How to Use Amazon EC2 Instance Store Encryption to Protect Data at Rest?

1. Create Amazon S3 bucket: amazon ec2

The created S3 bucket stores the encrypted password file. Encryption of the file system happens using such a password or key. When a boot happens for an Amazon EC2 instance, the files are copied, the encrypted password is read, the password is decrypted, and the plaintext password is retrieved. Utilization of this password happens when encrypting the file system on the instance store disk. Through the first step, the creation of an S# bucket occurs to enable the storage of the encrypted password file on it. Application of necessary permissions happens afterward. Additional permissions to the bucket to enable endpoint access are necessary whenever using Amazon VPC endpoint for Amazon S3.

  1. Sign into the S3 bucket and select “Create Bucket”.
  2. Then, enter the bucket name in the box named “Bucket Name”, then click on “Create”.
  3. All the details of the newly created bucket will appear in the right pane.

2. Configure the IAM roles and permission for the created S3 bucket

Using AWS Key Management Service (KMS), the encrypted password could be decrypted after essentially the encrypted password file being read from S3. One could assume a role with the right access permissions to the bucket of S3 by applying the IAM policy which that is configured in this step. “your-bucket-name” is that bucket used for the purpose of saving and storing the password file on it.

  1. Sign into the AWS Management Console to reach the IAM console.
  2. Then go to the navigation pane to and select “policies”.
  3. Afterward, click the “Create Policy” option.
  4. Then, select the “Create Your Own Policy” option.
  5. Get a name for the policy and a great description for it then proceed with the next step.
  6. Copy and paste the following policy at this point.
    {
    
        "Version": "2012-10-17",
    
        "Statement": [
    
            {
    
                "Sid": "Stmt1478729875000",
    
                "Effect": "Allow",
    
                "Action": [
    
                    "s3:GetObject"
    
                ],
    
                "Resource": [
    
                    "arn:aws:s3:::<your-bucket-name>/LuksInternalStorageKey"
    
                ]
    
            }
    
        ]
    
    }
  7. Then, select “Create Policy”.
  8. To elaborate on the previous policy, the bucket is granted through such policy to read. In other words, the encrypted password could be read because it is storedinsidesuch bucket. The IAM role then needs configuration now since EC2 fundamentally uses the previous policy.
  9. One should select “Roles”  inside the IAM console.
  10. Choose “Create New Role” now.
  11. Inside the first step of “Role Name”, create a name for the role and then press “Next Step”.
  12. Inside the second step of “Select Role Type”, select “Amazon EC2” and then press “Next Step”.
  13. Inside the third step of “Established Trust”, press “Next Step”.
  14. Inside the fourth step of “Attach Policy”, select the policy created in the first step. The following figure illustrates this point in a more concise way. amazon ec2
  15. Inside the fifth step of “Review”, review the configuration before finishing the steps. The IAM role which we just created can be used now with any new launch of EC2 instances, having an access permission on encrypted password file stored in the S3 bucket.
  16. The newly created IAM role becomes listed on the page of “Roles” there.
  17. Finally, select “Roles” and then select the newly created role as illustrated by the upcoming image. class=

3.Encrypt a secret password with KMS and store it inside S3 bucket

In order to accomplish this step successfully, one has to utilize AWS CLI. Fortunately, EC2 Amazon Linux instances already have AWS CLI by default on them. One could further install it on Windows, Mac, or Linux systems as well.

  1. Type the following command in AWS CLI. It will make use of KMS to encrypt the password. Note that you should replace “region name” with your region. In addition, creating keys and putting objects in S3 requires specific permissions that must be present before typing this command.
    aws --region us-east-one kms encrypt --key-id 'alias/EncFSForEC2InternalStorageKey' --plaintext "ThisIs-a-SecretPassword" --query CiphertextBlob --output text | base64 --decode > LuksInternalStorageKey
    
    aws s3 cp LuksInternalStorageKey s3://<bucket-name>/LuksInternalStorageKey
  2. The file name “LuksInternalStorageKey” will have the encrypted password as per the last used command.
  3. The key alias or name, which is useful for identifying diverse keys, has the name “EncFSForEC2InternalStorageKey”

 

  1. Make the KMS key accessible by the role

  1. Get to the IAM console and especially the navigation pane and choose “Encryption keys”.
  2. Then, choose the key alias named “EncFSForEC2InternalStorageKey”.
  3. If a new role is desired to get installed, and it is actually desired, then “Key Policy” should be scrolled down to it where “Add” should be selected under “Key Users” amazon ec2
  4. At this step, choose the newly created role and then press “Attach”.
  5. Now, this grants the access permission of the key to the role.

