Foundations of Cyber Security

Cloud Security Explained! Hear from a Pro Hacker!
Hey guys, welcome back to another episode on How to Defend and today we discussing about cloud security and learning about how we can protect many of our cloud workloads, our deployments online, how we could still continue to serve to hundreds of millions of users who may be assessing your different kind of applications, many different use cases that you have for deploying many of your workloads onto the cloud. So what exactly is cloud? So the first thing we want to think about is as more and more enterprises are transitioning onto the cloud because of the key advantages in terms of the ability to focus on more of the higher level offerings, in terms of application levels and in terms of platform levels, and of course, the three key areas that we can look at, number one is software as a service, platform as a service as well as infrastructure as a service.
So this is what we call the Shared Responsibility Model. This is a responsibility that is shared together with the cloud provider. In this case, if you’re deploying say software as a service only, so there is more specific controls that you have to put in place at the software layer and of course, as you move down the stack, including both the platform as a service as well as software as a service so you have to manage the security on both of these levels and finally infrastructure as service. So if you’re deploying your operating systems, you’re deploying your virtual private clouds on to the different cloud providers and vendors then you have to be able to configure all across the stack, including your operating system level, your network level, your platform as a service and your software as a service, they’re all deployed within your private cloud or onto your public cloud environment and such. So this is a Shared Responsibility Model that is being utilized across by many different cloud providers. There are increasing levels of responsibility as you take on more stack inside the workloads.
I want to go back in terms of the security controls in the cloud. I want to go back into the cyber attack chain or the [miter attack 00:02:22] framework. All right. So over here, the whole idea is to look from the hackers point of view, how would they continue to conduct operations, hacking operations against your cloud workloads? So again, if we look at the most left site, we have the reconnaissance, weaponization, the delivery of tax, exploitation, installation, command and control as well as the final part, which is on actions and of objectives. So by looking at this, we can map back again. How would the hackers be able to scan for your publicly exposed instances or workloads? What kind of services are you offering through your cloud platforms that could easily be flagged out by the hackers? What versions are those services running? And after which those data configuration application version numbers, operating system levels, the data puff that transacts from your web application server, all the way down to your databases, all of the versions and controls in it.
What kind of information can they gather based on their interaction with your site, based on your interaction with your mobile application and from there on which provides the opening into the rest of your deployments? So what can you find? All right, either through search engines, through assessing and going through the normal data path, what can they actually gather from working and exposure into your systems and after which the hackers will then start weaponizing. Right. So data will start creating payloads either via, say for example, SQL injection, via buffer overflows, via all these tutorials that you’ve seen on the channel. And of course it would begin delivering all these attacks and all the delivery can be through multiple places. So if you have different cloud providers who are running different virtual private clouds, they could also be subjected to different kinds of attacks based on delivery mechanisms, especially in terms of configuration and security hardening, if they’re not properly in control, then those delivery can be done very, very quickly.
And as you’re, for example, if you’re running infrastructure as a service and you have say a Windows server that you’re running or Linux server that you’re running and there is a human interaction. So the administrator of those services are able to actually say, for example, surf the internet, log into their emails and be able to download attachments. That in itself can be a form of delivery opening for the hackers where they could send an attachment and the attachment can lead to the complete compromise of the system. So there are multiple delivery mechanisms that can be utilized as part of the hack. And this is the part where the exploitation installation comes into play, where the hacker now has excess and control into the system. So they would need a reverse connection all the way out into the internet.
Then the question is, how can we identify what kind of malicious IP addresses are there? Where are the hackers connecting to and what can of data are they transferring ultimately back to the command control server and what kind of processes has been spawned out as a result of those hacks? And finally, what are the actions and the objectives of the hackers? Do they have full control, at which stage of the cyber attack are they currently at? So of course the miter attack framework has a huge list of all these possible tactics and techniques that the hackers could be utilizing. And ultimately going back to the bottom part of the slide, which are the security controls. So very importantly, how can we stop reconnaissance? How can we stop the hackers, being able to weaponize the payloads and gain full access into the systems and stopping them from being able to deliver and install additional processes into the system and ultimately giving them control from a remote commanding control server.
