
Pentesting In The Cloud

by Aaron Bryson

04/2011 (4) August

Too Close For Missiles, Switching to Bullets



Tell me if this sounds familiar: you are asked to perform a penetration test on a customer's network to determine the security posture of their assets, and the first thing they do is give you a list of assets that you are NOT allowed to test, because they are critical systems to the business. Ironic, isn't it? This is exactly the difficulty you can expect when performing penetration testing in the cloud, but multiplied by ten.

There is a lot to think about and plan for when you want to perform a penetration test in a cloud service provider's (CSP) network. Before we get into the technical details, we need to start with the basics. Questions to ask yourself: What do my contract and SLA state about penetration testing? Does the CSP already have a team of penetration testers? And is that enough to meet your security requirements or compliance objectives?

Are we hiring a 3rd party company to perform the penetration tests for us? Do we have our own penetration testing team?

CSP in-house pen test team: If your cloud service provider has their own penetration testers, that is great news! Not only does it show that they take security seriously, but it means that you can leverage their internal testing results for your own audits. If you do not have the money for your own penetration testing team (either in-house or 3rd party), you may be able to request detailed audit reports from the CSP relative to your company. Have information disclosure policies built into your SLA, and monthly vulnerability reports delivered to you. Some types of compliance will say this is not enough and still require 3rd party testing. Honestly, you should perform your own penetration tests, either with your own team or by hiring a trusted and skilled 3rd party. If your CSP claims that they are secure, are you just going to believe them? How do you know they didn't leave anything out of their reports? Make sure you ask a lot of questions about what they tested & how:

Request that they test for the OWASP Top 10 (https: // Top_Ten_Project) web application vulnerabilities. If they don't have penetration testers, they should at least be performing web application vulnerability scans using one of the several great tools out there that they can set up in-house. Coincidentally, this type of scanning can also be done from the cloud by certain vendors.

How did they test those things? Were the tests performed black box, white box, or grey box?

Vulnerability scans & fingerprinting are a precursor to the actual penetration testing. That being said, you want to ensure that from the very beginning you have an accurate vulnerability report by reducing the number of false positives discovered. The best way to do this is to use credentials (user + password). If your vulnerability scanner says one of your servers is running an unpatched, old version of Apache, what is the best way to verify this? You log in and see what version of Apache it is actually running. This is what white box testing does for you. It reduces the amount of unknowns in your testing. You don't want any unknowns, because that is what will kill you. Be warned: you still MUST sort through any false positives, but the amount you will have to deal with should be far less.

What was in scope? What devices, web apps, services, databases, hosts, subnets, and network storage? Make sure that any part of their Infrastructure (IaaS), Platform (PaaS), or Software (SaaS) that is relevant to you is included in the scope of testing and in the reports that are delivered to you.

For IaaS, you may want to see their architectural design and security review documents, security policies and patch management policies, as well as any hardening guides used. In addition you should request vulnerability scans to be performed on your part of the VLAN or subnet. Other than providing you facilities with HVAC, physical security, and hazard controls, most of the technical security is your responsibility. Your job is to identify what security gaps have not been filled by the CSP and fill them, or get the CSP to do it.

For PaaS, in addition to everything listed above, you should have your CSP verify that your platform is fully patched and up-to-date. Ensure that your installation of Apache, Ruby on Rails, Java, PHP, Bugzilla, Drupal, etc. is up-to-date and not running a default installation with default user names, passwords, and configuration files. If it is not protected, it is your job as a PaaS tenant to protect it. Some of these security responsibilities will be shared by the CSP and yourself, so make sure you know where the line is drawn and who is responsible for what through an SLA.

For SaaS, security mostly depends on the CSP. Make sure that in addition to everything listed above for IaaS & PaaS, you get web application & web service penetration testing done. Request web application vulnerability reports, and make sure they have a web application security policy that requires the CSP to test for vulnerabilities on a regular basis. At a minimum,

What tools were used? If they used a vulnerability scanner, what scan policy (what vulnerabilities) did they scan for? Top 10? Top 20? Make sure that anything you expect to be tested for is covered in their penetration tests & vulnerability scanning. If you are using a SaaS product, you might want to know whether or not their website enforces SSL encryption, or is being checked for code injection vulnerabilities such as Cross-site scripting (XSS) and SQL Injection.

3rd party pen test team: If you are going to hire outsiders, you will be playing the middleman, and working out a lot of contract/SLA issues between all three parties involved. You will have due diligence to perform when selecting your 3rd party pen test team. Many of the considerations suggested next should be used when hiring 3rd party pen testers. You should ask the same questions and have similar requirements of the 3rd party pen test team as listed above, just as one would with the CSP.

Your own pen test team: So you have a team and you want to pen test your CSP. Great! Let's get started. First, you should check your SLA and contractual agreement between you and the CSP and then consider the type


of cloud you will be testing, because each of them has different considerations you must account for: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service).

Next you Must Know the Scope of What you Want Tested to Meet your Security Requirements

Web application pen test (this includes mobile apps)
Web service pen test (this includes mobile backend services)
Network/host pen test (this includes databases, firewalls, and other systems in your cloud network)

IaaS/PaaS web apps & web services: The good news is that IaaS cloud grants the customer the most granular control over the entire environment. That means most of the built-in security will have to be set up by your organization, and you should have an easier time planning how to properly conduct your test with the given architecture. Since it is up to you to supply the web application and web services, you will have an easier time testing for vulnerabilities and performing penetration tests. Since security is left to the cloud user's responsibility, you usually will not have to interact too much with the CSP to perform your own penetration tests on your own system as part of your cloud security program. You should state upfront in your CSP contract that you will be performing your own penetration tests, what that scope is going to be, and how often. This ideally should have been planned early on in the contract, not after the fact. If you are lucky, the CSP has already put this language into their service level agreement (SLA).

You should know what application and technology you are running in your own cloud since it was provided by your organization, and may not have to worry about multi-tenancy issues (but you will for network & host level pen tests). You should be able to easily reach your web application/services remotely for penetration testing. However, if you have deployed web application firewalls (WAF) or reverse proxy servers into your cloud, they can interfere with your penetration testing. For the most accurate results, it is recommended to pen test against these web apps/services without your WAF or reverse proxy in front of you. The reason is simple: you want to know what vulnerabilities actually exist so that you can fix them. WAFs are not replacements for secure coding practices. You wouldn't run an unpatched OS on the web with only a firewall and expect it to be secure, would you? Testing with these types of mechanisms in place gives you a false sense of security by hiding what really exists. However, you may also want to test with your IPS, WAF, and other security devices in place; this can give you another valuable point of view. You just need to decide: Is the goal to test how well your devices are configured and operating? Is the goal to test the CSP's security team, and how well attacks are detected on their network? An exercise can be coordinated with the CSP's security team, by which a live penetration test is conducted to test the responsiveness and effectiveness of their security team. You should opt to perform authenticated pen tests against web apps and services, and authenticated vulnerability scans against hosts. You will be able to get more accurate test coverage of your cloud.

IaaS/PaaS network & hosts: If you want to pen test your cloud network meticulously, you should perform internal and external pen tests. This will provide you with two dissimilar points of view, and likely a different set of vulnerability results.

Figure 1. Separation of responsibilities
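As a worked example of the white-box verification step recommended above (the scanner flags an old Apache from its banner; you log in with credentials and check what is actually installed), here is a small reconciliation script. It is an added example, not code from the article or from any scanner product: the hosts, findings and inventory lines are constructed sample data, and the `fixed_in` field and the four status names are this example's own conventions.

```python
"""Reconcile unauthenticated (banner-based) scanner findings against what an
authenticated check found installed on each host.

Added example with constructed data: a credentialed look at the host is what
turns "the banner says 2.2.16" into a confirmed finding or a false positive.
"""
import re
from dataclasses import dataclass

# Constructed sample: what a network scanner reported from the HTTP Server
# banner alone, plus the first upstream version the scanner considers fixed.
SCANNER_FINDINGS = [
    {"host": "10.0.1.10", "package": "apache2", "banner_version": "2.2.16", "fixed_in": "2.2.22"},
    {"host": "10.0.1.11", "package": "apache2", "banner_version": "2.2.16", "fixed_in": "2.2.22"},
    {"host": "10.0.1.12", "package": "apache2", "banner_version": "2.2.14", "fixed_in": "2.2.22"},
    {"host": "10.0.1.13", "package": "apache2", "banner_version": "2.2.16", "fixed_in": "2.2.22"},
]

# Constructed sample: one "<package> <version>" line per host, as collected
# after logging in (for example dpkg-query -W -f='${Package} ${Version}\n' on
# Debian/Ubuntu). Host 10.0.1.13 had no credentials, so it has no entry.
AUTHENTICATED_INVENTORY = {
    "10.0.1.10": "apache2 2.2.22-13",           # banner was stale; host is actually patched
    "10.0.1.11": "apache2 2.2.16-6+squeeze11",  # distro revision: fix is likely backported
    "10.0.1.12": "apache2 2.2.14",              # source build, nothing patched under the hood
}


@dataclass(frozen=True)
class PkgVersion:
    upstream: tuple   # numeric components of the upstream version, e.g. (2, 2, 16)
    revision: str     # distro revision after the first '-', '' if there is none


def parse_version(text: str) -> PkgVersion:
    """Parse a Debian-style version string: [epoch:]upstream[-revision].

    Distributions record security backports in the revision while keeping the
    upstream number, which is exactly why a banner alone misleads a scanner.
    """
    if ":" in text:
        text = text.split(":", 1)[1]
    upstream, _, revision = text.partition("-")
    return PkgVersion(tuple(int(n) for n in re.findall(r"\d+", upstream)), revision)


def classify(finding: dict, inventory: dict) -> str:
    """Decide what the authenticated look at the host says about one finding."""
    line = inventory.get(finding["host"])
    if line is None:
        return "UNVERIFIED"          # no credentials: the finding stays an unknown
    package, version = line.split(None, 1)
    if package != finding["package"]:
        return "UNVERIFIED"
    installed = parse_version(version)
    fixed = parse_version(finding["fixed_in"])
    if installed.upstream >= fixed.upstream:
        return "FALSE_POSITIVE"      # installed version is at or past the fix
    if installed.revision:
        return "REVIEW_BACKPORT"     # old upstream number but distro-patched: read the changelog
    return "CONFIRMED"               # old version and no distro patching: a real finding


def reconcile(findings: list, inventory: dict) -> dict:
    """Map each host to its verified status."""
    return {f["host"]: classify(f, inventory) for f in findings}


if __name__ == "__main__":
    for host, status in reconcile(SCANNER_FINDINGS, AUTHENTICATED_INVENTORY).items():
        print(f"{host}: {status}")
```

The REVIEW_BACKPORT case is the one this advice exists for: the scanner is right that the upstream number is old, but a revision such as 6+squeeze11 usually means the distributor backported the fix under the old number, so the answer comes from the package changelog on the box, not from the banner. The UNVERIFIED host is the reminder that a finding without credentials is still an unknown.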


To conduct an internal pen test, you should already have access to all your servers and hosts in the cloud (including the databases and storage components). You should also have access control credentials and the network architecture. Start with an authenticated vulnerability scan against your systems. The idea behind an internal assessment is that you want to know what kind of damage a hacker (or disgruntled employee) can do if he or she had access inside the perimeter. This will also help discover potential pivot* points used by hackers. For an external and more realistic viewpoint of an average hacker, you will want to test remotely from outside the DMZ. This should be performed as any typical black box remote penetration test. External white box testing here is not really necessary if you are already performing internal white box pen tests.

SaaS pen testing in general: It is up to the CSP to provide all the security to the customer in this cloud environment. That includes host level security all the way up to web application security. Performing internal and external pen tests of any type will usually require very difficult contract negotiations, because of multi-tenancy. It is very common that SaaS products share backend components (e.g. databases and storage), and as such certain vulnerability tests (e.g. DoS and SQL injection) may not be permitted. Since you will have very little access beyond the public facing web application(s) & web service(s), you don't have many options for network pen tests. Getting this done in a SaaS environment will require very special permission, and you will have to take what you can get. Remember that your objective is still to get as much test coverage as possible. So try to push for an internal pen test on their network as much as possible through documented mutual agreement. However, most likely you will only get permission to pen test the web app and web service itself, and maybe the web servers that those are hosted on. Make sure you perform authenticated penetration tests for the best coverage.

What you should take away from this is that penetration testing in the cloud takes a large amount of coordination and contract negotiations before the fun stuff can begin. Before you negotiate the terms of penetration testing in your contract, you have homework to do. Know what kind of penetration testing you want to perform. For areas that you are not able to test, make sure you take note of where security gaps may exist, and check to make sure you have compensating controls in place to mitigate the risk. For example, if you are unable to perform penetration tests against a database, ask the CSP to provide design details, sanitized device configuration files, the hardening guidelines used, results from the CSP's own penetration tests, and any other relevant audit reports. You have less control over the cloud environment than with your own network, so try to maintain as much of that control as possible through contractual agreements and SLAs.

* A pivot is when a hacker breaks into a computer and uses that computer to hack into another. This has a few advantages: 1) It disguises the hacker's true origin. 2) It allows a hacker to attack other targets from the point of view of the victim (i.e. inside the firewall). If the attacker couldn't port scan you before, he can now! The best type of pivot is a VPN pivot. The hacker sets up a secure VPN connection between the compromised host inside your network and the outside world, effectively giving him a backdoor into your corporate network.

It may be possible in your IaaS/PaaS environment that multi-tenancy exists. If this condition exists, you may not be allowed to perform authenticated tests, or any test for that matter, against certain systems (due to the impact it can have on other CSP customers). You will have to work with your CSP to determine what is allowed and what is not, which should all be documented in your contractual agreement and SLA. Your goal should still be as much testing coverage as possible within legal bounds.

AARON BRYSON
Aaron is a Senior Information Security Engineer & Risk Management Specialist at Cisco's Corporate Security Programs Office (CSPO), on the Infosec Risk & Audit team. Aaron's history at Cisco began with the Intrusion Detection/Prevention System team (IDS/IPS product). After a couple of years he moved to the consulting arm of Cisco as a penetration tester, where his clients included many Fortune 500 companies & government entities in every vertical. Eventually, he moved his skills in-house to the Infosec team to create Cisco's own internal application security penetration testing program to secure the company's few thousand applications, as well as a Red Team. Primary responsibilities now include developing and performing penetration test programs for Cisco's products, web applications and services, and network on a global scale. Clients include Cisco-on-Cisco, partners, acquisitions, and customers.



Penetration testing can benefit from cloud computing to improve the business model for resource-intensive tests. The flexibility and cost effectiveness of the IaaS model can be used for resource-greedy activities such as brute forcing or denial-of-service tests.

Cloud computing is a technology of distributed data processing in which computer resources and capacities are provided to the user as an Internet service. Cloud computing services are presented to the user in the following forms:
SaaS (Software as a Service)
PaaS (Platform as a Service)
IaaS (Infrastructure as a Service)
HaaS (Hardware as a Service)
WaaS (Workplace as a Service)
EaaS (Everything as a Service)
DaaS (Data as a Service)
SaaS (Security as a Service)

First of all, we are interested in IaaS, because this service is the most needed and realistic environment for pentesters today. IaaS allows the user to create a virtual server using the equipment of a cloud computing provider. The most evident advantage of this service is almost unlimited computing power, which may be used by a pentester when necessary, e.g. to crack passwords. What is IaaS for a pentester? IaaS gives him or her a unique opportunity to use tens of servers with identical power and so follow a realistic approach to such techniques as IPS bypass in the course of remote port scanning, distributed password brute-forcing, denial of service attacks, network perimeter scanning, automated vulnerability detection in the customer infrastructure, etc.

Abuse Types

Innovative cloud computing technology may be applied both for good purposes and for not-so-good ones. How can the bad guys make use of the service? We will try to consider the question in this chapter by the example of the most widespread abuses by malicious Internet users.

The problem of anonymity when using cloud computing services is highly urgent. The trouble is that, at best, all the information necessary to access such services amounts to a credit card number and a cell phone number, which are used to authenticate the person (e.g. by the Amazon service). Most providers take the user's word on trust and do not think about the issues that will arise after their service becomes a key element in breaking into some resource.
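To make the "tens of servers with identical power" point concrete, here is an added example (not from the article, and not any real cracking tool's code) of how an exhaustive password search is split across N identical IaaS workers so that no candidate is hashed twice and none is skipped. The alphabet, the password length and the target hash are constructed for the example; the shard arithmetic is the part that carries over to a real fleet, where each worker would be a separate instance given its own worker id.

```python
"""Split an exhaustive password search across N identical workers.

Added example with constructed data. Each worker owns a contiguous, disjoint
slice of the keyspace, so the fleet finishes in roughly 1/N of the time and
no two machines repeat work. parallel=True uses local processes in place of
cloud instances; the default runs the "fleet" one worker at a time.
"""
import hashlib
import string
from multiprocessing import Pool

ALPHABET = string.ascii_lowercase   # constructed keyspace: 4 lowercase letters, 26**4 candidates
LENGTH = 4
KEYSPACE = len(ALPHABET) ** LENGTH


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 hex digest, standing in for whatever hash the dump used."""
    return hashlib.sha1(text.encode()).hexdigest()


def index_to_candidate(i: int) -> str:
    """Map an integer in [0, KEYSPACE) to a candidate (mixed radix, most significant first)."""
    chars = []
    for _ in range(LENGTH):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))


def shard(worker_id: int, n_workers: int) -> tuple:
    """Half-open [start, end) slice of the keyspace for one worker.

    Integer arithmetic on the bounds makes the slices tile the keyspace exactly:
    the end of worker w is the start of worker w + 1.
    """
    start = worker_id * KEYSPACE // n_workers
    end = (worker_id + 1) * KEYSPACE // n_workers
    return start, end


def crack_shard(job: tuple):
    """One worker: hash every candidate in its slice until the target matches."""
    target_hex, worker_id, n_workers = job
    start, end = shard(worker_id, n_workers)
    for i in range(start, end):
        candidate = index_to_candidate(i)
        if sha1_hex(candidate) == target_hex:
            return worker_id, candidate
    return worker_id, None


def distributed_crack(target_hex: str, n_workers: int, parallel: bool = False):
    """Dispatch one job per worker; return (worker_id, password) or (None, None)."""
    jobs = [(target_hex, w, n_workers) for w in range(n_workers)]
    if parallel:
        with Pool(processes=n_workers) as pool:
            results = pool.map(crack_shard, jobs)
    else:
        results = [crack_shard(job) for job in jobs]
    for worker_id, candidate in results:
        if candidate is not None:
            return worker_id, candidate
    return None, None


if __name__ == "__main__":
    # Constructed target: the hash of "qwer", as if pulled from a credential dump.
    print(distributed_crack(sha1_hex("qwer"), n_workers=8, parallel=True))
```

Adding machines changes only `n_workers`; the per-worker cost falls linearly because the slices are disjoint, which is what makes an IaaS fleet attractive for this kind of work. A real job would hand each instance its worker id and the target, and collect the results over the network rather than through a local Pool.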

Read the full story


Lying in Wait to Attack From the Cloud

and how we can try to protect ourselves
The idea of a hacker leasing a server or a VM (with a stolen PayPal account, of course) from an ISP or cloud provider and using that environment as a jumping-off point to create hate and discontent is nothing new. In most cases this is a loud attack and will get the server unplugged from the network or the VM removed in no time.

What if a hacker could have a VM with all their tools and code ready to go, stored in the cloud, and invoked at the most opportune moment? This could create almost the perfect scenario for a hacker. An excellent use case for moving to a cloud is disaster recovery. Depending on your business continuity plan, a cloud instance can be spun up in a matter of minutes, data stored in another cloud transferred to that instance, and DNS changes invoked to route traffic to your new environment. Your business is now backed up and running, all in a matter of minutes at a low cost. In most cases, to reduce your costs, you build the VMs and then they are stored until needed, so the cost lies in the time you spend building your VMs and the amount of data stored. Costs rise once the VMs are spun up, as there is usually a charge for transferring the data. Still cheap! Let's say an attacker approaches a cloud as a legitimate company looking for the use case just described. In truth the attacker is installing tools, code and an entrance point from the Internet to make it look like the VM was compromised. When the time is right the hacker invokes a disaster recovery scenario, maybe during a large disaster or crisis. The hacker "compromises" his own VM and now has a platform to attack other organizations in that cloud or targets outside of the cloud, possibly making less noise than the large disaster or crisis going on.

Read the full story



Vulnerability Disclosure
A Closer Look At Vulnerability Management
In a perfect world there would be no vulnerabilities available for attackers to be able to exploit. In a less than perfect world, vendors and researchers would work together to find these vulnerabilities before they were ever made public.

The problem that we have as security professionals (and/or as a vendor) is that we do not live in either a perfect world or a near perfect world. Vulnerabilities are being found, sold and then used to attack people every day. For example, just by looking at one database available to researchers/attackers (The Open Source Vulnerability Database) we can see an excess of 70,000 vulnerabilities over a 46 year period (although the reliability of this statistic is questionable, it nevertheless supports my point). It would be interesting to see exactly how these vulnerabilities were disclosed to the database and whether or not it was prior to the vendor finding out that the vulnerability existed. There are no laws regarding vulnerability disclosure at the moment and no standards are in place for researchers or vendors to abide by. Later on in this article, I will be looking into standards that are currently being created to help and aid in vulnerability disclosure and remediation.

This article is a result of a lot of different thoughts and ideas regarding vulnerability disclosure and management. Thus, it doesn't flow in any particular direction or order, but should be read as a series of notes about the disclosure of vulnerabilities. For a more in-depth guide, look out for a talk that myself and Josh Grunzweig will hopefully be giving at a number of conferences throughout the year. If you have any questions please feel free to contact me at

The Perfect Disclosure
A perfect disclosure happens from time to time, but usually you would be lucky to be involved with one. There are two sides to the disclosure process, the first being the researcher disclosing the vulnerability and the second being the vendor fixing or conversing with the researcher. In a perfect world the following would be an example of a disclosure (see Figure 1). The beginning step in this flowchart is an important one. I'm currently part of a mailing list named VIM (Vulnerability Information Managers) over at Attrition that is dedicated to the vulnerability management of advisories on different databases. Most of the topics that are discussed are about the duplication of CVEs or vulnerabilities in these different databases. Having duplicate vulnerabilities may not seem like a big problem, but it messes around with statistics and can make it difficult for vendors to track even the simplest of problems that may have arisen from that one vulnerability.

Read the full story


Turning a Nation Off With Binary Planting

How Binary Planting Bugs Can Be Used In a Real Penetration Test For Crossing Security Boundaries
The last two years have produced an enormous number of binary planting vulnerabilities in widely-used software that runs on almost every network in the world.

These remotely exploitable security defects, some of which are also known as DLL hijacking, can be a highly valuable asset to penetration tester and malicious attacker alike when trying to achieve some of the most catastrophic security goals imaginable. Like, say, taking down a power grid. Every real penetration tester knows that both actual attacks and simulated deep network intrusions (penetration tests) consist of various propagation steps where the attacker, whether malicious or friendly, crosses security boundaries and obtains additional privileges in the hope of getting closer to the crown jewels they are after. Typically, these propagation steps require some vulnerability in the target, and pentesters usually have a wide range of software defects, configuration errors, network topology flaws, other human errors such as passwords in files accessible to everyone, and social engineering tricks to choose from. During the last two years, a lot of research has been done on how securely or insecurely widely-used Windows applications load their dynamic-link libraries and launch other standalone executables. This research produced hundreds of so-called binary planting [1] vulnerabilities in applications from practically all leading software vendors. However, the applicability of these vulnerabilities in real-world attacks remains poorly understood, even by security professionals and penetration testers. This article will attempt to demonstrate how binary planting bugs can be used in a real penetration test for crossing some typical security boundaries. I invite you to join our team on an exciting pentesting engagement and learn a few tricks along the way.

The goal

Every real penetration test starts with setting a number of security goals: i.e., what the friendly attacker is going to try to achieve in the target network. Typically, such goals include obtaining administrative access to the mainframe or the main database, taking control of corporate Windows domains, seizing the network infrastructure (i.e., gaining network access and credentials for the main routers and switches), obtaining control over computers with critical data, such as in HR, the legal department, accounting or the CEO's office, or, in the case of banks, making an unauthorized transfer of funds to some agreed-upon account.

Read the full story


Is your MISSION-CRITICAL security strong enough to stop a SKILLED ATTACKER?

Don't guess Don't believe Don't hope



An ACROS Penetration Test is conducted exactly like a real attack by a skilled, motivated adversary, only without the damage. We will find the weakest links in your security and use all our knowledge, skills and capabilities to try to achieve exactly what your security measures and policies are there to prevent. If it sounds difficult, we're interested. Experience the ultimate test of your security. (After all, the only alternative is to wait for an actual attack.)

ACROS Security
