• Blog
  • Partners
    • Overview
    • Partner Resource Center
  • Customer Login
    • North America
    • Europe
  • Support
Alert Logic
  • Why Alert Logic
    • Overview
    • Full Stack Security
    • Experts Included
    • Built For Cloud
    • Success Stories
    FEATURED CASE STUDY
    Wealth Wizards Featured Case Study - Customers Nav
    WealthWizards

    "We chose Alert Logic because we can be safe in the knowledge that we've got experts looking at our network activity 24/7 when we're not able to do it."

    Richard Marshall
    Head of Platform

  • Solutions
    • Solutions
    • Solutions Overview
      Security-as-a-Service Offerings
    • Cloud Defender
      Managed Cloud Security
    • Cloud Insight Essentials
      AWS Vulnerability Management
    • Log Manager & Log Review
      Log Correlation & Analysis
    • Web Security Manager
      Web Application Firewall
    • Threat Manager
      Network Intrusion Detection
    • ActiveWatch
      Managed Services
    • Use Cases
    • Assess
    • Detect
    • Block
    • Comply
    • Environments
    • Amazon Web Services
    • Microsoft Azure
    • Google Cloud Platform
    • Hybrid

    Full-Stack Security.
    Experts Included.
    Built For Cloud.

    Schedule Demo
  • Resources
    • Resource Library
    • Blog
    • Industry Reports
    • Cloud Security Report 2017
    • Case Studies
    • Security Checklists
    • Datasheets
    • ActiveIntegration API
    • Infographics
    • Webinars
    • Whitepapers
    • Videos
    • Help Center
    Alert Logic CLoud Security Report 2017 - Download Here
    Download Report
  • About Us
    • OVERVIEW:
    • About Us
    • Leadership
    • Board of Directors
    • Investors
    • Awards
    • Corporate Compliance
    • MEDIA & EVENTS:
    • Press Releases 
    • Media Coverage
    • Events
    • Cloud Security Summit
    • SUPPORT:
    • Community
    • Alert Logic Docs
    • Learn
    • Knowledge Base
    • CAREERS:
    • Alert Logic Careers
    • Alert Logic Jobs
Contact Sales

Close
  • Home
  • Why Alert Logic
    • Overview
    • Full Stack Security
    • Cyber Security Experts Included
    • Built For Cloud
  • Solutions
    • SOLUTIONS
    • Alert Logic® Cloud Defender®Managed Cloud Security Solution
    • Alert Logic® ActiveWatch™ActiveWatch Managed Detection & Response
    • Alert Logic® Web Security ManagerManaged Web Application Firewall (WAF)
    • Alert Logic® Threat Manager™Network Intrusion Detection System (IDS)
    • Alert Logic® Cloud InsightAWS Vulnerability Scanning
    • Alert Logic® Log Manager™Log Management Software
    • Compliance
    • USE CASES
    • Assess
    • Detect
    • Block
    • Security Compliance
    • ENVIRONMENTS
    • AWS Security
    • Microsoft Azure Security
    • Google Cloud Security
    • Hybrid Cloud Security
  • Partners
  • Resources
    • Resource Library
    • Blog
    • Industry Reports
    • Cloud Security Report 2017
    • Case Studies
    • Webinars
    • Whitepapers
    • Security Checklists
    • Datasheets
    • ActiveIntegration API
    • Infographics
    • Videos
    • New Economics of Cloud Security
    • Support
  • About Us
    • About Us
    • Leadership
    • Board of Directors
    • Investors
    • Awards
    • Corporate Compliance
    • Press Releases 
    • Media Coverage
    • Events
    • Alert Logic Careers
    • Alert Logic Jobs
    • Cloud Security Summit
    • LEARN
  • Support
  • Contact Us
  • Home
  • Blog
  • Top 5 Cloud Vulnerabilities

Top 5 Cloud Vulnerabilities

  • Posted Oct 03 2016
  • BY: Joseph Hitchcock
  • Alert Logic Security Research
  • Amazon Web ServicesCloud SecurityData BreachMalwareVulnerability ManagementWeb Application Security

Vulnerabilities to your network security can and should be addressed with several steps to making absolutely sure your security detection is at the level it should be. This article will break down the key areas to address when remedying cloud security threats in a quick and easy fashion, for compliance solutions that include being in full HIPAA compliance, PCI compliance, SQL injection prevention, Sox compliance, OWASP resources and tools, and more.

1. Account Hijacking/Session Riding. It's known as account hijacking, session riding, or session hijacking, and it's becoming all too commonplace.Last year, over 150 million PayPal accounts were one click away from being hijacked and exploited for the personal and financial information gained by those who abuse valid computer sessions, or session keys, in order to commit yet another form of online theft. If a supposedly secured and bonded site like PayPal can suffer PCI Compliance data breaches like this, then what can you do about them? The answer is, have a threat detection expert diagnose and shore up any potential cloud computing account hijacking threats with some key moves that will basically put layers of hardware and software between your sensitive data and potential session hijackers. Also, beware of any suspicious work emails, web links, and even requests to reset passwords. It is always best to double check their validity before you click or submit. 

2. Data Breach/Loss. This is a situation when the breach and data loss has already occurred to your cloud computing or backup network. You're frantic, asking yourself, "What can I do now?" It may be ransomware or other type of malware, it could be data theft due to a hacked or stolen company mobile device; it could be data loss due to a natural disaster, such as a fire or flood. The best tool you can have at your disposal in this situation is a secure, encrypted server that allows you to retrieve data through your cloud center. 

3. Insecure API. Cloud networks are typically put at risk by insecure API keys. A large problem with API keys is the inclusion of third-party applications or services where your API keys may be exposed without you knowing adding another attack surface. Attackers with improper or illegal access to keys can cause a denial-of-service or cause fees to rack up in the victim's name. One of the reasons for insecure API keys in networks is the insecure storage of API keys and bad management or not disposing of the API keys once they’re no longer needed. "There is a need to protect these cloud API keys," Jeremy Westerman, Vordel's director of product management, at the RSA Security Conference said, speaking in 2012. "There is a lot of awareness in the industry about protecting, say, SSL keys. Unfortunately, protecting API keys has not reached that level of awareness."

4. Malicious Insiders. There has also been a lot in the news in recent months regarding malicious insiders, like the use of malicious software installs on point-of-sale devices, the trojan horse Delilah information blackmailer, and remote methods of implanting malicious insiders that creep and crawl your data networks for sensitive information. A simple fix for this for IT departments is to always minimize the attack surface of your network so if a malicious insider does gain entry to sensitive data, it is confined to one area. For the unknowing malicious insider, block access to sites where malware flourishes like file sharing sites and porn where Trojans like Delilah freely roam and of course, educate your team on the dangers of these threats.

5. System Vulnerabilities. Some common system vulnerabilities include:

  • Lack of input validation on user input
  • Lack of sufficient logging mechanism
  • Fail-open error handling
  • Not closing the database connection properly

Good solutions to common system vulnerabilities are: better encryption, addressing the OWASP Top 10 vulnerabilities, intrusion detection systems for AWS, and getting a Web Application Firewall WAF) for AWS workloads, to help shore up or eliminate security threats.

Alert Logic can help your IT department or development strategy remain safe and secure with managed cloud security and AWS Vulnerability Scanning options that protect AWS applications and workloads with Cloud Insight, Cloud Defender, PCI compliance for small business, SQL injection prevention, Sox compliance, and a host of other solutions to keep your company safe and solvent when threats and attacks target your data centers

Zero Day Magazine Summer 2016

Zero Day, powered by Alert Logic, provides IT security professionals with a broader view of the current state of IT security, vulnerabilities, and cloud security trends. Every quarter, we deliver news, analysis, and commentary on the security challenges that industries face.

