Apostolis Mastoris, Security Consultant at MWR InfoSecurity, is speaking at this year’s HOPE, taking place at the Hotel Pennsylvania in New York City this Friday and during the weekend. The session includes the first public demonstration of MWR InfoSecurity’s new tool, Azurite, created for penetration testers and auditors to use during enumeration and reconnaissance activities within an Azure environment.
Speaking about the challenge organizations face, Apostolis explains, “The wide adoption and the benefits of Cloud computing have led many users and enterprises to move their applications and infrastructure towards the Cloud. However, the nature of the Cloud introduces new security challenges, therefore organizations are required to ensure that such hosted deployments do not expose them to additional risk. Auditing Cloud services has become an essential task and in order to carry out such assessments, familiarization with certain components of the target environments is required. This has been the main drive behind this talk - exploring the capability offered by Azure Cloud services to perform security assessments and trying to identify the main elements that an assessor needs to focus on during an engagement.”
Apostolis’ session, titled ‘A Penetration Tester’s Guide to the Azure Cloud’, is at 8pm (EDT) on Friday 22nd July 2016. It will provide an insight into the Microsoft Azure Cloud service and present practical advice on performing security assessments on Azure-hosted deployments. More specifically, it will explore the main security controls and configurations associated with each of the mainstream Azure components and highlight any key points that need to be reviewed. Areas that will be covered include role-based security, secure networking features, perimeter security, encryption capability, and auditing and monitoring of activities within the Azure Cloud environment.
MWR’s new tool, Azurite, includes two helper scripts: the Azurite Explorer and the Azurite Visualizer. The scripts passively collect verbose information about the main components within a deployment so that it can be reviewed offline, and visualize the associations between the deployment’s resources using an interactive representation.