Technically, a penetration test of a cloud environment does not differ much from any other penetration test, including its on-premises equivalent.
You may have moved data to the cloud, but that doesn’t mean your responsibility for securing it has gone.
In a hybrid cloud environment, where some data is stored locally while some lives in the cloud, security must be assessed wherever information resides.
Penetration testing probes for weaknesses that could compromise security, perhaps leading to a data breach.
When your organization stores sensitive information on behalf of customers, such as medical or financial records, you are not just responsible for protecting that data; you must also ensure that every outsourced provider it passes through follows the same controls.
How is a typical pen test carried out?
Pen tests start with a phase of reconnaissance, during which an ethical hacker spends time gathering data and information that they will use to plan their simulated attack.
After that, the focus becomes gaining and maintaining access to the target system, which requires a broad set of tools.
Attack tooling includes software for brute-forcing credentials and for finding and exploiting SQL injection.
There is also hardware built for pen testing, such as small, inconspicuous drop boxes that can be plugged into a network port inside the building to give the tester remote access to that network.
An ethical hacker may also use social engineering to find weaknesses: sending phishing emails to employees, for example, or posing as a delivery person to gain physical access to the building.
The tester wraps up the test by cleaning up: removing any planted hardware, deleting the tools, accounts and files created during the test, and leaving the target system as it was found. Where the engagement also measures detection, this phase includes covering tracks, so that the defenders' ability to spot the intrusion is tested rather than given away.
What happens in the aftermath of a pen test?
After completing a pen test, the ethical hacker will share their findings with the target company’s security team.
This information can then be used to implement security upgrades to plug up any vulnerabilities discovered during the test.
These upgrades can include rate limiting, new WAF rules and DDoS mitigation, as well as tighter input validation and sanitization.
Challenges of Cloud Pentesting
In the past, testing of cloud-based applications and infrastructure was restricted by legal and jurisdictional complications.
Security enthusiasts and professional penetration testers were not permitted to run intrusive scans or penetration tests against cloud-hosted applications and environments without the explicit permission of the cloud service provider, such as Microsoft Azure or Alibaba Cloud (AliCloud).
But the growing number of attacks on cloud workloads in recent years has pushed cloud penetration testing into the mainstream.
The 2019 Capital One breach showed how little it takes: a server-side request forgery through a misconfigured web application firewall running on EC2 let the attacker query the instance metadata service for the temporary credentials of the instance's IAM role, and that role's over-broad permissions were enough to list and copy data out of Amazon S3 buckets. The lesson is twofold: scope IAM roles to the buckets and actions a workload actually needs, and require IMDSv2 (session-token based metadata access) so that a simple SSRF cannot read credentials in the first place.
Organizations are now willing to outsource penetration tests of their cloud environments to third parties under controlled conditions.
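As an added example (not code from the original article), the following Python check looks for the class of IAM misconfiguration described above: Allow statements that grant S3 listing or read actions on every bucket. The two policy documents are constructed for illustration, the bucket name is hypothetical, and nothing here reproduces any real incident's policies.

```python
"""Lint an IAM policy document for over-broad S3 data access.

Added example, not code from the original article. It reads the same JSON
shape AWS uses for policy documents (Version / Statement / Effect / Action /
Resource). Both sample policies are constructed for illustration; the bucket
name is hypothetical.
"""
import fnmatch
import json

# Constructed: a role policy far broader than any single workload needs.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Constructed: the same workload scoped to one hypothetical bucket, read-only.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-app-assets/*",
    }],
})

# Actions that let a caller enumerate buckets or pull data out of them.
DATA_ACCESS_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """Action/Resource/NotAction may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _granted_actions(stmt):
    """Which of DATA_ACCESS_ACTIONS this statement allows, honouring NotAction."""
    if "NotAction" in stmt and "Action" not in stmt:
        excluded = _as_list(stmt["NotAction"])
        return [a for a in DATA_ACCESS_ACTIONS
                if not any(_matches(p, a) for p in excluded)]
    patterns = _as_list(stmt.get("Action"))
    return [a for a in DATA_ACCESS_ACTIONS
            if any(_matches(p, a) for p in patterns)]


def _covers_all_buckets(resources):
    """True if any resource entry matches every bucket or every object."""
    return any(r == "*" or r.startswith("arn:aws:s3:::*") for r in resources)


def find_broad_s3_grants(policy_json):
    """Return one finding per Allow statement that grants S3 listing or read
    access on all buckets. Condition blocks and NotResource are ignored, so
    treat hits as leads to review rather than proof of exposure."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        granted = _granted_actions(stmt)
        resources = _as_list(stmt.get("Resource"))
        if granted and _covers_all_buckets(resources):
            findings.append({"statement": idx, "actions": granted,
                             "resources": resources})
    return findings
```

Feed it the Document of an inline or managed policy (for managed policies, the version returned by `aws iam get-policy-version`). It deliberately flags `s3:*` on `*` and NotAction-style grants, which are the forms that tend to slip through a manual read; for a complete analysis that also evaluates conditions and resource policies, IAM Access Analyzer does the same job natively.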
But before going deep into what a cloud environment pentest entails, it pays to understand that cloud security is a shared responsibility: the provider secures the underlying infrastructure, and the customer secures what they deploy and configure on top of it.
Cloud service providers like Amazon Web Services (AWS) inherently build security in their infrastructure.
Cloud firewalls such as AWS Security Groups deny all inbound traffic by default (a newly created group has no inbound rules) and allow only what the user explicitly adds.
It is this flexibility that inflates the risk of human error in the cloud.
If a user changes a rule by mistake, for example replacing an allow-list entry for the VPN or an internal CIDR range with 0.0.0.0/0, they expose that infrastructure and the applications behind it to the whole internet, greatly enlarging the attack surface.
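As an added example (not code from the original article), this Python script audits the output of `aws ec2 describe-security-groups` for exactly the slip described above, an allow-list entry replaced with 0.0.0.0/0 or ::/0, and reports which well-known service ports each such rule exposes. The security groups it runs on are constructed and their IDs are invented; the script name in the usage comment is hypothetical.

```python
"""Find security group ingress rules that admit the whole internet.

Added example, not code from the original article. It walks the JSON that
`aws ec2 describe-security-groups` returns. The three groups below are
constructed for illustration and their IDs are made up.
"""
import json
import sys

# Ports on which an internet-wide allow is almost always a mistake.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}

WORLD_SOURCES = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS = json.dumps({"SecurityGroups": [
    {   # Constructed: the intended state, SSH only from the VPN range.
        "GroupId": "sg-0aaa111111111111a", "GroupName": "app-ssh",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "10.20.0.0/16",
                                         "Description": "corp vpn"}]}]},
    {   # Constructed: the slip described in the text, the VPN entry swapped
        # for 0.0.0.0/0.
        "GroupId": "sg-0bbb222222222222b", "GroupName": "app-ssh-oops",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {   # Constructed: every protocol and port, from any IPv6 address.
        "GroupId": "sg-0ccc333333333333c", "GroupName": "db-wide-open",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                           "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})


def _port_range(perm):
    """Port span a permission covers. IpProtocol "-1" means all protocols and
    all ports, in which case FromPort/ToPort are absent."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo < 0:   # -1 on ICMP means "all types"
        return range(0, 65536)
    return range(lo, hi + 1)


def find_world_open_ingress(describe_output):
    """One finding per ingress rule whose source is 0.0.0.0/0 or ::/0, noting
    which sensitive services fall inside the opened port span."""
    data = json.loads(describe_output)
    findings = []
    for group in data["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            open_sources = sorted(s for s in sources if s in WORLD_SOURCES)
            if not open_sources:
                continue
            ports = _port_range(perm)
            exposed = sorted(name for port, name in SENSITIVE_PORTS.items()
                             if port in ports)
            findings.append({
                "group": group["GroupId"], "name": group["GroupName"],
                "protocol": perm.get("IpProtocol"),
                "ports": f"{ports.start}-{ports.stop - 1}",
                "sources": open_sources, "exposed": exposed,
            })
    return findings


if __name__ == "__main__":
    # Hypothetical usage:
    #   aws ec2 describe-security-groups --output json | python3 sg_audit.py
    raw = SAMPLE_GROUPS if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(find_world_open_ingress(raw), indent=2))
```

An internet-wide allow is not always wrong (443 on a public web tier, for instance), which is why the report keys on the port span rather than on the source alone; extend SENSITIVE_PORTS with your own services. The same check can run on a schedule, and for the port 22 case AWS Config's managed rule restricted-ssh covers it natively.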
Pen-testing a cloud environment – the execution
1) Understand the policies of the cloud provider
Setting private clouds aside for now, public cloud providers have policies about penetration testing.
For some providers and services you must still notify the provider or request approval before you test, and every provider restricts what you may do during the test: AWS, Azure and Google Cloud now allow customers to test their own resources without pre-approval for most services, but all of them prohibit denial-of-service testing and any attack on the provider's shared infrastructure or on other tenants.
So, if you have an application that runs on a public cloud and would like to pen test it, you’ll need to do some research first regarding the process your cloud provider recommends.
Not following that process can cause trouble. For instance, a heavy scan or fuzzing run looks a lot like a DDoS attack to the provider's monitoring, and it may get your account suspended.
All cloud providers proactively monitor their infrastructure for anomalies; in some cases a human will call you to find out what is going on.
More often, automated abuse controls throttle or suspend the offending resources without warning when they see what looks like a DDoS attack.
You could come into the office the next day and find that your cloud-delivered storage systems, databases, and applications are offline, and you’ll have some explaining to do to get them back up and running.
The long and short of this is that there are rules of the road when it comes to public clouds.
You have to understand the legal requirements of the pen testing, as well as policies and procedures, or else you’ll quickly find yourself off the cloud system.
2) Create a pen-testing plan
Anyone planning a cloud application pen test first needs a written test plan: which accounts, regions and resources are in scope, the rules of engagement, the test windows, and who to contact if something breaks.
The plan should be agreed between the pen-testing team and the system owner, and each part of it should be followed. Deviations that occur are themselves results, such as an application admin noticing the test in progress and cutting off the testing team's access.
3) Select your pen-testing tools
There are many pen-testing tools on the market. Testing cloud-based applications with on-premises tooling is still common, but cloud-hosted pen-testing tools now exist and may be more cost-effective.
Moreover, they need no hardware footprint: it's a cloud pen testing a cloud. What matters about a tool is that it can simulate a realistic attack, including against the cloud control plane (IAM, storage and network configuration), not only the application itself.
Pen testing is no longer optional. It is one of the few ways to demonstrate that your cloud-based applications and data are secure enough to allow the widest user access with the least risk.