Top 3 Vulnerabilities in Cloud Pentests

6 February 2025

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents them and provides tips on how to avoid them - for #moresecurity across all IT assets.

Today we look at the three most common security-critical vulnerabilities that our analysts have identified in cloud pentests in recent years.

Why Cloud Pentests?

Storing data in the cloud has become a preferred solution for companies in recent years. However, companies are still responsible for the security of their data and do not hand this over to cloud services.

Often a single misconfiguration or an unadapted default configuration of a cloud service is enough for vulnerabilities to arise. The quantity and complexity of configuration options for many cloud services result in numerous vulnerabilities. A frequent lack of, or insufficient understanding of, the shared responsibility model fuels this trend: many organizations are not aware of their share of responsibility for the configuration of the cloud services they use. As a result, the cloud security analyses we carry out repeatedly reveal typical vulnerabilities.

Multi-Factor Authentication (MFA)

Identity and access management is usually the most important focus of cloud security analyses. The advantage of easy access to cloud resources also poses a major challenge: the classic combination of username and password is no longer sufficient. Multi-factor authentication (MFA) is the standard answer to this problem. MFA does not prevent passwords from being compromised, but it can prevent the misuse of accounts or identity theft. In concrete terms, MFA means that users must present at least two independent factors during authentication. Classic factors are:

  • Knowledge (the user knows something, e.g. password)
  • Ownership (the user owns something, e.g. key)
  • Inherence (the user is something, e.g. fingerprint)

A practical example of the use of MFA is the PSD2 payment directive, which has required European credit institutions to offer their customers strong customer authentication since 2021.

However, it is still one of the most common vulnerabilities when analyzing cloud environments: MFA is not used or only used in a weak form. Weak MFA means that insecure protocols are used to generate or transmit the second factor. Examples of these “legacy protocols” are email, SMS or phone calls, which can be compromised in various ways. However, even technically stronger MFA such as the use of one-time passwords (OTP) or proprietary authenticator apps can be successfully circumvented by social engineering attacks. This, in turn, can be prevented by phishing-resistant MFA, which in current practice primarily includes hardware-based solutions such as FIDO2 security keys and PKI smartcards. The extension of the FIDO2 standard known under the marketing term “Passkey” includes several variants, but not all of them offer the same high level of protection as the aforementioned hardware-based solutions. MFA is therefore not simply MFA. The different variants differ primarily in terms of their security, usability and implementation costs.

Security Tip

In general, even weak MFA is better than no MFA at all. The long-term goal should be the use of phishing-resistant MFA for all users of cloud services. An intermediate step could be the introduction of OTP or authenticator apps for normal users, while phishing-resistant MFA is recommended for particularly sensitive users (e.g. management, accounting) and administrative users with privileged rights. The increasing support of passkeys as a factor for MFA may be a good option in the medium term.

Logging

Monitoring the IT infrastructure and access to company data and its processing is a topic that is equally relevant for IT administrators, compliance officers and auditing departments, both in on-premise environments and in the cloud. Well-configured monitoring of the infrastructure is crucial in order to detect security risks and malicious activities at an early stage and meet compliance requirements.

In the cloud, this monitoring concerns all relevant cloud services, hosted applications and administrative access and activities. Although the activities are logged in the Management Plane by default, these standard logs are often inadequate without customization: there are no preset alert mechanisms and the retention time is often only 90 days.

Many cloud users wrongly assume that infrastructure monitoring is fully covered by the cloud provider. However, by default, this only covers the basic infrastructure of the cloud platform and not the services that the customer uses on it. Additional measures are therefore required for comprehensive security monitoring of the cloud environment. The following challenges and best practices should be taken into account:

Security tip for incomplete monitoring of individual services and layers

Not all services and layers and their activities are recorded by default. Companies should therefore ensure that all security-relevant logs, such as those from web application firewalls or specific applications, are also included in the monitoring. Logs are often only recorded at application level, without including events from cloud services. For complete monitoring, it is important that activities and configurations of cloud services, such as access and authorization changes, are also checked regularly.

Security tip for insecure storage of logs

Logs are often stored in the same environment as the resources themselves. In the event of a compromise, an attacker would therefore also have access to these logs. It is therefore advisable to set up a separate and secure storage environment for logs in order to protect the integrity of this important data. Adequate access management should also be ensured when storing log files in order to prevent manipulation, even by internal perpetrators.

Security tip for limited log retention and storage limits

The retention periods and storage limits configured by default can lead to important logs being deleted before they have been sufficiently analyzed. It is advisable to customize the retention periods and check the storage limits regularly to ensure that all security-relevant information remains available in the long term.

Security tip for alert fatigue and prioritization

A common problem is too many alerts without prioritization, which can overwhelm IT teams or Security Operations Centers (SOCs). Important alerts could easily go unnoticed as a result. Careful prioritization and filtering of alerts helps to focus attention on truly critical incidents and increases the effectiveness of security monitoring. To this end, it is important to learn from false positives and to sharpen alert rules based on the experience gained.

Security tip when looking at logs and metrics in isolation

Logs and metrics from different cloud services or from different providers are often viewed in isolation, which makes a holistic security assessment difficult. A centralized aggregation of all logs, ideally in a Security Information and Event Management (SIEM) solution, enables a holistic view and facilitates the detection of complex threats that can affect multiple services.

Security tip for irregular checking of alert configurations

Although many organizations set up alerts, they are rarely tested for effectiveness and relevance. We recommend regular testing and customization to ensure that alerts really cover the most important and potentially dangerous events, using well-known attack detection frameworks such as MITRE ATT&CK.
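As an added illustration of the tips on covering cloud-service activity (access and authorization changes) and on protecting the integrity of the logs themselves, the following Python snippet is example code written for this article, not a tool of usd HeroLab or of any cloud provider. It runs a small detection rule over a constructed sample of management-plane audit events; the field names and operation strings are assumptions chosen for the example, and the retention check shows what a default window of 90 days would already have purged.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of management-plane audit events (JSON lines).
# Field names and operation strings are assumptions for this example.
SAMPLE_EVENTS = """\
{"time": "2025-01-10T08:01:00Z", "caller": "alice@example.com", "operation": "Storage/read", "result": "Success"}
{"time": "2025-01-10T08:05:00Z", "caller": "bob@example.com", "operation": "Authorization/roleAssignments/write", "result": "Success"}
{"time": "2025-01-10T08:06:00Z", "caller": "bob@example.com", "operation": "Insights/diagnosticSettings/delete", "result": "Success"}
{"time": "2025-01-10T08:07:00Z", "caller": "svc-deploy", "operation": "Compute/virtualMachines/write", "result": "Success"}
{"time": "2025-01-10T08:09:00Z", "caller": "carol@example.com", "operation": "Authorization/roleAssignments/write", "result": "Failure"}
"""

# Operations that change who may do what, or that weaken the audit trail itself.
AUTHZ_CHANGE = ("Authorization/roleAssignments/", "Authorization/roleDefinitions/")
LOG_TAMPER = ("Insights/diagnosticSettings/delete", "Insights/diagnosticSettings/write")

# Fixed "now" so the retention check is reproducible (assumed analysis date).
AS_OF = datetime(2025, 5, 1, tzinfo=timezone.utc)

def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'time'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
            events.append(ev)
    return events

def classify(ev):
    """Return an alert category for an event, or None if it is routine."""
    op = ev["operation"]
    if op.startswith(AUTHZ_CHANGE):
        return "authorization-change"
    if op in LOG_TAMPER:
        return "log-tampering"
    return None

def alerts(events):
    """Raise only successful sensitive operations; failures are skipped to limit noise."""
    out = []
    for ev in events:
        cat = classify(ev)
        if cat and ev["result"] == "Success":
            out.append((ev["time"].isoformat(), ev["caller"], cat, ev["operation"]))
    return out

def beyond_retention(events, retention_days, now=AS_OF):
    """Events that a retention window of retention_days would already have purged."""
    cutoff = now - timedelta(days=retention_days)
    return [ev for ev in events if ev["time"] < cutoff]
```

In a real deployment the two sensitive categories would be forwarded to the SIEM and the retention check would be replaced by a long-term log sink outside the monitored environment.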

Public Endpoints

The insecure configuration of endpoints is another common cause of vulnerabilities in the cloud. To better understand the background, we will briefly discuss an important condition for the use of typical Platform as a Service (PaaS) offerings:

Two prerequisites must be met in order to be able to perform an action on a PaaS service used:

  1. The identity must be authorized to perform the action.
  2. The network must allow access to the service.

In practice, however, we repeatedly see PaaS resources where no protection is configured at network level. As a result, the public endpoints activated by default are still active and allow access from any network, including the Internet.

In order to perform actions on the PaaS service, such as reading or modifying data, it is therefore only necessary to be authorized for the action.

If nothing has been configured here, such as role-based access control, unauthenticated parties may be able to access the data.

However, even the use of weak authentication and authorization methods (low-complexity passwords, no MFA in use) does not provide sufficient protection. Attackers can gain access to cloud users through targeted phishing (spear phishing) or guess simple passwords through brute force attacks.

In this case, potential vulnerabilities in the authentication and authorization procedures (potential zero-day vulnerabilities) could also be exploited from the public Internet.

But let's now look at a concrete example using a storage account: By default, storage accounts at many cloud service providers have public endpoints that can be accessed from the internet.

With an unrestricted public endpoint, whether an attacker can reach the storage account's data via the public endpoint therefore only depends on whether the attacker manages to obtain authorization for their access.

Security Tip

In addition to the use of strong authentication and authorization procedures, the standard use of private endpoints is therefore also recommended. Only if the use case requires it and no other suitable alternative is available should public endpoints be used, whose connectivity should also be reduced to the necessary minimum. This second level of protection can also provide protection if there is a vulnerability in the authentication and authorization procedures or if a session token has been stolen.
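The following Python model, written for this article and not taken from any provider's SDK, works through the two prerequisites above on a hypothetical storage-account-like resource: with the default unrestricted public endpoint, a stolen token is enough; with the public endpoint disabled and access only via a private endpoint, the same token is stopped at the network gate. All names, fields and network values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class PaasResource:
    """Hypothetical PaaS resource (e.g. a storage account) and its network settings."""
    public_endpoint_enabled: bool = True                        # default at many providers
    allowed_public_ranges: List[str] = field(default_factory=list)  # CIDRs; empty = any
    private_endpoint_vnets: Set[str] = field(default_factory=set)
    authorized_principals: Set[str] = field(default_factory=set)

@dataclass
class Request:
    principal: str               # identity presenting the (possibly stolen) token
    source_ip: str
    source_vnet: Optional[str]   # set when the request arrives via a private endpoint

def network_allows(res: PaasResource, req: Request) -> bool:
    """Prerequisite 2: does the network path permit reaching the service?"""
    if req.source_vnet is not None:
        return req.source_vnet in res.private_endpoint_vnets
    if not res.public_endpoint_enabled:
        return False
    if not res.allowed_public_ranges:
        return True  # unrestricted public endpoint: any network, including the Internet
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in ipaddress.ip_network(r) for r in res.allowed_public_ranges)

def identity_authorized(res: PaasResource, req: Request) -> bool:
    """Prerequisite 1: is the identity authorized for the action?"""
    return req.principal in res.authorized_principals

def evaluate(res: PaasResource, req: Request):
    """Return (allowed, gate) for a data-plane action such as reading a blob."""
    if not network_allows(res, req):
        return False, "network"
    if not identity_authorized(res, req):
        return False, "identity"
    return True, "ok"

# Constructed scenarios: same authorized identity, different network configuration.
DEFAULT_PUBLIC = PaasResource(authorized_principals={"alice"})
HARDENED = PaasResource(public_endpoint_enabled=False,
                        private_endpoint_vnets={"vnet-prod"},
                        authorized_principals={"alice"})
STOLEN_TOKEN_FROM_INTERNET = Request("alice", "203.0.113.7", None)
```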

Let's Recap

Insufficient understanding of the shared responsibility model, incorrect configuration or non-customized standard configurations of cloud services often lead to security gaps. The implementation of multi-factor authentication (MFA) is particularly important, as simple combinations of user name and password are no longer sufficient. Monitoring the cloud infrastructure (logging) is also crucial, as many cloud services only offer standard logs. Another common security problem is publicly accessible endpoints, as cloud resources can be attacked via these from any network.

As a user of cloud services, you need to ensure the security of your data. A cloud pentest can provide clarity here and help you to effectively protect the data of your company, your customers and your employees. Our security analysts comprehensively examine all relevant cloud components and identify potential gateways for attackers. Get in touch, we're happy to help.
