Data breaches happen daily, but what constitutes a massive breach versus a small one? My thoughts are a breach is a breach, and size doesn’t matter.
Cloud infrastructure interacts with the public Internet and becomes one big playground and attack surface compared to traditional private infrastructure.
Finding a weakness in a relatively minor area could allow access to sensitive information in another.
Setting up and securing a VPC server containing services like EC2, Databases, VPC peering, and storage such as S3 might look simple at first, but VPC environments can become complicated quickly.
Errors can arise from anyone who is working on or communicating with your cloud infrastructure, from employees and subcontractors or services deploying infrastructure as code.
Gartner estimates that up to 95% of cloud breaches occur due to human errors such as configuration mistakes.
AWS allows customers to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for certain services, and hackers think they can too.
It’s hard to understand your EC2 instance network exposure through console tables and logs with many different Security Groups, Route Tables, Network Access Control Lists, Internet Gateways, along with VPC peering across your network.
You only need to miss one security item, and that opens the door to any bad actor.
A tool such as Nmap can be set up on a free and disposable Linux machine using free credit from cloud providers such as AWS, Azure, GCP, or Digital ocean which provides the hacker with all the tools he or she needs to start an attack with virtually no chance of being caught.
This has made it easy and accessible to start performing mass remote scans, both TCP and UDP, in a couple of minutes. Couple that with over 581 Nmap Scripts publically available and it’s probably only a matter of when not if they start probing your defences.
Hackers are targeting servers that haven’t been set up correctly, using the same scanning tools that we use internally and looking for the same open ports that shouldn’t be accessible via the Internet.
Starting with the basics and performing scan on the top 100 most common ports using
nmap -F XXX.XXX.X.X
Digging deep and not a care in the world, scanning all 65535 ports with
nmap -p- XXX.XXX.X.X
Or they are generating a list of IPs and subdomains with a DNS enumeration scan and using
nmap -iL list-of-ips.txt
combined with (NSE) one of Nmap’s most powerful and flexible features to automate a variety of networking tasks or in this case attacks.
Cloud-based security can be tough to figure out and easy to overlook, relying on consoles tables and logs, or using open port checker tools internally like Nmap to find out which services are exposed to the Internet.
Security visualization is critical when it comes to the dynamic and complex nature of cloud infrastructure and an easy way to communicate between teams and departments of an organization.
Cloud technology allows us the ability to generate interactive security and infrastructure diagrams, creating a full picture straight from the source of truth, eliminating human error and effort.
The ability to see what resources are running and where, how resources are allowed to communicate with each other and the Internet, detect weak points, misconfiguration, and take action before these become a severe risk to your organization.
Visualizing your security layer, seeing the open ports, ingress and egress points, security groups and network interfaces can immediately highlight problems visually and is a quick way to ensure your architecture is secure without trolling through hundreds of console settings.
Security visualization is a tool every serious cloud security expert should have in their digital toolbox.