Quiz_Material_Spring2024.pdf

Full Transcript

Cloud Computing Spring 2024 Quiz Material 1. Cloud security risks There are multiple ways to look at the security risks for cloud computing. Three broad classes of security risks for cloud computing are: traditional security threats, threats related to system availability, and threats related to third-party data control. 1.1 Traditional security threats: The impact is amplified due to the vast resources and large user populations. Examples: 1.1.1 DDoS (Distributed Denial of Service): is like a traffic jam on the internet. Attackers flood a website or service with so much fake traffic that it becomes overwhelmed and stops working for everyone else. From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination. regular traffic 1.1.2 Phishing is like someone pretending to be someone they're not to trick you into giving them sensitive information, like your passwords or credit card numbers. Imagine someone calling you and pretending to be your bank. They say there's a problem with your account and ask for your account number and PIN to fix it. But in reality, they're not from your bank—they're trying to steal your information. That's phishing. 1.1.3 SQL-Injection Attackers manipulate a website's input fields to make the website give them access to its database. Think of a website where you can search for products. If the website isn't properly protected, you could type something into the search bar that makes it reveal all the website's user passwords. That's SQL injection. Scenario: Let's say there's an online shopping website with a search feature that allows users to search for products by entering keywords. The website uses SQL queries to retrieve product information from its database. Consider the following simplified SQL query used by the website to search for products: SELECT * FROM products WHERE name = ''; Attack: Now, imagine an attacker wants to exploit a SQL injection vulnerability in the website's search feature. Instead of entering a regular search query, the attacker enters the following input into the search bar: ' OR 1=1; -- (note: 1=1 is always TRUE) Cloud Computing Spring 2024 This input modifies the query's logic when inserted into the SQL query. The resulting query becomes: SELECT * FROM products WHERE name = '' OR 1=1; --'; As a result of the SQL injection attack, the website's search functionality retrieves all products from the database instead of filtering based on the user's input. The attacker can now view sensitive product information, modify database entries, or potentially access other parts of the database. 1.2 Threats related to system availability: System failures, power outages, and other catastrophic events could shut down cloud services for extended periods. 1.3 Threats related to third-party data control: Because cloud provider spying offers real risks, storing confidential data on the cloud is dangerous. Contractual duties typically assign the user full responsibility for data security. Users' confidence is not enhanced by the Amazon Web Services customer agreement because it states: “We...will not be liable to you for any direct, indirect, incidental...damages...nor...be responsible for any compensation, reimbursement, arising in connection with: (A) your inability to use the services...(B) the cost of procurement of substitute goods or services...or (D) any unauthorized access to, alteration of, or deletion, destruction, damage, loss or failure to store any of your content or other data.” Source” the required Textbook. ‫ﻟﻺطﻼع و اﻟﺘﻌﺮف ﻋﻠﻰ ﺟﺰء ﻣﻦ ﻣﺤﺘﻮى اﺗﻔﺎﻗﯿﺔ اﺳﺘﺨﺪام ﺧﺪﻣﺎت اﻣﺎزون ﺣﺴﺐ ﻣﺎ ورد ﻓﻲ اﻟﻜﺘﺎب اﻟﺪراﺳﻲ اﻟﻤﻄﻠﻮب ﻟﮭﺬه‬.‫اﻟﻤﺎدة ﻋﻠﻤﺎ ﺑﺄن اﻟﻨﺺ ﻣﻘﺘﺒﺲ ﺣﺮﻓﯿﺎ ً ﺣﺴﺐ ﻣﺎ ورد ﻓﻲ اﻟﻜﺘﺎب‬ 1.3.1 Other issues It is very difficult for a cloud user to prove that data has been deleted by the service provider. The lack of transparency makes auditability a very difficult proposition for cloud computing. Abusing the cloud refers to conducting nefarious activities from the cloud, for example, using multiple AWS instances or applications supported by IaaS to launch distributed denial of service attacks or to distribute spam and malware. Cloud providers themselves do not engage in abusing the cloud. Instead, they provide the infrastructure and services for legitimate users to leverage for various purposes, however, malicious actors, such as cybercriminals can exploit cloud resources for abusive activities such as launching distributed denial of service (DDoS) attacks and distributing spam and malware. 2. Privacy Cloud Computing Spring 2024 The term privacy refers to the right of an individual, a group of individuals, or an organization to keep information of a personal nature or proprietary information from being disclosed. Privacy concerns are different for the three cloud delivery models and also depend on the actual context. For example, consider Gmail, a widely used SaaS delivery model; Gmail privacy policy (see http://www.google.com/policies/privacy/) : “We collect information in two ways: information you give us... like your name, email address, telephone number or credit card; information we get from your use of our services such as:...device information,...log information,...location information,...unique application numbers,...local storage,...cookies and anonymous identifiers... We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: meet any applicable law, regulation, legal process or enforceable governmental request;...protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law. We may share aggregated, non-personally identifiable information publicly and with our partners—like publishers, advertisers or connected sites. For example, we may share information publicly to show trends about the general use of our services.” ‫ﺗﻢ اﻗﺘﺒﺎس اﻟﻨﺺ ﻛﻤﺎ ھﻮ ﻣﻦ اﻟﻜﺘﺎب اﻟﺪراﺳﻲ ﻟﻼطﻼع و اﻟﻤﻌﺮﻓﺔ‬ 3. Virtual machine security Virtual security services are typically provided by the hypervisor as shown in the below Fig. 8.3(a); another alternative is to have a dedicated VM providing security service as in Fig. 8.3(b). The analysis of Xen and another hypervisor shows that the VM technology provides stricter isolation of VMs from one another than the isolation of processes in a traditional operating system. Cloud Computing Spring 2024 Indeed, a hypervisor controls the execution of privileged operations and can thus enforce memory isolation, as well as disk and network access. Hypervisors are less complex and better structured than traditional operating systems and are better positioned to respond to security attacks. A major challenge is that a hypervisor sees only raw data regarding the state of a guest OS, while security services typically operate at a higher logical level, e.g., at the level of a file rather than a disk block. 4. Some of AWS Security Tools CloudTrail is a service that enables governance, compliance, operational, auditing, and risk auditing of an AWS account. The Inspector (IS) is an automated security assessment service; it assesses applications for exposure, vulnerabilities, and deviations from best practices. Web Application Firewall (WAF) protects web applications or APIs against common web exploits and bots that may compromise security, consume excessive resources, or affect availability. WAF provides control over the traffic generated by applications and blocks attack patterns, such as SQL injection. Cognito is used for identity management. It can detect brute-force authentication and fraudulent login attempts. CloudFront is a content delivery network. It protects applications from DDoS attacks and transfers data securely at high speeds. =============================Thanks ======================