19 - Cloud Computing

Question 1

What is cloud computing?

Answer 1

An on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network. Common characteristics are:

• On demand service
• Distributed Storage
• Rapid Elasticity
• Automated Management
• Broad Network Access
• Resource Pooling
• Measured Service
• Virtualization Technology

Question 2

What are the types of cloud computing?

Answer 2

• Infrastructure-as-a-Service (IaaS): Provides VM’s and other abstracted hardware and OS’s which may be controlled through a service API.
  
  • Advantages: Dynamic scaling, guaranteed uptime, elastic load balancing
  • Disadvantages: High risk, performance issues.
• Platform-as-a-Service (PaaS): Offers development tools, config management, and deployment platforms on-demand that can be used by subscribers to develop custom applications.
  
  • Advantages: Simplified deployment, Instant community
  • Disadvantages: Vendor lock in, data privacy
• Software-as-a-Service (SaaS): Offers software to subscribers like Google Docs. Etc.
  
  • Advantages: Low cost, global accessibility
  • Disadvantages: Security and latency issues, Total dependency on the internet

Question 3

What are the different types of cloud deployment models?

Answer 3

• Public Cloud: Services that are rendered over a network that is open for public use.
• Private (Corporate) Cloud: Cloud infrastructure operated solely for a single organization
• Community Cloud: Shared infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.)
• Hybrid Cloud: Composition of two or more clouds that remain unique entities but are bound together.

Question 4

What is the NIST Cloud Deployment Reference Architecture?

Answer 4

Defines five major factors:

• Cloud Consumer: User of cloud computing services.
• Cloud Provider: Person or organization providing services
• Cloud Carrier: An intermediary for providing connectivity and transport services between cloud consumers and providers
• Cloud Auditor: A party for making independent assessments of cloud service controls.
• Cloud Broker: An entity to manage cloud services in terms of use, performance, and delivery.
  
  • Service Intermediation: Improves a given function by a specific capability.
  • Service Aggregation: Combines and integrates multiple services into one or more services
  • Service Arbitrage: Similar to service aggregation, but services are not fixed.

Question 5

What are the benefits of cloud computing?

Answer 5

• Economic: Less maintenance costs, less total cost of ownership
• Operational: Flexible and efficiency, scale as needed, deploy apps quickly
• Staffing: Less IT staff, good use of resources
• Security: standardized, effective patch management

Question 6

What is virtualization?

Answer 6

The ability to run multiple OS on a single physical system and share the underlying resources such as a server, a storage device or a network. Involves partitioning, isolation, and encapsulation. Improves efficiency, business continuity, and reduces set up costs.

Question 7

What are the types of Virtualization?

Answer 7

• Storage Virtualization: Combines storage devices from multiple networks into a single storage device
• Network Virtualization: Combines all network resources into a single virtual network.
• Server Virtualization: Splits a physical server into multiple smaller virtual servers.

Question 8

What are some cloud computing threats?

