LASCON 2015

iSEC Partners routinely carry out Attacker Modeled Penetration Tests that use any and all means possible to gain entry to a company. The goal is to test organizations against true-to-life attack and penetration activities that real attackers use in the breaches that make headline News (and the breaches that don't).
Organizations that use Cloud Services to provision an operating environment to support a product, or use Cloud Service Providers to outsource elements of traditional enterprise IT into the Cloud, can find those very aspects used against them in an attack. While the potential attack surface for a breach changes, in many ways the use of Cloud infrastructure can make it easier for an attacker to gain access to critical systems and data. In this session the speaker will describe methods of penetration used during recent tests, illustrating how Cloud Services are viable entry points that lead to significant compromises. The following areas will be discussed:
- Common mistakes in deploying Internet-facing Cloud infrastructure
- Replication and communication paths between Cloud and on-premises infrastructure
- Effective ways for attackers to gain access to the Cloud Service administration console
- How the use of Cloud Services is weakening enterprise IT security
- Methods for securing Cloud Services, closing vulnerabilities and protecting the company