CompTIA CASP+ CAS-004 – Chapter 05 – Implementing Security for Cloud and Virtualization Technologies Part 3

9. Cloud-Augmented Security Services

All right, so cloud computing is very popular. We’ve talked about that. And everybody’s kind of falling all over themselves to put all their data in the cloud. But there are security issues that arise when you do this. Where is the data residing physically? Is it mingled with other people’s data? How secure is it actually? And it is quite scary to trust the security of your data to others. And so now let’s take a little bit further look at some issues surrounding cloud security and some of the cloud augmented security services that are out there. One method that’s been used to steal data from the cloud infrastructure is process called hash matching or hash spoofing.

A good example of this is an attack in the past on cloud vendor Dropbox. So Dropbox uses hashes to identify the blocks of data that are stored by users in a cloud. It’s part of a data deduplication process. And those hashes which get derived from the actual data used, or data stored there, are used to uniquely identify the data. They’re also used to determine whether the data has changed when a user connects. And that would indicate, consequently, whether they needed to have a synchronization that it did occur. So the attack involves spoofing the hashes in order to gain access to arbitrary pieces of somebody else’s data. Because the unauthorized access was granted from the cloud, the customer whose files were being distributed didn’t even know what was happening.

Now it was discovered, and Dropbox has since addressed the issue through the use of stronger hashing algorithms. But hash matching could still be a concern with any sort of cloud solution. You know, now we know hashes are forces of good as well. Antivirus programs use hashes to identify malware. Signature based AV products are looking for matching hashes and they’re doing that. But the problem that has developed is that malware has evolved. It can now change itself and so it’s thereby changing its hash value. And this is leading to the use of what’s called fuzzy hashing, which, unlike typical hashing, in which an identical match has to occur, fuzzy hashing looks for hashes that are close but not perfect.

So just keep that in mind. That’s a potential attack that is out there and has actually happened. Move on to cloud based antimalware products. These are animal wire that don’t run on your local computer, but run in the cloud. They obviously would create a smaller footprint on the client because they’re utilizing processing power in the cloud. And they have a couple of distinct advantages. They do allow access to the latest malware data within minutes. It eliminates, therefore, the need for updates.

And that’s pretty much across the board with cloud technologies, is that you minimize or eliminate the need for updates. Well, with anti-malware that’s a big deal because we’re getting definition updates all the time. They also make sure that it’s a small client. And so the small client doesn’t require nearly as much processing power. So eliminate the need to continually update. Small footprint doesn’t require a lot of processing power. There are some disadvantages. There’s a client to cloud relationship, which means they can’t really run in the background and they may only be able to scan core Windows files and not the whole computer. And then the obvious one, which is not in the slide, but you probably don’t need it to be, is that well now it’s dependent on the Internet connection.

So if it’s cloud based, you have to have your internet connection up and running in order for you to be able to access that along with Nmlware. Just so you know, there are anti spam services that can be offered from the cloud. Postini is a pretty popular anti spam capability out there. Those are up and running, you can use those. Barracuda has one postini trend micro message labs. All of those have cloud based anti spam that can just filter messages prior to those messages being received by your email server. We have cloud based vulnerability scanning as well. That’s a service that’s being performed from the vendors cloud. It’s a good example of software as a service. The benefits that you get are really the benefits you get from any SaaS offering.

That is, you don’t have any equipment, you don’t have anything locally, no footprint at all, you don’t have to manage updates or anything like that. So it’s got low installation and maintenance cost along with automatic upgrades. But one of the potential disadvantages is that the data findings are stored at the provider instead of the customer, and that is a considerable disadvantage. It means the customer is dependent on the provider to make sure that the vulnerability data is kept secure. But keep that in mind. Sandboxing is the segregation of virtual environments for security purposes. We’ve talked about sandboxing with applications. Well, sandboxed appliances have been used in the past to supplement the security features of a network and they can be used to test suspicious files in a protected network.

Cloud based sandboxing has some advantages over sandboxing that’s performed on prem because it’s number one, free of hardware limitations. It’s very scalable, very elastic, it’s possible to track malware over a period of hours or days, it can be easily updated with any operating system type inversion, and it’s not limited by geography. So we can consider doing our sandboxing in the cloud. One potential disadvantage is that many sandboxing products suffer incompatibility issues with a lot of applications and other utilities like AV products, which just means it’s not going to work in every situation. Filtering of web content is another thing that can be provided as a cloud based solution.

In this case, all of your content is going to be examined through the providers. The benefits are those that you get from any cloud solution savings on equipment, support of the content filtering process while still maintaining control of it. So you get access to the software. But with content filtering, of course there’s a high level of configuration that is done.

So you still have control, but you don’t have to actually purchase the equipment, purchase, licensing, things like that. You still get the policy control reporting all of those. A cloud security broker or cloud access security broker. CASB is a software layer that operates sort of as a gatekeeper between the on prem network and the cloud environment and it can provide a lot of different services. Vendor in that security space are sky high networks. Netscope they give you compliance controls, data security controls, threat protection. DLP that is a can function as a security broker in between you and the actual public cloud provider.

