Have You Adjusted Your Penetration Testing Strategy for the Cloud?
Hackers are targeting the cloud. Why? To paraphrase Willie Sutton, because that is where the data is.
Historically, penetration testers have gained access to network devices by breaching the “perimeter defense” and then moving laterally (the so-called east-west movement), trying to reach data wherever it lives inside the network perimeter.
But in the cloud there is much more to consider. The traditional method still works, but it is no longer the only method, and if you focus on traditional methods alone, you may miss gaps that hackers won’t miss.
Take, for example, the Uber breach that compromised data on 57 million users and 600,000 drivers.
Hackers didn’t break into Uber’s data center.
They didn’t even try to break in through the cloud front door to Uber’s AWS presence.
Instead, they stole the password to Uber’s GitHub account and, while rifling through Uber’s code, found a hardcoded AWS S3 password (not exactly best practice, but very common).
From then on, it was game over – they owned the data.
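The Uber story above turns on a credential sitting in source code. A practitioner reading it would want the corresponding check: a scan of a repository for AWS-style keys before they are committed or, at least, before an attacker reads them. The following is an added example written for this page, not code from the original post or from Dark Reading. It assumes the AWS access key ID format (`AKIA` followed by 16 uppercase alphanumerics) and a 40-character secret key next to a variable name containing “secret”; the sample source it scans is constructed and contains no real credentials.

```python
import os
import re
from typing import List, Tuple

# Assumed AWS IAM access key ID format: "AKIA" + 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Secret access keys are 40 characters of base64-like text. On their own they
# are too generic to flag, so we only match them when the assignment's
# variable name mentions "secret" and "key" (case-insensitive).
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?[_\-\s]*secret[_\-\s]*(?:access)?[_\-\s]*key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Documentation placeholder key used throughout AWS's own examples; not a
# real credential, so we suppress it to avoid a known false positive.
KNOWN_EXAMPLE_KEYS = {"AKIAIOSFODNN7EXAMPLE"}

# File types worth scanning; everything else (binaries, images) is skipped.
SCAN_EXTENSIONS = {".py", ".js", ".ts", ".json", ".yml", ".yaml", ".env",
                   ".tf", ".cfg", ".ini", ".sh", ".txt", ".md"}

Finding = Tuple[str, int, str, str]  # (path, line number, kind, raw value)


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return every credential-looking match in `text`, one per occurrence."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(0) in KNOWN_EXAMPLE_KEYS:
                continue
            findings.append((path, lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, lineno, "aws_secret_access_key", m.group(1)))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk a checked-out repository, skipping the .git metadata directory."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), full))
            except OSError:
                continue  # unreadable file; move on rather than abort the scan
    return findings


def redact(value: str) -> str:
    """Show only the first four and last two characters of a matched value."""
    return value[:4] + "..." + value[-2:]


def format_finding(f: Finding) -> str:
    path, lineno, kind, value = f
    return f"{path}:{lineno}: {kind} = {redact(value)}"


# Constructed sample file; the key and secret below are fake placeholders.
SAMPLE_SOURCE = """\
import boto3

# CONSTRUCTED sample: these are not real credentials
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
aws_secret_access_key = "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0"

session = boto3.Session(profile_name="default")
"""

if __name__ == "__main__":
    # Expected: two findings, on lines 4 and 5 of the constructed sample.
    for finding in scan_text(SAMPLE_SOURCE, "app/config.py"):
        print(format_finding(finding))
```

Run it against a checkout with `scan_directory(".")` as a pre-commit hook or CI step; matches are reported redacted so the scan output itself does not become a second copy of the secret. The secret-key pattern is deliberately tied to a variable name, which trades some recall for far fewer false positives on ordinary base64 strings.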
As we saw in the Capital One breach, the problem was not bad code but rather bad architecture. Certain resources were publicly exposed, basically on purpose, or at least not well thought out.
Hackers probe these environments for weaknesses and, when they find them, they exploit them. Oftentimes they test systems before they are even operational and likely before monitoring is turned on.
Many times companies forklift (“lift and shift”) their systems from a protected corporate data center to the cloud, not understanding that this is a really bad idea.
Another part of the problem is lack of partitioning. When a hacker does compromise credentials, the access he or she gets may be far greater than just one system or one network.
To make things worse, many times the company’s development and test environments are also in the same cloud, protected by the same credentials, but poorly secured because, after all, it is just dev.
Part of the problem is poor secure software development practice, which carries less risk inside a protected corporate data center than it does in the cloud.
Hackers have figured this out and are having a field day. They will continue to have more success until penetration testing improves to cover these cloud-specific gaps.
If you need assistance with this, please contact us.
Credit: Dark Reading