 

  1. Configure EC2 with role and configurations run

  1. Launch a new instance inside the EC2 console. But inside the third step “Configure Instance Details”, the IAM role has to be selected as shown in the following figure. amazoon ec2
  2. Expand the section of “Advanced Details” to the previously displayed screen.
  3. Inside “User Data, keep “As text” checked as it is by default. Then, copy and paste the following script into the text box.
    #!/bin/bash
    ## Initial setup to be executed on boot
    
    ##====================================
    
    
    # Create an empty file. This file will be used to host the file system.
    
    # In this example we create a 2 GB file called secretfs (Secret File System).
    
    dd of=secretfs bs=1G count=0 seek=2
    
    # Lock down normal access to the file.
    
    chmod 600 secretfs
    
    # Associate a loopback device with the file.
    
    losetup /dev/loop0 secretfs
    
    #Copy encrypted password file from S3. The password is used to configure LUKE later on.
    
    aws s3 cp s3://an-internalstoragekeybucket/LuksInternalStorageKey .
    
    # Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey
    
    LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)
    
    # Encrypt storage in the device. cryptsetup will use the Linux
    
    # device mapper to create, in this case, /dev/mapper/secretfs.
    
    # Initialize the volume and set an initial key.
    
    echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/loop0
    
    # Open the partition, and create a mapping to /dev/mapper/secretfs.
    
    echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 secretfs
    
    # Clear the LuksClearTextKey variable because we don't need it anymore.
    
    unset LuksClearTextKey
    
    # Check its status (optional).
    
    cryptsetup status secretfs
    
    # Zero out the new encrypted device.
    
    dd if=/dev/zero of=/dev/mapper/secretfs
    
    # Create a file system and verify its status.
    
    mke2fs -j -O dir_index /dev/mapper/secretfs
    
    # List file system configuration (optional).
    
    tune2fs -l /dev/mapper/secretfs
    
    # Mount the new file system to /mnt/secretfs.
    
    mkdir /mnt/secretfs
    
    mount /dev/mapper/secretfs /mnt/secretfs
  4. On your account, enable CloudTrail.
  5. Finally, launch the EC2 instance. Such instance will copy the password file from S3, use KMS to decrypt the file, and configure an encrypted file system.

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/

References

https://aws.amazon.com/blogs/security/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption/ http://searchhealthit.techtarget.com/definition/HIPAA https://aws.amazon.com/s3/ https://digitalguardian.com/blog/what-data-encryption https://en.wikipedia.org/wiki/Advanced_Encryption_Standard http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html

Novice
$0
Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.
Regular use
$49
This is the second tier that includes limited access to our training materials and to our exclusive lab.  
Risky use
$69
This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.  
Monthly use
$89
This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!  

How to become PCI compliant and still be breached?

 What do I need to know PCI?

  • PCI DSS and PCI SSC:
    pci compliant

For the sake of minimizing this risk, there exists the Payment Card Industry Data Security Standard (PCI DSS). It is designed and set by the PCI Security Standards Council (PCI SSC). In a nutshell, it aims at securing online transactions to a great extent.

Credit card companies put these standards into action themselves. The standards compel every retailer to comply with a long checklist if they accept any means of online payments. This ensures that transactions operate in a completely safe environment. Such lists mainly strive to make sure that data and networks are highly secure.

  • Social Engineering:

    pci compliant

A computer security professional has to perform sorts of psychological manipulations on the suspects. This is to know who is responsible for the occurrence of an attack or another similar security incident.

Such terms get an extensive use when talking about information security in general. This is because someone in the organization could reveal confidential data. Those responsible for information security ought to detect and investigate such persons.

In a way or another, many consider this as a confidence trick. The rationale behind it at the end of the day varies from information gathering to fraud, or system access. It is often one of the many steps in a more complex fraud scheme. It is used for diverse social sciences, yet computer security is the main domain of it.

There are plenty of techniques one could utilize for the sake of performing a social engineering action. Instances of such methods are: pretexting, diversion theft, phishing, spear phishing, water holing, baiting, quid pro quo, tailgating, and many others.

  • SSL/TLS/IPsec

    pci compliant

To ensure secure transmission of data packets across a network, one can depend on three internet protocols. This is in order to make such data secure as much as possible while in transit. Internet Protocol Security (IPsec) is capable of performing mutual authentication between agents when the session begins. Transmission of cryptographic keys occurs during the session. This is either between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network) or between a security gateway and a host (network-to-host).

