Cloud Computing Security Research


Shane Fry

NSA

September 28, 2011


Overview

Who am I?

What is vulnerability analysis?

What is the cloud?

Who is the cloud?

What are the security concerns?

What are some malicious uses of the cloud?



What is Vulnerability Analysis?

  • Looking for vulnerabilities in software, hardware, or entire systems.

  • The goal:

    • Improve the security of hardware/software/systems

    • Create configuration guidance to mitigate vulnerabilities

  • Two kinds of vulnerability analysis

    • Black box

    • White box




Black box testing

Easy

No source code

Tests boundaries between components

Limited code coverage

Reverse Engineer code to determine where the problem code is, and what is going wrong


White box testing

  • Time consuming

  • Greater code coverage

  • Static source code analysis

    • Automated

    • Manual

  • Specific tests for suspected problem code


Grey box testing

  • Uses both White box and Black box techniques:

    • Fuzzing

    • Reverse Engineering

    • Source code analysis



NIST Definition

On-demand self-service

Broad network access

Resource pooling

Rapid elasticity

Measured service

[2]


NIST Definition

Visual Model of NIST Working Definition of Cloud Computing

http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.hml

Essential Characteristics

Delivery Models

Deployment Models

[6]


What is the cloud?

  • Storage

    • Cheap

    • Distributed

    • Automated backups

  • Computing

    • Cheap

    • Scalable

    • No infrastructure to manage

  • Usually both are employed



Security Concerns

What do you think the security concerns are when using the cloud?


Security Concerns

  • Data center location

  • Network perimeter security

    • Packet replay attacks

    • Information disclosure

  • Infrastructure security

    • Patch process

    • Underlying protocol security


Security Concerns

  • Physical security

  • Backup location

  • File scrubbing

    • Persistent data storage

    • VM Images

  • VM Image Security

    • OS Security

    • Known good state

    • Modified base image



Malicious Use

WPA cracking [4]

Password cracking [5]

DDoS attacks [3]

Botnets [3]



References

  • [1] http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

  • [2] http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

  • [3] http://www.defcon.org/images/defcon-18/dc-18-presentations/Bryan-Anderson/DEFCON-18-Bryan-Anderson-Cloud-Computing.pdf

  • [4] https://www.wpacracker.com

  • [5] http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/

  • [6] http://2.bp.blogspot.com/_hnCtHg5syTo/S-QY0NuPrrI/AAAAAAAAAKk/yHswSLD0fQk/s1600/NIST+Cloud.jpg

  • [7] http://blogs.southworks.net/mwoloski/files/2008/08/posterservices.png


