The book discusses the security and privacy issues detected during penetration testing, security assessments, configuration reviews, malware analysis, and independent research of the cloud infrastructure and Software-as-a-Service (SaaS) applications. The book highlights hands-on technical approaches on how to detect the security issues based on the intelligence gathered from the real world case studies and also discusses the recommendations to fix the security issues effectively. This book is not about general theoretical discussion rather emphasis is laid on the cloud security concepts and how to assess and fix them practically.
Author(s): Aditya K. Sood
Edition: 2
Year: 2023
Language: English
Pages: 491
Cover
Half-Title
Title
Copyright
Contents
Preface
About the Author
Chapter 1: Cloud Architecture and Security Fundamentals
Understanding Cloud Virtualization
Cloud Computing Models
Comparing Virtualization and Cloud Computing
Containerization in the Cloud
Components of Containerized Applications
Serverless Computing in the Cloud
Components of Serverless Applications
The Characteristics of VMs, Containers, and Serverless Computing
Cloud Native Architecture, Applications, and Microservices
Embedding Security into Cloud Native Applications
Securing Cloud Native Applications
Cloud Native Application Protection Platform (CNAPP)
Understanding Zero Trust Architecture
Edge Computing Paradigm
Embedding Security in the DevOps Model
Understanding Cloud Security Pillars
Cloud Security Testing and Assessment Methodologies
References
Chapter 2: Iam for Authentication and Authorization: Security Assessment
Understanding Identity and Access Management Policies
IAM Policy Types and Elements
IAM Policy Variables and Identifiers
Managed and Inline Policy Characterization
IAM Users, Groups, and Roles
Trust Relationships and Cross-Account Access
IAM Access Policy Examples
IAM Access Permission Policy
IAM Resource-Based Policy
Role Trust Policy
Identity and Resource Policies: Security Misconfigurations
Confused Deputy Problems
Over-Permissive Role Trust Policy
Guessable Identifiers in Role Trust Policy
Privilege Escalation via an Unrestricted IAM Resource
Insecure Policies for Serverless Functions
Unrestricted Access to Serverless Functions
Serverless Functions with Administrative Privileges
Serverless Function Untrusted Cross-Account Access
Unrestricted Access to the VPC Endpoints
Insecure Configuration in Passing IAM Roles to Services
Uploading Unencrypted Objects to Storage Buckets Without Ownership
Misconfigured Origin Access Identity for CDN Distribution
Authentication and Authorization Controls Review
Multi Factor Authentication (MFA)
User Credential Rotation
Password Policy Configuration
Administrative or Root Privileges
SSH Access Keys for Cloud Instances
Unused Accounts, Credentials, and Resources
API Gateway Client-Side Certificates for Authenticity
Key Management Service (KMS) Customer Master Keys
Users Authentication from Approved IP Addresses and Locations
Recommendations
Automation Scripts for Security Testing
MFA Check (mfa_check.sh)
IAM Users Administrator Privileges Analysis (iam_users_admin_root_privileges. sh)
IAM Users SSH Keys Analysis (iam_users_ssh_keys_check.sh)
References
Chapter 3: Cloud Infrastructure: Network Security Assessment
Network Security: Threats and Flaws
Why Perform a Network Security Assessment?