Answer 8

• Data Breach/Loss
• Abuse and Nefarious Use of Cloud Services: Hosting malicious data, hosting exploits, password and key cracking
• Insecure Interfaces and APIs: Circumvents user defined polices, Unknown API dependancies, insufficient input data validation
• Insufficient Due Diligence: Ignorance of CSP’s cloud environment poses risk
• Shared Technology Issues: Most underlying components do not offer strong isolation properties.
• Unknown Risk Profile: Clients are unaware of the risks with the environment
• Unsynchronized System Clocks: Can affect automated tasks, can affect log analyzing
• Inadequate Infrastructure Design and Planning: poor design and shortage of resources can affect performance
• Conflicts Between Client Hardening Procedures and Cloud Environment
• Loss of Operational and Security Logs: poses a risk for investigation
• Malicious Insiders: Users can misuse their access to compromise the information available in the cloud.
• Illegal Access to the Cloud: Weak authentication and auth controls
• Loss of Business Reputation due to Co-tenant Activities: Malicious activity on one tenant can affect another
• Privilege Escalation: More access rights than needed can mistakenly be allowed
• Natural Disasters
• Hardware Failure: hardware failure can make the cloud inaccessible
• Supply Chain Failure: Security in the cloud is directly proportional to security of each link.
• Modifying Network Traffic: traffic can be modified due to flaws while provisioning
• Isolation Failure: Attackers try to control operations and gain illegal access
• Cloud Provider Acquisition
• Management Interface Compromise: The access of the management consoles are a risk.
• Network Management Failure: Poor management leads to congestion, misconnection, and misconfiguration
• Authentication Attacks: Weak auth mechanisms can allow attacks
• VM-Level Attacks: Vulnerabilities in hypervisors
• Lock-In: Inability of the client to migrate to another cloud provider
• Licensing Risks: fees that can be incurred
• Loss of Governance: Customers sacrifice control to cloud providers concerning security.
• Loss of Encryption Keys: Attacker can potentially get unauthorized access
• Improper Data Handling and Disposal: Difficult to control data when handled by cloud providers
• Loss/Modification of Backup Data: attackers gain access to data backups by exploiting vulnerabilities
• Compliance Risks: Risk of CSP not providing proof of compliance
• Economic Denial of Sustainability: Legit account holder can be sued for malicious service that consumes a lot of resources.

Question 9

What are some cloud computing attacks?

Answer 9

• Service Hijacking using Social Engineering: Attacker targets CSP to reset password or other ways of access
• Service Hijacking using Network Sniffing: Packet sniffing used to capture sensitive data
• Session Hijacking using XSS Attack: Attacker uses XSS to steal cookies that are used to authenticate. Involves injecting malicious code into the website that is subsequently executed by the browser.
• Session Hijacking using Session Riding: Attacker rides an active computer session by sending an email or tricking the user to visit a malicious webpage while they are logged into the targeted site.
• Domain Name System (DNS) Attacks:
  
  • DNS Poisoning: Diverting users to a spoofed website
  • Cybersquatting: Conducting phishing scams by registering a domain name that is similar to CSP
  • Domain Hijacking: Stealing a CSP’s domain name
  • Domain Snipping: Registering an elapsed domain name
• Side Channel Attacks or Cross-Guest VM Breaches: Attacker runs malicious VM on same physical host of the victim’s VM and takes advantage of shared physical resources to steal data.
• SQL Injection Attack
• Cryptanalysis Attack: Insecure or obsolete encryption makes cloud services susceptible
• Wrapping Attack: Performed during the translation of SOAP message in the TLS layer where attackers duplicate the body of the message and send it to the server as a legitimate user.
• DoS/DDoS:
  
  • Flooding the server with multiple requests
  • Passing malicious input to the server that crashes app
  • Entering wrong passwords continuously so that user is locked
  • Botnets are referred to as a DDoS
• Man-in-the-Cloud Attack: Advanced version of MitM, where an attacker intercepts communications by abusing cloud services. Attacker tricks victim to install malicious code which plants attackers synchronization token on the victim’s drive.

Question 10

What are the Cloud Security Control Layers?

Answer 10

• Applications
• Information
• Management
• Network
• Trusted Computing
• Computer and Storage
• Physical

Question 11

What are the cloud computing security considerations?

Answer 11

• Cloud computing services should be tailor-made
• CSP’s should provide multi-tenancy
• CSP should have a disaster recovery plan
• SLA’s should be maintained
• Data should be stored securely
• Cloud service should be fast, reliable, and have a fast response
• Symmetric and asymmetric algos must be implemented
• Load balancing should be incorporated

Question 12

What are the types of security controls in the cloud?

Answer 12

• Deterrent Controls: Reduce attacks on the cloud
• Preventative Controls: Strengthen the system against incidents by minimizing vulnerabilities
• Detective Controls: Detect and react appropriately to the incidents that happen
• Corrective Controls: Controls minimize the consequences of an incident, probably by limiting the damage.

Question 13

What are the best practices for Securing the Cloud?

