Thursday, July 14, 2011

Top 7 threats to cloud computing

1 Abuse and nefarious use of cloud computing (IaaS, PaaS) -
The ease of registering for IaaS solutions and the relative anonymity they offer attract many a cyber criminal. IaaS offerings have been known to host botnets and/or their command and control centers, downloads for exploits, Trojans, etc. There is a myriad of ways in which in-the-cloud capabilities can be misused - possible future uses include launching dynamic attack points, CAPTCHA solving farms, password and key cracking and more.
Remediation - 
-Stricter initial registration and validation processes.
-Enhanced credit card fraud monitoring and coordination.
-Comprehensive introspection of customer network traffic.
- Monitoring public blacklists for one’s own network blocks
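
The last remediation item above can be automated by comparing a downloaded blocklist feed against the provider's own address ranges. The following is an added example, not part of the original post; the feed format (one IP or CIDR per line, `#` or `;` starting a comment), the function names and the sample data are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

def parse_feed(text):
    """Yield networks from a feed with one IP or CIDR per line.
    Assumed format: '#' or ';' starts a comment; malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts entries that have host bits set
            yield ipaddress.ip_network(line.split()[0], strict=False)
        except ValueError:
            continue

def find_listings(own_blocks, feed_text):
    """Return (listed_entry, own_block) pairs where a feed entry overlaps
    one of our blocks: a listed host inside the block, or a wider listing
    that covers the whole block."""
    own = [ipaddress.ip_network(b) for b in own_blocks]
    hits = []
    for entry in parse_feed(feed_text):
        for block in own:
            if entry.version == block.version and entry.overlaps(block):
                hits.append((str(entry), str(block)))
    return hits

# Constructed sample data (documentation address ranges only).
OWN_BLOCKS = ["198.51.100.0/25", "2001:db8:1000::/36"]
SAMPLE_FEED = """\
# constructed sample feed
192.0.2.15
198.51.100.77      ; single host inside our /25
198.51.100.0/24    # wider listing that covers our /25
198.51.100.200
not-an-address
2001:db8:1000:42::/64
2001:db8:2000::/36
"""

if __name__ == "__main__":
    for entry, block in find_listings(OWN_BLOCKS, SAMPLE_FEED):
        print(f"ALERT: {entry} is listed and overlaps our block {block}")
```
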

2 Insecure interfaces and APIs (IaaS, PaaS, SaaS) -
As software interfaces or APIs are what customers use to interact with cloud services, those must have extremely secure authentication, access control, encryption and activity monitoring mechanisms - especially when third parties start to build on them.
Remediation-
-Analyze the security model of cloud provider interfaces.
- Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
- Understand the dependency chain associated with the API.

3 Malicious insiders (IaaS, PaaS, SaaS) -
The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance.
Remediation-
-Enforce strict supply chain management and conduct a comprehensive supplier assessment.
-Specify human resource requirements as part of legal contracts.
-Require transparency into overall information security and management practices, as well as compliance reporting.
-Determine security breach notification processes.

4 Shared technology issues (IaaS)-
Sharing infrastructure is a way of life for IaaS providers. Unfortunately, the components on which this infrastructure is based were not designed for that. To ensure that customers don't tread on each other's "territory", monitoring and strong compartmentalization are required, not to mention scanning for and patching of vulnerabilities that might jeopardize this coexistence.
Remediation -
-Implement security best practices for installation/configuration.
-Monitor environment for unauthorized changes/activity.
-Promote strong authentication and access control for administrative access and operations.
-Enforce service-level agreements for patching and vulnerability remediation.
-Conduct vulnerability scanning and configuration audits.

5 Data loss or leakage (IaaS, PaaS, SaaS) -
There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media. Loss of an encoding key may result in effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data. The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
Remediation - 
-Implement strong API access control.
-Encrypt and protect integrity of data in transit.
-Analyze data protection at both design and run time.
-Implement strong key generation, storage and management, and destruction practices.
-Contractually demand providers wipe persistent media before it is released into the pool.
-Contractually specify provider backup and retention strategies.

6 Account or service hijacking (IaaS, PaaS, SaaS) -
Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks.
Remediation - 
-Prohibit the sharing of account credentials between users and services.
-Leverage strong two-factor authentication techniques where possible.
-Employ proactive monitoring to detect unauthorized activity.
-Understand cloud provider security policies and SLAs.

7 Unknown risk profile (IaaS, PaaS, SaaS) -
One of the tenets of Cloud Computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business strengths. This has clear financial and operational benefits, which must be weighed carefully against the contradictory security concerns — complicated by the fact that cloud deployments are driven by anticipated benefits, by groups who may lose track of the security ramifications. Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design are all important factors for estimating your company’s security posture. Information about who is sharing your infrastructure may be pertinent, in addition to network intrusion logs, redirection attempts and/or successes, and other logs. Security by obscurity may be low effort, but it can result in unknown exposures. It may also impair the in-depth analysis required for highly controlled or regulated operational areas.
Remediation -
-Disclosure of applicable logs and data.
-Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
-Monitoring and alerting on necessary information.
