Kia Manoochehri. Background; Threat Classification (Traditional Threats, Availability of cloud services, Third-Party Control); The “Notorious Nine”


Kia Manoochehri

• Background
• Threat Classification
  ◦ Traditional Threats
  ◦ Availability of cloud services
  ◦ Third-Party Control
• The “Notorious Nine”
• Contractual Obligations

• Security: “freedom from risk and danger”
• In Computer Science we define security as…
  ◦ “the ability of a system to protect information and system resources with respect to confidentiality and integrity”

• Three core areas
  ◦ Confidentiality
  ◦ Integrity
  ◦ Authentication

• Some other security concepts
  ◦ Access Control
  ◦ Nonrepudiation
  ◦ Availability
  ◦ Privacy

• Cloud Service Providers (CSP) provide a “target rich environment”
• Consolidation of information draws potential attackers
• Potential problematic areas in the field of Cloud Computing aren’t transparent.

• Three broad classifications
  ◦ Traditional Threats
  ◦ Availability Threats
  ◦ Third-Party Control Threats

• Anytime a computer is connected to the internet it is at risk…
  ◦ When we are dealing with Cloud-based applications we are amplifying these threats
• Question of responsibility
  ◦ User vs Provider

• Authorization and Authentication
  ◦ Individual access vs enterprise access
• One solution would be to have tiered access
  ◦ Not every user is created equal!

• Distributed Denial of Service attacks (DDoS)
• SQL Injection
• Phishing
• Cross-Site Scripting
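SQL Injection is listed above as a traditional threat that the cloud amplifies. The following is an added example, not code from the presentation: the same user lookup written once with string formatting (the injectable form) and once with a parameterized query (the hardened form), run against an in-memory SQLite table with constructed sample rows so it can be executed offline.

```python
"""Added example: injectable vs parameterized user lookup.
Uses an in-memory SQLite table with constructed sample rows;
not code from the presentation."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injectable: user input is spliced into the SQL text, so a quote in
    `name` changes the structure of the query instead of being data."""
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the driver binds `name` as a value; the query text is fixed,
    so no input can alter which rows the WHERE clause matches."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    db = setup_db()
    # Constructed input: a closing quote followed by an always-true clause.
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tautology))  # every row
    print("safe:      ", lookup_safe(db, tautology))        # no such user
```

The point to take away is the mechanism, not the input: with a bound parameter the database never parses user data as SQL, so the fix is structural and does not depend on filtering particular characters.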

• Digital forensics cannot be applied to the cloud
  ◦ Difficult to trace where an attack is from
• Virtual Machine vulnerabilities extend to the cloud as well

• System failures
  ◦ /06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
  ◦ Amazon’s Elastic Compute Cloud (EC2) in Northern Virginia goes down due to lightning.
    ▪ Netflix, Instagram, and Pinterest were down for at least a few hours.

• Problem stems from CSP outsourcing certain aspects of their operation
  ◦ How does this affect
• Introduces more points of entry and vulnerability to the Cloud

• In 2010 the Cloud Security Alliance (CSA) defined 7 major threats to Cloud Computing
• February 2013 yielded their “Notorious Nine” list
  ◦ 9 major threats in Cloud Computing

• Data Breaches
  ◦ Currently the biggest threat
  ◦ The solution is encryption… but
    ▪ What if you lose the key?
  ◦ Backing up the data is not viable either
• Example: Epsilon

• Data Loss
  ◦ Malicious deletion
  ◦ Accidental deletion by CSP
  ◦ Physical catastrophe
  ◦ Loss of the encryption key
• Compliance policies require audit records
• Example: Mat Honan

• Account/Service Hijacking
  ◦ Phishing, fraud, software exploits
  ◦ Organizations should be proactive
  ◦ Two-Factor authentication
• Example: XSS attack on Amazon

• Insecure Interfaces and APIs
  ◦ Any vulnerability in an API bleeds over
  ◦ Can affect security and availability
  ◦ Partially falls on the consumer

• Denial of Service
  ◦ From the user end… most frustrating
  ◦ Can cost cloud users $$$
  ◦ Makes the user doubt the cloud

• Malicious Insiders
  ◦ Straightforward
  ◦ Systems that depend only on the CSP for security are at greatest risk
  ◦ If data-usage encryption is used, the data is still vulnerable during storage

• Abuse of Cloud Services
  ◦ Using CSP for malicious purposes
  ◦ Hacking encryption keys via cloud
  ◦ DDoS attacks via cloud
  ◦ Problems of detection arise

• Insufficient Due Diligence
  ◦ Insufficient user experience
  ◦ Unknown levels of risk when using CSP
  ◦ Design and architecture issues for devs
  ◦ Countered by:
    ▪ Capable resources
    ▪ Extensive internal understanding of risks

• Shared Technology Vulnerabilities
  ◦ CPU caches, GPUs are not designed to be isolated
  ◦ A single vulnerability can lead to an entire environment being compromised

• Buffer Overflow
• SQL Injection
• Privilege escalation
• SSL Certificate spoofing
• Attacks on browser caches
• Phishing attacks
• Limiting resources
• Privilege-related attacks
• Data Distortion
• Injecting additional operations
• DDoS attacks

• Goal is to minimize the security risks
• Contract between the CSP and user should:
  ◦ State CSP obligations to handle sensitive information securely and its compliance with privacy laws
  ◦ Spell out CSP liability for mishandling information
  ◦ Spell out CSP liability for data loss
  ◦ Spell out rules governing ownership of data
  ◦ Specify the geographical regions where information and backups can be stored.

Kia Manoochehri