Download - Security on Cloud Computing
SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES
REZA PAHLAVASTMIK RAHARJA
What is Cloud Computing? Cloud computing involves delivering computing
resources (hardware and software) as a service over a network (typically the Internet) by cloud computing service providers.
• A good understanding of cloud security threats is necessary in order to provide more secure services to cloud users.
CLOUD SERVICE MODELS
Cloud computing includes three layers:
• System layer: known as Infrastructure-as-a-Service (IaaS)
• Platform layer: known as Platform-as-a-Service (PaaS)
• Application layer: known as Software-as-a-Service (SaaS)
Layers of Cloud Computing
SalesForce CRMLotusLive
TAXONOMY OF CLOUD SECURITY THREATS
• SaaS, PaaS, and IaaS also disclose information security issues and risks of cloud computing systems.
• Hackers might abuse the forceful computing capability provided by clouds.
• Data loss is an important security risk of cloud models.
• Traditional network attack strategies can be applied to harass three layers of cloud systems.
Abuse Use of Cloud Computational Resources
• Previously, hackers used multiple computers or a botnet to produce a great amount of computing power in order to conduct cyber-attacks.
• Now, powerful computing infrastructure could be easily created using a simple registration process in a cloud computing service provider.
• Brute force attack
• Denial of Service attack
BRUTE FORCE ATTACK: THOMAS ROTH, A GERMAN RESEARCHER, MANAGED TO CRACK A WPA-PSK PROTECTED NETWORK BY RENTING A SERVER FROM AMAZON’S EC2. IN APPROXIMATELY 20 MINUTES, FIRED 400,000 PASSWORDS/SEC INTO THE SYSTEM AND THE COST WAS ONLY 28 CENTS/MINUTE.
DOS: BRYAN AND ANDERSON, LAUNCHED CLOUD-BASED DOS ATTACKS TO ONE OF THEIR CLIENTS IN ORDER TO TEST ITS CONNECTIVITY WITH THE HELP OF AMAZON’S EC2; SPENT $6 TO RENT VIRTUAL SERVERS, USED A HOMEMADE PROGRAM TO SUCCESSFULLY FLOOD THEIR CLIENT'S SERVER AND MADE IT UNAVAILABLE.
Data BreachesMalicious Insider: • insiders who exploit cloud vulnerabilities gaining
unauthorized access to confidential data or carry out attacks against its own employer’s IT infrastructure
Online Cyber Theft:• sensitive data stored on clouds have become an attractive
target to online cyber theft. • Incidents such as Zappos, LinkedIn, Sony Playstation
Cloud Security Attacks
• Malware Injection Attacks: • hackers exploit vulnerabilities of a web application and
embed malicious codes into it changing the course of its normal execution. The two common forms are SQL injection attack and cross-site scripting attack.
• Wrapping Attack: • use XML signature wrapping (or XML rewriting) to
exploit a weakness when web servers validate signed requests. An attacker is able to change the content of the signed part without invalidating the signature.
MALWARE INJECTION ATTACKS: HACKERS EXPLOIT VULNERABILITIES OF A WEB APPLICATION AND EMBED MALICIOUS CODES INTO IT CHANGING THE COURSE OF ITS NORMAL EXECUTION. THE TWO COMMON FORMS ARE SQL INJECTION ATTACK AND CROSS-SITE SCRIPTING ATTACK.
COUNTERMEASURES • Security Policy Enhancement: avoid weak registration
systems, credit card fraud monitoring, and block of public black lists could be applied.
• Access Management: continuous monitoring of physical computing systems, restricting traffic access to the data using firewalls and intrusion detection systems, and controlling access to cloud applications and data using SAML and XACML.
• Data Protection: data loss prevention systems, anomalous behavior pattern detection tools, format preserving and encryption tools, user behavior profiling, decoy technology, and authentication and authorization.
• Security Techniques Implementation: for malware injection attacks, use FAT system; also store a hash value on the original service instance’s image file and perform integrity check. For XML signature wrapping attacks, use XML Schema Hardening techniques i.e. a subset of XPath, called FastXPath.
CONCLUSIONS AND FUTURE WORK• Cloud Computing is in continual development, while people
enjoy the benefits cloud computing brings, security in clouds is a key challenge.
• Much vulnerability in clouds still exists and hackers continue to exploit these security holes.
• this paper has examined the security vulnerabilities in clouds from three perspectives), included related real world exploits, and introduced countermeasures to those security breaches.
• In the future, further efforts in studying cloud security risks and the countermeasures to cloud security breaches must continue.