SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES

REZA PAHLAVASTMIK RAHARJA

What is Cloud Computing? Cloud computing involves delivering computing

resources (hardware and software) as a service over a network (typically the Internet) by cloud computing service providers.

• A good understanding of cloud security threats is necessary in order to provide more secure services to cloud users.

CLOUD SERVICE MODELS

Cloud computing includes three layers:

• System layer: known as Infrastructure-as-a-Service (IaaS)

• Platform layer: known as Platform-as-a-Service (PaaS)

• Application layer: known as Software-as-a-Service (SaaS)

Layers of Cloud Computing

SalesForce CRMLotusLive

TAXONOMY OF CLOUD SECURITY THREATS

• SaaS, PaaS, and IaaS also disclose information security issues and risks of cloud computing systems.

• Hackers might abuse the forceful computing capability provided by clouds.

• Data loss is an important security risk of cloud models.

• Traditional network attack strategies can be applied to harass three layers of cloud systems.

Abuse Use of Cloud Computational Resources

• Previously, hackers used multiple computers or a botnet to produce a great amount of computing power in order to conduct cyber-attacks.

• Now, powerful computing infrastructure could be easily created using a simple registration process in a cloud computing service provider.

• Brute force attack

• Denial of Service attack

BRUTE FORCE ATTACK: THOMAS ROTH, A GERMAN RESEARCHER, MANAGED TO CRACK A WPA-PSK PROTECTED NETWORK BY RENTING A SERVER FROM AMAZON’S EC2. IN APPROXIMATELY 20 MINUTES, FIRED 400,000 PASSWORDS/SEC INTO THE SYSTEM AND THE COST WAS ONLY 28 CENTS/MINUTE.

DOS: BRYAN AND ANDERSON, LAUNCHED CLOUD-BASED DOS ATTACKS TO ONE OF THEIR CLIENTS IN ORDER TO TEST ITS CONNECTIVITY WITH THE HELP OF AMAZON’S EC2; SPENT $6 TO RENT VIRTUAL SERVERS, USED A HOMEMADE PROGRAM TO SUCCESSFULLY FLOOD THEIR CLIENT'S SERVER AND MADE IT UNAVAILABLE.

Data BreachesMalicious Insider: • insiders who exploit cloud vulnerabilities gaining

unauthorized access to confidential data or carry out attacks against its own employer’s IT infrastructure

Online Cyber Theft:• sensitive data stored on clouds have become an attractive

target to online cyber theft. • Incidents such as Zappos, LinkedIn, Sony Playstation

Cloud Security Attacks

• Malware Injection Attacks: • hackers exploit vulnerabilities of a web application and

embed malicious codes into it changing the course of its normal execution. The two common forms are SQL injection attack and cross-site scripting attack.

• Wrapping Attack: • use XML signature wrapping (or XML rewriting) to

exploit a weakness when web servers validate signed requests. An attacker is able to change the content of the signed part without invalidating the signature.

MALWARE INJECTION ATTACKS: HACKERS EXPLOIT VULNERABILITIES OF A WEB APPLICATION AND EMBED MALICIOUS CODES INTO IT CHANGING THE COURSE OF ITS NORMAL EXECUTION. THE TWO COMMON FORMS ARE SQL INJECTION ATTACK AND CROSS-SITE SCRIPTING ATTACK.

COUNTERMEASURES • Security Policy Enhancement: avoid weak registration

systems, credit card fraud monitoring, and block of public black lists could be applied.

• Access Management: continuous monitoring of physical computing systems, restricting traffic access to the data using firewalls and intrusion detection systems, and controlling access to cloud applications and data using SAML and XACML.

• Data Protection: data loss prevention systems, anomalous behavior pattern detection tools, format preserving and encryption tools, user behavior profiling, decoy technology, and authentication and authorization.

• Security Techniques Implementation: for malware injection attacks, use FAT system; also store a hash value on the original service instance’s image file and perform integrity check. For XML signature wrapping attacks, use XML Schema Hardening techniques i.e. a subset of XPath, called FastXPath.

CONCLUSIONS AND FUTURE WORK• Cloud Computing is in continual development, while people

enjoy the benefits cloud computing brings, security in clouds is a key challenge.

• Much vulnerability in clouds still exists and hackers continue to exploit these security holes.

• this paper has examined the security vulnerabilities in clouds from three perspectives), included related real world exploits, and introduced countermeasures to those security breaches.

• In the future, further efforts in studying cloud security risks and the countermeasures to cloud security breaches must continue.