Penetration Testers in the Cloud

Moving a service or infrastructure to a cloud-based environment poses a major challenge for cybersecurity practitioners. It differs from hosting the service or infrastructure on the enterprise's premises, but to identify defense-in-depth layers and security issues we still need to identify the level of complexity and the attack surface.

This includes entry points, authorized changes, timeframe, and other aspects. A cloud could host different technologies and be managed by a different entity, which could increase both the surface and the complexity.

Penetration testers can be the right people to identify the enterprise's surface, complexity, and cyber weaknesses. Why? Because penetration testers and security assessors follow the same host-based principles when assessing services that are hosted in the cloud.

However, the threat surface can differ depending on the threat actor's location and skills. In a cloud environment, penetration testers will usually focus on misconfigurations and resource limitations to identify threats such as storage exposure, storage takeover, data theft through interfaces, credential theft, unprotected consoles, and compute takeover.

The confidentiality and integrity of data in cloud storage can be compromised by misconfigurations and access control weaknesses. Penetration testers search for these flaws as well as for data disclosure, such as a cleartext password or confidential data.

In addition, cloud security experts may not consider securing cloud storage services and ports. For example, a penetration tester may fingerprint the cloud storage over the network to identify and abuse a Telnet service exposed by the storage.

Penetration testers may also take advantage of a weak S3 (Simple Storage Service) bucket. These weaknesses can give penetration testers various options for accessing cloud storage.
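As an added example (not from the original article), the misconfigurations and access control weaknesses described above can be checked from the defender's side by auditing a bucket's policy and ACL for anonymous grants. The bucket name, account ID, role name and finding labels are constructed for illustration; the policy fields and the AllUsers group URI are the standard S3 ones.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3 ACL group: anyone

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_public(principal):
    # "*" or {"AWS": "*"} grants access to any caller, including anonymous ones.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def audit_policy(policy_json):
    """Findings for one bucket policy document (labels are this example's own)."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # narrowed by source IP, VPC endpoint, etc.
            findings.add("public-conditional")  # needs manual review
            continue
        for action in _as_list(stmt.get("Action", [])):
            a = action.lower()
            if a in ("*", "s3:*") or a.startswith(("s3:get", "s3:list")):
                findings.add("public-read")   # confidentiality exposure
            if a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete")):
                findings.add("public-write")  # integrity exposure
    return sorted(findings)

def audit_acl(grants):
    """Findings for the Grants list of a bucket ACL."""
    findings = set()
    for g in grants:
        if g.get("Grantee", {}).get("URI") != ALL_USERS:
            continue
        if g.get("Permission") in ("READ", "FULL_CONTROL"):
            findings.add("public-read")
        if g.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
            findings.add("public-write")
    return sorted(findings)

# Constructed sample input: a weak policy beside a corrected one.
WEAK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
FIXED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Statements that carry a `Condition` are reported separately because the condition may or may not restrict access enough; they need a human decision rather than an automatic verdict.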

A cloud fingerprint could reveal information that enables takeover of the cloud storage by identifying weak services, ports, and access controls. The main advantage of penetration testing over other functions, such as vulnerability assessment, is that it stresses a vulnerability to identify potential attack trees. Penetration testers can give better visibility of risks and threats.

Penetration testers can also steal credentials at various layers. An application programming interface (API) might use cleartext protocols, such as HTTP, that penetration testers can intercept or abuse. In addition, APIs can raise major security issues if they are adopted recklessly.

Insecure APIs could expose the cloud to remote code execution (RCE), data leakage, and DDoS attacks. Penetration testers could use APIs to enumerate resources and expand their attack surface.

These domains could frustrate business decision makers who may be considering the cloud. However, moving to the cloud could be necessary. In addition, cloud technology is similar to host-based technology in terms of security and operational principles. Therefore, cloud users should penetration-test their systems before a hacker does.


Nawwaf Alabdulhadi is an IT security expert with more than 7 years of experience in the IT field, executing IT security projects and providing consultation and assessment in various countries, roles, and companies. Nawwaf has a Bachelor's degree in Computer Science from Northumbria University, UK, a Master's degree in Information Security Policy and Management from Carnegie Mellon University, US, and leading industry certificates such as CISSP from ISC2 and CPT from IACRB. Nawwaf currently works as a senior IT security specialist in a leading enterprise (Saudi Aramco).

