CLOUD PENETRATION TESTING
Cloud adoption – there’s no two ways about it. The question remains whether a cloud service model provides a safe and secure environment for its users. Let us perform cloud penetration testing and identify security vulnerabilities, insecure configurations and controls within your cloud computing environments.
What is Cloud Penetration Testing?
An authorised cyber attack simulation exercise against cloud assets hosted on a cloud provider environment.
The main objective of cloud penetration testing, or cloud pentesting, is to identify and mitigate security risks in cloud computing, so that the security posture, strengths and security weaknesses of cloud systems can be assessed. It is composed of external (Internet-facing) and internal cloud penetration test assessments.
Security of cloud infrastructure is everyone’s business. Gartner predicts that, through 2020, 95 percent of security failures in cloud environments will be the customer’s fault.
What can't be tested in cloud services?
The parts of the cloud environment that belong to cloud management, such as the underlying cloud infrastructure, cloud provider facilities, and other partners or vendors, cannot be tested in cloud penetration testing. Apart from major public cloud provider offerings, cloud models can be fuzzy concepts for a beginner, especially shared responsibility models. This simply means:
- The cloud provider is responsible for security of the cloud
- The tenant or client organisation is responsible for security in the cloud
The following diagram demonstrates the differences between shared responsibility models in the cloud. The following design principles are pillars to almost every cloud implementation.
Vulnerabilities identified during cloud security testing
To make the different security risks and security posture easier to understand, this section provides examples for each risk mentioned below. Security risk areas remain the same, but the underlying attack vector may change based on the cloud model and/or cloud platform vendor.
For instance, Amazon buckets have a history of security misconfiguration linked to S3 bucket data leakage. Azure blob storage has been a target too and is subject to identity-based attacks. Another example is an Office 365 tenancy whose security configuration is not in line with good security practices.
Intellectual Property Theft
Theft of cloud-hosted content such as movies, music, software and lots of other sensitive information from insecure cloud resources is an example of IP theft.
Around half of the departing employees unintentionally or deliberately leave with confidential information.
Compliance Violations and/or Regulatory Actions
Loss of compliance with standards and regulations such as PCI DSS, ISO 27001 and GDPR. For instance, in the health industry, there are NHS Data Security Standards defined in the Data Security and Protection Toolkit.
Data Breaches
A data breach could occur due to data theft or data leakage (insecure storage). Major data breaches covering loss of customer data involving sensitive information directly hit business revenue. Reveal all possible vulnerabilities in your cloud storage with cloud penetration testing today and avoid any data breaches in future.
In the case of the Target data breach, media reports quote net losses at $200 million. Senior management, including the CIO, CISO and CEO, resigned as the company confirmed up to 40 million payment details were stolen.
Insider Threats
For example, a departing employee uploads CRM data to an online space (cloud storage or a website) to be used later when employed in a new job with a competitor. Insider attacks may include examples related to supply chain risks, similar to the Capital One data breach. Avoid being a victim of insider threats by performing cloud penetration testing.
Credential Attacks
The two most popular password attacks against cloud services are password spraying and credential stuffing. Password spraying involves threat actors attempting one or two of the most commonly used passwords against a large number of users via rented botnets.
Credential stuffing attacks use compromised data from a data breach, which is attempted against internet-exposed services based on the confirmation or probability that the affected users utilise the target service.
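A detection sketch for the password spraying pattern described above, added here as an example and not Cyphere's own tooling: because the attempts arrive via botnets, a per-source-IP failure threshold misses them, while a tenant-wide count of accounts with only one or two failures does not. The event tuple layout, thresholds and sample sign-in events are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def per_ip_alerts(events, threshold=5):
    """Classic lockout-style rule: N or more failures from one source IP."""
    fails = Counter(ip for _, _, ip, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spray_alert(events, window=timedelta(minutes=30), min_users=10, max_per_user=2):
    """Tenant-wide rule: many accounts, each failing only once or twice inside
    one window, regardless of source IP. Returns the affected accounts for the
    first window that trips, else an empty list."""
    fails = sorted((datetime.fromisoformat(ts), user)
                   for ts, user, _, ok in events if not ok)
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        per_user = Counter(user for _, user in fails[start:end + 1])
        low = sorted(u for u, n in per_user.items() if n <= max_per_user)
        if len(low) >= min_users:
            return low
    return []

def sample_events():
    """Constructed sign-in events: (timestamp, user, source_ip, success)."""
    base = datetime(2024, 1, 15, 9, 0)
    events = []
    # Spray: 12 accounts, one failure each, every attempt from a different address.
    for i in range(12):
        ts = (base + timedelta(seconds=40 * i)).isoformat()
        events.append((ts, f"user{i:02d}@example.com", f"198.51.100.{10 + i}", False))
    # Noise: one user mistyping a password six times from a single address.
    for i in range(6):
        ts = (base + timedelta(minutes=1, seconds=5 * i)).isoformat()
        events.append((ts, "dave@example.com", "203.0.113.7", False))
    events.append((base.isoformat(), "erin@example.com", "203.0.113.9", True))
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP rule flags:", per_ip_alerts(ev))
    print("spray rule flags:", spray_alert(ev))
```

On the sample data the per-IP rule only flags the user who mistyped a password, while the tenant-wide rule flags the sprayed accounts and ignores that user.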
Insecure APIs
The use of APIs (Application Programming Interfaces) is growing at an exponential rate to provide a better experience for users. Without a doubt, this raises the risk profile of APIs, making it important to ensure security features are in place against API-specific attacks such as authentication attacks, parameter tampering, content manipulation attacks and session cookie tampering.
DDoS Attacks
These attacks are used to render services unavailable for their users and are not used to bypass security controls. DDoS and DoS attacks are sometimes used as a smokescreen for multiple other attack vectors to be successful.
Cloud Pen Testing Services
Azure Penetration Testing Cloud
Whether you are utilising the classic portal or ARM, our cloud security assessments can help you assess and remediate the security vulnerabilities.
It also detects insecure configuration in storage blobs, Azure services and products.
AWS Penetration Testing Cloud
These pentests include three different service areas, targeted at cloud app security testing, external and internal cloud components.
Data leakage, misconfiguration, Identity & Access Management, Networking, and Logging & Monitoring are the main pillars of an AWS security strategy.
Office 365 Security Review
The Cyphere Office 365 Security Review includes a thorough review of your current setup against O365 security risks and ensures that your setup follows Office 365 security controls around Device Management, Account Policies, App Permissions, and security controls around authentication, Exchange, auditing and storage.
Build Configuration Review
If a cloud-based server is unhardened or weakly configured, this leaves the underlying business vulnerable and open to loss of reputation and other implications.
Data breaches and cyber-attacks are often due to leaky S3 buckets or general misconfigurations.
GCP Penetration Testing
Google Cloud penetration testing to meet all your GCP security demands. These services cover different cloud models, such as Software as a Service solutions or PaaS security risks.
Our GCP security tests help you to assess and remediate risks to keep your assets with minimal attack surface.
SaaS Security Testing
Cyphere have the skill-set and extensive experience of working with all the major cloud service providers.
As the shared cloud services concept gains more traction, the risks of data leakage and its implications are increasing, with more blind spots than ever.
Benefits of Cloud Pentesting
- Cloud penetration testing gives better visibility of cloud process alignment
- Secure validation of internal and third-party integrations
- Support for ever-changing regulatory/compliance requirements
- Cloud penetration testing ensures strong authentication, authorisation and encryption mechanisms
- Cloud penetration testing demonstrates data security commitment
- Less is more - reduced costs, servers and staff
How to pentest cloud computing environments?
1. Understanding Cloud Provider
Understanding the policies of cloud providers – Almost all public cloud providers have cloud pen testing processes in place. This is often known as the customer support policy for cloud penetration testing. This policy specifically defines what activities are permitted and prohibited under a cloud penetration testing exercise in their environment.
It is similar to other policies, such as those for network stress testing and DDoS simulation testing. Examples of these cloud penetration test rules of engagement or permission policies (such as those for Microsoft, Amazon Web Services, Google or Oracle Cloud Security Testing) are available on cloud provider portals.
2. Creating a Pen Test Plan
Businesses looking to conduct cloud penetration testing (or security assessments) should have a cloud penetration test plan in place. This plan should include information related to applications, data access, network access, laws & regulations to comply with for the cloud application or database security testing, and the assessment approach (white box, grey box or black box). See our in-depth article for the basics of security reviews.
3. Vulnerability Identification Process
Constantly identifying vulnerabilities in cloud environments is very important. Cloud penetration testing ensures that no blind spots are present in your environment.
Just as on-premises, the right toolset is an important component of cloud application security testing or a security audit. Both cloud and on-premises tools are available, and a thorough requirements analysis should be performed to finalise the correct approach.
4. Resource Risk Analysis
This phase is related to the previous one, based on the tools and resources used. Correct tooling and security resource usage are the two most important aspects of vulnerability identification and analysis.
Using in-house teams to perform cloud penetration testing may miss certain findings due to close familiarity with the cloud environment. Cloud testing with the right cloud service provider is not optional these days; it’s the surest way to prove that your cloud assets are securing the underlying data.
5. Risk Remediation
Risk remediation is an important element that feeds back into the risk management programme of an organisation. All risk advice is provided in our deliverables after cloud pentesting services and cloud environment to help the security team analyse and devise remediation plans. It includes a description of risks in the context of the environment, followed by attack probability and impact.
If required, Cyphere provides additional remediation consultancy given the complexity around risk and specific skill-set required for risk remediation of cloud penetration testing findings.
Your trusted Cloud penetration testing services provider
Cloud Security Penetration Test Methodology
Our cloud security offerings are based on an extensive methodology we have developed over years of experience working across different sectors. It’s very important that a cyber security consultancy follows an approach that delivers the right returns on your investment.