Cloud Security on the Dollar Menu ARNEL MANALO, CISSP, AWS-CSAA SHELLCON 2018

Cloud Security on the Dollar Menu - ShellCon MANALO, CISSP, AWS- CSAA SHELLCON 2018. Agenda • Introductions • What RMTS does • Intro AWS security model ... Uber – 57 million

May 20, 2020

Transcript
Page 1

Cloud Security on the Dollar Menu

ARNEL MANALO, CISSP, AWS-CSAA
SHELLCON 2018

Page 2

Agenda
• Introductions

• What RMTS does

• Intro AWS security model

• Breaches and State Laws

• AWS Recon

• Hardening AWS

Page 3

About me:

Arnel Manalo, CISSP
Cybersecurity Architect
RICHEY MAY TECHNOLOGY SOLUTIONS

• BS, Computer Systems Security, Colorado Technical University

• CISSP

• AWS-CSAA

Page 4

About Richey May Technology Solutions

Richey May Technology Solutions is a results-driven consulting firm offering the full spectrum of technology solutions for your business. Led by technology experts with decades of cumulative experience in executive IT roles, our team is able to bring you pragmatic, real-world solutions that deliver value to your business.

Governance, Risk, Compliance

& Privacy

Cybersecurity

Marketing Technology

Cloud Services

Technology Management Consulting

Page 5

Image Source: http://srini.karlekar.com/?p=313

Page 6

AWS Security Incident Leaderboard
1. Uber – 57 million customer and driver records compromised

2. Time Warner Cable – 4m customer records exposed

3. 10k GitHub users revealed their AWS secret keys

Page 7

AWS Uber Data Breach
• Attackers acquired AWS account credentials from a GitHub repository used by Uber engineers and used them to reach data stored in S3

• Access was restricted and controls were implemented AFTERWARDS

Image Source: https://i.imgflip.com/1pgtpk.jpg

Page 8

AWS Time Warner Breach
• Researchers found publicly readable S3 buckets

• Information spanned from November 2010 – July 2017

Image Source: https://assets.rbl.ms/13622690/980x.jpg

Page 9

Breaches

U.S. State Data Breach Notification Statutes – Form of Data (chart, source: dwt.com)

Page 10

Breaches

U.S. State Data Breach Notification Statutes – Harm Threshold (chart, source: dwt.com)

Page 11

California Breach Laws
• California breach notice: California Civil Code s. 1798.29 (state agencies) and California Civ. Code s. 1798.82 (businesses)

• CCPA (2020) allows consumers to sue companies for “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”

Page 12

Recent State Changes
States Increase Focus:
Arizona HB 2154:
In 2018, Arizona expanded the coverage of its existing data breach notification law via House Bill 2154. The updated legislation broadens the definition of what is considered personally identifiable information and consumer data, and adds specific definitions of what the state considers a security incident versus a data breach. It also adds civil penalties of $10,000-$500,000.

Colorado House Bill 18-1128:
Colorado has also passed expanded privacy and cybersecurity legislation requiring covered entities to deploy and maintain reasonable security controls around personally identifiable information of Colorado residents. Colorado also requires defined controls that manage the life cycle of consumer data from inception, during use, at rest, and destruction at end of life. The new law, effective September 1, 2018, requires firms to develop a formal cybersecurity program focused on protecting information appropriate to the nature of the personal information collected and the size of the business.

Page 13

Recent State Changes
States Increase Focus:
Ohio Senate Bill 220:
Ohio recently signed into law the Ohio Data Protection Act, which lets organizations limit their liability through a safe-harbor rule (an affirmative defense to data-breach tort claims) if they have adopted and implemented a written cybersecurity program based on an industry-accepted framework such as NIST SP 800-53, the ISO 27000 series, or PCI DSS.

Page 14

AWS Reconnaissance

Page 15

Shodan.io
net:"50.112.0.0/16"

The net: filter restricts Shodan results to one netblock; here it is one of the prefixes AWS publishes in its ip-ranges.json, so the query enumerates exposed services on AWS-hosted hosts in that range.
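The netblock in the slide is one of the prefixes AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json. The following is an added example (not from the talk) that shows how a practitioner turns that file into Shodan net: filters and, in the other direction, checks whether an IP from a finding belongs to AWS. The embedded JSON is a constructed four-entry sample in the real file's format, not an authoritative copy; the function names are this example's own.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the real file lists thousands of prefixes; these four entries are illustrative only).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2018-10-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "50.112.0.0/16", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "50.112.0.0/16", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "52.95.110.0/24", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
    ],
})


def load_prefixes(raw_json, service=None, region=None):
    """Return the distinct prefixes, optionally narrowed to one service and/or region."""
    nets = set()
    for p in json.loads(raw_json)["prefixes"]:
        if service and p["service"] != service:
            continue
        if region and p["region"] != region:
            continue
        nets.add(ipaddress.ip_network(p["ip_prefix"]))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def shodan_query(nets, extra=""):
    """Build the net:"a/b" OR net:"c/d" filter the slide uses, plus any extra Shodan filters."""
    terms = " OR ".join(f'net:"{n}"' for n in nets)
    return f"({terms}) {extra}".strip()


def classify_ip(ip, raw_json):
    """(region, service) pairs whose prefix contains ip; an empty list means the file does not
    claim the address for AWS. An EC2 hit only says 'some AWS customer', not which one."""
    addr = ipaddress.ip_address(ip)
    return sorted({(p["region"], p["service"])
                   for p in json.loads(raw_json)["prefixes"]
                   if addr in ipaddress.ip_network(p["ip_prefix"])})


if __name__ == "__main__":
    s3_nets = load_prefixes(SAMPLE_IP_RANGES, service="S3")
    print(shodan_query(s3_nets, "port:443"))
    print(classify_ip("50.112.3.4", SAMPLE_IP_RANGES))
```

Two caveats when using this for real: the EC2 prefixes are shared by every AWS tenant, so a Shodan hit in them is not evidence that the host is yours; cross-reference against your own Elastic IPs and instance public addresses before acting on it. The file changes frequently, so fetch it fresh rather than caching the prefixes.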

Page 16

GitHub
• https://github.com/michenriksen/gitrob (finds sensitive files in the public repositories of an organization or user)

• https://github.com/awslabs/git-secrets (pre-commit hook and repository scanner that blocks AWS credentials from being committed)
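Both tools above, and the "10k GitHub users revealed their AWS secret keys" entry on the leaderboard, come down to pattern-matching credentials in committed text. The block below is an added example written for this page (it is not git-secrets' code, and its patterns are a simplified approximation of the kind git-secrets' AWS provider registers; use the tool's own patterns in production). The sample credentials file is constructed: the "prod" keys are fake strings of the right shape, and the "default" keys are the placeholder credentials from AWS documentation, which the scanner allow-lists the way git-secrets does.

```python
import re

# Access key IDs: a known 4-char prefix followed by 16 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(
    r"(?<![A-Z0-9])(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"
)
# Secret keys: 40 base64-ish chars assigned to something named like *secret*key (any casing).
SECRET_KEY = re.compile(
    r"(?i)(?:aws)?_?secret_?(?:access)?_?key\s*(?:=>|=|:)\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# AWS's documented placeholder credentials; git-secrets allows these by default too.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def redact(value):
    """Never echo a live secret into scanner output or logs."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return (line_number, kind, redacted_value) for every credential-looking token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            if m.group(0) not in ALLOWED:
                findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            if m.group(1) not in ALLOWED:
                findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


# Constructed sample: an ~/.aws/credentials file accidentally added to a repository.
SAMPLE_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod]
aws_access_key_id = AKIAJQ4Z3FAKE0000KEY
aws_secret_access_key = "abcdefghijklmnopqrstuvwxyz0123456789FAKE"
# a 40-char git commit hash, not a key: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind} {value}")
```

The secret-key pattern is anchored on the variable name because a bare 40-character token matches far too much (commit hashes, base64 blobs). Even with that, treat a hit as "rotate now": a key that was ever pushed to a public repository is burned whether or not the commit is later rewritten, since mirrors and scrapers pick it up within minutes.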

Page 17

Locating Buckets
• https://github.com/gwen001/s3-buckets-finder

• https://github.com/eth0izzle/bucket-stream

• https://github.com/digininja/CloudStorageFinder

• https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3

• https://github.com/glen-mac/goGetBucket
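The bucket finders listed above all do the same two things: generate candidate bucket names from a keyword and a wordlist, then interpret S3's response to an unauthenticated request for each. The block below is an added example written for this page, not code from any of those projects; the wordlist is a trimmed, constructed one, the S3 responses are constructed to match the XML the service actually returns, and no network requests are made.

```python
import itertools
import re
from xml.etree import ElementTree

# Wordlist in the spirit of the tools above (theirs are far longer); constructed for illustration.
AFFIXES = ["backup", "backups", "dev", "prod", "staging", "logs", "assets", "uploads", "static"]
SEPARATORS = ["", "-", "_", "."]


def valid_bucket_name(name):
    """S3 DNS-compatible naming: 3-63 chars of lowercase letters, digits, '.' and '-',
    starting and ending with a letter or digit. Underscores are rejected, so those
    permutations can be dropped before any request is made."""
    return re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", name) is not None


def candidate_names(keyword):
    """keyword-backup, backup.keyword, keywordlogs, ...: the permutations a finder would resolve."""
    names = {keyword}
    for affix, sep in itertools.product(AFFIXES, SEPARATORS):
        names.add(f"{keyword}{sep}{affix}")
        names.add(f"{affix}{sep}{keyword}")
    return sorted(n for n in names if valid_bucket_name(n))


def classify_response(status, body):
    """Interpret an unauthenticated GET https://<bucket>.s3.amazonaws.com/ response.

    S3 answers <Error><Code>NoSuchBucket</Code> (404) for a free name, AccessDenied (403)
    for a bucket that exists but is private, a redirect error for a bucket homed in another
    region, and a <ListBucketResult> document (200) when anonymous listing is allowed,
    which is the finding the tools above hunt for. Returns (verdict, keys_listed).
    """
    root = ElementTree.fromstring(body)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    local = root.tag[len(ns):]
    if local == "ListBucketResult" and status == 200:
        return "public-listing", [k.text for k in root.iter(f"{ns}Key")]
    if local == "Error":
        code = root.findtext(f"{ns}Code")
        if code == "NoSuchBucket":
            return "nonexistent", []
        if code == "AccessDenied":
            return "exists-private", []
        if code in ("PermanentRedirect", "TemporaryRedirect"):
            return "exists-other-region", []
        return f"error:{code}", []
    return "unknown", []


# Constructed responses, in the format S3 actually returns, keyed by candidate bucket name.
SAMPLE_RESPONSES = {
    "acme-backup": (200, """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>acme-backup</Name><Contents><Key>db/2018-09-30.sql.gz</Key><Size>1024</Size></Contents>
<Contents><Key>config/app.env</Key><Size>512</Size></Contents></ListBucketResult>"""),
    "acme-prod": (403, "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"),
    "acme-staging": (404, "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"),
}


def triage(responses):
    """Summarise a sweep: which candidates exist, and which leak a listing."""
    return {name: classify_response(*resp) for name, resp in responses.items()}


if __name__ == "__main__":
    print(candidate_names("acme")[:8])
    for name, (verdict, keys) in triage(SAMPLE_RESPONSES).items():
        print(name, verdict, keys)
```

"exists-private" is still information: the name is taken, so a typo-squat or a later public-read misconfiguration on that bucket would affect a real target. "public-listing" is the serious finding, but a bucket can refuse listing and still serve individual objects anonymously, so a finder that only tests listing under-reports exposure.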

Page 18

gwen001/s3-buckets-finder (screenshot)

Image source: https://github.com/gwen001/s3-buckets-finder/blob/master/README.md

Page 19

eth0izzle/bucket-stream (screenshot)

Image source: https://github.com/eth0izzle/bucket-stream/blob/master/README.md

Page 20

Other
• https://github.com/marpaia/AWSome

• https://github.com/dagrz/aws_pwn

• https://github.com/nccgroup/Scout2 (since superseded by NCC Group's ScoutSuite)

• https://github.com/toniblyx/my-arsenal-of-aws-security-tools

Page 21

Hardening AWS

Page 22

IAM Roles
• Lock Away Your AWS Account Root User Access Keys

• Create Individual IAM Users

• Use Groups to Assign Permissions to IAM Users

• Use AWS Defined (AWS managed) Policies to Assign Permissions Whenever Possible

• Grant Least Privilege

• Use Access Levels to Review IAM Permissions

• Configure a Strong Password Policy for Your Users

• Enable MFA for Privileged Users

• Use Roles for Applications That Run on Amazon EC2 Instances

• Use Roles to Delegate Permissions

• Do Not Share Access Keys

• Rotate Credentials Regularly

• Remove Unnecessary Credentials

• Use Policy Conditions for Extra Security

• Monitor Activity in Your AWS Account

More reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Page 23

S3 Bucket Hardening
• Restrict access to buckets (bucket policies and ACLs; no grants to Everyone or to the AuthenticatedUsers group, which means any AWS account)

• Monitor S3 resources

• Use Encryption

Page 24

S3 Bucket Policy Examples
• Permit only a specific IP address (aws:SourceIp condition) or website (aws:Referer condition)
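The IP-restricted policy the slide refers to is short, but the way it is written matters. The block below is an added example for this page, not the speaker's policy: it builds the allow-by-source-IP policy, then evaluates sample anonymous requests against it with a deliberately small policy evaluator (IpAddress/NotIpAddress only; principal matching omitted) so the difference between an Allow with IpAddress and a Deny with NotIpAddress is visible. The bucket name, CIDRs and function names are this example's own.

```python
import fnmatch
import ipaddress
import json


def ip_restricted_policy(bucket, allowed_cidrs):
    """Bucket policy granting anonymous s3:GetObject only from allowed_cidrs.

    Written as Allow + IpAddress rather than Deny + NotIpAddress: an explicit Deny
    overrides every Allow in IAM evaluation, so the Deny form also locks out your own
    administrators whenever they are outside those ranges.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetFromListedRanges",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, ctx):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp. Any other operator is outside
    this illustration and is treated as not satisfied."""
    for op, kv in condition.items():
        if op not in ("IpAddress", "NotIpAddress"):
            return False
        src = ipaddress.ip_address(ctx["aws:SourceIp"])
        in_any = any(src in ipaddress.ip_network(c, strict=False)
                     for c in _as_list(kv.get("aws:SourceIp", [])))
        if (op == "IpAddress") != in_any:
            return False
    return True


def evaluate(policy, action, resource, ctx):
    """Evaluation for anonymous requests: explicit Deny wins, then Allow, else implicit deny."""
    decision = "deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


POLICY = ip_restricted_policy("acme-site", ["203.0.113.0/24", "198.51.100.7/32"])

# The Deny form for contrast: it also refuses 198.51.100.7, which POLICY allows,
# because an explicit Deny beats any Allow.
LOCKOUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessOffice", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::acme-site/*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }] + POLICY["Statement"],
}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    obj = "arn:aws:s3:::acme-site/index.html"
    for ip in ("203.0.113.45", "198.51.100.7", "192.0.2.1"):
        print(ip, evaluate(POLICY, "s3:GetObject", obj, {"aws:SourceIp": ip}),
              evaluate(LOCKOUT_POLICY, "s3:GetObject", obj, {"aws:SourceIp": ip}))
```

Two caveats a practitioner should carry with this policy: aws:SourceIp is not populated for requests that arrive through a VPC endpoint (those need aws:sourceVpce or aws:VpcSourceIp), and the "website" variant keyed on aws:Referer is a client-supplied header, so it stops hotlinking but is not an access control.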

Page 25

S3 Bucket Events
• Get emailed when an object is created or deleted

• Completed easily with a few steps:

• Create SNS topic to email events

• Permit access of s3 bucket to SNS topic

• Configure which events trigger the notification

Page 26

Create SNS Topic
• SNS Console -> Create new topic
• Select newly created topic -> create subscription* (protocol Email; the recipient must confirm the subscription before any notification is delivered)

Page 27

S3 Access to SNS Topic
• Select topic -> edit topic policy (grant SNS:Publish to the s3.amazonaws.com service principal, scoped to the bucket's ARN)

Page 28

Configure S3 Bucket Events
• Go to S3 console

• Select desired bucket

• Select properties

• Scroll down and select events
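The two pieces the console steps above produce are the SNS topic's access policy and the bucket's notification configuration. The block below is an added example written for this page, not the speaker's configuration: it generates both documents in the JSON shapes AWS expects and adds a small audit that catches the common mistake in step two, an SNS:Publish grant to the S3 service principal with no aws:SourceArn / aws:SourceAccount condition, which lets any bucket in any AWS account publish to your topic. The account ID, bucket and topic names are placeholders.

```python
import json

TOPIC_ARN = "arn:aws:sns:us-west-2:123456789012:s3-events"  # placeholder values
BUCKET = "acme-backup"
ACCOUNT = "123456789012"


def s3_publish_topic_policy(topic_arn, bucket, account_id):
    """Topic policy for step 2: only this bucket, in this account, may publish."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3BucketToPublish",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def notification_config(topic_arn, events=("s3:ObjectCreated:*", "s3:ObjectRemoved:*")):
    """Bucket notification configuration for step 3 (what the console's Events pane writes)."""
    return {"TopicConfigurations": [
        {"Id": "ObjectChangeToSns", "TopicArn": topic_arn, "Events": list(events)}
    ]}


def audit_topic_policy(policy):
    """Flag Publish grants that let arbitrary callers, or arbitrary S3 buckets, post to the topic."""
    issues = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("sns:publish", "sns:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        cond_keys = {k.lower() for v in st.get("Condition", {}).values() for k in v}
        sid = st.get("Sid", "<no Sid>")
        if principal in ("*", {"AWS": "*"}) and not cond_keys:
            issues.append(f"{sid}: Publish allowed to anyone without a Condition")
        elif isinstance(principal, dict) and "Service" in principal \
                and not cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
            issues.append(f"{sid}: service principal may publish without "
                          "aws:SourceArn/aws:SourceAccount (confused deputy)")
    return issues


# Constructed "it works, ship it" policy: correct service principal, no scoping condition.
WEAK_TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Open", "Effect": "Allow",
                   "Principal": {"Service": "s3.amazonaws.com"},
                   "Action": "SNS:Publish", "Resource": TOPIC_ARN}],
}

if __name__ == "__main__":
    good = s3_publish_topic_policy(TOPIC_ARN, BUCKET, ACCOUNT)
    print(json.dumps(good, indent=2))
    print(json.dumps(notification_config(TOPIC_ARN), indent=2))
    print("hardened:", audit_topic_policy(good))
    print("weak:", audit_topic_policy(WEAK_TOPIC_POLICY))
```

The default policy the SNS console attaches already carries an AWS:SourceOwner condition, so the audit leaves it alone; it only complains about the hand-edited "let S3 publish" statement when the scoping condition is missing.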

Page 29

Alert Examples

Page 30

VPC NACL vs. EC2 Security Groups
• A VPC network ACL (NACL) is attached to subnets and filters all traffic entering or leaving them. Rules are numbered and evaluated lowest number first, the first match wins, and the trailing "*" rule denies whatever is unmatched. NACLs are stateless: return traffic must be allowed explicitly, typically on the ephemeral port range 1024-65535. The default NACL that ships with a VPC allows all inbound and outbound traffic; a newly created custom NACL denies everything until rules are added.

• An EC2 security group is attached to instances within a VPC and holds allow rules only, with no ordering and no deny rules. Security groups are stateful: the reply to permitted traffic is allowed regardless of the rules in the other direction. A new security group denies all inbound traffic and allows all outbound traffic by default.

Page 31

When to use NACL vs Security Group
• NACL for coarse inbound/outbound rules that apply to an entire subnet or VPC

• Security Group for specific host or hosts traffic

• Sometimes both
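The stateless/stateful distinction above is where NACL deployments usually break: an inbound allow for a service port is not enough, because the server's replies leave on the client's ephemeral port and are checked against the outbound rules. The block below is an added example for this page (not from the talk) that models both evaluation orders over constructed rule sets and shows the connection that fails until the ephemeral-port outbound rule is added. Rule numbers, CIDRs and function names are this example's own.

```python
import ipaddress

# Constructed custom NACL. Inbound and outbound are evaluated independently (stateless);
# rules are tried lowest number first, first match wins, and anything unmatched is denied ("*").
NACL_INBOUND = [
    {"rule": 100, "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"},
    {"rule": 110, "proto": "tcp", "cidr": "203.0.113.0/24", "ports": (22, 22), "action": "allow"},
    {"rule": 120, "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"},
]
NACL_OUTBOUND = [
    {"rule": 100, "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"},
    # Missing: an allow for ephemeral ports 1024-65535. Without it the replies to inbound
    # 443 connections are dropped even though inbound rule 100 admitted the requests.
]
FIXED_OUTBOUND = NACL_OUTBOUND + [
    {"rule": 110, "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"},
]

# Constructed security group: allow rules only, no ordering, no deny.
SG_INBOUND = [{"proto": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443)}]


def nacl_decision(rules, proto, ip, port):
    """(action, matching_rule) for one packet; ip is the remote side, port the destination port."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r["rule"]):
        if r["proto"] not in (proto, "all"):
            continue
        if addr not in ipaddress.ip_network(r["cidr"]):
            continue
        lo, hi = r["ports"]
        if not lo <= port <= hi:
            continue
        return r["action"], r["rule"]
    return "deny", "*"


def nacl_connection_ok(inbound, outbound, client_ip, client_port, server_port, proto="tcp"):
    """A client->server connection needs the request to pass the inbound list (dst = server_port)
    AND the reply to pass the outbound list (dst = client_port, ephemeral). Returns (ok, req, reply)."""
    req = nacl_decision(inbound, proto, client_ip, server_port)
    reply = nacl_decision(outbound, proto, client_ip, client_port)
    return req[0] == "allow" and reply[0] == "allow", req, reply


def sg_connection_ok(sg_inbound, client_ip, server_port, proto="tcp"):
    """Security groups are stateful: if any inbound rule admits the request, the reply is
    permitted automatically, so only one direction is ever checked."""
    addr = ipaddress.ip_address(client_ip)
    return any(r["proto"] in (proto, "all")
               and addr in ipaddress.ip_network(r["cidr"])
               and r["ports"][0] <= server_port <= r["ports"][1]
               for r in sg_inbound)


if __name__ == "__main__":
    print("NACL as written:", nacl_connection_ok(NACL_INBOUND, NACL_OUTBOUND, "198.51.100.20", 51515, 443))
    print("NACL fixed:     ", nacl_connection_ok(NACL_INBOUND, FIXED_OUTBOUND, "198.51.100.20", 51515, 443))
    print("Security group: ", sg_connection_ok(SG_INBOUND, "198.51.100.20", 443))
```

The same ephemeral-range rule is what makes a NACL a weak place to enforce fine-grained policy: once 1024-65535 is open for return traffic, it is open for inbound connections to any high port too, and only the security group (or the host) distinguishes the two. Use the NACL for broad subnet-level blocks and the security group for per-host allow lists, as the slide says.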

Page 32

CloudTrail
• Audit, compliance, operational risk

• Records each API call made in the account as an event

• Delivers events to S3 for retention and, optionally, to CloudWatch Logs, where metric filters and alarms can be built on them

• Two non-API actions are also captured:
  • Service events – e.g. Spot Instance bid price changes
  • Console login attempts

Page 33

CloudWatch
• Monitors AWS services and resources in near real time

• Collect and track metrics and/or logs

• Can send off alarms or automatically make changes or start workflows

Page 34

Monitor Root Account Usage
• From the CloudWatch console -> Logs

• Select CloudTrail logs group

• Create Metric Filter (enter a filter pattern that matches root-user activity in the CloudTrail records)

• Assign the metric -> Filter name: RootAccountUsage -> Metric namespace: CloudTrailMetrics -> Metric name: RootAccountUsage -> Metric value: 1

Page 35

Monitor Root Account Usage cont.
• Create Alarm

• Enter notification information as desired
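The console walkthrough above leaves the filter pattern itself to the reader. The block below is an added example for this page, not the speaker's configuration: it states the pattern the CIS AWS Foundations Benchmark uses for root-account usage and implements the same logic in Python over a constructed CloudTrail log file, so the filter can be tested against real exported records before it is trusted in CloudWatch. The three records are constructed in CloudTrail's format; account ID, IPs and timestamps are placeholders.

```python
import json

# CloudWatch Logs metric filter pattern for root usage (CIS AWS Foundations Benchmark);
# this is what goes in the "Create Metric Filter" step.
ROOT_USAGE_FILTER = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                     '&& $.eventType != "AwsServiceEvent" }')


def is_root_usage(record):
    """Python equivalent of ROOT_USAGE_FILTER for one CloudTrail record: a Root principal,
    acting directly (not an AWS service calling on its behalf), and not a service event."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def root_usage_metric(records):
    """(metric_value, hits): the filter emits Metric value 1 per matching record, and an alarm
    on Sum >= 1 over one period is what turns that into the notification on the next slide."""
    hits = [(r["eventTime"], r["eventName"], r.get("sourceIPAddress"))
            for r in records if is_root_usage(r)]
    return len(hits), hits


def load_records(raw):
    """CloudTrail log files delivered to S3 are JSON objects with a top-level 'Records' array."""
    return json.loads(raw)["Records"]


# Constructed sample log file in CloudTrail's delivery format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "eventTime": "2018-10-06T17:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "eventType": "AwsConsoleSignIn", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.05",
     "userIdentity": {"type": "IAMUser", "userName": "deploy", "accountId": "123456789012"},
     "eventTime": "2018-10-06T17:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.5",
     "eventType": "AwsApiCall"},
    {"eventVersion": "1.05",
     "userIdentity": {"type": "Root", "accountId": "123456789012", "invokedBy": "AWS Internal"},
     "eventTime": "2018-10-06T18:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "ec2.amazonaws.com", "eventType": "AwsServiceEvent"},
]})

if __name__ == "__main__":
    value, hits = root_usage_metric(load_records(SAMPLE_LOG))
    print("metric value:", value)
    for when, name, ip in hits:
        print(f"  {when} {name} from {ip}")
```

The two exclusions are what keep the alarm quiet on a healthy account: AWS services acting on the root principal's behalf (invokedBy present) and AwsServiceEvent records are routine, while a direct root ConsoleLogin, especially with MFAUsed "No" as in the sample, is exactly what the first IAM best practice on slide 22 says should never happen.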

Page 36

TrustedAdvisor
• AWS service that scans your account and compares its configuration to AWS best practices in five categories:

• Cost Optimization

• Performance

• Fault Tolerance

• Service Limits

• Security

Page 37

Trusted Advisor Security – FREE!!
• Security Groups – Specific Ports
• IAM
• S3 Buckets
• EBS Snapshots
• RDS Snapshots
• More specifics on the different best practices:

https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/

Page 38

Billing Alarms
• Must be signed in with the root account -> Billing -> Preferences -> Receive Billing Alerts.
• After it's enabled, go to the CloudWatch console in us-east-1 (billing metrics are only published there) and create an alarm on the billing metric at your desired threshold.

Page 39

Thank you!

ARNEL MANALO (@ARNSEC)
HTTPS://WWW.RICHEYMAYTECH.COM