Understanding Security Groups and Network Access Control Lists
Understanding VPC Peering
Security Misconfigurations in SGs and NACLs
Unrestricted Egress Traffic via SGs Outbound Rules
Unrestricted Egress Traffic via NACLs Outbound Rules
Insecure NACL Rule Ordering
Over-Permissive Ingress Rules
Cloud Network Infrastructure: Practical Security Issues
Insecure Configuration of Virtual Private Clouds
Public IP Assignment for Cloud Instances in Subnets
Over-Permissive Routing Table Entries
Lateral Movement via VPC Peering
Insecure Bastion Hosts Implementation
Outbound Connectivity to the Internet
Missing Malware Protection and File Integrity Monitoring (FIM)
Password-Based Authentication for the Bastion SSH Service
Insecure Cloud VPN Configuration
Insecure and Obsolete SSL/TLS Encryption Support for OpenVPN
Unrestricted VPN Web Client and Administrator Interface
Exposed Remote Management SSH Service on VPN Host
IPSec and Internet Key Exchange (IKE) Assessment
Reviewing Deployment Schemes for Load Balancers
Application Load Balancer Listener Security
Network Load Balancer Listener Security
Insecure Implementation of Network Security Resiliency Services
Universal WAF not Configured
Non-Integration of WAF with a Cloud API Gateway
Non-Integration of WAF with CDN
Missing DDoS Protection with Critical Cloud Services
Exposed Cloud Network Services: Case Studies
AWS Credential Leakage via Directory Indexing
OpenSSH Service Leaking OS Information
OpenSSH Service Authentication Type Enumeration
OpenSSH Service with Weak Encryption Ciphers
RDP Services with Insecure TLS Configurations
Portmapper Service Abuse for Reflective DDoS Attacks
Information Disclosure via NTP Service
Leaked REST API Interfaces via Unsecured Software
Unauthorized Operations via Unsecured Cloud Data Flow Server
Information Disclosure via Container Monitoring Software Interfaces
Credential Leakage via Unrestricted Automation Server Interfaces
Data Disclosure via Search Cluster Visualization Interfaces
Insecure DNS Servers Prone to Multiple Attacks
Exposed Docker Container Registry HTTP API Interface
Unsecured Web Servers Exposing API Endpoints
Exposed Riak Web Interfaces without Authentication
Exposed Node Exporter Software Discloses Information
Unsecured Container Management Web Interfaces
Insecure ERP Deployments in the Public Cloud
Information Leakage via Exposed Cluster Web UI
Unsecured Reverse Proxy Web Interfaces
Recommendations
References
Chapter 4: Database and Storage Services: Security Assessment
Database Cloud Deployments
Deploying Databases as Cloud Services
Databases Running on Virtual Machines
Containerized Databases
Cloud Databases
Cloud Databases: Practical Security Issues
Verifying Authentication State of Cloud Database
Database Point-in Time Recovery Backups Not Enabled
Database Active Backups and Snapshots Not Encrypted
Database Updates Not Configured
Database Backup Retention Time Period Not Set
Database Delete Protection Not Configured
Cloud Storage Services
Cloud Storage Services: Practical Security Issues
Security Posture Check for Storage Buckets
Unencrypted Storage Volumes, Snapshots, and Filesystems
Unrestricted Access to Backup Snapshots
Automating Attack Testing Against Cloud Databases and Storage Services
Unsecured Databases and Storage Service Deployments: Case Studies
Publicly Exposed Storage Buckets
Unsecured Redis Instances with Passwordless Access
Penetrating the Exposed MySQL RDS Instances
Data Destruction via Unsecured Memcached Interfaces
Privilege Access Verification of Exposed CouchDB Interfaces
Keyspace Access and Dumping Credentials for Exposed Cassandra Interfaces
Data Exfiltration via Search Queries on Exposed Elasticsearch Interface
Dropping Databases on Unsecured MongoDB Instances
Exploiting Unpatched Vulnerabilities in Database Instances: Case Studies
Privilege Escalation and Remote Command Execution in CouchDB
Reverse Shell via Remote Code Execution on Elasticsearch/Kibana
Remote Code Execution via JMX/RMI in Cassandra
Recommendations
References
Chapter 5: Design and Analysis of Cryptography Controls: Security Assessment
Understanding Data Security in the Cloud
Cryptographic Techniques for Data Security
Data Protection Using Server-Side Encryption (SSE)
Client-Side Data Encryption Using SDKs
Data Protection Using Transport Layer Encryption
Cryptographic Code: Application Development and Operations
Crypto Secret Storage and Management
Data Security: Cryptographic Verification and Assessment
Machine Image Encryption Test
File System Encryption Test
Storage Volumes and Snapshots Encryption Test
Storage Buckets Encryption Test
Storage Buckets Transport Encryption Policy Test
TLS Support for Data Migration Endpoints Test
Encryption for Cloud Clusters
Node-to-Node Encryption for Cloud Clusters
Encryption for Cloud Streaming Services
Encryption for Cloud Notification Services
Encryption for Cloud Queue Services
Envelope Encryption for Container Orchestration Software Secrets
Cryptographic Library Verification and Vulnerability Assessment
TLS Certificate Assessment of Cloud Endpoints
TLS Security Check of Cloud Endpoints
Hard-Coded Secrets in the Cloud Infrastructure
Hard-Coded AES Encryption Key in the Lambda Function
Hard-Coded Credentials in a Docker Container Image
Hard-Coded Jenkins Credentials in a CloudFormation Template
Cryptographic Secret Storage in the Cloud
Recommendations for Applied Cryptography Practice
References
Chapter 6: Cloud Applications: Secure Code Review
Why Perform a Secure Code Review?
