Emerging cloud threats and how to address them

As organizations deploy and harness private, community and hybrid clouds, they encounter new types of threats, along with the old ones they’ve been battling for years. Many of these threats come from sharing physical, virtual, and software infrastructure with other clients of varying security postures, and relying on a cloud provider to implement the right security measures. Public and community clouds can be appealing targets for hackers looking to disrupt or steal information from scores of organizations with one successful strike.

Here are some emerging security threats and issues cloud providers and their clients should be aware of.

Isolation breakout
Most public and community cloud environments employ a multi-tenant architecture in which a customer owns one or more virtual machines (VMs) on physical servers shared with scores or hundreds of other customers' VMs. Effective tenant isolation is critical in such environments: without it, one tenant could disrupt, or gain access to, another's applications and sensitive data.

Isolation breakout (also called guest breakout or hypervisor breakout) occurs when an attacker escapes a guest VM and gains access to the hypervisor or its host operating system, and through it to host memory, storage and the other guest VMs on the same physical server. From there the attacker can inject malicious code or steal client data, whether it is stored in the cloud or merely handled by an application running there.

A number of isolation breakout techniques have been discovered over the past few years, including exploiting vulnerabilities in hypervisor drivers, hardware emulation layers, management APIs, and the hypervisor's handling of virtual hard disks. It is not necessary to attack the core hypervisor directly; the emulated devices a guest talks to every day present a large attack surface of their own. Up-to-date security patching is essential, because attackers have techniques for analyzing the interactions between a virtual machine and the hypervisor to fingerprint the hypervisor's version and patch level, and then pick an exploit that matches. One of the challenges faced by legacy security vendors is mapping existing components such as firewalls and intrusion prevention onto these new cloud architectures.

Cloud access key leakage
One of the most popular uses of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) is software development, testing and deployment. Clients typically authenticate to their IaaS and PaaS accounts with access keys, and developers often write these keys straight into application code. Whoever gets hold of a key has everything needed to act as that account, with every permission attached to it.

That is why code-sharing sites such as GitHub are juicy targets for attackers looking to gain access to cloud accounts for DoS attacks, data theft and data destruction.
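As an added illustration (not part of the original article), here is a small scanner of the kind a pre-commit hook or repository audit would run to catch the pattern described above: an AWS-style access key ID and secret written into source. The sample file, the project it belongs to and the scanner itself are constructed for this page; the key values are the placeholder credentials AWS uses in its documentation, not live keys. The hardened file beside it shows the fix, letting the SDK pick up credentials from the environment or the instance role instead of from the repository.

```python
import math
import re
from collections import Counter

# Constructed sample of what a developer might push to a public repository.
# The key values are the placeholder credentials used in AWS documentation,
# not live keys; the project and file are hypothetical.
LEAKY_SOURCE = """\
import boto3
# deploy helper for the staging bucket
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# Hardened form of the same helper: no credentials in the file at all. boto3
# resolves them from the environment, a credentials file, or the instance role.
HARDENED_SOURCE = """\
import boto3
# credentials come from the environment or the instance role, never the repo
client = boto3.client("s3")
"""

# AWS long-term (AKIA) and temporary (ASIA) access key IDs have a fixed shape.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-ish characters; require a nearby "secret" label
# so ordinary hashes and IDs of the same length do not fire.
SECRET_KEY_RE = re.compile(
    r"""(?i)secret[^\n]{0,20}["']([A-Za-z0-9/+=]{40})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores well above prose."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per hard-coded key, with the line it sits on."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # The entropy floor filters out placeholders such as "x" * 40.
            if shannon_entropy(candidate) >= min_entropy:
                # Report only a redacted form so the report is not a second leak.
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": candidate[:4] + "..." + candidate[-4:]})
    return findings


if __name__ == "__main__":
    for f in scan_source(LEAKY_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    print("hardened file findings:", scan_source(HARDENED_SOURCE))
```

Run against a repository, the scanner reports the line and key type and prints only a redacted prefix and suffix of the secret. Treat any hit as a compromise: rotate the key first, then remove it from history; deleting the commit alone does not help once the repository has been cloned or indexed.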

Access keys can also be stolen through social engineering used to reach the systems that hold source code. In one case, a developer was steered to a malicious website that used a Java exploit to compromise the developer's workstation, which held access keys to a FreeBSD source code repository. The attacker was able to inject a malicious script, allowing him to harness all systems running that code to build a botnet.

Zero day vulnerabilities
Cloud services are subject to the same kinds of zero-day vulnerabilities as legacy datacenters and user systems, including those in commonly used services such as RDP, IIS, SSH and FTP. Heartbleed is a recent example: the OpenSSL vulnerability left hundreds of private and public cloud environments susceptible to attack, according to a Cloud Security Alliance blog, even days after it was publicized.

Another example is Windows cloud images vulnerable to RDP and other Windows exploits. A few years ago, Rackspace and AWS images were found to be exposed to RDP exploits by default. Many cloud users assume their provider ships VMs with a reasonably secure set of default firewall rules, but that is not always the case, and the rules that ship with an image should be checked rather than trusted.
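One way to check that assumption, as an added example that is not from the original article: audit the security groups attached to your instances for remote-administration ports open to the whole internet, and rewrite the offending rules so that only an administrative network can reach them. The group data below is constructed in the shape of EC2 describe_security_groups output; the group IDs, names and the 203.0.113.0/24 admin network are hypothetical.

```python
import copy
import ipaddress

# Constructed sample in the shape of EC2 describe_security_groups output
# (group IDs and names are hypothetical). "default" leaves RDP open to the
# world; "legacy-test" allows every protocol from any IPv6 address.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "legacy-test", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Remote-administration ports the article names; HTTP/HTTPS are left alone
# because web tiers are normally meant to be reachable.
ADMIN_PORTS = {21: "FTP", 22: "SSH", 3389: "RDP"}


def is_world_open(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only prefixes that admit every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: dict, port: int) -> bool:
    proto = rule.get("IpProtocol")
    if proto == "-1":              # "all traffic" has no port fields at all
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_cidrs(rule: dict) -> list[str]:
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def find_exposed_admin_ports(groups: list[dict]) -> list[dict]:
    """One finding per (group, admin port, world-open CIDR)."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            open_cidrs = [c for c in rule_cidrs(rule) if is_world_open(c)]
            for port, name in sorted(ADMIN_PORTS.items()):
                if open_cidrs and rule_covers_port(rule, port):
                    for cidr in open_cidrs:
                        findings.append({"group": g["GroupId"], "port": port,
                                         "service": name, "cidr": cidr})
    return findings


def harden(groups: list[dict], admin_cidr: str) -> list[dict]:
    """Copy of groups in which any rule reaching an admin port admits only
    admin_cidr; rules for other ports are left exactly as they are."""
    hardened = copy.deepcopy(groups)
    v4 = ipaddress.ip_network(admin_cidr, strict=False).version == 4
    key, field = ("IpRanges", "CidrIp") if v4 else ("Ipv6Ranges", "CidrIpv6")
    for g in hardened:
        for rule in g.get("IpPermissions", []):
            if not any(rule_covers_port(rule, p) for p in ADMIN_PORTS):
                continue
            rule["IpRanges"] = [r for r in rule.get("IpRanges", [])
                                if not is_world_open(r["CidrIp"])]
            rule["Ipv6Ranges"] = [r for r in rule.get("Ipv6Ranges", [])
                                  if not is_world_open(r["CidrIpv6"])]
            if {field: admin_cidr} not in rule[key]:
                rule[key].append({field: admin_cidr})
    return hardened


if __name__ == "__main__":
    for f in find_exposed_admin_ports(SECURITY_GROUPS):
        print(f"{f['group']}: {f['service']}/{f['port']} open to {f['cidr']}")
    fixed = harden(SECURITY_GROUPS, "203.0.113.0/24")
    print("after hardening:", find_exposed_admin_ports(fixed))
```

In a live account the input would come from boto3's ec2.describe_security_groups() and the corrected rules would be applied with revoke_security_group_ingress and authorize_security_group_ingress; the same logic ports to any provider's firewall API. Note that an "all traffic" rule (IpProtocol -1) carries no port fields, so a checker that only inspects FromPort and ToPort misses exactly the rule that is most dangerous.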

After development projects are complete, many of the systems used for development and testing sit unpatched, unmaintained and unmonitored, making them prime targets, and many of them live in cloud environments. When these systems are compromised, attackers tend to cover their tracks by deleting the log evidence of the attack. Aside from maintaining, monitoring and patching development and test systems over their entire lifetime, one solution is to ship every system's logs to central storage as they are written, so that a copy survives for forensics even after the local files are wiped.
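As an added example (not from the original article), the following shows the forwarding scheme such central storage needs in order to be trustworthy: each line leaves the host with a sequence number and an HMAC chained to the previous record, so the collector can tell a gap from a quiet period and a rewritten line from a genuine one, and its copy can be compared with the host's file after an incident. The key, the host name and the log lines are constructed for this example.

```python
import hashlib
import hmac

# Shared key between the shipper on each VM and the central collector.
# Constructed for this example; in practice it is provisioned per host and
# never stored in the repository.
KEY = b"constructed-demo-key-do-not-use"
GENESIS = b"\x00" * 32   # the chain starts from a fixed all-zero "previous tag"

# Constructed auth log: an attacker brute-forces root, then adds a user.
LINES = [
    "Jun 12 03:14:01 web01 sshd[2113]: Accepted publickey for deploy from 203.0.113.7 port 52114 ssh2",
    "Jun 12 03:14:05 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash",
    "Jun 12 03:15:22 web01 sshd[2190]: Failed password for root from 198.51.100.23 port 41022 ssh2",
    "Jun 12 03:15:24 web01 sshd[2190]: Accepted password for root from 198.51.100.23 port 41022 ssh2",
    "Jun 12 03:16:02 web01 useradd[2201]: new user: name=svc_backup, UID=1004",
]


def chain_tag(key: bytes, prev: bytes, seq: int, line: str) -> bytes:
    """HMAC over the previous tag, the sequence number and the line itself."""
    msg = prev + seq.to_bytes(8, "big") + line.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def ship(key: bytes, lines: list[str]) -> list[dict]:
    """Shipper side: every line leaves the host with a seq and a chained tag."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        tag = chain_tag(key, prev, seq, line)
        records.append({"seq": seq, "line": line, "tag": tag.hex()})
        prev = tag
    return records


def verify(key: bytes, records: list[dict]) -> list[str]:
    """Collector side: report sequence gaps and lines whose tag no longer
    matches. An empty list means the stream arrived intact and in order."""
    problems, prev, expected = [], GENESIS, 0
    for r in records:
        if r["seq"] != expected:
            problems.append(f"gap: expected seq {expected}, got {r['seq']}")
            expected = r["seq"]
        tag = chain_tag(key, prev, r["seq"], r["line"])
        if not hmac.compare_digest(tag.hex(), r["tag"]):
            problems.append(f"seq {r['seq']}: tag mismatch (altered or chain broken)")
        prev = bytes.fromhex(r["tag"])   # resynchronise on the received tag
        expected += 1
    return problems


def deleted_locally(central: list[dict], local_lines: list[str]) -> list[str]:
    """Forensics: lines the collector holds that no longer exist on the host."""
    present = set(local_lines)
    return [r["line"] for r in central if r["line"] not in present]


if __name__ == "__main__":
    records = ship(KEY, LINES)
    print("intact stream:", verify(KEY, records))
    # The attacker scrubs the brute force and the root login from the local file.
    scrubbed = [l for i, l in enumerate(LINES) if i not in (2, 3)]
    print("removed on host:", deleted_locally(records, scrubbed))
    # The same deletion attempted against the shipped stream is detectable.
    print("tampered stream:", verify(KEY, records[:2] + records[4:]))
```

The chain protects what has already reached the collector and what is in transit; it does not stop a root attacker on the host, who can read the key, from producing consistent records from that point forward. What it guarantees is that lines the collector already holds cannot be quietly retracted, which is the forensic property the text above is after. In a deployment the key would be provisioned per host and the collector would also record arrival times, so a long silence from a host is itself an alert.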

Auditing gaps
Organizations hire reputable third-party auditors to analyze their infrastructure for vulnerabilities, but auditors rarely (if ever) audit a cloud service's software, or the applications its customers deploy on it, for badly written code that could expose them to attack.

Agent-based malware protection
Many cloud environments rely on antimalware and other security agents installed on each individual VM for malware detection and eradication. Unfortunately, skilled attackers can detect, subvert and disable these agents, rendering them useless or, worse, harmful. One of the earliest examples of malware with this capability was the Conficker worm, which disabled security services on the hosts it infected. A better fit for a cloud environment is hypervisor-level security, which sits outside the guest and therefore beyond the reach of malware running inside it.

Aside from standard cloud best practices there are other measures that cloud providers should consider taking to address cloud vulnerabilities and attacks.

  • Deploy a honeypot, which is a digital trap set to attract and detect unauthorized use of information systems. The honeypot appears to the hacker to be an active member of the network with important information, but in reality it’s isolated from the rest of the network and monitored on an ongoing basis. Honeypots can be used to attract and analyze attackers and their methods in order to protect the network more successfully. In some cases they imitate the actual production systems to see what services attackers are targeting.
  • An auditor should have in-depth knowledge of all elements of your architecture, infrastructure and the technologies you use so they can run white box testing with enough preexisting knowledge to exploit all your vulnerabilities. Many organizations prefer black box testing, in which the auditor has to use hacking techniques to acquire this information in order to penetrate the client network. White box testing is likely to find more vulnerabilities than the black box method, however.
  • Another option is to hire a skilled ethical hacker to try to penetrate your cloud infrastructure.
  • Cloud providers should provide central, hypervisor-level security to avoid the exploitation of potentially vulnerable security agents installed by clients on hundreds of virtual machines. Centralized security can protect instances running many different operating systems at different patch levels, with minimal impact on the applications they run. Anomaly-based detection has become an essential component of an effective security infrastructure, as solutions based primarily on signatures and related techniques prove less and less effective against growing numbers of more sophisticated zero-day attacks. Solutions exist that analyze mountains of system and security log data and alert on anomalies that are likely to indicate an attack.
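A minimal form of the anomaly-based detection described in the last point, as an added example that is not from the original article: each host's failed-login count for the current hour is scored against its own 24-hour baseline using the median and median absolute deviation, so no signature of the attack tool is needed, and a forgotten test VM with a normally flat baseline stands out immediately. The hosts and counts are constructed for this example.

```python
import statistics

# Constructed baseline: failed SSH logins per hour over the previous 24 hours,
# per host. "test-old" is a forgotten test VM that normally sees no traffic.
HISTORY = {
    "web01": [2, 1, 0, 3, 1, 2, 0, 1, 2, 1, 0, 2, 1, 3, 1, 0, 2, 1, 1, 2, 0, 1, 2, 1],
    "db01": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0],
    "test-old": [0] * 24,
}
# Constructed counts for the current hour: only test-old is being hammered.
CURRENT = {"web01": 4, "db01": 0, "test-old": 48}


def mad_score(history: list[int], value: int) -> float:
    """Robust z-score: distance from the median in units of the median
    absolute deviation. Median and MAD resist the outliers that a mean and
    standard deviation would absorb, so a few noisy hours in the baseline
    do not hide an attack."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = max(mad, 1.0)   # floor so a flat, all-zero baseline still scores
    return (value - med) / scale


def flag_anomalies(history: dict, current: dict, threshold: float = 5.0) -> dict:
    """Hosts whose current count is implausibly far above their own baseline,
    mapped to their score. Hosts without a baseline are skipped."""
    scores = {h: mad_score(history[h], v) for h, v in current.items() if h in history}
    return {h: s for h, s in scores.items() if s > threshold}


if __name__ == "__main__":
    for host, score in flag_anomalies(HISTORY, CURRENT).items():
        print(f"ALERT {host}: {CURRENT[host]} failed logins this hour (score {score:.1f})")
```

The robust statistics matter: a mean and standard deviation computed over a baseline that already contains a few noisy hours widen enough to absorb a brute-force attempt, whereas the median and MAD barely move. In practice the same scoring is applied per host and per metric (failed logins, outbound connections, process launches) on each aggregation window, with the threshold tuned against a few weeks of history.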

Of course, continuing education can help prevent developers from posting access keys to GitHub or falling victim to social engineering exploits.

As with most security, cloud security is a moving target that promises to evolve rapidly as the cloud matures. Organizations running or harnessing the cloud have to keep up to date with the latest threats and attack vectors if they don't want to become easy targets.