How Cloud Migration will help Boost Security and Compliance

How Cloud Migration will help Boost Security and Compliance
Although the adoption of cloud services is becoming increasingly popular in the past few years, many organizations are still skeptical of migrating to the cloud due to security concerns. This outlook tends to emerge from a lack of exposure to the emerging potentialities of the modern cloud. However, the case has become precisely opposite—firms, no matter how small or large, can benefit immensely from cloud migration when regarding stronger security and compliances.

Cloud providers reassure organizations of seamless and hassle-free cloud migration and ongoing maintenance; they make the security and protection of third party data their priority because their reputation highly depends on the kinds of services they provide. Once this goodwill suffers a blow, their company sustains a considerable loss, which is certainly not favored.

The cloud providers render security with the help of following measures:

Safekeeping the Data
Cloud providers are not just any organizations; they have grown considerably and have become among the wealthiest companies in the world. Security concerns come to them not as a challenge, but rather as an opportunity. These companies have a highly skilled team of professional IT engineers that are capable of tackling any security danger that may occur. Take for instance the most prominent cloud provider—Amazon. Amazon’s security parameters are well above the average reach of hackers. Amazon and other cloud providers take protecting infrastructure and customer data as their top priority. They apply a significant portion of their budget to meet and often go beyond security expectations. Companies such as Amazon go through a series of exercises that ensure the protection of physical infrastructure and systems.

Shared Responsibility Model
A model that is implemented at the organizational level is the Shared Responsibility Model in which a cloud infrastructure provider is responsible for maintaining the physical security of its data center, including building access, network and server hardware, as well as monitoring the hypervisor in charge of the virtual machines. On the other hand, the customer is responsible for securing operating systems, applications, and data running on cloud accounts. This co-operation is established when both sides are happy and comply willingly. The benefit is mutual, thus, this model is generally upheld. With its implementation, the cloud providers render best practices for controlling access and limiting network exposures which result in a secured infrastructure.

Supply of Personalized Tools
Typically, cloud providers supply tools that complement cloud-based security management tools to help the organization defend their virtual environments. Take, for instance, Amazon Web Services (AWS) CloudTrail; it provides visibility into the actions being taken by both legitimate users and bad actors operating in the cloud environment and acts as an active vigilante for the entire operation. Other security tools such as firewalls, file integrity monitoring solutions, and centralized logging also remain functional and works together in conjuncture with cloud tools. Thus, it all adds further layers of security that are purposefully built for strengthening and monitoring the environment.

Besides security measures, cloud computing is also highly compliant with the modern day needs of an organization. They focus on cost-effectiveness and the ease of use while keeping in mind the procurement of untainted security measures.

Reduced Business Expenditure
From its advent, cloud computing engineers have strived to seek the betterment of the existing platform services. The financial aspect in organizations is of great importance to the engineers too. Therefore, a traceable shift can be seen in cloud computing as far as reducing cost is concerned. Cloud computing is much more affordable than a traditional data center as it works on a pay-as-you-go model. The building, maintenance and retrieval of data in conventional terms is costly and messy as opposed to cloud computing. Cloud computing uses real-time extraction that takes seconds to locate the data, while any modifications can be done without any harm to the existing data. The labor-force employed and time consumed in cloud computing is a lot less than traditional data centers which result in a more cost-efficient solution for the business.

Greater flexibility
Cloud computing enables organizations to become more agile and flexible through a variety of benefits. The cloud allows businesses to expand their infrastructure without any evident disturbance elastically. Organizations can instantaneously start using systems and applications on newly acquired cloud space without having to worry about the organizational insecurity. Instead, the human resource can work on their business strategies. Even for the IT professionals, who manage these clouds, their efforts can be oriented to other more strategic initiatives instead of a web of data complexity.

Related Stories

Overcoming Cloud Security Threats with AI and Machine Learning

11 Cyber-Security Predictions for 2017

A new forecast predicts that automated malware attacks will have a devastating effect on the internet of things (IoT). It also predicts the rise of the Shadownet (IoT botnets that can’t be seen or measured using conventional tools), cloud poisoning, more growth of Ransomware as a Service, and attacks on smart buildings. The report, “Fortinet 2017 Cyber-Security Predictions: Accountability Takes the Stage,” based its predictions on cyber-security trends this year. The digital footprint of businesses and individuals has expanded, thus increasing the potential attack surfaces; everything is a target and anything can be a weapon; threats are becoming intelligent, can operate autonomously and are increasingly difficult to detect; and old threats are returning but are enhanced with new technologies. According to the report, “This demand for connectivity, and the need to address its associated risks, will create serious challenges for emerging countries, traditionally disconnected markets, and smaller companies adopting digital business strategies for the first time.” Some key predictions are highlighted here. Read more..

