Top 10 AWS Security Tips: #10 Penetration Testing

  • Posted on:April 17, 2013
  • Posted in:Cloud
  • Posted by:
    Mark Nunnikhoven (Vice President, Cloud Research)
In last week’s post, we gave a high-level overview of vulnerability assessments. That type of assessment results in a prioritized list of vulnerabilities in your deployment. It’s an excellent first step in knowing the state of your deployment.

The next step you should take is to conduct a penetration test.

The Test

A penetration test (or simply, pentest) is an active test of your defenses. You’re hiring a trusted 3rd party to attack your deployment in order to find exploitable vulnerabilities. The theory is that it’s better to have someone working with you do this before a malicious attacker can.

The test report is going to provide detailed information on how the attacks were conducted, what was successful, how your defenses could be improved, and so on.

Setting up a Test

Pentests can vary greatly depending on their goals, your deployment, timelines, etc. A few key tips for organizing a pentest on AWS include:

  1. Use a trusted 3rd party to conduct the test
  2. Give AWS a heads up
  3. Establish a time frame, but don’t announce the exact testing time

Trusted 3rd Party

While you might have the skill set on your security team, it’s usually best to have a trusted 3rd party conduct the penetration test. Penetration testing is as much an art as a science. A good penetration tester is going to be able to ferret out issues with your deployment that you never saw coming.

If you use an internal resource, they will approach the test with a biased mindset. The most typical issue that surfaces is that an internal resource will either go straight for the most common, and well-known, weak spot or avoid that option entirely. Either way, that type of test is not a close enough simulation of a real attack.

A trusted 3rd party will approach the test methodically, working through your exposed attack surface, gradually finding issues with your deployment, and mapping your exploitable vulnerabilities.

Give AWS a Heads Up

AWS requests that you provide them with notification before any vulnerability scanning or penetration testing is done. They provide a convenient form to help make that process as easy as possible. (This reflects the AWS policy in effect when this post was written; AWS has since relaxed the pre-approval requirement for many of its services, so check the current AWS penetration testing policy before you schedule a test.)

As part of the form, AWS requires:

  • information about the instances to be tested
  • the time frame for the testing
  • agreement with their terms & conditions
  • appropriate use of the tool set used during the test

Completing the form only takes a few minutes and will save a lot of headaches. Be sure to take the time to fill it in with the accurate details of your test: the instances in scope and the window in which the testing will happen.

Establish a Time Frame

The first time you have a pentest done, it’s extremely tempting to pin down a specific time at which the test will be conducted and share it widely. In fact, the testing time frame is one of the pieces of information that AWS requests up front.

Within reason, keep the specifics compartmentalized. Give AWS and the tester the window, but don’t tell your security team, your ops teams, or support when inside that window the attack will come.

Why not? Because if any of the teams normally involved in incident response knows about the test ahead of time, you won’t be testing the right things.

The idea behind the pentest is to measure your current security posture at any given time. If everyone knows ahead of time that they’re going to be tested, they are going to prepare ahead of time. While you may look better on the test report, you’re doing yourself a disservice.

When a real attack happens, no one calls ahead.

The Report

So your “attacker” has tested your defenses and found a few holes. Maybe they’ve even been able to breach all of your defenses and gain access to key customer data. Don’t panic. That’s OK. This is the whole reason you run a pentest. It’s much better to have your known testing attacker reach your customer data than an unplanned attacker with actual malicious intent.

At the end of the test, you should receive a comprehensive report detailing the results. This should include:

  • how far the tester was able to breach your defenses
  • details of the vulnerabilities exploited
  • suggestions for mitigating these issues
  • any other issues found or observations of the tester

Even though it may be hard to read the results, take them to heart. Work through each of the issues raised in turn and fix the problem. This is the crucial step. You have to take action on the results.

Stronger Than Before

After you’ve worked through the issues raised in the report, your defenses should be stronger than ever. Better yet, you know your defenses hold up under an active test, at least against that tester, on that day. They’ve been actively tested rather than assumed to work.

While no security is perfect, by following the tips in this series you can be confident that you’ve taken reasonable steps to ensure that only the most determined attackers are going to have a chance at breaching your defenses.


How do you handle penetration testing in the cloud? Please share your tips in the comments! And if you’re interested in securing your EC2 or VPC instances, check out our new Deep Security as a Service for cloud servers, currently in free Beta.
