Top Threats Working Group The Notorious Nine - Cloud Security Alliance

Transcription

Top Threats Working Group
The Notorious Nine
Cloud Computing Top Threats in 2013
February 2013

CLOUD SECURITY ALLIANCE The Notorious Nine: Cloud Computing Top Threats in 2013

The permanent and official location for Cloud Security Alliance Top Threats research is http://www.cloudsecurityalliance.org/topthreats.

2013 Cloud Security Alliance – All Rights Reserved

All rights reserved. You may download, store, display on your computer, view, print, and link to The Notorious Nine: Cloud Computing Threats in 2013 at http://www.cloudsecurityalliance.org/topthreats/, subject to the following: (a) the Report may be used solely for your personal, informational, non-commercial use; (b) the Report may not be modified or altered in any way; (c) the Report may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Report as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to The Notorious Nine: Cloud Computing Threats in 2013.

2013, Cloud Security Alliance. All rights reserved.

Contents

Acknowledgments
Executive Summary
1.0 Top Threat: Data Breaches
1.1 Implications
1.2 Controls
1.3 Links
2.0 Top Threat: Data Loss
2.1 Implications
2.2 Controls
2.3 Links
3.0 Top Threat: Account or Service Traffic Hijacking
3.1 Implications
3.2 Controls
3.3 Links
4.0 Top Threat: Insecure Interfaces and APIs
4.1 Implications
4.2 Controls
4.3 Links
5.0 Top Threat: Denial of Service
5.1 Implications
5.2 Controls
5.3 Links
6.0 Top Threat: Malicious Insiders
6.1 Implications
6.2 Controls
6.3 Links
7.0 Top Threat: Abuse of Cloud Services
7.1 Implications
7.2 Controls
7.3 Links
8.0 Top Threat: Insufficient Due Diligence
8.1 Implications
8.2 Controls
8.3 Links
9.0 Top Threat: Shared Technology Vulnerabilities
9.1 Implications
9.2 Controls
9.3 Links

Acknowledgments

Co-Chairs
Rafal Los, HP
Dave Shackleford, Voodoo Security
Bryan Sullivan, Microsoft

CSA Global Staff
Alex Ginsburg, Copywriter
Luciano JR Santos, Research Director
Evan Scoboria, Webmaster
Kendall Scoboria, Graphic Designer
John Yeoh, Research Analyst

The CSA Top Threats to Cloud Computing Survey in 2012 was assisted by the extended CSA Top Threats Working Group, led by committee members: Aaron Alva, Olivier Caleff, Greg Elkins, Allen Lum, Keith Pasley, Satheesh Sudarsan, Vinoth Sivasubramanian, and Rajeev Venkitaraman.

Executive Summary

At an unprecedented pace, cloud computing has simultaneously transformed business and government, and created new security challenges. The development of the cloud service model delivers business-supporting technology more efficiently than ever before. The shift from server to service-based thinking is transforming the way technology departments think about, design, and deliver computing technology and applications. Yet these advances have created new security vulnerabilities, including security issues whose full impact is still emerging.

Among the most significant security risks associated with cloud computing is the tendency to bypass information technology (IT) departments and information officers. Although shifting to cloud technologies exclusively is affordable and fast, doing so undermines important business-level security policies, processes, and best practices. In the absence of these standards, businesses are vulnerable to security breaches that can quickly erase any gains made by the switch to SaaS.

Recognizing both the promise of cloud computing, and the risks associated with it, the Cloud Security Alliance (CSA) has pioneered the creation of industry-wide standards for effective cloud security. In recent years, CSA released the “Security Guidance for Critical Areas in Cloud Computing” and the “Security as a Service Implementation Guidance.” These documents have quickly become the industry-standard catalogue of best practices to secure cloud computing, comprehensively addressing this within the thirteen domains of CSA Guidance and ten categories of service associated with the SecaaS Implementation Guidance series. Already, many businesses, organizations, and governments have incorporated this guidance into their cloud strategies.

However, CSA recognizes that a central component of managing risks in cloud computing is to understand the nature of security threats. The purpose of the “The Notorious Nine: Cloud Computing Top Threats in 2013” report is to provide organizations with an up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies.

The top threats report reflects the current consensus among experts about the most significant threats to cloud security. While there are many vulnerabilities to cloud security, this report focuses on threats specifically related to the shared, on-demand nature of cloud computing.

To identify the top threats, CSA conducted a survey of industry experts to compile professional opinion on the greatest vulnerabilities within cloud computing. The Top Threats working group used these survey results alongside their expertise to craft the final 2013 report. The survey methodology validated that the threat listing reflects the most current concerns of the industry. In this most recent edition of this report, experts identified the following nine critical threats to cloud security (ranked in order of severity):

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

With descriptions and analysis of these threats, this report serves as an up-to-date threat identification guide that will help cloud users and providers make informed decisions about risk mitigation within a cloud strategy. This threat research document should be utilized in conjunction with the best practices guides, “Security Guidance for Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance.” Together, these documents will offer valuable guidance during the formation of comprehensive, appropriate cloud security strategies.

1.0 Top Threat: Data Breaches

It’s every CIO’s worst nightmare: the organization’s sensitive internal data falls into the hands of their competitors. While this scenario has kept executives awake at night long before the advent of computing, cloud computing introduces significant new avenues of attack. In November 2012, researchers from the University of North Carolina, the University of Wisconsin and RSA Corporation released a paper describing how a virtual machine could use side-channel timing information to extract private cryptographic keys being used in other virtual machines on the same physical server. However, in many cases an attacker wouldn’t even need to go to such lengths. If a multitenant cloud service database is not properly designed, a flaw in one client’s application could allow an attacker access not only to that client’s data, but every other client’s data as well.

1.1 Implications

Unfortunately, while data loss and data leakage are both serious threats to cloud computing, the measures you put in place to mitigate one of these threats can exacerbate the other. You may be able to encrypt your data to reduce the impact of a data breach, but if you lose your encryption key, you’ll lose your data as well. Conversely, you may decide to keep offline backups of your data to reduce the impact of a catastrophic data loss, but this increases your exposure to data breaches.

1.2 Controls

CCM DG-04: Data Governance - Retention Policy
CCM DG-05: Data Governance - Secure Disposal
CCM DG-06: Data Governance - Non-Production Data
CCM DG-07: Data Governance - Information Leakage
CCM DG-08: Data Governance - Risk Assessments
CCM IS-18: Information Security - Encryption
CCM IS-19: Information Security - Encryption Key Management
CCM SA-02: Security Architecture - User ID Credentials
CCM SA-03: Security Architecture - Data Security/Integrity
CCM SA-06: Security Architecture - Production/Non-Production Environments
CCM SA-07: Security Architecture - Remote User Multi-Factor Authentication

1.3 Links

1. Cross-VM Side Channels and Their Use to Extract Private Keys
http://www.cs.unc.edu/~yinqian/papers/crossvm.pdf
2. Multi-Tenant Data y/Aa479086

Sidebar (service model, risk matrix, relevance and ranking graphics not reproduced in the transcription)
Risk analysis: CIANA: Confidentiality; STRIDE: Information Disclosure
CSA reference: Domain 5: Information Management and Data Security; Domain 10: Application Security; Domain 12: Identity, Entitlement and Access Management; Domain 13: Virtualization
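The multitenant database flaw described above, shown as an added example (not code from the report or from any provider): a data access layer that looks records up by id alone lets any authenticated tenant read another tenant’s rows, while scoping every query by the tenant id taken from the authenticated session makes foreign rows unreachable. The table, tenant names and document bodies are constructed for the example.

```python
import sqlite3

# Constructed sample data: two tenants sharing one table (hypothetical schema).
ROWS = [
    (1, "tenant-a", "Q3 forecast"),
    (2, "tenant-b", "Merger term sheet"),
    (3, "tenant-a", "Payroll export"),
]


def make_db() -> sqlite3.Connection:
    """In-memory multi-tenant table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", ROWS)
    return conn


def get_document_flawed(conn: sqlite3.Connection, doc_id: int):
    """Flawed design: the row is selected by document id only, so a caller who
    guesses or enumerates ids reads rows that belong to other tenants."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document_scoped(conn: sqlite3.Connection, tenant_id: str, doc_id: int):
    """Hardened design: tenant_id comes from the authenticated session, never from
    the request body, and every query is filtered by it. A foreign id simply does
    not exist from this tenant's point of view, so nothing leaks, not even its existence."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND tenant_id = ?", (doc_id, tenant_id)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Tenant A (authenticated) asks for document 2, which belongs to tenant B,
    and then for its own document 3."""
    conn = make_db()
    return {
        "flawed": get_document_flawed(conn, 2),          # leaks tenant B's row
        "scoped": get_document_scoped(conn, "tenant-a", 2),  # None: not visible
        "own": get_document_scoped(conn, "tenant-a", 3),     # tenant A's own row
    }


if __name__ == "__main__":
    print(demo())
```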

2.0 Top Threat: Data Loss

For both consumers and businesses, the prospect of permanently losing one’s data is terrifying. Just ask Mat Honan, writer for Wired magazine: in the summer of 2012, attackers broke into Mat’s Apple, Gmail and Twitter accounts. They then used that access to erase all of his personal data in those accounts, including all of the baby pictures Mat had taken of his 18-month-old daughter.

Of course, data stored in the cloud can be lost due to reasons other than malicious attackers. Any accidental deletion by the cloud service provider, or worse, a physical catastrophe such as a fire or earthquake, could lead to the permanent loss of customers’ data unless the provider takes adequate measures to back up data. Furthermore, the burden of avoiding data loss does not fall solely on the provider’s shoulders. If a customer encrypts his or her data before uploading it to the cloud, but loses the encryption key, the data will be lost as well.

2.1 Implications

Under the new EU data protection rules, data destruction and corruption of personal data are considered forms of data breaches and would require appropriate notifications. Additionally, many compliance policies require organizations to retain audit records or other documentation. If an organization stores this data in the cloud, loss of that data could jeopardize the organization’s compliance status.

2.2 Controls

CCM DG-04: Data Governance - Retention Policy
CCM DG-08: Data Governance - Risk Assessments
CCM RS-05: Resiliency - Environmental Risks
CCM RS-06: Resiliency - Equipment Location

2.3 Links

1. Cloud Computing Users Are Losing Data, Symantec udy.htm
2. Kill the Password: Why a String of Characters Can’t Protect Us at-honan-password-hacker/

Sidebar (service model, risk matrix, relevance and ranking graphics not reproduced in the transcription)
Risk analysis: CIANA: Availability, Non-Repudiation; STRIDE: Repudiation, Denial of Service
CSA reference: Domain 5: Information Management and Data Security; Domain 10: Application Security; Domain 12: Identity, Entitlement and Access Management; Domain 13: Virtualization

3.0 Top Threat: Account or Service Traffic Hijacking

Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks.

In April 2010, Amazon experienced a Cross-Site Scripting (XSS) bug that allowed attackers to hijack credentials from the site. In 2009, numerous Amazon systems were hijacked to run Zeus botnet nodes.

3.1 Implications

Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services. Organizations should be aware of these techniques as well as common defense in depth protection strategies to contain the damage (and possible litigation) resulting from a breach. Organizations should look to prohibit the sharing of account credentials between users and services, and leverage strong two-factor authentication techniques where possible.

3.2 Controls

CCM IS-07: Information Security - User Access Policy
CCM IS-08: Information Security - User Access Restriction/Authorization
CCM IS-09: Information Security - User Access Revocation
CCM IS-10: Information Security - User Access Reviews
CCM IS-22: Information Security - Incident Management
CCM SA-02: Security Architecture - User ID Credentials
CCM SA-07: Security Architecture - Remote User Multi-Factor Authentication
CCM SA-14: Security Architecture - Audit Logging / Intrusion Detection

3.3 Links

1. Amazon purges account hijacking threat from site
http://www.theregister.co.uk/2010/04/20/amazon_website_treat/
2. Zeus bot found using Amazon’s EC2 as C&C on ec2 bot control channel/

Sidebar (service model, risk matrix, relevance and ranking graphics not reproduced in the transcription)
Risk analysis: CIANA: Authenticity, Integrity, Confidentiality, Non-repudiation, Availability; STRIDE: Tampering with Data, Repudiation, Information Disclosure, Elevation of Privilege, Spoofing Identity
CSA reference: Domain 2: Governance and Enterprise Risk Management; Domain 5: Information Management and Data Security; Domain 7: Traditional Security, Business Continuity, and Disaster Recovery; Domain 9: Incident Response; Domain 11: Encryption and Key Management; Domain 12: Identity, Entitlement, and Access Management

4.0 Top Threat: Insecure Interfaces and APIs

Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.

Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizations may be required to relinquish their credentials to third parties in order to enable their agency.

4.1 Implications

While most providers strive to ensure security is well integrated into their service models, it is critical for consumers of those services to understand the security implications associated with the usage, management, orchestration and monitoring of cloud services. Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.

4.2 Controls

CCM IS-08: Information Security - User Access Restriction/Authorization
CCM SA-03: Security Architecture - Data Security/Integrity
CCM SA-04: Security Architecture - Application Security

4.3 Links

1. Insecure API Implementations Threaten cure-api-implementations-threaten-cloud.html
2. Web Services Single Sign-On Contains Big -sign-on-contain-big-flaws.html

Sidebar (service model, risk matrix, relevance and ranking graphics not reproduced in the transcription)
Risk analysis: CIANA: Authenticity, Integrity, Confidentiality; STRIDE: Tampering with Data, Repudiation, Information Disclosure, Elevation of Privilege
CSA reference: Domain 5: Information Management and Data Security; Domain 6: Interoperability and Portability; Domain 9: Incident Response; Domain 10: Application Security; Domain 11: Encryption and Key Management; Domain 12: Identity, Entitlement, and Access Management

5.0 Top Threat: Denial of Service

Simply put, denial-of-service attacks are attacks meant to prevent users of a cloud service from being able to access their data or their applications. By forcing the victim cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space or network bandwidth, the attacker (or attackers, as is the case in distributed denial-of-service (DDoS) attacks) causes an intolerable system slowdown and leaves all of the legitimate service users confused and angry as to why the service isn’t responding.

While DDoS attacks tend to generate a lot of fear and media attention (especially when the perpetrators are acting out of a sense of political “hacktivism”), they are by no means the only form of DoS attack. Asymmetric application-level DoS attacks take advantage of vulnerabilities in web servers, databases, or other cloud resources, allowing a malicious individual to take out an application using a single extremely small attack payload – in some cases less than 100 bytes long.

5.1 Implications

Experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock: there’s no way to get to your destination, and nothing you can do about it except sit and wait. As a consumer, service outages not only frustrate you, but also force you to reconsider whether moving your critical data to the cloud to reduce infrastructure costs was really worthwhile after all. Even worse, since cloud providers often bill clients based on the compute cycles and disk space they consume, there’s the possibility that an attacker may not be able to completely knock your service off of the net, but may still cause it to consume so much processing time that it becomes too expensive for you to run and you’ll be forced to take it down yourself.

5.2 Controls

CCM IS-04: Information Security - Baseline Requirements
CCM OP-03: Operations Management - Capacity/Resource Planning
CCM RS-07: Resiliency - Equipment Power Failures
CCM SA-04: Security Architecture - Application Security

5.3 Links

1. As Cloud Use Grows, So Will Rate of DDoS cloud-use-grows-so-will-rateof-ddos-attacks-211876
2. Computerworld: DDoS is Cloud’s security Achilles heel (September 1127/ddos cloud security achilles heel/
3. OWASP: Application Denial of Service
https://www.owasp.org/index.php/Application_Denial_of_Service
4. Radware ter/DDoSPedia/

Sidebar (service model, risk matrix, relevance and ranking graphics not reproduced in the transcription)
Risk analysis: CIANA: Availability; STRIDE: Denial of Service
CSA reference: Domain 8: Data Center Operations; Domain 9: Incident Response; Domain 10: Application Security; Domain 13: Virtualization; Domain 14: Security as a Service
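Two of the points above, the asymmetric application-level request that costs the service far more than it costs the sender, and the metered-billing exposure where one client quietly dominates the compute bill, can both be surfaced from ordinary access logs. The following detection logic is an added example, not code from the report or from any tool it cites; the log format (timestamp, client IP, request bytes, CPU milliseconds), the thresholds and the sample lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample access log (hypothetical format): ts client_ip bytes_in cpu_ms.
# 198.51.100.9 sends tiny requests that each burn seconds of CPU; the others are normal.
SAMPLE_LOG = """\
1000 203.0.113.7 412 18
1001 203.0.113.7 380 22
1002 198.51.100.9 96 4100
1003 203.0.113.7 450 20
1004 198.51.100.9 96 3900
1005 203.0.113.7 390 19
1006 198.51.100.9 96 4300
1007 192.0.2.44 510 25
1008 198.51.100.9 96 4000
""".splitlines()

CPU_BUDGET_MS = 5000    # per client per window; assumed, tune from real baselines
WINDOW_S = 10           # sliding window length in seconds
ASYMMETRY_RATIO = 20.0  # cpu_ms per request byte above which one request looks asymmetric


def parse(line: str):
    """Split one constructed log line into (ts, client, bytes_in, cpu_ms)."""
    ts, client, nbytes, cpu = line.split()
    return int(ts), client, int(nbytes), int(cpu)


def analyze(lines, cpu_budget_ms=CPU_BUDGET_MS, window_s=WINDOW_S, ratio=ASYMMETRY_RATIO):
    """Return {client: sorted reasons}. 'asymmetric' marks a single request whose
    processing cost is out of proportion to its size (the <100-byte payload case);
    'budget' marks a client whose CPU spend inside the sliding window exceeds the
    budget. Either is a cue to throttle that client before the bill, not the
    outage, becomes the problem."""
    recent = defaultdict(list)   # client -> [(ts, cpu_ms)] inside the window
    findings = defaultdict(set)
    for line in lines:
        ts, client, nbytes, cpu = parse(line)
        if nbytes > 0 and cpu / nbytes >= ratio:
            findings[client].add("asymmetric")
        window = [(t, c) for t, c in recent[client] if ts - t < window_s]
        window.append((ts, cpu))
        recent[client] = window
        if sum(c for _, c in window) > cpu_budget_ms:
            findings[client].add("budget")
    return {c: sorted(r) for c, r in findings.items()}


def cpu_share(lines) -> dict:
    """Fraction of total metered CPU attributable to each client: shows how one
    client can dominate a usage-based bill while the service stays up."""
    total = defaultdict(int)
    for line in lines:
        _, client, _, cpu = parse(line)
        total[client] += cpu
    grand = sum(total.values())
    return {c: round(ms / grand, 3) for c, ms in total.items()}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    print(cpu_share(SAMPLE_LOG))
```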

6.0 Top Threat: Malicious Insiders

The risk of malicious insiders has been debated in the security industry. While the level of threat is left to debate, the fact that the insider threat is a real adversary is not.

CERT defines an insider threat as such: [1]

“A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.”

6.1 Implications

A malicious insider, such as a system administrator, in an improperly designed cloud scenario can have access to potentially sensitive information.

From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems, and eventually to data. Systems that depend solely on the cloud service provider (CSP) for security are at great risk here. Even if encryption is implemented, if the keys are not kept with the customer and are only available at data-usage time, the system is still vulnerable to malicious insider attack.

6.2 Controls

CCM CO-03: Compliance - Third Party Audits
CCM DG-01: Data Governance - Ownership / Stewardship
CCM DG-03: Data Governance - Handling / Labeling / Security Policy
CCM DG-07: Data Governance - Information Leakage
CCM FS-02: Facility Security - User Access
CCM FS-05: Facility Security - Unauthorized Persons Entry
CCM FS-06: Facility Security - Off-Site Authorization
CCM HR-01: Human Resources Security - Background Screening
CCM IS-06: Information Security - Policy Enforcement
CCM IS-08: Information Security - User Access Restriction / Authorization
CCM IS-10: Information Security - User Access Reviews
CCM IS-13: Information Security - Roles / Responsibilities
CCM IS-15: Information Security - Segregation of Duties
CCM IS-18: Information Security - Encryption
CCM IS-19: Information Security - Encryption Key Management
CCM IS-29: Information Security - Audit Tools Access
CCM RI-02: Risk Management - Assessments
CCM SA-09: Security Architecture - Segmentation

6.3 Links

1. Insider threats to cloud r-threats-to-cloud-computing/
2. Cloud’s privileged identity gap intensifies insider -identity-gapintensifies-insider-threats.html

[1] http://www.cert.org/insider_threat/

Sidebar (service model, risk matrix, relevance and ranking graphics not reproduced in the transcription)
Risk analysis: STRIDE: Spoofing, Tampering, Information Disclosure
CSA reference: Domain 2: Governance and Enterprise Risk Management; Domain 5: Information Management and Data Security; Domain 11: Encryption and Key Management
