What is Cloud?
Cloud means storing and accessing data and programs over the Internet instead of on the computer’s hard drive.
Cloud Service Models
SaaS (Software as a Service)
In the SaaS model, clients are given access to application services that run on the provider’s servers. Because the applications already exist, the customer does not need to handle installation, coding or patching; the software can be accessed with a web browser. The cloud service provider supplies the application and all the components needed for it to work. Applications such as Hotmail and Gmail are considered SaaS.
PaaS (Platform as a Service)
The PaaS service provides a platform that can easily be developed to suit the customer. Because the service provider takes care of maintaining the operating systems and the existing web server, database, network and hardware infrastructure, the customer only has to deal with the business and development side. Many organizations prefer PaaS to paying for hardware resources, and invest only in selected platforms and resources. The most common example is Microsoft Azure PaaS.
IaaS (Infrastructure as a Service)
IaaS provides customers with the necessary infrastructure, such as VMs, load balancers and WAFs. With this service, customers pay only for the resources they use, when they use them, and can do their work at a lower cost. IaaS customers have more control over the infrastructure than clients of SaaS and PaaS services, but they need more technical knowledge. Amazon Web Services is a widely used IaaS.
Some Cloud Attack Types
Cloud Malware Injection Attacks
Cloud malware injection attacks are used to take control of the user’s information in the cloud. Attackers add an instance of an infected service application module to a SaaS or PaaS solution, or an infected virtual machine instance to an IaaS solution. Once the user’s cloud requests are routed to the attacker’s module, the attacker can initiate the execution of malicious code.
Side Channel Attacks
Attackers mount side channel attacks by placing a malicious virtual machine alongside the target virtual machine. Their purpose is to get at the system’s implementations of cryptographic algorithms. Such attacks can cause severe damage in the cloud.
An APT attack is an attack that allows attackers to continuously steal sensitive data stored in the cloud, or to use cloud services, without being noticed by legitimate users. After gaining unauthorized access, attackers can move between data center networks and make use of network traffic.
Spectre – Meltdown
What is Cloud Penetration Testing?
Cloud penetration testing is a method of actively checking and inspecting the cloud system by simulating an attack from malicious code. It lets you measure how vulnerable your services are, regardless of which cloud model you use.
Frequently Asked Questions About Cloud Pentest
- Verify users with username and password.
- Make sure the coding policy complies with the service provider’s policy.
- Strong password policy is recommended.
- Regularly change, on a per-organization basis, account details assigned by the cloud provider, such as user account names and passwords.
- Protect information disclosed during the penetration test.
- Password encryption is recommended.
- Use centralized Authentication or single sign-on for SaaS Applications.
- Ensure that the Security Protocols are up to date and flexible.
Cross-Site Request Forgery: CSRF is an attack designed to trick a victim into submitting an inherently harmful request that performs certain tasks as that user.
Side Channel Attacks: This type of attack is cloud-specific and potentially very destructive, but it largely requires skill and luck. It attempts to violate the victim’s privacy indirectly through the use of shared resources in the cloud.
Signature Wrapping Attacks: This is another type of attack that is not cloud-specific but is dangerous for the security of a web application. Basically, the signature wrapping attack relies on a technique used in web services.
- Hijacking using network sniffing
- Session hijacking using XSS attacks
- Domain Name System (DNS) attacks
- SQL injection attacks
- Cryptanalysis attacks
- Denial of service (DoS) and Distributed DoS attacks
Having cyber security companies check your systems for security gaps and report their strengths and weaknesses to you is of great importance for your system security.
But the security of your company depends on the security of your cloud-based infrastructure as well as your systems. Our Cloud penetration testing service will help you determine how secure your assets in the cloud are.