Sunday, June 8, 2025
News PouroverAI
Visit PourOver.AI
No Result
View All Result
  • Home
  • AI Tech
  • Business
  • Blockchain
  • Data Science & ML
  • Cloud & Programming
  • Automation
  • Front-Tech
  • Marketing
  • Home
  • AI Tech
  • Business
  • Blockchain
  • Data Science & ML
  • Cloud & Programming
  • Automation
  • Front-Tech
  • Marketing
News PouroverAI
No Result
View All Result

You should be worried about cloud squatting

December 26, 2023
in Cloud & Programming
Reading Time: 3 mins read
0 0
A A
0
Share on FacebookShare on Twitter


Most security issues in the cloud can be traced back to someone doing something stupid. Sorry to be that blunt, but I don’t see ingenious hackers out there. I do see misconfigured cloud resources, such as storage and databases, that lead to vulnerabilities that could easily be avoided.

I always teach how your first line of defense is not cool security tools but training. This is often ignored, considering that budgets are directed at new tools rather than teaching admins how not to do dumb things. It is frustrating considering the investment needed versus the value gained. Oh well.

A new threat

Although cloud squatting is being pushed as a new threat, we’ve known about it for years. What changed is that as we move more assets into the public cloud and have new people taking care of these assets, there seems to be a renewed interest in this vulnerability. Perhaps the bad actors are getting better at exploiting it.

The core issue is that cloud asset deletions often occur without removing associated records, which can create security risks for subdomains. Failure to also delete records allows attackers to exploit subdomains by creating unauthorized phishing or malware sites. This is called cloud squatting.

Resources are provisioned and deallocated programmatically, typically. Allocating assets such as virtual servers and storage space is quick, generally done in seconds, but deallocation is more complex, and that’s where the screwups occur.

We’re seeing the creation of multiple records pointing to temporary cloud resources for different applications and tools; then organizations fail to delete cloud assets and associated records. Let’s discuss how this happens.

Mitigating cloud squatting

Identifying and fixing cloud squatting is challenging for large enterprises with vast amounts of domains. Moreover, global infrastructure teams have varying degrees of training, and with 100 or more people in the security admin team, you’re bound to run into this problem a few times a month. Keep in mind it is avoidable.

To mitigate this risk, the security teams design internal tools to comb through company domains and identify subdomains pointing to cloud provider IP ranges. These tools check the validity of IP records assigned to the company’s assets. These are assigned automatically by cloud providers. I always get nervous when companies create and deploy their own security tools, considering that they may create a vulnerability.

Mitigating cloud squatting is not just about creating new tools. Organizations can also use reserved IP addresses. This means transferring their owned IP addresses to the cloud, then maintaining and deleting stale records, and using DNS names systemically.

If you’re not a network person and don’t know your DNSs from your IRSs, that’s fine. The idea is to remove the ability for old, undeleted records to be exploited. Anyway, what you can do is not a complex process. Also, enforce a policy to prevent hard-coding of IP addresses and using reserved IPv6 addresses (if offered by the cloud provider).

Two-phase approach

We can deal with this risk in two stages:

First, address the large attack surface by implementing the above-mentioned mitigation strategies.

Second, enforce policies for using DNS names, and regularly maintain records for effective management.

If this seems like nothing too taxing, you are correct. However, two things are occurring right now that are causing cloud squatting to become more of a threat.

The issue is the rapid expansion of cloud deployments during the pandemic. Massive amounts of data were pushed into the clouds, with domains allocated to find that data and little thought about removing them when they became unnecessary. I see this often left out of deployment playbooks. When I call people out on it, I usually get the response, “We did not have time to think about that.”

We’re also working with a talent deficiency right now. Most of these issues can be traced to inadequate training or hiring lower-tiered cloud administrators to keep things going. Often, certifications will get you a job, whereas actual experience is more important. I suspect that most enterprises will have to “touch the stove” to understand the impact.

Copyright © 2023 IDG Communications, Inc.



