Security analyst's cookbook for virtual computing

Introduction xxi   Chapter 1 Virtualized Environment Attacks 1    A Brief Introduction to the Cloud 1    Flavors of \"Cloud\" 3    Powering the Cloud 3    Why the Cloud Is Here to Stay 4    Managing Cloud Security 5    Principles of Information Security 6    Information Assets 7    Potential Threats 8    Potential Vulnerabilities 8    Potential Consequences 8    Incremental Risk Mitigation 9    Deny by Default 9    Never Trust Input
 Assume the Worst 11    Confidentiality, Integrity, and Availability 12    The Human Factor 13    Managing Cloud Risks 14    Asset Management 20    Vulnerability Assessment 22    Communication 22    Authentication and Authorization 23    Software 25    Managing Cloud Compliance 31    Defining Compliance and Security 33    Making Use of Warnings 34    Cloud and the PKI 35    Summary 36    Chapter 2 Attacking from the Outside 41    Who Is an Outsider? 41    HR Policies and Procedures 42    Contracting and Outsourcing Talent 44    Friends and Family Discount 45    Configuring Cloud Audit Logs 46    Keeping Tabs on Accounts 50    Extending and Trusting Communication 50    Delegating and Spreading Roles in Order to Scale 62    Novice Users Empowered by Cloud Environments 62    Outsourced and Offshored Resources 62    SaaS Software Development at    Cloud Speed    63    The Needs of Bespoke Solutions 63    Ensuring Continuity 64    Underspecialization 65    How to Piggyback on Fixes 66    Sudo and Shell Logging 70    Spoofi ng a Certifi cate 73    Summary 74    Chapter 3 Making the Complex Simple 77    Looking Around Without Getting Caught 78    Checking to See If Anyone Is Watching 78    Checking for Gaps in Awareness 79    Checking for Responsiveness 80    Complexity and the Cloud 81    Choosing a Spot with a View 83    The Hypervisor 83    The Director/Orchestrator/Manager 88    Assessing the Risk from Assessors 93    Slicing and Dicing Data 94    Detecting Layers of Virtualization Technology 94    Identifying and Targeting Assets 96    Versions 102    Supporting Infrastructure 103    Mail Servers 103    Web Servers 103    Domain Name Service 104    Databases and Directory Services 104    Timing an Attack 104    Long-versus Short-Term Objectives 104    How Long before You Are Ready to Attack? 104    How Long before You Can Attack Again? 105    Summary 106    Chapter 4 Denial of Service 109    Finding Signal in Noise 109    Improving Denial 111    Distributing Denial 112    Defi ning Success 113    Finding Service Vulnerabilities 115    Scanning and Validating Service Levels 115    Abstracting and Overcommitting 115    Validating Complexity 118    Limits of Penetration Testing 120    Denial of Testing 120    Testing for Denial 121    Abusing Proximity of Services: Step Attacks and Speed Attacks 125    Exploiting Service Vulnerabilities 127    Breaking Connections Between Services 127    Exhausting Resources 130    CPU 130    Memory 130    Disk Space and IOPS 131    The Dangers of Overcommitment 132    Locking Out Others 132    Summary 137    Chapter 5 Abusing the Hypervisor 141    Replacing Hardware Layers with Software 142    Relating Physical to Virtual 142    Displays 143    Memory 144    Disk 145    Network 147    Compromising the Kernel 147    Low-Level Interception 148    Real-World Example: Duqu 148    Classification and Defense 150    Breaking Out of KVM 151    Attacking Virtual CPU and Memory 161    The Cup Is Half Secure 162    Taking Plato   s Shadow Pill 162    Demonstrating the Risks 163    Qualifying Fear and Uncertainty 164    Measuring Failure Rates 165    Focusing on the Shortcomings of New Technology 166    Finding the Different Yet Old Attack Surfaces 167    Network 168    Systems 171    Databases 172    Escaping Jails, Sandboxes, and Buffers 174    What Is the Purpose of Root, Anyway? 