify issues and respond
• Leverage a comprehensive
dashboard across controls
• Implement reporting and
alerting
• Manage via web console or
API
26. Protect even before you patch
• Protect against
vulnerability exploits
before patches
available
• Save money avoiding
costly emergency
patching
• Patch at your
convenience
Vulnerability Disclosed or
Exploit Available
Patch
Available
Complete
Deployment
Test
Soak
Exposure
Begin
Deployment
Patch
ed
Trend Micro Virtual Patching
27. New approach can improve data center operations
Provision security automatically within a data center
Manage security effectively and efficiently as you scale
Optimise data center resources
Extend to cloud with confidence
28. Resource challenges: Address the bottlenecks
How do you reduce the
impact on resources
created by traditional
security capabilities?
29. Optimized for your virtual environments
Network Usage
Scan Speed
CPU/Memory Usage
IOPS
Storage
ESXi
SAN
30. New approach can improve data center operations
Provision security automatically within a data center
Manage security effectively and efficiently as you scale
Optimise data center resources
Extend to external or public cloud with confidence
31. Public Cloud: Affects every organisation
Public cloud extension of Private Cloud by I.T. (Bursting)
Business groups Bypass IT to use Public Cloud Private
Cloud forced to take on attributes of Public Cloud (ITaaS)
32. Cloud Deployment Dynamics
Instance Awareness
• Dynamic real-time security
visibility and response
Complexity
• Supporting multi-region
and global deployments
Scale & Automation
• Elastic services and
applications managed
with new tools Data Protection
• Protection of all data across
boot & data volumes
Purchasing
• Ability to purchase
security aligned to cloud
models
33. Security in the cloud is a Shared Responsibility
Partner Eco-System
• Operating Systems
• Application
• Security Groups
• OS Firewalls
• Anti-Virus
• Account Management
• Storage Encryption
• Facilities
• Physical Security
• Physical Infrastructure
• Virtualised Infrastructure
Customer
Domain
AWSDomain
Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Edge
Locations
Availability Zones
Regions
Enterprise Applications
Enterprise Operation Systems
34. Dr. Raymond Choo
Fulbright Scholar (Cyber Security/Crime and Digital
Forensics) and Inventor
What happens when your organisation is
COMPROMISED?
35. Have you NOT read about a high profile cyber
security incident, OR NOT heard of an
organisation in your sector or government
agency that has been breached (e.g. malware
infection and theft of corporate data, such as
customer information and intellectual property)
in the last 12-month or financial year?
39. Challenges
• Attribution and identification: More likely to be able to infer or identify
the offender in a physical crime based on the physical location of
the crime and/or the types of weapons / technologies than their
cyber analogues
• Responding: Uncertainty about physical location complicates efforts
by governments to respond and investigate and to use retaliation as
a deterrent (simply on the basis of the cui bono logic or
circumstantial evidence)
Cyber attacks more sophisticated and going ‘under the radar’
43. Digital forensics
“the process of identifying, preserving, analysing and presenting
digital evidence in a manner that is legally acceptable”
McKemmish’s Key
Elements
• Identification
• Preservation
• Analysis
• Presentation
NIST Key
Elements
• Collection
• Examination
• Analysis
• Reporting
McKemmish, R 1999, 'What is Forensic Computing?', Trends & Issues in Crime and Criminal Justice, vol. 118, pp. 1 - 6. p.1
Kent, K, Chevalier, S, Grance, T & Dang, H 2006, Guide to Integrating Forensic Techniques into Incident Response, U.S. Department of Commerce,
<http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf>.
44. • Reconstructing of the incident and establish facts such as
• Where did the attack come from?;
• What vulnerability (ies) was/were exploited?; and
• What data / which systems was/were compromised?
• Etc
• Inform risk mitigation strategy
• Evidence collected can be used in:
• the prosecution of the offender in a court of law; or
• a civil litigation (e.g. such services are increasingly offered
by consultancy companies such as Deloitte, E&Y, KPMG, and
PwC).
The importance of digital forensics (evidence
collection) in incident handling
45. Digital forensics: Challenges of cloud computing
“little guidance exists on how to acquire and conduct forensics in a cloud environment”
(National Institute of Standards and Technology 2011, p.64)
“[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and
often outdated. There are no guidelines specific to evidence gathered in the cloud…”
(Birk and Wegener 2011, p.9)
“[m]ore research is required in the cyber domain, especially in cloud computing, to identify
and categorize the unique aspects of where and how digital evidence can be found. End
points such as mobile devices add complexity to this domain. Trace evidence can be found
on servers, switches, routers, cell phones, etc” by previous Director of US Department of
Defence Computer Forensics Laboratory and the previous Chief Scientist at US Air Force
Research Laboratory Information Directorate (Zatyko & Bay 2012, p.15)
46. Our cloud forensics framework
Iterative
1. Commence (Scope)
Determine the scope of the investigation, the requirements and limitations, prepare equipment and expertise.
2. Identification and Preservation
It is critical that preservation commences as soon as cloud computing use is discovered in a case, as such it is
combined with identification in this model.
3. Collection
The potential difficulties in collection of cloud computing data dictates the requirement for collection to be
represented as a separate step.
4. Examination and Analysis
Examination of the collected data allows the investigator to locate the evidence in the data, analysis transforms this
data into evidence.
5. Reporting and Presentation
This step relates to reporting and presenting evidence to court. As such this step will remain mostly unchanged.
6. Feedback and Complete
This step relates to a review of the findings and a decision to finalise the case or expand the analysis.
47. “Cloud Storage Forensics” http://store.elsevier.com/product.jsp?isbn=9780124199705.
• Forewords written by Australia’s Chief Defence Scientist (首席澳大利亚国防科学家及国防科技组织
(DSTO)领导人) and the Chair of Electronic Evidence Specialist Advisory Group, Senior Managers of
Australian and New Zealand Forensic Laboratories.
• Highly Commended Award in the 2014 “Best Chapter in a Book” Category by Australia New Zealand
Policing Advisory Agency (ANZPAA) National Institute of Forensic Science (NIFS)
48. Remote Evidential Data Collection System
(REDCoS)
• Limitations due to current forensic techniques making use of vendor
data communication facilities built into the client devices (e.g. iTunes
backup for iOS devices), inability to circumvent advanced security
features and anti-forensic features, etc
• Data (remote) collection / exfiltration techniques for forensic /
criminal intelligence (Australian Provisional Patent filed December
2014; PCT filed July 2015)
• Big forensic data reduction method (Australian Provisional Patent,
filed December 2014, and PCT to be filed in September 2015)
49. Remote Evidential Data Collection System
(REDCoS)
• Provides organisations with the capability to collect electronic
evidence, from a range of data sources, in a forensically sound
manner without the need for specially trained staff.
• Evidence sources need not be physically collocated with the
evidence collection staff.
• REDCoS only requires network access and, as such, is particularly
suitable for evidence collection from sources such as cloud
computing and remote unmanned equipment.
50. Remote Evidential Data Collection System
(REDCoS)
• Suitable for collection of local and remote evidence (e.g. evidential
data stored in the cloud and systems located offshore);
• Can be operated by IT personnel without forensic training;
• Cost effective, permits remote collection without requiring forensic
consultants or prohibitive travel expenses;
• Efficient, focuses only on collection of evidential data;
• Real time evidence collection and review.
51. Dr. Kim-Kwang Raymond Choo
Research Director, CSA Australia Chapter
Co-Chair, CSA Asia Pacific Education Council
Co-Founder, Cloud Forensics International
raymond.choo@fulbrightmail.org
