
Empirical Cloud Security
Description
The book discusses the security and privacy issues detected during penetration testing, security assessments, configuration reviews, malware analysis, and independent research of cloud infrastructure and Software-as-a-Service (SaaS) applications. It presents hands-on technical approaches for detecting these issues, drawn from real-world case studies, and discusses how to remediate them effectively. This is not a book of general theory: the emphasis is on cloud security concepts and on how to assess and fix them in practice.
Aditya K Sood (Ph.D.) is a cyber security advisor, practitioner, researcher and consultant. With more than 12 years of experience, he provides strategic leadership in the field of information security, covering products and infrastructure. He has extensive experience in propelling businesses by making security a saleable business trait.
Contents
- Cover
- Half-Title
- Title
- Copyright
- Contents
- Preface
- About the Author
- Chapter 1: Cloud Architecture and Security Fundamentals
- Understanding Cloud Virtualization
- Cloud Computing Models
- Comparing Virtualization and Cloud Computing
- Containerization in the Cloud
- Components of Containerized Applications
- Serverless Computing in the Cloud
- Components of Serverless Applications
- The Characteristics of VMs, Containers, and Serverless Computing
- Cloud Native Architecture, Applications, and Microservices
- Embedding Security into Cloud Native Applications
- Securing Cloud Native Applications
- Cloud Native Application Protection Platform (CNAPP)
- Understanding Zero Trust Architecture
- Edge Computing Paradigm
- Embedding Security in the DevOps Model
- Understanding Cloud Security Pillars
- Cloud Security Testing and Assessment Methodologies
- References
- Chapter 2: IAM for Authentication and Authorization: Security Assessment
- Understanding Identity and Access Management Policies
- IAM Policy Types and Elements
- IAM Policy Variables and Identifiers
- Managed and Inline Policy Characterization
- IAM Users, Groups, and Roles
- Trust Relationships and Cross-Account Access
- IAM Access Policy Examples
- IAM Access Permission Policy
- IAM Resource-Based Policy
- Role Trust Policy
- Identity and Resource Policies: Security Misconfigurations
- Confused Deputy Problems
- Over-Permissive Role Trust Policy
- Guessable Identifiers in Role Trust Policy
- Privilege Escalation via an Unrestricted IAM Resource
- Insecure Policies for Serverless Functions
- Unrestricted Access to Serverless Functions
- Serverless Functions with Administrative Privileges
- Serverless Function Untrusted Cross-Account Access
- Unrestricted Access to the VPC Endpoints
- Insecure Configuration in Passing IAM Roles to Services
- Uploading Unencrypted Objects to Storage Buckets Without Ownership
- Misconfigured Origin Access Identity for CDN Distribution
- Authentication and Authorization Controls Review
- Multi Factor Authentication (MFA)
- User Credential Rotation
- Password Policy Configuration
- Administrative or Root Privileges
- SSH Access Keys for Cloud Instances
- Unused Accounts, Credentials, and Resources
- API Gateway Client-Side Certificates for Authenticity
- Key Management Service (KMS) Customer Master Keys
- Users Authentication from Approved IP Addresses and Locations
- Recommendations
- Automation Scripts for Security Testing
- MFA Check (mfa_check.sh)
- IAM Users Administrator Privileges Analysis (iam_users_admin_root_privileges.sh)
- IAM Users SSH Keys Analysis (iam_users_ssh_keys_check.sh)
- References
- Chapter 3: Cloud Infrastructure: Network Security Assessment
- Network Security: Threats and Flaws
- Why Perform a Network Security Assessment?