176    Breaking Away from Identifi ers 177    Every Door Is the Front Door 178    Summary 180    Chapter 6 Finding Leaks and Obtaining a Side Channel 185    Peeping Toms 186    Working Around Layer 2 and Layer 3 Controls 187    Becoming a Regular Man in the Middle 189    VMware vmKernel, vMotion, and Management Traffic 190    Xen and Live Migration 190    Mayhem with Certificates 191    Eliciting a Response by Manipulating State 193    Noisy Neighbors 194    Working on Shared Paths 195    Risk of Co-Tenancy 195    Detecting Co-Tenancy 197    IP-Based Detection 197    Timestamp Fingerprinting 198    Latency Testing 198    Cache-Based Detection 199    Conclusion 199    Forcing Co-Tenancy 199    Avoiding Co-Tenancy 200    Summary 201    Chapter 7 Logging and Orchestration 205    Logging Events 205    Virtualization and Cloud Logs 208    Multitenancy 210    Collating, Archiving, and Protecting 216    What to Look for in a SIEM Solution 217    Safety and Reliability 219    Sampling, or Getting Ready for the Auditors 219    Testing Incident Responsiveness 220    Tampering with Infrastructure 220    Adding, Duplicating, Deleting, and Modifying VMs 226    Modifying Logs: Hiding from SIEM 234    Orchestration: Good and Evil 236    Solving Business Challenges 237    Why Orchestrate? 237    The Power of Elasticity and Agility 238    Devops and the Cloud 238    Risks Resulting from Orchestration 239    Outdated Images or Templates 239    Archived Exploits 241    Runaway Infrastructure Intelligence 242    Exploiting Orchestration Directly 243    Tarnishing Gold Images 243    Exploiting Image Customization to Modify VMs 246    Attacks Against Backups and Snapshots 248    P2V 249    Summary 249    Chapter 8 Forcing an Interception 251    Mapping the Infrastructure 251    Finding and Exploiting the Middle Ground 258    Abuse of Management Interfaces 259    APIs and System Communication 261    Getting around API Blockades 264    Playing Games with Management Tools 265    Elastic Nightmares: Moving Data in the Clear 265    Finding Secure Boundaries 266    Summary 270    Chapter 9 Abusing Software as a Service 273    When All You Are Is a Nail, Everything Wants to Be a Hammer 274    Managing Identities 277    Centralizing and Federating 278    Finding Integrity Bugs 279    Finding Confidentiality Bugs 282    Trusting Authorities 285    Secure Development 287    Data Entropy 290    The Ubiquity of the Browser 299    Average Users and the Pain of Software Evolution 301    Stuck on JavaScript 303    The Risks of SaaS 305    The Attackers Have Your Environment 310    Homogeneity and the Rate of Infection 312    Summary 313    Chapter 10 Building Compliance into Virtual and Cloud Environments 319    Compliance versus Security 319    Virtualization Security 322    Brokering 326    Proxies 327    Federation 329    Virtualization Compliance 330    Working with Auditors and Assessors 335    Using Checklists and a Master Matrix 339    Should Do versus How To 341    ISO 27001, SAS 70, and SOC 2 341    Managing Expectations 342    Service Organization Controls 344    Automating Scope Assessments 347    Managing Change 348    HIPAA 351    FISMA, NIST, and FedRAMP 353    Summary 356    Appendix A Building a Virtual Attack Test Lab 361    Components of the Virtual Penetration Testing Lab 362    Physical versus Virtual 362    Hungry for RAM 363    Installation Order 363    Bill of Materials 364    Building the Gateway 364    Building the ESXi Hypervisor System 367    Configuring Shared Client Networking 372    Adding a Secondary IP Address to Windows 7 372    Adding a Secondary IP Address to a Mac 374    Adding a Secondary IP Address to a Linux System 375    Building Xen 376    Building KVM 383    Using Your Virtual Environments: Virtual Attacks 392    Adding Vulnerable Virtual Machines 392    Setting Up Backtrack 396    Where to Go from Here 398    Build the Cloud Stack 398    Eucalyptus 399    VMware vCloud 399    OpenStack 399    Amazon AWS 399    Start Building an Archive 400    Appendix B About the Media 401    Index 403