Introduction to Security Frameworks
Application Code Security: Case Studies
Insecure Logging
Exceptions Not Logged for Analysis
Data Leaks From Logs Storing Sensitive Information
Insecure File Operations and Handling
File Uploading with Insecure Bucket Permissions
Insecure File Downloading from Storage Buckets
File Uploading to Storage Buckets Without Server-side Encryption
File Uploading to Storage Buckets Without Client-Side Encryption
Insecure Input Validations and Code Injections
Server-Side Request Forgery
Function Event Data Injections
Cloud Database NoSQL Query Injections
Loading Environment Variables without Security Validation
HTTP Rest API Input Validation using API Gateway
CORS Origin Header Server-Side Verification and Validation
Insecure Application Secrets Storage
Hard-Coded Credentials in Automation Code
Leaking Secrets in the Console Logs via the Lambda Function
User Identity Access Tokens Leaked in Logs
Insecure Configuration
Content-Security-Policy Misconfiguration
Use of Outdated Software Packages and Libraries
Obsolete SDKs Used for Development
Container Images not Scanned Automatically
Unsupported Container Orchestration Software Version Deployed
Code Auditing and Review Using Automated Tools
Recommendations
References
Chapter 7: Cloud Monitoring and Logging: Security Assessment
Understanding Cloud Logging and Monitoring
Log Management Lifecycle
Log Publishing and Processing Models
Categorization of Log Types
Enumerating Logging Levels
Logging and Monitoring: Security Assessment
Event Trails Verification for Cloud Management Accounts
Cloud Services Logging: Configuration Review
ELB and ALB Access Logs
Storage Buckets Security for Archived Logs
API Gateway Execution and Access Logs
VPC Network Traffic Logs
Cloud Database Audit Logs
Cloud Serverless Functions Log Streams
Cluster Control Plane Logs
DNS Query Logs
Log Policies via Cloud Formation Templates
Transmitting Cloud Software Logs Over Unencrypted Channels
Sensitive Data Leakage in Cloud Event Logs
Case Studies: Exposed Cloud Logging Infrastructure
Scanning Web Interfaces for Exposed Logging Software
Leaking Logging Configurations for Microservice Software
Unrestricted Web Interface for the VPN Syslog Server
Exposed Elasticsearch Indices Leaking Nginx Access Logs
Exposed Automation Server Leaks Application Build Logs
Sensitive Data Exposure via Logs in Storage Buckets
Unrestricted Cluster Interface Leaking Executor and Jobs Logs
Recommendations
References
Chapter 8: Privacy in the Cloud
Understanding Data Classification
Data Privacy by Design Framework
Learning Data Flow Modeling
Data Leakage and Exposure Assessment
Privacy Compliance and Laws
EU General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
A Primer of Data Leakage Case Studies
Sensitive Documents Exposure via Cloud Storage Buckets
Data Exfiltration via Infected Cloud VM Instances
Exposed SSH Keys via Unsecured Cloud VM Instances
Environment Mapping via Exposed Database Web Interfaces
Data Leakage via Exposed Access Logs
Data Leakage via Application Execution Logs
PII Leakage via Exposed Cloud Instance API Interfaces
Stolen Data: Public Advertisements for Monetization
Recommendations
References
Chapter 9: Cloud Security and Privacy: Flaws, Attacks, and Impact Assessments
Cybersecurity Approaches for Organizations
Understanding the Basics of Security Flaws, Threats, and Attacks
Understanding the Threat Actors
Security Threats in the Cloud Environment and Infrastructure
Security Flaws in Cloud Virtualization
Security Flaws in Containers
Virtualization and Containerization Attacks
Security Flaws in Cloud Applications
Application-Level Attacks
Security Flaws in Operating Systems
OS-Level Attacks
Security Flaws in Cloud Access Management and Services
