---

Introduction

Module 19: Cloud Computing – Securing the Virtual Sky

Cloud platforms have become the core of modern IT, offering scalability, agility, and global access — but they also introduce new attack surfaces.
This module explores how attackers target cloud infrastructures, misconfigurations, APIs, and identity systems.
Learners study cloud service models (IaaS, PaaS, SaaS), key threats like insecure storage and privilege escalation, and defensive practices such as shared responsibility, encryption, and zero-trust access.

Module 20: Cryptography – Guarding Data Through Mathematics

Cryptography is the science that ensures data confidentiality, integrity, and authenticity.
This module covers encryption algorithms, hashing, digital signatures, and key management principles essential to cybersecurity.
Learners gain an understanding of how encryption is applied in real-world systems — from securing communications to protecting passwords and verifying identities — and how attackers attempt to break or misuse it.

Module 19: Cloud Computing

1. Purpose and Importance

Cloud computing underpins modern digital transformation — powering SaaS, data centers, and hybrid infrastructures.
For ethical hackers, understanding cloud vulnerabilities, attack surfaces, and defensive architectures is vital.
This module explores how cloud environments differ from traditional IT systems and how attackers exploit those differences.

2. Core Concepts of Cloud Computing

Definition

Cloud computing delivers on-demand network access to a shared pool of configurable computing resources — servers, storage, applications, and services — that can be rapidly provisioned and released.

Five Key Characteristics (NIST Definition)

1. On-demand self-service – users provision resources automatically.
2. Broad network access – accessible from anywhere via internet protocols.
3. Resource pooling – shared physical and virtual resources.
4. Rapid elasticity – scale resources dynamically.
5. Measured service – usage is metered for billing and management.

3. Cloud Service Models

IaaS (Infrastructure as a Service) Provides virtualized compute, storage, and networking resources. AWS EC2, Google Compute Engine, Azure VM

PaaS (Platform as a Service) Developers build apps without managing servers or OS. Google App Engine, Azure App Service

SaaS (Software as a Service) End-users access hosted software online. Salesforce, Microsoft 365, Gmail

Security responsibility increases as you move from SaaS → PaaS → IaaS.

4. Cloud Deployment Models

1. Public Cloud – shared infrastructure managed by a provider (e.g., AWS, Azure).
2. Private Cloud – dedicated infrastructure for one organization (on-prem or hosted).
3. Hybrid Cloud – mix of public and private, enabling workload portability.
4. Community Cloud – shared among organizations with common concerns.

5. The Shared Responsibility Model

Security in the cloud is a shared duty:

• Cloud provider secures the infrastructure (physical data centers, hypervisors, core services).
• Customer secures data, applications, identity management, and configurations.

Failure to understand this split often leads to misconfiguration-based breaches.

6. Cloud Architecture Components

• Cloud Service Provider (CSP) – delivers infrastructure, platform, or applications.
• Cloud Consumer – uses or manages deployed resources.
• Cloud Broker – manages service use and performance between consumer and providers.
• Cloud Auditor – conducts independent security reviews and compliance checks.
• Cloud Carrier – network or service provider enabling connectivity.

7. Cloud Attack Surfaces and Threat Vectors

Primary Attack Surfaces

• APIs and management interfaces
• Hypervisors and virtual machines
• Storage systems and databases
• Cloud-based identity systems (IAM, SSO, OAuth)
• Misconfigurations and overly permissive access policies
• Insecure DevOps pipelines (CI/CD)
• Inter-tenant isolation and data leakage

Common Threats

1. Data breaches – theft from misconfigured buckets or APIs.
2. Insecure APIs – exposed endpoints or unvalidated inputs.
3. Misconfiguration – open S3 buckets, public VM ports, weak IAM policies.
4. Insider threats – abuse of privileged access or leaked credentials.
5. Account hijacking – stolen cloud credentials or tokens.
6. Insecure interfaces & weak authentication – reused passwords, poor MFA adoption.
7. Denial of Service (DoS) – resource exhaustion to impact availability.
8. Supply chain & dependency attacks – compromised SDKs, images, or containers.
9. Shadow IT – unapproved use of cloud apps without central governance.
10. Data loss & regulatory exposure – unencrypted or misplaced backups.