- Understanding Security Groups and Network Access Control Lists
- Understanding VPC Peering
- Security Misconfigurations in SGs and NACLs
- Unrestricted Egress Traffic via SGs Outbound Rules
- Unrestricted Egress Traffic via NACLs Outbound Rules
- Insecure NACL Rule Ordering
- Over-Permissive Ingress Rules
- Cloud Network Infrastructure: Practical Security Issues
- Insecure Configuration of Virtual Private Clouds
- Public IP Assignment for Cloud Instances in Subnets
- Over-Permissive Routing Table Entries
- Lateral Movement via VPC Peering
- Insecure Bastion Hosts Implementation
- Outbound Connectivity to the Internet
- Missing Malware Protection and File Integrity Monitoring (FIM)
- Password-Based Authentication for the Bastion SSH Service
- Insecure Cloud VPN Configuration
- Insecure and Obsolete SSL/TLS Encryption Support for OpenVPN
- Unrestricted VPN Web Client and Administrator Interface
- Exposed Remote Management SSH Service on VPN Host
- IPSec and Internet Key Exchange (IKE) Assessment
- Reviewing Deployment Schemes for Load Balancers
- Application Load Balancer Listener Security
- Network Load Balancer Listener Security
- Insecure Implementation of Network Security Resiliency Services
- Universal WAF not Configured
- Non-Integration of WAF with a Cloud API Gateway
- Non-Integration of WAF with CDN
- Missing DDoS Protection with Critical Cloud Services
- Exposed Cloud Network Services: Case Studies
- AWS Credential Leakage via Directory Indexing
- OpenSSH Service Leaking OS Information
- OpenSSH Service Authentication Type Enumeration
- OpenSSH Service with Weak Encryption Ciphers
- RDP Services with Insecure TLS Configurations
- Portmapper Service Abuse for Reflective DDoS Attacks
- Information Disclosure via NTP Service
- Leaked REST API Interfaces via Unsecured Software
- Unauthorized Operations via Unsecured Cloud Data Flow Server
- Information Disclosure via Container Monitoring Software Interfaces
- Credential Leakage via Unrestricted Automation Server Interfaces
- Data Disclosure via Search Cluster Visualization Interfaces
- Insecure DNS Servers Prone to Multiple Attacks
- Exposed Docker Container Registry HTTP API Interface
- Unsecured Web Servers Exposing API Endpoints
- Exposed Riak Web Interfaces without Authentication
- Exposed Node Exporter Software Discloses Information
- Unsecured Container Management Web Interfaces
- Insecure ERP Deployments in the Public Cloud
- Information Leakage via Exposed Cluster Web UI
- Unsecured Reverse Proxy Web Interfaces
- Recommendations
- References
- Chapter 4: Database and Storage Services: Security Assessment
- Database Cloud Deployments
- Deploying Databases as Cloud Services
- Databases Running on Virtual Machines
- Containerized Databases
- Cloud Databases
- Cloud Databases: Practical Security Issues
- Verifying Authentication State of Cloud Database
- Database Point-in-Time Recovery Backups Not Enabled
- Database Active Backups and Snapshots Not Encrypted
- Database Updates Not Configured
- Database Backup Retention Time Period Not Set
- Database Delete Protection Not Configured
- Cloud Storage Services
- Cloud Storage Services: Practical Security Issues
- Security Posture Check for Storage Buckets
- Unencrypted Storage Volumes, Snapshots, and Filesystems
- Unrestricted Access to Backup Snapshots
- Automating Attack Testing Against Cloud Databases and Storage Services
- Unsecured Databases and Storage Service Deployments: Case Studies
- Publicly Exposed Storage Buckets
- Unsecured Redis Instances with Passwordless Access
- Penetrating the Exposed MySQL RDS Instances
- Data Destruction via Unsecured Memcached Interfaces
- Privilege Access Verification of Exposed CouchDB Interfaces
- Keyspace Access and Dumping Credentials for Exposed Cassandra Interfaces
- Data Exfiltration via Search Queries on Exposed Elasticsearch Interface
- Dropping Databases on Unsecured MongoDB Instances
