CEH v11 Cloud Computing

¡Supera tus tareas y exámenes ahora con Quizwiz!

Anti-virus

AV

AssumeRole

AWS IAM policy permissions that are flexible, but misconfigurations in the role permissions can open doors to various attacks.

Shared Technology Issues

Most underlying components that make up the cloud infrastructure (e.g., GPU and CPU caches) do not offer strong isolation properties in a multi-tenant environment which allows attackers to attack other machines if they can exploit the vulnerabilities in a

Network protocol by Cisco

Netflow

No Back-off Process for Scheduling

No back-off process for scheduling the execution of Kubernetes pods This causes a tight loop as the scheduler continuously schedules a pod that is rejected by the other processes

Container Technology Tier-4

Orchestrators - transforming images into containers and deploying containers to hosts

Mixing of Workload Sensitivity Levels

Orchestrators place workloads with different sensitivity levels on the same host. If a container hosts a public webserver with vulnerabilities, it may pose a threat to containers processing sensitive information.

Compliance Risks

Organizations that seek to obtain compliance with standards and laws may be put at risk if the CSP cannot provide evidence of their own compliance with the necessary requirements, outsources cloud management to third parties, and/or does not permit audit by the client

Non-Updated Images

Outdated images contain security loopholes and bugs that compromise the security of images.

Public key infrastructure

PKI

Theft of Computer Equipment

Poor controls over the physical parameters such as smart card access at the point of entry may lead to the loss of physical equipment and sensitive data

A2 - Broken Authentication

Poor design of identity and access controls

R7 - Multi Tenancy and Physical Security

Poor logical segregation may lead to tenants interfering with the security features of other tenants

Network Management Failure

Poor network management leads to network congestion, misconnection, misconfiguration, lack of resource isolation, etc., which affects service and security

A7 - Security Misconfiguration

Poor patch management, functions with long timeout and low concurrency

AWS pwn

AWS hacking tool that includes various automated scripts for hacking phases such as reconnaissance, escalating privileges, maintaining access, and clearing tracks

Vulnerabilities in AWS-Hosted Applications

Allows attackers to perform attacks such as reading local files and server-side request forgery to steal AWS IAM credentials

None

Allows the container to implement its own networking stack and is isolated from the host networking stack

Real traffic grabber

RTG

Container Technology Tier-3

Registries - storing images and disseminating images to the orchestrators based on requests

Loss of Business Reputation due to Co-tenant Activities

Resources are shared in the cloud, thus malicious activity by one co-tenant might affect the reputation of the another, resulting in poor service delivery, data loss, etc. that can be detrimental to an organization

Dump instance metadata

Retrieves important information metadata of EC2 instances. Extract metadata for the instance the command is run.

Password Reuse

Reusing the same passwords for multiple services enables attackers to compromise the credentials and gain access to other cloud services

Tools used to Identify S3 buckets

S3Scanner, lazys3, Bucket Finder, and s3-buckets-bruteforcer lazys3, Bucket Finder, and s3-buckets-bruteforcer

Security development lifecycle

SDL

VULNERABILITY: Cross-Site Scripting (XSS)

SOLUTIONS: - Encode all untrusted data before transmitting to the client - Use only well-known frameworks and headers

VULNERABILITY: No Certificate Revocation

SOLUTIONS: - Ensure that nodes maintain the Certificate Revocation List (CRL) -Insist that administrators use OCSP stapling for revoking certificates

VULNERABILITY: Insecure Deserialization

SOLUTIONS: - Ensure validation of serialized objects originating from untrusted data - Scan third-party libraries for deserialization vulnerabilities

VULNERABILTY: Sensitive Data Exposure

SOLUTIONS: - Identify and classify sensitive data - Encrypt data both in transit and at rest - Implement HTTPS endpoints for APIs

VULNERABILITY: No Back-off Process for Scheduling

SOLUTIONS: - Implement a back-off process for kube-scheduler to prevent tight-loops

VULNERABILITY: Log Rotation is not Atomic

SOLUTIONS: - Implement a copy-then-rename technique to ensure logs are not lost during log rotation -Avoid using log rotation, and implement persistent logs that add log data linearly

VULNERABILITY: Injection

SOLUTIONS: - Implement safe API, and employ parametrized interfaces or Object Relational Mapping Tools - Avoid special characters using a specific escape syntax in dynamic SQL queries

VULNERABILITY: Using Components with Known Vulnerabilities

SOLUTIONS: - Perform continuous monitoring of third-party libraries and dependencies - Deploy only signed packages and components from official sources

VULNERABILITY: XML External Entities (XXE)

SOLUTIONS: - Scan supply chain libraries for vulnerabilities - Test API calls for XXE vulnerabilities - Always disable Entity Resolution

VULNERABILITY: Non-constant Time Password Comparison

SOLUTIONS: - Use a safe constant-time comparison function such as crypto.subtle.ConstantTimeCompare - Disapprove basic authentication mechanisms for secure options

VULNERABILITY: Security Misconfiguration

SOLUTIONS: - Use the cloud provider's built-in services such as AWS Trust Advisor, to identify public resources - Identify functions with unlinked triggers - Set the functions with a minimum timeout required

VULNERABILITY: Hardcoded Credential Paths

SOLUTIONS: -Define a configuration method for credential paths, and avoid hardcoding credential paths -Allow cross-platform configuration through path generalization

VULNERABILITY: Insufficient Logging and Monitoring

SOLUTIONS: Employ cloud service provider's monitoring tools such as Azure Monitor, or AWS CloudTrail to detect anomalous behavior

VULNERABILITY: Broken Access Control

SOLUTIONS: Follow the least-privilege principle while granting permissions to functions

VULNERABILITY: Unauthenticated HTTPS Connections

SOLUTIONS: - Authenticate all HTTPS connections within the system - Ensure that all the components use CA maintained by the kube-apiserver - Implement two-way TLS for all the connections

