From 0 to secure in 1 minute

Presented at ToorCon San Diego 17 (2015), Oct. 24, 2015, noon (50 minutes).

Recent hacks to IaaS platforms reveled that we need to master the attack vectors used: Automation and API attack vector, insecure instances and management dashboard with wide capabilities. Those attack vectors are not unique to Cloud Computing but there are magnified due to the cloud characteristics. The fact is that IaaS instance lifecycle is accelerating, nowadays we can find servers that are installed, launched, process data and terminate - all within a range of minutes. This new accelerated lifecycle makes traditional security processes such as periodic patches, vulnerability scanning, hardening, and forensics impossible. In this accelerated lifecycle, there are no maintenance windows for patches or ability to mitigate vulnerability, so the security infrastructure must adapt to new methods. In this new thinking, we require automation of instance security configuration, hardening, monitoring, and termination. Because there are no maintenance windows, Servers must be patched before they boot up, security configuration and hardening procedures should be integrated with server installation and vulnerability scanning and mitigation processes should be automatic. In the presentation, I plan to present the full version of a new open source tool called “Cloudefigo” and explain how it enables accelerated security lifecycle. I will demonstrate how to launch a pre-configured, already patched instance into an encrypted storage environment automatically while evaluating their security and mitigating them automatically if a vulnerability is found. In the live demo, we leverage Amazon Web Services EC2 Cloud-Init scripts and object storage for provisioning automated security configuration, integrating encryption, including secure encryption key repositories for secure server’s communication. The result of those techniques is cloud servers that are resilient, automatically configured, with the reduced attack surface.


Presenters:

  • Nir Valtman as Nir Valtman (@ValtmaNir)
    Nir is employed at NCR Corporation as the CISO of NCR Retail. Before the acquisition of Retalix by NCR, he was Chief Security Officer of R&D at the company. As part of his previous positions, he worked as Chief Security Architect, Senior Technology Consultant, Application Security Consultant, Systems Infrastructure Security Consultant, and a Technological Trainer. While in these positions, Nir was not only consulting, but also performing hands-on activities in various fields, i.e. hardening, penetration testing, and development for personal/internal applications. In addition, Nir is a public speaker (spoke on BlackHat, DEF CON, OWASP, InfoSec etc.) and open source contributor. Among his contributions, he released an open source anti-defacement tool called AntiDef, and wrote a publication about QRbot, an iPhone QR botnet POC he developed. His latest open source tool is Cloudefigo, which planned to be presented in the conference. Nir has a BSc in Computer Science but his knowledge is based mainly on cowboy learning and information sharing with the techno-oriented communities.

Similar Presentations: