Tweet
After some TDF advice: esp eg Ian_6301
I have an AWS account used for intermediary processing from a big customer to some service providers in the marketplace. We see about 10 million transactions a day, so a non-trivial workload.
Connectivity into and out of the AWS VPC is private using Direct Connect and some dedicated switches hosted at various PoPs, with redundant leased lines to the customers and to our own WAN with VRFs for end to end connectivity.
All AWS regions are in Europe and the architecture is active/active. AWS security features are applied according to best practice and common sense e.g. zoned subnets, security groups, routing tables, IAM roles, etc. All compute is using Dedicated Instances. The EC2 instances all have HIDS and FIM. Apps run in docker containers which are managed using kubernetes. All logs are shipped to a SIEM system in another VPC using VPC peering. Data is encrypted at rest and in transit. Master keys are in KMS.
We have a bastion host with internet access for VPN for admin users who might be located globally.
How would you start to do a pen test or ethical hacking on such a setup ? Is the VPN the only attack vector or how would I attempt to access the VPC in other ways ? Our internal pen-testing team are more accustomed to working on B2C systems which are Internet facing, not entirely private ecosystems with no apparent way in.
I do not want (and do not have permission for) them to be given privileged access and to mount attack from within.
They asked me where my PoPs are but I won't even tell them in which countries, apart from it's all EU based, if a hacker could find out then they can find out.
To demonstrate compliance but also start to win over the cloud non-believers ... some people in positions of authority still believe a lot of the old cloud myths and I want to use this application to help those individuals understand how cloud done right can be more secure than their own on-premise data centres.
Personally I believe the threats to corporates are from social engineering and from the web browser with internet access they put on everyone's desktops, not my kind of cloud hosted applications in a B2B SasS model. But one step at a time.
Sent from my iPhone using Tapatalk
I have an AWS account used for intermediary processing from a big customer to some service providers in the marketplace. We see about 10 million transactions a day, so a non-trivial workload.
Connectivity into and out of the AWS VPC is private using Direct Connect and some dedicated switches hosted at various PoPs, with redundant leased lines to the customers and to our own WAN with VRFs for end to end connectivity.
All AWS regions are in Europe and the architecture is active/active. AWS security features are applied according to best practice and common sense e.g. zoned subnets, security groups, routing tables, IAM roles, etc. All compute is using Dedicated Instances. The EC2 instances all have HIDS and FIM. Apps run in docker containers which are managed using kubernetes. All logs are shipped to a SIEM system in another VPC using VPC peering. Data is encrypted at rest and in transit. Master keys are in KMS.
We have a bastion host with internet access for VPN for admin users who might be located globally.
How would you start to do a pen test or ethical hacking on such a setup ? Is the VPN the only attack vector or how would I attempt to access the VPC in other ways ? Our internal pen-testing team are more accustomed to working on B2C systems which are Internet facing, not entirely private ecosystems with no apparent way in.
I do not want (and do not have permission for) them to be given privileged access and to mount attack from within.
They asked me where my PoPs are but I won't even tell them in which countries, apart from it's all EU based, if a hacker could find out then they can find out.
To demonstrate compliance but also start to win over the cloud non-believers ... some people in positions of authority still believe a lot of the old cloud myths and I want to use this application to help those individuals understand how cloud done right can be more secure than their own on-premise data centres.
Personally I believe the threats to corporates are from social engineering and from the web browser with internet access they put on everyone's desktops, not my kind of cloud hosted applications in a B2B SasS model. But one step at a time.
Sent from my iPhone using Tapatalk
Comment