System-Centric Security Threats

Security Threat Landscape

The notion of system in ICT is so generic that it can denote almost anything built from software components. The term is widely used as a synonym of Operating System (OS) or, more generally, of software that enables applications to take advantage of the computation, connectivity and storage capabilities of the hardware. Due to their centrality, their role in some crucial security features (e.g., authentication), and their complexity, OSs were a preferred target of many disruptive attacks in the past (e.g., Code Red exploiting an IIS buffer overflow, Sasser attacking the Local Security Authority Subsystem Service, the Snakso Linux server rootkit). They will nonetheless keep a fundamental role in the future, because OSs are increasingly immersed in more complex environments (e.g., mobile devices, virtualized systems), where their vulnerabilities can be either exacerbated or mitigated and where they can become a commodity for applications (e.g., containerization of applications). The Linux OS, for instance, is deeply involved in complex environments such as IoT.

Threats

In this section, we discuss the threats that can be mapped to the modern system asset taxonomy. In its “Top Threats to Cloud Computing: The Egregious 11” of 2019, CSA surveyed industry experts on security issues in the cloud industry in order to rate 11 salient threats, risks, and vulnerabilities. The most prominent outcome is that, compared to the previous CSA report, traditional cloud security issues under the responsibility of cloud service providers (CSPs), such as denial of service, shared technology vulnerabilities, CSP data loss and system vulnerabilities, are no longer ranked as important from the cloud user perspective. This suggests a maturation of the cloud users’ understanding of the cloud, but it should not lower the attention paid to such threats from the CSP perspective. It is interesting to note that the top threats reported are more in the area of potential control plane weaknesses and limited cloud visibility. Misconfiguration and inadequate change control, for instance, are ranked at position number two. Misconfiguration is the leading cause of data breaches in the cloud. The absence of automatic proactive change control is also perceived as a risky weakness.

The threat taxonomy is a consolidation of threats previously considered in other documents/reports and is composed of the following categories.

  • TG3.1 – Unintentional damage/loss of information or IT assets: This group includes all threats causing unintentional security leakage due to human errors.
  • TG3.2 – Interception and unauthorized acquisition: This group includes threats introduced by alteration/manipulation of the communications between two parties (including cloud internal communication channels). Depending on the circumstances of the incident, this TG could also be linked to TG3.5.
  • TG3.3 – Poisoning: This group includes all the threats due to configuration/business process poisoning and aiming to alter system behaviors (i.e., at any layer).
  • TG3.4 – Nefarious activity/abuse: This group includes threats coming from nefarious activities. It requires active attacks targeting the infrastructure at any layer, such as management hijacking and identity fraud.
  • TG3.5 – Legal: This group covers threats resulting from violation of laws and/or regulations, such as the inappropriate use of Intellectual Property Rights, the misuse of personal data, and the necessity to comply with judiciary decisions dictated by the rule of law. Section 4 of the present document discusses the aspects identified for this TG.
  • TG3.6 – Organizational threats: This group includes threats to the organizational sphere.

Threat Group TG3.1: Unintentional damage/loss of information or IT assets

Threat T3.1.1: Information leakage/sharing due to human errors

Human errors are among the most critical threats in today’s complex environment. These errors cause accidental threats, meaning that they are not intentionally posed by humans, and are due to misconfiguration, clerical errors (for example pressing the wrong button), misapplication of valid rules (poor patch management, weak passwords), and knowledge-based mistakes (software upgrades and crashes). According to the IBM X-Force Threat Intelligence Index of 2018,[1] misconfigured cloud servers, networked backup incidents, and other improperly configured systems were responsible for the exposure of more than 2 billion records, or nearly 70% of the total number of compromised records tracked by X-Force in 2017. In the 2019 report, IBM reported that publicly disclosed misconfiguration incidents increased by 20% year-over-year. Human errors at the virtualization level can be even more dangerous and harder to identify (e.g., wrong VM image management/cloning). Examples of attacks at the virtualization level are available in Threat T3.1.2. They are related to wrong internal processes, but similarly they can result from human errors in configuring those processes or from other human mistakes.

Assets: “Data”, “Infrastructure”.

Related Attack

Threat T3.1.2: Inadequate design and planning or incorrect adaptation

Inadequate design and deployment of a modern cloud-based system, including its adaptation, can result in threats to managed data. As an example, migration to the cloud requires careful design and planning to preserve security during and immediately after the migration. This means implementing an appropriate security architecture to withstand cyber attacks. Unfortunately, this process is still not well understood by companies, leading to a series of security incidents. The main reason is that organizations implement a “lift-and-shift” cloud migration, simply porting their existing IT stack and security controls to a cloud environment. Similarly, a weak control plane in the design of a full cloud solution may cause severe issues. In virtualized environments, several processes can be affected by intrinsic vulnerabilities due to their peculiarities. For instance, migrations are needed to keep the workload balanced but, as with cloud migration, they open up security issues while the migration is in progress. Other virtualization-specific processes that can be affected are VM rollback and VM cloning. This threat refers to business process design and therefore shows some similarity to business process failure threat T3.3.2 and business process poisoning threat T3.3.2, but it is due to unintentionally wrong design. If the process involves moving, cloning, or copying VM files, then it can be linked to the unauthorized acquisition of information threat T3.2.2 as well. Due to this connection, some of the following attacks can also be considered examples for other threats.

Assets: “Middleware”, “Management”, “Infrastructure”.

Related Attack


Threat Group TG3.2: Interception and unauthorized acquisition

Threat T3.2.1: Interception of information

This threat considers an attacker intercepting communication between two communicating parties. Inter-node communication with cloud components is often left unsecured by the default configuration; it is possible to hijack a user session or gain unauthorized access to services in social networks, and communication protocol flaws can result in a data breach. Cloud stack software distributions (for example OpenStack) do not always use protocols for data confidentiality and integrity between communicating applications (e.g., TLS and SSL) and are not always configured properly (e.g., default passwords are not changed). In addition, this effect is further exacerbated in complex layered environments based on virtualization, because they permit cross-inspection of the data flows of various tenants, as well as topology inference that could serve to set up several attacks. Meltdown and Spectre, for instance, are two CPU-level vulnerabilities that can be exploited to create a side channel for deducing the content of computer memory. These vulnerabilities can be exploited even in virtualized environments, leading to an even more serious security risk, given the sharing of physical resources among multiple tenants. VM network traffic sniffing and spoofing are among the most critical threats in virtualization. Privileged-domain processes such as the management interface can intercept all network traffic before it gets to the unprivileged user domain. The network traffic of a particular VM can be sniffed to read the communication or to perform traditional MITM attacks. Even if extremely difficult (i.e., the target and the attacker must be executed on the same core), virtualization permits a lower-level interception of information at the cache level (both L2 and L1) due to the sharing of the same hardware resources, for instance through a side-channel attack on the L2 cache. This threat is also strongly connected with the network-centric domain in Section 3.4.

Assets: “Network”, “Compute Nodes”, “Management Server/Console”, “Access Control/Authorisation”

Related Attack

Threat T3.2.2: Unauthorised acquisition of information (data breach)

Unauthorized acquisition of data following data breaches is an important threat,[2] which is the main focus of Section 3.6, where data is the main asset. However, in cloud/virtualized environments data breaches have some peculiarities that are worth discussing under this threat. In virtual/cloud environments, where physical resources are shared between tenants, there may be a set of behaviors that result in the unauthorized acquisition of information. For instance, exposure via scavenging in virtualized environments is even more serious[3] than in physical systems. In general, the physical sharing of virtualization or the logical sharing of the cloud enhances the severity of accessing unauthorized data.

Assets: “Data”.

Related Attack


Threat Group TG3.3: Poisoning

Threat T3.3.1: Configuration poisoning

Configuration poisoning is a serious threat in complex environments such as cloud and virtualization.[4] It is sometimes called deliberate/intentional misconfiguration. It is very difficult to detect and has an impact similar to that of unintentional misconfiguration. In most cases, it implies a malicious insider. F5 Labs researchers studied breaches due to intentional insecurity, and the growth rate from 2017 to 2018 was an alarming 200%.[5] For instance, one poisoning activity can be the modification of a firewalling service configuration (i.e., a Web Application Firewall) to avoid deep packet inspection on a certain port. Several configuration poisoning activities have targeted the audit mechanisms or the cloud console monitoring system to hide the attacker’s activities (e.g., log system poisoning).[6] Configuration poisoning shares technical similarities with misconfiguration due to human errors, but it differs in that poisoning is intentional and in most cases leads to an invalid configuration that provides an advantage for the attacker. Misconfiguration by mistake, on the other hand, is not intentional; it is still difficult to discover, yet less so than the intentional kind. Configuration poisoning can be the effect of either an external attack or a malicious insider attack. For this reason, it has a strong link with other threats of TG3.4. The objective of poisoning can be to produce a configuration that exposes the server to attacks. However, because it is intentional, this type of configuration modification is much harder to detect than misconfiguration, mainly because the attacker wants to hide both their presence and the fact that something is not well configured.
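One way to surface the two poisoning activities named above (inspection removed from a port, audit logging redirected) is to diff the live configuration against a sealed, approved baseline. This is an added example, not part of the original report; the setting names, the weakening rules and the key handling are hypothetical.

```python
import hashlib
import hmac
import json


def seal(config, key):
    """HMAC-SHA256 over canonical JSON. Assumption: only change control holds the key."""
    blob = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def _ver(text):
    return tuple(int(part) for part in text.split("."))


# Hypothetical rules: does the new value weaken the approved one?
WEAKENS = {
    "waf.inspect_ports": lambda old, new: not set(old) <= set(new),
    "audit.enabled": lambda old, new: bool(old) and not new,
    "audit.remote_sink": lambda old, new: old != new,  # any log redirection
    "audit.retention_days": lambda old, new: new < old,
    "tls.min_version": lambda old, new: _ver(new) < _ver(old),
}


def audit_drift(baseline, tag, key, live, approved=frozenset()):
    """Return [(setting, verdict, covered_by_change_record)] for each difference."""
    # A poisoned baseline would hide every later change, so verify it first.
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline does not match its seal")
    findings = []
    for name in sorted(set(baseline) | set(live)):
        if name not in live:
            verdict = "weakening"  # an approved control was removed
        elif name not in baseline:
            verdict = "changed"  # new setting, needs review
        elif baseline[name] == live[name]:
            continue
        else:
            rule = WEAKENS.get(name)
            weaker = rule is not None and rule(baseline[name], live[name])
            verdict = "weakening" if weaker else "changed"
        findings.append((name, verdict, name in approved))
    return findings


# Constructed sample data.
KEY = b"constructed-demo-key"
BASELINE = {
    "waf.inspect_ports": [80, 443, 8443],
    "audit.enabled": True,
    "audit.remote_sink": "syslog.internal.example:6514",
    "audit.retention_days": 90,
    "tls.min_version": "1.2",
}
TAG = seal(BASELINE, KEY)
LIVE = {
    **BASELINE,
    "waf.inspect_ports": [80, 443],  # inspection dropped on 8443
    "audit.remote_sink": "203.0.113.9:514",  # logs sent elsewhere
    "audit.retention_days": 120,  # covered by a change record
}


def demo():
    return audit_drift(BASELINE, TAG, KEY, LIVE, approved={"audit.retention_days"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A weakening change with no matching change record is the combination worth alerting on, since an honest mistake and a poisoned setting look identical in the configuration itself.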

Assets: “Middleware”, “Management”, “Infrastructure”, “Security Mechanisms”.

Related Attack

Threat T3.3.2: Business process poisoning

This threat refers to what is also called business process compromise (BPC), an attack that silently alters parts of specific business processes, or machines facilitating these processes, to generate significant monetary profit for the attackers. According to Trend Micro, 43% of surveyed organizations have been impacted by a BPC.[7] In most cases, the business process is implemented at the application level, but it can also be associated with internal cloud or virtualization business processes related to automatic or programmable activities. In the case of VM relocation to handle load balancing, for instance, the target location server can be altered to a weaker configuration where memory copy protection can be disabled. This threat is connected with inadequate design and planning or incorrect adaptation threat T3.1.2, with the difference that this is an intentional alteration of the working business process. It is therefore also connected with malicious insider threat T3.6.2, since an insider can more easily alter the business processes from inside. In addition, in many cases, it is obtained via poisoning of the configurations of the business process (T3.3.1). In cloud and virtualization, most of these alterations are malicious alterations of business process configurations.

Assets: “Middleware”, “Management”, “Infrastructure”, “Security Mechanisms”.

Related Attack


Threat Group TG3.4: Nefarious activity/abuse

Threat T3.4.1: Identity fraud

In modern systems, identity handling may be more difficult due to the more complex and stratified hierarchical administration of privileges across the different layers, down to the virtual one. As an example, at the virtual network level, when aggregating virtual networks into a federation, issues of role segregation and policy conflicts may arise, providing room for identity fraud. Moreover, the dynamics of adding and removing entities may be used by malicious entities to gain a new identity, for example, through inconsistencies in the migration process. Replay attacks are also facilitated by shared communication channels, which can be exploited at the virtual router level by replaying old control messages[8]. Concerning repudiation, the disposable nature of the VMs providing log features and the rollback procedures typical of virtualized environments may have a strong impact on the non-repudiation of actions registered via logging[9]. The cloud introduces multiple changes to traditional internal system management practices related to identity and access management (IAM). IAM must be able to scale and support immediate de-provisioning of access to resources, and it must be automated and integrated into the cloud environment. In addition, IAM is becoming increasingly interconnected, for instance due to federation. In such an environment, password theft is even more severe (e.g., network lateral movement attacks such as “pass the hash”). In the case of legacy systems, password strength and rotation must be verified, since they are still among the most common causes of leakages. Similarly, in the management of cryptographic keys, the handling of the key lifecycle (creation, distribution, and deletion) has a fundamental role in reducing breaches. In the cloud, hijacking of cloud service and subscription accounts is also riskier due to the peculiarity of the cloud model itself, where data and applications reside in the cloud services.
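The replay of old control messages mentioned above can be rejected on the receiving side by authenticating each message and tracking freshness. This is an added example, not part of the original report; the frame layout, the `ControlReceiver` class and the sample messages are hypothetical.

```python
import hashlib
import hmac
import struct

# Hypothetical frame: sender id | sequence | unix timestamp | payload | HMAC tag
HEADER = struct.Struct("!IQQ")
TAG_LEN = 32


def make_frame(key, sender, seq, ts, payload):
    """Build an authenticated control frame (sender side)."""
    body = HEADER.pack(sender, seq, ts) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ControlReceiver:
    """Accept a control frame only if it is authentic, fresh and not seen before."""

    def __init__(self, key, max_age=30):
        self.key = key
        self.max_age = max_age  # seconds of tolerated clock skew and delay
        self.last_seq = {}  # sender id -> highest accepted sequence number

    def accept(self, frame, now):
        if len(frame) < HEADER.size + TAG_LEN:
            return "reject: truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate before trusting any header field.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        sender, seq, ts = HEADER.unpack_from(body)
        # The time window still holds if last_seq is lost, e.g. after a VM rollback.
        if abs(now - ts) > self.max_age:
            return "reject: stale"
        if seq <= self.last_seq.get(sender, -1):
            return "reject: replay"
        self.last_seq[sender] = seq
        return "accept"


def demo():
    """Constructed exchange: two genuine updates, then replays and a forgery."""
    key = b"constructed shared key"
    rx = ControlReceiver(key)
    update = make_frame(key, 7, 1, 1000, b"route add 10.1.0.0/16 via vr-2")
    withdraw = make_frame(key, 7, 2, 1010, b"route del 10.1.0.0/16")
    forged = update[:-1] + bytes([update[-1] ^ 1])  # one bit flipped in the tag
    return [
        rx.accept(update, now=1001),
        rx.accept(withdraw, now=1011),
        rx.accept(update, now=1012),  # captured frame sent again
        rx.accept(update, now=5000),  # same frame, much later
        rx.accept(forged, now=1001),
    ]


if __name__ == "__main__":
    print(demo())
```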

Assets: “Middleware”, “Management”, “Security Mechanisms”.

Related Attack

Threat T3.4.2: Denial of service

Traditional DDoS attacks are among the main threats to complex systems. They aim to threaten component availability at any of the layers by exhausting their resources, causing performance decrease, loss of data and service outages on one side, and affecting data availability on the other side. In layered environments based on virtualization, this disruption is exacerbated by the sharing of resources. For instance, physical resource overloading may cause degradation of a virtual network’s performance, leading to disruption in communications, especially when the resources are in the same area as the underlying network. We note that this may happen: i) unintentionally during the system’s lifecycle (difficult to predict) or ii) maliciously in case of coordinated attacks. Virtualized environments seek to cope with this severe class of threats by providing isolation solutions and by promoting the fair distribution of resources among all virtualized entities (networking entities included). However, these approaches are difficult to implement due to the intrinsic characteristics of virtualized systems, which share computing resources and distribute them (possibly on demand) at runtime.

Assets: “Middleware”, “Infrastructure”, “Security Mechanisms”.

Related Attack

Threat T3.4.3: Malicious code/software/activity

This class of threats usually targets the whole ICT stack and the 6 domains in this deliverable. They aim to distribute and execute malicious code/software or execute malicious activities. These threats usually involve malware, exploit kits, worms, trojans, and exploit backdoors and trapdoors, as well as developers’ errors/weaknesses. Malicious attackers can host malware on cloud services. Cloud services that host malware can seem more legitimate because the malware uses the CSP’s domain and can use cloud-sharing tools to further propagate itself. Hyperjacking is a special type of malicious activity that affects hypervisors in the virtualized environment. The target is to violate the integrity of the hypervisor to get control over it. Other malicious activities are VM hopping, which allows jumping from one VM to another on the same physical server, and VM escape, which takes advantage of isolation failures between the hypervisor and the VM to gain control of the hypervisor and VMs. Malware-infected VM/container images can be placed in the relevant image repositories and, once launched on a trusted infrastructure, be used by an attacker, leading to serious security issues.

Assets: “Middleware”, “Security Mechanisms”, “Virtual File Format”.

Related Attack

Threat T3.4.4: Generation and use of rogue certificates

This class of threats usually targets the whole ICT stack and the 6 domains in this deliverable. Certificates are widely used in the cloud to make services work in a trusted ecosystem.

Assets: “Middleware”, “Management”, “Infrastructure”, “Security Mechanisms”.

Related Attacks: This threat is usually at the basis of other more complex attacks, as discussed in the previous threats. As an example, BIG-IP and BIG-IQ do not properly regenerate certificates and keys when deploying a VM image on the AWS, Azure or Verizon cloud services, which causes multiple instances to share the same certificates and keys. This causes the disruption of services, eventually leading to an information leak (CVE-2016-2084).
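A fleet-side check for the condition described above, instances launched from one image presenting the same certificate, is to fingerprint each instance's leaf certificate and group the results. This is an added example, not part of the original report and not vendor code; the inventory format and instance names are hypothetical, and the PEM blocks are constructed placeholder bytes rather than real X.509.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def leaf_fingerprint(bundle):
    """SHA-256 over the DER bytes of the first (leaf) certificate in a PEM bundle."""
    blocks = PEM_RE.findall(bundle)
    if not blocks:
        raise ValueError("no certificate found in bundle")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def shared_leaves(inventory):
    """Map fingerprint -> instance ids for leaf certificates seen on more than one instance.

    Only the leaf is compared: intermediate CA certificates later in the
    bundle are expected to be identical across instances.
    """
    groups = defaultdict(list)
    for instance, bundle in inventory.items():
        groups[leaf_fingerprint(bundle)].append(instance)
    return {fp: sorted(ids) for fp, ids in groups.items() if len(ids) > 1}


def _placeholder_pem(label):
    """Constructed stand-in: deterministic bytes in PEM armour, not a real certificate."""
    body = base64.b64encode(hashlib.sha512(label.encode()).digest() * 2).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


# Constructed inventory: vm-a and vm-b kept the certificate baked into the
# image, vm-c regenerated its own; all three present the same intermediate.
INTERMEDIATE = _placeholder_pem("constructed intermediate CA")
IMAGE_LEAF = _placeholder_pem("leaf baked into the VM image")
INVENTORY = {
    "vm-a": IMAGE_LEAF + INTERMEDIATE,
    "vm-b": IMAGE_LEAF + INTERMEDIATE,
    "vm-c": _placeholder_pem("leaf regenerated at first boot") + INTERMEDIATE,
}

if __name__ == "__main__":
    for fingerprint, instances in shared_leaves(INVENTORY).items():
        print(fingerprint[:16], instances)
```

A certificate reissued over the same private key has a different fingerprint, so catching shared keys as well requires hashing the SubjectPublicKeyInfo with an X.509 parser.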

Threat T3.4.5: Misuse of assurance tools

Assurance is the way to gain justifiable confidence that IT systems will consistently demonstrate one or more security properties, and operationally behave as expected, despite failures and attacks[10]. Assurance is based on audit, certification, and compliance tools and techniques. The manipulation of such tools and techniques can result in scenarios where the malicious behavior of attackers is masked and is not discovered. Assurance information is necessary to ensure the security of the system during its entire lifecycle, from its design to its operation. It is also necessary to guarantee compliance and regulation. This is valid across all the domains, but it is especially crucial for cloud and virtualization due to the intrinsic lack of transparency[11][12].

Assets: “Data”, “Middleware”, “Management”, “Infrastructure”, “Security Mechanisms”.

Related Attack

Threat T3.4.6: Failures of business process

According to the ENISA taxonomy, improper business processes can damage or cause a loss of assets. In the cloud environment, one of the main causes of this type of threat is limited cloud usage visibility. There can be two behaviors, un-sanctioned app usage and sanctioned app misuse, both of which refer to internal company regulations and processes that are not completely satisfied. In the case of un-sanctioned app use, employees use cloud applications without any specific permission or any corporate support, leading to what is called shadow IT.[13] This behavior is risky when it involves insecure cloud services that do not meet the corporate guidelines. IBM recently found that one out of three employees at Fortune 1000 companies regularly use cloud-based SaaS apps that have not been explicitly approved by internal IT departments.[5] An example of shadow IT that caused many more issues than it was supposed to solve was the adoption of a chat room service for managing a post-attack scenario at a big company. The chat room allowed an attacker to learn sensitive information about the company due to an unknown vulnerability that was used without alerting the security department.[14] Sanctioned app misuse is very complex to detect but still very dangerous, and it can be connected to external threat actors that impersonate legitimate internal users. An example of app misuse that violates company policy is making a backup on a personal SaaS service. This threat is connected with a lack of security governance/awareness and with the need for behavioral analysis of users for compliance with company policies.

Assets: “Virtual machine”, “Platforms”, “Infrastructure”.

Related Attack

Threat T3.4.7: Code execution and injection (unsecured APIs)

At the virtualization level, it is possible to execute code on the hypervisor from a malicious VM via modification of the hypervisor’s memory (heap memory), or to compromise the management interface by exploiting cross-site scripting (XSS) and SQL injection in its web application. Cloud applications are built on web service models; APIs can then become a target of attack and be vulnerable to well-known attacks, such as those in the Open Web Application Security Project (OWASP) Top Ten list [10] (see Section 3.7). In particular, code execution (e.g., XSS) and injection (e.g., SQL injection) are critical classes of attacks that can increase risks. Cloud computing strongly relies on software user interfaces (UIs) and APIs to allow customers to manage and interact with cloud services. The security and availability of general cloud services depend on the security of these APIs. They are exposed at the perimeter and are therefore very likely to be attacked. An increasing emphasis has been placed on how to handle API keys, as they are widely used in cloud services.[15] More specifically for the cloud, CSA identified metastructure (i.e., the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers) and applistructure (i.e., the applications deployed in the cloud and the underlying application services used to build them) failures as related to APIs that ignore their existence, for instance, when APIs still use just a username and password, ignoring the other more advanced security features offered. Similarly, to mitigate applistructure failures, in 2019 Apple restricted iOS app providers from doing screen recording as a means of analytics. Glassbox is one of the most famous applications that was blocked due to this Apple policy.

Assets: “Middleware”, “Virtual machine”, and “Platforms”.

Related Attack


Threat Group TG3.5: Legal

Threat T3.5.1: Violation of laws or regulations data

This threat concerns the occurrence of a breach of EU and national laws. Depending on the exact form of EU law, certain regulations (e.g. GDPR) are directly applicable across the EU Member States, while those in the form of a Directive (e.g. the NIS Directive) become applicable as soon as they are transposed into the national legal orders of the Member States. Note that when a breach of law occurs, affected individuals and organizations may seek remedies both in the national courts and before the European Court of Justice.

Assets: All assets.

Related Attack


Threat Group TG3.6: Organisational threats

Threat T3.6.1: Skill shortage

A possible shortage of skilled system administrators and managers is one of the main threats to complex systems. A lack of skills for virtualized environments, as well as a lack of technical competences on a specific cloud ecosystem, may have a tremendous impact on the entire cloud system. These sectors, even if somehow related to the sysadmin area, require specific competencies to be acquired to keep security under control. This threat has a strong link to threat group TG3.1 “Unintentional damage/loss of information or IT assets”.

Assets: “Roles”.

Related Attack

Threat T3.6.2: Malicious insider

Insider threats can be divided into unintentional and malicious insiders. Unlike external threat actors, insiders do not have to penetrate firewalls, VPNs and other security defenses at the perimeter. Insiders operate within a company’s security circle of trust, where they have direct access to resources. This makes this type of threat very complex to counteract. The Netwrix 2018 Cloud Security Report indicates that 58% of companies attribute security breaches to insiders, including negligence.[16] Being in this privileged position, the insider can be the vector of many other threats, such as those related to poisoning (TG3.3), but also to nefarious activities (TG3.4).

Assets: “Data”, “Middleware”, “Management”, “Infrastructure”, “Security Mechanisms”.

Related Attack


[1] IBM X-Force Threat Intelligence Index https://www.ibm.com/security/data-breach/threat-intelligence

[2] Europol, Internet Organised Crime Threat Assessment (IOCTA), Strategic, policy and tactical updates on the fight against cybercrime https://www.europol.europa.eu/sites/default/files/documents/iocta2018.pdf

[3] C. Maurice, C. Neumann, O. Heen and A. Francillon, “C5: Cross-cores cache covert channel,” in Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2015.

[4] Intentionally Insecure: Poor Security Practices in the Cloud https://www.f5.com/labs/articles/cisotociso/intentionally-insecure–poor-security-practices-in-the-cloud

[5] Gartner predicts that by 2020, one-third of all successful security attacks will come through shadow IT systems.

[6] Hybrid Cloud Security Best Practices Focus On The Five C’s: Console, Configuration, Connectivity, Cloud Data, And Containers https://cyberdefense.orange.com/wp-content/uploads/sites/9/2019/09/forrester_report_hybrid_cloud_security.pdf

[7] Half of management teams lack awareness about BPC despite increased attacks https://www.helpnetsecurity.com/2018/12/07/business-process-compromise/

[8] B. Albelooshi, K. Salah, T. Martin and E. Damiani, “Experimental Proof: Data Remanence in Cloud VMs,” IEEE 8th International Conference on Cloud Computing (CLOUD) 2015, 2015.

[9] B. Albelooshi, K. Salah, T. Martin and E. Damiani, “Experimental Proof: Data remanence in cloud VMs,” in Proceedings of the International Conference on Cloud Computing, 2015.

[10] S. T. King and P. M. Chen, “SubVirt: Implementing malware with virtual machines,” in Proceedings of the IEEE Symposium on Security and Privacy, 2006.

[11] A. Desnos, E. Filiol and I. Lefou, “Detecting (and creating!) a HVM rootkit (aka BluePill-like),” Journal in Computer Virology, pp. 23-49, 2011.

[12] A. Jasti, P. Shah, R. Nagaraj and R. Pendse, “Security in multi-tenancy cloud,” in Proceedings of the IEEE International Carnahan Conference on Security Technology, 2010.

[13] Bring shadow IT into the light: Discover, assess, approve and educate https://www.ibm.com/information-technology/bring-shadow-it-light-discover-assess-approve-and-educate-0

[14] Shadow IT: Every Company’s 3 Hidden Security Risks https://www.darkreading.com/endpoint/shadow-it-every-companys-3-hidden-security-risks/a/d-id/1332454

[15] Insecure API Implementations Threaten Cloud https://www.darkreading.com/cloud/insecure-api-implementations-threaten-cloud/d/d-id/1137550

[16] Cloud Security Risks and Concerns in 2018 https://blog.netwrix.com/2018/01/23/cloud-security-risks-and-concerns-in-2018/