• Cloud Security
  • Cybersecurity

14 worst breaches on your Cloud Apps. How does VA/PT help?

Cross-Site Scripting (XXS) Attack   |   SQL Injection Attack   |   Man-in-the-Middle (MitM) Attack   |   Denial-of-Service (DoS)   |   Malware Attack   |   Password Attack   |   Business logic bypass issues   |   Session Riding (SSRF)   |   HTTP Request Smuggling   |   Privilege Escalation Side   |   Channel Attacks  |  Signature Wrapping AttacksAuthentication/Authorisation attack   |   Error Handling

As cloud computing brings flexibility, ease, and a plethora of options to innovate, create and expand, it also opens the space for multifold threat actors.

And it is increasingly becoming a nightmare for developers, architects, product teams, businesses, and most importantly the cyber security frontiers – CISOs & their army.

The only way one can beat the heat of rapidly growing and highly variant attacks is to remain proactive in ensuring the security health of the development process, developed applications, and the platforms hosting the products. It is not only crucial to sustain the business with uptime but also to ensure the reputation, brand and hence the future growth of the business.

The ongoing checks & secure coding practice becomes key responsibility for the security team and the developers respectively to ensure a robust security posture as well as to meet consistent compliance with regulations & norms of a geography & business area.

How Do We Ensure Proactive Defense?

We often introduce a lot of sophisticated security controls to mitigate the identified security risks. While the most important control remains the testing of the security state of the software, applications and the platforms hosting the various applications. And one of the fundamental security processes driving these security testing is –

Vulnerability Management & Penetration Testing/ VA PT

Vulnerability management is a manual or automated set of procedures including scans to detect the security vulnerabilities in the systems. It can identify either the missing patches, misconfigurations, missing authentication, or security controls with proactive detection, monitoring, measurement & cure. It is governed by documented processes, guidelines, tools & technologies to identify, remediate, track, and report in an ongoing manner. Penetration testing is a set of manual techniques to identify more complex security vulnerabilities which might get missed with automated assessments or scans. This is a more strategic approach with a well-defined targeted scope of coverage and enlisted scenarios planned to be tested. This also involves an attempt to exploit and demonstrate the probable impact with evidence of exploit.

Success Of VA/PT

The success of vulnerability management programs is driven by

  • How fast & frequent are the detection and patching?
  • How much is the coverage of applications, platforms and known vulnerabilities & exploits
  • Conclusion with the measures to fix the weaknesses identified
  • Good documentation of the exercise to track the closures
Possible Outcomes of VA/PT
  • Correction of misconfigurations
  • Updating missing patches & Port closures
  • Updating the security protocols & controls like SSL, TLS etc.
  • Identification of weakness in authentication, access, or security protocols with credential correction

Apart from VA/PT ongoing exercise, successful security operations also need a well-established red teaming & blue teaming exercise.

Is Threat of Attacks Really So Alarming? Why?

Let us look at some of the most prevalent attacks which has resulted into the breach of the applications and cloud platforms in the recent past. It is important for the cyber security leaders, product teams and developers to be aware of the attacks, ways to prevent & mitigate these attacks as they focus on the core business.

1. Cross-Site Scripting (XXS) Attack

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

A cross-site scripting attack sends malicious scripts into content from reliable websites. The malicious code joins the dynamic content that is sent to the victim’s browser. Usually, this malicious code consists of JavaScript code executed by the victim’s browser, but can include Flash, HTML and XSS.

Prevention

– Secure coding practice with controls on the browser execution.

 

One useful example of cross-site scripting attacks is commonly seen on websites that have unvalidated comment forums. An attacker posts a comment consisting of executable code wrapped in ‘<script></script>’ tags. These tags tell a web browser to interpret everything between the tags as JavaScript code.

2. SQL Injection Attack

This occurs when an attacker inserts malicious code into a server using a server query language (SQL) forcing the server to deliver protected information. This type of attack usually involves submitting malicious code into an unprotected website comment or search box.

It can be prevented by secure coding practices such as using prepared statements with parameterized queries is an effective way to prevent SQL injections.

