CSA Treacherous 12 Concerns: 1-4
Advanced Persistent Security Podcast
Guest: Leighton Johnson
May 3, 2016
If you enjoy this podcast, be sure to give us a 5 Star Review and “Love Us” on iTunes; Like us on Google Play, Stitcher, Sound Cloud, Spreaker, and YouTube.
CSA Treacherous 12 Concerns: 1-4 Show Notes
Per the Cloud Security Alliance, “The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.
CSA operates the most popular cloud security provider certification program, the CSA Security, Trust & Assurance Registry (STAR), a three-tiered provider assurance program of self assessment, 3rd party audit and continuous monitoring.
CSA launched the industry’s first cloud security user certification in 2010, the Certificate of Cloud Security Knowledge (CCSK), the benchmark for professional competency in cloud computing security.
CSA’s comprehensive research program works in collaboration with industry, higher education and government on a global basis. CSA research prides itself on vendor neutrality, agility and integrity of results.
CSA has a presence in every continent except Antarctica. With our own offices, partnerships, member organizations and chapters, there are always CSA experts near you. CSA holds dozens of high quality educational events around the world and online. Please check out our events page for more information.”
About the CSA Treacherous 12 Concerns
Cloud Security is nothing new. However, it is growing in implementation and popularity. This is causing a ripple effect in terms of attacks originating in the cloud, attacking assets in the cloud, and using cloud resources for availability attacks. The purpose of this podcast is to discuss the CSA Treacherous 12 Concerns.
The CSA Treacherous 12 Concerns provide:
A list of the 12 Most Critical Cloud Security Threats/Concerns. For each threat/concern, it provides:
Anecdotes and Examples
Relevant Links (in master PDF; link is in Resources below)
Security Concern 1: Data Breach
When people think of IT, Information, and Cybersecurity, they often only think of data breaches. The media and (to a certain degree) industry further perpetuate this idea. In this sense, we discuss data breaches in the cloud and methods that are unique to the cloud. We also discuss reasons and ideologies as to why the cloud becomes a hacker’s target. We provide a distinction between a data breach versus a defacement or denial of service attack, showing that data breaches are mostly aimed at data exfiltration and compromising availability.
Security Concern 2: Insufficient Identity, Credential, and Access Management
We discuss the various issues with password and ICAM. This is a topic that is universal across all types of IT; client-server or cloud. We provide a few scenarios of what we have seen in terms of a manager wanting a 6 character password (because his dog’s name was 6 letters) and the necessity in provisioning and de-provisioning users. This is nothing new at all to IT.
Security Concern 3: Insecure Interfaces and APIs
This is the concern that begins the descent into the technical realm. This is when an organization gives outsiders access to use parts of their system. This can be reverse engineered or in conjunction with concern #2, can be disasterous if the API keys (among other ‘private’ or ‘sensitive’ keys) are in the source code. This begins a discussion about secure coding principles and code reviews.
Security Concern 4: System Vulnerabilities
This is the same old situation that has made many security researchers a lot of money over the years. This becomes a debate of who is responsible and Service Level Agreements. The various levels of cloud: Infrastructure (IaaS), Platform (PaaS), or Software (SaaS) as a Service introduce various issues for their respective layer. This brings forth a discussion about the principles of Information Security and confronts cultural issues within vulnerability management.
Examples: Shellshock and Spotify
Link to haveibeenpwned
Link to the CSA Treacherous 12 Security Concerns
Leighton Johnson, the CTO of ISFMT (Information Security Forensics Management Team), a provider of computer security, forensics consulting & certification training, has presented computer security, cyber security and forensics classes and seminars all across the United States, Japan and Europe. He has over 40 years experience in Computer Security, Cyber Security, Software Development and Communications Equipment Operations & Maintenance; Primary focus areas include computer security, information operations & assurance, incident response & forensics investigations, software system development life cycle focused on modeling & simulation systems, systems engineering and integration activities, database administration, business process & data modeling.
He holds CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CIFI (Certified Information Forensics Investigator), CSSLP (Certified Secure Software Lifecycle Professional), CAP (Certified Authorization Professional), CRISC (Certified in Risk & Information Systems Control), CMAS (Certified Master Antiterrorism Specialist), ATOL2 (DOD Anti-Terrorism Officer Level 2), CAS-CTR (Certified Antiterrorism Specialist – Cyber Terrorism Response) and MBCI (Certified Member Business Continuity Institute) credentials. He has taught CISSP, CISA, CISM, Security +, CAP, DIACAP, ISSEP, CRISC, Anti-Terrorism, Digital and Network Forensics, and Risk Management courses all around the world over the past 7 years.
He was the regional CIO and Senior Security Engineer for a 450 person directorate within Lockheed Martin Information Systems & Global Solutions Company covering 7 locations within the Eastern and Midwestern parts of the U.S. He taught Digital and Network Forensics courses at Augusta State University.He has presented at Techno Security – 2015, ISRM-NA-2014, CACS-NA-2014, ISRM-NA-2013, ISRM-NA 2011, ISRM-EU 2011, EuroCACS 2010, ISMC 2007, ISMC 2006, CyberCrime Summit 2007 and INFOSEC WORLD 2005 conferences and delivered multiple presentations for military and civilian conferences for customers and clients worldwide. He is a member of the CSA CloudSIRT working group developing the model for collaboration among cloud providers, CERT organizations, responders and users; the CSA Security-as-a-Service working group developing the definitions for SECaaS requirements and models, as well as a member of the IEEE Education working groups on Cloud Security and on Secure Software Code.
He recently served as a member of the IS Alliance – NIST joint working group on VOIP SCAP security. He is a contributing author to the “Encyclopedia of Information Assurance”, ISBN: 978-1-4200-6620-3, where he contributed two chapters on Security Incident Response and Configuration Management. He authored “Computer Incident Response and Forensics Team Management”, ISBN: 978-1-59749-996-5”, which provides security professionals with a complete handbook of computer incident response from the perspective of forensics team management. This unique approach teaches professionals the concepts and principles they need to conduct a successful incident response investigation, ensuring that proven policies and procedures are established and followed by all team members.”
APS Blog Posts
Thanks for stopping by and checking out our podcast. We would appreciate if you could subscribe (assuming you like what you hear; we think you will). This is meant to be informative and to provide value to anyone who listens – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.
Enter your email address:
Delivered by FeedBurner
Subscribe to our mailing list
* indicates required
Email Address *