BreachExchange mailing list archives

Emerging cloud threats and how to address them


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Sep 2014 19:25:20 -0600

http://www.net-security.org/article.php?id=2126

As organizations deploy and harness private, community and hybrid clouds,
they encounter new types of threats, along with the old ones they've been
battling for years. Many of these threats come from sharing physical,
virtual, and software infrastructure with other clients of varying security
postures, and relying on a cloud provider to implement the right security
measures. Public and community clouds can be appealing targets for hackers
looking to disrupt or steal information from scores of organizations with
one successful strike.

Here are some emerging security threats and issues cloud providers and
their clients should be aware of.

Isolation breakout

Most public and community cloud environments employ a multi-tenant
architecture in which a customer owns one or more virtual machines (VM) on
physical servers shared with scores or hundreds of other customers on other
VMs. Effective tenant isolation is critical in such environments, as
without it one tenant could potentially disrupt or get access to another's
applications and sensitive data.

Isolation breakout (also sometimes called guest breakout or hypervisor
breakout) occurs when hackers gain access to the root virtualization
operating system, memory, other guest virtual machines and storage located
on the same physical server. Once they have access, they can inject
malicious code or steal sensitive client data either stored in the cloud or
accessed by an application running in the cloud.

A number of techniques for isolation breakout have been discovered over the
past few years, including exploiting vulnerabilities in hypervisor drivers,
hardware emulation layers, APIs, and hypervisor hard disk handling. It's
not necessary to attack the core hypervisor directly. Up-to-date security
patching is an essential requirement for addressing this issue as hackers
have clever techniques for analyzing interactions between virtual machines
and the hypervisor to determine and exploit the latter's patch level. One
of the challenges faced by legacy security solution vendors is to map
existing security components such as firewalls and intrusion prevention to
new cloud architectures.

Cloud access key leakage

One of the most popular uses of Infrastructure as a Service (IaaS) and
Platform as a Service (PaaS) is for software development, testing and
deployment. Clients often get access to their IaaS and PaaS accounts
through access keys and often write these keys into their application code.
If anyone gets hold of the access key, he or she has the information
needed to access the corresponding cloud accounts.

That's why code sharing sites such as GitHub can be juicy targets for
hackers looking to gain access to cloud service accounts for DoS attacks
and data theft and destruction.
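The key-in-source-code problem above is one a repository can check for before a commit leaves the developer's machine. The scanner below is an added example, not code from the article or from any project it mentions: it looks for the documented AWS access key ID format (AKIA followed by 16 upper-case alphanumerics) and for a generic "secret = '...'" assignment pattern, which is a heuristic of this example. The sample source file is constructed, and its key values are the placeholder keys AWS uses in its own documentation, not real credentials.

```python
import re
import sys
from typing import List, Tuple

# Patterns for credential material that should never be committed.
# The AWS access key ID format (AKIA + 16 upper-case alphanumerics) is
# the documented one; the assignment pattern is a generic heuristic and
# an assumption of this example, not a rule from the article.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "secret_assignment": re.compile(
        r"(?i)(?:secret|api[_-]?key|access[_-]?key)\s*[:=]\s*['\"]([A-Za-z0-9/+=]{20,})['\"]"
    ),
}

# Constructed sample source file; the key values are the placeholder
# examples AWS uses in its documentation, not real credentials.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", region_name="us-east-1")
"""


def redact(secret: str) -> str:
    """Keep only the ends so a finding can be reported without re-leaking it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, redacted_value) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(1))))
    return findings


def scan_files(paths: List[str]) -> bool:
    """Scan each file; return True when the commit should be blocked."""
    blocked = False
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, name, value in scan_text(fh.read()):
                print(f"{path}:{lineno}: {name} {value}")
                blocked = True
    return blocked


if __name__ == "__main__":
    # Usage as a git pre-commit hook: pass the staged file names as arguments.
    files = sys.argv[1:]
    if files:
        sys.exit(1 if scan_files(files) else 0)
    # With no arguments, demonstrate on the constructed sample.
    for finding in scan_text(SAMPLE_SOURCE):
        print(finding)
```

The scanner reports only the first and last four characters of a hit, so the hook's own output does not become a second copy of the secret in CI logs. A clean version of the sample would read the key from the environment or an instance role instead of a literal, and that line produces no finding.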

Access keys can also be stolen via social engineering tactics hackers use
to gain access to systems containing source code. In one case, a developer
was steered to a malicious Web site that used a Java exploit to get access
to the developer's workstation, which contained access keys to a FreeBSD
source code repository. The attacker was able to inject a malicious script
allowing him to harness all systems running that code to craft a botnet.

Zero day vulnerabilities

Cloud services are subject to the same types of zero-day vulnerabilities as
legacy datacenters and user systems, including those in commonly used
services such as RDP, IIS, SSH, and FTP. Heartbleed is a recent example of
a vulnerability in OpenSSL that left hundreds of private and public cloud
environments susceptible to attack, according to a Cloud Security Alliance
blog, even days after it was publicized.

Another example is Windows cloud images vulnerable to RDP and other Windows
exploits. A few years ago, it was found that Rackspace and AWS were
vulnerable to RDP exploits by default. Many cloud users assume that cloud
providers are providing VMs with a reasonably secure set of default
firewall rules, but that's not always the case.
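Because default firewall rules cannot be assumed safe, the rules a cloud account actually has should be audited rather than trusted. The script below is an added example, not the article's or any provider's code: it walks a list of inbound rules in a generic security-group shape (protocol, port range, source CIDR, a structure assumed for the example rather than any real provider's API response) and reports the remote-administration ports the article names when they are open to the whole Internet, then produces a narrowed copy. The rule set is constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

Rule = Dict[str, object]

# Constructed inbound rules in the shape of a cloud security group
# (protocol, port range, source CIDR); not a real provider's API output.
SAMPLE_RULES: List[Rule] = [
    {"proto": "tcp", "from_port": 22,   "to_port": 22,    "cidr": "203.0.113.0/24"},
    {"proto": "tcp", "from_port": 3389, "to_port": 3389,  "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 443,  "to_port": 443,   "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 0,    "to_port": 65535, "cidr": "::/0"},
]

# Remote-administration services named in the article; none of them should
# be reachable from the whole Internet.
ADMIN_PORTS = {21: "FTP", 22: "SSH", 3389: "RDP"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, the 'anywhere' sources."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(rules: List[Rule]) -> List[Tuple[str, int, str]]:
    """Return (service, port, cidr) for every admin port open to the world.
    A wide port range (e.g. 0-65535) is expanded to each admin port it covers."""
    findings = []
    for rule in rules:
        if rule["proto"] != "tcp" or not is_world_open(rule["cidr"]):
            continue
        for port, service in sorted(ADMIN_PORTS.items()):
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append((service, port, rule["cidr"]))
    return findings


def restrict_admin_rules(rules: List[Rule], admin_cidr: str) -> List[Rule]:
    """Return a copy where every world-open rule touching an admin port is
    narrowed to admin_cidr (for instance a VPN or bastion range)."""
    hardened = []
    for rule in rules:
        new_rule = dict(rule)
        touches_admin = any(rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS)
        if rule["proto"] == "tcp" and is_world_open(rule["cidr"]) and touches_admin:
            new_rule["cidr"] = admin_cidr
        hardened.append(new_rule)
    return hardened


if __name__ == "__main__":
    for service, port, cidr in exposed_admin_ports(SAMPLE_RULES):
        print(f"{service} (tcp/{port}) open to {cidr}")
    fixed = restrict_admin_rules(SAMPLE_RULES, "203.0.113.0/24")
    print("after hardening:", exposed_admin_ports(fixed))
```

The last constructed rule (all TCP ports from ::/0) is the case that matters most: a single "allow all" rule hides every admin port at once, which is why the audit expands port ranges instead of matching exact ports. In a real account the narrowed rule for such a range should be split so that public services like HTTPS keep their wide source while administration is confined to the admin range.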

DevOps

After development projects are complete, many of the systems used for
development and testing sit unpatched, unmaintained, and unmonitored,
making them prime targets for hackers. Many have been deployed to cloud
environments. When these systems are compromised, hackers tend to cover up
their tracks by removing all log file evidence of the attack. One solution,
aside from maintaining, monitoring, and patching development and test
systems over their entire lifetime, is to deploy central storage of all
system log files for forensics purposes.
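Central log storage defeats the log-wiping described above only if the central copy itself stays trustworthy. The class below is an added example, not code from the article or from any product: each shipped record carries the SHA-256 of its predecessor, so a record removed or altered in the middle of the stored chain breaks every later link, and a small anchor (record count plus last digest) kept off the log host catches the one thing the chain alone cannot, records cut off the end. The host names and log lines are constructed.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64

# Constructed (host, line) pairs as a forwarding agent on a build box would
# ship them; the content is made up for the example.
SAMPLE_LINES = [
    ("build-03", "sshd[812]: Accepted publickey for deploy from 203.0.113.9 port 40112 ssh2"),
    ("build-03", "sudo: deploy : TTY=pts/0 ; COMMAND=/usr/sbin/useradd -m svc-backup"),
    ("build-03", "sudo: deploy : TTY=pts/0 ; COMMAND=/bin/rm -f /var/log/auth.log"),
]


def _digest(body: Dict[str, object]) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CentralLogStore:
    """Append-only store where each record carries the hash of its predecessor."""

    def __init__(self) -> None:
        self.records: List[Dict[str, object]] = []

    def append(self, host: str, line: str) -> Dict[str, object]:
        prev = self.records[-1]["digest"] if self.records else GENESIS
        body = {"seq": len(self.records), "host": host, "line": line, "prev": prev}
        record = dict(body, digest=_digest(body))
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent record, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: rec[k] for k in ("seq", "host", "line", "prev")}
            if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["digest"]:
                return i
            prev = rec["digest"]
        return None

    def anchor(self) -> Tuple[int, str]:
        """Snapshot (count, last digest) to keep somewhere the log host cannot
        write to; the chain alone does not notice records trimmed off the end."""
        last = self.records[-1]["digest"] if self.records else GENESIS
        return len(self.records), last

    def matches_anchor(self, anchor: Tuple[int, str]) -> bool:
        """True if every record present at anchor time is still present."""
        count, last = anchor
        if len(self.records) < count:
            return False
        return count == 0 or self.records[count - 1]["digest"] == last


def build_store() -> CentralLogStore:
    """Ship the constructed sample lines into a fresh store."""
    store = CentralLogStore()
    for host, line in SAMPLE_LINES:
        store.append(host, line)
    return store


if __name__ == "__main__":
    store = build_store()
    snapshot = store.anchor()
    del store.records[1]            # a record removed from the middle
    print("first broken record:", store.verify())
    store = build_store()
    store.records.pop()             # the newest record trimmed off
    print("chain verifies:", store.verify() is None, "anchor ok:", store.matches_anchor(snapshot))
```

Deleting the local auth log on the compromised box (the third constructed line) changes nothing here, because the copy was already shipped; the chain and the periodic anchor protect the central copy itself. Anchors can be as simple as writing the (count, digest) pair to a separate, write-once location on a schedule.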

Auditing gaps

Organizations hire reputable third-party auditors to analyze their
infrastructure for vulnerabilities, but auditors rarely (if ever) audit a
cloud service's customers or its software for badly written code that could
potentially expose them to attack.

Agent-based malware protection

Many cloud environments rely on antimalware and other security agents
installed on each individual VM for malware detection and eradication.
Unfortunately, skilled hackers can detect, subvert, and disable these
agents, rendering them useless or worse, harmful. One of the earliest
examples of malware with this capability was the Conficker worm. A better
solution in a cloud environment is hypervisor level security.

Tips

Aside from standard cloud best practices there are other measures that
cloud providers should consider taking to address cloud vulnerabilities and
attacks.

- Deploy a honeypot, which is a digital trap set to attract and detect
unauthorized use of information systems. The honeypot appears to the hacker
to be an active member of the network with important information, but in
reality it's isolated from the rest of the network and monitored on an
ongoing basis. Honeypots can be used to attract and analyze attackers and
their methods in order to protect the network more successfully. In some
cases they imitate the actual production systems to see what services
attackers are targeting.
- An auditor should have in-depth knowledge of all elements of your
architecture, infrastructure and the technologies you use so they can run
white box testing with enough preexisting knowledge to exploit all your
vulnerabilities. Many organizations prefer black box testing, in which the
auditor has to use hacking techniques to acquire this information in order
to penetrate the client network. White box testing is likely to find more
vulnerabilities than the black box method, however.
- Another option is to hire a skilled ethical hacker to try to penetrate
your cloud infrastructure.
- Cloud providers should provide central, hypervisor-level security to
avoid the exploitation of potentially vulnerable security agents installed
by clients on hundreds of virtual machines. Centralized security can help
protect instances running many different operating systems with different
patch levels and with minimal impact on the applications they run. Anomaly
based security solutions have become an essential component of an effective
security infrastructure as solutions based primarily on signatures and
related techniques prove less and less effective against increasing numbers
of more sophisticated zero-day attacks. Solutions exist that can analyze
mountains of system and security log data to alert users of anomalies that
are likely to indicate an attack.
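The anomaly-based approach in the last tip can be shown on a small scale over ordinary authentication logs. The code below is an added example, not the article's and not any vendor's product: it counts failed SSH logins per source address over constructed syslog-style lines and scores each source with the modified z-score (median and median absolute deviation), a robust statistic that a single heavy hitter cannot drag upward the way it drags a mean and standard deviation. The log lines, addresses and volumes are constructed; the 3.5 cut-off is the conventional one for this statistic and is an assumption here.

```python
import re
import statistics
from collections import Counter
from typing import Dict, Iterable, List

FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sshd-style syslog lines; addresses come from the documentation
# ranges and the volumes are made up for the example.
LINE = "Sep 16 19:25:20 web-01 sshd[4410]: Failed password for {user} from {ip} port 51122 ssh2"
SAMPLE_LOG: List[str] = (
    ["Sep 16 19:20:01 web-01 sshd[4401]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2"]
    + [LINE.format(user="alice", ip="198.51.100.7")] * 2
    + [LINE.format(user="bob", ip="198.51.100.8")] * 3
    + [LINE.format(user="invalid user carol", ip="192.0.2.9")] * 1
    + [LINE.format(user="root", ip="203.0.113.5")] * 40
)


def failed_logins_by_source(lines: Iterable[str]) -> Counter:
    """Count failed-password events per source address; other lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def modified_z_scores(counts: Dict[str, int]) -> Dict[str, float]:
    """Modified z-score 0.6745 * (x - median) / MAD per source. With fewer
    than three sources there is no population to compare against, so
    every score is 0; if MAD is 0 the mean absolute deviation is used."""
    values = list(counts.values())
    if len(values) < 3:
        return {k: 0.0 for k in counts}
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad > 0:
        return {k: 0.6745 * (v - med) / mad for k, v in counts.items()}
    mean_ad = statistics.mean(abs(v - med) for v in values)
    if mean_ad == 0:
        return {k: 0.0 for k in counts}
    return {k: 0.7979 * (v - med) / mean_ad for k, v in counts.items()}


def flag_sources(lines: Iterable[str], threshold: float = 3.5) -> Dict[str, float]:
    """Return {source: score} for sources whose failed-login volume is anomalous."""
    scores = modified_z_scores(failed_logins_by_source(lines))
    return {ip: round(score, 2) for ip, score in scores.items() if score > threshold}


if __name__ == "__main__":
    for ip, score in flag_sources(SAMPLE_LOG).items():
        print(f"anomalous failed-login volume from {ip} (modified z = {score})")
```

The same scoring works per user, per destination host or per hour rather than per source address; the point is that no signature for the attacker's tool is needed, only a baseline of what the rest of the population looks like. In production the baseline would be computed over a sliding window rather than a single batch.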

Of course, continuing education can help prevent developers from posting
access keys to GitHub or falling victim to social engineering exploits.

As with most security, cloud security is a moving target that promises to
evolve rapidly as the cloud matures. Organizations running or harnessing
the cloud have to keep up to date with the latest threats and attack
vectors if they don't want to become easy targets.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/