nélson rafael joão faria diogo ribeiro daniel...
TRANSCRIPT
![Page 1: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/1.jpg)
Daniel PereiraDiogo Ribeiro
João FariaNélson Rafael
Cloud Computing
SSIN 2015
![Page 2: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/2.jpg)
Summary
● Introduction● Cloud Computing
○ Vulnerabilities○ Threats○ Breaches○ Attacks○ Countermeasures
● Practical Demonstration of Openstack Vulnerabilities
![Page 3: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/3.jpg)
Cloud Computing Service Providers on Cloud Service Models
Cloud Service Models Cloud Service Providers
SaaSAntenna Software, Cloud9 Analytics, CVM Solutions, Exoprise Systems, Gageln, Host Analytics, Knowledge Tree, LiveOps, Reval, Taleo, NetSuite, Google Apps, Microsoft 365, Salesforce.com, Rackspace, IBM, and Joyent
PaaSAmazon AWS, Google Apps, Microsoft Azure, SAP, SalesForce, Intuit, Netsuite, IBM, WorkXpress, and JoyentAmazon AWS, Google Apps, Microsoft Azure, SAP, SalesForce, Intuit, Netsuite, IBM, WorkXpress, and Joyent
IaaSAmazon Elastic Compute Cloud, Rackspace, Bluelock, CSC, GoGrid, IBM, OpenStack, Rackspace, Savvis, VMware, Terremark, Citrix, Joyent, and BluePoint
![Page 4: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/4.jpg)
The cloud reference architecture. We map cloud-specific vulnerabilities to components of this reference architecture, which gives us an overview of which vulnerabilities might be relevant for a given cloud service.
![Page 5: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/5.jpg)
Taxonomy of Cloud Computing Threats
● Hackers might abuse the forceful computing capability provided by clouds by conducting illegal activities.
● Hackers could rent the virtual machines, analyze their configurations, find their vulnerabilities, and attack other customers’ virtual machines within the same cloud.
● IaaS also enables hackers to perform attacks, e.g. brute-forcing cracking, that need high computing power.
● Data in all three cloud models can be accessed by unauthorized internal employees, as well as external hackers.
![Page 6: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/6.jpg)
Factors contributing to risk according to the Open Group’s risk taxonomy. Risk corresponds to the
product of loss event frequency (left) and probable loss magnitude (right). Vulnerabilities influence the
loss event frequency.
![Page 7: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/7.jpg)
Vulnerabilities
● Session Riding● Virtual Machine Escape● Reliability and Availability of Service● Insecure Cryptography● Data Protection and Portability● CSP Lock-in● Internet Dependency
![Page 8: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/8.jpg)
Threats
● Ease of Use● Secure Data Transmission● Insecure APIs● Malicious Insiders● Shared Technology Issues● Data Loss
● Data Breach● Account/Service Hijacking● Unknown Risk Profile● Denial of Service● Lack of Understanding● User Awareness
![Page 9: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/9.jpg)
Data Breaches
● Malicious Insider
● Online Cyber Theft
![Page 10: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/10.jpg)
Cloud Security Attacks
● Malware Injection Attack
● Wrapping Attack
![Page 11: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/11.jpg)
Countermeasures● Security Policy Enhancement
● Access Management
● Data Protection
● Security Techniques Implementation
![Page 12: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/12.jpg)
Practical Demonstration
● Credential Theft
● Session Hijacking (sidejacking method)
● Malicious Insider (memory dump scanning method)
![Page 13: Nélson Rafael João Faria Diogo Ribeiro Daniel Pereirajmcruz/ssi/ssi.1516/trabs-als/final/G2T6... · João Faria Nélson Rafael Cloud Computing SSIN 2015. Summary Introduction Cloud](https://reader034.vdocument.in/reader034/viewer/2022042800/5a775efe7f8b9a93088dc94e/html5/thumbnails/13.jpg)
#Questions?