Auditors can have a significant positive impact on cybersecurity. This slide deck is from a sold-out presentation on Azure for Auditors for ISACA and IIA in Seattle. How can auditors help cloud security? What should auditors and those performing cloud security assessments consider when evaluating cloud security on Azure? If you'd like to learn more, check out my cybersecurity classes at https://2ndsightlab.com
8. @teriradichel
Cost of a Breach
• It goes up daily…
• Executives know this.
• They say they care.
• So why all the breaches?
9. @teriradichel
The cost will keep going up…
• GDPR: 4% of revenue.
• More regulation likely coming if we don’t fix it.
• Regulations cost a lot and make EVERYTHING more complicated.
• Fix it before that happens.
11. @teriradichel
The bigger cost
• Democracy
• Cyberwar
• Critical infrastructure
• Healthcare systems
• Some people call this FUD.
• I call it reality.
12. @teriradichel
Definition of war and insurance
• Check the definition of war.
• Check your policy.
• Insurance companies may have an out.
• Maybe you can change your policy.
• Talk to your lawyer about definitions.
• Better yet…
• Instead of relying on insurance – let’s protect the systems.
13. @teriradichel
Auditors are key!
• Audit the systems.
• Show the problems.
• Translate into potential realities.
• Raise awareness.
• Explain to them why it matters.
• Help obtain resources and training.
• Get companies to fix problems.
15. @teriradichel
Azure Internet Connections
• Anything exposed to the Internet will be scanned and attacked.
• Storage Accounts
• Databases
• Virtual Machines
• Containers
• Serverless Functions
• Common problems: RDP Brute Force and Misconfigured Data Stores
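The RDP brute-force problem on this slide usually traces back to one network security group rule that allows inbound 3389 from any source. The script below is an added example (not from the deck or its author) that audits NSG rules for management ports reachable from the whole Internet. It assumes the JSON shape of `az network nsg list -o json` for the fields it reads, uses a constructed sample rather than real tenant data, and models the NSG evaluation order (ascending priority, first match wins, default DenyAllInBound if nothing matches):

```python
"""Audit NSG rules for management ports reachable from the whole Internet.

SAMPLE_NSGS is a constructed sample shaped like `az network nsg list -o json`
output (only the fields this check reads); it is not data from any real tenant.
"""
import json

MANAGEMENT_PORTS = {3389: "RDP", 22: "SSH"}
# Source prefixes that mean "anyone on the Internet" (wildcards and the service tag).
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}

SAMPLE_NSGS = json.loads("""
[
  {"name": "web-nsg",
   "securityRules": [
     {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound",
      "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
      "destinationPortRange": "3389"},
     {"name": "allow-https", "priority": 110, "direction": "Inbound",
      "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
      "destinationPortRange": "443"}]},
  {"name": "bastion-nsg",
   "securityRules": [
     {"name": "deny-mgmt-from-internet", "priority": 100, "direction": "Inbound",
      "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
      "destinationPortRanges": ["22", "3389"]},
     {"name": "allow-wide-range", "priority": 200, "direction": "Inbound",
      "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
      "destinationPortRange": "1-65535"}]},
  {"name": "corp-only-nsg",
   "securityRules": [
     {"name": "allow-rdp-from-vpn", "priority": 100, "direction": "Inbound",
      "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.50.0.0/16",
      "destinationPortRange": "3389"}]}
]
""")


def port_ranges(rule):
    """Normalise destinationPortRange / destinationPortRanges to (low, high) tuples."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    out = []
    for r in ranges:
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def matches_internet_tcp(rule, port):
    """True if an inbound packet from an arbitrary Internet address to TCP `port` hits this rule.

    Rules scoped to a specific CIDR are deliberately not treated as Internet-wide."""
    if rule["direction"] != "Inbound" or rule["protocol"] not in ("Tcp", "*"):
        return False
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
    if not any(s in INTERNET_SOURCES for s in sources):
        return False
    return any(lo <= port <= hi for lo, hi in port_ranges(rule))


def internet_exposed_ports(nsg):
    """Return {port: rule_name} for management ports an Internet client can reach.

    NSG semantics: rules are evaluated by ascending priority and the first match wins;
    with no match, Azure's default DenyAllInBound rule applies, so nothing is exposed."""
    findings = {}
    rules = sorted(nsg["securityRules"], key=lambda r: r["priority"])
    for port in MANAGEMENT_PORTS:
        for rule in rules:
            if matches_internet_tcp(rule, port):
                if rule["access"] == "Allow":
                    findings[port] = rule["name"]
                break  # first matching rule decides, whether Allow or Deny
    return findings


def audit(nsgs):
    """Map NSG name -> exposed ports, only for NSGs with at least one finding."""
    results = {}
    for nsg in nsgs:
        exposed = internet_exposed_ports(nsg)
        if exposed:
            results[nsg["name"]] = exposed
    return results


if __name__ == "__main__":
    for name, exposed in audit(SAMPLE_NSGS).items():
        for port, rule in exposed.items():
            print(f"{name}: {MANAGEMENT_PORTS[port]} ({port}) open to the Internet via rule '{rule}'")
```

On the sample, only `web-nsg` is reported: `bastion-nsg` has a higher-priority Deny that shadows its over-broad Allow, and `corp-only-nsg` restricts RDP to a VPN range. In a real assessment, feed it the saved output of `az network nsg list` and treat every hit as a candidate for the VPN or bastion-plus-JIT pattern shown later in the deck.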
18. @teriradichel
Understand network layers and protocols
• OSI Model – Layers 1-7 – protections at different network layers.
• TLS doesn’t always save you.
• It doesn’t encrypt everything.
• DNS over HTTPS is coming out.
• This will hide DNS traffic used by security systems to spot malware.
• Good or bad??
• Do you know the difference between an SSL VPN and an IPsec VPN?
• One encrypts more traffic than the other.
19. @teriradichel
What was the original purpose of a VPN?
• What was the initial purpose of a VPN?
• Not to hide your traffic so you can watch videos in a foreign country.
• Not for pentesting so people can’t tell where you are coming from.
• Not for end users to hide their traffic from their ISP.
• What was it?
20. @teriradichel
Connect to private network from anywhere
[Diagram: firewall; trusted users only; authenticated; encrypted tunnel; specific CIDR block; network restrictions specific to VPN network traffic ranges]
21. @teriradichel
VPN + Bastion Host + JIT
[Diagram: Internet → VPN + firewall or NSG (trusted users only) → bastion host + JIT → VMs]
22. @teriradichel
Private Network + Bastion Host + JIT
[Diagram: Express Route or Azure VPN → firewall or NSG (trusted users only) → bastion host + JIT → VMs]
24. @teriradichel
How are systems connected?
• Azure Connectivity – VPN or Express Route? Or Internet?
• What about Cloud Shell traffic via a web browser?
• Connections from Azure to third-parties?
• What traffic is and is not visible to security team and monitored?
• Who approves, tracks, and sets up new network connections?
• Is DLP in place to spot potential exfiltration?
• What paths exist from your most sensitive data to the Internet?
25. @teriradichel
Azure Cloud App Security
• Works as a CASB
• Identifies Shadow IT
• What apps are connected to Azure?
• Can they exfiltrate data?
• Third-party options: McAfee, Netskope
29. @teriradichel
How they (credentials) are stolen
• Credentials in code
• Phishing attacks
• Shared
• Malicious insider
• Malware on machine
• Social engineering
30. @teriradichel
What they are used for…
• Steal data
• Ransomware
• Cryptominers
• Delete systems – or an account!
• Maintain a foothold
• Monitor communications
• Steal intellectual property
• Attack other systems
32. @teriradichel
IAM – Integrate and Automate
• Azure AD
• Integrated with main Active Directory store
• Using same HR processes
• Automated
• When someone leaves, is their access automatically removed?
• When someone changes roles, is their access automatically changed?
• Is creation of users automated to prevent human error?
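The three questions on this slide are a joiner/mover/leaver reconciliation, and an auditor can run it as a script rather than by sampling. The example below is added here and is not from the deck or its author; it assumes a constructed HR export with a status and role per person, a constructed directory export whose `userPrincipalName` and `accountEnabled` fields follow `az ad user list` plus an assumed `groups` list, and an assumed role-to-groups mapping. It flags leavers still enabled, active staff with no account, accounts with no HR record, and group memberships beyond what the role calls for:

```python
"""Reconcile an HR roster against a directory export (joiner / mover / leaver check).

All records below are constructed for illustration; the export shapes are assumptions.
"""

# Constructed HR export: one row per person, status and job role as HR records them.
HR_ROSTER = [
    {"employee_id": "E100", "upn": "alice@example.com", "status": "active", "role": "cloud-engineer"},
    {"employee_id": "E101", "upn": "bob@example.com", "status": "terminated", "role": "finance-analyst"},
    {"employee_id": "E102", "upn": "carol@example.com", "status": "active", "role": "finance-analyst"},
    {"employee_id": "E103", "upn": "dave@example.com", "status": "active", "role": "cloud-engineer"},
]

# Constructed directory export: userPrincipalName / accountEnabled as `az ad user list`
# reports them, plus an assumed `groups` list resolved separately.
DIRECTORY = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True, "groups": ["g-cloud-engineers"]},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True, "groups": ["g-finance"]},
    {"userPrincipalName": "carol@example.com", "accountEnabled": True, "groups": ["g-finance", "g-cloud-engineers"]},
    {"userPrincipalName": "svc-legacy@example.com", "accountEnabled": True, "groups": ["g-cloud-engineers"]},
]

# Assumed mapping from HR role to the groups that role is entitled to.
ROLE_GROUPS = {
    "cloud-engineer": {"g-cloud-engineers"},
    "finance-analyst": {"g-finance"},
}


def reconcile(hr_roster, directory, role_groups):
    """Return a sorted list of finding tuples; an empty list means HR and the directory agree."""
    by_upn = {u["userPrincipalName"].lower(): u for u in directory}
    seen = set()
    findings = []
    for person in hr_roster:
        upn = person["upn"].lower()
        seen.add(upn)
        acct = by_upn.get(upn)
        if person["status"] == "terminated":
            # Leaver: the account must be gone or disabled.
            if acct and acct["accountEnabled"]:
                findings.append(("leaver-still-enabled", upn))
            continue
        if acct is None:
            # Joiner never provisioned (or provisioned under a different name).
            findings.append(("joiner-missing-account", upn))
            continue
        if not acct["accountEnabled"]:
            findings.append(("active-but-disabled", upn))
        # Mover: groups left over from a previous role exceed the current entitlement.
        extra = set(acct["groups"]) - role_groups.get(person["role"], set())
        if extra:
            findings.append(("excess-groups", upn, tuple(sorted(extra))))
    for upn in by_upn:
        if upn not in seen:
            # Account with no HR owner: service account, contractor, or orphan.
            findings.append(("no-hr-record", upn))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, DIRECTORY, ROLE_GROUPS):
        print(finding)
```

Each finding maps to one of the slide's questions: `leaver-still-enabled` is the leaver process failing, `excess-groups` is a role change that was never cleaned up, and `joiner-missing-account` or `no-hr-record` means the HR-driven automation is not the only path by which accounts get created.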
33. @teriradichel
MFA – Is it in place and is it effective?
• Is MFA in place – for everyone?
• How long is MFA cached?
• Is it truly two-factor?
• How can MFA be bypassed?
• And yes, it can be!
34. @teriradichel
IAM – Segregation, Least Privilege
• Least privilege
• Humans, compute resources, all permissions
• Only privileges to do what is needed
• Segregation
• If one person’s creds stolen – how much can those creds access?
• What can they do?
36. @teriradichel
Application and user permissions
• Service principals or managed identities for applications
• Only permissions required granted to users and resources
• Cannot create resources with higher permissions than themselves
• JIT enforced for remote access
• Only required network ports and rules allowed
• Verify someone is monitoring logs and responding to events
• Network traffic, application, OS, Active Directory, Activity logs
37. @teriradichel
Secrets management
• No secrets in code
• Secrets stored in a vault
• Azure Key Vault
• HashiCorp Vault
[Diagram: running code retrieves secrets from the vault; Azure Key Vault contains the (encrypted!) secrets]
An application can only retrieve the secrets that belong to it, not secrets for other applications. In a SaaS application, users can only retrieve their own secrets!
38. @teriradichel
Where are secrets exposed?
• Metadata, configuration files, documentation
• Logs, backup files, caches, environment variables, registry
• GitHub and other source control systems
• Databases, unencrypted
• On developer documentation systems (Confluence)
• In Slack, chat, IM
• Email, Support Tickets
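Every location on this slide is a text artifact an auditor can be handed and scanned. The scanner below is an added example, not code from the deck or its author; its patterns are heuristics I chose (a storage `AccountKey=` followed by a long base64 run, `client_secret=`, `password=`, and a PEM private-key header), and the config file, log, runbook page, chat export and README it scans are all constructed. It reports the artifact, line and kind of secret, and masks the value so the report itself does not become one more place the secret is exposed:

```python
"""Scan text artifacts (configs, logs, wiki pages, chat exports) for exposed secrets.

Patterns are heuristics chosen for this example, not an authoritative list; all
artifacts below are constructed and the "secrets" in them are placeholders.
"""
import re

PATTERNS = {
    # Azure Storage connection strings carry a long base64 account key.
    "storage-account-key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
    # client_secret / CLIENT-SECRET / clientsecret followed by = or :
    "client-secret": re.compile(r"(?i)client[_-]?secret\s*[=:]\s*[\"']?([^\s\"']{8,})"),
    # password=... in logs, connection strings or tickets
    "password": re.compile(r"(?i)\bpassword\s*[=:]\s*[\"']?([^\s\"';]{6,})"),
    # PEM private key pasted into a chat or wiki
    "private-key": re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
}

# Constructed artifacts; the account key is 86 'Q's and the other values are obvious placeholders.
ARTIFACTS = {
    "appsettings.json": (
        "{\n"
        '  "Storage": "DefaultEndpointsProtocol=https;AccountName=examplestore;'
        "AccountKey=" + "Q" * 86 + '==;EndpointSuffix=core.windows.net"\n'
        "}"
    ),
    "app.log": (
        "2020-02-01T10:00:00Z INFO db connect user=app password=Hunter2-sample host=db01\n"
        "2020-02-01T10:00:01Z INFO connected"
    ),
    "confluence-runbook.txt": (
        "Deploy steps\n"
        "export AZURE_CLIENT_SECRET=placeholder-client-secret-value\n"
        "az deployment group create -g rg-app -f main.bicep"
    ),
    "slack-export.txt": (
        "bob: attaching the cert so you can test\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEplaceholderkeymaterialplaceholder\n"
        "-----END RSA PRIVATE KEY-----"
    ),
    "README.md": "Password rotation policy: rotate every 90 days.",
}


def mask(value):
    """Keep a short prefix so a finding can be traced without reproducing the secret."""
    return value[:4] + "***"


def scan(artifacts):
    """Return [(artifact, line_number, kind, masked_value), ...] for every hit."""
    findings = []
    for name, text in artifacts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append((name, lineno, kind, mask(match.group(1))))
    return findings


if __name__ == "__main__":
    for artifact, lineno, kind, masked in scan(ARTIFACTS):
        print(f"{artifact}:{lineno}: {kind} -> {masked}")
```

The README line mentioning a password policy is not reported, which is the point of anchoring the patterns on `=` or `:`; expect tuning against your own artifacts, and treat every confirmed hit as a secret to rotate, not just to delete.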
40. @teriradichel
Subscriptions and resource groups
• Is the organization using access segregation effectively to limit risk?
• How are subscriptions and resource groups organized and managed?
• Are different teams, lines of business, SDLC functions segregated?
• Different projects, different microservices, different trust levels
• Are permissions between each limited to what is required?
• Can get complicated – a dedicated team?
41. @teriradichel
Deployment systems
• How are deployment systems and networks architected?
• Do they provide adequate governance?
• How are deployment systems secured (Jenkins, repositories)?
• Who has access to change the Deployment systems?
• Can the deployment systems be bypassed by manual changes?
• Are security scans and checks built into deployment processes?
• Is the security team monitoring deployment systems?
42. @teriradichel
Other ways malware gets into systems
• Cryptominers inserted into third-party software, web pages
• E-skimming software – CMS, plugins
• Software packages – Docker Hub containers, Python libraries
• Source code changes
• Misconfigurations, developer induced vulnerabilities
• Third party code included via URLs
• PS: Don’t expose your CMS Admin site to Internet!
44. @teriradichel
Azure and OWASP Top 10
• WAF
• Front Door
• Advanced Threat Protection
• Azure Security Center
45. @teriradichel
Vulnerability scanning
• Before Deployment
• Automated
• In the deployment pipeline
• Segregation of Duties - Not manually or controlled by Devs
• Serverless scanning mainly depends on static code analysis
• After Deployment
• Cloud Native options – agents will report to Azure Security Center
• Third parties – Azure integrates with Qualys, others
• Azure Security Center will tell you whether or not it finds a scanning agent installed.
47. @teriradichel
Patching
• Including DevOps systems!
• Check the Jenkins server…
• Check Kubernetes…
• Immutable deployments are better than patching live systems!
• Make sure systems can’t change once they are scanned.
48. @teriradichel
Encryption
• Is everything encrypted?
• Disks, databases, files, storage accounts, logs, queues, metadata?
• Is the boot disk encrypted (Azure uses BitLocker)?
• Who has access to keys – can this be limited via automation?
• Are the keys rotated frequently (30-90 days or even less?)
• In a SAAS environment – does each customer have separate keys?
• Are appropriate algorithms, modes, and key lengths used?
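Three of the questions on this slide (rotation interval, per-customer keys, key lengths) can be answered from a key inventory. The script below is an added example, not from the deck or its author. The key records are constructed and their field names are an assumed export shape (roughly what `az keyvault key list` and `key show` report), with an assumed `customer` tag listing the tenants a key serves; the audit date is fixed so the result is reproducible:

```python
"""Assess a Key Vault key inventory for rotation age, key length and per-customer separation.

KEYS and AS_OF are constructed; the field names are an assumed export shape.
"""
from datetime import date, datetime

KEYS = [
    {"name": "app1-data-key", "keyType": "RSA", "keySize": 2048, "enabled": True,
     "created": "2019-12-01T00:00:00Z", "tags": {"customer": "tenant-a"}},
    {"name": "app2-data-key", "keyType": "RSA", "keySize": 1024, "enabled": True,
     "created": "2020-01-15T00:00:00Z", "tags": {"customer": "tenant-b"}},
    {"name": "legacy-key", "keyType": "RSA", "keySize": 4096, "enabled": True,
     "created": "2018-03-01T00:00:00Z", "tags": {"customer": "tenant-a;tenant-b"}},
    {"name": "tenant-c-key", "keyType": "EC", "curve": "P-256", "enabled": True,
     "created": "2020-02-01T00:00:00Z", "tags": {"customer": "tenant-c"}},
]

AS_OF = date(2020, 2, 20)  # constructed audit date
MIN_RSA_BITS = 2048        # RSA keys shorter than this are flagged


def key_age_days(key, as_of):
    """Days since the key version was created, as of the audit date."""
    created = datetime.strptime(key["created"], "%Y-%m-%dT%H:%M:%SZ").date()
    return (as_of - created).days


def customers_of(key):
    """Assumed convention: the `customer` tag lists tenants separated by ';'."""
    raw = key.get("tags", {}).get("customer", "")
    return tuple(c for c in raw.split(";") if c)


def assess_keys(keys, as_of, max_age_days=90):
    """Return (key_name, issue, detail) tuples for enabled keys that breach a check."""
    findings = []
    for key in keys:
        if not key.get("enabled", True):
            continue  # a disabled key cannot be used, so its age is moot
        age = key_age_days(key, as_of)
        if age > max_age_days:
            findings.append((key["name"], "rotation-overdue", age))
        if key["keyType"] == "RSA" and key["keySize"] < MIN_RSA_BITS:
            findings.append((key["name"], "weak-rsa-size", key["keySize"]))
        customers = customers_of(key)
        if len(customers) > 1:
            findings.append((key["name"], "shared-across-customers", customers))
    return findings


if __name__ == "__main__":
    for name, issue, detail in assess_keys(KEYS, AS_OF):
        print(f"{name}: {issue} ({detail})")
```

The 90-day default mirrors the slide's 30-90 day range; pass a smaller `max_age_days` for the tighter end of it. The customer-tag convention is the assumption most likely to differ in a real tenant, so check how the SaaS team actually records key ownership before trusting that finding.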
50. @teriradichel
Proper configurations
• Every single service on Azure has a configuration.
• If you can see it, touch it, change it – it’s your responsibility.
• Understand best practices for each service.
• Understand how it might be attacked (threat modeling)
• Secure accordingly.
• Customer configurations are one of the biggest risks in the cloud!
51. @teriradichel
CIS Benchmarks in Azure Security Center
• CIS Benchmarks: best practices for Azure, Docker, operating systems, and more
• Check some of these with Azure Security Center
52. @teriradichel
Architect for Availability
• Is the architecture structured to prevent downtime?
• What if an Azure datacenter fails?
• Your architecture should be resilient to this if required.
• BCP and DR plans aligned with business needs.
• What if your systems are hit with ransomware?
• Do you have backups?
• Have they been tested?
54. @teriradichel
Security Functions
• Threat modeling to design to prevent breaches
• Security team has access to ALL logs
• Event monitoring and incident response
• Security requirements
55. @teriradichel
ALL the logs….
• What logs exist?
• Are they turned on?
• Is anyone looking at them?
• Do they KNOW what to look for?
• Are they centralized?
• Log shipping – ephemeral resources
• Who can change them? (No one hopefully – check permissions)
57. @teriradichel
Third-Party Products ~ CloudNeeti
• Met at the Seattle AWS Architects and Engineers Meetup
• Cross-cloud
• SAAS – obtain customer consent
58. @teriradichel
Tools for Auditors on Azure
• No dedicated auditor role – you have to find or create one that grants least privilege
• Azure Security Center is your friend!
• Learn how to write scripts to query resources (Power BI, CLI, Insights)
• Network Watcher
• Become familiar with all the logs
• Review recommendations and best practices for each service.
59. @teriradichel
Cloud systems can make security worse.
Would you trust a software developer or business person to operate on you? Why not?
60. @teriradichel
Training…at every level
• Train the Decision Makers
• Different types of training
• Risk and Governance
• Research and reverse engineering malware
• Cloud specific configurations
• Application security (OWASP top 10)
• Network security
• Pentesting
• DFIR (monitoring and responding to incidents)
But, when the user selects the Keep me signed in check box during authentication, a persistent session token is stored.
Nonpersistent session tokens have a lifetime of 24 hours. Persistent tokens have a lifetime of 180 days. Anytime an SSO session token is used within its validity period, the validity period is extended another 24 hours or 180 days, depending on the token type. If an SSO session token is not used within its validity period, it is considered expired and is no longer accepted.
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
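The quoted passage describes a sliding window: each accepted use moves expiry out by a full lifetime again, so a token that is used regularly never expires on its own. The model below is an added example and is not Microsoft's implementation or code from the deck; the 24-hour and 180-day lifetimes are the values quoted above, and the two usage timelines are constructed to show the window sliding and then closing:

```python
"""Model the sliding validity window of the SSO session tokens described above.

Lifetimes are the quoted values (24 hours non-persistent, 180 days persistent);
the class and the demo timelines are constructed for illustration.
"""
from datetime import datetime, timedelta

NONPERSISTENT_LIFETIME = timedelta(hours=24)
PERSISTENT_LIFETIME = timedelta(days=180)


class SsoSessionToken:
    """A session token whose expiry slides forward by one lifetime on every accepted use."""

    def __init__(self, issued_at, keep_me_signed_in=False):
        self.lifetime = PERSISTENT_LIFETIME if keep_me_signed_in else NONPERSISTENT_LIFETIME
        self.expires_at = issued_at + self.lifetime
        self.expired = False

    def use(self, at):
        """Return True if the token is accepted at time `at` (and extend it), else False."""
        if self.expired or at > self.expires_at:
            self.expired = True  # once it lapses, a token is never accepted again
            return False
        self.expires_at = at + self.lifetime
        return True


def simulate(keep_me_signed_in, use_offsets, issued_at=datetime(2020, 2, 1)):
    """Replay uses at the given offsets from issue time; returns [(offset, accepted), ...]."""
    token = SsoSessionToken(issued_at, keep_me_signed_in)
    return [(offset, token.use(issued_at + offset)) for offset in use_offsets]


# Constructed timelines: the 24h token is used at 20h and 43h (each use extends it),
# then at 70h, after its 67h expiry; the 180d token follows the same shape in days.
NONPERSISTENT_DEMO = [timedelta(hours=h) for h in (20, 43, 70, 71)]
PERSISTENT_DEMO = [timedelta(days=d) for d in (179, 358, 540)]

if __name__ == "__main__":
    for label, persistent, demo in (("24h token", False, NONPERSISTENT_DEMO),
                                    ("180d token", True, PERSISTENT_DEMO)):
        print(label, [(str(offset), ok) for offset, ok in simulate(persistent, demo)])
```

For the "How long is MFA cached?" question on the MFA slide, this is why the answer is not simply "180 days": a persistent token that is used at least once per window stays valid indefinitely, so the controls worth auditing are the configured token lifetime and whatever revokes sessions when a user leaves or a device is lost.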