Project Proposal Title: Penetration Testing The Cloud
Security of the data stored in the cloud is one of the essential and most emerging needs in cloud computing to ensure that the data and the application of the web are secure. Different types of attackers try to hack systems in the network or any individual users. Hackers try to infiltrate the web application and the underlying software. With the help of penetration testing the security strategy of your web application can be evaluated and monitored when any data which are most sensitive are monitored using penetration testing. Penetration testing is done as a core part of web application security to find out the vulnerabilities in the applications. Penetration testing made on the web application helps to examine the overall security risk and the potential risks that are involved in the web application which may include errors in the coding, breaking of authentication and injecting vulnerabilities inside the application or in the stored data. Penetration testing is done on a computer system, systems connected through networks or on the application that is hosted. Its main use is to find out the vulnerabilities which are open for hackers to breaches the security of the system is one of the important features today. Hackers hack the data of the company or even prevent the authorized person to access the data and ask for a huge amount so that they will allow accessing the data stored in the cloud. Penetration testing helps the security team to find out the arising issues. It is one of the cheapest tests and helps to identify the vulnerabilities as soon as possible. Pen testing and its different usage and implementation are identified due to the growth of the cloud environment. Pen tests are to be conducted for all cloud-based applications as a counterpart of on-premises testing. While the penetration test is run in a public cloud many complexities arise which include technical and legal hindrances.
The first and foremost step is to understand the policies that are given by the cloud provider. There are many cloud providers in the market today due to the increased use of cloud environments. Many providers have restrictions on doing pen tests about what type of test they can actually do while testing it with pen-testing. For example, let us consider one application is running on the cloud which you try to pen test for any vulnerability in the cloud. Before executing the test we should do some research and find out the recommendation of the cloud provider for the different processes they use. If the recommendations of the cloud provider are not followed it may cause some errors. Pentest looks like a DDoS attack and it causes the system to shut down or restart your account. Infrastructures in the cloud are monitored by all the cloud providers to find out the anomalies. When running the penetration testing then the user can inform the system operators or user about the unwanted happening in the cloud. There are even some automated procedures that are implemented. If an attack is detected in the cloud environment it may stop the running application or even shut down the system without any warning message it looks like a DDoS attack. All the cloud providers will monitor their infrastructure to find out the anomalies in the cloud. Since we have taken the public cloud for testing. Public clouds are noisy since it is multitenant and should manage the requirement between the available resources. Some of the cloud providers will shut down the system automatically. Since the applications are shut down by the providers when the user tries to log in to the system they can find that the cloud application, database and storage are offline. If you want to login to the cloud database or cloud application by providing the current credential, A clear explanation about how the username is blocked should be given to the cloud provider. When we implement the penetration test in the public cloud there are certain rules to be followed by the public component. Before doing the pen test the legal policies and procedures should be well known.
The following are the points that should be covered by all the people who try to implement them.
- Data access
- Network access
- Automation and
Application is to identify the needs of APIs and user interface. Next, they should identify how the data should be pen tested whether with the application or directly to the database in the cloud. Network access is used to check whether the application and the data stored in the cloud are protected. Then to find out the workload based on the isolation of the virtual machine and its workload. Laws and regulations in the database should be known before the testing of the data is termed compliance. Many automated tools are available to test the application based on the cloud. Identification of one such automated pen-testing tool is more important. Then identification of the approach that should be followed while testing the application like including or excluding them in a pen test. It explains the reaction of the admin thinking that a real attack has happened. The test to be conducted should be agreed upon by all the members of the pen testing team and should be followed as per the plan. Any exceptions raised by the application helps us to identify the reaction of the admin who is seeing the pen test occurring and killing the access.
Many pen-testing tools are available now among which on-premises cloud-based application is a popular approach. Many cost-effective pen-testing tools are also available in the market. While selecting the pen testing tool it is important that it should simulate the actual attack. Hackers commonly use to guess passwords or look the APIs that provide direct access to the data that is stored in the computer the tools that we select should simulate procedures that hackers can try to hack the system. Pen-testing tools can’t meet the requirements which should be avoided since it increases the cost of leverage an existing tool.
While executing the pen test the following things should be observed
- Human Response
- Automate Response
Human response is based on the reaction of the application admin team and the users about the pen test. The get a correct result the test should not be disclosed. Many users may shut down the system while some will try to identify the problem first, before identifying and uplifting the threat. It also takes the responsibility of the client providers which is one of the important aspects of the responders. In an automated response system, the system will automatically find out the threat. Based upon the identified threat the system can simply block the IP address or shut down the application by the generated pen test. Whatever action it takes should be intimated to the application admin along with a description that says the action taken to correct the issues. Documentation of both human and automated responses is important. With the help of the documentation, we can find out the difference in the responses of the system and humans on the threat and identify the security level of the system.
