Hi everyone, I'm Tanya. Okay, so my previous job I was a web app pentester, and then I started working at Microsoft and they let me do whatever I want to Azure, which is really cool. And I realized that everyone I know is like, "Can you show me how to do a pentest in Azure?" and I was like, uh, maybe I should write a talk. So then I met my friend Teri. Teri's an AWS Hero and she can just shatter the crap out of anything; she's amazing. And I was like, "Do you want to write a talk with me?" and then she actually said yes. So she's not here because she got offered so much money that she had to go do something else, and I have to say, if I got offered that much money I'd probably go too. But anyway, she's really amazing and we wrote this talk together.

Okay, so where are we gonna... oh yeah, I have to stand still. What are we gonna talk about today? So we're gonna talk about doing it yourself. We're gonna talk about doing a security assessment yourself before calling a pentester. So usually when someone like me, or someone like Teri who's been networking forever, goes in, it's the basics that aren't done. People aren't even ready for the pentest, and so I want to show you all the stuff, because if I come in and the security's like here, then you're not getting your money out of me. Does that make sense? So I want you to be able to do this much yourself, so when I come in you're like, "You have to earn that paycheck."

Okay, so here's the mandatory About Me slide. This is the one where we prove that we're qualified to do our talk. I like punk rock and I'm Tanya Janca. On the internet I'm SheHacksPurple. I work at that startup company; I don't know if you've heard of us. I'm a developer advocate, which means that I get to do my hobby and then they give me money. I'm totally obsessed with OWASP. It's ridiculous.
I'm part of WoSEC, Women of Security, so if you're a woman and you want to make more female friends or work in security, you can talk to me. And oh, also I speak French, in case anyone wants to ask questions in French if you're shy.

This is Teri. Teri's awesome. I'm Teri's biggest fan. She's a badass cloud hacker. I wanted to put over top of this just "badass cloud hacker," and she's like, "No, Tanya, just remain calm." She's a lot more serious and very professional when she presents, and I'm the silly one. So she's been programming forever. Basically she does cloud security training and testing, and she has a wealth of experience that's just out of this world, and I learn from her every time I see her.

So what's a security assessment? It's not a pentest; it's slightly different. So we find all the vulnerabilities and gaps and then try to help you fix them. Right? So we're going to do a lot of scanning. We're going to talk to people. We're going to, if you'll let us, look at your architecture, review it, we might threat model things, and then at the end, just the same as a pentest, we give you a report. Except, I don't know, I prefer security assessments, but pentests are cooler.

Okay, so a pentest is similar to a security assessment, except you burn everything down. It includes exploitation, pivoting to other areas. There may be targets, objectives, like things you're supposed to steal. Basically we're trying to prove the systems can be broken into. Teri's way better at this than I am. I'm more like, I'm going to help you set up really good policies and do this and do that, and she's more like, and then everything's on fire. But you still have to do a report. There's no getting around it.

Okay, so why would you want to do it yourself? Because we're expensive; pentesters are expensive. Also, almost no places have their own pentesters on staff. Unless you work at a big startup like I do, you can't usually afford a team of pentesters.
You also want to not have the same pentester come every time, because you want a fresh set of eyes, but a security assessment you can do yourself. So we're going to go through a big list of things that I want you to go look at if you have Azure. Okay, so who here uses Azure? Awesome. Okay, I want all of you to have good experiences, because then my boss will think I'm cool. No, because I want you to be secure. Okay, so I want you to be able to do all these things before you bother to call a pentester, so I can save you money, and because I just want the internet to be safe. The end.

Okay, so first thing: do not test the Azure fabric. You don't want to make Microsoft angry at you. You don't. I don't either. So that means the infrastructure, the fabric of the cloud; that's the thing that is us. That makes us unhappy. So none of the cloud providers now demand that you tell them in advance if you're going to do a pentest, but you should. It's just so much easier, because if we see something we might just be like, no. Right? Because we're trying to protect all the people, and if what you're doing is out of the blue and weird, we might not understand that. And so if you tell us you're coming, you don't need permission, you're just like, "Hey, tomorrow I'm going to make a mess." Thank you. We'll watch out for that.

Okay, so here are things that are out of scope. So there's a lot of things I'm not going to cover in this talk. Sometimes after a talk people feel like, "You didn't cover this," and I'm like, yeah, that's not what the talk was about. So I'm going to give you a list, because I basically only talk about AppSec all the time. So we're not going to talk about DevOps security. We're not going to talk about application security, API security, password management, physical security, enterprise security.
We're just going to talk about: if you were going to assess the security of your Azure implementation, how would you do it? Or if you're a consultant and you're going to do it for someone else. We're only going to cover that. There's also going to be, after this slide, no more Rickrolling. That's the last one. Okay, so let's do this.

Okay, so the first thing you want to do is define the scope of your assessment. Right? Guess what's bad? It's testing a thing you're not supposed to and then your boss getting pissed. Especially if you're a consultant. This is way, way more important if you're a consultant, because you don't want to piss off your clients. If you work there full time, they know you and they know your intentions, but if you're a consultant, you are on thin ice all the time. I know, I've been one. So you want to talk about: is data part of this? Is application security a part of this? Because some of them think that it is and some of them think it's not. And I assure you, everyone has a different opinion. I've learned, because sometimes they're like, "Oh, but you're also going to phish our employees," and I'm like, no, what? You don't want me for that. Everyone has a different skill set, right? So definitely in this, network security is part of it. Access control is going to be a part of it. You need to make sure of each thing, and you want to make sure also that they're not like, "Hey, you're supposed to test that and you didn't." Right? So you want to make sure everyone's on the same page. Also, often they want to talk about methodology. I've seen a lot of people point to that appendix or methodology web page, and it's copy-and-pasted, and I'm like, no. I try to explain to them what I'm going to do with real words that they understand, and then actually write it into an appendix so that they know, because I just want them to be comfortable, and I'd rather spend a bit more time. But that's me.
Okay, so also: are you going to only do cloud stuff, or are you going to do internal stuff, or do they have a multi-cloud instance? So a lot of what is happening right now, I'm not sure if you're aware, is a lot of people are so super-duper in bed with one cloud provider, they realize that is a lot of eggs in only one basket, and so what they're doing is they're doing two clouds and they have them talk to each other. They have secure stuff in between and they monitor, and both clouds are in scope. You definitely want to make sure that you know that before you get in trouble. You also want to know if you're supposed to test the incident handling or not. Make sure the incident team knows you're coming. You know that. Okay, so you want to make sure that each thing is in or out of scope.

Okay, here's the scope of our assessment. So we made this talk because I have this little show with my friends Nancy and Franziska and Nicole, and basically we just live stream us being nerdy, and so I really wanted to have Teri on, so I was like, let's do a pentest of our website. So we did one of devslop.co, that's my open source project's website. It's ugly, I know. And so we also did my entire Azure subscription at that moment. We did the SQL database for the app, the network stuff I was supposed to have deleted from previous demos but had forgotten, and the VMs, and there would have been containers but I didn't have any, so, haha, Teri couldn't get them. We didn't test the web app itself, because we already do that on the show all the time. So that is our scope that we set, and we made a video, just as an FYI, and we wrote a bunch of articles, which I'll share at the end, so you can see in detail all the steps we did, and demos and stuff. And then there's a checklist that's written down for you, so, just so you know, I'm not going to leave you hanging.
Okay, so the very first thing: Azure will nag you. It will tell you, this is bad. And so the very first thing it always tells you is: go check that every single subscription has multi-factor authentication on. This is the keys to your kingdom; this is the keys to everything, ever. So it will give you 50 Azure security points, it'll congratulate you and be happy, and it will nag you constantly if you don't do it, because MFA, multi-factor authentication, is so important. I was supposed to wear a T-shirt on stage, but they didn't have my size. But anyway, so I made a video about how to do that. So on the bottom, a bunch of these things are going to have links, and it's either an article or a video about how to do the thing that I'm talking about, because again, I don't want to leave you hanging. Sometimes I find it frustrating: I go to a technical talk and then I'm like, oh, that's cool, how do I do that? Or I look it up and there's 50 pages and I'm like, which one's the one that I should look at? This is the one I think you should look at. But anyway, so number one is that you should do that.

I don't know if anyone follows me online, but I've been hassling the crap out of... so I'm from Canada, that's why I say "aboot." Yeah, I don't think that it's weird, but anyway. So we only have six banks in Canada, unlike America, where I hear you have at least 10, and only one of them uses multi-factor authentication. I'm like, yo, I gave you all my money, I really want to be secure. So I've been hassling them over and over, and then I wrote an article about multi-factor authentication. It's really, really important, and so this is just very dear to my heart, that I want us to protect all of our customers.

Okay, next: identity and access management. So you want to make sure that you have roles set up. You can make your own custom roles. Almost everyone does, if you're an enterprise. If you're a startup, whatever, if you have six people, you don't need to make your own roles, but if you have 20,000 people, you're probably going to have things that are very special for you. You want to make sure people have the right roles. So if I'm a DBA, I should have database owner access, but I'm not a DBA, so I should not have it, and Azure actually always complains to me about it: "You shouldn't have DB owner, Tanya." I'm like, I know. So you want to go and verify those. You can set those in policies within Azure. You can create your own custom policies. When I used to think of policies, what I thought of was, because I worked for the Canadian government, a website of white space and then black text that would just go on endlessly, and it would be boring and I wouldn't understand what it meant. But when we say policy here, what we mean is a list of rules, kind of true/false, that you've set, and then it goes in, it checks for you in real time, and says: that guy doesn't have MFA on; that website's available via HTTP, no. And so it tells you all the policies that you've broken. So that's what we mean when we say policy. So I don't know about you, but when I hear "policy" I think of a lot of text.

And you also want to make sure that you're doing least privilege. So again, don't give Tanya database owner access, because she's not a DBA. Another thing you want to verify is that you're using service accounts when you should use service accounts. So if I am a person that is using our network, I'm Tanya Janca on the network, but when I make the DevSlop app and it needs to talk to my database, it shouldn't be Tanya's credentials, because what if I quit, right? Or what if I become evil? Okay, what if I quit. And so the idea is that then you have this service principal, or a service account, that does this. You should never be having your apps call things with some developer's credentials. That's very dangerous. That also means that that developer has superpowers; you don't want that. You want to see: Tanya did this, but the DevSlop database made this request, and that they're separate, so when you look at logs they make sense. Okay. And these apply to everything in Azure. You can set up a thing for literally everything, because that's how it works. This can work in multi-cloud situations, so if you extend Azure AD onto your premises, or into, let's say, AWS or GCP, it will monitor all the things there, so you can have it do all the stuff there, or you can use a different identity system within Azure. And it also works for Azure Stack. So Azure Stack is where you have your own data center and you're like, no way I'm putting that in Azure, but I really like Azure, so we're going to bring Azure home. And so then, here's... so we have this thing called Microsoft Learn, which are basically free lessons, and so I made one... I did not make this one, but it's basically around 45 minutes to an hour, a walkthrough with sandboxes; you can try things and play with them. And so I made one, it's like five security things developers need to do before they push to prod. But basically we have one on most of the things, because we want you to do it right.

Okay, this is a Teri slide, so pretend I'm being very serious. Okay, so account structure and governance. So this is probably different than in your home data center, if you have an on-premises site or if you have an on-premises data center. So everything goes down kind of like this. You can have this top view where you see everything, right, or, if you're me, pretty close to the bottom, and so I can only see me and then my teammates, because that's how we've arranged it. Of course I was like, I should do security for our whole team, and they're like, please remain calm, no, you cannot look in your coworkers' subscriptions. But anyway, so you want to make sure that you have policies and that they cover everything. You want to make sure that people only have access to things they're supposed to. For instance, you don't want me being able to add security to everyone else's apps without their permission, all these things. So first: accounts, management groups, subscriptions and resource groups. Resource groups are like a directory or a folder in Windows. They're not a real thing; it's not like a network security group, it is not protected. It's just, oh, I'm going to put all the things for this project in this bucket, but everything can see everything else. Just to be clear, those are not security borders; those are just for organizational purposes. So please don't assume that when you put something in a resource group. Okay, but you can give permissions to resource groups.

Okay, so who's heard of CIS, the Center for Internet Security? Yeah. It's crowdsourced security knowledge, which is really, really, really cool, and they have best practices, benchmarks, and there's so much cool stuff. So a whole bunch of people, like, we contribute to it and we also benefit from it, and lots and lots of governments do, especially in the United States. Okay, so CIS is kind of famous for their 20 Critical Controls. So when we're creating all these policies in Azure, and by "we" I mean they did the hard work, one of the things they decided to do is like, oh, what if you could just check if you're following the CIS benchmarks? What if you could just check to see if you're HIPAA compliant? So we've added, I don't know if I have a screenshot of that, but we've added a thing where you can just go check, and it'll tell you, one by one, if you are or are not compliant to these, and it'll point you to where you're not compliant, and you can click it and then you can go down and, once the lecture's over, then you can go fix it. Well, I don't know, I think that's pretty cool, because I like it when I get pointed, rather than "you have a vulnerability." I like it to be like, this virtual machine does not have this enabled, or this one's missing this patch. I like it to be really specific.

Okay, so here's some sample controls. Inventory and control of software assets: who has a perfect list of every single app that is in their cloud or on-prem? Yeah, exactly, right. So this will tell you. So this is an assessment. And then there's controlled use of administrative privileges. Guess who doesn't get administrative privileges at work? I know, right? Only C-level executives need that. Okay, so I'm on top of... oh, here it is. Here's where it will assess CIS benchmarks. So we have one for Azure, Exchange Server, IIS, etc. A lot of companies do this, because we want you to follow best practices, so we want to make it easy. So you can go and download the CIS benchmark and have this checklist of things to check, but like I said, in Azure it's automated, so you can go through and then click on it and it'll tell you. Okay, another thing you can do is you can download images that are already hardened and set to this. That's cool. I'm lazy; I don't want to do things twice if someone else can do it for me. That's awesome. So we have, I believe, 126 as of May, when we made this slide. Not bad, right? Okay, so one more example control: "Ensure that restricted access to Azure AD administrative portal is set to yes." So then it actually gives you the exact, here it is, step by step, what menu you click on, exactly where you go. Microsoft is Microsoft, right? It's going to be glossy. We want to hold your hand, we want to make sure, you know what I mean? It's not like an open source project where you just have to download these 25 other things and compile them yourself, and then also, you know what I mean? I don't know. So we really want you to get to the end.

Okay, so then, my favorite part, and the thing that you should probably look at right after you ensure MFA is turned on, is that you should just go to the Security Center. I have a link at the bottom. I'm not doing a demo, one because I don't have time, and two because I'm afraid of the internet here, and I was just like, I am not willing to sign in and use my... I'm just not willing to do that on this. And sorry, no offense, it's not you, it's all the people I know in this room. But so this is the start of what it looks like, and there's three sections. So the first one at the top, you can see policy and compliance. So we have a secure score. What's a secure score? I know people are like, oh, gamification, blah blah blah. When I worked, not in a SOC, but I was on the incident response team and the enterprise security team, it was really hard for me to show my boss I was doing a good job, because he would only see me when there was an incident, or not at all, right? So then if he didn't see me for a month it's like, oh, it's time, you've been working, and then when he would see me, my name was a swear word. And so here I can say, look, I went from 48 to 550, I've checked off these things. So you can see your mark go up when you improve different things, and it also helps you know what the biggest bang is for your buck. If we give you five points, it's a low priority; if we give you 50 points, that's the highest you can get, and that's for turning on multi-factor authentication. And so then also regulatory compliance, so ISO 27001, etc. So you click on those and, as best we can, we're going to tell you where you've done a good job or not.

Okay, this is the part where you can figure out who is or is not covered by Azure Security Center. So there's a free version and then there's the paid version. I work there, so I have the paid version. The free version is completely awesome, and then the paid version's even better; basically you get a bunch of extra tools that we made. And you want to make sure that at least the purple is at 100%, or the blue. You do not want any in the gray of "not covered." It's free, come on. So you don't want anything to not at least give you the list of things you're missing, right? Okay, oh, and I have little links at the bottom to all of these, because I felt I didn't have enough time to explain all of them, and I'm so worried... how much time do I have? Okay, sorry. Okay, I better move it. All right.

So, and this is where you set security policies. Those are the things like the checklist. Basically, one of the things, for instance: I only want my apps to be available via HTTPS. I do not want HTTP to be available externally anymore. That's my personal policy, slash that's what Microsoft also wants. And so that is one of the things that would be in my custom policy. So you can set your policies here.

Okay, so cloud security: zero trust. You can do zero trust in your own data center, however... okay, who here has heard of zero trust? Okay, yeah. So the idea is, what we used to do is we would have firewalls, we call it zoning, or network security groups, and just firewall, and everything inside, it's like, you're probably okay, we're all in the data zone, everything's probably fine. But then if a bad person, a malicious actor, got in, then they could just pivot to any of the other ones and get all of the things. But now with zero trust, nothing trusts anything, and the reason why this is important is because of pivoting, and if you do it for everything it's a lot easier. I'm going to show you a way that you can do it in Azure, and we have a couple automatic things. So you can do this in regards to ports, you can do this in regards to firewalls, you can do this in regards to your apps. Okay, Teri made this graphic. I told her to print pictures or stickers of it. I love it; I want to stick it on my laptop: "Hackers heart flat networks." Okay, so don't have a flat network, that's what this slide means. Basically, good points for good network design: basically follow best practices of networking in the cloud, right? Some things don't change when you move to the cloud.

Okay, next. Has anyone seen this article? Vignesh wrote it, and it's about how basically there is a vulnerability in Confluence where everyone just left something open, and then he managed to report on over 50 bug bounties in just a few hours, and he was really happy. And so sometimes, if you find one vulnerability, you can just go to all of the bug bounties and get the money, and he did that, and it's just a lesson for all of us that we need to make sure everything is following zero trust.

Okay, network security groups, also known as firewalls. It's like zoning, and that's what we call it in Canada. Okay, so basically what we used to do is we used to have most of the ports open. Instead, now we have all the ports closed except for the one you need. Is the next one zero trust? No? Okay, never mind. I'm going to tell you more about closing ports in a second. Another cool feature is Network Watcher, and then there's a section, and it's really small and it's highlighted there on the left, and I know it's hard to see, but it says "effective security rules." So Network Watcher is like Wireshark, kind of, but for Azure, and it's part of it, and so you can watch everything as it goes back and forth. But then there's a special security section where we just highlight that. It also, so let's say that this is what your app looks like, then you can go in there, and I know it's hard to see because it's small, but it will actually map it all out for you visually, which is pretty sweet. No more sitting there with Visio for 10 hours trying to make this, oh my gosh. So Azure makes its own firewall. We basically make one of everything now, except for password managers, and so we have a firewall. It's just like a regular firewall except it's from us, and you can use it to set up these privilege rules. You can put it around storage accounts. Logging: always turn on the logging, right? No heads nodding. So you can turn on logging, and then you should turn on monitoring.

Okay, next: VPN, virtual private network. We also have one of those. I feel like Teri's slides are so much prettier than mine. This is a Teri slide. So this is what it looks like, but we also have something slightly different in Azure called Azure ExpressRoute. So what a lot of people are doing is... no one's like, oh, tomorrow we went to the cloud, like we went in one day. It usually takes a few years, and basically the new things go there, and a transformation or migration takes months to years, right? So in the meantime we have ExpressRoute, which is a VPN in between you and Azure, and they also make sure that you go really, really, really, really fast.

Okay, next: bastion host. So who here has heard of a bastion host? Okay, who here calls it a jumpbox? Because that's what I call it, and Teri and I are both like, what are you talking about? Okay, so it's also a jumpbox. So you can have the box that you go into from outside the network, and then you hop, you jump to the other, or you bastion, you jump to the other boxes, right? But instead of that, a thing that you can do now is called just-in-time, which I'll explain in a minute.

Okay, I'm going to talk about a couple things that are only available in Azure, which means awesome. Okay, so adaptive application controls, that's whitelisting. Just-in-time VM access, that is instead of a jumpbox. Network hardening, which is not in preview anymore, it's out now; it just tells you, this is bad, you should change this. It just helps you harden your network. It's really cool. File integrity monitoring, which I feel goes really well with the first one, whitelisting: so if any of the core files within your system changes, it tells you right away, because something bad's happening. So, oh yeah, so we're going to talk about that one first, oh, and that one too. I recorded lots of demos and then realized that I had less time.

Okay, just-in-time is like a zero trust for ports. So it closes all of your ports. That's one of my apps, or one of my virtual machines, it's called devslop-decheck, and it's part of the DevSlop project, and I have OWASP ZAP installed on it, and so I have all the ports closed 100% of the time. If I want to use one of the ports, I have to make a request. Let's see if I have... yeah, so I request access, and then I tell it how long I want it for, so for 88 or 3389, so I want to RDP into it. So I click on, I say only my IP address, so it means I have to use multi-factor authentication to get into the Azure portal, and then I have to have access to go into there, then I turn it on, and then it's on for only three hours, and you have to be coming from my IP to get in, and then there's a 64-character random password that you have to do. So between all of that, even though I live stream, I'll go in and I'll be live streaming, no one's come in. Pretty good. So instead of a bastion host, I do that.

Adaptive application controls, whitelisting. It's basically, so again, on the same virtual machine I have OWASP ZAP installed, which is a hacker tool, right? I could do malicious things if I were malicious with it, so I really don't want anyone else using it, so I have whitelisting turned on. What that means is system things can run on the virtual machine, because it's Windows, so the basic Windows stuff, and ZAP and the ZAP API, because I call it, and nothing else can run on there. So if someone tries to install something on it, it won't run, and if someone tries to change one of the core system files, it will alert me, and that won't run, because of file integrity monitoring. So together it means my VM's pretty damn safe, especially with all the ports closed. Yes, I'm okay.

So another thing that I like to do: Azure will set up alerts. I don't know if I have time to tell the story of Azure telling on me my second week at Microsoft... okay, no, I don't. And so anyway, it will give you alerts that are really great, and so you can turn on threat protection, which will stop things and also alert you, for storage and also for your databases. It's not a web application firewall; it's at the network level. Next, a WAF, a web application firewall, that is at the application level as opposed to the network level. Who here's heard of a WAF? Awesome. So guess what, we make one. So here we have the WAF, application firewall rules, and they call them the OWASP rules, but they're actually the Core Rule Set rules, which is an OWASP project, and you can have level 2.7 or you can have level 3. Obviously you want the new one. Who's like, oh, give me the old rules? No one. Anyway.

Okay, so Network Watcher, not only can you see all sorts of things going back and forth, you can watch the flow of traffic. So yeah, there's some Wireshark for us. I was going to say, doesn't this look... oh, that is Wireshark. You're like, is this Teri's slide? I can't tell. Okay, so there's a whole bunch of network tools, including, so there's intrusion prevention, intrusion detection, there's DLP, there's DNS, there's firewalls and WAF. So firewall, network level. Oh, two minutes, okay. There's stuff... we also make a SIEM, sorry, we also make a SIEM, it's called Sentinel, and there's a company named SentinelOne and we're not the same thing, but they're also cool. And then we also have Advanced Data Security, so you can classify your data, so you know when there's an incident if it's the end of the world or if you can go get a snack. And we can run automatic VAs all the time.

Okay, so I'm really sorry, but I only have two minutes, and I'm just going to skip to the end where we do the checklist with you. Okay, so here are the things I need you to go check, and then you can go watch this online after. Set your scope; only check things in scope. Verify account structure, identity, access control. All the same best practices apply, it's just different settings, right? You already know all of that. Set an Azure Policy, and then if someone is not obeying it, go buy them donuts and ask them nicely, and then after, go check. Turn on Azure Security Center. So after you turn on MFA, turn on Azure Security Center, at least on the free level, it's free, and then just go through and do all the recommendations and fix them. Use the cloud-native features, so there's threat detection, adaptive application controls, file integrity monitoring, just-in-time, and now there's network security hardening. And follow the network best practices, they all still apply: so network security groups, routes, access, Network Watcher, firewalls, ExpressRoute, jumpboxes. And make sure you're on top of your alerts. A thing that you can do is you can go through and start customizing them, so it stops alerting you on things that are annoying. There's a lot less alerts in here than there are on other SIEMs I've used, because we know ourselves, as opposed to when you plug in a different SIEM, you have to teach it for a long time. Oh, I'm so done. Done, I'm done now, I'm done. Okay, so what we learned today, other than we're done, we learned this. And here's the resources; just take a picture of this. That's it. Thank you.
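The talk describes Azure Policy as a list of true/false rules that Azure checks for you (the HTTPS-only custom policy is the example given) and the checklist asks you to set one. The following is an added example, not code from the talk, from Microsoft, or from the DevSlop project: it embeds one policy definition written in the real Azure Policy rule syntax (the `Microsoft.Web/sites/httpsOnly` alias is a real alias) and evaluates it locally against a constructed set of resources, so you can see exactly which resources a custom policy would flag before assigning it. The evaluator is a simplified model of Azure Policy semantics and supports only a handful of operators; the resource records are constructed, not exported from any subscription.

```python
"""Azure Policy as true/false rules: a minimal local evaluator.

Added example; not code from the talk, from Microsoft, or from the DevSlop
project. The policy uses real Azure Policy rule syntax and a real alias; the
resources are constructed, and only the operators equals, notEquals, exists,
in, allOf, anyOf and not are modelled.
"""
from typing import Any, Dict, List, Optional, Tuple

# Custom policy: App Service sites must have HTTPS-only enabled. The effect is
# parameterised the way Microsoft's built-in policies do it, so the same
# definition can be assigned as Audit first and switched to Deny later.
HTTPS_ONLY_POLICY: Dict[str, Any] = {
    "properties": {
        "displayName": "Web apps must only be accessible over HTTPS",
        "mode": "Indexed",
        "parameters": {
            "effect": {
                "type": "String",
                "allowedValues": ["Audit", "Deny", "Disabled"],
                "defaultValue": "Audit",
            }
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Web/sites"},
                    {"field": "Microsoft.Web/sites/httpsOnly", "notEquals": "true"},
                ]
            },
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}

# Constructed resources, keyed by the alias paths the policy addresses.
SAMPLE_RESOURCES: List[Dict[str, Any]] = [
    {"name": "devslop-web", "type": "Microsoft.Web/sites",
     "Microsoft.Web/sites/httpsOnly": "true"},
    {"name": "legacy-intranet", "type": "Microsoft.Web/sites",
     "Microsoft.Web/sites/httpsOnly": "false"},
    {"name": "api-no-setting", "type": "Microsoft.Web/sites"},  # alias absent
    {"name": "devslop-sql", "type": "Microsoft.Sql/servers"},   # different type
]


def _norm(value: Any) -> Any:
    """Azure Policy string comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def evaluate_condition(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Return True when the policy's 'if' condition matches the resource."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = resource.get(cond["field"])  # None when the alias is absent
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        # An absent value counts as "not equal", so a site with no httpsOnly
        # setting is reported rather than silently passing.
        return _norm(value) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "in" in cond:
        return _norm(value) in [_norm(v) for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")


def resolve_effect(policy: Dict[str, Any], params: Optional[Dict[str, str]] = None) -> str:
    """Resolve "[parameters('x')]" from assignment params or the default value."""
    props = policy["properties"]
    effect = props["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        name = effect[len("[parameters('"):-len("')]")]
        return (params or {}).get(name, props["parameters"][name]["defaultValue"])
    return effect


def evaluate_policy(policy, resources, params=None) -> List[Tuple[str, str]]:
    """(resource name, effect) for every resource the 'if' block matches,
    i.e. every resource the portal would list as non-compliant."""
    effect = resolve_effect(policy, params)
    if effect.lower() == "disabled":  # a disabled assignment evaluates nothing
        return []
    rule = policy["properties"]["policyRule"]["if"]
    return [(r["name"], effect) for r in resources if evaluate_condition(rule, r)]


if __name__ == "__main__":
    for name, effect in evaluate_policy(HTTPS_ONLY_POLICY, SAMPLE_RESOURCES):
        print(f"{effect}: {name} does not enforce HTTPS-only")
```

Running it lists `legacy-intranet` and `api-no-setting` under the default `Audit` effect; passing `{"effect": "Deny"}` as the assignment parameters shows what switching the same definition to `Deny` would block. The point of the `notEquals` handling is that a site where the setting is missing entirely is still reported.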
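The talk's network advice is to have every port closed except the ones you need, to use just-in-time access instead of leaving RDP open, and to check network security groups as part of the assessment. The following is an added example, not code from the talk, from Microsoft, or from the DevSlop project: an offline audit that reads NSGs in the shape `az network nsg list -o json` produces (`securityRules` and `defaultSecurityRules` with `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`), applies NSG precedence (lowest priority number wins) and reports management ports reachable from the Internet. The three NSGs are constructed for the example, `203.0.113.7` is a documentation address standing in for an operator's own IP, and the `flat-nsg` entry illustrates what a flat network looks like in an export.

```python
"""Audit exported network security groups for Internet-exposed ports.

Added example; not code from the talk, from Microsoft, or from the DevSlop
project. Input shape follows `az network nsg list -o json`; the sample NSGs
below are constructed, not exported from a real subscription.
"""
import json
from typing import Any, Dict, List, Tuple

# Source values that mean "anyone on the Internet" (the 'Internet' service tag
# included). VirtualNetwork, AzureLoadBalancer and specific CIDRs do not.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}
MGMT_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}


def _rule(name, priority, access, source, ports, protocol="Tcp"):
    """Build one inbound rule dict in az CLI output shape (constructed data)."""
    single = ports if isinstance(ports, str) else None
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol, "sourceAddressPrefix": source,
            "sourceAddressPrefixes": [], "destinationPortRange": single,
            "destinationPortRanges": [] if single else list(ports)}


# Two of the default rules every NSG carries; the rest are irrelevant here.
DEFAULT_RULES = [
    _rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*"),
    _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

SAMPLE_NSGS = [
    {"name": "devslop-nsg-before", "securityRules": [
        _rule("allow-rdp-any", 100, "Allow", "*", "3389"),
        _rule("allow-web", 110, "Allow", "Internet", ["80", "443"]),
    ], "defaultSecurityRules": DEFAULT_RULES},
    {"name": "devslop-nsg-jit", "securityRules": [
        # Shape of a just-in-time grant: one source IP, one port, plus a deny.
        _rule("jit-rdp-operator", 100, "Allow", "203.0.113.7/32", "3389"),
        _rule("deny-rdp-everyone-else", 200, "Deny", "*", "3389", "*"),
    ], "defaultSecurityRules": DEFAULT_RULES},
    {"name": "flat-nsg", "securityRules": [
        _rule("allow-everything", 100, "Allow", "*", "*", "*"),
    ], "defaultSecurityRules": DEFAULT_RULES},
]


def _port_in_range(port: int, spec: str) -> bool:
    """'*' matches all ports, '3389' exactly one, '8000-8999' a range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _sources(rule):  # az populates either the singular or the plural field
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or "*"]


def _ports(rule):
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]


def _matches_internet(rule: Dict[str, Any], port: int, protocol: str) -> bool:
    """Does this rule apply to inbound Internet -> <port>/<protocol> traffic?"""
    if rule["direction"].lower() != "inbound":
        return False
    if rule["protocol"].lower() not in ("*", protocol.lower()):
        return False
    if not any(s.lower() in INTERNET_SOURCES for s in _sources(rule)):
        return False
    return any(_port_in_range(port, p) for p in _ports(rule))


def effective_access(nsg: Dict[str, Any], port: int, protocol: str = "Tcp") -> str:
    """NSG semantics: the matching rule with the lowest priority number wins."""
    rules = sorted(nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", []),
                   key=lambda r: r["priority"])
    for rule in rules:
        if _matches_internet(rule, port, protocol):
            return rule["access"]
    return "Deny"  # nothing matched; Azure's implicit behaviour is deny


def audit(nsgs: List[Dict[str, Any]]) -> List[Tuple[str, int, str]]:
    """(nsg name, port, service) for each management port open to the Internet."""
    return [(nsg["name"], port, service)
            for nsg in nsgs
            for port, service in MGMT_PORTS.items()
            if effective_access(nsg, port).lower() == "allow"]


def load_nsgs(path: str) -> List[Dict[str, Any]]:
    """Load a saved `az network nsg list -o json` export."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for name, port, service in audit(SAMPLE_NSGS):
        print(f"{name}: {service} (tcp/{port}) is reachable from the Internet")
```

Against the constructed data it flags RDP on `devslop-nsg-before` and all five management ports on `flat-nsg`, while the just-in-time style NSG is clean because its allow rule is scoped to one source address. To run it on a real export, save `az network nsg list -o json` to a file and pass `load_nsgs("nsgs.json")` to `audit` in place of `SAMPLE_NSGS`.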