Welcome to the cloud era; the new storage and computing landscape can be as confusing as a five-sided triangle, with countless acronyms, configurations and endless new cloud applications. Most small, medium and large businesses now operate in the cloud in various capacities and for various reasons. With so many cloud products replacing traditional in-house (on-premises) infrastructure, it is easy to overlook specific aspects of a cloud environment because attention is focused on the performance of the public-facing service. Whilst the transition from on-premises servers to the cloud can save money on infrastructure, headcount and maintenance, the complex implementation and ongoing management open new avenues for attackers to exploit configuration mistakes.
A common misconception is that moving from in-house infrastructure to the cloud will automatically give an organisation significantly better data security. Although this is largely correct, businesses tend to rush into adopting the cloud as their primary storage service to enable faster DevOps, save maintenance costs or scale the business. In a cloud environment, each server can reach other servers and services using its own digital identity to execute actions and keep services running uninterrupted. Ultimately, this is the weak point of cloud security: improperly managed permissions and identities open doorways for attackers to enter.
Throughout Cybra Security's experience of testing cloud environments, we have been able to replicate the actions of an attacker. Acting as a malicious third party enabled us to steal the identity of servers and directly start to employ server-side request forgery, taking advantage of the APIs involved. From here, we have been able to execute new services, install backdoors, and amend and elevate our permissions to extract confidential information. These acts can all go undetected by software, MSPs and in-house resources, making it extremely hard to eliminate and mitigate the potential ongoing damage. Unfortunately, the actions we listed above are only a handful of the potential malicious attacks that cloud environments are susceptible to.
Past Events:
In 2019, we all heard of the infamous Capital One breach, caused by a vulnerability in the configuration of a cloud firewall. Capital One announced that between March 22 and 23, 2019, a malicious attacker gained unauthorised access by exploiting a firewall misconfiguration, which enabled them to send permitted commands to reach the impacted server. After exploiting this vulnerability, the hacker executed a series of commands across the bank's servers, stealing the identity and credentials of an administrator account. These actions allowed the hacker to access Capital One's data stored on its AWS servers.
The Imperva breach is another clear example of the importance of securely configuring cloud environments. In late 2018, Imperva suffered a data breach that affected customers of its Cloud Web Application Firewall (WAF). The breach occurred only because of errors made during a migration to a cloud-based database service. According to Imperva's Chief Technology Officer at the time, Kunal Anand, Imperva was in the process of migrating its data to the AWS Relational Database Service (RDS) in 2017. Many mistakes were made during this transition, which allowed an unauthorised party to steal an administrative API key for the Cloud WAF. These critical mistakes resulted in the hacker obtaining a database snapshot containing emails and hashed passwords.
Both Capital One and Imperva were breached by attackers exploiting misconfigured servers that lacked the appropriate security settings. This is why penetration testing or a cloud configuration review can be essential to keeping unwanted and unauthorised actors out. A cloud security review is considered a best-practice approach to understanding and securing web-based dashboards and APIs whilst deep-diving into the back end of cloud environments. Cloud security reviews are undertaken using a white-box approach, where we are given temporary permissions to your cloud resources, providing the auditors/reviewers with the appropriate access to view and read the configuration of your cloud environment settings.
The following areas should always be included when conducting a cloud security review:
- Mapping the attack surface
- Identity and access management
- User authentication and MFA
- Role-based access control for standard and privileged users
- Monitoring, logging and auditing capabilities
- Review of cloud and web service policies
- Review of the management and configuration of storage services
- Backups, redundancy and disaster recovery
- Comparison of the environment against industry best practices
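To make the "review of cloud and web service policies" and "role-based access control" items concrete, here is an added example written for this article (it is not Cybra Security's tooling and not code from the original page). It assumes AWS IAM policy documents in their standard JSON form and checks each Allow statement for the permission mistakes a configuration review looks for: wildcard actions, wildcard resources, and identity-management actions that let a principal grant itself more access. The three sample policies and the watch list of privilege-changing actions are constructed for illustration; the action names themselves are standard IAM actions.

```python
"""Offline review of AWS IAM policy documents for the permission mistakes a
cloud configuration review looks for: wildcard actions, wildcard resources,
and actions that let a principal change who is allowed to do what.

Added example written for this article, not Cybra Security's tooling.
The sample policies below are constructed for illustration."""
import json
from fnmatch import fnmatchcase

# Actions that change identities or permissions.  A constructed watch list
# for the review, not a complete catalogue of sensitive IAM actions.
PRIVILEGE_ACTIONS = (
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreateAccessKey",
    "iam:PassRole", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
)

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2}


def _as_list(value):
    """IAM accepts either a single string or a list for these fields."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def review_policy(policy_json):
    """Return findings as (severity, statement_index, message) tuples."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        unconditional = "Condition" not in stmt

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((
                "high", idx,
                "Allow combined with NotAction/NotResource grants everything not listed"))
        if "*" in actions and "*" in resources:
            findings.append((
                "critical", idx,
                "Allows every action on every resource (administrator-equivalent)"))
        for action in actions:
            if action == "*":
                continue
            if action.endswith(":*"):
                findings.append(("high", idx, f"Service-wide wildcard action {action}"))
            # Expand patterns such as iam:Put* against the watch list
            hits = sorted(a for a in PRIVILEGE_ACTIONS if fnmatchcase(a, action))
            if hits and "*" in resources and unconditional:
                findings.append((
                    "high", idx,
                    f"{action} covers privilege-changing actions "
                    f"{', '.join(hits)} on all resources with no Condition"))
        if "*" in resources and unconditional and "*" not in actions:
            findings.append((
                "medium", idx,
                'Resource "*" with no Condition; scope to specific ARNs'))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean policy."""
    if not findings:
        return "none"
    return max((f[0] for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample policies: an admin-equivalent grant, a grant that lets
# the holder rewrite IAM policies, and a properly scoped read-only grant.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
ESCALATION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "iam:Put*"],
                   "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}],
})

if __name__ == "__main__":
    samples = [("admin", ADMIN_POLICY), ("escalation", ESCALATION_POLICY),
               ("scoped", SCOPED_POLICY)]
    for name, doc in samples:
        findings = review_policy(doc)
        print(f"{name}: {worst_severity(findings)}")
        for severity, idx, message in findings:
            print(f"  [{severity}] statement {idx}: {message}")
```

Run it as a script to see the findings for the three sample policies; in a real review the same function would be applied to every policy exported from the account, and each finding becomes an item to confirm with the stakeholders (is the wildcard intentional, is there a Condition elsewhere that narrows it) before it goes into the report.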
Cloud application vulnerabilities:
Generally, these activities require stakeholder engagement through interviews, documentation and design review, information-gathering scripts and penetration testing. While platforms such as AWS, Azure and GCP have a higher degree of available testing methodologies, benchmarks and security checklists, we can also perform this type of review against any internet-hosted platform.
Data breaches like Capital One and Imperva (discussed above) highlight that security misconfiguration in the cloud is the prime cause of companies' cloud services being compromised and exploited, ultimately resulting in a severe data breach. For an organisation looking to undertake ISO 27001 or IRAP certification, implementing annual cloud security reviews can be just as important as performing a penetration test across the entire environment or testing specific elements.
With more cyber security regulations and recommendations being placed upon organisations by the Australian government, it is becoming increasingly essential to include cloud penetration testing and security reviews by qualified professionals in any security program. Every business should ask itself the number one question: if attackers gain access to the organisation's environment, what can they access, and how much damage can they cause?