Microsoft to reward up to $40,000 on Azure Bug Bounty Program

Infrastructure As A Service (IaaS) attacks is an IT department’s worst nightmare. Imagine a cybercriminal planting a backdoor inside your server, at which point they can consistently use to discreetly steal data. Furthermore, this does not only affect the bare-metal server as this backdoor will remain intact as the cloud infrastructure goes from one customer to another. Microsoft decided to tackle IaaS attacks head-on by launching the Azure Security Lab. Basically, it is an isolated platform where researchers can test against all kinds of IaaS attacks, which will not affect Azure customers in any way. Also, in an effort to bolster security even more, Microsoft has increased the maximum reward of the bug bounty program to $40,000. 

Before we get into all of the security threats facing IaaS, let’s briefly review what exactly IaaS is and why customers choose to use it. 

What is IaaS?

Infrastructure as a Service (IaaS) allows the customer to virtually access a cloud provider’s underlying IT infrastructure which allows the customer to provision these resources on demand. This is beneficial for the customer because they do not have to worry about procuring and managing hardware and data centers since all of this will be provided by the cloud provider. IaaS is usually a good choice for companies that are looking to secure applications and operational systems themselves, via patches and updates. 

Customers who choose to go with IaaS will need to decide whether they will use a public cloud, private cloud, or a hybrid approach to host their infrastructure. If they choose a public cloud from an outside service provider they get advantages such as on-demand computing resources and fast scalability, but it is not a good idea to store sensitive information because of the security risks. 

Security Vulnerabilities in the IaaS Cloud

When it comes to attacks such as SQL injections, cross-site scripting, and many other IaaS systems are just as vulnerable as standard IT environments. In a cloud service environment, client apps are like mystery boxes for hackers. Ultimately, the customer is still responsible for securing his own application. This usually means there are likely to be some applications without adequate protection. With all of this in mind, cloud applications need to be built with secure coding practices and require regular maintenance and updates. Let’s take a look at some common security issues that are plaguing cloud computing environments today. 

• Insecure Application Programming Interfaces (APIs) – Cloud service providers usually offer a set of custom APIs to access their services. If the API is poorly implemented, it opens the door for hackers to penetrate the application. It is the cloud provider’s responsibility to fix these sort of issues without affecting the end-user. This can be challenging, however, because updates to the API settings could cause existing customer applications or functions to break. 
• Denial of Service (DoS) – If a customer exhausts all of their cloud resources it may result in  lower service quality for other apps in the same cloud section. Cybercriminals can take advantage of this opportunity by attacking all of the shared resources in order to slow down the target’s systems. When done in conjunction with a network-based denial of service attack, the cybercriminal could potentially block the targetfrom accessing their cloud resources. 
• Data Loss/Breach – While cloud service providers usually build their infrastructure with greater redundancy than most companies, it is still possible for data to be lost forever. This could happen through hardware failure or hacking attacks. There has been an increasing amount of vulnerabilities discovered in core software components making it difficult for both cloud service providers and customers to keep up. Critical software bugs such as Heartbleed and Shellshock have caused quite a stir in the media recently causing service providers to scramble in order to patch them in a timely manner. 

Now that we have looked at some of the vulnerabilities facing IaaS, let’s take a look at some of the steps you can take in order to remediate them. 

Penetration Testing 

Penetration testing will give your company an overall idea of how well you are capable of defending your application, network, and user endpoints from external attacks. The results of the penetration test can confirm if you are indeed vulnerable to a specific threat allowing your IT department to take the needed steps to remediate the vulnerability. Furthermore, penetration testing can show you exactly how each vulnerability can be exploited which will give you an understanding of how critical the vulnerability is. 

By conducting regular penetration testing you can avoid potential fines and reputation damage that come from security breaches asit is expensive enough to recover from security flaws alone. If you factor in the potential costs of legal fees, loss of revenue, discouraged trade associates and other expenses and losses, it could be disastrous for your business. 

Bug Bounty Program

Microsoft increased the reward for their bug bounty program because they understand that new threats emerge all the time and it would make more sense to reward people for reporting them instead of exploiting them. This is why they have issued more $4.4 million in bug bounty rewards over the past year. Perhaps Cisco Chairman John Chambers said it best: “There are two types of organizations: the ones that have been hacked and the ones who don’t know that they have been hacked.” 

Therefore, every organization’s penetration testing program should include a bug bounty program. It gives companies an opportunity to take part in the global community of ethical hackers who would like to help your company secure their products in return for a reward. 

The security of any service that runs in the cloud will rely on the security of the cloud infrastructure. While security breaches involving your infrastructure are a huge concern, the cloud service provider will usually keep their infrastructure well patched and configured to reduce the risk of hackers exploiting vulnerabilities. However, it is also your job to ensure the overall security of your product and by conducting regular penetration testing and implementing a bug bounty program you can better mitigate those risks.