SERVICES GCP Penetration Testing Services
There is significant difference between cloud architecture/infrastructure and traditional on-premise architecture/infrastructure. Similarly, cloud penetration testing is different from traditional penetration testing. Cloud service providers such as Google Cloud Platform (GCP) offer numerous features and services, but generally follow a shared-responsibility model. In such models, the cloud providers are responsible for the security of the cloud, such as security related to hardware and backend infrastructure; while consumers are in charge of the security in the cloud, such as server configuration, granting of privileges within the environment, and many more.
Check Also: Cloud Based Security Threats
Why GCP Pentesting?
There are a variety of ways in which cloud environments can be compromised and misconfiguration of servers can expose your environment to external attackers. However, external attackers are not the only threat, internal employees can also cause tremendous damage. They should be closely monitored due to several reasons such as potential of their own malicious intent/activity, potential for making mistakes that open a security loophole or by unintended action, or even falling prey to external attackers’ techniques.
GCP pen testing enables your organisation to effectively assess the security posture of your applications and infrastructure that usually would not be directly evaluated during a traditional pen test.
GCP pen testing is an authorised hacking attempt against a system hosted on the platform. The primary goal of this testing is to identify strengths and weaknesses of the system, so that its security posture can be determined.
How do attackers gain access to GCP?
- Application / server level vulnerabilities – credentials and sensitive information are stolen by exploiting an existing vulnerability present in the application or server metadata
- Improper password policy – reuse of old passwords or using default password for logging in to the application or for accessing the database
- Social engineering attacks such as phishing, pretext calls or physical attack vectors
- External third parties – third parties you trust are using systems which are already compromised, or any malicious activity performed by them
- Misconfigured GIT repositories containing and leaking sensitive data
- Internal employees – employees getting compromised and bringing that to your environment or their mistakes leading to unintended consequences
Even though your organisation would have implemented robust security controls such as multi-factor authentication (MFA), strong security and password policies, attackers relentlessly keep looking for new ways to identify and exploit vulnerabilities in systems. Pen testing is an effective means to ensure your organisation’s capability to prevent, detect, respond, and react in case of any breaches.
Common GCP attacks
Several information security providers in Australia rely only on automated scanning to provide security assessment. Our focus is not just limited to automated scanning; we carry out in-depth assessment of your environment to ensure peace of mind. We check for a variety of vulnerabilities and misconfiguration, including but not limited to
- Privilege escalation checks for all IAM members (users/service accounts) that access your environment
- Checking for lack of least-privilege, demonstrating what an attacker would do with that extra access
- Kubernetes Engine configuration analysis and exploitation
- Testing security controls (For e.g. Can you detect us exfiltrating data from your virtual machines, Google Storage, databases, or anywhere else? Can we evade your technical controls? Can you stop us from acting maliciously or detect us when we do?)
- Best practices: Stackdriver logging/monitoring, encryption, built-in security tools such as Cloud Security Scanner
- Checking your external perimeter
- Cross-user / project / organisation privilege escalation or abuse
- Backdoor / persistence methods in the account (surviving “getting caught”)
Reporting
Do I need to inform Google of pen testing GCP infrastructure?
No, it is not required to take formal approval from Google prior to penetration testing. However, it is necessary to follow Google’s Acceptable Use Policy and Terms of Service, and ensure that your tests only affect your projects (and not other customers’ applications).
We do not perform any testing for vulnerabilities in the category of “denial-of-service” to avoid breaching Google’s AUP, and to not disrupt any of your operations during our pen test. Clients are typically notified before any potentially disruptive activity is performed.
