Qmunity: Your Colleagues. Your Connections. Your Content.

Cloud Insecurity Part 2: Hacker Attack Patterns and the Cloud

There is an old law of network security that says: if the bad guy can get you to run his program on your machine just once, it’s no longer your machine. Likewise, if the bad guy is able to upload just one program to your website, it’s no longer your website. And, in the worst-case scenario, if the bad guy compromises just one machine in your data center, it’s no longer your data center!

Whether you are trying to secure your data center, secure a hybrid infrastructure including your own resources augmented by the cloud, or secure your cloud in order to best serve your customers, you are trying to prevent the bad guys from running anything on your machines. The bad guys though are not going to stop trying to do just that.

Many of the attack vectors and hackers’ methods have not changed. For example, they are still going to try to crack user passwords. The emerging social networks, unfortunately, provide them with a new tool for doing just that. They can take your user identity (userid) from one network, for example, and try it against every other system where you might have the same userid. Similarly, they can use the information posted about you online - your name, your interests, your friends, etc. - to create a list of candidate passwords that they can apply in a word-wheel fashion to break into your various accounts.
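The defensive counterpart to the profile-driven guessing described above is to run the same public information against a new password before accepting it: if a userid, name, interest or friend's name survives inside the password once obvious letter-for-digit substitutions are undone, the password is rejected. The following Python is an added example, not code from this post or from NetIQ; the sample profile, the substitution table and the four-character minimum token length are assumptions chosen for illustration.

```python
import re

# Constructed sample profile: the kind of public information the post
# describes an attacker harvesting from social networks. Not real data.
SAMPLE_PROFILE = {
    "userid": "jsmith42",
    "name": "John Smith",
    "interests": ["sailing", "Red Sox", "jazz"],
    "friends": ["Maria Lopez", "Dave Chen"],
}

# Assumed table of the common substitutions a guessing tool would also try.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def normalize(text):
    """Lowercase, undo letter-for-digit substitutions, drop everything but letters."""
    text = text.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", text)


def profile_tokens(profile, min_len=4):
    """Every word and every whole field from the profile, normalized.

    Very short fragments (min_len) are skipped so that 'red' or 'sox'
    do not reject otherwise unrelated passwords.
    """
    tokens = set()
    for value in profile.values():
        values = value if isinstance(value, list) else [value]
        for item in values:
            for word in re.split(r"[\s,.\-]+", item):
                norm = normalize(word)
                if len(norm) >= min_len:
                    tokens.add(norm)
            whole = normalize(item)
            if len(whole) >= min_len:
                tokens.add(whole)
    return tokens


def profile_based_weakness(password, profile, min_len=4):
    """Return the profile token found inside the password, or None if it is clean.

    Longest tokens are tried first so the most specific match is reported.
    """
    norm_pw = normalize(password)
    for token in sorted(profile_tokens(profile, min_len), key=len, reverse=True):
        if token in norm_pw:
            return token
    return None


if __name__ == "__main__":
    for candidate in ("S@iling2010!", "DaveChen!", "Tr0ub4dor&3"):
        hit = profile_based_weakness(candidate, SAMPLE_PROFILE)
        verdict = f"rejected (contains '{hit}')" if hit else "accepted"
        print(f"{candidate:15} {verdict}")
```

This check complements, rather than replaces, a minimum length and a breached-password list; it only catches the specific weakness the paragraph describes, a password that can be rebuilt from what is already public about the user.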

This sort of thing was there before the cloud, but it hasn’t gone away, and the cloud simply provides hackers with more ways to gather and use this information. What is more troubling is the way that the cloud allows hackers to employ, and even combine or blend, more sophisticated modes of attack.

Essentially, there are two types of sophisticated attacks used by hackers. On the one hand, you have what I call “inside-out” attacks. Such attacks include

  • Snooping the DNS cache
  • Stealing files via the FTP port
  • Abusing the ARP and SMTP protocols

On the other hand, you have “outside-in” attacks, which are of special concern to cloud providers, hosters and managed service providers (MSPs). These include:

Stealing Sessions

  • When a user’s session on a website has ended, the server should close it out. If it stays open instead, it becomes a “zombie session” that gives a hacker free access to the account.
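The way a server keeps a session from lingering as a zombie is to hold the session record on the server side, expire it on both an idle timer and an absolute timer, delete it outright on logout, and sweep the table periodically. The following Python is an added example, not code from this post; the two timeout values, the in-memory dictionary standing in for a session database, and the FakeClock helper that lets the demo jump forward in time are all assumptions for illustration.

```python
import secrets
import time

# Assumed policy values: expire a session after 15 minutes without a request
# and after 8 hours no matter how active it has been.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60


class SessionStore:
    """Server-side session table; the client only ever holds an opaque token."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised in a test
        self._sessions = {}      # token -> {"user", "created", "last_seen"}

    def _expired(self, sess, now):
        return (now - sess["created"] > ABSOLUTE_TIMEOUT
                or now - sess["last_seen"] > IDLE_TIMEOUT)

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live token, or None. Expired records are deleted."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if self._expired(sess, now):
            del self._sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token):
        """Logout removes the server-side record, not merely the browser cookie."""
        self._sessions.pop(token, None)

    def rotate(self, token):
        """Move a live session under a fresh token (e.g. after a privilege change).

        The creation time is kept, so rotation never extends the absolute limit.
        """
        if self.validate(token) is None:
            return None
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = self._sessions.pop(token)
        return new_token

    def sweep(self):
        """Drop every expired record; run on a timer so zombies cannot pile up."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self):
        return len(self._sessions)


class FakeClock:
    """Constructed stand-in for time.time() so the demo can skip ahead."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    token = store.create("alice")
    print("fresh token valid for:", store.validate(token))
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout:", store.validate(token))
```

Validation deletes an expired record the moment it is presented, and the sweep catches the ones that are never presented again, which is exactly the population that would otherwise sit in the table as zombie sessions.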
SQL Injection

  • Websites, particularly those built on AJAX, can be compromised by hijacking the scripts that make them dynamic. Injecting a small SQL command into the URL parsing logic, for example, can trigger queries and other actions that you never expected, essentially opening a door into your systems.
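What the bullet describes comes down to one coding decision: whether the value from the URL is spliced into the statement text or bound as a parameter. The following Python shows both forms side by side against an in-memory SQLite table, with a request whose parameter carries SQL syntax. It is an added example and not part of the original post; the `user` query-string name, the constructed account rows and the username allowlist pattern are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Assumed shape of a legitimate username, used as a defence-in-depth allowlist.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def build_db():
    """Constructed in-memory accounts table standing in for a real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def username_from_url(url):
    """Pull the (assumed) 'user' query parameter out of a request URL."""
    params = parse_qs(urlparse(url).query)
    return params.get("user", [""])[0]


def lookup_vulnerable(conn, username):
    # The parameter is spliced into the statement text, so any SQL syntax it
    # carries becomes part of the query the database actually executes.
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Placeholder binding: the value travels separately from the statement
    # and is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT username, email FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(conn, username):
    # Defence in depth: reject input that does not look like a username
    # before it reaches the database at all, then bind what remains.
    if not USERNAME_RE.match(username):
        return []
    return lookup_safe(conn, username)


# Constructed requests: an ordinary lookup and one whose parameter contains
# quote and keyword characters, the situation the bullet above describes.
NORMAL_URL = "https://app.example.test/profile?user=alice"
TAMPERED_URL = "https://app.example.test/profile?user=x%27+OR+%27a%27%3D%27a"


if __name__ == "__main__":
    db = build_db()
    for url in (NORMAL_URL, TAMPERED_URL):
        name = username_from_url(url)
        print(url)
        print("  vulnerable:", lookup_vulnerable(db, name))
        print("  safe:      ", lookup_safe(db, name))
        print("  hardened:  ", lookup_hardened(db, name))
```

With the ordinary URL all three lookups return the same single row. With the tampered URL the spliced query matches every account because the condition has been rewritten, while the bound query matches nothing and the hardened one never reaches the database. Logging the rejections from the allowlist step is a cheap way to detect that someone is probing the parameter.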

Java Applet Abuse

  • Similarly, the applets running on a site can be corrupted and made to do malicious things.
Poisoning a Guest VM

  • A dormant program planted in a guest VM can, when it wakes, actually compromise the host OS.

I say that these attacks are of special concern to cloud providers because, as I mentioned in my last blog post, the cloud paradigm relies heavily on virtualization, thus making it vulnerable on that front. Similarly, users have to access cloud applications via the web, making them vulnerable to session stealing and hacks like SQL injection.

To top it all off, the cloud computing model blurs the line between an “outsider” and an “insider”, and between resources that are “on premise” and “off premise”, thereby making it much harder to track down where attacks are originating.

As I’ve tried to show over these last two posts, the ecosystem has a lot of vulnerabilities and keeping all the subsystems trustworthy is a real challenge. Nevertheless, I would like to end on a hopeful note.

Yes, the cloud has introduced new attack patterns and given hackers new ways of creating havoc, but the cloud also gives us an opportunity to secure the data center in a more disciplined way. For, if we can systematically close down all the scenarios - preventing malware, safeguarding authentication, safeguarding compliance and patching - for a cloud ecosystem, eventually we will all get better security. And how to do THAT will be the topic of my next post.


Posted Jun 15 2010, 08:39 PM by DiptoChakravarty