The main outcome of this testing process is to find out all the vulnerabilities in the system and to discover them with the help of a pen test. The list may contain any number of issues it may be one or two or even hundreds. If no issues are found it means that the pen test created is not effective and it indicates that a re-evaluation of the test should be conducted to find out the vulnerabilities in the system. Some of the vulnerabilities found by the simulation of pen testing in the cloud-based applications are
- Application data can be accessed by using **** API
- Access to the API will be granted after a maximum number of attempts
- Isolation of workload is not properly done by the VM
- DNS is disabled and the VPN will allow the outside users to access the data
- New regulations are not followed while encrypting the data
- Other problems related to the security of the data
Depending upon the type of application that we run the types of issues may vary depending upon the pen test run on it. The different layers like application, network, database, storage system etc should also be tested and reported separately. The interoperability of the layers should also be tested. The output of the test made on each layer should be produced as a report. It is one of the best practices to be followed in pen-testing. The recommendations of the cloud provider regarding the pen test should also be followed to test the applications in the cloud. The get the best result the process flow should be followed by putting in all the effort we can get the best result.
The pen testing results also depend upon who’s doing the test and if the testing is done at home then some issues will not be answered. Even good internal testing teams will miss some things. The team members are familiar with all the applications and can identify the causes and lead to omission. White-hat hackers can be used as an alternative to run cloud-based applications for their money. Researchers are going on to find out the types of applications. The pen testing approach and its tools should be customized as per the specific requirements.
OpenStack Cloud Management Software
OpenStack provides integrated cloud management with four core services which include Compute, Storage, Networking and Dashboard along with a set of ancillary service Identity and Image. The below image shows the block diagram of the software.
It is used to manage virtual machines with huge networks. The OpenStack compute use cases are extended from the public cloud that offers IaaS service, Private clouds which offers service within an organization, applications of big data and for application of high-performance computing. Features of OpenStack is to manage the virtualized server resources like memory space, CPU, network interfaces etc. It manages Flat, Flat DHCP, IPv4, IPv6, etc of the local area network. It also manages to store the data that are imported, shared and helps to query the virtual images. It can also assign or reassign the IP address of the virtual machines in the cloud. Security is provided to the users, project and roles with the Role-Based Access Control (RBAC). Faster provisioning is provided for caching VM images on the nodes.
Both object and block storage is provided by the OpenStack storage to use along with server applications. A distributed storage system for virtual machine images, backups and archives are static storage which is considered object storage. To provide scalability and redundancy objects and files that are written using multiple disk drives help them to spread throughout the OpenStack cloud. Persistent block-level storage is provided by OpenStack which can be used by high-performance data storage with compute instance and expand the file system or for the server to access the raw block-level storage. Features of OpenStack storage (Swift & Cinder) are the usage of commodity hard drives which will reduce the storage cost per byte. To make the storage highly redundant and reliable self-healing is done by copying data to several different places all over the cloud. Data storage is unlimited for both horizontal and vertical scaling. Can provide storage for very large scale objects with multiple petabytes of data along with billions of objects. Elastic Block Storage of Amazon S3 support API. It has many build-in management utilities like account management, storage monitoring and container management.
OpenStack Networking is used for managing API-driven system networks and their IP addresses. A feature of OpenStack networking (Quantum) is to manage the IP address by allowing a static IP address, DHCP. It provides various networking models which also include VLANs. Users can create their own networks and manage them. Various devices can be integrated into the cloud with the help of a network framework which includes firewalls, intrusion detection systems, load balance etc.
OpenStack Dashboard is provided for the cloud administrator and also for the users to manage the resources in the cloud and to control the compute and storage in the cloud. Administrators can create users and assign projects to the user along with a limited set of resources that are required for the project. The dashboard can also be used by the user to control the resource that is allocated to them for their project. It is an extensible web-based application.
OpenStack Identity is used to maintain the user’s database and to nmap the users to the OpenStack service which they can access. A common authentication is provided by OpenStack identity (Keystone) which can integrate third-party backend directory services. It supports standard authentication of providing username and password credentials, token-based system etc., along with other multiple forms of authenticating. Cloud administrators can set up common policies for all the users and systems in the cloud and can specify the permissions of computation, storage and network of resources.
OpenStack Image is a service that helps to discover, register and service for disk and server images. Image templates can be created by the cloud administrators with the help of the template cloud users can instantly create a new image. It helps to create and store the snapshots of the created image. It supports different types of image formats which include VHD (Hywhich include VHD (Hyper-V), Virtual Box(VDI), qcow2, VMDK and OVF.
