Friday, December 6, 2019

Basic Principles and Theory of Cloud Security Exploits - Free Solution

Question: Describe the basic principles and theory of cloud security exploits.

Answer: Cloud computing mainly consists of delivering computing resources such as applications, storage and infrastructure as services from service providers to end users. All of these services are accessed on demand through web browsers. Cloud service providers offer services based on requirements and ensure good quality. Cloud computing is basically of three types.

Infrastructure-as-a-Service (IaaS): Here servers, networking devices, memory and storage are provided to end users as a service. Computational resources such as a larger number of cores and fast instructions per cycle are made available to users as on-demand services. IaaS uses virtualization technology to provide virtual machines to end users on demand, which allows clients to build complex network infrastructures. This eases the deployment and administration of networking devices and makes business easier.

Platform-as-a-Service (PaaS): This provides a development platform on which users design their own applications according to their needs. This service model provides implemented libraries, tools and frameworks for developing applications for end users, and gives end users control over application deployment and configuration settings. Because of this, developers are not required to buy any software; they just get the required platform from the service provider and design and build the application. Google Apps is an example of PaaS; it is a suite of Google tools that includes Gmail, Google Groups, Google Calendar, Google Docs, Google Talk, and Google Sites.

Software-as-a-Service (SaaS): This provides applications as required: rent the application instead of buying it. Suppose Excel is required to prepare some statistics; then just borrow the application from the service provider and use it for the required amount of time instead of buying the software.

These three service models provide different services to the end user and at the same time provide information on the security issues and risks of the cloud.

DoS attack: A denial-of-service attack makes users unable to access a host or network by disrupting its state so that its service does not reach the user. These issues depend on the kind of service. Flooding is the common type of attack that hackers use for DoS: the victim system or service host is flooded with bogus requests that look like legitimate requests, so that the service stops because of the heavy load. In cloud services these flood attacks are differentiated into two types, direct DoS and indirect DoS. When a large volume of requests is flooded into a service provided by a cloud server, the cloud provider, which is responsible for load balancing the service, becomes so busy serving the one user whose service is overloaded that other users do not get good service; this is called direct DoS. If the victim server is doing load balancing and part of its load is offloaded to other servers as part of the load balancing strategy, those other servers also become vulnerable to the DoS attack; this is called indirect DoS.

Malicious insider: Companies and organizations cannot trust the people inside when storing users' data, so it is very important to store user data in such a way that even insiders cannot access it without proper protocol. When all the user data maintained by an organization is moved into a private cloud maintained by a third party, is it safe to trust the third party with the data? Rogue administrators have the privilege to steal unprotected data and can brute-force passwords and get customers' data on demand. Insiders who know the cloud's operational capabilities can identify cloud vulnerabilities and attack them to get sensitive information.

Cyber Theft Online: The storage service provided by cloud computing is very cost effective for business organizations and removes the administrative overhead of handling sensitive data. It reduces the cost of buying new servers and maintaining them, so many companies store data in the cloud. A single major cloud service provider maintains all the sensitive data of business organizations. Consider for example Netflix, which uses Amazon Web Services for storing the data of TV episodes and movies, and Dropbox, which provides a storage service to many users for their personal information. These cloud services are part of everyone's daily life. All the sensitive information is stored in a single place, which makes it a single target for attackers and yields a huge amount of information at little cost compared to the traditional way.

These days many people use social networking sites to interact with friends and to share profiles and personal information. According to a survey, 35 percent of people who use social sites have accounts on all sites, which draws the attention of attackers looking for information. Recently LinkedIn, the world's largest professional networking website with 175 million users, was breached; approximately 6.4 million stolen hashed passwords were dumped onto a Russian website and more than 200 thousand passwords were cracked. A username and password stolen from one website can be used to access other websites, which succeeds for many users. Recently Dropbox found that some logins were malicious and used login details obtained from other social websites.

Wrapping Attack: The client uses a web browser to send service requests, and the service communication uses Simple Object Access Protocol (SOAP) messages, formatted in Extensible Markup Language (XML) and transmitted over HTTP. A security mechanism, WS-Security, is used for the confidentiality and data integrity of SOAP messages transmitted between clients and servers.
Data integrity is maintained by using a digital signature on the message, and for confidentiality, message encryption is used to protect against eavesdropping. This authenticates the client, and the server can validate that the message was not tampered with during transmission. While web servers validate signed requests, attackers use XML signature wrapping to exploit a weakness; the attack is launched when a SOAP message is exchanged between the legitimate user and the web server. The attacker duplicates the user's login session and adds bogus elements into the message, which wrap it: the original message body is placed under the wrapper and malicious code replaces the contents at the top of the message. This modified message is sent to the server, and the server's validation succeeds because the original body is unchanged, so the server is tricked into authorizing a message that has been altered. Because of this the hacker gains unauthorized access to protected resources and carries out the intended operations.

All cloud computing services are accessed via web browser, so wrapping attacks can easily be launched against cloud service providers' servers, making the users victims. In 2008 a cloud service provider was discovered to be vulnerable to the wrapping attack. This was later identified as a bug in the validation process done by the Amazon cloud: a vulnerability in the SOAP message security validation algorithm. A legitimate user's SOAP request can be intercepted and modified; as a result, hackers could take unprivileged actions on victims' accounts in clouds. The same XML signature wrapping technique can be used to hack an account in Amazon AWS just by altering authorized signed SOAP messages, so that the hacker gets permission to access, delete and create user accounts.

Counter measures:

Malware injection security methods: The major security concern in cloud computing is the malware injection attack. These attacks can be nullified using a File Allocation Table (FAT) kind of system architecture.
In the FAT table there is an instance for every customer, so instances can be recognized in advance using the FAT table. The old instance and the new instance can then be compared to determine the validity and integrity of the instances, and malware injection can be prevented this way. Another way of nullifying malware injection is to store the hash value of the original service instance image file and to perform an integrity check between the original and new service instance images to identify a malware-injected instance. In this way malware injection can be identified.

Data Protection: Insiders may steal data intentionally or accidentally, but loss of data can happen in either case, so policies have to take care of data theft by insiders. It is very difficult to identify the behavior of an insider who steals data. Better security measures need to be deployed against insider threats: tools such as data loss prevention, identification of malicious behavior patterns, encryption of sensitive information at storage time, and decoy technology for authentication and authorization.

Policy Amendment: Anyone who has a credit card can register for a cloud service and use it, which gives hackers the advantage of using fraudulent credit cards to get access to the service, obtain the computing power of cloud-based solutions and exploit user data. They carry out all kinds of malicious activities such as spamming and attacking other computing systems. Providers should block users who have been publicly announced by investigation teams, monitor credit card fraud, and change policies in such a way that cloud computing power cannot be utilized by attackers via a weak registration policy. Networks should be managed and administered properly so that they are least vulnerable to attackers. For example, Amazon redefined its user policy to isolate any offending instance that is reported for spam or malware coming through Amazon EC2.
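
For the wrapping attack described above, the check on the validating side is that the element the signature covers is the same element the application goes on to process. The following is an added example, not code from the original post or from any provider: the message layout, the Reference, DigestValue and Wrapper element names and the digest function (a stand-in for real XML-DSig canonicalization and signature verification) are simplifying assumptions, and both sample messages are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"

def digest(elem):
    # Stand-in for XML-DSig canonicalization and digest (assumption, not real C14N).
    def canon(e):
        return (e.tag, sorted(e.attrib.items()), (e.text or "").strip(),
                [canon(c) for c in e])
    return hashlib.sha256(repr(canon(elem)).encode()).hexdigest()

def signed_elements(root):
    # Resolve the Reference URI by Id anywhere in the document, as an ID lookup does.
    ref = root.find(f"{SOAP}Header/Reference")
    target = ref.get("URI", "").lstrip("#")
    return ref, [e for e in root.iter() if e.get("Id") == target]

def naive_verify(root):
    # Flawed pattern: check the referenced element, then act on Envelope/Body anyway.
    ref, matches = signed_elements(root)
    if not matches or digest(matches[0]) != ref.findtext("DigestValue"):
        raise ValueError("digest mismatch")
    return root.find(f"{SOAP}Body")[0].tag

def strict_verify(root):
    # Hardened: one element with the signed Id, one Body in the whole document,
    # and the signed element is the very Body the application will process.
    ref, matches = signed_elements(root)
    body = root.find(f"{SOAP}Body")
    bodies = list(root.iter(f"{SOAP}Body"))
    if len(matches) != 1 or len(bodies) != 1 or matches[0] is not body:
        raise ValueError("signed element is not the processed Body")
    if digest(body) != ref.findtext("DigestValue"):
        raise ValueError("digest mismatch")
    return body[0].tag

def build(signed_op, processed_op=None):
    # Constructed sample messages; Reference/DigestValue/Wrapper are placeholders.
    env = ET.Element(f"{SOAP}Envelope")
    hdr = ET.SubElement(env, f"{SOAP}Header")
    signed = ET.Element(f"{SOAP}Body", Id="body-1")
    ET.SubElement(signed, signed_op)
    ref = ET.SubElement(hdr, "Reference", URI="#body-1")
    ET.SubElement(ref, "DigestValue").text = digest(signed)
    if processed_op is None:
        env.append(signed)          # legitimate: signed Body is the processed Body
    else:                           # wrapped: signed Body relocated, new Body on top
        ET.SubElement(hdr, "Wrapper").append(signed)
        ET.SubElement(ET.SubElement(env, f"{SOAP}Body"), processed_op)
    return env
```

With build("GetStatus", "DeleteUser"), naive_verify returns DeleteUser although only GetStatus was signed, while strict_verify rejects the message.
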

Control access: Private and sensitive data of end users is stored in the cloud, and users get access to their data under the given access control mechanisms. For the physical computing systems, continuous monitoring of incoming requests and the responses served to them, together with analysis of the traffic, makes the security techniques more efficient. Security tools such as firewalls and intrusion detection are used to restrict illegal access and grant legal access to the data. Nearly all traffic is monitored to catch illegal access to data.

Future Work: Cloud computing is a major development for delivering services at a different level, where every service can be offered via the browser, just one click away. With more benefits come more security vulnerabilities and more challenges for all service providers; vulnerabilities still exist in the cloud, and hackers are exploiting those security holes. To provide the best quality to the end user, these security flaws need to be nullified as far as possible. Recently there has been more news about the NSA keeping an eye on information that leaks from third parties and goes into the hands of the NSA, which means you are not the only one looking into your data. Scott Hazdra said in the news that the U.S. and many companies keep an eye on the data stored on the internet and in clouds and transmit it as is to the required sources, which is not good for users of the cloud. It is a big security risk and may be a threat to users who store information on the internet. This kind of risk cannot be avoided in the world of the internet and increases with cloud features. Privacy is always a big concern with the cloud: companies, third parties and insiders can breach the cloud to steal information, and a big threat is intrusion by the government as well.
Confidentiality is a big concern for companies that store information, because competitors try to steal it, so all companies store information in encrypted form irrespective of competitor. This makes attacks costly for hackers compared with the advantage they get from the information, so there are fewer attacks; but now in the cloud everything is stored in one place, many pots in one shot. If one is compromised, all are compromised, which is a big plus for hackers, who can try to steal data at little extra cost. This is one of the big problems in the current cloud industry. The cloud moves users' lives completely onto the internet, which makes them more exposed. Every user tends to store data irrespective of its type because it is so convenient, so at any stage any information about any person can be observed over the internet. This gives hackers the advantage of cracking the accounts of people who are very far away, so that they cannot be traced if personal information is compromised. Security of data and privacy protection of data are major issues; the basic important issues are separation of sensitive data and control of access. It is very important for cloud solution providers to provide a kind of security that matches the levels of the organization while providing protection to users. Some frameworks and utilities need to be built for accessing the cloud and data so that privacy can be provided to users. Mobility between companies is very common in industry, so activating and deactivating accounts should be done very quickly and with good service. Former employees should not be able to get inside the organization's cloud: it is quite natural that insiders gain clarity about the cloud's vulnerabilities and where and when to exploit them, and these details give an advantage to employees who leave the organization and try to attack the cloud for their personal needs.
So it is essential that a cloud organization takes the required steps when removing any employee. Cloud organizations should be very transparent about their agreements with the government so that people are aware of what to keep there and what not. It is very offensive that organizations provide data to the government without informing the user. These leaks give an advantage to government officials, who may try to get users' private information to fulfill their personal needs. This is completely illegal.