Monday, December 9, 2019

Cloud Computing Security Exploits - Theory and Principles

Question: Describe the basic principles and theory of cloud security exploits.

Answer:

Basic principles and theory of cloud security exploits

Cloud computing mostly consists of delivering computing resources such as applications, storage and infrastructure as services, provided by service providers to end users. All of these services are accessed on demand through web browsers. Cloud service providers offer services based on requirements and ensure good quality. Cloud computing is basically of three types:

Infrastructure-as-a-Service (IaaS): Provides networking devices, memory and storage as services.

Platform-as-a-Service (PaaS): Provides a development platform on which users design their own applications according to their needs.

Software-as-a-Service (SaaS): Provides applications to meet the user's requirements; the application is rented instead of bought.

These three models provide different services to the end user and at the same time expose the security issues and risks of the cloud.

Brute force attack: Normally hackers use multiple machines to get enough computing power for cyber attacks, because the attack process is very complicated and requires a huge amount of computing power; it can take years to complete. With IaaS, a single registration is enough for an attacker to get huge computing power from a cloud service provider. Using that advantage, hackers can carry out attacks in a very short time instead of months, which is a very bad sign for many encryption strategies. A brute force algorithm is used to break passwords, but it requires very powerful machines with huge computing capacity. Finding the correct password takes huge effort, because millions of passwords need to be checked against the encryption algorithm. Hackers are using cloud computing platforms to launch this type of attack.

Thomas Roth, a German researcher, demonstrated a brute force attack at the Black Hat Technical Security conference. He managed to crack a WPA-PSK protected network by renting a server from Amazon's EC2. In approximately 20 minutes, Roth fired 400,000 passwords per second into the system, and the cost of using the EC2 service was only 28 cents per minute.

Cloud computing services are also used to send large bursts of packets to victim hosts. For example, a hacker launched a DoS attack on a client network with the help of a server rented from Amazon's EC2 cloud infrastructure, running a heavy flooding algorithm that sent a flood of packets to the victim network. It cost just $6.

Web browser attack: The client uses a web browser to send service requests, and the service communication uses Simple Object Access Protocol (SOAP) messages, formatted in Extensible Markup Language (XML) and transmitted over HTTP. A security mechanism, WS-Security, provides confidentiality and data integrity for the SOAP messages transmitted between clients and servers. Data integrity is maintained by a digital signature on the message, and confidentiality is provided by message encryption, which protects against eavesdropping. This mechanism ensures authentication of the client and validation of messages at the server side, so that messages are not tampered with. Attackers use XML signature wrapping to exploit a weakness in the way web servers validate signed requests; the attack is launched while SOAP messages are exchanged between the web server and an authenticated user.

The attacker duplicates the user's login session and adds bogus elements to the message to wrap it: the original message body is moved under the wrapper, and malicious content takes the place of the original body. The modified message is sent to the server, and server validation succeeds because the original body has not changed. The server is thus tricked into authorizing the altered message. As a result the hacker gains prohibited access to protected resources and can carry out the operations he or she intended.

All cloud computing services are accessed via web browser, so wrapping attacks can easily be launched against cloud service providers' servers, making the users victims. In 2008 a cloud service provider was discovered to be vulnerable to the wrapping attack. This was later identified as a bug in the validation process performed by the Amazon cloud: a vulnerability in the SOAP message security validation algorithm. A legitimate user's SOAP request could be intercepted and modified, which exposed victims' accounts in the cloud to hackers with unprivileged access. The same XML signature wrapping technique can be used to hack an account in Amazon AWS just by altering authorized, signed SOAP messages, giving the hacker permission to access, delete and create user accounts.

Theft: The storage services provided by cloud computing are very cost effective for business organizations and remove the administration overhead for sensitive data. They reduce the cost of buying new servers and maintaining them, so many companies store their data in the cloud. One major cloud service provider maintains all the sensitive data of business organizations. Consider, for example, Netflix, which uses Amazon Web Services to store TV episodes and movies, or Dropbox, which provides a storage service to many users for their personal information. Cloud services like these are a daily part of everyone's life.

So all the sensitive information is stored in a single place, which becomes a single target for attackers and yields a huge amount of information at little cost compared with the traditional way. The online retailer Zappos was the victim of an online cyber theft; 24 million accounts were stolen in that breach. The stolen information comprised names, email addresses, billing and shipping addresses, personal phone numbers, the last four digits of credit card numbers, as well as encrypted versions of account passwords.

These days many people use social networking sites to interact with friends and to share profiles and personal information. According to a survey, 35 percent of people who use social sites have accounts on all of them, which attracts the attention of attackers looking for information. Recently LinkedIn, the world's largest professional networking website with 175 million users, was breached; approximately 6.4 million stolen hashed passwords were dumped on a Russian website, and more than 200 thousand passwords were cracked. A username and password stolen from one website can be used to access other websites, and this succeeds for many users. Recently Dropbox found that some malicious logins used login details obtained from another social website.

Insider attack: Companies and organizations cannot simply trust the people inside when storing users' data, so it is very important to store user data in such a way that even insiders cannot access it without following proper protocol. When an organization moves all of its users' data into a private cloud maintained by a third party, the question is whether it is safe to trust that third party with the data. Rogue administrators have the privilege to steal unprotected data, and can brute-force passwords and obtain customers' data on demand. Insiders who know the cloud's operational capabilities can identify its vulnerabilities and attack them to get sensitive information.

Malware Injection Attack: In this attack, the attacker observes a web-based server's request and response methods to find vulnerabilities, and tries to inject malicious code into the server to change its normal execution and expose what the attacker requires. Like web-based applications, cloud systems are also susceptible to malware injection attacks. Hackers create a malicious application or virtual machine to target the cloud service (SaaS, PaaS or IaaS); once the injection is complete, the malicious code is executed as a validated module and the hacker can do whatever he or she wants. SQL injection is a major example, in which a script is inserted into the web server via its requests to exploit the server. In 2012 the SQL injection attack rate increased to 69%, according to a report by FireHost.

Counter measures:

Security Policy Enhancement: Anyone who has a credit card can register for a cloud service and use it. This gives an advantage to hackers, who obtain fraudulent credit cards, gain access to the service, and use the computing power of cloud-based solutions to exploit user data. They carry out illegal activities such as spamming and attacking other computing systems. Providers can block users who have been publicly named by investigation teams, monitor credit card fraud, and change their policies so that attackers cannot use cloud computing power through a weak registration policy. Networks should be managed and administered properly so that they are least vulnerable to attackers. For example, Amazon redefined its user policy to isolate any offending instance that is reported for spam or malware coming through Amazon EC2.

Access Management: End users' private and sensitive data is stored in the cloud, and users can access their data under the given access control mechanisms.

For the physical computing systems, continuously monitoring incoming requests and the responses served to them, and analyzing the traffic, makes the security techniques more efficient. Security tools such as firewalls and intrusion detection are used to restrict illegal access and grant legal access to the data. Almost all traffic is monitored to catch illegal access to data. In addition, the authentication standards Security Assertion Markup Language (SAML) and eXtensible Access Control Markup Language (XACML) are used to access cloud applications and data in a secure way. SAML handles authorization and authentication decisions between the entities, while XACML focuses on the mechanism for arriving at authorization decisions.

Data Protection: Insiders may take data intentionally or accidentally, but loss of data can happen in either case. So policies have to address data theft by insiders. It is very difficult to identify the behavior of an insider who steals data, so better security measures need to be deployed against insider threats: tools such as data loss prevention, identification of malicious behavior patterns, encryption of sensitive information at the time it is stored, and decoy technology for authentication and authorization.

Security Techniques Implementation: The major security concern in cloud computing is the malware injection attack. These attacks can be countered using a File Allocation Table (FAT) style system architecture. The FAT table holds the instances of all customers, so they can be recognized in advance using the table. The old instance and the new instance can then be compared to determine the validity and integrity of the instances, and malware injection can be prevented in this way.

Another way of countering malware injection is to store the hash value of the original service instance image file and perform an integrity check between the original and new service instance images to identify an injected instance. In this way malware injection can be identified.

Web services are vulnerable to XML signature wrapping, and many methods have been proposed to counter this vulnerability in XML-based technologies. XML schema hardening is used to strengthen XML Schema declarations. A subset of XPath, called FastXPath, has been proposed to resist the malicious elements that attackers inject into the SOAP message structure.

Future Work: Cloud computing is a major development that takes service delivery to a different level, where every service can be offered through the browser, just one click away. With more benefits come more security vulnerabilities, which bring more challenges for all service providers; vulnerabilities still exist in the cloud, and hackers are exploiting those security holes. To provide the best quality to the end user, these security flaws need to be eliminated as far as possible. Recently there has been more news about the NSA keeping an eye on information that leaks from third parties into the NSA's hands, which means you are not the only one looking at your data. Scott Hazdra said in the news that the U.S. and many companies keep an eye on the data stored on the internet and in clouds and transmit it as it is to the required sources, which is not good for users of the cloud. It is a big security risk and may be a threat to users who store information on the internet. This kind of risk cannot be avoided in the world of the internet, and it increases with cloud features. Privacy is always a big concern with the cloud: companies, third parties and insiders can breach the cloud to steal information, and government intrusion is a big threat as well.

Confidentiality is a big concern for companies that store information, because competitors try to steal it, so all companies store information in encrypted form regardless of competitors. This made attacks costly for hackers compared with the advantage gained from the information, so there were fewer attacks; but in the cloud everything is stored in one place, so one shot hits many targets. If one is compromised, all are compromised, which is a big plus for hackers, who can try to steal data at little extra cost. This is one of the big problems in the current cloud industry. Data security and privacy protection are the major issues, and the basic ones among them are separation of sensitive data and control of access. It is very important for cloud solution providers to provide security at different levels, as within an organization, while protecting users. Some frameworks and utilities need to be built for accessing the cloud and its data so that users' privacy can be protected. Mobility of companies is very common in the industry, so customer service for activating and deactivating accounts should be quick and of good quality.

The cloud moves users' lives completely onto the internet, which leaves them more exposed there. Every user tends to store data of every type because it is so convenient, so at any stage any information about any person can be observed over the internet. This gives hackers the advantage of cracking the accounts of people very far away, so that they cannot be traced if personal information is compromised. Former employees should not be able to get inside the organization's cloud. It is quite natural that insiders gain clarity on the cloud's vulnerabilities, and on where and when to exploit them; these details give an advantage to employees who leave the organization and try to attack the cloud for their personal needs.

So it is essential that a cloud organization takes the required steps when removing any employee. Cloud organizations are supposed to be very transparent about their agreements with the government, so that people are aware of what to keep in the cloud and what not. It is very offensive that organizations provide data to the government without informing the user. Such leaks give an advantage to government officials, who may try to obtain users' private information to fulfil their personal needs. This is completely illegal.
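For the XML signature wrapping attack described under "Web browser attack" and the countermeasures that pin the signed element's position, the following added example (not code from the original post, and not an implementation of WS-Security or FastXPath) contrasts a verifier that only checks the referenced element with one that requires the verified element to be the Body actually processed. The `Reference`/`Digest` element is a simplified, assumed stand-in for an already verified XML signature, and all messages are constructed samples.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"s": SOAP}

def digest(elem):
    """SHA-256 over the element's serialization (stand-in for C14N + digest)."""
    clone = copy.deepcopy(elem)
    clone.tail = None  # text following the element is not part of it
    return hashlib.sha256(ET.tostring(clone)).hexdigest()

def signed_element(env):
    """Return the element the Reference points at if its digest matches.
    Assumption: the signature over the Reference itself was already verified."""
    ref = env.find("s:Header/Reference", NS)
    if ref is None:
        return None
    target_id = ref.get("URI", "").lstrip("#")
    matches = [e for e in env.iter() if e.get("Id") == target_id]
    if len(matches) != 1:  # missing or duplicated Id is ambiguous: reject
        return None
    return matches[0] if digest(matches[0]) == ref.get("Digest") else None

def naive_accept(env):
    """Vulnerable: validates whatever the Reference resolves to, anywhere in
    the document, while the application goes on to process Envelope/Body."""
    return signed_element(env) is not None

def strict_accept(env):
    """Hardened: exactly one Body, and it must be the validated element."""
    bodies = env.findall("s:Body", NS)
    return len(bodies) == 1 and signed_element(env) is bodies[0]

# Constructed sample messages (hypothetical operations ListUsers / CreateUser).
SIGNED_BODY = f'<s:Body xmlns:s="{SOAP}" Id="body"><ListUsers/></s:Body>'
UNSIGNED_BODY = f'<s:Body xmlns:s="{SOAP}"><CreateUser name="mallory"/></s:Body>'

def envelope(header_extra, body):
    """Build a message whose Reference carries the digest of SIGNED_BODY."""
    signed = ET.fromstring(SIGNED_BODY)
    return ET.fromstring(
        f'<s:Envelope xmlns:s="{SOAP}"><s:Header>'
        f'<Reference URI="#body" Digest="{digest(signed)}"/>{header_extra}'
        f'</s:Header>{body}</s:Envelope>')

legit = envelope("", SIGNED_BODY)
# Wrapped: the signed body sits under a Header wrapper, an unsigned Body is processed.
wrapped = envelope(f"<Wrapper>{SIGNED_BODY}</Wrapper>", UNSIGNED_BODY)
```

Both verifiers accept `legit`; only `naive_accept` accepts `wrapped`, because the digest it checks belongs to an element the application never processes.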
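The hash-based integrity check described under "Security Techniques Implementation" can be sketched as follows. This is an added example, not code from the original post: the manifest layout, the function names and the HMAC that protects the stored hashes against being replaced along with the image are assumptions of the example, and the image file is constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile

def file_sha256(path, chunk=1 << 20):
    """Hash an image file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _mac(entries, key):
    payload = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def seal_manifest(images, key):
    """Record the hash of each original service instance image and MAC the record."""
    entries = {name: file_sha256(path) for name, path in images.items()}
    return {"entries": entries, "mac": _mac(entries, key)}

def verify_instance(name, path, manifest, key):
    """Return 'ok', 'modified', 'unknown' or 'manifest-tampered'."""
    if not hmac.compare_digest(_mac(manifest["entries"], key), manifest["mac"]):
        return "manifest-tampered"   # stored hashes were changed without the key
    known = manifest["entries"].get(name)
    if known is None:
        return "unknown"             # instance was never registered
    return "ok" if hmac.compare_digest(known, file_sha256(path)) else "modified"

def demo():
    key = b"constructed-demo-key"    # in practice kept away from the image store
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "web-service.img")
        with open(img, "wb") as f:
            f.write(b"original service image bytes")   # constructed sample image
        manifest = seal_manifest({"web-service": img}, key)
        results = [verify_instance("web-service", img, manifest, key)]
        with open(img, "ab") as f:
            f.write(b"injected module")                 # image changed after sealing
        results.append(verify_instance("web-service", img, manifest, key))
        results.append(verify_instance("new-service", img, manifest, key))
        manifest["entries"]["web-service"] = file_sha256(img)  # hash swapped too
        results.append(verify_instance("web-service", img, manifest, key))
    return results
```

The last case shows why the stored hash needs its own protection: whoever can replace the image can usually replace an unprotected hash next to it.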
