The National Security Agency (NSA) has released an information sheet with guidance on mitigating cloud vulnerabilities. NSA identifies cloud security components and discusses threat actors, cloud vulnerabilities and potential mitigation measures.

The document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities) that encompass the vast majority of known vulnerabilities. Descriptions of each vulnerability class along with the most effective mitigations are provided to help organizations lock down their cloud resources:

Misconfiguration: While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services, says the document. "Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise. The rapid pace of CSP innovation creates new functionality but also adds complexity to securely configuring an organization’s cloud resources," says the NSA. 

Examples of abused misconfigurations:

• In May 2017, a large defense contractor exposed sensitive NGA data and authentication credentials in publicly accessible cloud storage.
• In September 2017, a security researcher discovered CENTCOM data accessible to all public cloud users.
• In September 2019, a research team discovered sensitive travel details of DoD personnel exposed in a publicly accessible Elasticsearch. database.

Poor Access Control: Poor access control occurs when cloud resources use weak authentication/authorization methods or include vulnerabilities that bypass these methods, says the NSA. "Weaknesses in access control mechanisms can allow an attacker to elevate privileges, resulting in the compromise of cloud resources."

Examples of abused poor access control:

• In October 2019, a CSP reported cyberattacks in which cloud accounts using multi-factor authentication were compromised through password reset messages sent to single-factor authentication email accounts.
• In March 2018, FBI reported about the Iran-based Mabna group byp.

Shared Tenancy Vulnerabilities: "Cloud platforms consist of multiple software and hardware components. Adversaries who are able to determine the software or hardware used in a cloud architecture could take advantage of vulnerabilities to elevate privileges in the cloud. Vulnerabilities in cloud hypervisors (i.e., the software/hardware that enables virtualization) or container platforms are especially severe due to the critical role these technologies play in securing cloud architectures and isolating customer workloads. Hypervisor vulnerabilities are difficult and expensive to discover and exploit, which limits their exploitation to advanced attackers," notes the document.

Supply Chain Vulnerabilities: Supply Chain vulnerabilities in the cloud include the presence of inside attackers and intentional backdoors in hardware and software, says the NSA. "CSPs source hardware and software from across the globe and employ developers of many nationalities. Third-party software cloud components may contain vulnerabilities intentionally inserted by the developer to compromise the application. Inserting an agent into the cloud supply chain, as a supplier, administrator or developer, could be an effective means for nation state attackers to compromise cloud environments," notes the NSA.

While not specific to the cloud environment, some examples of supply chain attacks are:

• In the ShadowHammer operation, downloads from live update servers were modified to add malicious functionality. Half a million users downloaded the software, although analysis of the software showed the actor’s goal was to attack specific hosts by targeting MAC addresses.
• In December 2019, two malicious Python Package Index (PyPI) libraries were discovered stealing credentials from systems where developers unwittingly installed them. 

"Cloud customers have a critical role in mitigating misconfiguration and poor access control, but can also take actions to protect cloud resources from the exploitation of shared tenancy and supply chain vulnerabilities. By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities," says the document. 

The guidance is intended for use by both organizational leadership and technical staff, says the document. "Organizational leadership can refer to the Cloud Components section, Cloud Threat Actors section, and the Cloud Vulnerabilities and Mitigations overview to gain perspective on cloud security principles. Technical and security professionals should find the document helpful for addressing cloud security considerations during and after cloud service procurement."