YURY CHEMERKIN
ITA 2013
[ YURY CHEMERKIN ]
www.linkedin.com/in/yurychemerkin
EXPERIENCED IN :
REVERSE ENGINEERING & AV SOFTWARE PROGRAMMING & DOCUMENTATION MOBILE SECURITY AND MDM CYBER SECURITY & CLOUD SECURITY COMPLIANCE & TRANSPARENCY FORENSICS AND SECURITY WRITING HAKIN9 / PENTEST / EFORENSICS MAGAZINE, GROTECK BUSINESS MEDIA PARTICIPATION AT CONFERENCES INFOSECURITYRUSSIA, NULLCON, ATHCON, CONFIDENCE, PHDAYS, DEFCONMOSCOW, HACTIVITY, HACKFEST CYBERCRIME FORUM, CYBER INTELLIGENCE EUROPE/INTELLIGENCE-SEC, ICITST, CTICON (CYBERTIMES), DeepIntel/DeepSec, I-SOCIETY
http://sto-strategy.com
yury.s@chemerkin.com
Cloud Issues
Known Issues
Known Issues -> Known Solutions/Opinions
Threats -> Customization, security solutions
Privacy -> Crypto anarchism
Compliance -> CSA, ISO, PCI, SAS 70
Legal -> Typically US location
Vendor lock-in -> Platform, Data, Tools lock-in
Open source / Open standards -> Top clouds are not open-source
Security -> Physical clouds are more secured than public ones
Abuse -> Botnets and malware infections / misuse
IT governance -> Depends on organization needs
Ambiguity of terminology -> Reference to wide services, solutions, etc.
Abuse: abusing is not a new issue and is everywhere; AWS Vulnerability Bulletins are a kind of quick response, so stay tuned
Cloud Model (diagram labels): Cloud; CSA CAIQ; CSA CCM (Cloud Controls Matrix); Enhanced Security Model; Mapping; Compliance Model; NIST Framework
The consolidated framework over all NIST documents: logically, clearly defined documents, e.g. categorization of systems, selecting controls, FIPS, forensics, logging (SCAP), etc.
Properties: Complementarity; Interchangeability; Expansibility; Dependence; Mapping (NIST, ISO only)
NIST Framework
Complementarity: NIST control enhancements plus your own security controls
Interchangeability: replacing basic controls by enhanced controls
Expansibility: enhancements that impact or support the implementation of a particular security control; your own way to improve the framework
Mapping (NIST, ISO only): NIST->ISO, ISO->NIST, NIST->Common Criteria (rev4 only)
NIST Framework
Interchangeability: basic controls are not applicable when information systems need to communicate with other systems across different policies, under APT, insider threats, mobility (mobile location, non-fixed) and single-user operations; in these cases basic controls are replaced by enhanced controls
III. Clouds
Clouds
Amazon Web Services: generally IaaS, plus SaaS and PaaS
Microsoft Azure: generally PaaS; recent changes add IaaS
BlackBerry Enterprise Service: separated; integrated with Office365; SaaS as an MDM solution
(diagram labels) BlackBerry 4, 5, 6, 7; BES 5; BES 10; Office integration: Office, Office365, Cisco/VoIP
Clear compliance requirements
There are many models and architectures, and there are many ways to build a cloud in alignment with them.
Top known cloud vendors announced they are in compliance with them; some of the reports are getting old by now. Customers have to control their environment according to their needs. Customers want to know whether it is in compliance, especially with local regulations, and how far. Customers want to know whether it makes clouds transparent enough to let them build an appropriate
Vendors' general explanations multiplied by general standards recommendations are extremely far away from transparency. Clouds call for specific levels of audit logging, activity reporting, security controlling and data retention; this is often not part of the SLA offered by providers and is outside the recommendations. AWS often goes into detail in its architecture documents. AWS solutions are well placed to comply with old standards and specific local regulations: NIST 800-53, or even Russian security standards (however, the Russian framework is outside the cloud framework).
It helps vendors not to have their solutions worked out in detail and/or badly documented. It helps them to put a lot of references to 3rd-party reviewers under NDA (SOC 1 or SAS 70). It is a bad idea to let vendors fill in such documents: they provide fewer public details and take them into NDA reports.
DIFFERENCE (AWS vs. AZURE), by CAIQ / CCM control area
Information System Regulatory Mapping: AWS goes into detail on how it complies, which shows up as differences between the CAIQ and CCM mappings
Handling / Labeling / Security Policy: AWS details what customers are allowed to do and exactly how; Azure does not
As opposed to AWS, Azure does not have a clearly defined statement on whether customers are able to perform their own vulnerability tests
Retention Policy: AWS points to the customer's responsibility to manage data, excluding moving it between Availability Zones inside one region; Azure ensures validation and processing of it and indicates historical auto-backup of data
Further areas compared: Secure Disposal; Information Leakage; Policy; User Access; MFA; Baseline Requirements; Encryption; Encryption Key Management; Vulnerability / Patch Management; Nondisclosure Agreements; Third Party Agreements; User ID Credentials; (Non)Production environments; Network Security; Segmentation; Mobile Code
Third Party Agreements: AWS highlights that it does not leverage any 3rd-party cloud providers to deliver AWS services to customers; Azure points to procedures and NDAs undergone with ISO
User ID Credentials: besides AD (Active Directory), AWS's IAM solution is aligned with both CAIQ and CCM requirements, while Azure relies on AD to perform these actions
(Non)Production environments: AWS provides more detailed how-to documents for achieving compliance
Network Security / Segmentation: besides vendor features, AWS provides quite similar mechanisms aligned with CAIQ & CCM, while Azure points to features built into the infrastructure on the vendor side
Mobile Code: AWS points its clients to be responsible for meeting such requirements, while Azure points to building solutions that track mobile code
Cloud :: Azure
Azure's vision: distribution of information. CSA and ISO are better applicable than NIST; NIST is applicable as a custom controls collection. The best way is to adopt NIST enhancements together with CSA, which needs a remap CSA -> NIST rev4, e.g. Technical / Access Control / Security Attributes: attribute configuration; permitted attributes for specified information systems; permitted values and ranges for attributes
Cloud :: AWS
AWS's vision is not data distribution. NIST is better applicable than CSA; NIST is applicable as a custom controls collection. There are many enhancements to include (rev4 AC-2 account management enhancements): Dynamic Account Creation; Restrictions on Use of Shared / Group Accounts; group account requests, approvals / renewals; Account Monitoring - Atypical Usage, e.g. the S3 log-delivery-write canned ACL (a shared Log Delivery group granted write access)
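Account Monitoring / Atypical Usage is the one enhancement in that list that needs detection logic rather than policy text. The following is an added example, not code from the talk or from AWS: it builds a per-principal baseline from constructed CloudTrail-shaped records (service called, region, source /24, active hours) and flags later records that leave that baseline, plus any root-account use and any principal that has no baseline at all. The user names, addresses and events are made up; only the field layout follows CloudTrail.

```python
"""Account monitoring for atypical usage (NIST SP 800-53 AC-2(12)) over
CloudTrail-shaped records. Added example with constructed data; not the
talk's or AWS's code."""
import ipaddress
from collections import defaultdict


def rec(time, source, name, region, ip, user):
    """Build a minimal CloudTrail-shaped record (constructed data)."""
    ident = {"type": "Root"} if user == "root" else {"type": "IAMUser", "userName": user}
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip, "userIdentity": ident}


# Constructed baseline: "log-delivery" is a hypothetical shared service user that
# only writes S3 log objects; "alice" administers EC2 from the office network.
BASELINE = [
    rec("2013-05-01T01:10:00Z", "s3.amazonaws.com", "PutObject", "us-east-1", "10.20.30.4", "log-delivery"),
    rec("2013-05-01T05:10:00Z", "s3.amazonaws.com", "PutObject", "us-east-1", "10.20.30.9", "log-delivery"),
    rec("2013-05-01T09:30:00Z", "ec2.amazonaws.com", "DescribeInstances", "us-east-1", "203.0.113.17", "alice"),
    rec("2013-05-01T10:05:00Z", "ec2.amazonaws.com", "StartInstances", "us-east-1", "203.0.113.20", "alice"),
]

# Constructed records to screen against that baseline.
NEW_EVENTS = [
    # shared log-writer account suddenly touching IAM from an unknown network
    rec("2013-05-02T03:00:00Z", "iam.amazonaws.com", "CreateUser", "us-east-1", "198.51.100.7", "log-delivery"),
    # normal activity one hour later than usual: inside the tolerance window
    rec("2013-05-02T11:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "us-east-1", "203.0.113.9", "alice"),
    # root account usage is always reportable
    rec("2013-05-02T12:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "us-east-1", "203.0.113.9", "root"),
    # principal with no baseline at all
    rec("2013-05-02T12:30:00Z", "s3.amazonaws.com", "ListBuckets", "eu-west-1", "203.0.113.9", "mallory"),
]


def principal(record):
    """Account key: root is special-cased, IAM users by name, anything else by ARN."""
    ident = record["userIdentity"]
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def source_net(ip):
    """Collapse a caller IP to its /24 so neighbouring addresses share a baseline.
    CloudTrail may put a service name (e.g. 'ec2.amazonaws.com') here; keep it as is."""
    try:
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    except ValueError:
        return ip


def hour_of(record):
    """UTC hour from the ISO-8601 eventTime."""
    return int(record["eventTime"][11:13])


def build_profile(records):
    """Per-principal sets of services, regions, source networks and active hours."""
    profile = defaultdict(lambda: {"sources": set(), "regions": set(), "nets": set(), "hours": set()})
    for r in records:
        p = profile[principal(r)]
        p["sources"].add(r["eventSource"])
        p["regions"].add(r["awsRegion"])
        p["nets"].add(source_net(r["sourceIPAddress"]))
        p["hours"].add(hour_of(r))
    return profile


def detect_atypical(profile, records, hour_slack=1):
    """One finding per record that deviates from its principal's baseline."""
    findings = []
    for r in records:
        who, reasons = principal(r), []
        if who == "root":
            reasons.append("root account used")
        elif who not in profile:
            reasons.append("no baseline for principal")
        else:
            p = profile[who]
            if r["eventSource"] not in p["sources"]:
                reasons.append(f"new eventSource {r['eventSource']}")
            if r["awsRegion"] not in p["regions"]:
                reasons.append(f"new region {r['awsRegion']}")
            net = source_net(r["sourceIPAddress"])
            if net not in p["nets"]:
                reasons.append(f"new source network {net}")
            lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
            if not lo <= hour_of(r) <= hi:
                reasons.append(f"outside usual hours ({lo:02d}-{hi:02d} UTC)")
        if reasons:
            findings.append({"principal": who, "eventName": r["eventName"],
                             "eventTime": r["eventTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_atypical(build_profile(BASELINE), NEW_EVENTS):
        print(f["eventTime"], f["principal"], f["eventName"], "; ".join(f["reasons"]))
```

The baseline is deliberately coarse (sets, not counts): a shared group account such as a log writer has a very narrow legitimate profile, so any new service or source network is a strong signal, while an administrator drifting an hour outside the usual window is not.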
Cloud :: AWS
NIST SP 800-124
Refers to NIST SP 800-53 and others. Sometimes misses requirements such as device locking, although it is in NIST SP 800-53. A bit more detailed than CSA. No statements on permission management.
Make sure you start managing security under uncertain terms, without AI
[ DEVICE MANAGEMENT ]
Concurrency over native & additional security features
Sets: set of OS permissions; set of device permissions; set of MDM permissions; set of missed permissions (lack of controls); set of rules that explicitly should be applied to gain compliance; set of APIs; set of APIs that interact with sensitive data; set of APIs that do not interact with sensitive data. To get mobile security designed with full granularity, the set of missed permissions should be empty, so what matters is how close it is to empty. On the other hand, it should be found out whether the assumptions hold and whether the full set is achievable.
[ DEVICE MANAGEMENT ]
APPLICATION LEVEL ATTACK VECTOR
GOALS - mobile resources / aim of attack: device resources, outside-of-device resources
ATTACKS - set of actions under the threat
APIs - resources widely available to coders
SECURITY FEATURES - kernel protection, non-app features, MDM features
PERMISSIONS - explicitly configured
3RD PARTY - AV, firewall, VPN, MDM
COMPLIANCE - rules to design a mobile security in alignment with compliance to
[ BLACKBERRY. PERMISSIONS ]
BB 10 Cascades SDK: Background processing; BlackBerry Messenger; Calendar; Contacts; Camera; Device identifying information; Email and PIN messages; GPS location; Internet; Location; Microphone; Narrow swipe up; Notebooks; Notifications; Player; Phone; Push; Shared files; Text messages; Volume
BB 10 AIR SDK: + + + + + + + + + + + + + + +
PB (NDK/AIR): + via invoke calls + + via invoke calls + + + + + + + +
[ iOS. Settings ]
Restrictions by component (native application restrictions, 3rd-party application restrictions, and their subcomponents):
Allow: Safari; Camera, FaceTime; iTunes Store, iBookstore; Siri (Explicit Language)
Manage applications: Installing Apps; Removing Apps
Content type restrictions: Ratings per country and region; Music and podcasts; Movies, Books, Apps, TV shows; In-app purchases; Require Passwords (in-app purchases)
Privacy: Location (per each 3rd-party app; for system services); Contacts, Calendar, Reminders, Photos; Bluetooth Sharing; Twitter, Facebook
Accounts: disables changes to Mail, Contacts, Calendars, iCloud, and Twitter accounts; Find My Friends; Volume limit
Game Center: Multiplayer Games; Adding Friends
[ Android. Permissions ]
List contains ~150 permissions:
ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, ADD_VOICEMAIL, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_ACCESSIBILITY_SERVICE, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_REMOTEVIEWS, BIND_TEXT_SERVICE, BIND_VPN_SERVICE, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, …, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, NFC, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_PHONE_STATE, READ_PROFILE, READ_SMS, READ_SOCIAL_STREAM, READ_SYNC_SETTINGS, READ_SYNC_STATS, READ_USER_DICTIONARY, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALARM, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_POINTER_SPEED, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, USE_SIP, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CALL_LOG, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_PROFILE, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SOCIAL_STREAM, WRITE_SYNC_SETTINGS, WRITE_USER_DICTIONARY
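As an added example serving both the permission-set model in the device management section (the set of missed permissions that should be empty) and the list above: a Python script, not from the talk, that parses a constructed AndroidManifest.xml, picks out the requested permissions that touch sensitive data, subtracts the permissions that a hypothetical MDM's coarse control groups actually reach, and reports the remaining missed set together with a granularity ratio. The sensitive list and the MDM group mapping are assumptions for illustration, not Android's protection levels or any vendor's policy model.

```python
"""Permission coverage gap: sensitive permissions an app requests that no
MDM control group reaches. Added example with constructed data; the manifest,
the sensitive list and the control groups are illustrative assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def manifest_for(permissions, package="com.example.fieldapp"):
    """Render a minimal AndroidManifest.xml requesting the given permissions (constructed)."""
    body = "\n".join(f'  <uses-permission android:name="android.permission.{p}"/>'
                     for p in permissions)
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{package}">\n'
            f'{body}\n  <application android:label="app"/>\n</manifest>')


# Constructed manifest of a hypothetical field-work app.
MANIFEST = manifest_for(["INTERNET", "CAMERA", "READ_CONTACTS", "SEND_SMS",
                         "ACCESS_FINE_LOCATION", "READ_LOGS", "VIBRATE"])

# Assumed subset of permissions that reach sensitive data (the talk's "APIs that
# interact with sensitive data"); not Android's official protection levels.
SENSITIVE = {"CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "WRITE_CONTACTS", "READ_CALL_LOG",
             "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "ACCESS_FINE_LOCATION",
             "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE", "READ_LOGS"}

# Hypothetical MDM policy groups, modelled on the coarse groups of the iOS slide,
# each mapped to the Android permissions that group would actually constrain.
MDM_CONTROLS = {
    "CAMERA": {"CAMERA"},
    "MESSAGING": {"SEND_SMS", "READ_SMS", "RECEIVE_SMS", "WRITE_SMS"},
    "NETWORK": {"INTERNET", "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE"},
    "PHONE": {"CALL_PHONE"},
}


def requested_permissions(manifest_xml):
    """Set of permission short names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        names.add(name.rsplit(".", 1)[-1])  # android.permission.X -> X
    return names


def coverage_report(manifest_xml, sensitive=SENSITIVE, controls=MDM_CONTROLS):
    """Split requested permissions into MDM-covered and missed (sensitive, uncontrolled).
    granularity is 1.0 when the missed set is empty, i.e. full control coverage."""
    requested = requested_permissions(manifest_xml)
    controlled = set().union(*controls.values())
    sensitive_requested = requested & sensitive
    missed = sensitive_requested - controlled  # the set that should be empty
    granularity = 1.0 if not sensitive_requested else 1 - len(missed) / len(sensitive_requested)
    return {"requested": requested, "sensitive_requested": sensitive_requested,
            "covered": requested & controlled, "missed": missed,
            "granularity": round(granularity, 2)}


if __name__ == "__main__":
    report = coverage_report(MANIFEST)
    print("missed:", sorted(report["missed"]), "granularity:", report["granularity"])
```

Run over the constructed manifest, the camera and SMS permissions fall under a control group while contacts, fine location and log access do not, so the missed set is non-empty and the granularity is 0.4: exactly the gap between ~150 OS permissions and a handful of MDM groups that the slides are about.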
CONTROLLED 16 GROUPS ONLY (iOS MDM)
CAMERA, VIDEO, VIDEO CONF; CERTIFICATES (UNTRUSTED CERTs); CLOUD SERVICES BACKUP / DOCUMENT / PICTURE / SHARING; NETWORK, WIRELESS, ROAMING DATA, VOICE WHEN ROAMING; CONTENT (incl. EXPLICIT) RATING FOR APPS / MOVIES / TV SHOWS / REGIONS; CONNECTIVITY; MESSAGING (DEFAULT APP); PASSWORD (THE SAME WITH ANDROID, NEW BLACKBERRY DEVICES); PHONE AND MESSAGING (VOICE DIALING); PROFILE & CERTs (INTERACTIVE INSTALLATION); SOCIAL (DEFAULT APP); SOCIAL APPS / GAMING / ADDING FRIENDS / MULTI-PLAYER; DEFAULT SOCIAL-GAMING / SOCIAL-VIDEO APPS; DEVICE BACKUP AND ENCRYPTION; CONTENT
CONTROLLED 7 GROUPS ONLY (BlackBerry BES 10)
PASSWORD (THE SAME WITH ANDROID, iOS); BES MANAGEMENT (SMARTPHONES, TABLETS); SOFTWARE; OPEN WORK EMAIL MESSAGE LINKS IN THE PERSONAL BROWSER; TRANSFER THROUGH WORK PERIMETER TO SAME / ANOTHER DEVICE; BBM VIDEO ACCESS TO WORK NETWORK; VIDEO CHAT APP USES ORGANIZATION'S WI-FI / VPN; NETWORK; WIPE WORK SPACE WITHOUT NETWORK, RESTRICT DEV. MODE; VOICE CONTROL & DICTATION IN WORK & USER APPS; BACKUP AND RESTORE (WORK) & DESKTOP SOFTWARE; PC ACCESS TO WORK & PERSONAL SPACE (USB, BT); PERSONAL SPACE DATA ENCRYPTION; NETWORK ACCESS CONTROL FOR WORK APPS; PERSONAL APPS ACCESS TO WORK CONTACTS; SHARE WORK DATA DURING BBM VIDEO SCREEN SHARING; WORK DOMAINS, WORK NETWORK USAGE FOR PERSONAL APPS
PROFILES: EMAIL PROFILES; WI-FI PROFILES; VPN PROFILES; SECURITY
PROFILE PARAMS: CERTIFICATES & CIPHERS & S/MIME; HASH & ENCRYPTION ALGS AND KEY PARAMS; TASK / MEMO / CALENDAR / CONTACT / DAYS SYNC; ACCESS POINT, DEFAULT GATEWAY, DHCP, IPV6, SSID, IP ADDRESS; PROXY PASSWORD / PORT / SERVER / SUBNET MASK; PROXY, SCEP, AUTH PROFILE PARAMS; TOKENS, IKE, IPSEC, OTHER PARAMS; PROXY PORTS, USERNAME, OTHER PARAMS
CONCLUSION
The best security & permissions are ruled by AWS. In most cases the roles and responsibilities of cloud vendors & customers are not clear; responsibilities may get swapped, shifting the vendor's job onto the customer's shoulders. Vendors refer to independent audit reports under NDA as many times as they can. CSA puts cross-references to other standards, which adds more complexity & lack of clarity than NIST SP 800-53 does.
Select Security Controls (process): CSA -> Check Scope -> Define Granularity -> Remap to NIST -> NIST enhancements
Q&A