- Exploiting Unpatched Vulnerabilities in Database Instances: Case Studies
- Privilege Escalation and Remote Command Execution in CouchDB
- Reverse Shell via Remote Code Execution on Elasticsearch/Kibana
- Remote Code Execution via JMX/RMI in Cassandra
- Recommendations
- References
- Chapter 5: Design and Analysis of Cryptography Controls: Security Assessment
- Understanding Data Security in the Cloud
- Cryptographic Techniques for Data Security
- Data Protection Using Server-Side Encryption (SSE)
- Client-Side Data Encryption Using SDKs
- Data Protection Using Transport Layer Encryption
- Cryptographic Code: Application Development and Operations
- Crypto Secret Storage and Management
- Data Security: Cryptographic Verification and Assessment
- Machine Image Encryption Test
- File System Encryption Test
- Storage Volumes and Snapshots Encryption Test
- Storage Buckets Encryption Test
- Storage Buckets Transport Encryption Policy Test
- TLS Support for Data Migration Endpoints Test
- Encryption for Cloud Clusters
- Node-to-Node Encryption for Cloud Clusters
- Encryption for Cloud Streaming Services
- Encryption for Cloud Notification Services
- Encryption for Cloud Queue Services
- Envelope Encryption for Container Orchestration Software Secrets
- Cryptographic Library Verification and Vulnerability Assessment
- TLS Certificate Assessment of Cloud Endpoints
- TLS Security Check of Cloud Endpoints
- Hard-Coded Secrets in the Cloud Infrastructure
- Hard-Coded AES Encryption Key in the Lambda Function
- Hard-Coded Credentials in a Docker Container Image
- Hard-Coded Jenkins Credentials in a CloudFormation Template
- Cryptographic Secret Storage in the Cloud
- Recommendations for Applied Cryptography Practice
- References
- Chapter 6: Cloud Applications: Secure Code Review
- Why Perform a Secure Code Review?
- Introduction to Security Frameworks
- Application Code Security: Case Studies
- Insecure Logging
- Exceptions Not Logged for Analysis
- Data Leaks From Logs Storing Sensitive Information
- Insecure File Operations and Handling
- File Uploading with Insecure Bucket Permissions
- Insecure File Downloading from Storage Buckets
- File Uploading to Storage Buckets Without Server-Side Encryption
- File Uploading to Storage Buckets Without Client-Side Encryption
- Insecure Input Validations and Code Injections
- Server-Side Request Forgery
- Function Event Data Injections
- Cloud Database NoSQL Query Injections
- Loading Environment Variables without Security Validation
- HTTP REST API Input Validation Using API Gateway
- CORS Origin Header Server-Side Verification and Validation
- Insecure Application Secrets Storage
- Hard-Coded Credentials in Automation Code
- Leaking Secrets in the Console Logs via the Lambda Function
- User Identity Access Tokens Leaked in Logs
- Insecure Configuration
- Content-Security-Policy Misconfiguration
- Use of Outdated Software Packages and Libraries
- Obsolete SDKs Used for Development
- Container Images not Scanned Automatically
- Unsupported Container Orchestration Software Version Deployed
- Code Auditing and Review Using Automated Tools
- Recommendations
- References
- Chapter 7: Cloud Monitoring and Logging: Security Assessment
- Understanding Cloud Logging and Monitoring
- Log Management Lifecycle
- Log Publishing and Processing Models
- Categorization of Log Types
- Enumerating Logging Levels
- Logging and Monitoring: Security Assessment
- Event Trails Verification for Cloud Management Accounts
- Cloud Services Logging: Configuration Review
- ELB and ALB Access Logs
- Storage Buckets Security for Archived Logs
- API Gateway Execution and Access Logs
- VPC Network Traffic Logs
- Cloud Database Audit Logs
- Cloud Serverless Functions Log Streams
- Cluster Control Plane Logs
- DNS Query Logs
- Log Policies via CloudFormation Templates
- Transmitting Cloud Software Logs Over Unencrypted Channels
