
Cloud Vulnerability:

Current Threats to Cloud Computing

Nicholas Wicker

Program of Cyber Security Operations & Leadership, University of San Diego

CSOL 500-02-FA21: Foundations of Cyber Security

Professor Erik Schmidt

September 20, 2021



Table of Contents

Abstract
Introduction
Discussion
Why Cloud?
Data Breaches
Theft of Data
Lack of Credential Complexity and Management
Insider Threat(s)
User Controls
Denial of Service (DOS) / Distributed Denial of Service (DDOS)
Policies, Training, Guidance
Account Hijacking
Inadequate Security Control Posture
Facility Infrastructure
Conclusion
References

Abstract

Cloud computing offers companies an alternative to provisioning their own resources such as hardware, software, and IT support. Cyber threats are present wherever there is a user, an open port, or a web connection. Some cyber event is all but inevitable, although proper planning and training can reduce the chance that a threat succeeds. Cloud computing presents adversaries with a system to penetrate and carry out attacks.

Introduction

This paper identifies ten threats that are current to cloud computing. These threats affect both the service provider and those who use its services for data transfer and storage. The premise is that with proper controls, whether physical or logical, and proper training for those who manage and handle the data, a threat is less likely to succeed. As more data is created and more storage is required, attackers will continue to pose a threat to vulnerable systems.

Discussion

The COVID-19 pandemic brought on both physical and technological challenges for companies and their employees. Many businesses had to shift their workforce to remote operations. A Pew Research Center report (Parker, Horowitz, & Minkin, 2021) recorded data from 5,858 U.S. adults who work either full or part time. Before the pandemic, 20 percent of those adults worked from home; that figure jumped to 71 percent because of in-person work guidance and social distancing restrictions. This health crisis has changed the way the workforce operates and has created challenges for companies in storing and transporting data.



Why Cloud?

Cloud computing has a promising future, yet with any form of data service that stores, transfers, and backs up data, ensuring adequate and proper security metrics is of utmost importance to maintaining data integrity. As with any application that connects to the web, this creates a gateway for those looking to penetrate a system, possibly with harmful intent. Some benefits of using a cloud service are as follows (Kim & Kim, 2016):

• Cost saving: limited up-front investment and operating cost; allocation of resources.
• Business agility: quick responses to IT requirements for new business; access to the provider's service through various devices with internet access within a short period.
• Highly scalable: the service provider can expand its service to large scales to rapidly provide additional support capability.
• Reduced business risks and maintenance expenses: outsourcing shifts business risks to infrastructure providers and cuts down maintenance costs.

Data Breaches

The concept behind cloud storage is that data is not located in one centralized location. Therefore, if services are interrupted or need to be taken offline for maintenance, the data is still available to the user(s), as it is transferred to alternate accessible locations, either local or remote. There are a couple of areas to focus on regarding data breach threats. First, a user who stores data on a vendor-supplied service, such as iCloud Drive from Apple, is theoretically concerned only with being able to access their data from Apple's services. If, however, a medium-size or larger company enters into a contractual agreement with a service provider such as Amazon Web Services (AWS), then the company is trusting that the data moving from its servers is properly secured and safeguarded wherever it is transferred and stored. A provider such as AWS manages a fleet of locations that support cloud facilities, and these facilities are still physical, as they operate server farms. Therefore, the cloud still requires physical servers, facilities, personnel, and other operational requirements to maintain the service.

A study conducted in 2020 by the global intelligence firm IDC "revealed that 80% of organizations suffered at least one cloud data breach in the past 18 months, while 43% of companies reported 10 or more cloud data breaches" (Zatlavi, Yachin, & Dahan, 2021). Figure 1 gives an idea of how responsibilities are shared.

Figure 1. Shared responsibility for security between cloud providers and their customers (Skyhigh Security, n.d.)

Ermetic, the cloud access risk security company that reported the IDC study results, identifies the top three concerns associated with the cloud environment:

• Security misconfiguration
• Inadequate visibility of access settings, including activities
• Access management permission errors



Security managers and system administrators need to work together to ensure that privileges and access are granted only to authorized personnel who have been vetted accordingly. Additionally, proper access policies and guidance should be acknowledged by all users.

Theft of Data

Data can be considered compromised once an attack has occurred. Even if files seem unaltered, a copy of the data may have been taken or exploited. According to the Identity Management Institute (IMI), a notable 21 percent of the data uploaded by companies into the cloud contains sensitive data. This data is vulnerable to malicious activity, and the company risks having its intellectual property stolen. Additionally, IMI noted:

"The Ponemon Institute and Surveying 409 IT investigated the risk posed by BYOC (bring your own cloud). The analysis revealed that most of the interviewees had no idea of the threat posed by bringing their own cloud storage devices to their organization. Employees unwittingly help cyber-criminals access sensitive data stored in their cloud accounts.

Weak cloud security measures within an organization include storing data without encryption or failing to install multi-factor authentication to gain access to the service." (Cloud Security Risks and Solutions, 2021)

Companies may not initially think of the vulnerabilities when handing data to service providers and may assume their data is 100 percent secure and accessible only by the company itself. Companies need to do their due diligence when working with a vendor to ensure that security practices are in place and that access controls are implemented.

Lack of Credential Complexity and Management

Authentication of users strengthens the security posture and can thwart many adversaries from initiating attacks. Two-factor authentication (2FA) is becoming more common in mobile applications and websites that collect and handle personal information. When systems and applications lack authentication requirements, whether by not offering 2FA or by not enforcing password complexity, they present opportunities for attackers to infiltrate a system.

Insider Threat(s)

The insider threat could be considered the most dangerous threat from both a physical and a logical attack vector. Personnel who have physical access to facilities may be familiar with the network, security barriers, and office space layouts. Regardless of the privileges a person has on the network, each person can have detailed knowledge of which vulnerabilities may be present, without much effort or research.

User Controls

End users of systems can unknowingly create vulnerabilities or provide information to adversaries. It is imperative that businesses train their employees on cyber threats such as phishing, fraud, and scammers, and on using complex passwords and protecting material.

When an employee is using a cloud service, they must be aware that measures beyond those for a local network database need to be considered. Enforcing virtual private network (VPN) connections is an excellent way to limit external threats. In addition, policies and guidelines for employees connecting to publicly accessible wireless networks, such as those in cafés or hotels, will help protect data.



Denial of Service (DOS) / Distributed Denial of Service (DDOS)

Cloud computing services often use the HTTP protocol. "This means that the HTTP protocol's attacks, vulnerabilities, misconfiguration, and bugs have a direct impact on the users' services deployed on the cloud" (Idhammad, Afdel, & Belouch, 2018). Attacks on the cloud can occur either internally or externally. The primary targets are usually the Software as a Service (SaaS) and Platform as a Service (PaaS) layers.

Attackers, for example, may take advantage of the trial periods that cloud vendors offer. The result could be an "authorized user" within the environment who can then launch a DoS attack on the internal machine(s). Additionally, "sharing infected virtual machine images could allow an attacker to control and use the infected virtual machines to carry out an internal DDoS attack on the targeted machine within the same cloud computing system" (Darwish, Ouda, & Capretz, 2015).

Mitigation techniques to thwart such attacks include implementing intrusion prevention/detection systems, which help firewalls block unauthorized traffic. Disabling unused services and installing security patches are best practices as well.
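A detection system of the kind mentioned above has to decide, from the HTTP logs, when "busy" has become "flooded". The following is an added example written for this paper, not the system of Idhammad, Afdel, & Belouch (2018) nor any code from the paper; it borrows only the entropy idea named in that title: per-window request volume combined with the Shannon entropy of source addresses, run over constructed access-log lines. The log format, the 60-second window and the two thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Fields used from an Apache/nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log (made up for this example, not real traffic):
# a quiet minute of ten requests from ten hosts, then a minute in which
# two hosts send forty requests for the same resource.
_QUIET = [f'10.0.0.{i} - - [20/Sep/2021:10:00:{i:02d} +0000] '
          f'"GET /index.html HTTP/1.1" 200' for i in range(1, 11)]
_FLOOD = [f'{"203.0.113.7" if i % 2 else "198.51.100.9"} - - '
          f'[20/Sep/2021:10:01:{i:02d} +0000] "GET /search?q=x HTTP/1.1" 200'
          for i in range(40)]
SAMPLE_LOG = "\n".join(_QUIET + _FLOOD)


def normalized_entropy(counter):
    """Shannon entropy of the source distribution, scaled by log2(total) so
    1.0 means every request came from a different host and values near 0
    mean a handful of hosts account for nearly all requests."""
    total = sum(counter.values())
    if total <= 1:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counter.values())
    return h / math.log2(total)


def window_stats(log_text, window_seconds=60):
    """Bucket requests by timestamp into fixed windows; return
    {window: (request_count, source_entropy)}."""
    windows = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        clock = m.group("ts").split(" ")[0]          # dd/Mon/yyyy:HH:MM:SS
        hh, mm, ss = (int(x) for x in clock.split(":")[1:4])
        bucket = (hh * 3600 + mm * 60 + ss) // window_seconds
        windows[bucket][m.group("ip")] += 1
    return {b: (sum(c.values()), normalized_entropy(c)) for b, c in windows.items()}


def flag_flood_windows(log_text, min_requests=30, max_entropy=0.5):
    """Windows with a high request rate AND a concentrated source distribution,
    the combination an HTTP flood from few hosts produces; a busy but diverse
    window (many hosts, high entropy) is left alone."""
    return sorted(b for b, (n, h) in window_stats(log_text).items()
                  if n >= min_requests and h <= max_entropy)


if __name__ == "__main__":
    for b, (n, h) in sorted(window_stats(SAMPLE_LOG).items()):
        print(f"window {b}: {n} requests, source entropy {h:.2f}")
    print("flagged windows:", flag_flood_windows(SAMPLE_LOG))
```

A flood spread over many spoofed or botnet addresses keeps source entropy high, so a production detector would add the same computation over other features (requested path, user agent) rather than rely on addresses alone.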

Policies, Training, Guidance

Threats and vulnerabilities can be minimized with proper training and identification of privileged accounts. By understanding how data is accessed and shared, managers can set privileges according to each user's requirements. Accounts can be identified while sessions are ongoing via audit logs. The level of effort and resources needed to manage data depends on the number of users, which in turn determines costs. Applying standard policies and guidance while providing cyber awareness training will keep employees informed and abreast of threats they may encounter.

According to a McAfee report of 1,500 companies surveyed in 2019, "4% claimed that they did not experience any sort of cyber incident in 2019. The damage from malware and spyware represented the highest cost to organizations, closely followed by data breaches" (Malekos Smith & Lostri, 2020). The report also noted that the longest average interruption to operations was 18 hours, averaging more than half a million dollars.

Figure 2. The average cost of cybercrime (Smith & Lostri, 2020)

Account Hijacking

Hijacking occurs over an active TCP/IP communication session when the attacker assumes the identity of the compromised user. Attacker intentions include identity theft, information theft, and stealing of data. Phishing and weak passwords are common ways accounts are hijacked. Once the victim's credentials are compromised, an attack can occur either actively or passively.

An active attack occurs when a workstation, usually the client computer, is compromised and the communication exchange between the workstation and the server is taken over. This gives the attacker an opportunity to issue commands on the network, making it possible to create user accounts that can later be used to gain access without the need for another hijack.

Figure 3. Session hijacking (Hacking Loops, 2015)

A passive attack can be considered more of a reconnaissance event. Here the attacker monitors the traffic between the workstation and the server. The objective is to discover valuable data or passwords and then use those for an eventual active attack.

Session hijacking poses a serious threat while continuous activity between network endpoints is in progress. These sessions can result in data breaches and financial losses for organizations and individual users. Preventing session takeovers is possible with a few strategic security moves (Poremba, 2020):

• Encrypting all data transmitted on a web page.
• Using HTTPS certification on websites.
• Properly logging out of sessions when they are finished and closing websites.
• Using cyber security tools to protect websites from potential threats.

Since the pandemic changed many business operations to remote work, session hijacking took on new urgency in 2020. Protecting your connections and credentials from intruders, and making visits to your site more secure for clients and consumers, should be a top priority.
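On the server side, the "logging out properly" and HTTPS points above come down to how session identifiers are issued, stored and retired. The following is an added example written for this paper, not code from Poremba (2020) or from the paper: sessions keyed by a random ID that lives only in a server-side table, idle and absolute timeouts, ID rotation after login, server-side invalidation on logout, and cookie attributes that keep the ID off plaintext HTTP and away from page scripts. The timeout values and the cookie name are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


class SessionStore:
    """Server-side session table keyed by an unguessable random ID. The cookie
    carries only the ID, so a captured cookie stops working the moment the
    server-side entry is removed (logout, timeout, or rotation)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid, now=None):
        """Return the user for a live session and refresh its idle timer,
        or None (and drop the entry) if it is unknown or expired."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid, None)
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid, now=None):
        """Swap in a fresh ID for a live session. Call right after login or a
        privilege change so an ID observed before authentication is worthless."""
        user = self.validate(sid, now)
        if user is None:
            return None
        self._sessions.pop(sid, None)
        return self.create(user, now)

    def logout(self, sid):
        """Invalidate server-side; clearing the browser cookie alone would leave
        a copied ID usable until it times out."""
        return self._sessions.pop(sid, None) is not None


def session_cookie(sid, name="sid"):
    """Set-Cookie value: Secure keeps the ID off plaintext HTTP, HttpOnly keeps
    it away from page scripts, SameSite=Strict stops cross-site reuse."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def clear_cookie(name="sid"):
    """Set-Cookie value that expires the cookie in the browser on logout."""
    return f"{name}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict"
```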

Inadequate Security Control Posture

Because cloud applications are hosted on a provider's server, the data they transmit travels over the internet, whereas on-premises software is deployed in-house on the company's own servers. The cloud provider's computing environment differs from that of the client company. Security controls are not necessarily the same at both endpoints, and the service provider is not responsible for implementing guidelines or best practices for each client. Therefore, it is incumbent on the company to ensure that proper and adequate training and controls are implemented at its network boundary. Examples of controls that increase security are:

• Deterrent Controls – designed to discourage actors from attacking a system
• Preventive Controls – create a more resilient environment by eliminating vulnerabilities
• Detective Controls – identify and react to security threats
• Corrective Controls – activated in the event of an attack

Facility Infrastructure

Physical security is still a requirement for cloud facilities. Proper screening and authorization metrics for those entrusted to manage the equipment must be implemented to ensure that data is not tampered with or breached. DynaSis, a division of Novatech, provides outsourcing solutions, application hosting, and IT infrastructure. Its services are developed for small to mid-size businesses, and part of its support is to educate customers on the damage that can occur when infrastructure is inadequate to defend against a cyber-attack. It is important to fund IT operations, both physical and logical, including the implementation of a sound and reliable cyber posture. Cloud service providers offer many tools and products that can raise costs, but these additional costs could save companies hundreds of thousands of dollars by preventing a successful breach.

Regarding cyber incidents and infrastructure, the following have been outcomes following an attack (DynaSis, 2020):

• Damage to your IT infrastructure - 78% of companies experience service degradation
• Lost revenue due to downtime
• Loss of customer confidence in your company
• Fines for non-compliance with data protection and privacy laws
• Costs associated with managing exposed customer data

Infrastructure is a critical piece of an overall secure network boundary. Hardware components need physical barriers in place to keep unauthorized personnel from accessing equipment. Both the company and the cloud vendor need to ensure that adequate controls are implemented at both endpoints where the data is stored.

Conclusion

Cloud computing provides multiple benefits for companies that need to manage and store data. It is incumbent on those in charge of networks and employees to do their due diligence when looking for a vendor that can support their business needs. As more products and devices connect to each other as part of the Internet of Things, each connection provides a gateway for someone with bad intentions who can cause severe damage. Companies can succeed in preventing data breaches with proper funding and resources. It is up to each company how much it is willing to risk financially when building its cyber defense posture.

References

Cloud Security Risks and Solutions. (2021, April 18). Retrieved September 15, 2021, from https://identitymanagementinstitute.org/cloud-security-risks-and-solutions/

Darwish, M., Ouda, A., & Capretz, F. (2015). Cloud-based DDoS Attacks and Defenses. Retrieved September 19, 2021, from https://arxiv.org/pdf/1511.08839.pdf

DynaSis. (2020, June 15). How Much Does a Cybersecurity Attack Actually Cost? Retrieved September 19, 2021, from https://dynasis.com/2019/03/price-security-how-much-cybersecurity-attack-actually-cost/

Hacking Loops. (2015, December 5). Session hijacking: How to hack online sessions. Retrieved September 20, 2021, from https://www.hackingloops.com/session-hijacking-how-to-hack-online-sessions/

Idhammad, M., Afdel, K., & Belouch, M. (2018, June 05). Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest. Retrieved September 18, 2021, from https://www.hindawi.com/journals/scn/2018/1263123/

Kim, J., & Kim, Y. (2016). Benefits of cloud computing adoption for smart grid security from a security perspective. The Journal of Supercomputing, 72(9), 3522-3534. Retrieved September 15, 2021, from https://web-a-ebscohost-com.ezproxy.fhsu.edu/ehost/pdfviewer/pdfviewer?vid=1&sid=a3a7a41f-0082-4db7-a6ce-ac9840abf314%40sessionmgr4008

Malekos Smith, Z., & Lostri, E. (2020, December). The Hidden Costs of Cybercrime. Retrieved September 19, 2021, from https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf

Parker, K., Horowitz, J. M., & Minkin, R. (2021, May 25). How Coronavirus Has Changed the Way Americans Work. Retrieved September 15, 2021, from https://www.pewresearch.org/social-trends/2020/12/09/how-the-coronavirus-outbreak-has-and-hasnt-changed-the-way-americans-work/

Poremba, S. (2020, October 27). Session Hijacking Attacks: How to Prevent Them. Retrieved September 18, 2021, from https://enterprise.verizon.com/resources/articles/s/how-to-prevent-session-hijacking-attacks/

Skyhigh Security. (n.d.). Top 25 security issues in cloud computing. Retrieved September 20, 2021, from https://www.mcafee.com/enterprise/en-us/security-awareness/cloud/security-issues-in-cloud-computing.html

Smith, Z., & Lostri, E. (2020). Antivirus, VPN, Identity & Privacy Protection | McAfee. Retrieved September 20, 2021, from https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf

Zatlavi, L. T., Yachin, D. T., & Dahan, N. T. (2021, August 23). Nearly 80% of Companies had a Cloud Data Breach in the Past 18 Months. Retrieved September 15, 2021, from https://ermetic.com/news/ermetic-reports-nearly-80-of-companies-experienced-a-cloud-data-breach-in-past-18-months/