Answer 13

• Enforce data protection, backup, and retention mechanisms
• Enforce SLAs for patching and vulnerability remediation
• Enforce legal contracts in employee behavior policy
• Prohibit user cred sharing among users, apps, and services
• Implement strong authentication, authorization, and auditing
• Check for data protection
• Implement strong key gen and management practices
• Prevent unauthorized server access
• Disclose applicable logs and data to customers
• Analyze cloud provider security polices
• Access security of cloud API’s and log customer network traffic
• Ensure physical security
• Ensure storage, memory, and network access is isolated
• Leverage strong 2FA techniques
• Baseline security breach notification
• Enforce stringent registration and validation process
• Perform vulnerability and config risk assessment
• Enforce strict supply chain management
• Employ security devices such as IDS, IPS, and FW
• Use VPNs to secure clients
• Ensure SSL is used for sensitive and confidential data transmission
• Understand Terms and Conditions

Question 14

What are the NIST recommendations for Cloud Security?

Answer 14

• Assess risk posed to data, software, and infrastructure
• Select appropriate deployment model according to needs
• Ensure audit procedures are in place
• Renew SLAs in case security gaps found
• Establish appropriate incident detection and reporting mechanisms
• Analyze what are the security objectives of organization
• Enquire about who is responsible of data privacy and security issues in cloud

Question 15

What is the Cloud Storage Architecture?

Answer 15

Cloud storage is the storage medium used to store digital data in logical pools. Consists of 3 main layers:

• Front-End: Accessed by end user, provides APIs
• Middleware: Performs several functions such as data de-duplication and replication of data.
• Back-End: Where the hardware is implemented

Question 16

What is a Container?

Answer 16

An app/software including all its dependencies such as library files, config files, binaries, and other resources that run independently of other processes in the cloud.

• CaaS (Container as a Service): Service that includes the virtualization of containers and container management through orchestrators.

Question 17

What is the Container Technology Architecture?

Answer 17

3 phases of lifecycle are: Image Creation/Testing/Accreditation, Storage and Retrieval of Image, Deployment and Management of Container.

• Tier-1: Developer machines - image creation (required files and resources), testing accreditation
• Tier-2: Testing and Accreditation systems - verification and validation of image contents, signing images and sending them to the registries.
• Tier-3: Registries - Storing images and disseminating images to the orchestrators based on requests
• Tier-4: Orchestrators: transforming images into containers and deploying containers to hosts
• Tier-5: Hosts - operating and managing containers as instructed by the orchestrator

Question 18

What is the difference between a Container and a VM?

Answer 18

Virtualization is the ability to run multiple OS on a single physical system and share underlying resources. Containers are placed on the top of one physical server and OS and share OS’s kernel binaries and libraries, reducing the need for reproducing the OS.

Question 19

What is Docker?

Answer 19

An open source technology used for developing, packaging, and running apps and all its dependencies in the form of containers. Provides a PaaS through OS-level virtualization.

• Daemon: processes API requests and handles various docker objects
• Client: Primary interface where users communicate with Docker
• Registries: Locations where images are stored and pulled, can be private or public.

Question 20

What are Microservices?

Answer 20

Cloud hosted, sub applications that work together and perform a unique task.

Question 21

What is the Container Network Model (CNM)?

Answer 21

A set of network interfaces that allow for containers to network. Drivers:

• Host: Container implements host networking stack
• Bridge: Creates Linux bridge on the host that is managed by the Docker
• Overlay: Used to enable container communication over the physical infrastructure
• MACVLAN: Used to create a network connection between container interfaces and the parent host interface or sub-interfaces using the Linux MACVLAN bridge mode
• None: Implements its own networking stack and is isolated completely from the host networking stack.
• Contiv: Open source plugin developed by Cisco
• Weave: Used to a build a virtual network for connecting Docker containers spread across multiple clouds.
• Kuryr: Implements the Docker libnetwork remote driver by using Neutron, an OpenStack networking service

Question 22

What is Container Orchestration?

Answer 22

An automated process of managing the lifecycles of software containers and their dynamic environments. Used for scheduling and distributing the work of individual conatiners for microservices-based apps spread across clusters

Question 23

What is Kubernetes?

