A Penetration Tester's Guide to the Azure Cloud

Presented at The Eleventh HOPE (2016), July 22, 2016, 8 p.m. (60 minutes).

The wide adoption and the benefits of cloud computing have led many users and enterprises to move their applications and infrastructure towards the Cloud. However, the nature of the Cloud introduces new security challenges, so organizations are required to ensure that such hosted deployments do not expose them to additional risk. Auditing cloud services has become an essential task and, in order to carry out such assessments, familiarization with certain components of the target environments is required. This talk will provide insight into the Microsoft Azure Cloud service and present practical advice on performing security assessments on Azure-hosted deployments. More specifically, it will demystify the main components of a cloud service and dive further into Azure-specific features. The main security controls and configurations associated with each of the mainstream Azure components will also be explored. Areas that will be covered include role-based security, secure networking features, perimeter security, encryption capability, auditing, and monitoring of activities within the Azure Cloud environment. Additionally, the talk will include the demonstration of a new tool that uses the Azure PowerShell cmdlets to collect verbose information about the main components within a deployment. The tool also provides functionality to visualize the components within a network infrastructure using an interactive representation of the topology and the associations between the deployment's components.


Presenters:

  • Apostolos Mastoris
    Apostolos Mastoris is an ethical hacker working as a security consultant at MWR InfoSecurity in London. His interest in security began when he was involved in the 2600 meetings in Athens, Greece. His day-to-day activities include application and infrastructure penetration testing and consulting clients on ways to improve the security of their environments. He holds a BSc in computer engineering and an MSc in information security. In his free time (when there's any), he enjoys reading recent updates in the security community, doing some coding, and getting involved in problem-solving activities.