Network-Level Attacks
Security Flaws in the Code Development Platform
Hybrid Attacks via Social Engineering and Malicious Code
Security Impact Assessment
Privacy Impact Assessment
Secure Cloud Design Review Benchmarks
Recommendations
References
Chapter 10: Malicious Code in the Cloud
Malicious Code Infections in the Cloud
Malicious Code Distribution: A Drive-By Download Attack Model
Hosting Malicious Code in Cloud Storage Services
Abusing a Storage Service’s Inherent Functionality
Distributing Malicious IoT Bot Binaries
Hosting Scareware for Social Engineering
Distributing Malicious Packed Windows Executables
Compromised Cloud Database Instances
Ransomware Infections in Elasticsearch Instances
Ransomware Infections in MongoDB Instances
Ransomware Infections in MySQL Instances
Elasticsearch Data Destruction via Malicious Bots
Malicious Code Redirecting Visitors to Phishing Webpages
Deployments of Command and Control Panels
Malicious Domains Using Cloud Instances to Spread Malware
Cloud Instances Running Cryptominers via Cron Jobs
Indirect Attacks on Target Cloud Infrastructure
Cloud Account Credential Stealing via Phishing
Unauthorized Operations via Man-in-the-Browser Attack
Exfiltrating Cloud CLI Stored Credentials
Exfiltrating Synchronization Token via Man-in-the-Cloud Attacks
Infecting Virtual Machines and Containers
Exploiting Vulnerabilities in Network Services
Exposed and Misconfigured Containers
Injecting Code in Container Images
Unsecured API Endpoints
Stealthy Execution of Malicious Code in VMs
Deploying Unpatched Software
Malicious Code Injection via Vulnerable Applications
References
Chapter 11: Threat Intelligence and Malware Protection in the Cloud
Threat Intelligence
Threat Intelligence in the Cloud
Threat Intelligence Classification
Threat Intelligence Frameworks
DNI Cyber Threat Framework
MITRE ATT&CK Framework
Conceptual View of a Threat Intelligence Platform
Understanding Indicators of Compromise and Attack
Indicators of Compromise and Attack Types
Indicators of Compromise and Attack Data Specification and Exchange Formats
Indicators of Compromise and Attack Policies
Implementing Cloud Threat Intelligence Platforms
Using AWS Services for Data Collection and Threat Intelligence
Enterprise Security Tools for Data Collection and Threat Intelligence
Open-Source Frameworks for Data Collection and Threat Intelligence
Hybrid Approach to Collecting and Visualizing Intelligence
Cloud Honeypot Deployment for Threat Intelligence
Detecting Honeypot Deployments in the Cloud
Threat Intelligence: Use Cases Based on Security Controls
Scanning Storage Buckets for Potential Infections
Detecting Brute-Force Attacks Against Exposed SSH/RDP Services
Scanning Cloud Instances for Potential Virus Infections
Understanding Malware Protection
Malware Detection
Malware Prevention
Techniques, Tactics, and Procedures
Cyber Threat Analytics
References
Appendix A: List of Serverless Computing Services
Appendix B: List of Serverless Frameworks
Appendix C: List of SaaS, PaaS, IaaS, and FaaS Providers
Appendix D: List of Containerized Services and Open Source Software
Appendix E: List of Critical RDP Vulnerabilities
Appendix F: List of Network Tools and Scripts
Appendix G: List of Databases Default TCP/UDP Ports
Appendix H: List of Database Assessment Tools, Commands, and Scripts
Appendix I: List of CouchDB API Commands and Resources
Appendix J: List of CQLSH Cassandra Database SQL Queries
Appendix K: List of Elasticsearch Queries
Appendix L: AWS Services CLI Commands
Appendix M: List of Vault and Secret Managers
Appendix N: List of TLS Security Vulnerabilities for Assessment
Appendix O: List of Cloud Logging and Monitoring Services
Appendix P: Enterprise Threat Intelligence Platforms
Index