VULNERABILITY: Exposure of Sensitive Data via Environment Variables

SOLUTIONS: - Avoid collecting sensitive data directly from environment variables -Use Kubernetes secrets in all components of the system

VULNERABILITY: Secrets at Rest not Encrypted by Default

SOLUTIONS: -Define and document configurations required for different levels of security

VULNERABILITY: Broken Authentication

SOLUTIONS: -Employ identity and access control solutions -Implement strong authentication and access control on external-facing resources -Employ secure service authentication methods such as Federated Identity

VULNERABILTY: No Non-repudiation

SOLUTIONS: -Use secondary logging mechanisms for processes that require strict non-repudiation and auditing -All authentication events should be logged and retrievable from a central location

VULNERABILITY: Exposed Bearer Tokens in Logs

SOLUTONS: - Remove the bearer token from the system logs - Perform code reviews to ensure sensitive data is not logged and implement logging filters

A1 - Injection

SQL/NoSQL injection, OS command injection, Code injection

Secure web gateway

SWG

Secrets at Rest not Encrypted by Default

Secrets defined by users are not encrypted by default. Attackers gaining access to etcd servers can retrieve unencrypted secrets

Hijacked Repository and Infected Resources

Security misconfiguration and bugs allow gaining unauthorized access to the repository that can poison the resources by altering or deleting files.

Public Cloud

Services are rendered over a network that is open for public use. May be free or based on a pay-per-usage model (e.g., Amazon Elastic Compute Cloud (EC2), Google App Engine, Windows Azure Services Platform, IBM Bluemix).

Accessing Container

Similar to accessing nodes, attackers can also retrieve the same information within the container itself. By attacking volumes from a container, attackers can configure the hostpath volume type to retrieve sensitive information from a node. Attackers can further use filesystem tools to browse all m

A3 - Sensitive Data Exposure

Storing sensitive data in plaintext or using weak encryption

Trusted platform module

TPM

VM-Level Attacks

The cloud extensively uses virtualization technology. This threat arises due to the existence of vulnerabilities in the hypervisors

R5 - User Privacy and Secondary Usage of Data

The default share feature in social web sites can jeopardize the privacy of user's personal data

Lock-in

The difficulties experienced by a user when migrating from in-house systems or from one cloud service provider to another due to the lack of tools, procedures, or standard data formats, poses potential threats to data, application, and service portability

Large attack surface

The host OS consists of many containers, applications, VMs, and databases in the cloud or on-premises. It implies a large number of vulnerabilities and an increased difficulty in detecting them.

Loss of Encryption Keys

The loss of encryption keys required for secure communication or systems access provide a potential attacker with the opportunity to get unauthorized access to assets

Licensing Risks

The organization may incur a huge licensing fee if the software deployed in the cloud is charged on a per instance basis

Cloud Service Termination or Failure

The termination of cloud service due to non-profitability or disputes might lead to data loss unless end-users are legally protected

wrapping attack

An attack performed during the translation of the SOAP message in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.

Domain Name System (DNS) Attacks

An attack used to obtain authentication credentials from Internet users.

Exploiting SSRF Vulnerability

An attacker exploits a web application that is hosting the cloud service to retrieve the AWS credentials for a role, add the retrieved credentials to the local aws-cli, retrieve user account details from S3 buckets, and gain access and exfiltrate the data stored in all the buckets related to that account.

Kubernetes

An open-source container orchestration engine for automating deployment, scaling, and management of containerized applications

Application security

App Sec

Inspecting HTML

Attackers attempt to perform HTML source code analysis to gather information about the S3 buckets. Analyzing the source code of HTML web pages in the background allows attackers to find URLs to target S3 buckets.

No Certificate Revocation

Attackers can exploit the certificate before it is replaced across the entire cluster

Exploiting Third-Party Software

Attackers compromise third-party software used to manage cloud services to gain high-level access to the data stored in the cloud environment

Abuse and Nefarious Use of Cloud Services

Attackers create anonymous access to cloud services and perpetrate attacks. ex: Password and key cracking, Building rainbow tables, CAPTCHA-solving farms, Launching dynamic attack points, Hosting exploits on cloud platforms, Hosting malicious data, Botnet command or control DDoS

Repository Misconfigurations

Attackers exploit misconfigurations while hosting AWS keys in a shared storage on the internal network such as the Git repository to access the AWS IAM keys

Exposed Bearer Tokens in Logs

Attackers having access to the system logs can impersonate a legitimate user

SQL Injection Attacks

Attackers insert malicious code (generated using special characters) into a standard SQL code to gain unauthorized access to a database and ultimately to other confidential information.

Network-based attacks

Attackers may exploit failed containers having active raw sockets and outbound network connections to launch various network-based attacks.

Loss/ Modification of Backup Data

Attackers might exploit vulnerabilities such as SQL injection, insecure user behavior like storing passwords, and reusing passwords to gain illegal access to the data backups in the cloud

Advanced Google Hacking

Attackers use advanced Google search operators, such as "inurl", to search for URLs related to the target S3 buckets.

Reverse IP Search

Attackers use search engines, such as Bing, to perform reverse IP search to identify domains of target S3 buckets. Attackers use the advance search operator ip:<target IP address> in the Bing search engine to obtain different domains related to the target bucket that resolves the given IP address.

Social Engineering

Attackers use techniques such as fake emails, calls, or SMSs to trick the users into revealing AWS IAM credentials.

DumpsterDiver

Attackers use this tool to identify potential secret leaks and hardcoded passwords in the target cloud services, by examining a large volume of file types while scanning hardcoded secret keys, such as AWS access, SSL, and Microsoft Azure keys.

Finding subdomains

Attackers use tools, such as Findsubdomains and Robtex, to identify subdomains related to the target bucket.

Bypassing isolation

Attackers, after compromising the security of a container, may escalate privileges to gain access to other containers or the host itself.

R4 - Business Continuity and Resiliency

There can be business risk or monetary loss if the cloud provider handles the business continuity improperly

R3 - Regulatory Compliance

There is a lack of transparency, and there are different regulatory laws in different countries

Detective controls

These controls detect and react appropriately to occurring incidents. Example: Employing IDSs, IPSs, etc. helps detect attacks on cloud systems.

Corrective controls

These controls minimize the consequences of an incident by limiting the damage. Example: Restoring system backups.

Deterrent controls

These controls reduce attacks on the cloud system. Example: A warning sign on the fence or property to inform potential attackers of adverse consequences if they proceed to attack

Preventive controls

These controls strengthen the system against incidents by minimizing or eliminating vulnerabilities. Example: A strong authentication mechanism to prevent unauthorized use of cloud systems.

Network Drivers

These drivers are pluggable so that multiple network drivers can be used concurrently on the same network.

Automated management

By minimizing user involvement, cloud automation speeds up the process and reduces labor costs and the possibility of human error.

Unsynchronized System Clocks

Can affect the working of automated tasks. The network administrator cannot accurately analyze the log files for any malicious activity, if the timestamps are mismatched.

Impetuous Image Creation

Careless creation of images without considering the security safeguards or control aspects leads to vulnerabilities in the images

Conflicts between Client Hardening Procedures and Cloud Environment

Certain client hardening procedures may conflict with a cloud provider's environment, making their implementation by the client impossible

Insecure Interfaces and APIs

Circumvention of user defined polices, Credentials leakage, Breach in logging and monitoring facilities Dependency on unknown APIs, Reuse of passwords/tokens, Poor input-data validation

Unknown Risk Profile

Client organizations are unable to get a clear picture of the internal security procedures, security compliance, configuration hardening, patching, auditing, and logging, etc. as they are less involved with hardware and software ownership and maintenance in the cloud

Security-as-a-Service (SECaaS)

This cloud computing model integrates security services into corporate infrastructure in a cost-effective way. It is developed based on SaaS and does not require any physical hardware or equipment. Therefore, it drastically reduces the cost compared to that spent when organizations establish their own security capabilities. It provides services such as penetration testing, authentication, intrusion detection, anti-malware, security incident and event management (e.g., eSentire MDR, Switchfast Technologies, OneNeck IT Solutions, McAfee Managed Security Services).

Management Layer Security Controls

This layer covers the cloud security administrative tasks, which can facilitate continued, uninterrupted, and effective services of the cloud. GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring

Physical Layer Security Controls

This layer includes security measures for cloud infrastructure, data centers, and physical resources. Physical Plant Security, CCTV, Guards

Endpoint

To maintain application portability, an endpoint is connected to a network and is abstracted away from the application, so that services can implement different network drivers.

Cloud Container Attack Tool (CCAT)

Tool used for exploiting docker containers on AWS.

R6 - Service and Data Integration

Unsecured data in transit is susceptible to eavesdropping and interception attacks

A7 - Cross-Site Scripting (XSS)

Untrusted input used to generate data without properly escaping

Buckets

Used for static file storage.

packet sniffers

Used to capture sensitive data such as passwords, session cookies, and other web service-related security configuration files such as the UDDI (Universal Description Discovery and Integrity), SOAP (Simple Object Access Protocol) and WSDL (Web Service Description Language)

Docker inspect command

Used to detect external storage mounts, such as S3 and network file system (NFS).

S3Inspector

Used to enumerate AWS S3 bucket permissions. By using this tool, attackers can verify whether a bucket is public or non-public.

S3Scanner

Used to identify open S3 buckets of cloud services, such as Amazon AWS, and retrieve their content for malicious purposes.

Cross-Site Scripting (XSS) Attack

Used to steal cookies used in the user authentication process; this involves injecting a website with malicious code, which is subsequently executed by the browser.

A4 - XML External Entities (XXE)

Using XML processors might make the application vulnerable to XXE attacks

R10 - Non-Production Environment Exposure

Using non-production environments increases the risk of unauthorized access, information disclosure, and information modification.

R1 - Accountability and Data Ownership

Using the public cloud for hosting business services can cause severe risk for the recoverability of data.

Unreliable Third-Party Resources

Using untrusted third-party resources causes severe threat and makes the resources vulnerable to malicious attacks.

Virtual application/Virtual machine

VA/VM

Virtual private network

VPN

Accessing Master Nodes

Volume configurations, such as iSCSI, store configuration details in the form of secrets. If attackers gain access to the API or etcd, they can easily retrieve the configuration details of these volumes.

Exploited Applications

Vulnerable applications can be exploited using various techniques (e.g., SQLi, XXS, RFI).

Web application firewall

WAF

Illegal Access to the Cloud

Weak authentication and authorization controls could lead to illegal access, thereby compromising confidential and critical data stored in the cloud

Authentication Attacks

Weak authentication mechanisms (weak passwords, re-use of passwords, etc.) and the inherent limitations of one-factor authentication mechanisms can allow an attacker to gain unauthorized access to cloud computing systems

Loss of Governance

When using cloud infrastructures, the customer gives up control to the cloud service provider including control of issues that may affect security

dockerscan

a Docker analysis and hacking tool that allows attackers to perform various malicious activities such as scanning networks to identify Docker registries, manipulating registries, analyzing images for retrieving sensitive information, and extracting and modifying Docker images

Kube-bench

a Go application used to check whether Kubernetes is securely deployed by running checks according to the center for internet security Kubernetes benchmark documentation. It performs permission, authentication, and security checks across Kubernetes clusters and secures containers data.

Networking

a channel through which all isolated containers communicate.

McAfee MVISION Cloud

a cloud security platform that provides real-time protection for enterprise data and users across all cloud services. It allows security professionals to gain complete visibility into data, context, and user behavior across all cloud services and devices, take real-time action deep within cloud services to correct policy violations and stop security threats, and apply persistent protection to sensitive information.

