
What is Cloud? - Cloud Pentest

Cloud means storing and accessing data and programs over the internet instead of on the computer's hard disk.

 

Cloud Service Models

 

SaaS (Software as a Service)

In the SaaS model, clients access applications that run on the provider's servers. Because the applications are already in place, the customer does not need to handle installation, coding or patching; the software can be accessed through a browser. The cloud service provider supplies the application and all the components needed to run it. Applications such as Hotmail and Gmail are considered SaaS.

 

PaaS (Platform as a Service)

 

In the PaaS model, the customer is given a platform on which to develop according to their needs. The customer deals only with operation and development, because the service provider takes care of maintaining the underlying operating systems, web server, database, network and hardware infrastructure. Instead of paying for hardware resources, many organizations prefer PaaS and invest only in the selected platform and resources. The most common example is Microsoft Azure PaaS.

 

IaaS (Infrastructure as a Service)

In the IaaS model, the necessary infrastructure, such as VMs, load balancers and a WAF, is provided to customers. With this service, they get their work done at a lower cost by paying only for the resources they use. IaaS customers have more control over the infrastructure than clients of SaaS and PaaS services, but they need more technical knowledge. Amazon Web Services is a widely used IaaS.

 

Some Cloud Attack Types

Cloud Malware Injection Attacks

Cloud malware injection attacks are used to take control of the user's information in the cloud. To do this, attackers insert an infected service application module into a SaaS or PaaS solution, or virtual machine instances into an IaaS solution, and start the execution of malicious code by redirecting the user's cloud requests to the attacker's module.

 

Side Channel Attacks

Attackers conduct side-channel attacks by installing a malicious virtual machine that runs alongside the target virtual machine. The attackers' goal is to gain access to the system's implementations of cryptographic algorithms. Such attacks can cause serious damage to the cloud.

 

APT

APT attacks allow attackers to continuously steal sensitive data stored in the cloud, or to take advantage of cloud services, without being noticed by legitimate users. Once unauthorized access is gained, attackers can traverse data center networks and manipulate network traffic.

 

Spectre - Meltdown

Spectre and Meltdown attacks allow attackers to read information from the kernel by breaking the isolation between applications and the operating system with malicious JavaScript code.

 

What is Cloud Penetration Testing?

Cloud penetration testing is a method of actively checking and examining the cloud system by simulating an attack from malicious code. This lets you measure how fragile your services are, regardless of which cloud model you use.

 

Frequently Asked Questions About Cloud Pentest

What Should I Pay Attention to When Performing Cloud Pentest?

Authenticate users with username and password.
Secure the coding policy by paying attention to the service provider's policy.
A strong password policy is recommended.
Change user account names on an organizational basis regularly, such as a password assigned by cloud providers.
Protect information exposed during penetration testing.
Password encryption is recommended.
Use centralized authentication or single sign-on for SaaS applications.
Make sure security protocols are up to date and flexible.

What are the Known Cloud Attacks?

Cross-Site Request Forgery: CSRF is an attack designed to persuade the victim to submit a request to perform some task as a user, which is harmful in nature.

Side Channel Attacks: This type of attack is cloud-native and potentially devastating, but requires a great deal of skill and luck. This form of attack attempts to violate the victim's privacy by indirectly exploiting the fact that they are using shared resources in the cloud.

Signature Wrapping Attacks: This is another type of attack, not specific to the cloud environment, but a dangerous method for the security of a web application. Basically, the signature wrapping attack relies on the use of a technique used in web services.

Other Attacks: Hijacking using network sniffing, session hijacking using XSS attacks, Domain Name System (DNS) attacks, SQL injection attacks, cryptanalysis attacks, denial of service (DoS) and distributed DoS attacks.
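The signature wrapping attack named above works against SOAP web services because signature verification finds the signed element through an Id reference, while the service processes whichever Body sits directly under the Envelope. The following check is an added example, not code from the original page or from any vendor; the sample messages, the Wrapper element and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

def element_id(el):
    """Return the element's Id attribute (plain or wsu:Id), or None."""
    return el.get("Id") or el.get(f"{{{WSU}}}Id")

def check_signed_body(xml_text):
    """Structural check only: it does not verify the signature value itself.
    Returns a list of findings; an empty list means the Body the service
    will process is the single element the signature reference points to."""
    root = ET.fromstring(xml_text)
    findings = []
    signed_ids = {r.get("URI", "")[1:] for r in root.iter(f"{{{DS}}}Reference")
                  if r.get("URI", "").startswith("#")}
    if not signed_ids:
        return ["no same-document signature reference found"]
    for sid in sorted(signed_ids):
        # An Id that resolves to zero or several elements is ambiguous.
        count = sum(1 for el in root.iter() if element_id(el) == sid)
        if count != 1:
            findings.append(f"Id {sid!r} resolves to {count} elements")
    body = root.find(f"{{{SOAP}}}Body")  # direct child of Envelope only
    if body is None or element_id(body) not in signed_ids:
        findings.append("processed Body is not the signed element")
    return findings

# Constructed sample messages (signature contents trimmed to the Reference).
def _envelope(header_extra, body_id):
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}"><s:Header>'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#b1"/>'
            f'</ds:SignedInfo></ds:Signature>{header_extra}</s:Header>'
            f'<s:Body Id="{body_id}"><Transfer amount="10"/></s:Body>'
            f'</s:Envelope>')

GOOD = _envelope("", "b1")
# Signed Body moved under a header wrapper; a different Body is in its place.
MOVED = _envelope('<Wrapper><s:Body Id="b1"><Transfer amount="10"/></s:Body></Wrapper>', "b2")
# Same as above, but the replacement Body reuses the signed Id.
DUPLICATE = _envelope('<Wrapper><s:Body Id="b1"/></Wrapper>', "b1")

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("MOVED", MOVED), ("DUPLICATE", DUPLICATE)):
        print(name, check_signed_body(msg))
```

A check like this belongs next to real cryptographic verification of the signature, so that the element that was verified and the element that is processed are confirmed to be the same.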

Why Should I Have a Cloud Penetration Test?

It is very important for your system security that cyber security companies check your systems for security vulnerabilities and report their strengths and weaknesses to you. But the security of your company depends on the security of your cloud-based infrastructure as much as on your systems. Our cloud penetration testing service will help you determine how secure your cloud assets really are.