10. Security as a Service

Another cloud service is Security as a service or SEC AAS. Many organizations don’t have the skill sets locally to provide the required security services, but it doesn’t make business sense in a lot of cases to do that. You have a small number of employees, you got one or two It people, you’re not going to hire a security professional full time, right?

So instead it would make sense for them to engage a security provider because that’s going to give them a lot of advantages, cost savings, they’re still going to get consistent and uniform protection. They’re definitely going to have a greater security expertise. Outsourcing of security related administrative tasks, intuitive administrative interface, those are some of the advantages. Taking the idea of that security is a service a step further than you have managed security service providers, these are full.

You can fully outsource all your information assurance into a third party. So that’s up to each individual, to each individual company. But I had mentioned earlier I work for an MSP. Now, we don’t necessarily do the managed security service provider, but that’s an option. And a lot of we have managed it and we call it as a service. And there are different security aspects, but you can become a full client and so therefore you’re outsourcing your control to us. We come in, we help you make decisions, we do analysis on the environment, we decide what’s best from a performance standpoint, recover, standpoint, backups, security, you name it, we do it. And a lot of organizations will do that. And they’ll turn it over to a third-party provider to take advantage of the expertise that the third-party provider has.

11. Virtualization Vulnerabilities

When a guest operating system is virtualized, they’re going to share a common host machine. So when you have multiple virtual machines, this system sharing on the host has different security requirements. And there are some issues that can arise. First, one of these is the VM escape attack. In this case, the attacker breaks out of a virtual machine’s normally isolated state and can interact directly directly with the hypervisor. And VMs usually share the same physical resources. So if the attacker can figure out how this VM’s virtual resources map to the physical resources, then he or she would be able to conduct attacks directly against the real physical resources.

If the attacker is able to modify the memory in any way, they could exploit how the physical resources are mapped to each VM. And so therefore, by getting from one VM into the hypervisor, the attacker could affect all VMs and potentially other programs on that machine. In order to help mitigate a VM escape attack, the virtual servers should only be on the same physical servers as others in their network segment. In some cases, the dangers of privilege, escalation or elevation in a virtualized environment would be equal to or greater than those in a physical environment.

So when the hypervisor is doing its duty of handling calls between the guest OS and the hardware, any flaws introduced to those calls could allow an attacker to escalate privileges in the guest operating system. A recent case of one of these was in VMware ESX server, as well as the workstation fusion and View products that could have led to an escalation on the host. Now, VMware responded and reacted very quickly to fixed it with a security update. The key to preventing any of these, or a lot of these, is to make sure you have all the latest updates and patches even on your hypervisor.

One of the advantages of virtualized environment is the ability of the system to move a VM or migrate it from one host to another when that’s necessary. This is called a live migration. When VMs are on the network between secured perimeters, an attacker could exploit that network vulnerability to gain unauthorized access. If they have access to images, they can plant malicious code in the images to then plant attacks on data centers where the VMs are traveling between. Okay, so live migration is actually just moving a virtual machine from one host to another.

And if I’m able to plant an attack on that particular VM, then that can travel. Often the protocols that are used for the migration are not encrypted. So it also makes a man in the middle attack on the VM possible while it’s in transit. Key to preventing man in the middle attacks is just the encryption of the images where they are stored and that can stop that from happening. Then we have data remnants and that’s sensitive data that’s inadvertently replicated in VMs, usually as a result of cloud maintenance functions, or possibly remnant data left behind on terminated VMs.

All of that needs to be protected. If you move data, there may be residual data that’s left behind, and unauthorized users may be able to access it. So we need to make sure that any remaining data in the old location is removed. This can be big concern with confidential data in private clouds and any sensitive data in public clouds. There have been some commercial products that have been released to permanently remove data from PCs, servers, data center equipment, et cetera. And that may be something that the organization needs to look into.

12. Topic B: Securing Remote Access and Collaboration

In this topic, we’re going to be looking at securing remote access and collaboration. Increasingly, in today’s environment, workers and the organizations where they work are relying on various and new methods for communicating and working together. And anytime we have methods, new methods for communicating, we have new security concerns. So we need to be familiar with technologies for remote access, for unified collaboration tools and understand the security issues that they raise, as well as be able to implement controls that will help to mitigate security issues.

13. Remote Access

A remote access application simply allow users to access the organization’s resources from a remote connection. These remote connections used to be dial up, but for the most part, those are antiquated. Increasingly, now they’re using the Internet as the network over which the data is transmitted. And so they’re using a virtual private network connection. If an organization is going to allow remote access us to internal resources, then we need to ensure that the data is protected. And we typically do that with encryption to ensure confidentiality.

While the data is being transmitted between the client and the server, most servers will be configured to require encryption. And so any connection attempt that doesn’t use encryption is going to be denied. All right? And we also need to authenticate because we need to identify that you are who you say you are, and then you’re authorized to access resources. Remote access is not new. This is a fairly mature technology, and so the proper security measures have been clearly defined. It’s something we need to think about and talk about, but it’s not you’re not dealing with an up-and-coming technology.