
Assignment 2.2: Cloud Vulnerability

Emmylou Bice

CSOL-500 – Foundations of Cyber Security

Ashton Mozano

May 25, 2020


Assignment 2.2

Assignment 2.2: Cloud Vulnerability

As technology evolves, more systems migrate to the cloud environment. With respect to cyber security, the threat landscape shifts slightly with this migration, since security responsibility is split further amongst multiple organizations than it is for traditional systems. Some new threats have emerged, but old threats also remain. The following details ten of the most recent top cyber security risks to data that is processed on, stored on, and/or transmitted through the cloud. For each of the presented risks, I will describe what the risk is, identify the impacts, and provide a mitigation strategy to address it.

1. Malware Injection

Description and Impact: Malware injection in the cloud is similar to malware injection against on-premise systems: the attacker tries to insert malicious software or code into a service or system in the cloud (Bhagat, 2017). Common malware injection attacks include SQL injection, cross-site scripting, worms, and trojans. Malware can be introduced by users via unvalidated user-controlled fields or by unsuspecting employees installing compromised software or a file carrying a virus. The impacts of this type of attack include loss of consumer personal data, as in an SQL injection attack. Attackers can discover personal information they are not authorized to see and then sell it on the dark web. From a financial standpoint, businesses can lose millions to a malware injection attack through lost systems and stolen customer or proprietary information.

Mitigation Strategy: One of the best mitigation strategies for malware injection is the use of Anti-Virus (A/V) software. A/V solutions detect (and remove) existing malware on a system and monitor for potential malware on the system (RAPID7, n.d.). In addition to installing an A/V solution, organizations should keep it up to date with the latest version of the software and the latest definitions and signatures. This will limit the risk of known malware injection attacks penetrating the system.
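As an added illustration of the "unvalidated user-controlled fields" point above (this example is not part of the original assignment), the following Python compares a customer lookup that concatenates user input into SQL with one that binds it as a parameter. The in-memory customer table and the crafted input are constructed for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a cloud-hosted customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, ssn) VALUES (?, ?)",
        [("alice@example.com", "111-11-1111"), ("bob@example.com", "222-22-2222")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Concatenates the user-controlled field into the statement, so the
    field is parsed as SQL rather than treated as data."""
    sql = "SELECT email, ssn FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Binds the field as a parameter; the driver never interprets it as SQL.
    A simple allowlist on the shape of the input adds defence in depth."""
    if "@" not in email or len(email) > 254:
        return []
    return conn.execute(
        "SELECT email, ssn FROM customers WHERE email = ?", (email,)
    ).fetchall()

def demo() -> dict:
    """Runs both lookups against the same constructed input and reports
    how many customer records each one hands back."""
    conn = make_db()
    crafted = "x' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),
        "hardened_rows": len(lookup_hardened(conn, crafted)),
        "legitimate_rows": len(lookup_hardened(conn, "alice@example.com")),
    }

if __name__ == "__main__":
    print(demo())   # {'vulnerable_rows': 2, 'hardened_rows': 0, 'legitimate_rows': 1}
```

The vulnerable lookup returns every customer record for the crafted input, while the parameterized one returns none and still serves the legitimate query.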

2. Insider Threat

Description and Impact: Insider threat is when an employee or someone else internal to the organization turns into an adversary. This employee or insider can either intentionally or unintentionally cause havoc on the system and organization. Insider threat is a concern for all organizations and applies equally to the cloud. According to a Threatbuster survey of IT professionals’ opinions on insider threat vulnerability in their organizations, “41% of respondents said cloud migration makes insider attacks harder to detect and defend” (Armerding, 2019). The threat is a major concern as these individuals can significantly impact business operations and cause millions of dollars in damage. For example, in the healthcare industry, IT professionals have seen about a 31% increase in the financial cost, which grew “from $8.76 million in 2018 to $11.45 million in 2020” (FairWarning, n.d.). These costs are associated with insider threats from both careless employees and malicious insiders.

Mitigation Strategy: One of the best ways to mitigate the risk of an insider threat in the cloud is to follow “the principle of ‘least privilege’” by implementing an Identity and Access Management (IAM) system (Armerding, 2019). With this strategy, you limit the amount of access a single user has and provide them with the minimum privileges and permissions necessary to conduct their daily tasking. If higher privileges are needed, a manager should authorize the privilege only for a limited timeframe and then revert the user to an unprivileged status once the task is complete. This restricts insider access and reduces the risk of insider exploitation.
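The manager-approved, time-boxed elevation described above, as an added Python model that is not part of the original assignment: the role catalogue, the four-hour policy ceiling, and the user and manager names are all constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Constructed role catalogue: the minimum each role needs for its daily tasking.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"storage:read"},
    "operator": {"storage:read", "compute:restart"},
}
MAX_ELEVATION = timedelta(hours=4)  # assumed policy ceiling for any temporary grant

@dataclass
class Elevation:
    permissions: Set[str]
    approved_by: str
    expires_at: datetime

@dataclass
class Account:
    user: str
    role: str
    elevations: List[Elevation] = field(default_factory=list)

def grant_elevation(account: Account, permissions: Iterable[str], approver: str,
                    duration: timedelta, now: datetime) -> Elevation:
    """Manager-approved, time-boxed grant. Refuses self-approval and grants longer
    than the policy ceiling, so an elevation cannot quietly become permanent."""
    if approver == account.user:
        raise PermissionError("elevation must be approved by someone other than the requester")
    if duration > MAX_ELEVATION:
        raise ValueError("requested duration exceeds the policy ceiling")
    grant = Elevation(set(permissions), approver, now + duration)
    account.elevations.append(grant)
    return grant

def effective_permissions(account: Account, now: datetime) -> Set[str]:
    """Base role permissions plus any elevation that has not yet expired."""
    perms = set(ROLE_PERMISSIONS.get(account.role, set()))
    for grant in account.elevations:
        if grant.expires_at > now:
            perms |= grant.permissions
    return perms

def is_authorized(account: Account, action: str, now: datetime) -> bool:
    return action in effective_permissions(account, now)

def revert_expired(account: Account, now: datetime) -> int:
    """Drops expired grants so the account returns to unprivileged status;
    returns how many grants were removed, for the audit log."""
    before = len(account.elevations)
    account.elevations = [g for g in account.elevations if g.expires_at > now]
    return before - len(account.elevations)

def demo() -> tuple:
    """One-hour grant of storage:delete to an analyst: allowed inside the window,
    denied afterwards, reverted, and self-approval refused. Times are constructed."""
    t0 = datetime(2020, 5, 25, 9, 0, tzinfo=timezone.utc)
    acct = Account("analyst01", "analyst")
    grant_elevation(acct, {"storage:delete"}, "manager01", timedelta(hours=1), t0)
    during = is_authorized(acct, "storage:delete", t0 + timedelta(minutes=30))
    after = is_authorized(acct, "storage:delete", t0 + timedelta(hours=2))
    reverted = revert_expired(acct, t0 + timedelta(hours=2))
    try:
        grant_elevation(acct, {"storage:delete"}, "analyst01", timedelta(hours=1), t0)
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    return during, after, reverted, self_approval_blocked
```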

3. Denial of Service (DoS) or Distributed Denial of Service (DDoS)

Description and Impact: A DoS attack is when legitimate users cannot access a system or service due to the actions of a malicious cyber threat actor (US-CERT, 2009). An example is an attacker sending so much traffic to a specific port of a target system that the system freezes up trying to process all the requests and can’t handle any more. DDoS is similar, but involves multiple machines working together to cause a DoS. DDoS attacks often involve botnets, hijacked systems programmed to carry out the attacker’s requests (US-CERT, 2009). A representation of a DDoS attack using a botnet can be seen in Figure 1, where the attacker floods an HTTP port to cause a denial of service on the target. These attacks are relevant to both cloud-based and on-premise systems.

Figure 1: HTTP Flood. From Application Layer Attack Example, by Cloudflare, n.d., https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/. Copyright 2020 by Cloudflare, Inc.


The impact of a DoS or DDoS attack includes halting an organization’s business services for an unknown amount of time and building a negative reputation with consumers. From a financial perspective, this attack could cost millions of dollars depending on the business. Kaspersky conducted research and found that the impact of a DDoS attack averaged about $2 million per attack (Berard, 2018).

Mitigation Strategy: Although there is no good way to prevent a DoS or DDoS attack, one way to mitigate the threat is to configure your firewalls and enroll in a DoS protection service. By configuring the firewall appropriately, organizations can restrict the traffic flowing into and out of Internet-facing systems (US-CERT, 2009). Organizations should configure Quality of Service (QoS) settings to manage data traffic flow and open only the ports necessary for standard operations.

4. Data Loss

Description and Impact: In the cloud, data loss is another common threat. Data loss can result from attackers compromising data, crashed data storage servers, or accidental user modifications to data. Data loss can result in lost business productivity, replacement and response costs, and reputation damage. Businesses may have to halt operations due to unrecoverable data loss, which results in downtime and may impact revenue depending on the duration. Additionally, the cost of replacing the data or hiring a third party to assist with recovery and response eats into business profits. Outside of the cloud, costs can range from about $20K-$30K to about $550K for smaller losses and into the high millions, like $5M-$15M, for much larger data loss events (BackupWorks, n.d.). Though I have not found evidence for the cloud, I anticipate that the costs for a cloud-related data loss event are around the same figures.


Mitigation Strategy: Organizations should implement a well-thought-out contingency plan, data loss prevention software, and data backups via RAID or robust storage. Contingency planning should be exercised periodically and cover data loss scenarios. Data loss prevention software will “ensure that sensitive data is not lost, misused, or accessed by unauthorized users” (Zhang, 2020). As for RAID, in the cloud, service providers typically offer robust storage options and scalable server options. Organizations utilizing the cloud should take advantage of these services to increase the likelihood that data will not be lost in some unforeseen event. Implementing RAID is especially important, as RAID storage provides fault tolerance and improves overall system performance (Singh, 2019).

5. Insecure APIs

Description and Impact: Insecure APIs are a risk when attackers take advantage of application programming interfaces to serve a malicious purpose. Some common attacks adversaries conduct on APIs include DDoS, Cross-Site Scripting, and Man-in-the-Middle. When implemented poorly, APIs are the equivalent of insecure interfaces, offering attackers an easy target. One example is a developer leaving an API open to access privileged functions. An attacker can take advantage of this to access the system and its information. This threat results in the same impacts as data loss, as previously detailed, since attackers can extract sensitive data, causing millions of dollars of damages for the organization.

Mitigation Strategy: A mitigation strategy for insecure APIs includes “adopting an effective security model for Cloud provider’s interfaces” (Thor, 2019). This security model should include secure authentication and authorization mechanisms: encrypted transmissions such as HTTPS, strong authentication like OAuth 2 or OpenID Connect, the principle of least privilege to restrict privilege creep, and limited access control by determining which resources the user can access (Imperva, n.d.). This will help limit the attack surface available to an attacker exploiting APIs.
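As an added Python example (not part of the original assignment) of the authorization side of that model: a route table that refuses to register an endpoint without a required OAuth 2 scope, so no privileged function is left open by omission, and handlers that further check resource ownership. The bucket names, owners, and token contents are constructed; token signature validation is assumed to have happened upstream.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Token:
    """Claims of an already-validated bearer token (constructed for the demo)."""
    subject: str
    scopes: FrozenSet[str]
    expires_at: int

class Api:
    """Route table that will not register a route without a scope requirement."""

    def __init__(self) -> None:
        self._routes: Dict[str, Tuple[FrozenSet[str], Callable]] = {}

    def route(self, name: str, required_scopes: FrozenSet[str]):
        if not required_scopes:
            raise ValueError(f"route {name!r} declares no required scope")
        def register(handler: Callable) -> Callable:
            self._routes[name] = (frozenset(required_scopes), handler)
            return handler
        return register

    def call(self, name: str, token: Optional[Token], now: int, **kwargs) -> Tuple[int, object]:
        """Authentication, then scope authorization, then the handler; any failure denies."""
        if name not in self._routes:
            return 404, "unknown route"
        if token is None or token.expires_at <= now:
            return 401, "missing or expired token"
        required, handler = self._routes[name]
        missing = required - token.scopes
        if missing:
            return 403, f"missing scope(s): {sorted(missing)}"
        return handler(token, **kwargs)

# Constructed resource store: bucket name -> owner.
BUCKET_OWNERS = {"reports-q1": "alice", "payroll": "hr-team"}

api = Api()

@api.route("bucket.read", frozenset({"storage:read"}))
def read_bucket(token: Token, bucket: str) -> Tuple[int, object]:
    """Scope gets the caller to the door; ownership decides which resource they may see."""
    owner = BUCKET_OWNERS.get(bucket)
    if owner is None:
        return 404, "no such bucket"
    if owner != token.subject:
        return 403, "not the owner of this bucket"
    return 200, f"contents of {bucket}"

@api.route("bucket.delete", frozenset({"storage:read", "storage:delete"}))
def delete_bucket(token: Token, bucket: str) -> Tuple[int, object]:
    return (200, f"deleted {bucket}") if BUCKET_OWNERS.get(bucket) == token.subject else (403, "not the owner")

def demo() -> Tuple[int, ...]:
    """Read-only token for alice: reads her bucket, is refused hr-team's bucket,
    lacks the delete scope, and is rejected once expired."""
    alice = Token("alice", frozenset({"storage:read"}), expires_at=1000)
    calls = [("bucket.read", 500, "reports-q1"), ("bucket.read", 500, "payroll"),
             ("bucket.delete", 500, "reports-q1"), ("bucket.read", 1000, "reports-q1")]
    return tuple(api.call(name, alice, now=now, bucket=b)[0] for name, now, b in calls)
```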

6. Account Hijacking

Description and Impact: Account hijacking is when attackers compromise employee login information and remotely access sensitive data stored in the cloud (Evangelist, 2019). Account hijacking can be devastating for a company depending on the access permissions of the account. Business reputation and integrity can be destroyed, and customers may lose trust in the business depending on what was accessed and what the attackers can do with it (Lord, 2018).

Mitigation Strategy: One mitigation strategy to protect against and reduce the risk of account hijacking is implementing strong authentication mechanisms. Leverage cloud solutions that offer multi-factor authentication, such as requiring users to input a password and either a dynamic one-time password (hard token or SMS message) or a biometric to log in (Lord, 2018). Implementing multi-factor authentication increases the likelihood that an authorized user, rather than an adversary or unauthorized user, is logging in, as it verifies a user’s identity by requiring two types of credentials from the following: something the user knows (password), something the user has (token, one-time generated PIN), and something the user is (biometrics like a fingerprint or iris scan).
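The "something the user knows" plus "something the user has" check described above, as an added Python example that is not part of the original assignment: a server-side RFC 6238 TOTP verifier with a small clock-drift window and replay protection, combined with a PBKDF2 password check. The enrolled secret is the RFC 6238 reference secret, and the salt and password are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS)

class TotpVerifier:
    """Server side of the 'something the user has' factor for one enrolled token."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest step already accepted; blocks replay

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        for step in range(counter - self.window, counter + self.window + 1):
            if step <= self.last_counter:
                continue              # a code for this step was already used
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_counter = step
                return True
        return False

PASSWORD_SALT = b"constructed-demo-salt"   # constructed; real systems use a random per-user salt

def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)

def two_factor_login(stored_hash: bytes, password: str,
                     verifier: TotpVerifier, code: str, unix_time: int) -> bool:
    """Both factors must pass. The knowledge factor is checked first so a guessed
    code is never 'spent' against an account whose password was wrong."""
    if not hmac.compare_digest(stored_hash, password_hash(password)):
        return False
    return verifier.verify(code, unix_time)

# RFC 6238 reference secret "12345678901234567890", base32-encoded, as the enrolled token.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def demo() -> tuple:
    """Correct password + correct code succeeds once; replaying the same code fails;
    a correct code with the wrong password fails."""
    stored = password_hash("correct horse battery staple")
    verifier = TotpVerifier(DEMO_SECRET_B32)
    now = 59                                  # RFC 6238 test time; the code for this step is 287082
    first = two_factor_login(stored, "correct horse battery staple", verifier, "287082", now)
    replay = two_factor_login(stored, "correct horse battery staple", verifier, "287082", now)
    wrong_pw = two_factor_login(stored, "wrong", verifier, totp(verifier.secret, now + 30), now + 30)
    return first, replay, wrong_pw
```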

7. Social Engineering

Description and Impact: Social engineering is when an adversary tricks a user into providing sensitive information or unauthorized access to a system. Common social engineering attacks include phishing and ransomware. The financial impact of this type of attack can run into millions of dollars. For ransomware, the FBI released statistics stating that in “2018 alone U.S. businesses paid more than $3.6 million to hackers in these kinds of attacks” (Suros, 2019). In addition, there are further financial and non-financial costs including business fees, time, reputation, data loss, and payments to third-party remediation such as law enforcement.

Mitigation Strategy: The main victims of social engineering tactics are people. One way to mitigate social engineering is to educate employees about social engineering tactics and send out mock phishing attempts periodically to keep them aware. Organizations should emphasize that employees should never respond to or open/download email attachments from unknown senders (Suros, 2019). The better educated the main component of an organization, its employees, the less risk a company faces from social engineering.

8. Supply Chain

Description and Impact: The supply chain risk involves compromising systems before they are deployed for operations. Attackers target third-party suppliers to inject malicious software or backdoors and gain access to secure systems (Behrens, 2020). Organizations then unknowingly incorporate the compromised components, compromising the entire system right out of the gate. The impact of a successful supply chain attack is similar to that of the previously mentioned risks. The implemented component could incorporate a back door or other malicious code, which could result in serious damage to the business both financially and reputationally.

Mitigation Strategy: To help mitigate the supply chain risk, organizations should develop and implement a supply chain risk management plan (SCRMP) in accordance with Figure 2 and NIST SP 800-161. In Figure 2, we see that the Enterprise is responsible for making an SCRM Policy and integrating it into the different risk management steps. In this plan/policy, organizations should identify internal programs with policies and procedures in place, including the use of only approved and trusted vendors, and conduct thorough analysis and testing to identify defects, counterfeits, and malicious parts. This testing should be conducted by multiple individuals for each of the HW and SW components prior to approving their use in the overall design of the system. For systems deployed in the cloud, organizations should verify the cloud provider’s SCRMP and take it into consideration when selecting a service provider to house their system.

Figure 2: ICT SCRM Activities in Risk Management Process. From Supply Chain Risk Management Practices for Federal Information Systems and Organizations, by J. Boyens, C. Paulsen, R. Moorthy, and N. Bartol, 2015, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf


9. Insufficient Due Diligence

Description and Impact: Due diligence is when organizations take thorough steps to understand the security implications of a certain technology and implement security mitigations to reduce risks. When organizations migrate to the cloud, sometimes they don’t understand the full scope of what it means to move to the cloud as far as what the cloud service provider provides in terms of security measures and what the organization is responsible for (Morrow, 2018). The impact of not minimizing the risk of insufficient due diligence can be adversaries exploiting the other risks mentioned here, such as system vulnerabilities, malware injection, and supply chain exploitation. Adversaries successfully exploiting any one of these will cost the business its public reputation as well as millions of dollars in damages.

Mitigation Strategy: A mitigation strategy for this risk involves “digging deeper” and asking the CSP about their certifications or industry affiliations to understand what security measures are already in place and which ones the organization needs to cover (ICorps Technologies, 2014). Businesses should understand their service level agreements (SLAs), understand the expectations of the CSP, and investigate the security measures that the CSP provides to ensure they implement sufficient due diligence on their end. After all, the business is the face of the system, not the CSP, and if the system is exploited, the business will see almost all of the impacts.

10. System Vulnerabilities

Description and Impact: System vulnerabilities arise when businesses do not maintain the security posture of their systems. Old and outdated software exposed to the internet provides attackers with a relatively easy foothold on the system; sometimes, if a vulnerability is exploited, the attacker automatically gains privileged access. In the cloud, the infrastructure has more exposure to system vulnerabilities due to the complexity of the networks and environment (Evangelist, 2019). System vulnerabilities can result in adversaries taking advantage of one exploited vulnerability to carry out further attacks, like malware injection. Like the previously discussed risks, system vulnerabilities can result in millions of dollars of damages for an organization.

Mitigation Strategy: To mitigate system vulnerabilities, organizations should ensure that every system is up to date on both the software version and any released patches. For example, Microsoft releases patches every Tuesday of the month. In the cloud, organizations should ensure there is a security management domain separate from normal operations and that every machine is scanned for outdated patches at least once a month. Tools to help ensure systems are patched include Nessus on the commercial side and OpenVAS on the open-source side.


References

Armerding, T. (2019, May 16). Don’t let insider threats rain on your cloud deployment. Retrieved May 24, 2020, from https://www.synopsys.com/blogs/software-security/insider-threats-cloud/

BackupWorks. (n.d.). Financial Impact of Data Loss for Business. Retrieved May 25, 2020, from https://www.backupworks.com/financial-impact-data-loss.aspx

Behrens, A. (2020, January 29). Accenture cybersecurity report sees risks from hacker groups and vulnerabilities in supply chains, the cloud. Retrieved May 25, 2020, from https://spendmatters.com/2020/01/29/accenture-cybersecurity-report-sees-risks-from-hacker-groups-and-vulnerabilities-in-supply-chains-the-cloud/

Berard, D. (2018, February 22). DDoS Breach Costs Rise to over $2M for Enterprises finds Kaspersky Lab Report. Retrieved May 25, 2020, from https://usa.kaspersky.com/about/press-releases/2018_ddos-breach-costs-rise-to-over-2m-for-enterprises-finds-kaspersky-lab-report

Bhagat, B. (2017, August 12). Major attacks on Cloud Computing with countermeasures. Retrieved May 24, 2020, from https://cloud-techlife.com/2017/08/12/major-attacks-on-cloud-computing-with-countermeasures/

Boyens, J., Paulsen, C., Moorthy, R., & Bartol, N. (2015). ICT SCRM Activities in Risk Management Process [Figure]. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf

Boyens, J., Paulsen, C., Moorthy, R., & Bartol, N. (2015). Supply chain risk management practices for federal information systems and organizations. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.

Cloudflare. (n.d.). Application Layer Attack Example [Image]. Retrieved from https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

Evangelist, C. (2019, September 7). Top 5 Cloud Computing Security Issues; and How they are used by Hackers. Retrieved May 25, 2020, from https://www.cloudmanagementinsider.com/top-5-cloud-computing-security-issues-and-strategies-used-by-hackers/

FairWarning. (n.d.). The Cost of Insider Threats in Healthcare and How to Reduce Them. Retrieved May 24, 2020, from https://www.fairwarning.com/blog/the-cost-of-insider-threats-in-healthcare-and-how-to-reduce-them/

ICorps Technologies. (2014, September 11). Lack of Due Diligence: How It Can Hurt Your Company. Retrieved May 25, 2020, from https://blog.icorps.com/bid/185776/why-the-lack-of-due-diligence-can-hurt-your-company

Imperva. (n.d.). Web API Security. Retrieved May 24, 2020, from https://www.imperva.com/learn/application-security/web-api-security/

Lord, N. (2018, September 11). What is Cloud Account Hijacking? Retrieved May 25, 2020, from https://digitalguardian.com/blog/what-cloud-account-hijacking

Morrow, T. (2018, March 5). 12 Risks, Threats, & Vulnerabilities in Moving to the Cloud. Retrieved May 25, 2020, from https://insights.sei.cmu.edu/sei_blog/2018/03/12-risks-threats-vulnerabilities-in-moving-to-the-cloud.html

RAPID7. (n.d.). Malware Attacks: Examined and Best Practices. Retrieved May 25, 2020, from https://www.rapid7.com/fundamentals/malware-attacks/

Singh, G. (2019, March 12). Types of RAID Storage for Databases in Public Cloud. Retrieved May 25, 2020, from https://www.xenonstack.com/blog/raid-storage-databases/

Suros, T. (2019, August 26). Voices On ransomware: How to stay safe in the cloud. Retrieved May 25, 2020, from https://www.accountingtoday.com/opinion/on-ransomware-how-to-stay-safe-in-the-cloud

Thor, D. (2019, April 30). Cloud APIs and How to Mitigate the Security Risks. Retrieved May 25, 2020, from https://dzone.com/articles/cloud-apis-and-how-to-mitigate-the-security-risks

US-CERT. (2009, November 4). Understanding Denial-of-Service Attacks. Retrieved May 25, 2020, from https://www.us-cert.gov/ncas/tips/ST04-015

Zhang, E. (2020, January 27). What is Data Loss Prevention (DLP)? A Definition of Data Loss Prevention. Retrieved May 25, 2020, from https://digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention
