Page 1: Cloud_Security_Final

Cloud Penetration Testing: Methodology

By Bhavin Shah

Posted 17-Aug-2015

Page 2

Testing the Cloud

The methodology is a cycle of six stages:

1) Question
2) Research
3) Threat Statement
4) Experiment and Model
5) Collect Results
6) Propose Solution

Page 3

STEP 1

Ask Questions

Key Questions:

1) What are the various techniques used to authenticate users to the cloud?

Why is cloud authentication the paramount component of cloud security?

2) How secure is authentication in the cloud?

Are there security issues in elements other than the cloud system itself (e.g. physical security, databases)?

Page 4

STEP 2

Research

Establish a research environment: OpenStack, open-source cloud software.

Research the authentication measures for that environment: Keystone, OpenStack's identity service, which authenticates users and issues tokens; and the Horizon Dashboard, OpenStack's graphical interface for administrators to manage cloud resources, which authenticates against Keystone.

Page 5

STEP 3

Threat Statement

An attacker can obtain the credentials of the cloud administrator through hacking and/or social engineering, use them to authenticate to the cloud, and temporarily or permanently disrupt normal operations.

Page 6

STEP 4

Normal Operations

Page 7

STEP 5

Vulnerability Testing

Page 8

STEP 6

Results

Overview: Information in the captured session cookie revealed user credentials.

Why? The credentials were exposed because, by default, Horizon serves the dashboard over plain HTTP rather than HTTPS, so the login form submission and the session cookie returned with it travel unencrypted and can be read by anyone able to capture the traffic between the browser and the dashboard.

Page 9

STEP 7

Devising a Solution

Problem Source: Use of HTTP.

Solution: Enable HTTPS for communications, and once it is on, mark the session and CSRF cookies Secure so browsers never send them over plain HTTP.

Avoiding similar problems in future:

Follow security guidelines.

Properly configure new software.

Regularly check existing software for vulnerabilities and apply patches.
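The script below is an added example, not code from the slides or from OpenStack. It reproduces the Step 6 finding and the Step 7 check on a constructed capture: what a passive observer recovers from a Horizon login made over plain HTTP (the posted username and password, plus the contents of the session cookie, because Horizon's default Django signed-cookie session backend signs the payload but does not encrypt it), which cookie protections are missing from the response, and a check of the local_settings.py values (SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY) that should accompany the move to HTTPS. The HTTP messages, the address 192.0.2.10, the cookie names and the session payload are constructed for the example; the cookie layout it decodes is Django's signed-cookie format, but the signature in the sample is a placeholder.

```python
"""Audit a captured Horizon login and the dashboard's cookie settings.

Added example for this slide deck; not code from the slides or from OpenStack.
Every message and value below is constructed for illustration.
"""
import base64
import json
from urllib.parse import parse_qs

# Constructed session payload in Django's signed-cookie layout:
#   base64url(JSON) ":" timestamp ":" signature
# The signature is a placeholder. It is never checked here, because reading
# the payload does not need the server's SECRET_KEY; only forging it would.
SESSION_PAYLOAD = {"user_id": "admin", "token": {"id": "0123456789abcdef"}}
_B64 = base64.urlsafe_b64encode(json.dumps(SESSION_PAYLOAD).encode()).rstrip(b"=").decode()
SESSION_VALUE = f"{_B64}:1abcde:placeholder-signature"

# Constructed capture of a Horizon login over plain HTTP (host is an example address).
LOGIN_REQUEST = (
    "POST /auth/login/ HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "csrfmiddlewaretoken=abc123&username=admin&password=S3cret%21&region=RegionOne"
)
LOGIN_RESPONSE = (
    "HTTP/1.1 302 FOUND\r\n"
    "Location: /project/\r\n"
    f"Set-Cookie: sessionid={SESSION_VALUE}; Path=/\r\n"
    "Set-Cookie: csrftoken=abc123; Path=/\r\n"
    "\r\n"
)


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, [(lower-cased name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_set_cookie(value):
    """Return (cookie name, cookie value, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, cookie_value, attrs


def decode_signed_cookie(value):
    """Decode the readable JSON payload of a Django signed-cookie session.

    The signature after the first ':' is ignored: an eavesdropper cannot verify
    or forge it, but does not need to in order to read what the cookie holds.
    """
    payload = value.split(":", 1)[0]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_exchange(request_raw, response_raw, scheme):
    """Report what a passive network observer recovers from a login exchange
    made over `scheme` ("http" or "https") and which cookie flags are missing."""
    findings = {"scheme": scheme, "credentials": None, "session": None, "cookie_issues": []}
    _, _, body = parse_http_message(request_raw)
    if scheme == "http":  # over HTTPS the form body is not visible on the wire
        form = parse_qs(body)
        if "username" in form and "password" in form:
            findings["credentials"] = (form["username"][0], form["password"][0])
    _, resp_headers, _ = parse_http_message(response_raw)
    for name, value in resp_headers:
        if name != "set-cookie":
            continue
        cname, cvalue, attrs = parse_set_cookie(value)
        if cname == "sessionid":
            if scheme == "http":
                findings["session"] = decode_signed_cookie(cvalue)
            if "httponly" not in attrs:
                findings["cookie_issues"].append(f"{cname} lacks HttpOnly")
        if "secure" not in attrs:  # without Secure the browser still sends it over HTTP
            findings["cookie_issues"].append(f"{cname} lacks Secure")
    return findings


# Django settings that Horizon reads from local_settings.py; they keep the
# session and CSRF cookies off plaintext connections once HTTPS is enabled.
REQUIRED_COOKIE_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}


def check_local_settings(settings):
    """Return the names of required cookie settings that are missing or not True."""
    return sorted(k for k, v in REQUIRED_COOKIE_SETTINGS.items() if settings.get(k) is not v)


if __name__ == "__main__":
    print(audit_exchange(LOGIN_REQUEST, LOGIN_RESPONSE, "http"))
    print(check_local_settings({"SESSION_COOKIE_SECURE": True}))
```

Run against the constructed capture, the audit returns the admin username and password, the decoded session contents (including the token id), and three cookie findings; run with `scheme="https"` it returns no credentials and no session, but the missing Secure flags remain, which is why enabling HTTPS alone is not the whole fix.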

Page 10

Extra Content: Horizon, Logging, Nova Version, SSH, Image Provision, Devstack Directory

Page 11

Shown here is the window used to log in to the Horizon Dashboard.

Page 12

The screenshot above shows the process used to enable logging in OpenStack.

Page 13

Shown above is a command used to get the version number of OpenStack's compute service, Nova.

Page 14

This is an error encountered while using SSH to connect to an OpenStack instance. It occurs because the private key file of the key pair is readable by users other than its owner; OpenSSH refuses to use a key whose file permissions are that open, and the fix is to restrict the file to its owner (mode 0600) before connecting.

Page 15

Above is an image of the OpenStack Dashboard. It currently shows several images that can be launched as instances in the cloud.

Page 16

Below is a screenshot from Ubuntu showing the main devstack directory.