penetration testing the cloud - vlad gostom

演讲题目

Penetrat ion Test ing the

Thank You

• Cloud Connect China

• Sponsors

• Department 83

• Peoples Republic of China

Background

• Vlad Gostomelsky

• Managing Consultant

• Penetration Tester 16+ years

• Spirent Communications

• Banks, Vehicles, ICS, Wireless, Embedded Systems, Satellites, Power Generation

Assumptions

• Currently deployed cloud hosting

• Plan to transition to cloud hosted data center

Advantages

• Overhead Costs

• Pay only for what’s used

• Elastic Capacity

• Agile

• Infrastructure as a Service

• Public

• Private

• Community

• Hybrid

Attack Surface

• External Attacks

• Internal Attacks

Cloud Attack Surface

• External Attacks

• Internal Attacks

• Provider

• Misconfiguration

• Hypervisor Attacks

• Government/National Security Letters

External Attacks

• Front End

• Exposed Interfaces

• Misconfigurations

• Malicious Clients

Internal Attacks

• Malicious Employees

• Disgruntled former Employees

• Incompetence

Provider Attacks

• Hypervisor

• Trust

• Routing

• Certificates

Hypervisor Attacks

• Vulnerability in the virtualization platform

• Known 0 days

• Transparency from Providers

• Auditing

• Code Review

Routing

• DOS/DDOS

• Preferred DNS

• Shunning

• False BGP Route advertising

• Load Balancing

• Content Injection

Certificates

• Certificate Authority

• Forged Certificates

Public Cloud

• Shared Environment

• Malicious Clients

• Profiling

• Crossover Attacks

• Increased Exposure due to Other Services

Private Cloud

• Isolated Environment

• Profiling

Differences

Conventional Attacks

• Exposed Services

• API

• Unauthenticated API Calls

Admin Interface

• Malicious Insiders

• Misconfiguration

• Routing Errors

Internal IPs

• Compromise

• Entrench

• Pivot

• Repeat

Testing

• Upload Malicious Hypervisor

• Back-Doored OS

• Ability to download and examine OS

• Transparency

• Pivot

Migration

• Most vulnerable point

• All data virtualized

• Unsupervised transfer

• Potential for tampering

Migration Done Right

• Process

• Plan

• Audit

• Verification

Questions

• SecurityLabs@Spirent.com

penetration testing the cloud - vlad gostom

Internet

povestiri duhovnicesti vol.3 - monah pimen vlad...povestiri...

composer: vlad pĂduraru

batrîncea vlad

vlad, the impaler

fraunhofer vlad

vlad presentation

vlad tepeş

vlad musatescu

vlad ȚepeȘ

dracula dit vlad tepes - libris.ro dit vlad tepes.pdftitle:...

vlad monica

stoicescu vlad tepes

proiect vlad

dogotovljavanje jela pred gostom - nastava

prezentare vlad

vlad panenko

dr. tiberu vlad & dr. cristian vlad - psihologia si...

najčešće nedoumice - hgk.hr · profesionalac ili...

mosoi vlad

lucrare vlad