The Context of Cloud and Virtualized Environment Attacks

• Introduction to the Cloud
• Managing Cloud Security
• Principles of Information Security
• The Human Factor
• Managing Cloud Risks
• Managing Cloud Compliance

Attacking from the Outside

• HR Policies and Procedures
• Configuring Cloud Audit Logs
• Outsourced and Offshored Resources
• SaaS Software Development at ?Cloud Speed?
• Ensuring Continuity
• Spoofing a Certificate

Making the Complex Simple

• Checking to See If Anyone Is Watching
• Checking for Gaps in Awareness and Responsiveness
• Hypervisor, Director, Orchestrator, Manager
• Detecting Layers of Virtualization Technology
• Identifying and Targeting Assets
• Timing an Attack

Denial of Service

• Variations
• Finding Service Vulnerabilities
• Testing for Denial
• Exploiting Service Vulnerabilities
• Breaking Connections Between Services
• Exhausting Resources

Abusing the Hypervisor

• Relating Physical to Virtual
• Compromising the Kernel
• Breaking Out of KVM
• Finding the Different Yet Old Attack Surfaces
• Escaping Jails, Sandboxes, and Buffers
• Every Door Is the Front Door

Finding Leaks and Obtaining a Side Channel

• Working Around Layer 2 and Layer 3 Controls
• Becoming a Regular Man in the Middle
• Mayhem with Certificates
• Eliciting a Response by Manipulating State
• Working on Shared Paths
• Co-Tenancy

Forcing an Interception

• Mapping the Infrastructure
• Abuse of Management Interfaces
• Getting around API Blockades
• Finding Secure Boundaries

Abusing Software as a Service

• Managing Identities
• Finding Confidentiality and Integrity Bugs
• Secure Development
• The Ubiquity of the Browser
• Average Users and the Pain of Software Evolution
• The Risks of SaaS

Building Compliance into Virtual and Cloud Environments

• Compliance versus Security
• Working with Auditors and Assessors
• Managing Expectations
• Managing Change
• Compliance Requirements: ISO 27001, SAS 70, SOC 2, HIPAA, FISMA, NIST, FedRAMP etc