AWS Vulnerability Scanning to Define the Risk on Your System - CYBRI

BY Paul Kubler

Knowns and Unknowns of AWS Security

AWS states clearly in its customer agreements, procedure documents, and service terms that it runs world-class security teams, integrates security tooling into its services, and supports customers at the console level. It layers network, application, access, and cloud security controls, and it publishes its third-party audit reports (SOC, ISO, PCI DSS) to tenants through AWS Artifact. Yet, with many millions of dollars invested in security architecture, AWS is not immune to cyber attacks and breaches. AWS offers tenants native security services such as Amazon Inspector for vulnerability scanning, and the AWS Marketplace lists several third-party scanning and testing tools that a client can purchase and deploy inside its own account. Many organizations lack the skills and resources to run these tools well, and without that expertise the tools can become a liability. A badly scoped or overly aggressive scan is, in effect, a denial-of-service attack against the organization's own production systems, or, if the scan is aimed at an IP range rather than at the resources the organization actually owns, against another AWS customer whose addresses come from the same shared pool.

Should organizations trust integrated AWS security controls and processes?

The short answer is: trust them, but verify them with your own scanning and testing, and know the rules that verification runs under. For example, AWS asks that tenants not post or share any information about a potential vulnerability in any AWS-owned component or setting until AWS has researched, responded to, and addressed the reported vulnerability and, where needed, informed customers.

Who really owns the data in the cloud?

With AWS, you control where your data is stored, who can access it, and which resources your organization consumes. But under the shared responsibility model, AWS secures the cloud itself (facilities, hardware, hypervisor, and the managed service layer), while the tenant, not AWS, is responsible for security in the cloud: classifying its data, deciding which of the available safeguards to turn on, and deciding who may access what. AWS supplies the building blocks, including encryption at rest (for example KMS-managed keys for EBS, S3, and RDS), TLS for data in transit, and regional data residency to meet global compliance requirements, but the tenant owns the data and the decision to use those controls.

Vulnerability scanning, remediation, and penetration testing

A common misconception is that a vulnerability scan is a penetration test. On the surface the two workflows look alike, and both are critical, but they serve completely different functions.

Vulnerability scanning is the manual or automated probing of a system or network to determine whether it exposes known weaknesses to an attacker. The scan output gives the organization a risk level for each finding through a scoring method, most commonly the Common Vulnerability Scoring System (CVSS).

How are vulnerabilities scored?

The NVD supports both the CVSS v2.0 and v3.x standards. It publishes CVSS base scores, which capture the intrinsic characteristics of each vulnerability; it does not publish temporal or environmental scores, so a base score says nothing about whether the affected component is reachable, exposed, or important in your environment. Organizations assess that score, together with their own context, to decide whether a system needs an urgent, routine, or deferred remediation cycle. Few companies have the business cycles to patch every vulnerable system at once; CVSS lets them order the work so the most critical systems are remediated first.

Remediation Cycles

Scanning identifies vulnerable systems and devices on the network. Once a system is found to be vulnerable, the security team can place it in an isolated state and remove it from the production path. Many third-party tools can automate this step, including running a post-remediation scan, or moving the system into a sandbox network for a deeper vulnerability assessment or a pen test. In AWS, isolation normally means swapping the instance's security groups for a quarantine group rather than stopping or terminating it, so that memory, sockets, and disks survive for investigation and the instance's auto-assigned public IP is not released.
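The quarantine-and-release step of that cycle, written out as an added example (not the article's or AWS's code) in Python against the boto3 EC2 API. It assumes a pre-built isolation security group, passed in as the hypothetical quarantine_sg, that allows no ingress and egress only to your forensics hosts, and an IAM principal allowed ec2:DescribeInstances, ec2:ModifyNetworkInterfaceAttribute, ec2:CreateSnapshot, ec2:CreateTags and ec2:DeleteTags. The tag keys are invented for the example, and the client is injected so the logic can be exercised without an AWS account.

```python
"""Quarantine and release an EC2 instance during a remediation cycle.

Added example; not code from the original article or from AWS. Assumes a
pre-built isolation security group (passed in as quarantine_sg, hypothetical)
that permits no ingress and egress only to your forensics hosts, and an IAM
principal allowed ec2:DescribeInstances, ec2:ModifyNetworkInterfaceAttribute,
ec2:CreateSnapshot, ec2:CreateTags and ec2:DeleteTags. The boto3 client is
injected so the logic can be exercised against a stub.
"""
from datetime import datetime, timezone

QUARANTINE_TAG = "quarantine:since"             # hypothetical tag keys
ORIGINAL_SG_TAG = "quarantine:original-sgs"


def _describe(ec2, instance_id):
    """Return the one instance dict for instance_id (DescribeInstances nests them)."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    found = [i for r in resp["Reservations"] for i in r["Instances"]]
    if len(found) != 1:
        raise LookupError(f"expected exactly one instance for {instance_id}, got {len(found)}")
    return found[0]


def _tags(instance):
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def quarantine_instance(ec2, instance_id, quarantine_sg, snapshot=True):
    """Isolate the instance at the network layer without stopping it.

    Stopping or terminating destroys volatile evidence (memory, sockets,
    running processes) and releases auto-assigned public IPs, so the instance
    keeps running while every ENI is moved into the isolation group. The
    original group IDs are recorded in a tag so the instance can be released
    after a clean post-remediation scan. Returns the ENI IDs that were moved.
    """
    inst = _describe(ec2, instance_id)
    if QUARANTINE_TAG in _tags(inst):
        raise RuntimeError(f"{instance_id} is already quarantined")

    # ModifyInstanceAttribute(Groups=...) only touches the primary ENI; a
    # secondary interface left in its old groups is a hole in the quarantine,
    # so every interface is re-grouped individually.
    original = {}
    for eni in inst["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        original[eni_id] = [g["GroupId"] for g in eni["Groups"]]
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, Groups=[quarantine_sg])

    if snapshot:  # preserve disk state before anyone "fixes" the box
        for mapping in inst.get("BlockDeviceMappings", []):
            if "Ebs" in mapping:  # instance-store volumes cannot be snapshotted
                ec2.create_snapshot(
                    VolumeId=mapping["Ebs"]["VolumeId"],
                    Description=f"pre-remediation snapshot of {instance_id}")

    # Tag values are capped at 256 characters; encode as eni=sg+sg;eni=sg.
    record = ";".join(f"{eni}={'+'.join(sgs)}" for eni, sgs in original.items())
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[{"Key": QUARANTINE_TAG, "Value": datetime.now(timezone.utc).isoformat()},
              {"Key": ORIGINAL_SG_TAG, "Value": record}])
    return sorted(original)


def release_instance(ec2, instance_id):
    """Restore the groups recorded by quarantine_instance and drop the tags.
    Returns {eni_id: [group ids]} as restored."""
    inst = _describe(ec2, instance_id)
    tags = _tags(inst)
    if ORIGINAL_SG_TAG not in tags:
        raise RuntimeError(f"{instance_id} carries no quarantine record")
    restored = {}
    for entry in tags[ORIGINAL_SG_TAG].split(";"):
        eni_id, groups = entry.split("=", 1)
        restored[eni_id] = groups.split("+")
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, Groups=restored[eni_id])
    ec2.delete_tags(Resources=[instance_id],
                    Tags=[{"Key": QUARANTINE_TAG}, {"Key": ORIGINAL_SG_TAG}])
    return restored


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a real run: quarantine.py quarantine i-... sg-...
    client = boto3.client("ec2")
    if sys.argv[1] == "quarantine":
        print(quarantine_instance(client, sys.argv[2], sys.argv[3]))
    else:
        print(release_instance(client, sys.argv[2]))
```

Two design choices matter here. The original groups are stored on the instance itself rather than in the operator's head or a ticket, so the release after the post-remediation scan is mechanical and auditable. And the snapshot is taken before any remediation, because a patch that "fixes" the box also overwrites the evidence of how it was compromised.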

Pen testing as a valuable sprint 

A penetration test is a human-driven exercise designed to determine whether an attacker can compromise the vulnerable system, before or after the remediation cycle. Pen testing is far more expensive than running automated scans, but it surfaces risks a scanner cannot see, such as chains of individually low-severity findings, business-logic flaws, and weak authorization. Not every system in the network needs a pen test after remediation; the most critical ones, and those that map to a compliance framework or security audit, should go through a pen test work stream. At the end of a pen test the client receives a list of security findings, potential compliance issues, and the weaknesses that enabled each one.

Define the level of risk on your systems

Conducting regular vulnerability scans helps you determine the overall effectiveness of your security measures. Scanning also shows where the controls that should be protecting the corporate system have failed. Vendors routinely require clients to patch their products; when operations teams cannot keep up with the stream of patches and updates, the scan reports the affected system as high or low risk accordingly. If the SecOps team is continually inundated with vulnerabilities from one product, that is a strong sign the product is poorly maintained and should be evaluated for replacement by another vendor.

Leveraging third-party vulnerability scanning and pen testing teams outside of AWS

AWS historically required prior approval to run any form of vulnerability assessment against resources in its infrastructure. In March 2019 it changed the rules so that customers may scan and penetration-test eight services in their own accounts without prior approval: EC2 instances, NAT gateways, and Elastic Load Balancers; Amazon RDS; Amazon CloudFront; Amazon Aurora; Amazon API Gateway; AWS Lambda and Lambda@Edge functions; Amazon Lightsail resources; and AWS Elastic Beanstalk environments. Denial-of-service testing of any kind, including simulated DDoS, port flooding, and protocol flooding, remains prohibited under that policy; DDoS simulation is permitted only under AWS's separate DDoS simulation testing policy.

A common and effective method for AWS vulnerability scanning is to deploy a virtual scanner appliance directly into the VPC. The appliance you choose will depend on your enterprise's scanning needs and the expertise of your security admins. Placement determines what the scan can see: a scanner inside the VPC sees what a compromised workload or an insider sees (private addresses and internal services), while a scanner on the internet sees the attacker's view of your public endpoints, so mature programs run both. In either case, scope the scan by the resources you own, never by address range, because AWS public addresses are drawn from pools shared with other customers.

Many appliances are built around AWS's shared responsibility model and help enterprises stay within Amazon's penetration testing and vulnerability scanning rules. Such tools are available from a variety of third-party vendors, among them CYBRI.
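The scoping discipline behind those rules, as an added example in Python (not the article's code and not any vendor's): derive the scanner's target list from your own EC2 inventory rather than from a CIDR, so that a stopped instance whose auto-assigned public IP has gone back to the shared pool, or a neighbour in the same range, never ends up in the scan. The opt-in tag scan:allowed and the SAMPLE_RESPONSE inventory are constructed for the example; in practice SAMPLE_RESPONSE would be the output of ec2:DescribeInstances.

```python
"""Derive a vulnerability-scan scope from resources you own, not from IP ranges.

Added example; not code from the original article or from any scanner vendor.
AWS public addresses come from pools shared with every other customer, so a
scanner handed a CIDR can end up probing someone else's instance. This builds
the target list from your own EC2 inventory instead. The tag name scan:allowed
and SAMPLE_RESPONSE below are constructed for the example (IPv4 only).
"""
import ipaddress

SCOPE_TAG_KEY = "scan:allowed"     # hypothetical opt-in tag
SCOPE_TAG_VALUE = "true"

# Constructed stand-in for an ec2:DescribeInstances response.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-1", "VpcId": "vpc-a", "State": {"Name": "running"},
     "Tags": [{"Key": SCOPE_TAG_KEY, "Value": "true"}],
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-1", "PrivateIpAddresses": [
         {"PrivateIpAddress": "10.0.1.10", "Primary": True,
          "Association": {"PublicIp": "203.0.113.10"}},
         {"PrivateIpAddress": "10.0.1.11", "Primary": False}]}]},
    # running, same VPC, but never opted in: stays out of scope
    {"InstanceId": "i-2", "VpcId": "vpc-a", "State": {"Name": "running"}, "Tags": [],
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-2", "PrivateIpAddresses": [
         {"PrivateIpAddress": "10.0.1.20", "Primary": True}]}]},
    # opted in but stopped: its auto-assigned public IP was released and may
    # already belong to another customer, so there is nothing safe to scan
    {"InstanceId": "i-3", "VpcId": "vpc-a", "State": {"Name": "stopped"},
     "Tags": [{"Key": SCOPE_TAG_KEY, "Value": "true"}],
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-3", "PrivateIpAddresses": [
         {"PrivateIpAddress": "10.0.1.30", "Primary": True}]}]},
    # opted in but in a VPC this scan window was not authorised for
    {"InstanceId": "i-4", "VpcId": "vpc-b", "State": {"Name": "running"},
     "Tags": [{"Key": SCOPE_TAG_KEY, "Value": "true"}],
     "NetworkInterfaces": [{"NetworkInterfaceId": "eni-4", "PrivateIpAddresses": [
         {"PrivateIpAddress": "10.1.0.4", "Primary": True,
          "Association": {"PublicIp": "203.0.113.44"}}]}]},
]}]}


def flatten(response):
    """DescribeInstances nests instances under reservations; flatten them."""
    return [i for r in response["Reservations"] for i in r["Instances"]]


def in_scope(instance, vpc_ids):
    """Running, in an authorised VPC, and explicitly opted in by tag."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    return (instance.get("State", {}).get("Name") == "running"
            and instance.get("VpcId") in vpc_ids
            and tags.get(SCOPE_TAG_KEY) == SCOPE_TAG_VALUE)


def targets(response, vpc_ids, perspective):
    """Sorted target addresses for the scanner.

    perspective="internal": private addresses of every ENI (scanner in the VPC).
    perspective="external": public/Elastic IPs only (scanner on the internet).
    """
    if perspective not in ("internal", "external"):
        raise ValueError("perspective must be 'internal' or 'external'")
    found = set()
    for inst in flatten(response):
        if not in_scope(inst, vpc_ids):
            continue
        for eni in inst.get("NetworkInterfaces", []):
            for addr in eni.get("PrivateIpAddresses", []):
                if perspective == "internal":
                    found.add(addr["PrivateIpAddress"])
                elif "Association" in addr:       # only addresses that have a public side
                    found.add(addr["Association"]["PublicIp"])
    return sorted(found, key=ipaddress.ip_address)


def check_cidr_targets(cidrs, vpc_cidrs):
    """Reject any hand-added CIDR that is not entirely inside one of your VPCs.
    Anything else (a public /24, "the rest of the subnet") is shared address
    space and would put other AWS customers in the scan."""
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    rejected = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if not any(v.version == net.version and net.subnet_of(v) for v in vpcs):
            rejected.append(c)
    if rejected:
        raise ValueError(f"refusing to scan shared address space: {rejected}")
    return [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]


if __name__ == "__main__":
    print("internal:", targets(SAMPLE_RESPONSE, {"vpc-a"}, "internal"))
    print("external:", targets(SAMPLE_RESPONSE, {"vpc-a"}, "external"))
    print("extra:", check_cidr_targets(["10.0.1.0/28"], ["10.0.0.0/16"]))
```

Feeding the scanner this list instead of a range also gives you the authorisation record auditors ask for: every target traces back to an instance ID, a VPC, and a tag that someone in the organisation set.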

Separate from the customer penetration testing policy above, AWS runs a Vulnerability Reporting Program for vulnerabilities in AWS itself. The following activities are out of scope for that program, and conducting any of them results in permanent disqualification:

  1. Targeting assets of AWS customers or non-AWS sites hosted on our infrastructure
  2. Any vulnerability obtained through the compromise of AWS customer or employee accounts
  3. Any Denial of Service (DoS) attack against AWS products or AWS customers
  4. Physical attacks against AWS employees, offices, and data centers
  5. Social engineering of AWS employees, contractors, vendors, or service providers
  6. Knowingly posting, transmitting, uploading, linking to, or sending malware
  7. Pursuing vulnerabilities which send unsolicited bulk messages (spam)

Vulnerability assessment is not a one-and-done process or work stream. Conducting regular vulnerability scans ensures security holes are found and remediated in a timely manner.

Summary

As an AWS tenant, engaging third-party pen testing and vulnerability scanning teams is a necessary check and balance. AWS is known globally for excellent security architecture, controls, and processes, but not every system or cloud instance is perfect. Expert third-party pen testers provide insight beyond what AWS itself can see: real-time compliance checks, validation that security standards are being followed, and continuous monitoring of all critical systems.
