Penetration Testing for the Cloud – How is it different?
If you work in the cyber security industry, you will be familiar with terms like application penetration testing, network penetration testing, etc. However, the growth of the cloud computing industry in the last 4-5 years has added a new name to the penetration testing list – cloud penetration testing.
In a traditional pen test, the organization conducting the test is itself the owner of the entire technical infrastructure. In a cloud environment, by contrast, the cloud service provider owns the overall cloud infrastructure. Since you are using its service, your ownership is limited to the data you store in the cloud environment.
Because of this, many challenges need to be addressed before a penetration test can start. These challenges can be technical, legal, or regulatory. The first and foremost challenge is the policies and terms & conditions of the cloud service provider (hereinafter referred to as CSP).
Questions You Should Ask – IaaS, PaaS, and SaaS
Cloud services are provided in three forms – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Before starting a penetration test, here are a few questions that you should ask your CSP, depending on the nature of the services being used. Note that there is a fine line separating responsibilities in these three forms. In IaaS, the CSP is responsible for physical security and natural/artificial hazards, while you are responsible for most security-related activities. In PaaS, security responsibilities are shared and a Service Level Agreement (SLA) demarcates who is responsible for what. In SaaS, most of the security responsibilities lie with the CSP.
- What is the type of penetration tests performed by you?
- What are the tools used for penetration testing?
- Which vulnerabilities do you mainly focus on?
- Do you check for common vulnerabilities such as SQL injection and XSS?
- Have you enforced SSL encryption?
- What are the security policies implemented by you?
- What are the security controls incorporated in your cloud infrastructure’s architecture?
- Do you perform vulnerability scans on our VLAN/subnet?
- What are the physical security controls implemented by you?
- Have you implemented any hazard control mechanisms?
For PaaS, in addition to the IaaS questions listed above, you should ask –
- How frequently are patches applied?
- Is there a feature to change the default passwords?
- How do you protect configuration files?
For SaaS, in addition to the IaaS and PaaS questions listed above, you should ask –
- Do you perform vulnerability assessment and penetration testing by default?
- Can you share web application vulnerability reports?
- Do you test for OWASP top 10 web application vulnerabilities?
If your penetration test is being conducted by a third-party service provider, here are a few questions that you must ask.
Penetration Testing in the Cloud – 4 Key Steps
Step 1 – CSP Policies
Every CSP has its own set of policies on how its cloud infrastructure may be used by its clients. One such policy covers penetration testing, and a CSP may require you to notify it in advance before conducting a penetration test. If a CSP requires notification and you do not notify it, your penetration testing activity will look like a DDoS attack and the CSP may eventually shut down your account. Notifying the CSP is also important because your neighbours on the shared infrastructure may be affected by your penetration testing activity.
Most CSPs are proactive and take extra care to ensure the security of their cloud infrastructure. If abnormal activity occurs, a CSP representative may contact you to ask what is happening. Hence, you must go through the relevant penetration testing policy of the service provider to understand your rights & liabilities as well as the legal requirements. (Read more about Amazon and Google Cloud’s requirements here and here respectively)
Step 2 – Penetration Testing Plan
Preparing a penetration testing plan ensures that testing activities are completed by the agreed deadlines. Your penetration testing plan should cover areas such as –
- Compliance Requirements
A penetration testing plan should be agreed to by your organization as well as the penetration testing team. If the penetration testing team is provided by a third-party service provider, a legally binding contract must be signed. If you are having trouble selecting a penetration testing service provider, this guide will help you out.
Step 3 – Selecting Appropriate Tools
A plethora of tools is available in the market for conducting a penetration test. Depending on your requirements and budget constraints, you can either opt for an on-premise tool or conduct the penetration test using a cloud-based penetration testing tool like BreachLock. In the latter case, it is one cloud testing another cloud.
Selecting a tool is a dilemma for the decision-makers of a company. You must check that the tool is able to simulate a real-life attack on your cloud presence. In addition, you should not depend entirely on tools; manual testing by security experts should also be part of the engagement.
Step 4 – Vulnerabilities and Reporting
Although finding vulnerabilities is the obvious step in a penetration test, the penetration testing report is the artefact that stays with your company indefinitely. It will also form the basis for future security-related updates in your organization. When vulnerabilities are reported, they should be classified by the layer they were found on, such as network layer, database, application layer, storage, etc. You can check the contents of an ideal penetration testing report here.
Penetration Testing in the Cloud – Checklist
- Check the SLA between your organization and the CSP
- Understand rights and liabilities
- Determine roles and responsibilities
- Avail the services of a third-party service provider, if required
- Prepare a Penetration Testing Plan
- Start the penetration test
- Monitor the penetration test activities, covering areas such as:
  - Ports and Protocols
  - Data stored on cloud servers
  - SSL Certificates
  - Access Points
  - Input Validation
  - DDoS Prevention
  - SQL Injection
  - Bruteforce Attack
  - Virtual Machines
- Preparing a report for the penetration test
- Address the vulnerabilities identified
- Schedule the next penetration test
Conducting a penetration test is no longer optional. It has become a mandatory activity for enhancing the security posture of an organization. In addition, various regulations now recommend regular assessments of an organization’s technical infrastructure. It is recommended that you hire an external service provider to conduct the penetration test, as an internal team is familiar with your cloud presence and might miss a thing or two.