It is important to understand that IPsec works for the Internet Layer. Elsewhere, there are two other similar internet protocols operating in different upper layers. The Transport Layer Security (TLS) operates in the Transport Layer. On the other hand, Secure Shell (SSH) functions in the Application Layer.

An insight into the problem

While there are several organizations which claim their complete compliance with PCI DSS, many still suffer attacks by actual breaches. This leads to losing a lot of their money and investment. We have to dig into the grounds of this problem in order to be able to take accurate actions accordingly.

First of all, let’s discuss the reasons for such status

  1. One hundred percent security is impossible and is unachievable by any means. Although standards of PCI DSS are completely awesome and leading to much more secure online payment methods, they can never become the end or the ultimate goal of an organization.

There can never be perfect security for an organization. That is why banks still experience robberies up to date regardless of how secure they are. The only advantage of such standards lies in the fact that the number of successful robberies becomes much less, but it never vanishes.
pci compliant

  1. Several methods are undertaken to manipulate the controls which are compliant with PCI standards. This leads to a breach even when there is PCI compliance for the organization. The following points discuss the said methods:
    1. Imagine that a professional attacker freshly develops a malware. This attacker manages to get his malware through all the antivirus or anti-malware security systems inside the organization. This fact is pretty interesting. This is because such new malware usually has no signature to make it recognizable by an anti-malware software. Consequently, even while there is an antivirus running on the organization’s network or system, new malware could pass through without detection at the very beginning.
      pci compliant
    2. As it is known, a malware has just to find its way into the network and desired data could be collected in time. But how do you think the malware could get into the network in the first place? The answer is social engineering and spear phishing attack. This term refers to those emails which seem as if they are from a friend or someone inside an organization. However, the one who sent such emails was the same individual who attempts to attack the personal data such as passwords, credit card number, bank account numbers, and the financial information on your personal computer (PC). One way to perform such attack effectively is to send a link from a bunch of the organization’s email addresses to the addresses of other peers inside the same organization. Thereafter, when one simply clicks on the link on, the malware goes viral inside the network. That is why security training is highly recommendable to cut off the hazardous numbers of such attacks.
      pci compliant
    3. The problem here is that everything seems as if they are normal with no existence of a threat of such malware. Why is that? Fundamentally, when an attacker launches the malware that scans a network for open ports or other vulnerabilities, the scans are run in a very slow manner such that no heavy traffic generation occurs as a result of such scans. This fact leads to recognizing the traffic as if it is just normal. On the other hand, when a penetration tester attempts to scan a network vulnerability, high traffic generation occurs. It’s then detected as someone who tries to scan the network.  
      1. pci compliant
      2. Furthermore, the backdoor software utilized by an attacker depends on protocols such as SSL/TLS/IPsec. They depend on them to encrypt their transmissions on port numbers 80 or 443 which are both open for getting on the internet. Such encrypted packets are not usually recognizable as malware by antivirus software programs.

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/

References

https://pciguru.wordpress.com/2013/02/06/how-to-be-pci-compliant-and-still-be-breached/

https://in.norton.com/spear-phishing-scam-not-sport/article

https://en.wikipedia.org/wiki/Social_engineering_(security)

https://en.wikipedia.org/wiki/IPsec

Novice
$0
Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.
Regular use
$49
This is the second tier that includes limited access to our training materials and to our exclusive lab.  
Risky use
$69
This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.  
Monthly use
$89
This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!  

How to apply additional security measurements besides PCI DSS?

What do I need to know about PCI DSS?

  • PCI DSS and PCI SSC:
    PCI DSS

For the sake of minimizing this risk, there exists the Payment Card Industry Data Security Standard (PCI DSS). It is designed and set by the PCI Security Standards Council (PCI SSC). In a nutshell, it aims at securing online transactions to a great extent.

Credit card companies put these standards into action themselves. The standards compel every retailer to comply with a long checklist if they accept any means of online payments. This ensures that transactions operate in a completely safe environment. Such lists mainly strive to make sure that data and networks are highly secure.

  • Spear phishing:

PCI DSS

Spear phishing is mainly a type of attack underlined by the art of social engineering. In this type of phishing, few end users receive customized emails. This is in an attempt to get their private information in a fraudulent manner.

A philosophical question now to ask is this. If spear phishing describes the previously explained behavior; What is then the difference between normal phishing and spear phishing?

Whereas phishing targets a large group of people to send emails to them with no prior research expecting that a few number of people will send a response, spear phishing targets a specific group of people to send them customized emails. This occurs after concise research on such a group of people. They are targeted with the correct message in which they are expected to respond positively and get tricked subsequently.