 

Illustration – A SQL query field that is supposed to be reserved for a particular type of data, such as a number is instead passed unexpected information, such as a command. The command, when run, escapes beyond the intended confines, allowing for potentially nefarious behavior.

3. Man-in-the-Middle (MitM) Attack

When the attacker inserts themselves in between the user and the destination domains or URLs being visited by the user, it is called a man-in-a-middle attack. It is mostly done by compromising the weakness in the security of the network like weak passwords, unencrypted networks, or no secure channel between the sender and destination sites.

A man-in-the-middle attack can be avoided by the usage of a secure wired and wireless network, strong authentication, and authorisation along with secure & encrypted channels like VPN. This can also be avoided by timely scan & identification of weak credentials and missing secure protocols.

 

Using a packet sniffer, an attacker intercepts a data transfer between a client and server. By tricking the client into believing it is still communicating with the server and the server into believing it is still receiving information from the client, the attacker can intercept data from both as well as inject their own false information into any future transfers.

4. Denial-of-Service (DoS)

A denial-of-service attack is an attack where an application, machine, network, or platform can completely stop its service due to flooding of the targeted systems with traffic or information that can lead to a crash. It shuns authorized users from legitimate usage. This can lead to a huge impact on a business and hence effective control is crucial to avoid complete downtime. It is usually done by – buffer overflow attacks, ICMP flood & SYN flood.

Though there are technologies that can prevent heavy targeted traffic, a slight miss can create havoc, and hence an effective check on ports & configurations is essential with a strong VA & PT programs on critical platforms.

 

An attacker purposefully tries to exhaust the site’s resources, denying legitimate users access-
– Amazon Web Services (AWS) (February 2020)
– GitHub (February 2018)
– Undisclosed NETSCOUT Client (March 2018)

5. Malware Attack

Malware attacks are the introduction of malicious software designed with the intent to cause damage to the system, the network, the infrastructure, and connected machines with or without the awareness of the user using the system. The malware are run on the system with various objects of – information or financial theft, business loss or ransom. There are various tact, techniques and procedures used for the compromise of privileged information.

There are various categories of malwares used for attacks and most common are – Virus, Worm, Trojan, Adware, Spyware, Ransomware, Malvertising.

Prevention
– Timely scan and assessment for vulnerabilities followed by applying the patches.
– Hardening of OS & Platforms
– Endpoint protection and detection solutions on the systems

 

Ransomware is a malware hat uses encryption to disable a target’s access to its data until a ransom is paid. The victim organization is rendered partially or totally unable to operate until it pays. And payment may or may not result into getting the access back.

6. Password Attack

Password attackers use various methods to compromise the password & gain access. The most common methods are – social engineering, access to password database, testing the unencrypted network connection, guessing the password, brute force attack and dictionary attack.

It can be avoided by password policies like – account lockout, multi-factor authentication & enforced periodic password changes. And most important is – Cyber security awareness on risks, threats & best practices.

 

Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily.

7. Business logic bypass issues

This is technique of the attack where the legitimate designed flow of the application is used by the attacker to compromise the system. This is not the typical security flow but the design for the business is misused by the attacker. Some examples being –
– Compromising the time bound purchase order mechanisms
– Attacking the password recovery methods of applications
– Denial of service of public accounts
– Posting unvalidated inputs

This can be avoided with good collaboration of business & security teams.

 

Purchase orders are not processed before midnight; Written authorization is not on file before web access is granted.

8. Session Riding (SSRF)

Server-side request forgery is a web security vulnerability that allows an attacker to make server-side application doing HTTP requests to an arbitrary domain planned by attacker.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.

An effective assessment of web application and timely fixing of the identified bugs in the application can avoid the attack.

 

When an attacker can control the third-party service URL to which the web application makes a request. In recent years, including Capital One and SolarWinds, involved the use of SSRF as one of the break-in techniques.

9. HTTP Request Smuggling

HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

– Applications frequently employ chains of HTTP servers between users and the ultimate application logic. Users send requests to a front-end server (sometimes called a load balancer or reverse proxy) and this server forwards requests to one or more back-end servers.
– The front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network connection, because this is much more efficient and performant.