Server-Side Request Forgery

a common web application vulnerability used by the attackers to send random web requests to the victims from a compromised web server.

Cloud storage

a data storage medium used to store digital data in logical pools using a network.

Etcd

a distributed and consistent key-value storage, where Kubernetes cluster data, service discovery details, API objects, etc. are stored.

cluster

a group of computers known as nodes, which execute the applications inside the containers

Kube-controller-manager

a master component that runs controllers.

Kube-scheduler

a master component that scans newly generated pods and allocates a node for them. It assigns the nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions.

Kuryr

a network plugin that implements the Docker libnetwork remote driver by using Neutron, an OpenStack networking service, and also includes an IPAM driver.

Social engineering

a non-technical intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures

Cloud Security Alliance (CSA)

a nonprofit global organization that provides rising awareness and promotes best practices and security policies to help and secure the cloud environment.

container

a package of an application/software including all its dependencies such as library files, configuration files, binaries, and other resources that run independently of other processes in the cloud environment.

Server

a persistent back-end process, also known as a daemon process (dockerd command).

Metadata Spoofing Attack

a process of changing or modifying service metadata written in the web service definition language (WSDL) file, where the information regarding service instances is stored.

Loss of Operational and Security Logs

a risk for managing the implementation of the information security management program

IBM Cloud

a robust suite of advanced data and AI tools and deep industry expertise. It provides various cloud services, such as IaaS, SaaS, and PaaS, through public, private, and hybrid cloud delivery models. These services include computing, networking, storage, management, security, databases, analytics, AI, IoT, mobile, Dev tools, and blockchain.

Simple storage service (S3)

a scalable cloud storage service used by Amazon AWS where files, folders, and objects are stored via web APIs.

GCPBucketBrute

a script-based tool that allows attackers to enumerate Google storage buckets, determine what kind of access they have for them, and check whether they can be privilege escalated

Zero Trust model

a security implementation that by default assumes every user trying to access the network is not a trusted entity and verifies every incoming connection before allowing access to the network. This model prevents users/employees from accessing a network without being verified.

Microsoft Azure Functions

a serverless computing platform that allows users to run code without provisioning and managing servers. It is fully automated and provides scaling based on the workload volume; this feature lets users add more values without thinking about back-end server management.

Protego

a serverless security platform that provides complete lifecycle security to serverless applications from deployment to runtime.

CaaS

a service that includes the virtualization of containers and container management through orchestrators.

Container Runtime

a software designed to run the containers. Kurbernetes supports various container runtimes, such as Docker, rktlet, containerd, and cri-o.

Volumes

a storage where persisting data created by Docker and used by Docker containers are stored.

Cloudborne

a vulnerability residing in a bare-metal cloud server that enables attackers to implant malicious backdoor in its firmware.

Front-end layer

accessed by the end user where it provides APIs for the management of data storage

service hijacking

an attacker steals the credentials of a CSP or a client by phishing, pharming, social engineering, and exploitation of software vulnerabilities.

MITM attacks

an attacker uses an exploit that intercepts and manipulates the communication between two parties

Qualys Cloud Platform

an end-to-end IT security solution that provides a continuous, always-on assessment of the global security and compliance posture, with visibility across all IT assets irrespective of where they reside

Docker

an open source technology used for developing, packaging, and running applications and all its dependencies in the form of containers, to ensure that the application works in a seamless environment

Pacu

an open-source AWS exploitation framework for enumerating and hijacking IAM roles. The tool contains a 1100+ wordlist of commonly used role names.

Contiv

an open-source network plugin introduced by Cisco for building security and infrastructure policies for multi-tenant microservices deployments.

enumerate IAM role names

analyzing the AWS error messages, which reveal information regarding the existence of a user.

IPAM Drivers

assign default subnet and IP addresses to the endpoints and networks, if they are not assigned.

Session Riding

attackers "ride" an active computer session by sending an email or tricking users into visiting a malicious webpage during login to an actual target site.

Cloud Malware Injection Attack

attackers install malicious service implementations or virtual machines into the cloud services that run as SaaS, PaaS, or IaaS.

Isolation Failure

attackers may try to control operations of other cloud customers to gain illegal access to the data

Brute-forcing URL

attackers perform brute-force attacks on the target bucket to identify the correct bucket UR.

Man-in-the-Cloud (MITC) Attack

attacks are carried out by abusing cloud file synchronization services, such as Google Drive or DropBox, for data compromise, command and control (C&C), data exfiltration, and remote access.

Trivy

automated tool used to perform container image vulnerability scanning.

Automatic bin packing

can manage a cluster of nodes that run containerized applications.

env

command on a container returns all the details, including the credentials used to initiate the containers.

Sandbox

comprises the container network stack configuration for the management of container interfaces, routing tables, and domain name system (DNS) settings.

Unauthenticated HTTPS Connections

connections between the components are not authenticated properly Attackers can gain unauthorized access to kubelet-managed Pods and retrieve sensitive information

Container images

consist of an operating system, application, runtime, etc. packaged together.

Trusted Computing Layer Security Controls

defines a secured computational environment that implements internal control, auditability, and maintenance to ensure the availability and integrity of cloud operations. Hardware and software RoT and API's

Docker networking architecture

developed on a set of interfaces known as the container network model (CNM), which provides application portability across heterogeneous infrastructures.

Microservices

divide and distribute the application workload, providing stable, seamless, and scalable services by interacting with each other.

Docker architecture

employs a client/server model and consists of various components, such as the host, client, network, registry, and other storage units.

Application Layer Security Controls

establish the policies that match the industry adoption security standards; e.g., OWASP for a web application. It should meet and comply with appropriate regulatory and business requirements. SDLC, Binary Analysis, Scanners, Web App Firewalls, Transactional Sec

Hardware Failure

failures such as switches and servers in data centers can make the cloud data inaccessible

Cryptanalysis Attacks

flaws in cryptographic algorithm implementations (e.g., weak random number generation) may turn strong encryption to weak or broken.

