Cloud is an emerging technology, offering numerous benefits to organizations of all sizes, such as reduced IT costs, scalability, efficiency, flexibility, etc. But it comes with its drawbacks, mainly in the form of security threats and vulnerabilities. Unlike traditional solutions where perils come from two known sources, either inside or outside the network, security threats in cloud computing can originate from different levels: application, network, and user levels. In this post, we will look at different types of attacks at these three levels: cloud service provider (CSP) level, network level, and user or host level, and the ways to reduce their damage.
Application or cloud service provider level security issues
Application-level security issues (or cloud service provider CSP level attacks) refer to intrusion from the malicious attackers due to vulnerabilities of the shared nature of the cloud. Some companies host their applications in shared environments used by multiple users, without considering the possibilities of exposure to security breaches, such as:
1. SQL injection
An unauthorized user gains access to the entire database of an application by inserting malicious code into a standard SQL code. Often used to attack websites, SQL injection can be avoided by the usage of dynamically generated SQL in the code. It is also necessary to remove all stored procedures that are rarely used and assign the least possible privileges to users who have permission to access the database.
2. Guest-hopping attack
In guest-hopping attacks, due to the separation failure between shared infrastructures, an attacker gets access to a virtual machine by penetrating another virtual machine hosted in the same hardware. One possible mitigation of guest-hopping attack is the Forensics and VM debugging tools to observe any attempt to compromise the virtual machine. Another solution is to use the High Assurance Platform (HAP), which provides a high degree of isolation between virtual machines.
3. Side-channel attack
An attacker opens a side-channel attack by placing a malicious virtual machine on the same physical machine as the victim machine. Through this, the attacker gains access to all confidential information on the victim machine. The countermeasure to eliminate the risk of side-channel attacks in a virtualized cloud environment is to ensure that no legitimate user VMs reside on the same hardware of other users.
4. Malicious insider
A malicious insider can be a current or former employee or business associate who maliciously and intentionally abuses system privileges and credentials to access and steal sensitive customer information within the network of an organization. Strict privilege planning and security auditing can minimize this security risk that originates from within an organization.
5. Cookie poisoning
Cookie poisoning means to gain unauthorized access into an application or a webpage by modifying the contents of the cookie. In a SaaS model, cookies contain user identity credential information that allows the applications to authenticate the user identity. Cookies are forged to impersonate an authorized user. A solution is to clean up the cookie and encrypt the cookie data.
6. Backdoor and debug option
The backdoor is a hidden entrance to an application, which was created intentionally or unintentionally by developers while coding. Debug option is also a similar entry point, often used by developers to facilitate troubleshooting in applications. But the problem is that the hackers can use these hidden doors to bypass security policies and enter the website and access the sensitive information. To prevent this kind of attack, developers should disable the debugging option.
7. Cloud browser security
A web browser is a universal client application that uses Transport Layer Security (TLS) protocol to facilitate privacy and data security for Internet communications. TLS encrypts the connection between web applications and servers, such as web browsers loading a website. Web browsers only use TLS encryption and TLS signature, which are not secure enough to defend malicious attacks. One of the solutions is to use TLS and at the same time XML based cryptography in the browser core.
8. Cloud malware injection attack
A malicious virtual machine or service implementation module such as SaaS or IaaS is injected into the cloud system, making it believe the new instance is valid. If succeeded, the user requests are redirected automatically to the new instance where the malicious code is executed. The mitigation is to perform an integrity check of the service instance before using it for incoming requests in the cloud system.
9. ARP poisoning
Address Resolution Protocol (ARP) poisoning is when an attacker exploits some ARP protocol weakness to map a network IP address to one malicious MAC and then update the ARP cache with this malicious MAC address. It is better to use static ARP entries to minimize this attack. This tactic can work for small networks such as personal clouds, but it is easier to use other strategies such as port security features on large-scale clouds to lock a single port (or network device) to a particular IP address.
Network-level security attacks
Cloud computing largely depends on existing network infrastructure such as LAN, MAN, and WAN, making it exposed to some security attacks which originate from users outside the cloud or a malicious insider. In this section, let’s focus on the network level security attacks and their possible countermeasures.
10. Domain Name System (DNS) attacks
It is an exploit in which an attacker takes advantage of vulnerabilities in the domain name system (DNS), which converts hostnames into corresponding Internet Protocol (IP) addresses using a distributed database scheme. DNS servers are subject to various kinds of attacks since DNS is used by nearly all networked applications – including email, Web browsing, eCommerce, Internet telephony, and more. It includes TCP SYN Flood Attacks, UDP Flood Attack, Spoofed Source Address/LAND Attacks, Cache Poisoning Attacks, and Man in the Middle Attacks.
11. Domain hijacking
Domain hijacking is defined as changing a domain’s name without the owner or creator’s knowledge or permission. Domain hijacking enables intruders to obtain confidential business data or perform illegal activities such as phishing, where a domain is substituted by a similar website containing private information. One way to avoid domain hijacking is to force a waiting period of 60 days between a change in registration and a transfer to another registrar. Another approach is to use the Extensible Provisioning Protocol (EPP), which utilizes a domain registrant-only authorization key as a protection measure to prevent unintended name changes. Another approach is to use the Extensible Provisioning Protocol (EPP), which utilizes a domain registrant-only authorization key as a protection measure to prevent unauthorized name changes.
12. IP Spoofing
In IP spoofing, an attacker gains unauthorized access to a computer by pretending that the traffic has originated from a legitimate computer. IP spoofing is used for other threats such as Denial of Service and Middle Attack Man:
a. Denial of service attacks (DoS)
It is a type of attack that tries to make a website or network resource unavailable. The attacker floods the host with a massive number of packets in a short amount of time that require extra processing. It makes the targeted device waste time waiting for a response that never comes. The target is kept so busy dealing with malicious packets that it does not respond to routine incoming requests, leaving the legitimate users with denied service.
An attacker can coordinate hundreds of devices across the Internet to send an overwhelming amount of unwanted packets to a target. Therefore, tracking and stopping DoS is very difficult. TCP SYN flooding is an example of a DoS attack in which the intruder sends a flood of spoofed TCP SYN packets to the victim machine. This attack exploits the limitations of the three-way handshake in maintaining half-open connections.
b. Man In The Middle Attack (MITM)
A man-in-the-middle attack (MITM) is an intrusion in which the intruder relays remotely or probably changes messages between two entities that think they communicate directly with each other. The intruder utilizes network packet sniffer, filtering, and transmission protocols to gain access to network traffic. MITM attack exploits the real-time processing of transactions, conversations, or transfer of other data. It can be reduced using packet filtering by firewall, secure encryption, and origin authentication techniques.
End-user/host level attacks
The cloud end-user or host level attacks include phishing, an attempt to steal the user identity that includes usernames, passwords, and credit card information. Phishing is to send the user an email containing a link to a fake website that looks like a real one. When the user uses the fake website, his username and password will be sent to the hacker who can use them to attack the cloud.
Another method of phishing is to send an email to the user claiming to be from the cloud service company or, for instance, to tell the user to provide their username and password for maintenance purposes. Countermeasures of phishing are the use of Spam filters and spam blockers in the browsers. You can also train the users not to respond to any spoofed email and not to give their credentials to any website.