Cloud Services Penetration Testing
We continue to see more services migrating to the cloud. As this shift in computing services continues, the need for cloud services penetration testing increases. Hedgehog Cyber delivers leading-edge cloud penetration testing for cloud service providers as well as for the clients that consume those services, as a core part of our penetration testing offerings.
Our extensive experience working with all major cloud service providers benefits our clients directly. Whether it is Infrastructure, Platform or Software as a Service, Hedgehog Cyber's information security and penetration testing consultants are experienced in testing and securing all of these environments.
Benefits of Cloud Penetration Testing
The benefits of a cloud penetration test are increased technical assurance and a better understanding of the attack surface your systems expose. Cloud services, whether infrastructure, platform or software as a service, are just as prone to security misconfigurations, weaknesses and threats as traditional on-premises systems.
By engaging with Hedgehog Cyber to perform your cloud penetration test, you will get:
- A better understanding of your cloud estate. What services do you have in the cloud? What systems do you expose to the public?
- A detailed report on any common security misconfigurations along with our recommendations for how to secure your cloud configuration.
The increased assurance comes from the visibility you gain of the security weaknesses in your cloud estate. You will be able to verify which services and data are publicly accessible, which cloud security controls are in effect, and how effectively those controls are mitigating your security risk.
Cloud Security Challenges
Although cloud providers offer increasingly robust security controls, under the shared responsibility model it is you who is ultimately responsible for securing your company's workloads in the cloud. According to the 2019 Cloud Security Report, the top cloud security challenges highlighted are data loss and data privacy, followed by compliance concerns and, tied with them, concerns about accidental exposure of credentials.
Cloud Penetration Testing combines external and internal penetration testing techniques to examine the security posture of your organisation's cloud deployment.
Adding a Cloud Configuration Review, which assesses your cloud configuration against accepted industry benchmarks (such as the CIS Foundations benchmarks for each provider), gives you a truly holistic view of your cloud deployment.
Examples of vulnerabilities found by this hybrid of active testing and configuration review include unprotected storage blobs and S3 buckets, servers with management ports (SSH, RDP, WinRM, database listeners) open to the whole internet, and poor egress controls.
Areas we specifically look at that are not usually covered in standard penetration tests are:
- Enumeration of external attack surface – Identify all possible entry points into the environment – O365, Web Applications, Storage Blobs, S3 Buckets, SQL/RDS Databases, Azure Automation APIs, AWS APIs, Remote Desktops, VPNs, etc.
- Authentication and Authorisation Testing – Ensure the users within the environment operate on a Principle of Least Privilege, are protected by robust multi factor authentication policies, as well as ensuring that known ‘bad passwords’ are prohibited from being used.
- Virtual Machines / EC2 – Azure supports two deployment models for virtual machines: Classic (Azure Service Manager) and v2 (Azure Resource Manager). Testing ensures that these virtual machines are protected by Network Security Groups (NSGs – stateful packet filters analogous to firewalls) or EC2 security groups, and that their disks are encrypted at rest. Where possible, audits of missing patches and their impact are included. Where virtual machines are publicly accessible, this leads on to examination of their external interfaces.
- Storage and Databases – This area of testing examines storage blob and bucket permissions, including those of containers and subfolders, ensuring that only authenticated and authorised users can access the data within. Databases (whether SQL Server running on virtual machines, Azure SQL, or Amazon RDS) are also reviewed against security best practice, including network exposure, encryption and authentication settings.
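Two of the misconfigurations listed above, management ports open to the internet and publicly readable storage, are simple to detect once you have the provider's configuration in hand. The following is an added example written for this page, not Hedgehog Cyber's own tooling: it runs offline over constructed sample data shaped like the `SecurityGroups` list returned by `aws ec2 describe-security-groups` and like an S3 bucket policy document, and flags the rules and policy statements a tester would report. The management-port list and the sample group IDs, CIDRs and policy Sids are assumptions made up for the example.

```python
"""Added example (not from the original page): offline checks for internet-exposed
management ports and public bucket policies over constructed sample data."""
import ipaddress
import json

# Assumed list of management ports a tester looks for; extend as needed.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https",
                    1433: "mssql", 3306: "mysql", 5432: "postgres"}

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def _is_internet_wide(cidr):
    """True if the CIDR covers the entire IPv4 or IPv6 address space."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except (ValueError, TypeError):
        return False
    return net == ANY_V4 or net == ANY_V6


def exposed_management_ports(security_groups):
    """Return (group id, port, service, cidr) for every management port that an
    inbound rule opens to the whole internet. Input follows the shape of the
    'SecurityGroups' list from describe-security-groups."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":            # all traffic: every port is in range
                lo, hi = 0, 65535
            elif proto in ("tcp", "6"):  # FromPort/ToPort bound the range
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue                 # udp/icmp rules are not in scope here
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_internet_wide(cidr):
                    continue
                for port, svc in MANAGEMENT_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((sg["GroupId"], port, svc, cidr))
    return findings


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} grants access to anyone, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_bucket_statements(policy_json):
    """Return (public, review): Sids of Allow statements open to everyone with no
    Condition, and Sids of such statements that carry a Condition, which may
    still be narrow enough (e.g. a source-VPC or CloudFront restriction) but
    needs a human to read it."""
    policy = json.loads(policy_json)
    public, review = [], []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement-{i}")
        (review if st.get("Condition") else public).append(sid)
    return public, review


# Constructed sample input; not taken from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},   # office only
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},      # RDP to world
    {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},                         # everything, IPv6
]

SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "CloudFrontOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})

if __name__ == "__main__":
    for gid, port, svc, cidr in exposed_management_ports(SAMPLE_GROUPS):
        print(f"{gid}: {svc} ({port}/tcp) open to {cidr}")
    public, review = public_bucket_statements(SAMPLE_POLICY)
    print("public statements:", public, "| needs review:", review)
```

On the sample data the first group yields one finding (RDP open to 0.0.0.0/0; the SSH rule is restricted to a single /24 and is ignored), while the second group's "all traffic from ::/0" rule expands to every port in the list, which is why an `IpProtocol` of `-1` is treated as the full port range rather than skipped. In a live engagement the same functions would be fed the JSON from `describe-security-groups` and `get-bucket-policy`, and the "review" list is the one that most often hides real exposure, since a Condition on `aws:SourceArn` is safe but a Condition on a header the client controls is not.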
Testing Authorisation in 2020
Microsoft (Azure) and Amazon (AWS) used to require prior notification or authorisation before a penetration test could commence. This is no longer the case: you are no longer required to request authorisation for a cloud penetration test of your own resources on Azure, AWS or GCP, provided the test stays within each provider's published testing policy. AWS still lists a few exceptions, for example denial-of-service simulation and testing of services outside its permitted list, which require separate approval.
Our team consists of AWS Security and Microsoft certified experts. Our experienced consultants frequently publish research on Cloud security and Cloud Penetration Testing.