DoS Attacks

flooding the server with multiple requests to consume all available system resources, passing malicious input to the server that crashes an application process, entering wrong passwords continuously so that the user account is locked, etc.

Cloud Hacking

gaining access to user data and blocking access to cloud services.

AWS accounts

identified via unique IDs, which, when exposed in the public domain, can be leveraged by attackers to target cloud services.

Sysdig

identifies Kubernetes vulnerabilities by integrating continuous integration (CI) or continuous delivery/deployment (CD) pipelines, image registry, and Kubernetes admissions controllers and also validates container images at the orchestration level using the Kubernetes admission controller feature.

Tier-1: Developer machines

image creation, testing and accreditation

Docker client

interacts with the Docker daemon, which develops, runs, and distributes the containers.

DDoS attack

involves a multitude of compromised systems attacking a single target, thereby causing a denial of service to users of the targeted system.

Network sniffing

involves interception and monitoring of network traffic which is being sent between the two cloud nodes

Docker Registries

locations where images are stored and pulled, and can be either private or public.

Cloud Provider Acquisition

may increase the probability of a tactical shift which may put non-binding agreements at risk. This could make it difficult to satisfy the security requirements

Docker Backdoor

module used to create a reverse shell backdoor replacing the default CMD command.

Pull Repos from ECR

module used to download the target repository

Enumerate ECR

module used to list the details of available ECR repositories.

Push Repos to ECR

module used to upload the modified Docker image to the ECR repository.

Docker Swarm

multiple Docker engines within the Docker platform.

Distributed storage

offers the cloud better scalability, availability, and reliability of data. However, can potentially raise security and compliance concerns.

Tier-5: Hosts

operating and managing containers as instructed by the orchestrator

Middleware layer

performs several functions such as data de-duplication and replication of data

Google Cloud Platform (GCP)

provides IaaS, PaaS, and serverless computing services. These include computing, data storage and analytics, machine learning, networking, bigdata, cloud AI, management tools, identity and security, IoT, and API platforms.

CloudPassage Halo

provides comprehensive security visibility and continuous compliance for public cloud infrastructure. It is a security automation platform that delivers comprehensive visibility, protection, and continuous compliance monitoring to reduce cyber security risks. It provides features such as discovering all cloud assets, reducing public cloud attack surface, identifying critical risks, and maintaining continuous compliance.

Amazon Web Service (AWS)

provides on-demand cloud computing services to individuals, organizations, the government, etc. on a pay-per-use basis.

Node components

run on each node in the cluster, managing working pods and supplying the Kubernetes runtime services.

Aqua

scans container images, VMs, and serverless functions for known vulnerabilities, embedded secrets, configuration and permission issues, malware, and open-source licensing. This tool restricts untrusted code from running and ensures that functions, containers, and VMs remain immutable, thus preventing any changes to running workloads compared with their originating images.

Tier-3: Registries

storing images and disseminating images to the orchestrators based on request

Man-in-the-Browser attacks

target a user's web-browser by injecting sophisticated malware (e.g., bots) that allow attackers to monitor information being shared between the user's browser and cloud application.

CloudGoat

the "Vulnerable by Design" AWS deployment tool developed by Rhino Security Labs. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios.

side-channel attack

the attacker runs a virtual machine on the same physical host as the victim's virtual machine and takes advantage of the shared physical resources (processor cache) to steal data (cryptographic keys) from the victim

Client CLI

the command-line interface used to communicate with the daemon and where various Docker commands are initiated.

cloud-controller-manager

the master component used to run controllers that communicate with cloud providers. It enables the Kubernetes code and cloud provider code to evolve separately.

Supply Chain Failure

Cloud providers outsource certain tasks to third parties. Thus the security of the cloud is directly proportional to the security of each link and the extent of dependency on third parties A disruption in the chain may therefore lead to a loss of data privacy and integrity, as well as services unavailability, a violation of the SLA, and economic and reputational losses, which in turn results in the failure to meet customer demand and cascading

Broad network access

Cloud resources are available over the network and accessed through standard procedures via a wide variety of platforms, including laptops, mobile phones, and personal digital assistants (PDAs).

Cryptojacking

the unauthorized use of the victim's computer to stealthily mine digital currency.

Create DB snapshot

tool allows attackers to access the information stored in a database by creating a snapshot and restoring it.

Orchestrators

tools that allow DevOps administrators to fetch images from the registries, deploy them into containers, and manage container operation.

Tier-4: Orchestrators

transforming images into containers and deploying containers to host

Cloud Hopper attacks

triggered at managed service providers (MSPs) and their customers. Once the attack is successfully implemented, attackers can gain remote access to the intellectual property and critical information of the target MSP and its global users/customers.

Synchronization tokens

used for application authentication in the cloud but cannot distinguish malicious traffic from normal traffic.

AWS IAM

used for providing identity management capabilities to AWS customers and manage the AWS user identities and their changing levels of access to the AWS resources.

Docker Objects

used to assemble an application.

Non-constant Time Password Comparison

using basic password authentication, does not perform secure comparison of secret values. Attackers can launch timing attacks to retrieve passwords

Tier-2: Testing and accreditation systems

verification and validation of image contents, signing images and sending them to the registries.

Back-end layer

where the hardware is implemented

Class of service/Quality of service

CoS/QoS

Hybrid Cloud

Combination of two or more clouds (private, community, or public) that remain unique entities but are bound together, thereby offering the benefits of multiple deployment models. In this model, the organization makes available and manages some resources in-house and provides other resources externally (e.g., Microsoft Azure, Zymr, Parangat, Logicalis). Example: An organization performs its critical activities on the private cloud (e.g., operational customer data) and non-critical activities on the public cloud.

Configuration control

Config Control

Ecosystem complexity

Containers are built, deployed, and managed using multiple vendors and sources. This makes it complex to secure and update the individual components because they originate from different repositories.