The Top 11 Information Security Conferences of 2016

In Part II of our 2015 Infosec Wishlist series, a number of security experts expressed their desire for the security community to renew its focus on collaboration, communication and unity in the New Year. To accomplish this goal, folks in information security will need to internalize this message and inject it into their dealings with one another. But how can we set this process in motion?

We feel that conferences are an excellent starting point. Indeed, these events are perfect for security personnel to share research, debate hot topics and learn from one another.

With this in mind, we have assembled a list of the top 11 conferences in the information security industry for 2016. We hope that everyone with the means and ability to attend these events will do so.
Continue reading

The Biggest Security Threats We’ll Face in 2016

HACKERS ARE NOTHING if not persistent. Where others see obstacles and quit, hackers brute-force their way through barriers or find ways to game or bypass them. And they’ll patiently invest weeks and months devising new methods to do so.

There’s no Moore’s Law for hacking innovation, but anyone who follows cybersecurity knows that techniques get bolder and more sophisticated each year. The last twelve months saw several new trends and next year no doubt will bring more.

Here’s our take on what to expect in 2016. Continue reading…

Bug Reporting is an Art – Idexcel Testing Roundup

1. Why Bug Reporting is an Art That Should Be Learned by Every Tester

When it comes down to it, a tester’s primary responsibility is to test an application or project and report back on the issues. But it isn’t here that the responsibility ends, from here, the real work begins. It’s absolutely essential for testers to understand why their bugs are being rejected or being marked as “not reproducible” and how to react in these situations. Read more…

2. How Was This Tested?” Providing Evidence of Your Testing

Many testers have a tendency to minimize the information they record when testing. The challenge comes when problems are found later, possibly after the software is in production. How do we remember what we did, and when? What records do we have to refer to? How do we, as testers, answer the question “How was this tested?” Read more…

3. The Advantages of Utilizing Formal Test Design Techniques

When it comes to test design, there are those who firmly believe in the use of formal test design techniques and those who believe that those same techniques cause rigid thinking and limit creativity. I believe formal techniques have value as a basis for formal analysis and design as well as for creative thinking. Read more…

4. Discussion: Should Trivial Bugs Be Logged?

A poster to the Test Huddle forum referenced this blog from Eric Jacobson in which he argues that reporting trivial bugs tends to waste everyone’s time and that testers shouldn’t log them. The forum poster’s question: Do you agree or should all bugs be logged despite the severity?

Reponses from both sides have already been submitted to the thread. Contribute your own thoughts on the matter here!

MOBILE APPLICATIONS SECURITY TESTING- TEST FOR THE WORST

We all love apps, especially, the fancy, colourful apps, that promise all-your-problems-end here kind of euphoria. You wish! Really, as if the world could be so simple. However, some apps undoubtedly make our lives much simpler (Ahem, no pun intended).

So what types of applications are we talking about here? Well, that’s not the point. What I would like to elaborate here are the risks that come as a package with our life saving (sometimes literally) mobile apps, which threaten our identity, productivity and other areas critical for our day to day communication.

Why? What’s wrong with those lovely looking apps?

In simple terms, A LOT. In more complex terms, if your device or credentials have been compromised, you got a lot to lose. Now, picture this on a bigger scale, at the business or corporate level. The extent of loss is unfathomable if even a single employee downloads the app that gives the access of internal resources to malicious users who can then access the individual systems and get hold of confidential information. Phishers and hackers are constantly inventing newer ways to compromise such vulnerabilities related to web security. Users want more and more apps, and companies try to develop and deploy these apps quickly, which puts security in the back seat.

Top Mobile apps vulnerabilities and Dealing with them

As per the tests run by HP Fortify, 86% of apps that accessed potentially private data sources such as Bluetooth connections or address books, lacked security measures to protect the data from access. 86% of the apps lacked binary hardening protection, 75% apps did not encrypt data before storing it on the device and 18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly.

The report compiled by WhiteHat shows that whilst many different attack methods exist, XSS (Cross Site Scripting) is the most popular, followed by Content Spoofing. To add to this, many other attack methods, such as SQL Injections, Information Leakage, and Stolen Credentials could all be the side-effects of an XSS attack.

Reference: WhiteHat-Security Statistics report 2012 (https://www.whitehatsec.com/resource/stats.html)

The 2013 Threat Report from the Websense ® Security Labs (WSL) also revealed how often malicious apps abuse permissions, especially in the use of SMS communications, something very few legitimate apps do. Risks increased as the mobile devices are used for web surfing and social media more often than actually making the calls.

So let’s dig a little deeper, and understand these vulnerabilities, and best practices to deal with them.

1. Excessive Permissions and Privileges– This is one of the most serious and common vulnerability that creates a great deal of privacy concerns in the mobile devices. Applications that have more access are easy target for attackers due to broad attack surface. Applications that reside on the mobile device have excessive access privileges and permissions such as access to contact list, receiving and sending messages, update rights, location and access to other devices such as microphone, camera etc.

