Great video from BSides Columbus Ohio 2018:
“Zero to Owned in 1 Hour”
It is an interesting review of how the new potential weaknesses lie in the cloud itself.
Human access to the cloud can be a weak point.
AWS (Amazon Web Services)
Does multi-factor authentication work when multiple people are running things?
Service provider (cloud company): there is a main login, and this is where the hacker can get the keys to the kingdom. What if the hacker can somehow figure out how to obtain the main account login? We are so busy locking down all the desktops and more that it is the easy items we seem to fall down on.
The comparison with the old life cycle is interesting, as we were so focused on denying system access last year (or pre-cloud).
Today, if the main account is somehow taken over, the hacker does not need to escalate privileges or keep access in the network, since the main control account can do all of that and more.
So given the big beacon of "if you capture this item, you have the keys to the kingdom", what can we do to prevent this?
You have to review how the system administration and ownership of the cloud account is handled.
- How many people are managing the main account?
- How is the password/authentication performed?
- Who is reviewing the security of this important account?
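One way a client-side reviewer can put numbers behind those three questions for an AWS account is to read the IAM credential report, which lists the root account and every IAM user along with whether console sign-in and MFA are enabled and whether access keys exist. The following is an added example written for this post, not code from the talk or from AWS. It parses a constructed sample report (the column names are the real report columns; every value is made up) and flags the conditions a reviewer of the "main account" cares about: root without MFA, root with an active access key, and console users without MFA. The live input would come from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is the base64-encoded CSV.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample of an IAM credential report (the CSV behind
# `aws iam get-credential-report`). Account id, user names and dates are
# made up for this example; only the column names are the real ones.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2017-01-05T10:00:00+00:00,not_supported,2018-06-01T08:12:00+00:00,not_supported,not_supported,false,true,2017-01-05T10:00:00+00:00,2018-05-30T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-03-01T12:00:00+00:00,true,2018-06-02T07:00:00+00:00,2018-01-10T12:00:00+00:00,2018-04-10T12:00:00+00:00,true,true,2018-01-10T12:00:00+00:00,2018-06-01T07:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-03-01T12:00:00+00:00,true,2018-06-02T07:30:00+00:00,2017-03-01T12:00:00+00:00,2017-06-01T12:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2017-09-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-09-01T12:00:00+00:00,2018-06-02T06:00:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# The report names the root identity with this literal user value.
ROOT_USER = "<root_account>"


def parse_report(csv_text: str) -> List[Dict[str, str]]:
    """Parse the credential report CSV into one dict per identity."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_credential_report(csv_text: str) -> Dict[str, list]:
    """Answer the reviewer's questions from the report.

    Returns:
      console_users: IAM users who can sign in to the console (people who
                     effectively "manage" the account interactively).
      findings:      (user, reason) pairs for weak authentication on the
                     root account or on console users.
    """
    findings: List[Tuple[str, str]] = []
    console_users: List[str] = []

    for row in parse_report(csv_text):
        user = row["user"]
        mfa_active = row["mfa_active"] == "true"
        key_active = (row["access_key_1_active"] == "true"
                      or row["access_key_2_active"] == "true")

        if user == ROOT_USER:
            # The root identity is the "main account" from the post:
            # it should never be usable with just a password, and it
            # should not hold long-lived API keys at all.
            if not mfa_active:
                findings.append((user, "root account has no MFA device"))
            if key_active:
                findings.append((user, "root account has an active access key"))
            continue

        # password_enabled is "true" only for users with console sign-in;
        # key-only service users (deploy-bot) are not console users.
        if row["password_enabled"] == "true":
            console_users.append(user)
            if not mfa_active:
                findings.append((user, "console sign-in enabled without MFA"))

    return {"console_users": console_users, "findings": findings}


if __name__ == "__main__":
    result = audit_credential_report(SAMPLE_REPORT)
    print("Console users:", ", ".join(result["console_users"]))
    for user, reason in result["findings"]:
        print(f"FINDING {user}: {reason}")
```

On the constructed sample the audit reports two console users (alice and bob), two findings against the root account and one against bob; deploy-bot is not flagged because it has no console password, which is the expected shape for an automation identity. The count of console users is a direct answer to "how many people are managing the main account", and the findings list is what the person responsible for reviewing this account should be looking at on a schedule.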
I.e., who should be at fault if there is a security problem: the cloud company (service provider) or our own IT people? At first blush you would think it depends on the problem, but the interesting thing is that some cloud companies want to push that responsibility to the client. Check this post by CSOonline.com:
12 top cloud security threats (the “Treacherous 12”)
- Data Breaches
- Insufficient Identity, credential and access management
- Insecure interfaces and application programming interfaces (APIs)
- System vulnerabilities
- Account hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data loss
- Insufficient Due Diligence
- Abuse and nefarious use of cloud services
- Denial of Service (DoS)
- Shared Technology vulnerabilities
This is a nice list, so which threats could be classified as “service provider”, and which would be more the client's fault?
All of them could be both or either, except for system vulnerabilities, which is just the service provider's. Denial of service ought to be the service provider's as well.
The problem is that the client can affect almost all of them, as the client drives the applications and thus the technological trail. Or the client really controls most of the issue, as with account hijacking (of the main account).
As usual, someone has to review and check (a technical audit) to make sure that the technology is doing what it is supposed to be doing, “securely”.
Contact to discuss