- Sensitive Data Leakage in Cloud Event Logs
- Case Studies: Exposed Cloud Logging Infrastructure
- Scanning Web Interfaces for Exposed Logging Software
- Leaking Logging Configurations for Microservice Software
- Unrestricted Web Interface for the VPN Syslog Server
- Exposed Elasticsearch Indices Leaking Nginx Access Logs
- Exposed Automation Server Leaks Application Build Logs
- Sensitive Data Exposure via Logs in Storage Buckets
- Unrestricted Cluster Interface Leaking Executor and Jobs Logs
- Recommendations
- References
- Chapter 8: Privacy in the Cloud
- Understanding Data Classification
- Data Privacy by Design Framework
- Learning Data Flow Modeling
- Data Leakage and Exposure Assessment
- Privacy Compliance and Laws
- EU General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- A Primer of Data Leakage Case Studies
- Sensitive Documents Exposure via Cloud Storage Buckets
- Data Exfiltration via Infected Cloud VM Instances
- Exposed SSH Keys via Unsecured Cloud VM Instances
- Environment Mapping via Exposed Database Web Interfaces
- Data Leakage via Exposed Access Logs
- Data Leakage via Application Execution Logs
- PII Leakage via Exposed Cloud Instance API Interfaces
- Stolen Data: Public Advertisements for Monetization
- Recommendations
- References
- Chapter 9: Cloud Security and Privacy: Flaws, Attacks, and Impact Assessments
- Cybersecurity Approaches for Organizations
- Understanding the Basics of Security Flaws, Threats, and Attacks
- Understanding the Threat Actors
- Security Threats in the Cloud Environment and Infrastructure
- Security Flaws in Cloud Virtualization
- Security Flaws in Containers
- Virtualization and Containerization Attacks
- Security Flaws in Cloud Applications
- Application-Level Attacks
- Security Flaws in Operating Systems
- OS-Level Attacks
- Security Flaws in Cloud Access Management and Services
- Network-Level Attacks
- Security Flaws in the Code Development Platform
- Hybrid Attacks via Social Engineering and Malicious Code
- Security Impact Assessment
- Privacy Impact Assessment
- Secure Cloud Design Review Benchmarks
- Recommendations
- References
- Chapter 10: Malicious Code in the Cloud
- Malicious Code Infections in the Cloud
- Malicious Code Distribution: A Drive-By Download Attack Model
- Hosting Malicious Code in Cloud Storage Services
- Abusing a Storage Service's Inherent Functionality
- Distributing Malicious IoT Bot Binaries
- Hosting Scareware for Social Engineering
- Distributing Malicious Packed Windows Executables
- Compromised Cloud Database Instances
- Ransomware Infections in Elasticsearch Instances
- Ransomware Infections in MongoDB Instances
- Ransomware Infections in MySQL Instances
- Elasticsearch Data Destruction via Malicious Bots
- Malicious Code Redirecting Visitors to Phishing Webpages
- Deployments of Command and Control Panels
- Malicious Domains Using Cloud Instances to Spread Malware
- Cloud Instances Running Cryptominers via Cron Jobs
- Indirect Attacks on Target Cloud Infrastructure
- Cloud Account Credential Stealing via Phishing
- Unauthorized Operations via Man-in-the-Browser Attack
- Exfiltrating Cloud CLI Stored Credentials
- Exfiltrating Synchronization Token via Man-in-the-Cloud Attacks
- Infecting Virtual Machines and Containers
- Exploiting Vulnerabilities in Network Services
- Exposed and Misconfigured Containers
- Injecting Code in Container Images
- Unsecured API Endpoints
- Stealthy Execution of Malicious Code in VMs
- Deploying Unpatched Software
- Malicious Code Injection via Vulnerable Applications
- References
- Chapter 11: Threat Intelligence and Malware Protection in the Cloud
- Threat Intelligence
- Threat Intelligence in the Cloud
- Threat Intelligence Classification
- Threat Intelligence Frameworks
- DNI Cyber Threat Framework
- MITRE ATT&CK Framework
- Conceptual View of a Threat Intelligence Platform
- Understanding Indicators of Compromise and Attack