Best Practice– App Developers should restrict granting privileges and permissions to the applications. Users should periodically check the device setting and apps for any excess permission, and if they feel that any application has excessive access, and should invoke the access rights.

2. Malware– Just like web apps, mobile applications also use web services and HTTP requests to communicate between server and client. Common vulnerabilities such as SQL injection, cross-site scripting, XML bomb, buffer overflow etc. get discovered during dynamic analysis. This enables attacker to propagate malware and gain access to devices information without having the privileges.

Best Practices– Applications should validate all form inputs and convert scripts and script tags to a non-executable form. Ensure that the executables on your server do not return scripts in executable form. You can convert HTML and JavaScript tags into alternate HTML encoding.

3. Ineffective Session Termination– When the user clicks logout button, the session gets terminated only locally on the client side, without terminating the session at the server end. This coding flaw makes the server susceptible to unauthorized access where attacker can access victim’s session and this can lead to identity threat.

Best Practice– After logout, always invalidate the session at the server and client side. If session has not been active for more than 15-20 minutes, terminate the session. Long sessions must be re-authenticated.

4. Buffer Overflow– Attacker uses buffer overflows to corrupt the execution stack of the application. Attacker sends the carefully crafted input to the application, and causes it to execute arbitrary code which can take over the device. The attack relies on writing data to particular memory address, or have the OS mishandle data types.

Best Practice– Buffer overflow protection techniques can be used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables as soon after they occur, and prevent them from becoming serious security vulnerabilities. You can also scan your application with scanner that looks for buffer overflow flaws.

5. SQL Injection– It is used by hackers to steal data from the applications where user input is not validated. As a result, the user can inject SQL statements into the database and have them executed.

Best Practice– The only way to check if your application is vulnerable to SQL injection is by scanning it with the automated web application security scanner.

6. Bad Data Storage Practice– Insecure or bad data storage occurs when developers assume that users will not have access to the device file system, and hence they store sensitive information in data-stores in the devices. If data is not protected property, jailbreaking or rooting the device circumvents any encryption protections, leading to loss of data including username, password, cookies, location data, personal information and application data. SQLite databases, Plist files, Log files, Binary data stores, XML data stores, SD card, cookie stores and cloud synced are the places where data is stored most insecurely.

Best Practice– Do not store data unless absolutely necessary. Scrutinize the data security API’s of the platform, and ensure that they are being called appropriately. Do not store credentials on the device file system.

7. Cross Site Scripting– This attack requires the user to execute a malicious URL which could have been crafted in a manner that appears to be legitimate. Attacker then effectively executes something malicious in the user’s browser.

Best Practice– Use web vulnerability scanner that checks for the XXS vulnerabilities. It will show which scripts/URLs are vulnerable to these attacks.

Some of the other common vulnerabilities include weak server side controls, poor authentication and authorization, weak or broken encryption, insufficient transport layer protection and broken cryptography. The solution to deal with these threats lies in employing a vulnerability analysis solution that can automate security quality testing.

Testing Techniques to Deal with these Vulnerabilities

The mobile applications need to be exhaustively tested for vulnerabilities that put data and device at risk. Threat-profile based test cases are used, and threat profiles are derived from different types of mobile applications. Once the vulnerabilities are identified, these need to be patched, and retested. Some of the most common testing techniques include:
Black box/Dynamic Testing– Also known as behavioral testing. It analyzes code as it runs to identify vulnerabilities that any hacker can find when the application is running in the production. This testing identifies if any weakness can be exploited, or identifies the type of weakness so that human penetration tester can verify this exploitability manually.

Code Review– It identifies the vulnerabilities at the source-code level. It can detect injection flaws, backdoors or suspicious code, hardcoded passwords and secret keys, weak algorithm usage and hardcoded keys and data storage definitions.

Penetration Testing– For any mobile application, one of the most critical tests can be penetration test. It is an ethical attack simulation intended to expose security controls of the application by highlighting risks posed by exploitable vulnerabilities. The vulnerabilities identified by penetration testing include input validation, buffer overflow, cross site scripting, SQL injection, URL manipulation, hidden variable manipulation, authentication bypass, cookie modification, code execution, and few other common software attacks.

Mobile Application Security Assessment– It is a holistic security assessment of mobile applications, the associated backend systems and data flows and interactions between them.

Failures occur, for different reasons such as poor design, faulty code, inefficient security measures or a combination of the above. However, the fact remains that it is important to identify these security risks and minimize security breaches. To protect your users from the attacks, you need to stay updated with the latest threats, and ways to deal with them. Hence, it is essential to stay in touch with the latest vulnerabilities, patches and hacks to ensure that the mobile applications are safe. When it comes to application testing, there is no silver bullet, and no single approach does it all. You need multiple approaches looking from different angles to have the confidence that your application is secure.

Hope for the Best, but Test for the Worst.