Bill Carver
- Lack of multi-factor authentication – A cloud breach is often achieved by using common vulnerabilities, public data exposures, and active credential guessing attacks, for example by enumerating a potential email address off of a public data source and guessing credentials. You may find it surprising that many cloud services do not use multifactor authentication right out of the box.
- Integration of cloud and on-premise networks – Integrating cloud and on-premise environments makes it easier to migrate resources, users, and accounts out to a cloud provider. However, it does increase risk, especially if federated authentication, shared user accounts, and the same active directory environment are used. This makes it much easier for attackers to pivot into traditional (often less secure) network resources once they have gained access to the cloud.
- Poor permission configuration – Security can sometimes take a back seat when developers are trying to be agile and for simplicity, accounts can be over-permissioned. This is a growing problem, in part because of the increasing popularity of public repositories and Internet services like GitHub to manage code and configurations. This has led to a rise in accidental pastes of copied user names and passwords on the Internet, which can be leveraged by malicious actors.
How You Can Protect Yourself
With these issues in mind, what steps can you take to improve your cloud security? First, it’s important to practice proper cloud hygiene at the outset by: (a) clearly defining requirements, (b) isolating development, staging, and production environments, and (c) limiting privileges in all environments to guard against escalation by malicious actors.
Second, NetSPI recommends pentesting regularly and fully. This includes penetration testing all layers of your environment and using cloud configuration reviews to evaluate how well the security controls your cloud provider has available are actually protecting your cloud application(s). Traditional penetration testing does not go deep enough when you are running cloud applications, which is why more rigorous cloud penetration testing is critical.
In addition to the common insights gained from an external penetration test, a cloud penetration test goes much further to include testing on cloud hosts and services. Internal network layer testing of virtual machines and services from the cloud virtual networks are included, as well as external network layer testing of externally exposed services. In addition, a configuration review of cloud services also includes reviews of firewall rules, access controls (IAM/RBAC) of users/roles/groups/policies, as well as utilized cloud services (storage, databases, etc.).
Recommendations for Undertaking Cloud Penetration Testing
It’s clear that full and regular pentesting is a sure-fire way to improve the security of your applications and data residing in the cloud and ultimately your on-premise network if both environments are closely integrated. If you are planning on undertaking cloud penetration testing, NetSPI recommends the following best practices:
- Ensure systems and services are updated and patched in accordance with industry/vendor recommendations
- Verify if identity and access management (IAM) and role-based access control (RBAC) roles are assigned appropriately and not over-permissioned and there is no provision for permission escalation
- Use security groups and firewall rules to limit access between services and virtual machines
- Ensure that sensitive information is not written in clear text to any cloud storage services and encrypt data prior to storage
- Verify user permissions for any cloud storage containing sensitive data and ensure that the rules represent only the users who require access to the storage
- Ensure only the appropriate parties have access to key material for decryption purposes
One Last Thought
As a security vendor, we hear statements every day like, “Cloud doesn’t change anything from a security perspective because it’s all the same stuff, just in a different place” or “My cloud provider takes care of security.” In the rush to embrace cloud and its advantages, some security best practices have fallen by the wayside. Now’s the time to refocus on securing assets by working proactively with your cloud services provider and cloud penetration testing regularly. The last thing you want is to be included in those ever-increasing cloud breach statistics.
Learn about NetSPI’s cloud penetration testing services for AWS, Azure, and Google Cloud.
[post_title] => Your Cloud Assets are Probably Not as Secure as You Think They Are [post_excerpt] => Despite a plethora of available tools and resources, there are still many ways to configure cloud services incorrectly. According to a Wall Street Journal article published earlier this year, research and advisory firm Gartner Inc. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => your-cloud-assets-are-probably-not-as-secure-as-you-think-they-are [to_ping] => [pinged] => [post_modified] => 2024-03-29 17:51:07 [post_modified_gmt] => 2024-03-29 22:51:07 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=14043 [menu_order] => 549 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 3 [current_post] => -1 [before_loop] => 1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 17411 [post_author] => 53 [post_date] => 2020-02-26 10:40:32 [post_date_gmt] => 2020-02-26 16:40:32 [post_content] =>Overview
Nearly every organization is talking about moving to the cloud, developing a strategy to move to the cloud, in the process of moving to the cloud, or already all in on the cloud. Where do you fall in this journey?
Join two of NetSPI’s cloud security experts, VP of Research Karl Fosaaen and former CISO/Managing Director Bill Carver to learn if your cloud assets are as protected as you think they are.
Key highlights:
- 1:33 – Moving to the cloud
- 6:05 – Are your cloud assets as protected as you think?
- 7:45 – Common cloud security challenges
- 12:18 – How you can protect yourself
- 15:35 – How cloud penetration testing differs from external pentesting
- 18:00 – Recommendations for cloud testing
Moving to the Cloud
Cloud security is challenging, and many companies are behind in protecting their cloud assets. Part of the reason is that for years, the cloud was seen as a buzzword, and companies often thought it wouldn’t have much of an impact from a security perspective. Even some experienced security professionals have minimized or overlooked the security challenges associated with the cloud.