Answer 23

aka K8’s, an open source, portable, extenisble, orchestration platform developed by Google for managing containerized apps and microservices. Provides a resilient framework for managing distributed containers, deployment patterns, and performing failover.

• Service discovery
• Load Balancing
• Storage Orchestration
• Automated rollouts and rollbacks
• Self Healing
• Secret and configuration management

Question 24

What is the Kubernetes Cluster Architecture?

Answer 24

A cluster is a group of computers known as nodes. A cluster comprises a minimum of one master node and one worker node. The worker node contains pods (a group of containers) and master node manages them. Components:

• Master components:
  
  • Kube-apiserver: the API server that responds to all API requests
  • Etcd cluster: A distributed and consistent key-value storage where Kubernetes cluster data, service discovery details, API objects are stored
  • Kube-Scheduler: a Master component that scans newly generated pods and allocates a node for them.
  • Kube-controller-manager: A master component that runs controllers which are individual processes but are combined into a single binary
  • Cloud-controller-manager: Used to run controllers that communicate with cloud providers
• Node components:
  
  • Kubelet: An important service agent that runs on each node and ensures containers running in a pod.
  • Kube-proxy: A network proxy that also runs on every worker node.
  • Container Runtime: Software designed to run the containers.

Question 25

What is the difference between Kubernetes and Docker?

Answer 25

Software that is used to run containerized apps on a single OS. Kubernetes is a container orchestration platform that manages containers.

Question 26

What is Serverless computing?

Answer 26

Known as serverless architecture, FaaS (Function as a Service), a cloud based apps architecture where app infrastructure and supporting services are provided by the cloud vendor as they are needed.

Question 27

What is the Cloud Hopper attack?

Answer 27

Attacks are triggered at the managed service providers (MSP) and their users. Initiated by spear phishing with custom made malware to compromise the accounts of staff or cloud service firms to obtain confidential information.

Question 28

What is Cloud Cryptojacking?

Answer 28

An unauthorized use of the victims computer to stealthily mine digital currency. Attackers leverage attack vectors like cloud misconfigurations, compromised websites, and client or server-side vulnerabilities.

Question 29

What is Cloudborne Attack?

Answer 29

A vulnerability residing in a bare-metal server that enables the attackers to implant a malicious backdoor in its firmware.

Question 30

what is enumerating S3 buckets?

Answer 30

Simple Storage Service (S3) is a scalable cloud storage service used by Amazon AWS where files, folders, and objects are stored via web APIs. Through various techniques, attackers try to discover information: * Inspecting HTML * Brute-Forcing URL * Finding subdomains * Reverse IP Search * Advanced Google Hacking

Question 31

What are the best practices for Container security?

Answer 31

* Regularly monitor the CVE's * Employ app aware tools * Configure apps to run as normal users * Configure hosts root file system to be in read-only mode * Employ app security scanning tools * Scan images * Deploy app firewalls * Use separate db for each app * Update host OS * Maintain a set of trusted registries and images

Question 32

What are the best practices for Docker security?

Answer 32

* Don't expose Docker daemon socket * Use trusted docker images only * Patch Docker and host OS * Only allow access to the features required by the container * Limit privileges of Docker images * Disable inter-container communication feature for running Docker demon * Ensure Docker images from remote registry are digitally signed using Docker content trust

Question 33

What are the best practices for Kubernetes security?

Answer 33

* Proper validation of file contents * Raise errors explicitly after each step of a compound operation * Log rotation to prevent log overwrites * Never use compound shell commands with proper validation * Limit the size of manifest files * Use TLS

Question 34

What are the best practices for Serverless security?

Answer 34

* Minimize permissions * Monitor function layers * Use 3rd party security tools * Patch and update function dependencies and apps * Sanitize event input * Deploy functions in minimal granularity to prevent implicit global rules * Data validation * Safe coding practices *

Question 35

what are Zero Trust Networks?

Answer 35

A security implementation that assumes that every user trying to access the network is not a trusted entity by defualt and verifies every incoming connection before allowing access to the network.