11 - Cloud Pen Testing Flashcards
1
Q
What are some major risks with Cloud Computing?
A
- Risk profile not known
- Data Leakage
- Lack of control
- Account or Service hijacking
- Malicious Insiders
- Insecure Application Programming Interfaces
2
Q
What are the different scopes of Cloud Pen Testing?
A
- Web App/Web Service: Testing app and web service security
- Network Pen Testing: Pen testing network, databases, firewalls, and other systems in your cloud network
- Cloud Pen Testing: Various assessments against risks specific to a cloud that could expose it to serious threats
3
Q
What are the differences between the “as a Service” models?
A
- On Premises: Client manages everything
- Infrastructure-as-a-Service: Client manages from the OS up to the Application. Cloud provider manages from the Server up to the Network.
- Platform-as-a-Service: Client manages the Data and Application. Cloud provider manages everything else.
- Software-as-a-Service: Cloud provider manages everything.
4
Q
What are the steps for Cloud Pen Testing?
A
- Identify the type of cloud
- Identify what is to be tested
- Identify the systems/instances and applications that the client wants tested
- Identify the tools for Pen Testing
- Identify what is allowed to be tested in the cloud environment
  - The Cloud Service Provider (CSP) will allow you to conduct a pen test only on specific instances or resources
- Identify which tests are prohibited
  - The CSP will specify these
- Identify the date and time for Pen Testing
- Check for lock-in problems
  - Lock-in refers to a situation in which a subscriber cannot switch to another CSP
  - This can have a severe impact on business services if the CSP discontinues its service
- Check the SLA between the subscriber and the cloud service provider
- Check for Governance Issues
- Check for Compliance Issues
  - PCI
  - SOX
- Check for Correct Implementation of Security Management
  - Are the right employees, with the right knowledge, appointed to look after cloud security?
  - Is the right set of policies and procedures implemented?
  - Are proper security and business-continuity process models implemented?
- Check the Cloud for Resource Isolation
  - Check whether the activity of one subscriber affects the others
- Check the CSP’s client feedback and expert reviews
  - Check the track record and security history of the CSP’s services
- Check whether Anti-Malware Applications are Installed and Updated
  - Check whether each component of the infrastructure is protected with security controls
- Check whether Firewalls are Installed at Every Network Entry Point
  - Unused ports, protocols, and services should be blocked
- Check that strong authentication is deployed for every remote user
  - All remote users should use an 8-character alphanumeric password
  - 2FA should be used
- Check that cloud services use SSL certificates and encrypt their traffic
- Check for secure URL connections, VPN, and secure email services
- Check the Data retention policy of service providers
  - Determine whether CSPs are bound by the law of the land to disclose data to third parties such as law enforcement agencies
  - How will data retention be handled if the CSP is acquired?
- Check that all Users Follow Safe Internet Practices
  - Is there a proper usage policy in place?
  - Are staff educated not to engage in risky activity?
- Perform a Detailed Vulnerability Assessment
  - Try to gain passwords to hijack the cloud service
    - Use password-grabbing techniques
    - Network sniffing
- Test for Virtualization Management (VM) Security
  - Is the host updated with the latest patches?
  - Check password complexity
  - Are unneeded services running?
  - Are hosts individually firewalled?
  - Is the VM host physically secured?
  - Are file integrity checks in place?
- Check audit and Evidence-gathering Features in the cloud service
  - Is cloning of VMs offered?
  - Cloning helps minimize downtime, and evidence can be analyzed offline
- Perform Automated Cloud Security Testing
5
Q
What type of things are you looking for during Cloud Reconnaissance?
A
- List of publicly accessible resources
- Security Groups
- Routing tables, network ACLs
- Subnets
- Permissions
- Identity and Access Management (IAM) policies
6
Q
What type of Governance issues should you look for?
A
- Discrepancies in SLA clauses and their implementation
- Hidden dependencies on resources outside the cloud
- Lack of transparency on the use of standard tech and storage of data in multiple jurisdictions
- Source escrow agreement
- Jurisdiction over the CSP for SLA-related issues
- Completeness and transparency in terms of use
- Cloud asset ownership
7
Q
What are recommendations for Cloud Testing?
A
- Ensure the cloud provider is achieving better-than-normal security standards
- Authenticate users with user name/password
- Ensure credentials are changed on a regular basis
- Use centralized authentication or SSO for firms that use SaaS applications
- Give workers high-end training
- Offer IT support and layers of security to prevent potential data breaches
- Pay special attention to cloud hypervisors
- Restrict access to VM management interfaces
- Password encryption is advisable
- Protect information that is uncovered during the pen test.
8
Q
What are some recommendations for Cloud Security?
A
- Enforce data protection, backup, and retention
- Enforce SLAs for patching and vulnerability remediation
- Vendors should undergo AICPA SAS 70 Type II audits
- Check whether one’s own cloud appears on public-domain blacklists
- Enforce legal contracts in employee behavior policy
- Prohibit user credential sharing
- Implement strong key management practices
- Monitor clients’ traffic for any malicious activity
- Prevent unauthorized server access using security checkpoints
- Disclose applicable logs and data to customers
- Log customer network traffic
- Assess the security of cloud APIs
- Ensure physical security is 24x7x365
- Enforce security standards in installation/configuration
- Ensure memory, storage, and network access are isolated.
- Leverage 2FA
- Enforce a stringent registration and validation process
- Perform vulnerability and configuration risk assessment
- Employ network security devices
- Enforce strict supply chain management
- Use SSL