Source link

Tags: cloudsquattingworried
Previous Post

Hyundai Exter and Tata Punch Comparison: Design, features, safety, price and mileage

Next Post

Content Marketing Predictions for 2024

Related Posts

Top 20 Javascript Libraries You Should Know in 2024
Cloud & Programming

Top 20 Javascript Libraries You Should Know in 2024

June 10, 2024
Simplify risk and compliance assessments with the new common control library in AWS Audit Manager
Cloud & Programming

Simplify risk and compliance assessments with the new common control library in AWS Audit Manager

June 6, 2024
Simplify Regular Expressions with RegExpBuilderJS
Cloud & Programming

Simplify Regular Expressions with RegExpBuilderJS

June 6, 2024
How to learn data visualization to accelerate your career
Cloud & Programming

How to learn data visualization to accelerate your career

June 6, 2024
BitTitan Announces Seasoned Tech Leader Aaron Wadsworth as General Manager
Cloud & Programming

BitTitan Announces Seasoned Tech Leader Aaron Wadsworth as General Manager

June 6, 2024
Copilot Studio turns to AI-powered workflows
Cloud & Programming

Copilot Studio turns to AI-powered workflows

June 6, 2024
Next Post
Content Marketing Predictions for 2024

Content Marketing Predictions for 2024

Turning Eco-Choices into Playful Wins

Turning Eco-Choices into Playful Wins

This Paper Explores the Legal and Ethical Maze of Language Model Training: Unveiling the Risks and Remedies in Dataset Transparency and Use

This Paper Explores the Legal and Ethical Maze of Language Model Training: Unveiling the Risks and Remedies in Dataset Transparency and Use

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

  • Trending
  • Comments
  • Latest
23 Plagiarism Facts and Statistics to Analyze Latest Trends

23 Plagiarism Facts and Statistics to Analyze Latest Trends

June 4, 2024
Accenture creates a regulatory document authoring solution using AWS generative AI services

Accenture creates a regulatory document authoring solution using AWS generative AI services

February 6, 2024
Managing PDFs in Node.js with pdf-lib

Managing PDFs in Node.js with pdf-lib

November 16, 2023
Graph neural networks in TensorFlow – Google Research Blog

Graph neural networks in TensorFlow – Google Research Blog

February 6, 2024
13 Best Books, Courses and Communities for Learning React — SitePoint

13 Best Books, Courses and Communities for Learning React — SitePoint

February 4, 2024
From Low-Level to High-Level Tasks: Scaling Fine-Tuning with the ANDROIDCONTROL Dataset

From Low-Level to High-Level Tasks: Scaling Fine-Tuning with the ANDROIDCONTROL Dataset

June 10, 2024
Can You Guess What Percentage Of Their Wealth The Rich Keep In Cash?

Can You Guess What Percentage Of Their Wealth The Rich Keep In Cash?

June 10, 2024
AI Compared: Which Assistant Is the Best?

AI Compared: Which Assistant Is the Best?

June 10, 2024
How insurance companies can use synthetic data to fight bias

How insurance companies can use synthetic data to fight bias

June 10, 2024
5 SLA metrics you should be monitoring

5 SLA metrics you should be monitoring

June 10, 2024
From Low-Level to High-Level Tasks: Scaling Fine-Tuning with the ANDROIDCONTROL Dataset

From Low-Level to High-Level Tasks: Scaling Fine-Tuning with the ANDROIDCONTROL Dataset

June 10, 2024
UGRO Capital: Targeting to hit milestone of Rs 20,000 cr loan book in 8-10 quarters: Shachindra Nath

UGRO Capital: Targeting to hit milestone of Rs 20,000 cr loan book in 8-10 quarters: Shachindra Nath

June 10, 2024
Facebook Twitter LinkedIn Pinterest RSS
News PouroverAI

The latest news and updates about the AI Technology and Latest Tech Updates around the world... PouroverAI keeps you in the loop.

CATEGORIES

  • AI Technology
  • Automation
  • Blockchain
  • Business
  • Cloud & Programming
  • Data Science & ML
  • Digital Marketing
  • Front-Tech
  • Uncategorized

SITEMAP

  • Disclaimer
  • Privacy Policy
  • DMCA
  • Cookie Privacy Policy
  • Terms and Conditions
  • Contact us

Copyright © 2023 PouroverAI News.
PouroverAI News

No Result
View All Result
  • Home
  • AI Tech
  • Business
  • Blockchain
  • Data Science & ML
  • Cloud & Programming
  • Automation
  • Front-Tech
  • Marketing

Copyright © 2023 PouroverAI News.
PouroverAI News

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In