Preview: cloud pentesting
Dear PenTest Readers,
We would like to proudly present you the newest issue of PenTest. We hope that you will find many interesting articles inside the magazine and that you will have time to read all of them.
We are really counting on your feedback here!
In this issue we discuss the tools and methods that you can find useful while doing penetration tests in the cloud. You can read about micro-segmentation, the phased security approach, or Cloud WAF. There are also a few articles about common issues in cloud pentesting.
Enjoy your reading, Anna Kondzierska & PenTest Team
Table of Contents
Cloud Computing and Penetration Testing
by Ondrej Krehel & Michal Hojcska
Would you want to know how secure your cloud implementation is and how to perform a penetration test properly? The astonishing exposition of on-demand, pay-as-you-go computing platforms (also known as clouds) provides amazing flexibility and unprecedented scalability to both large and small businesses, and to individuals taking advantage of the competing platforms marketplace. On the other hand, it presents a set of new and unique challenges for cloud owners, end users, third parties, regulators, and security professionals in charge, as well as those being hired to assess and remediate security shortcomings.
Turn into a Hero - Use APIs
by Nitesh Sinha
Due to the frenzied pace at which technology growth has happened, is happening and will happen, we are approaching a pretty complex heterogeneous infrastructure environment. With the fast-paced growth of multiple networking protocols and messaging formats, organizations will need to plan to put one standardized infrastructure in place that is capable of addressing current and future requirements.
Penetration Testing in Cloud environments - a systematic approach
by Frank Siepmann
The use of cloud environments in today's organizations has become systematic, creating new challenges for pen-testers. In addition to the infrastructure hosting the application in scope, there is the cloud infrastructure that adds additional attack vectors. The best security with the application and systems hosted in the cloud does not help if the cloud infrastructure is insecure.
Penetration testing in the Cloud
by Jon Sternstein
A pair of eyes intently stares at the computer screen while ten fingers are furiously typing on the keyboard. The penetration tester smiles as he finds the “file upload” component of the credit union’s online banking web application. The application allows a client to upload a custom image for their credit card. Unfortunately for the credit union, they use client-side checks to confirm the uploaded file is a picture file. “Reverse shell uploaded!” the pen tester says to himself as he bypasses the client-side checks and uploads a reverse shell. “Now, let’s access the shell…” He browses to the upload location and waits for the shell to appear on his Kali machine.
Application layer Security. Trend or technology?
by Dwight Koop
External penetration tests (pen tests) that simply fulfill compliance and regulatory checkboxes have proven to be ineffective at helping organizations prevent cybersecurity attacks. In 2016, security experts must refocus pentesting goals to better align with business unit goals. Business unit executives are more attuned to, and aware of, the risks of data breaches and are better able to fund and prioritize larger pen testing budgets, as well as more rigid internal network security.
Protecting your web sites and applications through the cloud
by Luis Diego Raga
Every day we see more and more companies adopting cloud technologies to protect their web sites and applications from external threats such as DDoS and application layer attacks. There are several benefits of using a cloud solution to augment your security controls and security perimeter, but the main one is that you can drop malicious traffic in the cloud, saving you from processing and inspecting this traffic. In this article we will cover some of the technologies that can be applied using cloud technologies to protect your websites and applications.
NextGen Kill Chain Defending the Cloud
by Michael L. Adams
With the exponential increase in cyber-attacks, of which we are all aware, combined with the shift to the Internet of Things (IoT) and Cloud, the attack surfaces and vectors have concurrently expanded to the point of near uncontrollability.
Gain Insight and Protect Your Organization's Security Posture in the Cloud
by Shawn Ershad
In today’s dynamic cyber-security threat landscape, organizations are trying to gain the clearest visibility into all aspects of their information security efforts. These include how to effectively operationalize existing deployed security solutions such as SIEM, Network Monitoring, GRC, and penetration testing tools, as well as services that provide a centralized collection of threat landscape intelligence to evaluate the organization’s security posture.
Penetration Testing in the Cloud
by Robert Hawk
Some of my peers think I have unique ideas in regards to information technology security, information systems security, and cybersecurity. The main notion is that there is no such thing as security. Security has traditionally been based on building defenses that I will outline by using a castle analogy: building moats, walls, segments and compartments, reinforced doors, etc. These kinds of fortresses are in actuality easily defended against small onslaughts, although difficult to defend against very small groups of infiltrators or a massive assault. The small group of infiltrators will always find the cracks in the defensive systems and gain access. In the case of the large scale onslaught, the attackers can always bring more resources than the defenders used to build the fortress - classically that is why castles fail in siege warfare.