January 20, 2016
9 Cloud Security Threats You Should Know
Cloud Security Threats and Preventions
By far one of the hottest topics in the cloud industry is security. It is a legitimate concern for anyone who is connected to the internet and/or using a cloud service. With the hacktivist group Anonymous making headlines and large companies suffering data breaches, it is no wonder security is a concern. There are currently an estimated 7 billion mobile devices and over 1 billion PCs in the world, and approximately 7.3 billion people on earth. That means the pool of potential hackers is very large; however, it only takes one user with malicious intent to do damage to an organization. One goal of the cloud as an idea is that it makes data accessible from anywhere in the world. The cloud being a relatively new technology to the outside world (we know it is an old technology but a new business model) makes protecting what are now billions of internet devices an extremely daunting challenge. Cloud providers with high-profile clients are an attractive target for malicious hackers. Any business, whether a startup or a multi-billion dollar company, is at risk of attack. There are many different types of attacks, from viruses to denial of service attacks, and each one has a different intent. Even though no infrastructure is completely immune to attack, there are measures that prevent and dissuade attacks, as well as actions to take when an event does take place. This paper gives an overview of the threats to the cloud along with how to prevent them.
One of the models that cyber security professionals are taught to use is known as the CIA and DAD triads. When assessing an organization, or when there is an attack on an infrastructure, they may go through this model to better understand what is going on. The C stands for Confidentiality: the goal of confidentiality is to prevent unauthorized access to sensitive data. The I stands for Integrity: the goal of integrity is to ensure that data is only modified by authorized users. The A stands for Availability: the goal of availability is to make sure the data is available to authorized users when they need it. The DAD triad is the model for what the black hat hacker intends. They may not even be aware of the DAD triad, but it is the exact opposite of the CIA triad. The D stands for Disclosure, the opposite of Confidentiality, in which the hacker tries to gain access to sensitive data without permission. The goal of Alteration in the DAD triad is to modify or delete data without authorized credentials. Finally, the goal of Denial is to deny authorized users the availability of information. These two triads will be ever present in the discussion of threats and preventions.
People often ask when discussing the cloud, “Well, what about security?” The answer is simple: threats to cloud computing are as relevant as they are to computers in a non-cloud capacity. Research performed by the well-known cloud security firm Alert Logic reports that cloud security application attacks have increased 45 percent (5). Contrary to what many may believe, the cloud, according to Alert Logic, is no less secure than one’s own data centers (5). The attacks are as diverse as ever, ranging from malware/botnets, brute force, vulnerability scans, web app attacks and recon to DDOS attacks (many of these are discussed in a later section). The larger the company, the more attractive it is to the hacker attempting to break in; that does not mean startups are less at risk. One of the most important pieces of research about cloud security threats is the CSA’s (Cloud Security Alliance) findings on the 9 Worst Cloud Security Threats. The 9 worst cloud security threats are: Data Breaches, Data Loss, Account or Service Traffic Hijacking, Insecure APIs, Denial of Service, Malicious Insiders, Abuse of Cloud Services, Insufficient Due Diligence, and Shared Technology.
1. The number one threat is Data Breaches. The data breach is a scary scenario for everyone; there are headlines about companies suffering data breaches almost every month. A significant example is the data breach that happened to Target, where the perpetrators ended up stealing credit card information from 110 million customers. According to the CSA report, “If a multi-tenant cloud service database is not properly designed, a flaw in a client’s application could allow an attacker access not only to that client’s data but every other client’s data.”
2. Next is Data Loss, also a headline grabber. CSA gives the example of what happened to a writer for Wired magazine: “Attackers broke into Mat’s Apple, Gmail and Twitter accounts…then used that access to erase all of his personal data…including the baby pictures of his 18-month-old daughter.” Data loss is not only perpetrated by hackers but also results from natural disasters, fire, storms, etc., and can even be accidental on the part of a legitimate user. It happens: an administrator or some other authorized user accidentally hits delete.
3. The third top threat is Account or Service Hijacking. This covers attacks such as phishing, fraud, and exploitation of software vulnerabilities. If an attacker knows your credentials, he or she can “eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect clients to illegitimate sites” (2).
4. The fourth top threat is Insecure Interfaces and APIs. APIs can easily be susceptible to vulnerabilities if not coded correctly, and organizations use provided interfaces and APIs to build their own services. “Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability, and accountability” (2).
5. The next top threat is Denial of Service. Denial of service attacks aim to overwhelm computing devices with packets to halt usage. For cloud services this could be catastrophic, because cloud providers and their data centers essentially represent seemingly endless processing power. If an attacker has access to these cloud servers, they can use them to unleash a crippling DDOS attack on an organization.
6. The sixth top threat to cloud computing according to the Cloud Security Alliance is Malicious Insiders. This is when a current or former employee has or had some level of access to a company’s infrastructure and uses it against the company in a malicious way.
7. The seventh threat is the Abuse of Cloud Services. If an attacker has access to cloud resources, he or she could use them to crack in minutes encryption keys that would take years to crack on just one machine. “This threat is more of an issue for cloud service providers” (2).
8. The eighth top threat is Insufficient Due Diligence. Many companies tend to rush into adopting cloud services without knowing what they are getting into. “The bottom line for organizations moving to a cloud technology model is that they must have capable resources, and perform extensive internal and CSP due-diligence to understand the risks it assumes by adopting this new technology model” (2), says the report.
9. The final threat in the CSA top 9 is Shared Technology Vulnerabilities. A misconfiguration of a service can “lead to a compromise across an entire provider’s cloud.” CSA says “a compromise of an integral piece of shared technology such as hypervisor, a shared platform component…exposes more than just the customer but the entire environment to a potential compromise and breach” (2).
So there exist threats of different kinds to cloud computing. Companies should take heed of threat eight, because they can be the cause of their own compromise by not properly researching the implications of adopting a cloud service. They should also understand that the cloud is no more immune to natural disasters than anything else; what matters for companies considering a cloud service is what the provider has in place in the event of a natural disaster. However, when black hat hackers decide to target a company or organization, they can choose from a number of different weapons in their cyber arsenal.
As mentioned briefly earlier, the DDOS attack is a serious ongoing threat against any organization. By overwhelming a target’s processing power, it cripples the target because the computer cannot handle the load. There are three types of DDOS attacks worth mentioning. The first and most basic is the ping flood, which works by sending an overwhelming number of ICMP packets to the intended target, clogging network resources and processing power (4). The second type is the smurf attack. The attacker fakes its own IP address so that it is the same as the target’s; appearing to be a legitimate host, it then sends the flood of requests to the whole network (4). The third type is known as the SYN/ACK attack. This attack takes advantage of the three-way handshake that occurs every time a network device attempts to connect to another. The attacker sends a SYN request to the target, and the target replies with a SYN/ACK response just as it normally would. However, instead of replying with an ACK to acknowledge the connection, the attacker simply never sends it, leaving the victim to wait and consume resources (4). The point of a DDOS attack is not to completely bring down a network or hack into anything; the CSA describes it as “being caught in rush-hour traffic gridlock: there is no way to get to your destination, and nothing you can do about it except sit and wait” (2). While halting an organization does no lasting damage, a DDOS attack can cause it to lose money and clients, and cause everyone extreme frustration at not being able to do their job. According to Akamai’s research, the number of DDOS attacks has increased by 180 percent (6). There are two rising cybercrime groups that specialize in this attack, known as DD4BC and Armada Collective. They use DDOS for extortion: these groups threaten companies by sending emails saying they will launch a DDOS attack against them unless the desired amount of money is sent.
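As an added illustration (not from the paper or its sources), the following Python inspects a host's own connection table for the half-open backlog that the SYN/ACK attack above leaves behind; the connection records are constructed to mimic a `netstat -tn` listing, and the thresholds are assumed starting points.

```python
from collections import Counter

# Constructed records modelled on a `netstat -tn` connection table as seen on
# the victim host: (local_port, remote_ip, state). Legitimate clients finish
# the handshake (ESTABLISHED); the SYN/ACK attack leaves entries parked in
# SYN_RECV, each holding backlog memory while the host waits for an ACK that
# never comes. Addresses are taken from the RFC 5737 documentation ranges.
LEGIT = [(443, f"203.0.113.{i}", "ESTABLISHED") for i in range(1, 6)]
FLOOD = [(443, f"198.51.100.{i}", "SYN_RECV") for i in range(1, 41)]
QUIET_TABLE = LEGIT + [(443, "203.0.113.9", "SYN_RECV")]  # one client mid-handshake
ATTACK_TABLE = LEGIT + FLOOD


def half_open_summary(conns):
    """Return (half_open_count, total_count, per_source Counter) for a table."""
    half_open = [c for c in conns if c[2] == "SYN_RECV"]
    per_source = Counter(c[1] for c in half_open)
    return len(half_open), len(conns), per_source


def detect_syn_flood(conns, min_half_open=20, max_ratio=0.5):
    """Flag a SYN flood from the host's connection table.

    Both conditions must hold, so a busy server with a few clients
    mid-handshake is not flagged:
      * at least `min_half_open` entries are stuck in SYN_RECV, and
      * they make up more than `max_ratio` of all tracked connections.
    Per-source counts are reported but do not drive the verdict: flood
    traffic commonly arrives from many spoofed or distinct addresses, so a
    per-IP threshold sees each address only once and misses the attack.
    """
    half_open, total, per_source = half_open_summary(conns)
    ratio = half_open / total if total else 0.0
    return {
        "flood": half_open >= min_half_open and ratio > max_ratio,
        "half_open": half_open,
        "total": total,
        "ratio": round(ratio, 2),
        "distinct_sources": len(per_source),
        "top_source_count": max(per_source.values(), default=0),
    }


if __name__ == "__main__":
    for name, table in (("quiet", QUIET_TABLE), ("attack", ATTACK_TABLE)):
        print(name, detect_syn_flood(table))
```

A live check would feed the same function from `ss -tan` output on a schedule and alert on the `flood` flag; the thresholds here are constructed, not tuned values.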
Another weapon a malicious hacker uses is Cloud Malware Injection. This attack injects a malicious piece of software or service into a target to allow the attacker to use the target for any purpose they have in mind (3). The attacker creates their own malicious service module or VM instance and adds it to the cloud system, which is tricked into treating the malicious instance as legitimate. When successful, the cloud directs user requests to the module, which then runs the attacker’s code; the attacker is then able to eavesdrop or even use it for a DDOS attack. A common countermeasure is to run a service integrity check before using a service instance (3). This is an example of a hacker using all three elements of the DAD triad: Disclosure, gaining access without permission; Alteration, modifying or deleting data without authorized credentials; and Denial, which denies the availability of the service to valid users.
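The service integrity check mentioned above, as an added Python illustration that is not code from the paper or from any cloud provider: a toy dispatcher refuses to route requests to a service instance whose code image does not match the digest recorded at deployment. Service names, images and instance ids are constructed.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "code images" of a billing service: the genuine module, and a
# copy registered by an attacker after adding a line that forwards a copy of
# each request (the eavesdropping described in the text). A cloud that only
# checks the instance's *name* would happily route to the altered copy.
GENUINE_IMAGE = b"def handle(req):\n    return lookup_balance(req.user)\n"
ALTERED_IMAGE = b"def handle(req):\n    copy_out(req)\n    return lookup_balance(req.user)\n"

# Trusted manifest recorded at deployment time. It is the root of trust here,
# so it must be writable only by the deployment process, never by whoever is
# allowed to register instances.
TRUSTED_MANIFEST = {"billing-api": sha256_hex(GENUINE_IMAGE)}


class Instance:
    def __init__(self, instance_id, service, image):
        self.instance_id, self.service, self.image = instance_id, service, image


def verify_instance(inst, manifest):
    """Return (ok, reason); digests are compared in constant time."""
    expected = manifest.get(inst.service)
    if expected is None:
        return False, "service not in manifest"
    if not hmac.compare_digest(expected, sha256_hex(inst.image)):
        return False, "image digest mismatch"
    return True, "ok"


def dispatch(service, instances, manifest):
    """Pick the first instance of `service` that passes the integrity check.

    Returns (chosen_instance_id or None, audit); the audit lists every
    instance of that service examined and why it was accepted or skipped.
    """
    audit, chosen = [], None
    for inst in (i for i in instances if i.service == service):
        ok, reason = verify_instance(inst, manifest)
        audit.append((inst.instance_id, reason))
        if ok and chosen is None:
            chosen = inst.instance_id
    return chosen, audit


# Constructed registry: the attacker's instance was registered first, so a
# naive "first match by name" dispatcher would hand it every request.
REGISTRY = [
    Instance("i-rogue-01", "billing-api", ALTERED_IMAGE),
    Instance("i-good-02", "billing-api", GENUINE_IMAGE),
    Instance("i-other-03", "search-api", b"def handle(req): ...\n"),
]

if __name__ == "__main__":
    print(dispatch("billing-api", REGISTRY, TRUSTED_MANIFEST))
```

The check covers the image at verification time only: it does not see code altered after launch, and it is only as strong as the protection on the manifest itself.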
The next kind of attack is the Authentication Attack, which exploits the mechanisms used to secure the authentication of a user (3). It focuses on passwords and other login credentials. There are different types of authentication attacks. The first is the brute force attack, whose goal is to figure out a password. The program uses a dictionary of known words and tries combinations until it finds the right one. With one computer it can take quite a while to crack a password with this method, but with the help of cloud resources it can take minutes. Also, if a vendor has weak password recovery validation, the attacker can enter the victim’s email address to recover the password and gain access to the intended target.
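One defence against the dictionary guessing described above, as an added Python illustration (not from the paper or its sources): an online login throttle that locks an account after a few consecutive failures with doubling lockout periods, so that however many cloud machines drive the guesses, the endpoint answers only a handful per period. Account names, the password and the wordlist are constructed.

```python
import hmac
import time
from collections import defaultdict

# Constructed credential store. Real systems store slow password hashes
# (bcrypt, scrypt, PBKDF2), never plaintext; plaintext keeps this toy short.
CREDENTIALS = {"alice": "correct horse battery staple"}


class LoginThrottle:
    """Lock an account after `max_failures` consecutive failed guesses.

    Each successive lockout doubles in length (base, 2x, 4x, ...), and a
    correct login clears the failure counter. Design trade-off: because the
    lock is per account, repeated bad guesses against a known account name
    keep its owner locked out too (Denial in the DAD triad), so production
    systems pair this with per-source limits and CAPTCHAs rather than
    relying on account lockout alone.
    """

    def __init__(self, max_failures=5, base_lock_s=30, clock=time.time):
        self.max_failures, self.base_lock_s, self.clock = max_failures, base_lock_s, clock
        self.failures = defaultdict(int)   # consecutive failures per account
        self.lockouts = defaultdict(int)   # how many lockouts so far per account
        self.locked_until = {}             # account -> unix time the lock expires

    def attempt(self, account, password):
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        expected = CREDENTIALS.get(account, "")
        # Constant-time comparison so response timing does not leak matches.
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.failures[account] = 0
            self.lockouts[account] += 1
            self.locked_until[account] = now + self.base_lock_s * 2 ** (self.lockouts[account] - 1)
            return "locked"
        return "denied"


def replay_wordlist(throttle, account, wordlist):
    """Replay a burst of guesses against the throttle and tally the answers."""
    tally = {"ok": 0, "denied": 0, "locked": 0}
    for guess in wordlist:
        tally[throttle.attempt(account, guess)] += 1
    return tally


if __name__ == "__main__":
    words = [f"password{i}" for i in range(1, 101)]  # constructed wordlist
    print(replay_wordlist(LoginThrottle(), "alice", words))  # {'ok': 0, 'denied': 4, 'locked': 96}
```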
The next form of attack is the Man-in-the-Middle attack. The attacker sits between two hosts and intercepts their communication. By intercepting the traffic between, say, a bank and a client, the attacker receives all the credentials and other confidential information the client unknowingly sends, thinking it is going to the bank. A man-in-the-middle attack is a form of what is known as eavesdropping (3). The attacker is exercising the Disclosure principle of the DAD triad.
Many of the attacks mentioned are traditionally non-cloud based, but they all still apply to cloud services. Many of the large cloud service providers are well aware of the security concerns. Microsoft Azure, IBM, and Amazon all offer identity and access management, encryption and key management, network security, and threat management, which includes threat detection and mitigation. Microsoft has a team of penetration testers that tries to find vulnerabilities in its own products in order to improve security. Amazon has developed techniques for mitigating DDOS attacks.
What Amazon Web Services does is try to minimize the attack surface. To minimize the attack surface they use a VPC, or Virtual Private Cloud, which is essentially like a VPN. “It allows you to hide instances from the internet,” Amazon reports. Another way AWS mitigates DDOS attacks is by absorbing them. If a DDOS is meant to drain resources, the logical thing to do is increase processing power to outlast the attack, so it is harder for attackers to cause any damage. This is called increasing resiliency, and it is done by horizontal and vertical scaling. Horizontal scaling adds more instances and services to one’s current infrastructure; vertical scaling adds more hardware-type resources, including memory, CPU, and storage. Other ways Amazon mitigates DDOS attacks include using Elastic Load Balancing to manage network traffic and Auto Scaling to make sure apps remain available (7). These are just a few of the many mitigation techniques Amazon uses to fight the DDOS attack.
In conclusion, cyber-attacks are as prevalent in cloud computing as they are in traditional computing. The attacks can be catastrophic, as in Target’s case, resulting in millions losing their credit card information to theft. The attacks can be extremely frustrating, as is the case with DDOS attacks. They can also be extremely crafty, as with man-in-the-middle attacks, making the end host think it is communicating with a legitimate user. Just as new technologies evolve, so do the attacks. However, there are ways to combat these cyber threats. Many cloud providers have plans in place for when something does occur; they are well aware of the threats and constantly improving their security measures. Companies intrigued by cloud services just for the sake of saving money should think again and research everything about the cloud, including the security details. It is also important when implementing cloud services to make sure they are configured correctly, because CSA noted that a slight misconfiguration can be detected by a hacker and used to do damage to the entire network. The answer to the question “What about security in the cloud?” is more complete if we add that although cloud computing is vulnerable to the same types of threats, and hackers can target anyone they want, that does not mean they will, and at least the major cloud service providers are actively doing something about it, making cloud computing safe enough to use.
(1) Dorrier, Jason. "There Are 7 Billion Mobile Devices On Earth, Almost One For Each Person - Singularity HUB." Singularity HUB. N.p., 18 Feb. 2014. Web. 02 Dec. 2015. <https://singularityhub.com/2014/02/18/there-are-7-billion-mobile-devices-on-earth-almost-one-for-each-person/>.
(2) Babcock, Charles. "9 Worst Cloud Security Threats - InformationWeek." InformationWeek. N.p., 03 Mar. 2014. Web. 02 Dec. 2015. <http://www.informationweek.com/cloud/infrastructure-as-a-service/9-worst-cloud-security-threats/d/d-id/1114085>.
(3) Singh, Ajey, and Dr. Maneesh Shriastava. "Overview of Attacks on Cloud Computing." 1.4 (2014): 1-3. Web. Nov.-Dec. 2015. <http://www.ijeit.com/vol%201/Issue%204/IJEIT1412201204_57.pdf>.
(4) Gonzalez, Jason. "What Is a DDoS Attack and How Can You Prevent One?" Corporate Compliance Insights. N.p., 14 Feb. 2011. Web. 02 Dec. 2015. <http://corporatecomplianceinsights.com/what-is-a-ddos-attack-and-how-can-you-prevent-one/>.
(5) Olavsrud, Thor. "Cloud Attacks Are Following Enterprise Workloads." CIO. CIO, 23 Apr. 2014. Web. 09 Dec. 2015. <http://www.cio.com/article/2376881/cloud-computing/cloud-attacks-are-following-enterprise-workloads.html>.
(6) Constantin, Lucian. "DDoS Attacks Increase in Number, Endanger Small Organizations." CSO Online. CSOonline, 08 Dec. 2015. Web. 09 Dec. 2015. <http://www.csoonline.com/article/3013032/security/ddos-attacks-increase-in-number-endanger-small-organizations.html#tk.lin_cso>.
(7) "AWS Best Practices for DDOS Resiliency." Amazon Web Services, June 2015. Web. 09 Dec. 2015. <https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf>.
(8) "Real-time Visibility into Global Cyber Attacks." Norse. N.p., n.d. Web. 02 Dec. 2015. <http://www.norse-corp.com/>.