CLOUD PENETRATION TESTING

Cloud adoption is here to stay; there are no two ways about it. The question remains: does a cloud service model (IaaS, PaaS, SaaS) provide a safe and secure environment for its users? Identify vulnerabilities, insecure configurations and weak controls within your cloud systems.


What is Cloud Penetration Testing?

An authorised cyber attack simulation exercise against cloud assets hosted in a cloud provider's environment.

The main objective of cloud pentesting is to identify and mitigate security risks in cloud computing.

Cloud security is everyone’s business. Gartner predicts that, through 2020, 95 percent of cloud security failures will be the customer’s fault.


What can't be tested in the Cloud?

Anything that belongs to the cloud provider, such as the underlying infrastructure, the provider's facilities and the environments of other partners or vendors, cannot be tested. Beyond the headline offerings of the major public cloud providers, cloud models can be a fuzzy concept for a beginner, especially the shared responsibility model. In simple terms:

The cloud provider is responsible for security OF the cloud.

The tenant (the client organisation) is responsible for security IN the cloud.

The following diagram shows the differences between shared responsibility models in the cloud. Whether it is an Azure pentest, an AWS security assessment or a cloud risk assessment, these principles are the pillars of almost every cloud implementation.

(Diagram: Cloud Security Responsibility)

What are the security risks of cloud computing?

To make the different security risks easy to understand, this section gives an example for each risk mentioned below. The security risk areas remain the same, but the underlying attack vector may change depending on the cloud model and/or vendor (Azure, AWS, others). For instance, Amazon S3 buckets have a history of security misconfiguration linked to data leakage. Azure blob storage has been abused more than AWS storage and is subject to identity-based attacks.

Cloud-hosted content such as movies, music, software and other sensitive information are examples of intellectual property theft caused by insecure cloud resources. Around half of departing employees unintentionally or deliberately leave with confidential information.

Compliance requirements also apply to cloud-hosted data. For instance, in the health industry there are NHS Data Security Standards defined in the Data Security and Protection Toolkit.

A data breach can occur through data theft or data leakage (insecure storage). Major breaches involving the loss of sensitive customer data hit business revenue directly. In the case of the Target data breach, media reports quoted net losses at $200 million, and senior management including the CIO, CISO and CEO resigned after the company confirmed that up to 40 million payment details were stolen.

For example, a departing employee may upload CRM data to an online space (cloud storage or a website) to use later in a new job with a competitor. This can also be a supply chain risk, similar to the Capital One data breach.

The two most popular password attacks against cloud services are password spraying and credential stuffing. Password spraying involves threat actors trying one or two of the most commonly used passwords against a large number of user accounts, often via rented botnets. Credential stuffing replays credentials compromised in an earlier data breach against internet-exposed services, on the confirmation or probability that the affected users also use the target service.
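The spraying pattern described above has a distinctive shape in authentication logs: one source touches many accounts with only one or two attempts each, whereas a user mistyping a password hits a single account repeatedly. The following is an added example of detection logic written for this page, not Cyphere's tooling or any provider's API; it assumes a constructed, simplified log format of "timestamp source_ip username SUCCESS|FAILURE" and uses sample lines made up for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format for this example:
# "<ISO-8601 timestamp> <source_ip> <username> <SUCCESS|FAILURE>"
# 203.0.113.7 cycles through six accounts, one attempt each (spraying shape).
# 198.51.100.9 is one user failing three times, then succeeding (normal mistyping).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAILURE
2024-05-01T09:00:04Z 203.0.113.7 bob FAILURE
2024-05-01T09:00:07Z 203.0.113.7 carol FAILURE
2024-05-01T09:00:10Z 203.0.113.7 dave FAILURE
2024-05-01T09:00:13Z 203.0.113.7 erin FAILURE
2024-05-01T09:00:16Z 203.0.113.7 frank SUCCESS
2024-05-01T09:01:00Z 198.51.100.9 grace FAILURE
2024-05-01T09:01:20Z 198.51.100.9 grace FAILURE
2024-05-01T09:01:40Z 198.51.100.9 grace FAILURE
2024-05-01T09:02:00Z 198.51.100.9 grace SUCCESS
"""


def parse_log(text):
    """Turn the raw lines into (timestamp, source_ip, username, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted usernames} for sources that, within any single
    time window, touched at least `min_users` distinct accounts while making no
    more than `max_per_user` attempts against any one of them."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
    return flagged


def accounts_to_review(events, flagged):
    """Accounts that had a SUCCESS from a flagged source: the spray may have
    landed on them, so they are the first candidates for a credential reset."""
    return sorted({user for _, ip, user, outcome in events
                   if ip in flagged and outcome == "SUCCESS"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    hits = detect_spraying(events)
    print("spraying sources:", hits)
    print("accounts to review:", accounts_to_review(events, hits))
```

The thresholds (five accounts, two attempts per account, ten-minute window) are starting points rather than fixed values; tune them against the tenant's normal sign-in volume, and treat any success from a flagged source as a reason to enforce a password reset and MFA on that account.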
The use of APIs (Application Programming Interfaces) is growing at an exponential rate to provide a better experience for users. Without doubt, this raises the risk profile of APIs, and security features must be in place against API-specific attacks such as authentication attacks, parameter tampering, content manipulation and session cookie tampering.
Denial of service (DoS) and distributed denial of service (DDoS) attacks are used to render services unavailable to their users rather than to bypass security controls. They are sometimes used as a smokescreen so that other attack vectors can succeed.

The cloud provider provides the resources; securing them is your responsibility.

Cloud Security Assessment Services

Azure Penetration Testing

Cyphere audits your Azure estate, consisting of the portal, instances and underlying components, to uncover any risks to the organisation. These could be misconfigurations, inherent vulnerabilities or a lack of good security practices. This helps security teams learn about, analyse and remediate vulnerabilities before they are exploited.

AWS Penetration Testing

AWS security reviews cover multiple areas from a security perspective, mainly data leakage/permissions, misconfiguration, Identity & Access Management, networking, and logging & monitoring. Unauthenticated checks include leaked credentials, email addresses and disclosure of cloud resource information.

Office 365 Tenancy Security Review

Office 365 offers a good set of security features. We review your setup and ensure that it covers device management, account policies, application permissions, and security controls around authentication, Exchange, auditing and storage.

Secure Configuration Review

If a cloud-based server is unhardened or weakly configured, the underlying business is left vulnerable and open to loss of reputation and other consequences. The news has been full of data breaches caused by leaky S3 buckets or general misconfigurations.
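A "leaky" bucket is usually one whose policy lets an anonymous principal read objects. The following added example (written for this page, not Cyphere's review tooling) shows a weak bucket policy next to a hardened one and a small checker that flags Allow statements granting object reads to "*". The account ID 111122223333, the bucket name and the role name are placeholders; the policy JSON shapes follow the standard AWS policy grammar.

```python
import fnmatch
import json

# Constructed weak policy: anyone on the internet can read every object.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-reports-bucket/*"
    }
  ]
}
""")

# Constructed hardened policy: reads limited to one application role (placeholder
# account/role ARN), plus a deny for any request that is not made over TLS.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleReadOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-reports-bucket/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-reports-bucket",
                   "arn:aws:s3:::example-reports-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated users."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def grants_object_read(actions):
    """True if any listed action covers s3:GetObject, honouring wildcards such as s3:* or s3:Get*."""
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def public_read_statements(policy):
    """Return (public, conditional): Sids of Allow statements that give anonymous
    principals object read access. Statements with a Condition block (for example
    a VPC endpoint restriction) are reported separately for manual review, since
    the condition may or may not keep them off the public internet."""
    public, conditional = [], []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        if not grants_object_read(st.get("Action", [])):
            continue
        (conditional if st.get("Condition") else public).append(st.get("Sid", "<no Sid>"))
    return public, conditional


if __name__ == "__main__":
    print("weak policy:", public_read_statements(WEAK_POLICY))
    print("hardened policy:", public_read_statements(HARDENED_POLICY))
```

A policy review like this is one input, not the whole check: bucket ACLs, NotPrincipal/NotAction constructs and the account- and bucket-level S3 Block Public Access settings also decide whether data is reachable, so a secure configuration review reads all of them together.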

Cloud Services Risk Assessment

We perform security reviews of cloud services and/or solutions offered by cloud service vendors. These solutions may cover different service models, such as Software-as-a-Service (e.g. Dropbox, ZenDesk) or Platform-as-a-Service (e.g. Salesforce).

Cloud Security Testing

Cyphere has the skill set and extensive experience of working with all the major cloud service providers. As the shared services concept gains more traction, the risk of data leakage increases, with more blind spots than ever.

Benefits of Cloud Penetration Testing

How to approach Cloud Pen Testing?

Understanding the cloud provider's policies: almost all public cloud providers have pen testing processes in place, often known as a customer support policy for pen testing. This policy defines which activities are permitted and prohibited during a pen testing exercise in their environment, and sits alongside similar policies for network stress testing and DDoS simulation testing. AWS, Azure and Google Cloud each publish such a policy.

Businesses looking to conduct cloud security assessments should have a pen testing plan in place. This plan should cover the applications in scope, data access, network access, the laws and regulations the applications or databases must comply with, and the assessment approach (white box, grey box or black box). See our in-depth article on the basics of pen testing.

Continuously identifying vulnerabilities in your cloud assets is very important, as it ensures that no blind spots are present in your environment. The right toolset is an important component, just as it is for on-premises applications. Both cloud and on-premises tools are available, and a thorough requirements analysis should be performed to decide on the correct approach.

This phase builds on the previous one through the tools and resources used. Correct tooling and the right security resources are the two most important aspects of vulnerability identification and analysis. Using in-house teams to perform pen testing may miss certain findings because of close familiarity with the environment. Pen testing with the right security provider is not optional these days; it is the surest way to prove that your cloud assets are securing the underlying data.

Cloud Penetration Testing Methodology

Our cloud security offerings are based on an extensive methodology we have developed over years of experience working across different sectors. It is very important that a cyber security consultancy follows an approach that delivers the right return on your investment. At a high level, our approach to cloud security assessments is as follows:

Step 1

Identity and Access Management

This phase involves reviewing identity and access management controls. Generally, these include checks on the use of high-privilege accounts, use of MFA, password policy, IAM policies, and access key and credential usage policies.

Step 2

Review Authentication Architectures

Authentication and authorisation problems are prevalent security vulnerabilities. Most mobile apps implement user authentication. Even though part of the authentication and state management logic is performed by the back-end service, authentication is such an integral part of most mobile app architectures that understanding its common implementations is important.

Step 3

Network Security

This area involves checks on network security controls such as ingress and egress rulesets, flow logging, traffic restrictions, and least-privilege access.

Step 4

Logging API Calls, Events

All major cloud service providers offer a web service that records API calls made in the tenant account. Each record contains parameters such as the API source, call details and request/response elements. This phase includes a review of the API calls for an account, log file validation, encryption at rest, access checks to confirm logs are restricted from public view, access logging, configuration management and monitoring options.

Step 5

Monitoring

The monitoring phase is one of the critical tasks, responsible for alerting the relevant contacts during an incident. It relies on logging and the related configuration parameters to ensure the right metric filters are in place. These reviews include checks on real-time monitoring configuration and on alarms for any changes made to access control lists, security policies/groups, routing tables and related parameters.
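Steps 3 to 5 above come together in the question a reviewer asks of the API audit trail: would a change to a security group, network ACL, route table or the trail itself, or a privileged sign-in without MFA, actually raise an alert? The following is an added example written for this page (not Cyphere's methodology tooling and not a provider's API) that runs a set of such filters over constructed CloudTrail-style event records. The event dictionaries are made up for the illustration and mirror the common record fields (eventName, eventType, userIdentity, additionalEventData, requestParameters); the account ID, user names and resource IDs are placeholders.

```python
# Event names grouped by the control each filter watches (AWS API names).
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
NACL_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}
ROUTE_EVENTS = {
    "CreateRoute", "CreateRouteTable", "ReplaceRoute", "ReplaceRouteTableAssociation",
    "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable",
}
TRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
WORLD = {"0.0.0.0/0", "::/0"}


def _items(node):
    """CloudTrail nests list parameters as {"items": [...]}; return that list or []."""
    return (node or {}).get("items", [])


def world_open_ingress(event):
    """True when an AuthorizeSecurityGroupIngress call opens a port to the whole internet."""
    if event["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    perms = _items(event.get("requestParameters", {}).get("ipPermissions"))
    for perm in perms:
        ranges = _items(perm.get("ipRanges")) + _items(perm.get("ipv6Ranges"))
        if any(r.get("cidrIp") in WORLD or r.get("cidrIpv6") in WORLD for r in ranges):
            return True
    return False


# Each rule is a predicate over one event record; names are the alert names.
RULES = {
    "root-account-usage": lambda e: e["userIdentity"].get("type") == "Root"
        and e.get("eventType") != "AwsServiceEvent",
    "console-login-without-mfa": lambda e: e["eventName"] == "ConsoleLogin"
        and e.get("additionalEventData", {}).get("MFAUsed") != "Yes",
    "security-group-change": lambda e: e["eventName"] in SECURITY_GROUP_EVENTS,
    "world-open-ingress": world_open_ingress,
    "network-acl-change": lambda e: e["eventName"] in NACL_EVENTS,
    "route-table-change": lambda e: e["eventName"] in ROUTE_EVENTS,
    "cloudtrail-config-change": lambda e: e["eventName"] in TRAIL_EVENTS,
}


def evaluate(events):
    """Return (rule_name, eventName, actor_arn) for every rule each event trips."""
    findings = []
    for e in events:
        actor = e["userIdentity"].get("arn", "<unknown>")
        for name, rule in RULES.items():
            if rule(e):
                findings.append((name, e["eventName"], actor))
    return findings


# Constructed sample events (placeholders, not real records).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"name": "example-trail"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/session"}},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(*finding)
```

In a real review the same predicates are what the tenant's metric filters and alarms should encode; if replaying recent trail events through them produces findings that never reached an on-call contact, the monitoring control has a gap regardless of how complete the logging is.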