DevOps speed

Containers can be executed promptly and, after execution, are stopped and removed. This fugitiveness helps attackers launch attacks and hide themselves without installing any malicious code.

Inflow of vulnerable source code

Containers constitute an open-source platform used by developers to regularly update, store, and use images in a repository. This results in an enormous uncontrolled code that may include vulnerabilities, which can compromise security.

Compromising secrets

Containers require sensitive information, such as API keys, usernames, or passwords, for accessing any services. Attackers who illicitly gain access to this sensitive information can compromise security.

Container breakout to the host

Containers that runs as root may break the containment and gain access to the host OS through privilege escalation.

ls command to retrieve files stored on the Docker host

$ docker -H <Remote IP:Port> exec modest_goldstine ls

command to get an image of Alpine Linux

$ docker -H <Remote IP:Port> pull alpine

command to create a container from the image

$ docker -H <Remote IP:Port> run -t -d alpine

Bridge

Creates a Linux bridge on the host that is managed by the Docker

MACVLAN

Creates a network connection between container interfaces and its parent host interface or sub-interfaces

Create new user

Creates a new IAM user using existing credentials.

R2 - User Identity Federation

Creating multiple user identities for different cloud providers makes it complex to manage multiple user IDs and credentials

Management Interface Compromise

Customer management interfaces of cloud providers are accessible via the Internet and facilitate access to many resources. This enhances the risk, particularly when combined with remote access and web browser vulnerabilities

Distributed denial of service

DDoS

Data loss prevention

DLP

Data Breach/Loss

Data is erased, modified or decoupled (lost). Encryption keys are lost, misplaced or stolen. Illegal access to the data in the cloud due to improper authentication, authorization, and access controls and Misuse of data by the Cloud Service Provider (CSP)

Natural Disasters

Depending on geographic location and climate, data centers may be exposed to natural disasters such as floods, lightening, earthquakes, etc. that can affect the cloud services

A8 - Insecure Deserialization

Deserialization vulnerabilities in Python, JavaScript, etc.

Information Layer Security Controls

Develop and document an information security management program, which includes administrative, technical, and physical safeguards to protect information against unauthorized access, modification, or deletion. DLP, CMF, Database Activity Monitoring, Encryption

Container Technology Tier-1

Developer machines - image creation, testing and accreditation

iam_privesc_by_attachment

Discover and attach existing instance profiles to elevate privileges.

Malicious Insiders

Disgruntled current or former employees, contractors, or other business partners who have authorized access to cloud resources, can misuse their access to compromise the information available in the cloud

Data Exposure in Docker Files

Docker images exposing sensitive information, such as passwords and SSH encryption keys, can be exploited to compromise the security of the container.

R8 - Incidence Analysis and Forensic Support

Due to the distributed storage of logs across the cloud, law enforcement agencies may face problems in forensics recovery

Dump permissions

Dump permissions

Log Rotation is not Atomic

During log rotation, if the kubelet is restarted, all the logs may be erased The attacker waits for the log rotation to happen by monitoring it and then tries to remove all the logs

Multi Cloud

Dynamic heterogeneous environment that combines workloads across multiple cloud vendors, managed via one proprietary interface to achieve long term business goals. Uses multiple computing and storage services from different cloud vendors. It distributes cloud assets, software, applications, etc. across various cloud-hosting environments. Organizations use this cloud environment for distributing computing resources, thereby increasing computing power and storage capabilities, and limiting the data loss and downtime risk to a great extent (e.g., Microsoft Azure Arc, AWS Kaavo IMOD, Google Cloud Anthos).

Encryption

ENC

Overlay

Enables container to container communication over the physical network infrastructure

iam_privesc_by_rollback

Enumerate IAM policy versions and roll back to a previous version with higher privileges.

Exposure of Sensitive Data via Environment Variables

Environmental variables allow settings to be derived from the variables. Attackers can gain access to the stored values through environment logging

Virtualization

Essential technology that powers cloud computing. It provides the ability to run multiple OSs on a single physical system and share the underlying resources, such as servers, storage devices, or networks.

codebuild_secrets

Explore CodeBuild and SSM to discover plaintext secrets in a secure database.

Dump credentials:

Extracts the credentials available with this host and prints them out to the console.

Firewall

FW

ec2_ssrf

Find and exploit the EC2 metadata service to get keys using a server-side request forgery (SSRF) vulnerability in a web app.

rce_web_app

Find the secret endpoint and exploit a web app remote code execution vulnerability to gain root EC2 access inside a virtual private cloud (VPC).

Governance, risk, and compliance

GRC

Unauthorized Access

Gaining access to user accounts leads to privilege escalation attacks.

A5 - Broken Access Control

Granting functions access and more privileges to unnecessary resources

Identity and access management

IAM

Intrusion prevention system

IPS

Economic Denial of Sustainability (EDOS)

If an attacker engages the cloud with a malicious service or executes malicious code that consumes a lot of computational power and storage from the cloud server, then the legitimate account holder is charged for this kind of computation until the primary cause of CPU usage is detected

Subpoena and E-Discovery

If customer data or services are subpoenaed or subjected to a cease and desist request from authorities or third parties, access to such data and services may be compromised

No Non-repudiation

If debug mode is disabled, kube-apiserver does not record user actions. Attackers can directly interact with kube-apiserver and perform various malicious activities

Improper Data Handling and Disposal

If it is difficult to ascertain data handling and disposal procedures followed by CSPs due to limited access to cloud infrastructure, such data may be compromised

Hardcoded Credential Paths

If the cluster token and the root CA are stored in different locations, an attacker can insert a malicious token and the root CA to gain access to the entire cluster

Insufficient Due Diligence

Ignorance of the CSP's cloud environment poses risks to operational responsibilities such as security, encryption, incident response, and other issues such as contractual issues, design, and architectural issues

Insecure Container Runtime Configurations

Improper handling of the configuration option and mounting sensitive directories on the host cause faulty and insecure runtime configurations.