Phishing attacks reach a significant number of people. However, they receive a very small success rate from the number of links their links receive. Nevertheless, spear phishing attacks do not have that large number of target group but around half of such group click on the sent links or open the attachments.

  • Tokenization

PCI DSS

Whenever sensitive data is dealt with, tokenization has to be mentioned. This is in order to ensure that such data is secured to a great extent. Fundamentally, such valuable information gets replaced with a token number which is of no actual use except for merely this process. A token number is a number which makes no sense for an attacker or even for whoever uses it. It gets mapped back to its valuable specific piece of information associated with it.

In this process, the need for a tokenization system is a must, where such tokens could be requested, generated, and detokenized back to get the data. Therefore, such data becomes secured to the maximum using this method. There is still one aspect which should be cared about; it is the security of the tokenization system in the first place. Such system has to get secured following best security practices such as standards of sensitive data protection, secure storage, audit, authentication, and authorization.

  • Jump Server

PCI DSS

It is essential to understand the concept of a jump server when talking about network and security and securing the data flow within it. Devices in a separate security zone could be managed through such jump server. One of the most commonly used example for such concept is the demilitarized zone (DMZ). It could be managed by trusted networks or computers through a jump server.

A jump server has to have specific administrators who have authorized credentials on it for the sake of gaining access to DMZ for instance. All other requested access attempts from non-authorized users have to get logged for next audit. This server could work as single audit point for traffic, securing the data inside DMZ to the maximum.

How to apply additional security measurements besides PCI DSS?

  1. An organization’s administration should recognize the potential of being breached at any instant of time in the first place. Security standards could be set very high, and they could be followed very strictly. Whereas still, any security incident could still occur. Well, what is the benefit of security controls then? They are mainly meant to get the number of such events as much minimal as possible. Besides, such controls make the probability of obtaining sensitive data very low. How is that? Imagine that an organization was breached, such restrictions shall play a significant role in identifying a risk or an attack before an attacker gets his desired information from the network.
  2. Highly sensitive data should no longer be saved or stored in the system. This is because as long as they are there, there is always a vulnerability in the system which could be exploited to get such valuable information. On the other hand, if an organization or a merchant is obliged to get such data saved. Then, tokenization is the perfect solution for this case, for not saving data on the system.
  3. Get any sensitive data isolated inside the network or the organization’s system. In this regard, approaches like of the model of Forrester’s “Zero Trust” or McGladrey Ultra Secure could be followed. This is to ensure a very high level of security on sensitive data.

    PCI DSS

  4. Another attractive solution is to minimize the number of authorized accesses to sensitive data. Accordingly, whenever an incident happens to occur, there should be a small focus group on which social engineering could be applied by information security responsible persons.
  5. A “jump box” or a “jump server” should be made use of in order to force users to log into such server first of all before getting any access to sensitive data. The cardholder data environment shall be restricted to those who have the capability to correctly log into the jump box. This could be further coupled through using different credentials required for the sake of gaining access to such data. All activity performed on the jump box could be also captured by adding in full instrumentation of the jump box. Subsequently, the jump box could be monitored for any suspicious accesses.
    PCI DSS
  1. Internet Protocol (IP) addresses should be limited to the people inside an organization. While all traffic using HTTP or HTTPS should still be open for all the business’ use to satisfy their needs, they cannot be though unrestricted to access any desired IP address or URL. The solution for this is to apply proper white or black list IP addresses. Accordingly, an attacker will not simply work from any IP address or URL to play around with the network.

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/

References

https://pciguru.wordpress.com/2013/02/06/how-to-be-pci-compliant-and-still-be-breached/

https://usa.kaspersky.com/resource-center/definitions/spear-phishing

https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack

https://en.wikipedia.org/wiki/Tokenization_(data_security)

https://en.wikipedia.org/wiki/Jump_server

Novice
$0
Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.
Regular use
$49
This is the second tier that includes limited access to our training materials and to our exclusive lab.  
Risky use
$69
This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.  
Monthly use
$89
This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!  

How does Amazon AWS deal with data encryption?

What is PCI DSS?
amazon aws

To begin with, the Payment Card Industry Data Security Standards (PCI-DSS) provides a checklist with which organizations dealing with online credit card payments have to comply. Such list ascertains organizations follow the appropriate security standards to prevent any breach cases from occurring. Otherwise, merchants who refuse to comply face with great financial penalties thereafter.

What is HIPAA?
amazon aws

Health Insurance Portability and Accountability Act (HIPAA) is legislation which is concerned with making the medical information as safe as possible through making sure of data privacy and other security provisions.

