A recent research paper published by Alert Logic, based on output from its cloud security service running across...
a large number of clients, found that the majority -- 73% -- of cyberattacks focused on the cloud were directed at web applications.
Web application attacks can affect any organization that hosts a website, whether it is a static page or a page that hosts a login or e-commerce application. Most attacks are focused around the OWASP Top 10 -- attackers tend to target the low-hanging fruit -- and the most effective are SQL injection attacks and cross-site scripting.
Web application attacks can affect both your organization and your clients directly. Hackers can potentially extract information directly from the database behind the application, including the personally identifiable information of clients, or they can target users with credential stealing attacks or even install malware on their machine.
Attackers who are able to take control of the content management system (CMS) an organization uses, or who use cross-site scripting attacks, can also deface the company's website. This means that any time a customer visits the company site, they will see whatever the hacker decides they want them to see -- and they could potentially download what the hacker wants, as well.
Infrastructure as a service (IaaS) platforms, such as those offered by Amazon Web Services and Microsoft Azure, are notable for having excellent security surrounding the hardware provided by the hosting companies. However, in all cases, the IaaS providers operate a shared responsibility model in which the provider handles the underlying hardware security, but anything installed on that hardware -- including web applications -- is the responsibility of the client.
Therefore, if the client runs an out-of-date version of a particular CMS that has a published vulnerability -- such as Magento, Joomla or WordPress -- then hackers can target this with relative ease simply by searching for and running the exploit code. Equally, if the client hosts a bespoke web application in the cloud with custom code that has not been adequately tested for vulnerabilities, it can lead to attacks that target the vulnerable application.
In many cases, these web application attacks are fully automated, and they may not even be targeted specifically at the vulnerable application; automated tools are simply scanning the entire internet for particular signatures and then running the exploit. This demonstrates that organizations need to ensure they are not complacent when they host their applications in the cloud. Even if the application is hosted on a secure IaaS platform, targeted web application attacks are just as likely to succeed.
Although automated attacks that use common techniques were used by hackers in most instances, Alert Logic noted that, in some cases, these web application attacks were custom written and beyond the capability of automated attack tools. This shows a trend toward taking traditional methods -- such as SQL injection and cross-site scripting -- and adapting them to work against increasingly sophisticated defenses.
The main point to note is that hosting web applications in the cloud neither enhances nor detracts from the security at the application layer. The standard practice of using the latest versions of plug-ins and frameworks, combined with secure coding techniques and regular penetration testing, is required just as much in the cloud as it is in any other environment.
Discover four common cloud attacks and how to prepare for them
Find out how to decide between IaaS and platform-as-a-service microservices
Learn whether WordPress is the right CMS for your organization