Computation and Storage Layer Security Controls

In the cloud, owing to the lack of physical control of the data and the machine, the service provider may be unable to manage the data and computation and lose the trust of the cloud consumers. CSPs must establish policies and procedures for data storage and retention and implement appropriate backup mechanisms to ensure availability and continuity of services that meet with statutory, regulatory, contractual, or business requirements and compliance. Host-based Firewalls, HIDS/HIPS, Integrity & File/Log Management, Encryption, Masking

Modifying Network Traffic

In the cloud, the network traffic may be modified due to flaws while provisioning or de-provisioning the network, or vulnerabilities in communication encryption and may cause loss, alteration, or theft of confidential data and communications

A10 - Insufficient Logging and Monitoring

Insufficient security monitoring and auditing

Cybersquatting

Involves conducting phishing scams by registering a domain name that is similar to a CSP.

DNS Poisoning

Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user's system.

Domain Snipping

Involves registering an elapsed domain name.

Domain Hijacking

Involves stealing a CSP domain name.

Network Layer Security Controls

It deals with various measures and policies adopted by a network administrator to monitor and prevent illegal access, misuse, modification, or denial of network-accessible resources. NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth

Accessing Nodes

Kubelet manages pods, so if attackers gain access to a node in a pod, they can easily access all volumes used within the pod.

Load balancer

LB

A9 - Using Components with Known Vulnerabilities

Lack of knowledge on component-heavy deployment patterns

Undertaking Malicious Probes or Scans

Malicious probes or scanning allows an attacker to collect sensitive information that may lead to a loss of confidentiality, integrity, and availability of services and data

Exposed Services due to Open Ports

Misconfiguration of an application may allow port access and exposure of sensitive information upon port scanning.

R9 - Infrastructure Security

Misconfiguration of infrastructure may allow network scanning for vulnerable applications and services.

Hijacked Image Registry

Mismanaged configurations and vulnerabilities can be exploited to compromise the registry and image hubs.

Docker Daemon

(dockerd) processes the API requests and handles various Docker objects, such as containers, volumes, images, and networks.

Risks from Changes of Jurisdiction

A change in the jurisdiction of the data can lead to the risk that the data or information system may be blocked or impounded by a government or other organization

Git repository

A common place most organizations host their AWS keys in a shared storage on an internal network

Embedded Malware

A container image may be embedded with malware after creation, or hardcoded functions may download malware after image deployment.

Noisy neighboring containers

A container may consume and exhaust all available system resources, which directly affects the operation of other neighboring containers creating a denial-of-service (DoS) attack.

Insider Threat

A disgruntled employee who wants to damage the reputation of the company can exploit the cloud services using his credentials and perform direct code changes to disclose private information to the public

Privilege Escalation

A mistake in the access allocation system can result in a customer, third party, or employee getting more access rights than needed

Inadequate Infrastructure Design and Planning

A shortage of computing resources and/or poor network design can result in unacceptable network latency or an inability to meet agreed service levels

Nimbostratus

A tool used for fingerprinting and exploiting Amazon cloud infrastructures.

Container orchestration

an automated process of managing the lifecycles of software containers and their dynamic environments. It is used for scheduling and distributing the work of individual containers for microservices-based applications spread across multiple clusters.

Container technology

an emerging container-based virtualization service. It helps developers and IT teams in developing, running, and managing containerized applications by using the API of the service provider or a web portal interface.

Kubelet

an important service agent that runs on each node and ensures containers running in a pod. It also ensures pods and containers are healthy and running as expected.

Network

an interconnected collection of endpoints. Endpoints that do not have network connection cannot communicate over the network.

Cloud computing

an on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network

Kubernetes (K8s)

an open-source, portable, extensible, orchestration platform developed by Google for managing containerized applications and microservices.

Registries

provide various services to developers, such as storing images, tagging, and cataloging images for easy identification, version control for easy discovery and reuse, and fetching and downloading images created by other developers.

On-demand self-service

A type of service rendered by cloud service providers that allow provisions for cloud resources, such as computing power, storage, and network, always on-demand, without the need for human interaction with the service providers.

Cloud Broker

An entity that manages cloud services in terms of use, performance, and delivery, and maintains the relationship between cloud providers and consumers

Kube-proxy

It is a network proxy service that also runs on every worker node. This service maintains the network rules that enable network connection to the pods.

Community Cloud

Shared infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.) The cloud can be either on-or off-premises and governed by the participated organizations or by a third-party managed service provider (e.g., Optum Health Cloud, Salesforce Health Cloud).

Container Technology Tier-2

Testing and accreditation systems - verification and validation of image contents, signing images and sending them to the registries

Kube-apiserver

The API server is an integral part of the Kubernetes control panel that responds to all API requests. It serves as a front-end utility for the control panel and it is the only component that interacts with the etcd cluster and ensures data storage.

Function-as-a-Service (FaaS)

This cloud computing service provides a platform for developing, running, and managing application functionalities without the complexity of building and maintaining necessary infrastructure (serverless architecture). This model is mostly used while developing applications for microservices. It provides on-demand functionality to the subscribers that powers off the supporting infrastructure and incurs no charges when not in use. It provides data processing services, such as Internet of Things (IoT) services for connected devices, mobile and web applications, and batch-and-stream processing (e.g., AWS Lambda, Google Cloud Functions, Microsoft Azure Functions, Oracle Cloud Fn).

Virtualization technology

Virtualization technology in the cloud enables the rapid scaling of resources in a way that non-virtualized environments cannot achieve.

Docker Hub

a predefined location of Docker images, which can be used by all users.

Automated rollouts and rollbacks

automates the process of creating new containers, destroying existing containers, and moving all resources from one container to another.

Load balancing

automatically distributes the traffic to other containers and performs load balancing.