This type of attack can be prevented by focussing on the controls on the relay agents in the architecture which connected the front end & backend.

 

HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends: the Content-Length header and the Transfer-Encoding header. Sending both of these headers in the same request is where the conflict can occur.

10. Privilege Escalation

When an attacker exploits a bug, or misconfiguration or a flaw in the design of the platform to gain the elevated access, it is privileged escalation. It can either be horizontal privileged escalation which means to gain access of the functionality & data of a different user OR it can be a vertical privileged escalation which gains the elevated access like system administrator for stealing the data or disrupting the service in the network.

– It can be avoided by timely checking the vulnerabilities in the applications by scanning the websites, applications, exposed APIs.
– Correction of the identified flaws in the policies applied.
– Fixing the missing security controls during application development

 

Horizontal privilege escalation applies to all situations when an attacker acts as a specific user and gains access to resources belonging to another user with a similar level of access. For example, if an attacker impersonates a user and gains unauthorized access to their bank account, this is an example of horizontal privilege escalation. Vertical privilege escalation is often referred to as privilege elevation. It applies to all situations when the attacker gains higher privileges, most often root privileges (administrative privileges).

11. Side Channel Attacks

A side-channel attack is a security exploit that aims to gather information from or influence the program execution of a system by measuring or exploiting indirect effects of the system or its hardware rather than targeting the program or its code directly.

These attacks can be avoided by maintaining the secrecy of trade, details of business applications and exposing minimal details publicly. Developers can play key role in ensuring the minimal exposure of code details to avoid the parallel compromise track.

 

Electromagnetic, optic, Acoustic, power, optical, timing, memory cache, hardware weakness measurements.

12. Signature Wrapping Attacks

Usually any malicious modification of the signed data is detected by the receiving web service unless the attacker is able to break the signature algorithm itself. However when executing a XML Signature Wrapping attack an attacker is able to change the content of the signed part without invalidating the signature. This becomes the XML Signature wrapping.

Can be prevented by strict security policy
– The element specified by /soap: Envelope/soap: Body must be signed using WSS with XML Signature, and the associated signature verification key must be provided by an X.509v3 certificate issued by one of a set of trusted Certificate Authorities (CAs) (this part is not Signature Wrapping specific!)

 

The Identity (I) of other users. As a result, the attacker can log into arbitrary user accounts and gain unauthorized access to their data.

13. Authentication/Authorisation attack

Authentication – When developers plan the authentication mechanism, it is important to take care of the complexity of the password as well as to design the authentication steps. This will make it tough for an attacker to break through.
Key Measures –
– Complex Passwords control
– Multi Factor authentication
– Encryption
– Trust Establishment

Authorization – It is also important to design the authorization which can be
– Role based control
– Duration based control
– Session based control
While it is important to govern who accesses, it also important to handle what gets accessed.

 

Some scenarios which results into these attacks are when malicious actors use a computer program to validate a list of usernames and passwords against a website login.

14. Error Handling

Error handling refers to the anticipation, detection, and resolution of programming, application, and communications while designing, developing & testing of the applications. This goes a long way in avoiding the gaps & vulnerabilities in the code.

A good error handling phase done with engineers, product team and developers post code development as part of the quality testing determines the robustness of the application and code.

 

Some examples of security miss in error handling
– A message that includes server software version details.
– A message that reveals where a configuration file holding credential information is located.
– An “access denied” message that suggests the existence of hidden files.

Message For Cyber Security Leaders

It is evident from the last major security breaches that effective patching, on-time hardening & upgrade of the platforms, and associated fixes can avoid breaches & leakage of sensitive information. To ensure timely patching without any gap left behind, it is unavoidable for an organization and the security team to not have “A WELL DEPLOYED AND TIMELY DRIVEN VA/PT.

No security control is effective without assessment of vulnerabilities of applications and servers. No business is safe from breach unless evaluated & tested with penetration.

“To run safe & function fast, assess the weakness

An internally organized examination is way better than an outer exposure. An effective cyber security strategy is laid on the strong pillars of well-scoped and regularly performed vulnerability assessment & management. And it stands firm on the pillars of well-governed penetration testing.