Cloud Security Audits, Cloud VAPT, Penetration Testing

Why are businesses failing to protect cloud and PII data?

  • Increasing cloud adoption is also leading to increased cloud risks due to moving to the cloud without a security architecture design.
  • Some of the top cloud risks include Misconfiguration, Insecure Interfaces and API Risks, Weak Control Planes, Access and Key Management, Account Hijacking, etc., resulting in increased data breaches.
  • IaaS Providers state that the data security lies with the PaaS, SaaS providers or the organizations that store data on the cloud platforms.
  • Organizations are failing to protect sensitive data in the cloud. Businesses are taking advantage of the cloud, but not applying adequate security.
  • The challenge in addressing the threat of data loss and data leakage is that the organizations opt to keep offline backups of data to reduce data loss, which eventually increases the exposure to data breaches.
Accedere Inc

Understanding Attack Scenario:

During an attack, an outside party attempts to flood an organization’s systems with a large number of connections in order to overwhelm them. Because attackers can use programs or bots to generate traffic from many sources, an organization cannot stop the attack from shutting down a specific process by blocking just one IP address.

There are three basic categories of attack:

  • Volume-based attacks, which use high traffic to inundate the network bandwidth
  • Protocol attacks, which focus on exploiting server resources
  • Application attacks, which focus on web applications and are considered the most sophisticated and serious type of attack

Studies agree that providers need more comprehensive cloud security measures to mitigate an attack such as a DDoS incident. However, organizations should also be aware that the main purpose of an attack is not just to disrupt a system but to steal data as well.
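The point above about blocking a single IP address can be seen in a small detection sketch. This is an added example, not part of the original page: the log is constructed, the addresses come from documentation ranges, and the window and thresholds are assumptions chosen for illustration.

```python
from collections import deque

WINDOW = 10  # seconds in the trailing window (assumed value)

def build_sample():
    """Constructed log of (timestamp_s, source_ip) connection attempts."""
    events = []
    for t in range(0, 60, 2):  # three regular clients, one connection every 2 s
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            events.append((t, ip))
    for i in range(200):       # 200 bots, only 4 connections each, t = 30..39
        for k in range(4):
            events.append((30 + (i + 3 * k) % 10, f"203.0.113.{i}"))
    return sorted(events)

def per_source_offenders(events, limit, window=WINDOW):
    """Source IPs with more than `limit` connections in any trailing window."""
    recent, offenders = {}, set()
    for ts, ip in events:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while q[0] <= ts - window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > limit:
            offenders.add(ip)
    return offenders

def aggregate_alert(events, limit, window=WINDOW):
    """First moment the total connection count in the window exceeds `limit`."""
    q = deque()
    for ts, ip in events:
        q.append((ts, ip))
        while q[0][0] <= ts - window:
            q.popleft()
        if len(q) > limit:
            return {"time": ts, "connections": len(q),
                    "sources": len({src for _, src in q})}
    return None

if __name__ == "__main__":
    log = build_sample()
    # Every bot stays under the per-source limit, so no single IP stands out.
    print("per-source offenders:", per_source_offenders(log, limit=10))
    # The total across all sources is what reveals the flood.
    print("aggregate alert:", aggregate_alert(log, limit=100))
```

The per-source check returns nothing because each bot stays below the limit, while the aggregate check fires one second into the burst and reports how many distinct sources are involved.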


Attacks on OSI Layers:

| OSI Layer | Protocol Data Unit (PDU) | Protocols | Examples at Each Level Considering OWASP Risks | Potential Impact of an Attack |
|---|---|---|---|---|
| Application Layer | Data | Uses the protocols FTP, HTTP, POP3, & SMTP and uses Gateway as its device. | PDF GET requests, HTTP GET, HTTP POST, website forms (login, uploading photo/video, submitting feedback) | Reach resource limits of services; resource starvation |
| Presentation Layer | Data | Uses the protocols Compression & Encryption. | Malformed SSL requests: inspecting SSL encryption packets is resource-intensive. Attackers use SSL to tunnel HTTP attacks to target the server. | The affected systems could stop accepting SSL connections or automatically restart. |
| Session Layer | Data | Uses the protocols Logon/Logoff. | Telnet DDoS: the attacker exploits a flaw in Telnet server software running on the switch, rendering Telnet services unavailable. | Prevents administrators from performing switch management functions. |
| Transport Layer | Segment | Uses the protocols TCP & UDP. | SYN Flood, Smurf attack | Reach bandwidth or connection limits of hosts or networking equipment. |
| Network Layer | Packet | Uses the protocols IP, ICMP, ARP, RARP, & RIP and uses Routers as its device. | ICMP Flooding: a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network's bandwidth. | It can affect available network bandwidth and impose extra load on the firewall. |
| Datalink Layer | Frame | Uses the protocols 802.3 & 802.5 and its devices are NICs, switches, bridges & WAPs. | MAC flooding: inundates the network switch with data packets. | Disrupts the usual sender-to-recipient flow of data, blasting across all ports. |
| Physical Layer | Bits | Uses the protocols 100Base-T & 1000 Base-X and uses Hubs, patch panels, & RJ45 Jacks as devices. | Physical destruction, obstruction, manipulation, or malfunction of physical assets. | Physical assets will become unresponsive and may need to be repaired to increase availability. |

Areas covered by our Comprehensive Assessments for the Cloud:

The following are some of the security concerns addressed during our Cloud Assessment:

  • Cloud Vulnerability Assessment and Penetration Testing (Cloud VAPT)
  • Authentication, authorization, and identity management
  • Cloud network architecture review
  • Cloud compute architecture review
  • Cloud storage architecture review
  • Configurations architecture review
  • IaaS, PaaS, SaaS audit including Cloud VAPT
  • Data Backup and encryption configuration

The methodology we use to develop and execute these reviews is an amalgam of techniques drawn from cloud service providers' best practices and from security standards from reputable sources (including hardening guides such as the NIST Benchmarks). We periodically align our methodology with the compliance and regulatory standards that many organizations have to adhere to when implementing computing services.