CLOUD COMPUTING SECURITY – PENTESTING THE CLOUD Diogenes S. De Jesus CEH, Security+
CLOUD COMPUTING SECURITY – PENTESTING THE CLOUD
Diogenes S. De Jesus, CEH, Security+
AGENDA
• Cloud Computing Intro
• Pentesting the Cloud
• Advice
• Q&A
CLOUD CHARACTERISTICS
• On-demand self-service
• Broad network access
• Resource pooling (multi-tenant model)
• Rapid elasticity
• Measured Service
NIST - National Institute of Standards and Technology
SERVICE MODELS
• Cloud Software as a Service (SaaS)
• Cloud Platform as a Service (PaaS)
• Cloud Infrastructure as a Service (IaaS)
NIST - National Institute of Standards and Technology
WHAT DOES SECURITY SEE IN ALL THIS?
Cloud computing will move slices of organizational data outside the company’s perimeter – out of the company’s control.
SECURITY CONTROL IN THE CLOUD
[Diagram: split of security control between the Customer and the CSP across the IaaS, PaaS and SaaS service models]
TYPICAL NETWORK PENTEST
Reconnaissance
Vulnerability Mapping
Exploitation
IAAS: AMAZON
AWS Vulnerability / Penetration Testing Request Form
IAAS: AMAZON
(Source)
DoS
IAAS: SPECIFICS
• TOS explicitly excludes some tests we would normally do
• The tests are more analytical and less ./execute
• Some CSPs exclude some tests, others may not
• Tests tend to be more customized to meet CSP demands
PAAS: WINDOWS AZURE
Cloud OS as a Service (OSaaS)
Source: MSDN
PAAS: SPECIFICS
• Check the contract and TOS for specific backend tests
• Testing one platform doesn’t necessarily give you the right to test other APIs
  • Windows platform and SQL backend
• Frontend and backend are different infrastructures for the CSP
  • Particularly bad for WebApp vulnerability assessment
SAAS: PENTEST?
• Most likely no test
• Availability depends on CSP
ADVICE
ADVICE
[Diagram: numbered payment flow (steps 1–5) between Customer, eShop, Payment Gateway, Merchant and Issuing Bank]
ADVICE
[Diagram: the same numbered payment flow (steps 1–5), now between Customer, Payment Gateway, Cloud Provider and Issuing Bank]
ADVICE
1) Am I allowed to run tests through third parties?
2) What are the tests I can run on the CSP?
3) How flexible is the customization of contracts?
ADVICE
4) Where is your cloud placed, where is our data physically stored? Compliance with regional laws;
5) Can the data be exported to another CSP? Risk of Vendor / Data Lock-In;
6) Virtualization through instance-level isolation? Data leakage; Application conflicts;
ADVICE
Some other questions the Cloud Provider should be asked:
7. Is there a DoS mitigation system in place?
8. What about packet sniffing by other tenants?
9. Is your cloud designed to be a disaster-tolerant solution?
10. How is your backup made? How long does a full system restore take?
11. Do you have a security policy and related standards?
12. When was the last time you tested your BCP and DRP?
13. How quickly can you increase the performance of your cloud? How quickly do we get the required resources?
14. How many security incidents have you had in the past, and of which kind?
15. What's your downtime per year?
WRAP UP
• The cloud is a reality and pentesting isn’t much different
• Pentest / vuln. assessment will still exist to meet compliance requirements
• Specifics to cloud
  • Work with the CSP: a good SLA will help with doing good tests
  • Multi-tenant model brings its own limitations and risks to the CSP
  • Attacks must be carried out carefully to mitigate impact issues
  • Watch out for compartmentalized architectures (PaaS)
  • SaaS limitation
• Future
  • Separation of duties – third-party testers
Q&A
?