About the Author

Joseph Hitchcock - Technical Security Evangelist

Joseph Hitchcock

Joe Hitchcock is passionate when it comes to system and network security. Initially self-taught, he started working as an independent contractor for small businesses doing malware removal and perimeter security. He started at Alert Logic in 2011 as a Network Security Analyst analyzing threat traffic and other attacks. Afterwards, he worked in Security Research and eventually became one of the first Analysts to work on the Web Security team supporting Web Security Manager WAF. He was eventually promoted to a Senior Web Security Analyst where his job included building custom security policies, researching new web attacks and adding custom signatures to better WSM detection.

Email Me | Articles: 10
Previous Post
Next Post

Subscribe To Our Blog Digest

Categories

  • Amazon Web Services
  • Azure
  • Cloud Security
  • Compliance
  • Customer Reference
  • Data Breach
  • Ecommerce
  • Editorial
  • Event
  • Healthcare
  • Honeynet Stats
  • Industry News
  • IT Security
  • Life at Alert Logic
  • Log Management
  • Malware
  • Microsoft Azure
  • Network Threat Detection
  • PCI DSS
  • Rackspace
  • Threat Intelligence
  • Vulnerability Management
  • Web Application Security


Archives
  • 2018
    • All Posts For 2018
    • April
    • March
    • February
    • January
  • 2017
    • All Posts For 2017
    • December
    • November
    • October
    • September
    • August
    • July
    • June
    • May
    • April
    • March
    • February
    • January
  • 2016
    • All Posts For 2016
    • December
    • November
    • October
    • September
    • August
    • July
    • June
    • May
    • April
    • March
    • February
    • January
  • 2015
    • All Posts For 2015
    • December
    • November
    • October
    • September
    • August
    • July
    • June
    • May
    • April
    • March
    • February
    • January
  • 2014
    • All Posts For 2014
    • December
    • November
    • October
    • September
    • August
    • July
    • June
    • May
    • April
    • March
    • February
    • January
  • 2013
    • All Posts For 2013
    • December
    • November
    • October
    • September
    • August
    • July
    • June
    • May
    • April
    • March
    • February
    • January
  • 2012
    • All Posts For 2012
    • December
    • November
    • October
    • September
    • August
    • July
  • 2011
    • All Posts For 2011
    • October
    • September
    • July
    • June
    • May
    • April
    • February

Latest Tweets

  • Alert Logic Alert Logic @alertlogic
    Our engineers want to know - what do you regularly look at in the Alert Logic console? Let them know about your con… https://t.co/CMaFU9jaTo Retweets: 0 Likes: 0
    19 April
    • Reply
    • Retweet
    • Like
  • Alert Logic Alert Logic @alertlogic
    Listen as your peers talk about their experiences with Alert Logic. Learn about the results they’ve achieved by lev… https://t.co/Gykj7ERhQm Retweets: 0 Likes: 0
    19 April
    • Reply
    • Retweet
    • Like
  • Alert Logic Alert Logic @alertlogic
    What you need to know to increase the efficacy of your #threatdetection program. Download 5 Top Recommendations for… https://t.co/gzUxouBw5s Retweets: 0 Likes: 0
    19 April
    • Reply
    • Retweet
    • Like
Alert Logic
  • Solutions
  • Customers
  • Partners
  • Resources
  • About Us
  • Toll Free: +1.877.484.8383
  • Corporate: +1.713.484.8383
  • UK: +44 (0) 203 011 5533
  • Fax: +1.713.660.7988
  • Email: info@alertlogic.com
Alert Logic

Contact Us

United States:
844.816.1051

United Kingdom:
+44 (0) 203 011 55331

Or fill out the form below and an Alert Logic represetitive will contact you shortly.

Copyright © 2010-2018 Alert Logic, Inc.
All rights reserved. Terms of Use | Privacy Policy