Grounded in the Cloud

Cloud Security Threats - Abuse and nefarious use of cloud services

SimonLeech

This is the fifth blog in a series of 5 looking at some specific cloud security threats identified by the Cloud Security Alliance. The other articles in the series can be accessed by searching the blog for the tag cloudsecthreats.

This blog will look at the abuse and nefarious use of cloud services. This is one of the top threats identified by the Cloud Security Alliance in their recent white paper ‘The Treacherous Twelve – Cloud Computing Top Threats in 2016’, sponsored by HPE Security - Data Security, and available to download here.


One of the advantages of a cloud model is the ability to dynamically scale resources up and down as the business requires. However, this same flexibility affords attackers a dynamic environment in which to create their attacks. It is relatively cheap to rent space from a cloud service provider (CSP) and to use the CPU power and network bandwidth to launch DDoS attacks, run malicious websites, or control botnets. The solution to this problem is not simple: an acceptable use policy can set down the rules, but because the provisioning of new cloud instances is automated, it is often too late by the time a CSP identifies a nefarious cloud instance.

Another problem related to the misuse of cloud services is cyber criminals taking advantage of the free trial period offered by some CSPs – we recently spoke with a service provider customer who had automated the provisioning of a free trial period, which in turn was being white-labeled and resold by a team of Chinese hackers!

The challenges around the abuse of cloud services are for the most part a service provider issue rather than a cloud consumer problem; however, they can impact the customer when nefarious cloud instances cause congestion on the cloud platform and/or network uplink, as in the case of distributed denial of service (DDoS) attacks. This can lead to shared platform resource problems, where the availability of a cloud instance is impacted by activity that is taking place elsewhere in the service provider infrastructure.

In terms of a solution to this problem, there is not much a cloud consumer can do, other than to check the reputation of the CSP along with the SLAs that they offer. The CSP can implement various compensatory controls, for example limiting per-instance bandwidth or implementing reputation-based IP filtering, and can choose a subscription model that makes it harder for a criminal to abuse the services on offer.

The other area related to abuse of cloud services is where cybercriminals are able to break into legitimate cloud instances by guessing passwords, obtaining them through social engineering attacks, or by stealing the access keys. There are often limited safeguards in place to protect against unauthorized use of legitimate credentials, and whilst CSPs will mask the credit card numbers in a cloud account, it may be relatively simple for an attacker to add charges for the services consumed. This is a cloud consumer problem and highlights the need for good password security, multi-factor authentication (covered in the second blog of this series), and code sanitization (don’t leave the access keys in any code you share). There is an interesting write-up on AWS account hacking here.

Hopefully this blog mini-series has provided some food for thought around some of the security challenges in cloud environments. As always, we welcome any feedback or comments, and for further information on how Hewlett Packard Enterprise can help you with a risk-based approach to cloud security, please contact your account manager or visit our website.

About the Author

SimonLeech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and Chief Technologist Security within the Hewlett Packard Enterprise EMEA Hybrid IT Team. Within Hewlett Packard Enterprise, Mr Leech is responsible for influencing and evangelising the security strategy of the Hybrid IT team. Simon is active on Twitter as @DigitalHeMan
