14.1 - Cloud Computing


 

Key Terms: 

    • Content security policy (CSP) - A trusted entity that gives subscribers tokens and electronic credentials. 
    • Domain name system security extensions (DNSSEC) - A network control. 
    • Triple data encryption standard (3DES) - A symmetric-key block cipher. 
    • Structured query language (SQL) - A standard computing language used with relational database management/manipulation. 
    • Cloud access security broker (CASB) - CASB is software that sits between cloud service users and cloud applications to monitor all activity and enforce security policies.
    • Infrastructure as a service (IaaS) - IaaS is a cloud computing service model that delivers infrastructure to the client. 
    • Platform as a service (PaaS) - PaaS is a cloud computing service model that delivers everything a developer needs to build an application. 
    • Software as a service (SaaS) - SaaS is a cloud computing service model that delivers software applications to the client. 
    • Quality of service (QoS) - QoS is a network control.
    • Service-level agreement (SLA) - SLA is an agreement between a service provider and a client, like a contract. 
    • System development life cycle (SDLC) - SDLC is an application layer control. 
    • Data loss prevention (DLP) - DLP is an information control.
    • Content management framework (CMF) - CMF is an information control.
    • Information security management program (ISMP) - ISMP is a program that protects information from being deleted, modified or stolen. 
    • Governance risk compliance (GRC) - Management control 
    • Identity and access management (IAM) - Management control 
    • Virtual appliance/virtual machine (VA/VM) - Management control 
    • Network intrusion detection system/network intrusion protection system (NIDS/NIPS) - Network control 
    • Open authorisation (OAuth) - Network control 
    • Root of trust (RoT) - Security control 
    • Host-based intrusion detection system/host-based intrusion protection system (HIDS/HIPS) - HIDS/HIPS is a computation and storage control. 
    • LoadStorm - LoadStorm is a cloud load testing solution to find the scalability of web or mobile applications. 
    • BlazeMeter - BlazeMeter is a continuous testing solution to help with the early stages of app development. 
    • JMeter - JMeter is an Apache project used as a load testing tool for analyzing and measuring the performance of a variety of services, especially web applications. 
    • Nexpose - Nexpose is a vulnerability scanner that strives to support the entire vulnerability management lifecycle. It integrates with Rapid7's Metasploit for vulnerability exploitation. 

 

Threats 

In a regular system, data transmissions are secured behind ACLs, encryption, firewalls, etc. With a cloud-based system, all that data is transmitted over the internet to a third-party server. The cloud provider must be able to secure your data to prevent breaches and loss. Cloud providers may claim that their services are secure; however, breaches and hacking incidents have occurred on various cloud services before.

 

Data Loss 

Large-scale data loss is not very common with reliable cloud providers; however, small-scale data loss is common. An incident may occur where data is wiped by accident, through either human or machine error. To mitigate this issue, make sure backups are made frequently.

 

Account and Service Traffic Hijacking 

Hackers may be able to intercept network packets to steal data. They may also be able to use social engineering to gain access to a cloud server. Make sure you are educated in social engineering techniques like phishing and use encrypted protocols wherever possible to mitigate the threat of a MITM attack. 

 

Unsecure APIs 

Sometimes, a cloud provider may use an API to allow third-party developers to implement applications in the cloud. An unsecure API may allow a hacker access to the cloud server and enable them to dig through information and perform malicious acts. When choosing a cloud provider, make sure you enquire about the interface security model, authentication and data encryption.

 

Denial of Service 

Although uncommon, a DoS attack is possible on a cloud-based server. Due to the number of people using a cloud server, the attack may even be more detrimental than a regular DoS attack.

 

Malicious Insider 

A malicious insider is someone who had or still has access to a cloud server and wants to perform malicious acts. Most often, malicious insiders compromise data in exchange for money. A strict supply chain management policy should be used to limit employee access. Also, HR requirements should be written into legal contracts to act as a deterrent towards malicious insiders.

 

Poor Security 

Poor cloud security by the provider can lead to security breaches, data attacks and encryption modification. It’s important to investigate the provider’s security policies before signing a contract with them. 

 

Multi-Tenancy Environments 

Multi-tenancy environments mean that two or more clients share the same hardware on the same cloud server. This theoretically makes data leakage more common inside these environments. To combat this, end-to-end protection should be established. 

 

Natural Disasters 

Although uncommon, natural disasters can wipe out cloud infrastructure, leading to data loss and downtime. If a business is very reliant on cloud services, natural disasters can be catastrophic to its productivity, reputation and financial standing. Make sure you know where the cloud server is located and verify that the cloud service provider is backing up your data in another location.

 

Hardware Failure 

Hardware failure such as hard disk malfunction can cause data to become inaccessible. Make sure that a physical security program is in place at the cloud servers and that the hardware is checked regularly either by software or humans. 

 

Social Engineering 

By using social engineering techniques like phishing or pharming, a hacker can steal credentials from a legitimate user to log in to their cloud infrastructure, usually to perform malicious acts.

 

Network Sniffing 

Hackers can use packet sniffers to steal packet information like passwords, emails, and usernames. They can use these credentials to log in to cloud servers and perform malicious acts.

 

XSS 

A cross-site scripting attack can be used to steal the cookies used by the user authentication process. The hacker inserts malicious code into the website and collects cookies, which are used to exploit active computer sessions.

 

Session Riding 

This attack occurs when a hacker tricks a user into logging in to a malicious website. These login credentials are logged and used by the hacker to gain access to the cloud server.

 

DNS Poisoning 

This attack is when the hacker poisons the DNS server, sending the user to an illegitimate website where their credentials can be stored.

 

Cybersquatting 

This is when a hacker hosts a fake website on a domain which is almost the same as the cloud service provider. An example could be: 

Cloudservice.com - Real 

Cloudservices.com - Fake 
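One way to flag look-alike domains such as the pair above when they turn up in proxy or DNS logs, as an added example that is not part of the original notes. The function names, the digit-to-letter table and the sample domain list are constructed for illustration, and the example also covers digit swaps and the real name used as a prefix of another domain.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

# Assumed (constructed) digit-for-letter swaps; extend for your own brand names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def canonical(domain: str) -> str:
    """Lower-case, drop a trailing dot, and fold look-alike digits to letters."""
    return domain.strip().rstrip(".").lower().translate(CONFUSABLES)

def classify(candidate: str, legitimate: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a domain seen in logs."""
    cand = candidate.strip().rstrip(".").lower()
    legit = legitimate.strip().rstrip(".").lower()
    if cand == legit or cand.endswith("." + legit):
        return "legitimate"          # the real domain or one of its subdomains
    if cand.startswith(legit + "."):
        return "lookalike"           # real name used as a prefix of another domain
    if edit_distance(canonical(cand), canonical(legit)) <= max_distance:
        return "lookalike"           # typo, added letter, or digit swap
    return "unrelated"

# Constructed sample: domains as they might appear in proxy or DNS logs.
SEEN = ["Cloudservice.com", "Cloudservices.com", "cl0udservice.com",
        "portal.cloudservice.com", "cloudservice.com.login.example", "example.org"]

def report(legitimate: str = "cloudservice.com") -> dict:
    """Classify every constructed sample domain against the real one."""
    return {d: classify(d, legitimate) for d in SEEN}
```

A distance threshold of 2 suits names of this length; for very short domains it will flag unrelated names, so lower it or review hits by hand.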

 

Side Channel VM Breach 

This is when a hacker runs a virtual machine on the user’s physical host machine to access physical resources like the cache. 

 

Cryptanalysis 

All data stored in the cloud should be encrypted. If the encryption is weak, a hacker may be able to use cryptanalysis to decipher the data and steal it in plain text form. 

 

Wrapping Attack 

When a user sends a request over the internet, the web server creates a SOAP message containing the structural information. The hacker intercepts this SOAP message and copies the body and the XML signature; they can then insert malicious code into the body of the legitimate message. The duplicated copy is sent to the cloud server.
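A receiver-side structural check that catches this kind of message, as an added example that is not part of the original notes. The namespace URIs are the standard SOAP 1.1, XML-DSig and WS-Security utility ones; the function name and both sample messages are constructed and simplified, and the check complements cryptographic signature verification rather than replacing it.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def wrapping_problems(xml_text: str) -> list:
    """Return reasons to reject the message; an empty list means the layout is sane.

    Structural check only: the signature value itself must still be verified
    by an XML-DSig library before the message is trusted.
    """
    env = ET.fromstring(xml_text)
    bodies = env.findall(SOAP + "Body")      # direct children: what the app will process
    if len(bodies) != 1:
        return ["expected exactly one Body directly under Envelope"]
    problems, body_signed = [], False
    for ref in env.iter(DS + "Reference"):
        ref_id = ref.get("URI", "").lstrip("#")
        targets = [e for e in env.iter() if e.get("{%s}Id" % WSU) == ref_id]
        if len(targets) != 1:
            problems.append(f"Id '{ref_id}' matches {len(targets)} elements")
        elif targets[0] is bodies[0]:
            body_signed = True               # the signature covers the processed Body
    if not body_signed:
        problems.append("processed Body is not the element the signature references")
    return problems

# Constructed, simplified messages (no real signature values or WS-Security header).
NS = f'xmlns:s="{SOAP[1:-1]}" xmlns:ds="{DS[1:-1]}" xmlns:wsu="{WSU}"'
SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>'
SIGNED_BODY = '<s:Body wsu:Id="body-1"><op>read</op></s:Body>'

GENUINE = f'<s:Envelope {NS}><s:Header>{SIG}</s:Header>{SIGNED_BODY}</s:Envelope>'
# Signed Body relocated under a wrapper; an unsigned Body sits where the app reads.
WRAPPED = (f'<s:Envelope {NS}><s:Header>{SIG}<Wrapper>{SIGNED_BODY}</Wrapper></s:Header>'
           '<s:Body><op>changed</op></s:Body></s:Envelope>')
```

`wrapping_problems(GENUINE)` returns an empty list, while `wrapping_problems(WRAPPED)` reports that the Body the application would process is not the signed one.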

 

Man-in-the-Cloud 

A hacker will convince a user to install malicious code that will send a sync token to the user’s drive. They will then steal that token and gain access to the cloud system. 