If you look at the bottom side, a lot of times by setting strong, secure firewall policies, the ingress and egress, looking at how the services and the workloads communicating with one another, having a proof list of how data should be transacted from the application server, all the way to the databases, what are considered as a proof list and what are the disallowed list of payloads that are actually being injected into the system? Are there sanitization, do you have antivirus running in all your systems? Do you have configuration checks at all times against the hacker? All this, again, ultimately we can map back to, for example, National Institute of Standards and Technology or even under Center for Internet Security, security controls. Making sure that you have all those controls in place and then you can map them back, for example, on this case here that I have help you create it, you can map them back very quickly based on the cyber attack chain or miter attack framework on how we are able to actually try to stop those attacks.
So here we have a Technical Architecture. On the most left side, we have the hacker coming in through from the internet and assessing and to say your Apache server and we have a Win server 2016 and you have a Microsoft SQL database at the end, storing all this data. We can also think of the attacks, not just from external adversaries, so it could also be insider threats. In this case, we have an insider threat on the bottom right side that you have a select al; from user. So we can see that maybe some of your users have a lot of privileges inside the system and they could easily query all this information out and some of your databases may have tables that contain sensitive and critical data.
You can look at credit card information, date of birth, addresses and so on. So all these data could easily be found even from insiders. All right. So the whole idea is how can we build a security Technical Architecture? So we can firstly, going from the most left side again, we have users and hackers who are coming in and there is a web application firewall. So WAF stands for web application firewall that would actually do the first round of filtering, sanitization of inputs, what are allowed and what are not allowed before it actually reaches into the application server. And of course, we also have DDoS. DDoS protection, distributed denial service. So if there are specific IP addresses that are coming into your systems and some of this IP addresses are known, from the trend intelligence, from security researchers across the world, who has highlighted some of this servers with malicious activities, immediately we can stop and block those malicious IP addresses from doing a direct attack against your systems.
And of course at the bottom of WAF and DDoS, we have identity access management. So this is the part where we could introduce, for example, governance or dating as well as risk based accesses into your systems, meaning that we have single sign on capability and on top of that, we have identity and governance, meaning that we can flag out which user may have over privileges to more systems and applications. So all these are different ways that we can introduce multi-factor authentication, single sign on, looking at the user, looking at their attributes, whether they have any risky behaviors, maybe this user usually connect from one particular city and now this user is connecting from another part of the world using a completely different device attribute, a completely different cursor attributes. All those can be highlighted as increasing risks levels before you’re assessing, given permission to access into your systems and on the right side, all right, we have on the top right side, continuous policy check, certifications and all that.
So we are able to actually audit your private cloud environment, all data across all your workloads and be able to check out, for example, your Win server, your Microsoft SQL instance, your Apache web server. Whether they have any misconfiguration, whether they’re out of date. All these different security checks are put in place to harden the servers that you have deployed so that you can prevent many of those easy, simple hacks that the hackers could easily utilize. And in terms of data protection, we also have to introduce encryption or data monitoring. So on the most right side, if you look at the database table right now, we can see that the credit card information, the password, the mobile, they have either been masked out, meaning that the hackers or even insider will no longer be able to actually see those data or two, they have been encrypted. Encrypted, meaning that you have to manage the key as well as those encryptions.
So it can be encrypted down to the columns, roles levels. All this introduction of security mechanisms is very important because if you look at the bottom part, you have an insider track and firstly is to look at who are the ones issuing those queries into the database system? Do they have direct access to looking at all this private information, financial data? And we are able to stop those queries from coming in or at the same time, if they do get in, meaning that maybe the hackers crafted a payload and managed to bypass the WAF, web application firewall, then we’ll be able to very quickly, even if the hacker managed to pull all those data, all they see will be gibberish data because they do not have access to the encryption key. And finally at the bottom right side, making sure that you have security operations center running.
So, if you look at the… There’s an icon there, like a CCTV camera, that’s monitoring or dating everything that’s happening and at the same time, flagging out, if there’s any anomaly, if there are any possible threats coming in. So it’s like a CCTV capturing what everyone is doing and on top of that, being able to flag out when there are any malicious behaviors, at which stage are cyber attacks coming in and also in terms of incident response. So once again, I hope you have learned something valuable in today’s lecture and if you have any questions, feel free to leave a comment below and I’ll try my best to answer any of your queries and like share, subscribe to channel so that you can be kept abreast of the latest cybersecurity tutorial. Thank you so much once again, for watching.