Kia Manoochehri

Background

Threat Classification
◦ Traditional Threats
◦ Availability of cloud services
◦ Third-Party Control

The “Notorious Nine”

Contractual Obligations

Security: “freedom from risk and danger”

In Computer Science we define security as…
◦ “the ability of a system to protect information and
system resources with respect to confidentiality and
integrity”

Three core areas
◦ Confidentiality
◦ Integrity
◦ Authentication

Some other security concepts
◦ Access Control
◦ Nonrepudiation
◦ Availability
◦ Privacy



Cloud Service Providers (CSP) provide a
“target rich environment”
Consolidation of information draws potential
attackers
Potential problematic areas in the field of
Cloud Computing aren’t transparent.

Three broad classifications
◦ Traditional Threats
◦ Availability Threats
◦ Third-Party Control Threats

Anytime a computer is connected to the
internet they are at risk…
◦ When we are dealing with Cloud based applications
we are amplifying these threats

Question of responsibility
◦ User vs Provider

Authorization and Authentication
◦ Individual access vs enterprise access

One solution would be to have tiered access
◦ Not every user is created equal!

Distributed Denial of Service attacks (DDoS)

SQL Injection

Phishing

Cross-Site Scripting

Digital forensics cannot be applied to the
cloud
◦ Difficult to trace where an attack is from

Virtual Machine vulnerabilities extend to the
cloud as well

System failures
◦ http://www.forbes.com/sites/anthonykosner/2012
/06/30/amazon-cloud-goes-down-friday-nighttaking-netflix-instagram-and-pinterest-with-it/
◦ Amazon’s Elastic Compute Cloud (EC2) in North
Virginia goes down due to lightning.
 Netflix, Instagram, and Pintrest were down for at least
a few hours.

Problem stems from CSP outsourcing certain
aspects of their operation
◦ How does this affect

Introduces more points of entry and
vulnerability to the Cloud


In 2010 the Cloud Security Alliance (CSA) had
defined 7 major threats to Cloud Computing
February 2013 yielded their “Notorious Nine”
list
◦ 9 major threats in Cloud Computing

Data Breaches
◦ Currently the biggest threat
◦ The solution is encryption… but
 What if you lose the key?
◦ Backing up the data is not viable either

Example: Epsilon

Data Loss
◦
◦
◦
◦


Malicious deletion
Accidental deletion by CSP
Physical catastrophe
Loss of the encryption key
Compliance policies require audit
audit records
Example: Mat Honan

Account/Service Hijacking
◦ Phishing, fraud, software exploits
◦ Organizations should be proactive
◦ Two-Factor authentication

Example: XSS attack on Amazon

Insecure Interfaces and APIs
◦ Any vulnerability in an API bleeds over
◦ Can effect security and availability
◦ Partially falls on the consumer

Denial of Service
◦ From the user end… most frustrating
◦ Can cost cloud users $$$
◦ Makes the user doubt the cloud

Malicious Insiders
◦ Straightforward
◦ Systems that only depends on the
CSP for security are at greatest risk
◦ If data-usage encryption is used the
data is still vulnerable during storage

Abuse of Cloud Services
◦ Using CSP for malicious purpose
◦ Hacking encryption keys via cloud
◦ DDoS attacks via cloud
◦ Problems of detection arise

Insufficient Due Diligence
◦ Insufficient user experience
◦ Unknown levels of risk when using CSP
◦ Design and architecture issues for devs
◦ Countered by:
 Capable resources
 Extensive internal understanding of risks

Shared Technology Vulnerabilities
◦ CPU caches, GPUs are not designed to
be isolated
◦ A single vulnerability can lead to an
entire environment being compromised
Buffer Overflow
SQL Injection
Privilege escalation
SSL Certificate spoofing
Attacks on browser caches
Phishing attacks
DDoS attacks
Limiting resources
Privilege-related attacks
Data Distortion
Injecting additional operations

Goal is to minimize the security risks

Contract between the CSP and user should:
◦ State CSP obligations to handle securely sensitive
information and it’s compliance to privacy laws
◦ Spell out CSP liability for mishandling information
◦ Spell out CSP liability for data loss
◦ Spell out rules governing ownership of data
◦ Specify the geographical regions where information and
backups can be stored.
Kia Manoochehri