Cloud Carrier

An intermediary for providing connectivity and transport services between cloud consumers and providers

Storage orchestration

allows developers to mount their own storage capabilities, such as local and public cloud storage.

Rest API

allows the communication and assignment of tasks to the daemon.

Secret and configuration management

allows users to store and manage sensitive information such as credentials, secure shell (SSH) keys, and OAuth tokens.

Platform-as-a-Service (PaaS)

(DEVELOPERS) This type of cloud computing service allows for the development of applications and services. Subscribers need not buy and manage the software and infrastructure underneath it but have authority over deployed applications and perhaps application hosting environment configurations. This offers development tools, configuration management, and deployment platforms on-demand, which can be used by subscribers to develop custom applications (e.g., Google App Engine, Salesforce, Microsoft Azure). Advantages of writing applications in the PaaS environment include dynamic scalability, automated backups, and other platform services, without the need to explicitly code for them.

Infrastructure-as-a-Service (IaaS)

(SYSTEMADMINS) This cloud computing service enables subscribers to use on-demand fundamental IT resources, such as computing power, virtualization, data storage, and network. This service provides virtual machines and other abstracted hardware and operating systems (OSs), which may be controlled through a service application programming interface (API). As cloud service providers are responsible for managing the underlying cloud computing infrastructure, subscribers can avoid costs of human capital, hardware, and others (e.g., Amazon EC2, GoGrid, Microsoft OneDrive, Rackspace).

Lack of visibility

A container engine runs the container, interfaces with the Linux kernel, and creates another layer of abstraction camouflaging the actions of the containers and making it difficult to track activities of specific containers or users.

Cloud Consumer

A a person or organization that maintains a business relationship with the cloud service providers (CSPs) and utilizes the cloud computing services.

Cloud Auditor

A party for making independent assessments of cloud service controls and taking an opinion thereon and can evaluate the services provided by a CSP regarding security controls (management, operational, and technical safeguards intended to protect the confidentiality, integrity, and availability of the system and its information), privacy impact (compliance with applicable privacy laws and regulations governing an individual's privacy), performance, etc.

Host

Allows the container to implement the host networking stack

Private Cloud

Cloud infrastructure is operated for a single organization only and and implemented within a corporate firewall. Organizations deploy this cloud infrastructure to retain full control over corporate data (e.g., BMC Software, VMware vRealize Suite, SAP Cloud Platform).

Measured service

Cloud systems employ the "pay-per-use" metering method. Subscribers pay for cloud services by monthly subscription or according to the usage of resources such as storage levels, processing power, and bandwidth. Cloud service providers monitor, control, report, and charge consumption of resources by customers with complete transparency.

Container Technology Tier-5

Hosts - operating and managing containers as instructed by the orchestrator

Etcd cluster

It is a distributed and consistent key-value storage where Kubernetes cluster data, service discovery details, API objects, etc. are stored.

Rapid elasticity

The cloud offers instant provisioning of capabilities to rapidly scale up or down, according to demand. To the consumers, the resources available for provisioning seem to be unlimited and can be purchased in any quantity at any point of time.

Resource pooling

The cloud service provider pools all the resources together to serve multiple customers in the multi-tenant environment, with physical and virtual resources dynamically assigned and reassigned on demand by the consumer of the cloud.

Container-as-a-Service (CaaS)

This cloud computing model provides containers and clusters as a service to its subscribers. It provides services such as virtualization of container engines, management of containers, applications, and clusters through a web portal, or an API. Using these services, subscribers can develop rich scalable containerized applications through the cloud or on-site data centers. CaaS inherits features of both IaaS and PaaS (e.g., Amazon AWS EC2, Google Kubernetes Engine (GKE)).

Software-as-a-Service (SaaS)

This cloud computing service offers application software to subscribers on-demand over the Internet. The provider charges for the service on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users (e.g., web-based office applications like Google Docs or Calendar, Salesforce CRM, and Freshbooks).

Identity-as-a-Service (IDaaS)

This cloud computing service offers authentication services to the subscribed enterprises and is managed by a third-party vendor to provide identity and access management services. It provides services such as Single-Sign-On (SSO), Multi-Factor-Authentication (MFA), Identity Governance and Administration (IGA), access management, and intelligence collection. These services allow subscribers to access sensitive data more securely both on and off-premises (e.g., OneLogin, Centrify Identity Service, Microsoft Azure Active Directory, Okta).

Weave

a network plugin that is used to build a virtual network for connecting Docker containers spread across multiple clouds.

Cloud Provider

a person or organization who acquires and manages the computing infrastructure intended for providing services (directly or via a cloud broker) to interested parties via network access.

Service discovery

allows a service to be discovered via a DNS name or IP address.

Self-healing

automatically performs a health check of the containers, replaces the failed containers with new containers, destroys failed containers, and avoids advertising unavailable containers to clients.

Monolithic applications

broken down into cloud-hosted sub-applications, called microservices, that work together, each performing a unique task.

Services

enable users to extend the number of containers across daemons, and together they serve as a swarm with several managers and workers.

Master Components

provide a cluster control panel and perform various activities, such as scheduling, detecting, and handling cluster events.

Microsoft Azure

provides cloud computing services for building, testing, deploying, and managing applications and services through Azure data centers. It provides all types of cloud computing services, such as SaaS, PaaS, and IaaS. It offers various cloud services, such as computing, mobile storage, data management, messaging, media, machine learning, and IoT.

Docker Client

the primary interface through which users communicate with Docker. When commands such as docker run are initiated, the client passes related commands to dockerd, which then executes them.

Images

used to store and deploy containers. They are read-only binary templates with instructions for container creation.


Conjuntos de estudio relacionados

Psychology Unit7 Module 31 and 32

View Set

Chapter 8: Exercise Metabolism & Bioenergetics

View Set

EDUC 606 Comprehensive Final Exam

View Set

Chapter 4: Entrepreneurship and Lecture

View Set