Now, nearly every organization is either:
- Talking about moving to the cloud
- Developing a strategy to move to the cloud
- In the process of moving to the cloud
- Already in the cloud
However, from a security perspective, the narrative has often been:
- Cloud providers are taking care of security
- Cloud security is the same as traditional security
- Cloud security expertise has kept pace
- Outsourcing your assets reduces risk
In some cases, individuals within companies have taken shortcuts by adopting the cloud and using cloud applications without information security oversight, which presents significant risks from a security perspective. And this leaves security professionals behind in implementing best practices to effectively protect organizations’ cloud assets.
Are Your Cloud Assets as Protected as You Think?
Given the momentum surrounding moving to the cloud and the fact that most security teams have been slow to respond, cloud assets likely aren’t protected as some may think.
Some challenges with securing cloud assets include:
- Despite available resources, there are still many ways to configure services incorrectly
- Public and non-public breaches seem to happen weekly, and the maturity of information security programs doesn’t seem to influence the likelihood of a breach
- A single mistake in a cloud environment could be disastrous
- Many of the technologies and designs that have resulted in recent cloud breaches are used in most environments
Common Cloud Security Challenges
At NetSPI, our expert human pentesters regularly run cloud penetration tests against client environments. A common pattern is that similar issues are found across different platforms, environments, and verticals.
Top challenges include:
- Credentials can be obtained by numerous sources: By utilizing common vulnerabilities, public data exposures, and active credential guessing attacks, attackers can gain access to cloud environments.
- Properly configuring permissions can be difficult: Security can often take a backseat when developers are trying to be agile.
- Integrating cloud can create risk for on-premise technology: By integrating cloud and on-premise environments, organizations are making it easier for attackers to pivot into traditional (often less secure) network resources.
How You Can Protect Yourself
Given the challenges related to cloud security, it’s important for organizations to understand how to protect against risks. A key to effective cloud security is to shift the mindset away from thinking that the cloud is the same or similar to traditional infrastructure.
As more breaches happen across organizations, this mindset is changing and security teams are thinking more about cloud-centric activities like conducting risk assessments of cloud infrastructure, establishing recurring processes and methodologies, and adopting and documenting cloud security control checklists.
Some steps organizations and security teams can take to protect cloud assets include:
- Practice proper cloud hygiene
- Define requirements
- Isolate your development, staging, and product environments
- Limit privileges in all environments
- Test regularly and fully
- Penetration test all the layers of your environment
- Utilize cloud configuration reviews
How Cloud Penetration Testing Differs from External Network Penetration Testing
With Cloud Penetration Testing compared to External Network Penetration Testing (which is more of the traditional environment review), the cloud penetration test focuses on all of the standard issues we're going to look for on any cloud service.
While many penetration deliverables are applicable to both external and cloud pentesting, some additional deliverables specific to cloud penetration testing include:
- Network penetration testing includes internal network layer testing of all virtual machines and services from the cloud virtual networks, along with external network layer testing of externally exposed sources
- Configuration of cloud services: review of firewall rules, IAM/RBAC, review of users/roles/groups/policies, review of utilized cloud services (including but not limited to, servers, databases, and serverless computing)
Are you getting the most out of your penetration testing reports? See our Penetration Testing Report Example to double check.
Recommendations for Cloud Testing
For cloud testing to be effective, companies and security teams need to take a proactive role in understanding the full scope of their cloud environments and the services or applications they have, and ensuring systems and services within these cloud environments are being updated.
Once you have a grasp on the full scope of your cloud environment, some best practices for cloud testing include:
- Ensure systems and services are updated and patched in accordance with industry/vendor recommendations
- Verify IAM/RBAC roles are assigned appropriately
- Utilize security groups and firewall rules to limit access between services and virtual machines
- Ensure that sensitive information is not written in cleartext to any cloud services, and encrypt data prior to storage
- Verify user permissions for any cloud storage containing sensitive data and ensure that the rules represent only the users who require access to the storage
- Ensure only the appropriate parties have access to key material for decryption purposes
Protect Your Assets with NetSPI’s Cloud Penetration Testing
Whether your company is at the early stages of talking about moving to the cloud, already in the cloud—or at any stage in between—prioritizing cloud security is critical to protecting your cloud assets.
NetSPI’s Cloud Penetration Testing services can help your business identify vulnerabilities in your AWS, Azure, or GCP cloud infrastructure, reduce organizational risk, and improve cloud security. Our expert cloud pentesters follow manual and automated penetration testing processes and focus on Configuration Review, External Network Cloud Pentesting, and Internal Network Pentesting.
Learn more about NetSPI’s Cloud Penetration Testing Services to schedule a demo to discuss in more detail.
[wonderplugin_video iframe="https://youtu.be/l3OAJyauhBA" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => Best Practices to Protect Your Organization's Cloud Assets [post_excerpt] => Nearly every organization is talking about moving to the Cloud, developing a strategy to move to the Cloud, moving to the Cloud, or already all in on the Cloud. Join two of NetSPI’s cloud security experts, Practice Director Karl Fosaaen and CISO/Managing Director Bill Carver to learn if your cloud assets are as protected as you think. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => best-practices-to-protect-your-organizations-cloud-assets [to_ping] => [pinged] => [post_modified] => 2024-03-29 17:48:57 [post_modified_gmt] => 2024-03-29 22:48:57 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=17411 [menu_order] => 82 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 3 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 48601efb8082b61117f6c1bd42dd2cb8 [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [allow_query_attachment_by_filename:protected] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )