.

Cloud Computing - Formulating an EH Methodology for Cloud Computing

<<

savingpvtryansdad

Newbie
Newbie

Posts: 1

Joined: Thu Jul 13, 2006 9:58 pm

Post Wed Feb 03, 2010 3:25 pm

Cloud Computing - Formulating an EH Methodology for Cloud Computing

As a Security Professional supporting the Government, I have been bombarded with the organization using Cloud Computing for the day to day applications and operations. The move to the Cloud is easy for the end user - but is a pain and potential nightmare for those that want to secure the data and protect our Assets.

My Team and I am working our security assessment approach - following the government approved standards. However, from the EH side, am adding additional items as we won't be able to see the assets first hand and have to entrust a third party to protect us.

But aside from the obvious items (scanning from IP's of the unknown, XSS attacks, social engineering, and maybe a spearphish scenario/test case. anyone have any good items to share to add to my list of tests or maybe past experiences or "it was easy" to get to the jewels?!?!?

Thanks.
savingpvtryansdad
<<

KamiCrazy

Jr. Member
Jr. Member

Posts: 78

Joined: Wed Jun 17, 2009 8:40 pm

Post Wed Feb 03, 2010 8:29 pm

Re: Cloud Computing - Formulating an EH Methodology for Cloud Computing

I don't work in the security industry but I do work in sys admin with a heavy focus towards virtualisation and cloud computing.

This sort of topic is something I face very much every day from my management and my clients.

I don't have anything specific to add to the discussion but I do want to bring up that going to the cloud you are essentially outsourcing your IT. Or at least part of the infrastructure.
Is that acceptable to your organisation?

In relation to your question, I don't see cloud computing to be much different to any other computing system. If your cloud apps are web applications, for instance a business I look after uses Xero a web based accounting software package, then you are just pen testing a web app. If your definition of cloud computing revolves around virtualisation then the only added component I would say would be that you need to also test the hypervisor layer.

Just some things to think about.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Feb 04, 2010 9:10 am

Re: Cloud Computing - Formulating an EH Methodology for Cloud Computing

In regards to KamiCrazy's post, he / she asked a very important question:

"I don't have anything specific to add to the discussion but I do want to bring up that going to the cloud you are essentially outsourcing your IT. Or at least part of the infrastructure.
Is that acceptable to your organisation?"

It's interesting that this topic came up, and that this question comes up, as a major provider of webhosting services recently (within the past couple of weeks) had their customers websites defaced.  While it was likely some 'script-kiddie' looking for a thrill - they posted images similar to what might be posted on islamic militant and terror groups' sites - it still doesn't bode well for the customers, whose sites were defaced.  One such site was for a county government's Health Department.  While defacing may or may not have been the worst thing that could have happened (they also had scripts on there to auth to employee data, email, and others, so it could be a lot worse, if the attackers would've gained access to said data through XSS to gain passwords, etc,) ultimately, you have to decide how worth the costs it can be, if you're allowing the security of your 'public image' and public site to be hosted by someone else.

I'd agree fully with savingpvtryansdad, in that it certainly does make things easy for end-users and customers, sometimes, but can be an overall nightmare for IT staff, to try to manage services and security that are out of their control, to whatever extent.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

KamiCrazy

Jr. Member
Jr. Member

Posts: 78

Joined: Wed Jun 17, 2009 8:40 pm

Post Thu Feb 04, 2010 2:58 pm

Re: Cloud Computing - Formulating an EH Methodology for Cloud Computing

Muss gave a great presentation at Kiwicon about the state of security of most shared web hosting providers and it didn't paint a pretty picture.
So when I read hayabusa's example of defaced websites I could almost visualise what exactly happened.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software