Cyber attacks and ransomware attacks deploy upon health insurance data including both insurers and providers of such service. Such attacks are of a great concern of HIPAA. HIPAA aims to protect such sensitive data from any potential breaches on contaminated systems.

Why Data Encryption at Rest?


amazon aws

An essential requirement which both PCI DSS and HIPAA enforces to be applied inside an organization’s system is to have the sensitive data either cardholder data or health insurance data respectively in an encrypted format.

Before we proceed on to this point, let’s get some more insight about the notion of data encryption. Encrypting data means having data in another form, or code. This is such that having access to the decryption key is a must to understand such stored data.

Almost all organizations depend on this technique since it has been extremely popular and effective in securing data. Getting into more details, there are two sorts of encryption commonly in use around the globe. These are asymmetric encryption or the public key encryption method, and the symmetric encryption.

Symmetric encryption has privilege over the asymmetric encryption due to its speed. During the process, an exchange of the encryption key occurs between the sender and recipient before decrypting it.

Accordingly, huge quantities of keys have to get distributed and managed by companies in order for them to be capable of utilizing such encryption method. Therefore, it has become usual for companies to use a symmetric algorithm to encrypt data. After this, we use an asymmetric algorithm for the sake of exchanging the secret key.

On the other hand, asymmetric encryption or public-key cryptography uses two different keys: one public and one private. At the same time when a public key is known and everyone can share it, the private key is highly protected for security purposes.

One of the most widely used encryption algorithms is Sharmir-Adleman (RSA) algorithm. One could secure sensitive data through such an algorithm which depends on the public key cryptography technique.  The insecure network just as the internet is a perfect place to harness such an algorithm.

The confidentiality, integrity, authenticity, and non-reputability of electronic communications and data are assured by the use of such algorithm which encrypts data using both the public and private keys before sending it to an insecure network. Digital signatures are used within such process as well.

What is AES?


AED

The Advanced Encryption Standard (AES) also known as Rijndael is a means of encrypting data. Originally, the U.S. National Institute of Standards and Technology created such specification back in 2001.

With the evolution of such standard, the Data Encryption Standard (DES) became superseded and not used anymore for any advanced encryption purposes in organizations seeking high levels of security. The US government also adopted AES and made use of it in data encryption.

The symmetric key encryption algorithm is adopted by such standard, which means that encrypting and decrypting the data both use the exact same key.

What does Amazon S3 offer in this regard?

amazon s3

Amazon Simple Storage Service is a service where collecting, storing, and analyzing data of different formats and sizes could be possible and easy. Through Amazon Web Services (AWS), one can store and retrieve back.

Sources of such data could vary from websites and mobile apps to corporate applications, and data from sensors or devices of the Internet of Things (IoT).  Media storage and distribution have the capability to depend on Amazon S3. This is such as the “data lake” for big data analytics. Even computation applications which are serverless can utilize Amazon S3.

Mobile device photos and videos or other captured data, backups of mobile or other devices, backups of a machine, log files generated by a machine, streams created by an IoT sensor and images which are of a high resolution could all efficiently make use of Amazon S3.

It is then possible to configure Buckets of Amazon S3 for server-side encryption (SSE) making use of AES-256 encryption.

What can Amazon EC2 offer for decryption?
amazon ec2

One could use instance storage on Amazon EC2. Such instance storage allows for data to become stored in a temporary period of time. Information that frequently changes, such as buffers, caches, and scratch data are the mostly stored on such instance storage but in an unencrypted format.

One could utilize Linux dm-crypt in this process. It is essentially a Linux kernel-level encryption mechanism. It is possible to mount an encrypted file system, making it available to the operating system. Then, applications can easily deal with all files in the file system with no more needed interactions.

Dm-crypt basically resides between the physical disk and the file system. Data becomes encrypted when writing it from the operating system into the disk as shown in the following figure.

Finally, it is important to note that an application never knows a thing about such encryption. That is due to the fact that applications use a specific mount point to store and retrieve files. In the meanwhile, encryption occurs on such data during storage in the disk. Therefore, there is no use of data if the hard disk becomes stolen or lost.

amazon aws
amazon aws

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/

References

https://aws.amazon.com/blogs/security/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption/

http://searchhealthit.techtarget.com/definition/HIPAA

https://aws.amazon.com/s3/

https://digitalguardian.com/blog/what-data-encryption

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html

Novice
$0
Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.
Regular use
$49
This is the second tier that includes limited access to our training materials and to our exclusive lab.  
Risky use
$69
This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.  
Monthly use
$89
This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!