Cloud Penetration Testing

What is Cloud Penetration Testing?

Cloud penetration testing is an authorised cyber attack simulation exercise against cloud assets hosted in a cloud provider's environment.

The main objective of cloud pen-testing is to identify and mitigate security risks in cloud computing.

Cloud security is everyone’s business. Research predicts that, through 2020, 95 percent of cloud security failures will be the customer’s fault.


What can’t be tested in the Cloud?

Parts of the cloud environment that belong to the cloud provider's management, such as the underlying infrastructure, cloud provider facilities, and other partners or vendors, cannot be tested either. Apart from major public cloud provider offerings, cloud models can be fuzzy concepts for a beginner, especially shared responsibility models.

This simply means:

  • Cloud provider is responsible for the security of the cloud
  • Tenant or organisation client is responsible for security in the cloud

What are the security risks of cloud computing?

To make the different security risks easier to understand, this section provides an example of each risk listed below. The security risk areas remain the same, but the underlying attack vector may change based on the cloud model and/or vendor (Azure, AWS, others). For instance, Amazon buckets have a history of security misconfiguration linked to S3 bucket data leakage. Azure blob storage has been abused more than AWS, and has been subject to identity-based attacks.

Intellectual Property Theft

Theft of cloud-hosted content such as movies, music, software, and other sensitive information from insecure cloud resources is an example of IP theft. Around half of departing employees unintentionally or deliberately leave with confidential information.

Compliance Violations and/or Regulatory Actions

Loss of compliance with standards and regulations such as PCI DSS, ISO 27001 and GDPR. For instance, in the health industry, there are NHS Data Security Standards defined in the Data Security and Protection Toolkit.

Data Breaches

A data breach can occur due to data theft or data leakage (insecure storage). Major data breaches involving the loss of sensitive customer data directly hit business revenue. In the case of the Target data breach, the media quotes net losses at $200 million. Senior management including the CIO, CISO and CEO resigned as the company confirmed up to 40 million payment details were stolen.

Insider Threats

For example, a departing employee uploads CRM data to an online space (cloud storage or a website) to be used later when employed in a new job with a competitor. Insider attacks may include examples related to supply chain risks similar to the Capital One data breach.

Credential Attacks

The two most popular password attacks against cloud services are password spraying and credential stuffing. In password spraying, threat actors attempt one or two of the most commonly used passwords against a large number of users via rented botnets. In credential stuffing, compromised credentials from a data breach are attempted against internet-exposed services, based on the confirmation or probability that the affected users use the target service.
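A defender-side sketch of the spraying pattern described above, as an added example that is not part of the original page: it flags time windows in which many accounts each fail sign-in only once or twice. The event tuple format, function name, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag windows where many accounts each fail only once or twice.

    events: iterable of (iso_timestamp, source_ip, username, success).
    Grouping is by time window, not by source IP, because a botnet
    spreads the attempts over many addresses.
    """
    failures = defaultdict(lambda: defaultdict(int))  # window -> user -> count
    sources = defaultdict(set)                        # window -> source IPs
    for ts, ip, user, ok in events:
        if ok:
            continue
        idx = (datetime.fromisoformat(ts) - EPOCH) // window
        failures[idx][user.lower()] += 1
        sources[idx].add(ip)

    findings = []
    for idx in sorted(failures):
        # Spraying stays under lockout limits: few failures per account.
        # Many failures on one account is brute force, a different pattern.
        low = sorted(u for u, n in failures[idx].items() if n <= max_per_user)
        if len(low) >= min_users:
            findings.append({
                "window_start": (EPOCH + idx * window).isoformat(),
                "accounts": low,
                "source_ips": len(sources[idx]),
            })
    return findings

# Constructed sample sign-in events (documentation IP ranges, made-up users).
SAMPLE = [("2024-03-04T09:%02d:00" % i, "203.0.113.%d" % (10 + i), "user%d" % i, False)
          for i in range(6)]                                   # spray: 6 users, 6 IPs
SAMPLE += [("2024-03-04T10:00:00", "198.51.100.7", "carol", False),
           ("2024-03-04T10:00:20", "198.51.100.7", "carol", True)]  # ordinary typo
SAMPLE += [("2024-03-04T11:00:%02d" % i, "198.51.100.9", "alice", False)
           for i in range(8)]                                  # brute force, one user

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE):
        print(finding)
```

These events do not record the password attempted, so credential stuffing spread thinly across accounts produces the same signal; the check identifies the many-accounts, few-attempts shape rather than which of the two attacks it is.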

Insecure APIs

Usage of APIs (Application Programming Interfaces) is growing at an exponential rate to provide a better experience for users. This raises the risk profile of APIs and the need to ensure security features are in place against API-specific attacks such as authentication attacks, parameter tampering, content manipulation, and session cookie tampering.

DDoS Attacks

These attacks are used to render services unavailable to their users and are not used to bypass security controls. DDoS and DoS attacks are sometimes used as a smokescreen to help multiple other attack vectors succeed.

Benefits of Cloud Penetration Testing

– Ensure strong authentication, authorisation, encryption mechanisms
– Demonstrate data security commitment
– Less is more – reduced costs, servers and staff

How to approach Cloud Pen Testing?

  • Understanding Cloud Provider