- Indicators of Compromise and Attack Types
- Indicators of Compromise and Attack Data Specification and Exchange Formats
- Indicators of Compromise and Attack Policies
- Implementing Cloud Threat Intelligence Platforms
- Using AWS Services for Data Collection and Threat Intelligence
- Enterprise Security Tools for Data Collection and Threat Intelligence
- Open-Source Frameworks for Data Collection and Threat Intelligence
- Hybrid Approach to Collecting and Visualizing Intelligence
- Cloud Honeypot Deployment for Threat Intelligence
- Detecting Honeypot Deployments in the Cloud
- Threat Intelligence: Use Cases Based on Security Controls
- Scanning Storage Buckets for Potential Infections
- Detecting Brute-Force Attacks Against Exposed SSH/RDP Services
- Scanning Cloud Instances for Potential Virus Infections
- Understanding Malware Protection
- Malware Detection
- Malware Prevention
- Techniques, Tactics, and Procedures
- Cyber Threat Analytics
- References
- Appendix A: List of Serverless Computing Services
- Appendix B: List of Serverless Frameworks
- Appendix C: List of SaaS, PaaS, IaaS, and FaaS Providers
- Appendix D: List of Containerized Services and Open Source Software
- Appendix E: List of Critical RDP Vulnerabilities
- Appendix F: List of Network Tools and Scripts
- Appendix G: List of Databases Default TCP/UDP Ports
- Appendix H: List of Database Assessment Tools, Commands, and Scripts
- Appendix I: List of CouchDB API Commands and Resources
- Appendix J: List of CQLSH Cassandra Database SQL Queries
- Appendix K: List of Elasticsearch Queries
- Appendix L: AWS Services CLI Commands
- Appendix M: List of Vault and Secret Managers
- Appendix N: List of TLS Security Vulnerabilities for Assessment
- Appendix O: List of Cloud Logging and Monitoring Services
- Appendix P: Enterprise Threat Intelligence Platforms
- Index
System requirements
File format: PDF
Copy protection: watermark DRM (Digital Rights Management)
System requirements:
- Computer (Windows; macOS X; Linux): read with the free Adobe Reader, Adobe Digital Editions, or any other PDF viewer of your choice.
- Tablet/smartphone (Android; iOS): install the free Adobe Digital Editions app or the PocketBook app before downloading.
- E-book reader: Bookeen, Kobo, PocketBook, Sony, Tolino and many others.
A PDF renders each book page identically on every device, which makes it suitable for the complex layouts used in textbooks and technical books (images, tables, columns, footnotes). On the small displays of e-readers or smartphones, PDFs are rather tedious because too much scrolling is needed. Watermark DRM is a "soft" form of copy protection: technically everything remains possible, including unauthorised redistribution, but the purchaser of the e-book is embedded as a watermark in visible and invisible places, so that in the event of misuse the copy can be traced back to its source.
File format: PDF
Copy protection: Adobe DRM (Digital Rights Management)
System requirements:
- Computer (Windows; macOS X; Linux): install the free Adobe Digital Editions software before downloading.
- Tablet/smartphone (Android; iOS): install the free Adobe Digital Editions app or the PocketBook app before downloading.
- E-book reader: Bookeen, Kobo, PocketBook, Sony, Tolino and many others (not Kindle).
A PDF renders each book page identically on every device, which makes it suitable for the complex layouts used in textbooks and technical books (images, tables, columns, footnotes). On the small displays of e-readers or smartphones, PDFs are rather tedious because too much scrolling is needed.
Adobe DRM is a "hard" form of copy protection. If the necessary prerequisites are not in place, you will not be able to open the e-book, so you must prepare your reading hardware before downloading.
Please note: we strongly recommend authorising the reading software with your personal Adobe ID after installation.