CSA Dives Deep Into 'Egregious' Cloud Computing Threats

The Cloud Security Alliance (CSA) published a report in late September that I just got around to reading. I guess it was the Halloween season that drew me to the title, "Top Threats to Cloud Computing: Egregious 11 Deep Dive." It provides case study analyses of last year's The Egregious 11: Top Threats to Cloud Computing, built around nine recent cybersecurity attacks and breaches. (Both reports featured a scary octopus on their covers.)

All kidding aside, the deep dive is well worth a look, and it's free. The so-called Egregious 11, you'll recall, were culled from a survey of 241 industry experts on security issues in the cloud. The respondents rated 11 "salient threats, risks, and vulnerabilities" in their cloud environments. The Top Threats Working Group used the survey results, along with its own expertise, to create the final 2019 report.

The new report builds its analysis on nine actual attacks and breaches, including "a major financial services company, a leading enterprise video communications firm, and a multinational grocery chain." The report "connects the dots between the CSA Top Threats in terms of security analysis," Jon-Michael C. Brook, chair of the Top Threats Working Group, wrote in a foreword to the report. And I think it does so quite effectively.

The list of organizations whose breaches were analyzed is a sexy one. It includes Capital One, Disney+, Dow Jones, GitHub, Imperva, Ring, Tesco, Tesla, and Zoom.

Each of the nine examples is presented in the form of a reference chart and a detailed narrative. The reference chart provides an attack-style synopsis that spans from the actor, threats, and vulnerabilities through to the end controls and mitigations.

Here's one example of the narrative portion of the Capital One breach analysis:

Actor: Former engineer of AWS with insider knowledge on platform vulnerabilities gained credentials from a misconfigured web application to extract sensitive information from protected cloud folders.

Attack: Open-source anonymity network (Tor) and VPN services (iPredator) hid the attacker. Misconfigured ModSecurity WAF used by Capital One with their AWS cloud operations relayed AWS cloud metadata services including credentials to cloud instances. Over-privileged access given to the WAF allowed the attacker to gain access to protected cloud storage (AWS S3 buckets) with the ability to read data sync and exfiltrate sensitive information.

Vulnerabilities: A Server Side Request Forgery (SSRF) vulnerability on the platform was exposed in which a server (e.g. Capital One's WAF) was tricked into making requests from an attacker to access cloud server configurations (e.g. EC2 metadata service) including credentials to whatever the server had access to.

Data Breach: A web application was compromised for IAM credentials to access multiple cloud folders. The cloud folders accessed had read rights to 106 million records of customer information that were exfiltrated.

Data Loss: The data extracted were credit card applications and credit card customer status reports between 2005 and 2019. Personally Identifiable Information (PII) from the applications included applicant names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. The credit card customer PII and financial records extracted included credit scores, credit limits, balances, payment history, contact information, social security numbers, and linked bank accounts. Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers were exfiltrated.
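The SSRF shape the narrative describes is a server that will fetch whatever URL a client hands it, which on an EC2 host means the request can be pointed at the link-local metadata service. As an added example, not code from the CSA report or from this post, here is that anti-pattern beside a hardened fetcher that refuses link-local, loopback and private destinations (including the IPv4-mapped and IPv6 forms of the metadata address), checks every address a hostname resolves to, and refuses redirects that could steer an already-validated request back inside. All function names are hypothetical, and the fake resolver and hostnames at the bottom are constructed so the check runs offline.

```python
"""SSRF guard for a server-side URL fetcher (added example, hypothetical names)."""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_fetch(url: str) -> bytes:
    """The anti-pattern: fetch whatever URL the client supplied, no checks.

    On an EC2 host a request for http://169.254.169.254/... makes the server
    pull instance-role credentials on the attacker's behalf, which is the
    SSRF path the Capital One narrative above describes.
    """
    return urllib.request.urlopen(url, timeout=5).read()


def _is_blocked(ip) -> bool:
    """True for any address an outbound fetch should never be allowed to reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:169.254.169.254 as its IPv4 form
    return (ip.is_link_local      # 169.254.0.0/16 (IMDS lives here), fe80::/10
            or ip.is_loopback
            or ip.is_private      # RFC 1918 ranges and fc00::/7 (fd00:ec2::254)
            or ip.is_multicast
            or ip.is_reserved
            or ip.is_unspecified)


def _resolve(host: str, resolver=None):
    """Return every address `host` maps to.

    `resolver` is an injectable hostname -> list-of-IP-strings callable so the
    check can be exercised without live DNS; None means use the system resolver.
    """
    try:
        return [ipaddress.ip_address(host)]  # literal IP: no lookup needed
    except ValueError:
        pass
    if resolver is not None:
        return [ipaddress.ip_address(a) for a in resolver(host)]
    infos = socket.getaddrinfo(host, None)
    # IPv6 sockaddrs may carry a "%scope" suffix that ip_address() rejects
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def check_outbound_url(url: str, resolver=None):
    """Validate a client-supplied URL before the server fetches it.

    Returns (True, first_resolved_ip) or (False, reason). Every resolved
    address is checked, so a name with one public and one internal record
    is still refused. The returned IP lets the caller pin the connection
    rather than resolve a second time (DNS rebinding).
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = _resolve(parts.hostname, resolver)
    except (socket.gaierror, ValueError) as exc:
        return False, f"unresolvable host: {exc}"
    if not addrs:
        return False, f"{parts.hostname} did not resolve"
    for ip in addrs:
        if _is_blocked(ip):
            return False, f"{parts.hostname} resolves to blocked address {ip}"
    return True, str(addrs[0])


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """A 3xx from a public host could point the validated request at IMDS."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code,
                                     "redirect refused by SSRF guard", headers, fp)


def hardened_fetch(url: str) -> bytes:
    """Fetch only after the destination passes check_outbound_url()."""
    ok, detail = check_outbound_url(url)
    if not ok:
        raise ValueError(f"refusing outbound request: {detail}")
    opener = urllib.request.build_opener(_RefuseRedirects)
    return opener.open(url, timeout=5).read()


def fake_dns(host: str):
    """Constructed resolver: 'imds-alias.example' is a made-up name that an
    attacker-controlled DNS record could point at the metadata address."""
    return {"imds-alias.example": ["169.254.169.254"],
            "www.example.com": ["93.184.216.34"]}.get(host, [])


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[fd00:ec2::254]/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://imds-alias.example/",
              "file:///tmp/example",
              "https://www.example.com/"):
        print(u, "->", check_outbound_url(u, resolver=fake_dns))
```

The address check is only one of the three controls the narrative points at. The others are least privilege for the WAF's instance role, so that a leaked credential cannot list and read S3 buckets it has no business touching, and AWS's IMDSv2, which requires a session token obtained with a PUT request before metadata can be read; a simple GET-based SSRF through a WAF cannot supply that token.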

I think these narratives read like mystery/thrillers, and the companies are name brands for the most part. Even if you're not into this kind of thing, this is an accessible report with useful insights that you should definitely read, developers and IT pros alike.

Both reports were prepared by the CSA's Top Threats Working Group, which, the CSA says, aims to provide organizations with "an up-to-date, expert-informed understanding of cloud security risks, threats, and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies."

When the CSA first hit my radar in 2012, it described itself as a not-for-profit coalition of companies, individuals, organizations, and "key stakeholders" with an interest in promoting secure cloud computing. Its mission hasn't changed, and the website features a nice history and list of milestones. The group also issues the Certificate of Cloud Auditing Knowledge (CCAK) certification, currently the only credential for industry professionals who demonstrate expertise in the essential principles of auditing cloud computing systems. The CSA developed the most widely adopted cloud security audit criteria and organizational certification, which makes the group uniquely positioned to lead industry efforts to make sure that industry professionals have the requisite skill set for auditing the cloud environment.


Posted by John K. Waters on November 2, 2020