As with most companies today, it is best practice to regularly evaluate your risk by performing internal and external (publicly accessible applications) scans of your IT infrastructure. This investigation provides critical information on your attack surface and weaknesses, and is often complementary to pen-testing.
With vulnerability scanning, the entire infrastructure is regularly checked for errors and other potential issues affecting the overall security/risk posture: configurations, encryption algorithms and protocols that are not as they should be. Error messages can leak sensitive details, which should never be revealed to attackers; they provide information on potential vulnerabilities and can lead to a negative user experience (source: OWASP). The scanner checks all IP addresses within an IT infrastructure for offered services and, if any are found, whether those services contain vulnerabilities.
But… does this also work for an infrastructure in the cloud? And if this is the case, how does that work?
Your IT infrastructure vs. 3rd party cloud
In traditional hosting solutions, a company owns and operates the network on physical servers. This means they manage the entire IT infrastructure, staffing, performing configurations, and maintenance. So what can happen?
Errors often arise, normally due to a lack of processes, resourcing and knowledge, e.g. when configuring new servers. Attackers often look for these weaknesses (OWASP Top 10), such as misconfigurations, to gain unauthorised access to assets and information. Often, such flaws result in complete system compromise.
As an example, when using automated deployments, unattended applications and misconfigurations can be deployed. As a result, new potential vulnerabilities may be introduced, making it important to regularly scan the entire network and validate that it is still in a secure state.
It is important to note that owning your IT environment makes scanning networks much easier, as your IP addresses (IP ranges) are configured into scanning tools like Marvin_. These scanning tools automate checks for vulnerabilities and produce a report with findings.
When using 3rd party services, you also purchase firewalls and routers through cloud services like AWS, Microsoft Azure, or Google Cloud Platform. These solutions are popular because they enable scalability, remote working, compliance (e.g. GDPR), real-time analytics, big data, and more.
However, there are some important considerations to keep in mind when scanning your cloud infrastructure:
Consideration 1 - Cloud-based solutions are shared by 3rd parties
When using a cloud solution, the infrastructure is not entirely under your control. You typically rent (server) machines that are assigned an arbitrary IP address; platform providers do not give each customer its own IP range.
To make it more complicated, you are not only working together with Amazon, Microsoft, or Google but also with additional 3rd party service providers. As a result, when scanning your infrastructure, you are unable to scan entire ranges. You need to make careful selections, so that scanning coverage is specific to your IP addresses.
- We recommend reviewing the selected ranges each time you scan, as IP addresses change constantly. Furthermore, scans can appear to (server) machines as attacks, so it pays to carefully make and manage your selection of ranges.
Consideration 2 - Check standard configurations
Most cloud suppliers offer customer-friendly one-click installations or templates to help a customer save time and money, for example by installing a full application and going live without having to perform the full installation themselves. As a result, configuration errors occur while users assume the defaults are configured securely, which can lead to a compromised network.
- We recommend checking there are no configuration errors in the default configurations that a cloud service provider makes available and never assume they are securely configured.
Consideration 3 - Check for overload
An infrastructure scan can cause extra load or noise on the hosting provider's networks, since CPU processing capacity and network bandwidth are shared with other users. This can result in a negative user experience on applications, substantial amounts of data traffic, and cost.
- We recommend testing whether your cloud system automatically scales up in the event of additional system load, for example when performing scans on IT environments. If so, don't forget to reset it afterwards so you don't incur unnecessary costs.
Consideration 4 - Discuss plans upfront
Cloud hosting providers own the IT infrastructure and will restrict your scans, as traffic from automated scanning tools cannot be distinguished from attempts by attackers.
- We recommend consulting the owner of the infrastructure beforehand about your plans to do scheduled scanning and ask their permission.
How do Computest's security experts and Marvin_ scanning tools tackle these security challenges?
Marvin_ is a dynamic security tool engineered to identify vulnerabilities in large codebase(s) and in regularly changing IP addresses, and it is scalable without borders. With Marvin_, you can specify a dynamic scope. The tooling enables holistic daily automated security checks and "pin-point" insights into urgent vulnerabilities in your infrastructure on your own personal portal.
The hybrid tool always provides 24/7 direct contact with Computest hackers/security specialists, who are actively involved in triaging these findings and tuning them to the business needs of the customer, thereby reducing overall triage time and false positives.
The solution runs scans every 24 hours to validate that no new vulnerabilities have been introduced and produces consolidated reporting for compliance needs. The system automatically determines which IP addresses should be scanned and which should not.
An API is made available for this purpose, which means modified configurations or new (server) machines are communicated directly to Marvin_ automatically. This scope also has an 'expiry date': as soon as it elapses, it will no longer be used. This avoids scanning old IP addresses which have since been assigned to a third party by the cloud platform. In this way, updating the scope of the scan can easily be integrated with automated deployment of cloud machines, for example from a CI/CD pipeline.
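To make the two ideas above concrete (Consideration 1: scan only the specific addresses you own, not whole cloud ranges; and a scope whose entries carry an expiry date so that addresses handed back to the platform drop out automatically), here is an added example of a scan-scope registry. It is illustrative code written for this article, not Marvin_'s API or any Computest code; the class names, the 256-address limit per entry, the CI job names and the timestamps are all constructed for the example.

```python
"""Scan-scope registry with expiring entries.

Illustrative code written for this article; it is NOT Marvin_'s API.
It models the idea from the text: a deployment pipeline registers the
address of each new cloud machine with a time-to-live, expired entries
drop out automatically, and broad ranges are refused because in a shared
cloud the neighbouring addresses belong to other tenants.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Union
import ipaddress

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Policy choice for this example (an assumption, not a Marvin_ setting):
# refuse anything wider than a /24-sized block.
MAX_ADDRESSES_PER_ENTRY = 256


@dataclass
class ScopeEntry:
    network: IPNetwork
    expires_at: datetime
    source: str  # who registered it, e.g. a CI job id (constructed)


class ScanScope:
    """Holds the set of addresses a scanner is allowed to touch right now."""

    def __init__(self) -> None:
        self._entries: List[ScopeEntry] = []

    def register(self, target: str, ttl: timedelta, source: str,
                 now: Optional[datetime] = None) -> ScopeEntry:
        """Add a host or small range to the scope for `ttl`; broad ranges are refused."""
        now = now or datetime.now(timezone.utc)
        network = ipaddress.ip_network(target, strict=False)
        if network.num_addresses > MAX_ADDRESSES_PER_ENTRY:
            raise ValueError(
                f"{network} is too broad for a shared cloud range; "
                "register the specific hosts you own instead")
        entry = ScopeEntry(network=network, expires_at=now + ttl, source=source)
        self._entries.append(entry)
        return entry

    def prune(self, now: Optional[datetime] = None) -> int:
        """Drop expired entries; returns how many were removed."""
        now = now or datetime.now(timezone.utc)
        before = len(self._entries)
        self._entries = [e for e in self._entries if e.expires_at > now]
        return before - len(self._entries)

    def active_targets(self, now: Optional[datetime] = None) -> List[str]:
        """Sorted, de-duplicated host addresses that may be scanned at `now`."""
        now = now or datetime.now(timezone.utc)
        hosts = set()
        for entry in self._entries:
            if entry.expires_at <= now:
                continue  # expired: the address may belong to someone else now
            if entry.network.num_addresses == 1:
                hosts.add(entry.network.network_address)
            else:
                hosts.update(entry.network.hosts())
        return [str(h) for h in sorted(hosts, key=lambda h: (h.version, int(h)))]

    def in_scope(self, ip: str, now: Optional[datetime] = None) -> bool:
        """True if `ip` is covered by an unexpired entry at `now`."""
        now = now or datetime.now(timezone.utc)
        addr = ipaddress.ip_address(ip)
        return any(addr in e.network and e.expires_at > now for e in self._entries)


def demo() -> dict:
    """Walk a constructed CI/CD timeline and report the scope at each step."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed timestamp
    scope = ScanScope()
    # A deploy job registers its single new VM for 24h; a test environment's
    # /28 is registered for 12h; an attempt to register a whole /16 is refused.
    # 203.0.113.0/24 is the TEST-NET-3 documentation range.
    scope.register("203.0.113.10", timedelta(hours=24), "ci-deploy-42", now=t0)
    scope.register("203.0.113.0/28", timedelta(hours=12), "ci-deploy-43", now=t0)
    try:
        scope.register("203.0.113.0/16", timedelta(hours=24), "manual", now=t0)
        refused = False
    except ValueError:
        refused = True
    return {
        "broad_range_refused": refused,
        "targets_at_6h": len(scope.active_targets(t0 + timedelta(hours=6))),
        "targets_at_13h": len(scope.active_targets(t0 + timedelta(hours=13))),
        "old_vm_at_25h": scope.in_scope("203.0.113.10", t0 + timedelta(hours=25)),
        "pruned_at_25h": scope.prune(t0 + timedelta(hours=25)),
    }


if __name__ == "__main__":
    print(demo())
```

The scanner would call `active_targets()` at the start of each scheduled run rather than reading a static list, so a machine that was torn down and whose address was recycled by the platform is never scanned once its entry has expired, and a deploy job simply re-registers the hosts it creates to extend their lifetime.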
We configure Marvin_'s vulnerability scanner in great detail to avoid overloading systems being scanned. The scan also comes from a fixed IP address (or in any event a limited set of addresses) and runs within a set time slot. As a result, you can configure autoscaling mechanisms so that they are not triggered during the scan. What's more, with Marvin_, obtaining permission for a scan is not a stumbling block.
Thanks to the extensive experience we have with scanning cloud-based infrastructures at Computest, we have excellent contacts with all the major cloud suppliers and we can get this sorted quickly.
- Justin Black (Business Development Manager) & Jos de Vos (Security Specialist)