Defending Web Apps Against Overwhelming Odds

Sunday, April 24, 2011

Rafal Los


The concept of "Cloud Computing" has been a [real] game changer for many reasons, including scalability, the idea of "instant-on", and critical advancements in computing - PaaS, IaaS and SaaS included. 

Unfortunately, cloud computing has also evolved the black-hat side of the equation, including the velocity and vectors of attack against web-based applications.

In the old days, an attacker posed a threat for the reason we've used (in security) for decades... the attacker can spend all their energy searching for one flaw over your entire attack surface yet you have to defend it all with equal vigilance. 

While that paradigm is still true - a few things have happened now...

First, the thing we commonly refer to as the attack surface has exploded.  Think of the surface area of a circular perimeter... relatively easily defensible if you've got a finite amount of defensive resources. 

That circular perimeter would have carefully defined ingress and egress points where packets could be inspected and controlled with at least some regularity. 

Over time, the circle morphed into the three-dimensional sphere, as corporations moved out to "work from anywhere" capabilities, and expanded their virtual online presence and added a web presence.

What happened next was the explosion of Cloud Computing into the everyday CIO's vernacular.  As I stated previously, it appears as though the velocity of confusion has out-paced the educational efforts and sane adoption of what the term cloud computing actually means. 

In the end, the circle, which became the sphere, has now become a complex three-dimensional shape which has more attack surface than any one organization is capable of understanding, much less defending with any success.

Now let's mix back in the idea that an attacker only has to find one, teensy, tiny little entry point to exploit while you're left defending everything not knowing where the attacks will be, or what is going to fall. 

We can all agree that there are enough *exploitable security defects* in commercial software that virtually every organization on the planet can (and will) be broken into given enough patience and resources - so where does that leave us?  More importantly what does that have to do with cloud computing?

Allow me to explain... Cloud Computing has given would-be attackers the power of the "Instant On".  Everything in technology is a double-edged sword and this one cuts pretty deep... because as we've been giving enterprises the ability to scale and provide temporary bursts of massive computing power and bandwidth - we've been giving attackers the same luxury. 

In short - the cloud has made attacking many orders of magnitude less demanding on the attacker.  Think of the idea of scanning IP space of a specific enterprise for a type of vulnerability (let's say... SQL Injection). 

If you've ever used a dynamic analysis tool that has to traverse the entirety of a web application, you know that takes a long time in some cases - especially if you want to be thorough.  Now let's assume that an attacker can design a tool that harnesses the power of something like Amazon's EC2 cloud, for example.

An anonymous attacker can leverage credit cards acquired on the black market to finance a temporary burst of computing power before anyone really notices... Think of it this way: a black-box type scan that could take 1-2 days per application on a single computing instance may take hours or even minutes utilizing the massively parallel computing power a cloud can provide.

A likely scenario that's probably been going on many, many times already:

  • malevolent attacker "acquires" a credit card which can be used
  • attacker utilizes an anonymous VPN to connect to cloud provider
  • attacker purchases a large farm of computing power (several hundred cores of processor, a terabyte of memory, and disk space)
  • attacker unleashes a script or program meant to search for a specific vulnerability across an entire enterprise's web application space
  • attacker identifies a weakness (or more likely several weaknesses), takes the results back from the cloud instance and powers down the whole "attack cloud"
  • attacker then continues to exploit those pinpointed security defects to take advantage of the enterprise's security weaknesses
  • total cost to the attacker?  probably at or under $500 USD ... payout? your guess is as good as mine but I'm guessing many orders of magnitude higher

See, the one thing that's available now that wasn't before is the capability to leverage the massive computing power of the cloud, and since most vendors cannot hope to monitor, log, review and act on attacks originating from their cloud environments... this is the perfect attack platform.

In other words, our savior has just become our worst nightmare.

Now - I'm not going to tell you the sky is falling and you should block all cloud computing instances, that would just be silly... but I'm pointing out a threat that is real, dangerous, and imminent.

What can be, or rather, what should be done to evade the coming "cloud-pocalypse"?  2 things...

  • Cloud providers have a duty to monitor their environments and act on threats in at least near-real-time so they don't become platforms for attack
  • Enterprises need to continue to ramp up their software security assurance efforts - software of every kind (bought, put-together, or built) is under attack

Cross-posted from Following the White Rabbit