Cloud Service Provider (Csp) internal threats

CSP Internal Threats, by Hussein Mahgoob and Ahmed Ali El-Kosairy

Transcript of Cloud Service Provider (Csp) internal threats

Page 1: Cloud Service Provider (Csp) internal threats

CSP Internal Threats

Hussein Mahgoob, Ahmed Ali El-Kosairy

Page 2: Cloud Service Provider (Csp) internal threats

Introduction

➢ CERT (1) defines an insider threat as such:

A malicious insider threat =

➢ Organization

➢ + (current or former employee, contractor, or other business partner)

➢ + (authorized access to an Organization's system)

Page 3: Cloud Service Provider (Csp) internal threats

Impact Area

Page 4: Cloud Service Provider (Csp) internal threats

Introduction

➢ Example: Edward Snowden (2)

PRISM (2007): right or wrong?!!

➢ Something such as the Watergate scandal (3)

Page 5: Cloud Service Provider (Csp) internal threats

Objective

➢ How to protect yourself from internal threats, from the Cloud Service Provider (CSP) perspective

➢ How to protect yourself from internal threats at the CSP, from the user perspective

Page 6: Cloud Service Provider (Csp) internal threats

Objective

● As a client, we are looking for privacy (please check the previous presentation by Ahmed Nour).

● As a CSP, we are looking for Defense in Depth (DiD).

➢ What is DiD? Multiple layers of security controls and technologies.

Page 7: Cloud Service Provider (Csp) internal threats

Related Approaches

● Encryption

● Privilege and Authentication

● Security Policy

Page 8: Cloud Service Provider (Csp) internal threats

Our Approach

Using a combination of security intelligence systems such as:

Page 9: Cloud Service Provider (Csp) internal threats

Data Loss Prevention

● Host level

● Network level

● Format-based

● For CSP

Page 10: Cloud Service Provider (Csp) internal threats

Encryption

● For CSP and Client.

● Try to use multiple layers of encryption, such as SFS for Linux and EFS for Windows, combined with any third-party solution (4).

Page 11: Cloud Service Provider (Csp) internal threats

DRM

● For CSP and Client.

● Digital Rights Management (DRM) based on PKI.

● Examples:

● Snapchat

● Related news (5): Facebook tried to buy Snapchat for $3B. Snapchat may have rejected a $4 billion offer from Google.

● Microsoft DRM.

● Apple FairPlay.

Page 12: Cloud Service Provider (Csp) internal threats

Apple FairPlay

Page 13: Cloud Service Provider (Csp) internal threats

Can we trust CAs, DRM, and security algorithms?!!

Page 14: Cloud Service Provider (Csp) internal threats

User Access Authentication

● For CSP and Client.

● Use multi-factor authentication:

➢ Something you know.

➢ Something you have.

➢ Something you are.

➢ Two-man rule or two-person integrity (TPI). Example: nuclear bombs.

Page 15: Cloud Service Provider (Csp) internal threats

And

● Security Architecture – Segmentation.

● Risk Management – Assessments (CSP perspective):

➢ Check on vacations.

➢ Controls.

➢ Mitigate risk.

● Third-party audits.

● Policy enforcement.

Page 16: Cloud Service Provider (Csp) internal threats

Again, can we trust CAs, DRM, and security algorithms?!!!

Page 17: Cloud Service Provider (Csp) internal threats

Sony BMG DRM

• 2000: Napster issue, Shawn Fanning

• Music companies: "We will revenge"

• Sony BMG copy protection

• When inserted into a computer:

➢ the CDs installed one of two pieces of software,

➢ which provided a form of digital rights management (DRM) by modifying the operating system.

➢ Both programs could not be easily uninstalled.

➢ And they unintentionally created vulnerabilities that were exploited by unrelated malware (6).

• Rootkit scandal 2007 :)

Page 18: Cloud Service Provider (Csp) internal threats

ANSSI CA

➢ ANSSI: Rogue digital certificates that had been issued by the French certificate authority ANSSI, which works closely with the French defense agency (7).

Page 19: Cloud Service Provider (Csp) internal threats
Page 20: Cloud Service Provider (Csp) internal threats

RSA 4096-bit Cryptanalysis (8)

➢ Send encrypted mails to you (the attacker already knows the plaintext and the ciphertext).

➢ Listen to the frequency of your CPU with a microphone.

➢ Use low- and high-pass filters.

➢ This is called an acoustic signal attack: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (9).

Page 21: Cloud Service Provider (Csp) internal threats

Conclusion

We need to apply DiD at the client level and at the provider level.

Page 22: Cloud Service Provider (Csp) internal threats

Conclusion

● Using a combination of security intelligence systems such as:

➢ DLP

➢ Encryption (multiple layers of encryption)

➢ DRM

➢ User access

➢ Security architecture – segmentation

➢ Risk management – assessments

➢ Third-party audits

➢ Policy enforcement

➢ And (FDM), etc.

Page 23: Cloud Service Provider (Csp) internal threats

But remember: everything comes with a price.

Page 24: Cloud Service Provider (Csp) internal threats

References

(1) Cloud Security Alliance, "The Notorious Nine: Cloud Computing Top Threats in 2013", https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

(2) "Edward Snowden a 'hero' for NSA disclosures, Wikipedia founder says", World news, The Guardian (2013-11-25), http://www.theguardian.com/world/2013/nov/25/edward-snowden-nsa-wikipedia-founder; http://en.wikipedia.org/wiki/Edward_Snowden

(3) Watergate scandal, http://en.wikipedia.org/wiki/Watergate_scandal

(4) Rajesh Kumar Pal, Indranil Sengupta, "Enhancing File Data Security in Linux Operating System", IEEE Symposium on Computational Intelligence in Cyber Security (CICS '09), 2009, http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=4925089&queryText%3DEnhancing+File+Data+Security+in+Linux+Operating+System+by+Integrating+Secure+File+System

(5) Forbes, "Maybe Snapchat is crazy to turn down $3B, but was Facebook nuts to offer it?", http://www.forbes.com/sites/markrogowsky/2013/11/14/maybe-snapchat-is-crazy-to-turn-down-3b-but-was-facebook-nuts-to-offer-it/

(6) Halderman, J. Alex, and Felten, Edward, "Lessons from the Sony CD DRM Episode", Center for Information Technology Policy, Department of Computer Science, Princeton University, 2006-02-14, http://www.copyright.gov/1201/2006/hearings/sonydrm-ext.pdf; http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

(7) The Hacker News, "Fake Google SSL certificates made in", http://thehackernews.com/2013/12/fake-google-ssl-certificates-made-in.html

(8) ExtremeTech, "Researchers crack the world's toughest encryption by listening to the tiny sounds made by your computer's CPU", http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu

(9) "RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis", acoustic-20131218.pdf, http://www.cs.tau.ac.il/~tromer/acoustic/