Cloud Security Pentesting - Why it’s more needed than ever
Moving to the Cloud makes sense:
The trend of moving to the cloud makes perfect sense for most companies both technically and financially. You can spin up a cloud server in mere minutes, and only pay for what you use. It’s fast, convenient, and endlessly scalable. Cloud environments are dynamic, ever-changing, and unique to every company. And while these aspects add value for your organization, they also make traditional cybersecurity efforts a thing of the past.
Working in the cloud requires a unique and comprehensive cybersecurity approach, with strategy and tools as fluid as your environment. The only way to keep your company and data secure is through a continuous, real-time approach to cybersecurity. If data storage changed, why shouldn't cybersecurity change too?
The answer: it should. Companies using cloud environments face new threats that must be approached differently.
This growth brings many advantages with it, but it also implies some risks. Cybersecurity is not keeping up with the expansion into cloud environments, and leaving it behind may have serious consequences.
So, what needs to be done to prevent fraud and damage? Just as companies move toward the cloud, security must move in the same direction. We need to find the best way to protect our cloud assets.
Do cloud providers truly protect our assets?
Most IT professionals assume that their cloud provider, whether it's AWS (Amazon Web Services), Microsoft Azure, or Google Cloud, handles cybersecurity on their behalf. And they do, to a certain extent. They keep their systems updated and patch vulnerabilities daily. The technical end is handled quite well. But there is a threat they don't seem to solve.
Humans are the problem
What cloud providers can't control are the end users. It turns out that you – yes, you and your employees – are the problem. This means that whether you use AWS, GCP, Azure or hosting services, you likely need cloud security tools to help keep your company protected. The tools the cloud vendor provides aren't enough.
The vast majority of cloud vulnerabilities are user-caused. For example, cloud providers allow admins to get very fine-grained with their permissions, which is appreciated. However, admins sometimes don’t understand the nuances of these permissions. They may assume that checking a box to make a file “public” means only folks within the organization can access it, but it actually means anyone across the globe can get in.
Biggest threats facing your cloud security
- User-caused misconfigurations
- Insecure APIs & Web Applications
- Hijacking of accounts
- Accidental Data Sharing
User-caused misconfigurations: as opposed to Common Vulnerabilities and Exposures (CVEs), which are caused by software, misconfigurations are caused by humans. While CVEs can be easily fixed by applying a patch or update, misconfigurations don't have a unique patch associated with them, so the solution may be harder to find.
This type of vulnerability is just as dangerous as any CVE and can be used by attackers to hack your company. Sometimes, changes to your cloud may happen without anyone noticing: accidents happen. With cloud environments becoming more and more advanced, users face more options to edit settings with no deep understanding of the consequences.
Ignorance is not our only problem. If it's combined with our desire to look for more convenient solutions, things may get even worse. For instance, paying for convenient use of the cloud and changing the settings may leave the company paying for ransomware in the future. Making the user's life easier is recommended to a certain extent. Removing multi-factor authentication sounds good, but it also sounds like putting your company at risk. The same goes for setting folders public instead of granting individual permissions.
Other examples include modifying an S3 bucket policy to public, giving every cloud user admin access for convenience, or spinning up a public MongoDB instance without authentication. Settings must be taken seriously, and admins shouldn't change them without understanding what they do.
Insecure APIs & Web Applications:
Applications running with vulnerabilities can be the gateway into a cloud environment. If a hacker compromised a web application 10 years ago, they would have probably landed on a server inside the target's network. Now, it’s more common for hackers to land in the target's cloud environment. For example: if a malicious hacker gets remote code execution on an application running on an AWS EC2 (virtual machine), they can use that as a pivot point to compromise the rest of the cloud.
Hijacking of Accounts:
It's common for applications and developers to use API tokens to interact with the cloud. Sometimes, these tokens are embedded within applications, or if using AWS, it's common to retrieve them by sending an HTTP request to the metadata URL. Once the token is exposed, it can be utilized to hijack the account. For example: If a hacker finds a server-side request forgery (SSRF) vulnerability in a web application, it can be leveraged to retrieve AWS tokens via the metadata URL. Then, the account can be hijacked.
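The mitigation for the SSRF-to-metadata path described above is to require the session-token (IMDSv2) flow on every instance and keep the hop limit at 1. The following audit is an added example, not Red Sentry code: it evaluates `MetadataOptions` from a constructed `describe_instances`-shaped sample (the instance ids are placeholders) and reports instances that still answer plain metadata GETs.

```python
"""Audit EC2 instance metadata settings so that an SSRF bug cannot simply fetch
role credentials from the metadata URL (added example, not Red Sentry code)."""
from typing import Dict, List

# Constructed sample shaped like an EC2 describe_instances reservation list
# (instance ids are placeholders, not real assets).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0example1", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example2", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example3", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example4", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]

def audit_imds(reservations: List[dict]) -> Dict[str, List[str]]:
    """Return {instance_id: [finding, ...]} for instances whose metadata
    service settings make credential theft through SSRF easier.

    HttpTokens != "required": IMDSv1 still answers plain GETs, so a request
        forged through an SSRF bug returns the instance role's credentials.
    HttpPutResponseHopLimit > 1: the IMDSv2 session-token response may be
        forwarded beyond the instance itself (e.g. via container NAT).
    """
    findings: Dict[str, List[str]] = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service off: nothing to fetch
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens is not 'required')")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("HttpPutResponseHopLimit > 1")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings

if __name__ == "__main__":
    for instance_id, issues in audit_imds(SAMPLE_RESERVATIONS).items():
        print(instance_id, "->", "; ".join(issues))
```

In a live account the same function can be fed the `Reservations` list returned by the EC2 `describe_instances` API call.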
Accidental Data Sharing:
Data is the new gold, which is why it’s the first thing hackers go after. Credit card numbers, social security numbers, passwords, medical records, and more have all been breached at some point due to them being publicly accessible. Hackers routinely probe for open S3 buckets, databases such as ElasticSearch and MongoDB, and more. Sensitive data can be stored almost anywhere. It's important to make sure it's not accidentally exposed to the internet, where it is publicly available to the world.
What can we do to avoid threats and keep data and assets protected?
At Red Sentry, we recommend a combination of ongoing vulnerability scanning and penetration testing, which both have unique benefits for your company.
Vulnerability scanners look for known vulnerabilities and misconfigurations in your cloud environment and report potential exposures. Because vulnerability scanners are automated, they are able to test a larger scope of assets. Thousands of assets can be tested, instead of just a handful. Some scanners, like Red Sentry’s, are also continuous and notify you the second a new vulnerability is found within your environment.
Penetration tests (Pentests) go a step further and exploit the vulnerabilities found to determine the degree to which an attacker can gain access to your assets. Because penetration testers are humans and not software, they’re able to think more like malicious hackers and dive deeper into vulnerabilities, to give you a more realistic idea of your weaknesses.
Most companies undergo only one annual penetration test, and only on their publicly facing external assets. What many people don't know is that penetration testing can (and should) be done on cloud environments as well. As it's a newer technique, some IT professionals are not even aware that it's an option. Cloud providers don't offer this as part of their service – it's up to each cloud customer to get a penetration test for their own environment.
Cloud penetration testing largely works by policy-matching. That is, by checking the company’s cloud permissions to make sure they’re set how they should be. A good cloud penetration tester will check for open S3 buckets, ensure that multi-factor authentication is turned on, attempt privilege escalation, and more.
While performing penetration tests on your cloud environments (as well as your web applications, internal environment, and external assets) will certainly go a long way toward keeping data out of nefarious hands, IT experts should be intentional about what kind of cloud penetration testing expertise they engage with.
Cloud Scanner Methodology: How does it work?
- Onboarding: In order for the scanner to start, you add your cloud provider credentials, with the permissions the scanner needs to read your environment.
- Collecting: We collect all of our security benchmarks. These benchmarks are based on the CIS Benchmark, which provides a standard for cloud security.
- Parsing: Then, we extract and parse all of the information from the target infrastructure.
- Checking: We compare the data extracted from your cloud provider and check it against our list of Benchmarks.
- Reporting: Finally, we show the results in the Cloud Scanner dashboard and its corresponding report.
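The policy-matching idea from the earlier section (open S3 buckets, MFA turned on) and the collect/parse/check/report steps above, as an added example that is not the Red Sentry scanner: the inventory is a constructed sample in the shape a collector would pull from the AWS APIs (bucket, user and account identifiers are placeholders), each benchmark is a check function, and the scan reports only the benchmarks that fail.

```python
"""Minimal policy-matching scan following the collect/parse/check/report steps
above (added example, not the Red Sentry scanner)."""
from typing import Callable, Dict, List
# Constructed inventory in the shape a collector would pull from the AWS APIs
# (bucket, user and account identifiers are placeholders).
INVENTORY = {
    "s3_buckets": {
        "site-assets": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]},
        "customer-exports": {"Statement": [
            {"Effect": "Allow", "Action": "s3:*",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/Exporter"}}]},
    },
    "iam_users": [
        {"UserName": "alice", "HasConsolePassword": True, "MfaEnabled": True},
        {"UserName": "bob", "HasConsolePassword": True, "MfaEnabled": False},
        {"UserName": "ci-deploy", "HasConsolePassword": False, "MfaEnabled": False},
    ],
}

def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def check_public_buckets(inv: dict) -> List[str]:
    """Flag Allow statements for everyone that carry no restricting Condition."""
    return [f"S3 bucket '{name}' grants {st.get('Action')} to everyone"
            for name, policy in inv["s3_buckets"].items()
            for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and not st.get("Condition")
            and _is_wildcard_principal(st.get("Principal"))]

def check_console_mfa(inv: dict) -> List[str]:
    """Flag console users (password set) without MFA, as the CIS Benchmark requires."""
    return [f"IAM user '{u['UserName']}' has a console password but no MFA"
            for u in inv["iam_users"] if u["HasConsolePassword"] and not u["MfaEnabled"]]

BENCHMARKS: Dict[str, Callable[[dict], List[str]]] = {
    "S3 bucket policies must not grant public access": check_public_buckets,
    "Console users must have MFA enabled": check_console_mfa,
}

def run_scan(inv: dict) -> Dict[str, List[str]]:
    """Checking and reporting: run every benchmark, keep only those that fail."""
    return {title: hits for title, check in BENCHMARKS.items() if (hits := check(inv))}
```

Adding a benchmark is a matter of writing one more check function and registering it in `BENCHMARKS`; the scan output maps each failed benchmark title to the affected resources.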
Who is really in charge of pentests?
There can be widely varying skill levels among penetration testers. Big companies may introduce their customers to their experienced, A-list ethical hackers, but it may be someone far more junior that’s handling the project. When hiring a firm to perform a cloud penetration test, be sure to find information about the team members that will actually be doing the work.
How can I feel protected?
If your annual penetration test doesn't find any vulnerabilities, don't assume you're in great shape until next year. Of course, it usually means good news, but new misconfigurations pop up daily. And there's also a chance the company or the penetration tester assigned to your project may have missed something. Unfortunately, it is not easy to feel safe. Yet there are some interesting options that bring you closer to that stage.
Automated vulnerability scans can run continuously, so you’re notified as soon as a misconfiguration occurs. These tools are consistent among customers, so you don’t have to worry about the skill of the person assigned to you. Obviously, any technology is only as effective as the team that developed it, so research must be done here too. Watch a demo, get a free trial, read reviews, and ask for references.
Whether you choose a traditional penetration test or an automated vulnerability scanner (or ideally, both), adding this tool to your cybersecurity arsenal will help ensure that user errors don’t compromise the security of your cloud assets.