Open Stack penetration tests are built and configured. For the purpose of implementation four computers are configured to support the penetration testing. To connect the OpenStack dashboard a laptop with window 7 is used. Along with this a window XP system is configured with a network interface card, Wireshark etc are used to analyze network traffic to and from the open stack server. The implementation setup and the output that is received are demonstrated in the output section. The image shown below depicts the OpenStack Test Cloud Implementation.
Before implementing the penetration test a scan of the OpenStack server is executed using the Zenmap program which is a GUI for the nmap program which is called Network Mapper. The result of the scan indicates the no of ports on the OpenStack server which can be used as an attack vector.
Setup of server:
A number of penetration tests are performed in the OpenStack cloud management server during the implementation of this research. Among which the HTTP Fuzzing dashboard does not reveal any vulnerabilities. It uses two test programs BED and fuzz used in HTTP fuzzing attacks in the distributed penetration. The packet tracing test is also executed. Different types of theft attacks were implemented to gain administrative access. In an unencrypted network, the login credentials are acquired easily using Wireshark this is done by locating unencrypted files on the OpenStack server which contains information that is more sensitive. The vulnerabilities that are developed during this research can be prevented using HTTPS for communication between the cloud management software and the cloud users. By encrypting the credential the OpenStack files that contain sensitive information can be prevented. Performance of penetration test is an important task that should be continued on the OpenStack cloud management software. Many large scale companies use OpenStack to test their private and public clouds to protect their data by improving the overall security. Many of the users are moving all their applications and data in the cloud to OpenStack users because of testing and its worthy effort. Penetration tests ensure the security of web applications and provide core security by identifying the vulnerable applications that are running. A report by Forrester has said that nearly 60 per cent of the companies in North America depend on cloud computing.
- B. Mohata, D. M. Dakhane, and R. L. Pardhi,2013. ‘‘Cloud-based testing: Need of testing in cloud platforms,’’ Int. J. Appl. Innov. Eng. Manage, vol. 2, pp. 369–373.
- Raengkla and T. Suwannasart,2013. ‘‘A test case selection from using use case description changes,’’ in Proc. Int. Multi Conf. Eng. Comput. Scientists, Hong Kong, pp. 13–15
- Singh, A. Kaur, B. Suri, and S. Singhal,2012. ‘‘Systematic literature review on regression test prioritization techniques,’’ Informatica, vol. 36, no. 4, pp. 379–408.
- Kumar and S. Rao,2014. ‘‘The latest approach to cyber security analysis using vulnerability assessment and penetration testing,’’ Int. J. Emerg. Res. Manage. Technol., vol. 3, no. 4, p. 21.
- Jones,2013. ‘‘Penetrating the cloud,’’ Netw. Secure., vol. 2013, no. 2, pp. 5–7.
H.-C. Li, P.-H. Liang, J.-M. Yang, and S.-J. Chen,2010. ‘‘Analysis on cloud-based security vulnerability assessment,’’ in Proc. IEEE Int. Conf. E-Bus. Eng. (ICEBE), Shanghai, China, pp. 490–494
- N. Goel and B. M. Mehtre,2015. ‘‘Vulnerability assessment penetration testing as a Cyber defence technology,’’ Procedia Comput. Sci., vol. 57, pp. 710–715.
- Denis, C. Zena, and T. Hayajneh,2016.‘‘Penetration testing: Concepts, attack methods, and defence strategies,’’ in Proc. IEEE Long Island Syst., Appl. Technol. Conf. (LISAT), pp. 1–6.
- I. Sahu and U. Pandey, “Mobile cloud computing: Issues and challenges”, Proc. Int. Conf. Adv. Comput. Commun. Control Netw. (ICACCCN), pp. 247-250, Oct. 2018.
- Akherfi, M. Gerndt and H. Harrod, “Mobile cloud computing for computation offloading: Issues and challenges”, Appl. Comput. Information., vol. 14, pp. 1-16, 2018.
SFUZZ (Simple Fuzzer), available from http://SFUZZ.git.sourceforge.net/git/gitweb.cgi?p= SFUZZ, December 2012.
Quick Start All-in-One OpenStack Shell Script, available from http://devstack.org
National Vulnerability Database CVE-2012-2144, http://web.nvd.nist.gov/view/vuln/detail? vulnId= CVE-2012-2144
Wireshark is available from http://www.Wireshark.org
Zenmap and nmap are available from http://nmap.org
OpenStack Documentation is available from http://docs.openstack.org
Academic Research Writing Arm of Global Research Services.