Google Cloud Platform Penetration Testing

GCP Penetration Testing Services

There is a significant difference between cloud architecture and infrastructure and their traditional on-premise counterparts, and cloud penetration testing differs from traditional penetration testing in the same way. Cloud service providers such as Google Cloud Platform (GCP) offer numerous features and services, but they operate under a shared-responsibility model. In this model the provider is responsible for the security of the cloud (the hardware, the data centres and the backend infrastructure), while the customer is responsible for security in the cloud: server and service configuration, which identities are granted which privileges within the environment, what data is exposed and where, and so on. A GCP penetration test therefore concentrates on the customer's half of that split.

Why GCP Pentesting?

Cloud environments can be compromised in a variety of ways, and a single misconfigured server or service can expose your whole environment to external attackers. External attackers are not the only threat, however: internal employees can cause just as much damage. Their activity should be monitored closely, because an insider may act maliciously, may make a mistake or take an unintended action that opens a security hole, or may simply fall prey to an external attacker's techniques.


How do attackers gain access to GCP?

The following are some of the common techniques attackers use to gain unauthorised access to a cloud environment:
  • Application or server level vulnerabilities – credentials and other sensitive information are stolen by exploiting a vulnerability in the application or the server, for example a server-side request forgery that reaches the instance metadata server, which hands out the service account's access token to anything running on the VM
  • Improper password policy – reuse of old passwords, or default passwords left in place for logging in to the application or accessing the database
  • Social engineering attacks such as phishing, pretext calls or physical attack vectors
  • External third parties – a third party you trust is operating from systems that are already compromised, or performs malicious activity itself
  • Misconfigured Git repositories that contain and leak sensitive data such as service account keys
  • Internal employees – an employee's compromised account or device is brought into your environment, or their mistakes lead to unintended consequences
Even if your organisation has implemented robust security controls such as multi-factor authentication (MFA) and strong security and password policies, attackers relentlessly look for new ways to identify and exploit vulnerabilities in systems. Penetration testing is an effective means of verifying your organisation's ability to prevent, detect and respond to a breach.

Common GCP attacks

Several information security providers in Australia rely solely on automated scanning for security assessments. Our focus is not limited to automated scanning; we carry out an in-depth assessment of your environment to give you peace of mind. We check for a variety of vulnerabilities and misconfigurations, including but not limited to:
  • Privilege escalation checks for every IAM member (user, group or service account) with access to your environment
  • Checking for lack of least privilege, and demonstrating what an attacker could do with the extra access
  • Kubernetes Engine (GKE) configuration analysis and exploitation
  • Testing security controls (for example: can you detect us exfiltrating data from your virtual machines, Cloud Storage, databases, or anywhere else? Can we evade your technical controls? Can you stop us from acting maliciously, or detect us when we do?)
  • Best practices: Stackdriver (now Cloud Logging and Cloud Monitoring) logging and monitoring, encryption, and built-in security tooling such as Cloud Security Scanner (now Web Security Scanner)
  • Checking your external perimeter
  • Cross-user, cross-project and cross-organisation privilege escalation or abuse
  • Backdoor and persistence methods in the account (surviving "getting caught")
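The IAM checks in the first two items above come down to inverting the project's IAM policy into a per-member view and asking, for each principal, whether it holds a basic role, whether the principal is public, and whether it holds a role (or a pair of roles) that is a known stepping stone to a more privileged identity. The script below is an added example written for this page; it is not SecureTriad's tooling and not a Google product. It works offline on the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints; the `SAMPLE_POLICY` document, its principals and its project name are constructed for the example, and the list of escalation roles is a hand-picked, deliberately non-exhaustive set.

```python
"""Flag least-privilege and privilege-escalation problems in a GCP project IAM policy.

Input is the JSON produced by `gcloud projects get-iam-policy PROJECT --format=json`.
The policy embedded below is constructed for this example, not taken from any real project.
"""
import json
from typing import Dict, List, Optional

# Basic (formerly "primitive") roles: far broader than any workload needs.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}

# Special principals that make a binding world-readable / any-Google-account-readable.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Hand-picked, non-exhaustive: single roles that let the holder become something more privileged.
ESCALATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator":
        "can mint OAuth access tokens for service accounts (impersonation)",
    "roles/iam.serviceAccountKeyAdmin":
        "can create long-lived user-managed keys for service accounts",
    "roles/resourcemanager.projectIamAdmin":
        "can edit the project IAM policy and grant itself any role",
    "roles/iam.securityAdmin":
        "can set IAM policies, including on service accounts",
}

# Role combinations where the pair, not either role alone, is the problem.
ESCALATION_COMBOS = [
    ({"roles/iam.serviceAccountUser", "roles/compute.instanceAdmin.v1"},
     "can launch a VM running as a service account it may act as and read that "
     "account's token from the instance metadata server"),
]

# Constructed sample policy; example-project and the principals are made up.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "etag": "BwXconstructed=",
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com",
                 "group:sre@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"],
     "condition": {"title": "business-hours",
                   "expression": "request.time.getHours('UTC') < 18"}},
    {"role": "roles/logging.viewer", "members": ["user:carol@example.com"]}
  ]
}
""")


def roles_by_member(policy: dict) -> Dict[str, Dict[str, Optional[dict]]]:
    """Invert bindings into member -> {role: condition-or-None}.

    Conditional bindings (IAM Conditions) are kept, with their condition, so the
    auditor can report them instead of silently treating them as unconditional.
    """
    out: Dict[str, Dict[str, Optional[dict]]] = {}
    for binding in policy.get("bindings", []):
        condition = binding.get("condition")
        for member in binding.get("members", []):
            out.setdefault(member, {})[binding["role"]] = condition
    return out


def audit_policy(policy: dict) -> List[dict]:
    """Return one finding per (member, role-or-role-pair) that violates least privilege."""
    findings: List[dict] = []

    def add(member: str, role: str, reason: str, condition: Optional[dict]) -> None:
        findings.append({
            "member": member,
            "role": role,
            "reason": reason,
            # A condition narrows the grant; it still needs human review, so we flag it.
            "conditional": condition is not None,
            "condition": (condition or {}).get("expression"),
        })

    for member, roles in roles_by_member(policy).items():
        for role, condition in roles.items():
            if member in PUBLIC_MEMBERS:
                add(member, role, "public principal holds a project role", condition)
            if role in PRIMITIVE_ROLES:
                add(member, role, "basic role violates least privilege", condition)
            if role in ESCALATION_ROLES:
                add(member, role, ESCALATION_ROLES[role], condition)
        for combo, reason in ESCALATION_COMBOS:
            if combo.issubset(roles):
                # The pair is conditional if any of its roles is.
                condition = next((roles[r] for r in sorted(combo) if roles[r]), None)
                add(member, " + ".join(sorted(combo)), reason, condition)
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        flag = " [conditional: %s]" % f["condition"] if f["conditional"] else ""
        print("%-70s %-60s %s%s" % (f["member"], f["role"], f["reason"], flag))
```

On the sample policy the script reports four findings: the Owner grant to alice, the Viewer grant to allAuthenticatedUsers, the serviceAccountUser plus compute.instanceAdmin.v1 pair on the deploy service account, and bob's conditional Token Creator grant. The SRE group, which holds only instanceAdmin, is not reported, which illustrates why the check has to be done per member across all bindings rather than per binding. A real engagement follows each finding up by exercising it (for example, actually impersonating the service account) and extends the check to folder- and organisation-level policies and to service-account-level IAM policies, which `gcloud projects get-iam-policy` does not include.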

Reporting

After completing the assessment, SecureTriad provides an assessment report consisting of an executive summary and technical findings. The executive summary is written for management and gives a high-level overview of the assessment activities, the scope, the most critical issues discovered and the overall risk rating, together with strategic recommendations to help business leaders make informed decisions about their information systems. The technical findings list every vulnerability individually, with the steps and screenshots needed to reproduce it, an explanation of the risk it poses, recommended remediation actions and helpful reference links.

Do I need to inform Google of pen testing GCP infrastructure?

No. Google does not require prior approval for penetration testing of your own GCP projects. You must, however, comply with Google's Acceptable Use Policy and Terms of Service, and you must ensure that your tests affect only your own projects and never other customers' applications or Google's shared infrastructure.

We do not perform any denial-of-service testing, both to avoid breaching Google's AUP and so as not to disrupt your operations during the engagement. Clients are notified before any potentially disruptive activity is performed.