8. Common Cloud Vulnerabilities (and Why They Exist)

• Default configurations – public access enabled by default.
• Lack of encryption – unprotected data at rest or in transit.
• Improper key management – weak or exposed keys in code repositories.
• Unvalidated inputs in APIs – injection or privilege escalation.
• Multi-tenancy isolation flaws – hypervisor escape or shared cache leakage.
• Unsecured containers & orchestration tools – open Kubernetes dashboards, image poisoning.
• Weak identity controls – no MFA, excessive privileges, shared service accounts.
• Insufficient monitoring – cloud logs not centralized or reviewed.

9. Cloud Attack Techniques (Conceptual)

1. Reconnaissance

• Public resource enumeration (buckets, APIs, DNS, metadata endpoints).
• Exploiting misconfigurations for reconnaissance (open directories, leaked configs).

2. Credential and Token Theft

• API keys exposed in source code or CI/CD environments.
• OAuth token theft or JWT replay.

3. Exploiting Weak Configurations

• Unrestricted object storage permissions (read/write).
• Exposed cloud database ports (MongoDB, Elasticsearch).

4. Lateral Movement

• Compromise of one cloud service → pivot to others using shared credentials or roles.

5. Abuse of Cloud Resources

• Crypto-jacking using compromised VMs.
• DDoS amplification via cloud misconfigurations.

6. Privilege Escalation

• Misconfigured IAM roles enabling privilege chaining.
• Exploiting trust relationships across accounts.

7. Data Exfiltration

• Moving sensitive data to attacker-controlled storage buckets.

10. Cloud Security Controls (Defense-in-Depth)

A. Identity and Access Management (IAM)

• Enforce least privilege for users, roles, and services.
• Enable MFA for all accounts.
• Rotate keys regularly and avoid embedding secrets in code.
• Review IAM roles and trust relationships.

B. Network Security

• Use virtual private clouds (VPCs) with subnets and network ACLs.
• Apply security groups and firewall rules to restrict traffic.
• Segment environments (prod, dev, test) and disable unused endpoints.

C. Data Protection

• Encrypt data at rest and in transit (AES, TLS 1.2+).
• Use cloud-native key management systems (KMS).
• Manage data lifecycle and enforce deletion policies.

D. Logging and Monitoring

• Enable CloudTrail / Activity Logs for audit trails.
• Monitor for API abuse, failed logins, and privilege escalations.
• Integrate logs with a SIEM for continuous monitoring.

E. Vulnerability Management

• Regularly scan cloud workloads and containers.
• Patch virtual machines, container images, and libraries.
• Monitor vulnerability feeds from providers (AWS, Azure, GCP).

F. Configuration Management

• Use tools like Cloud Security Posture Management (CSPM).
• Continuously evaluate policies for compliance.
• Automate guardrails using IaC (Infrastructure-as-Code) templates with security scanning.

G. Incident Response in Cloud

• Define clear IR playbooks for cloud incidents.
• Automate detection and response (serverless triggers, alerts).
• Isolate compromised instances and rotate secrets immediately.

11. Virtualization and Hypervisor Security

• Hypervisor attacks target the layer managing VMs (e.g., VMware ESXi, Xen).
• VM Escape: Exploiting flaws to break isolation between guest and host.
• VM Sprawl: Excessive untracked VMs increasing attack surface.
• Secure hypervisors with regular patching, limited admin access, and network isolation.

12. Cloud Forensics and Legal Considerations

• Cloud forensics requires provider cooperation — data resides across multiple jurisdictions.
• Challenges: Lack of physical access, data volatility, multi-tenancy, time synchronization.
• Use provider audit logs, API histories, and access records for investigations.
• Understand compliance frameworks: GDPR, HIPAA, ISO 27017, SOC 2, PCI DSS.

13. Cloud Governance and Risk Management

• Implement a Cloud Security Governance Framework (CSGF):
  • Define policies for access, data protection, and compliance.
  • Classify data and define ownership.
  • Perform regular cloud audits and third-party risk assessments.
• Align with standards like NIST SP 500-291, CSA CCM, and ISO/IEC 27017.

14. Cloud Security Best Practices

• Design for Zero Trust — verify every request, inside and out.
• Use multi-region backups and disaster recovery strategies.
• Avoid hardcoded credentials; use secrets management services.
• Continuously train administrators and developers on secure cloud practices.
• Conduct periodic penetration testing under provider-approved scopes.

15. Emerging Trends and Challenges

• Serverless security: protecting function-based workloads (FaaS).
• Container security: hardening Kubernetes and image registries.
• AI/ML in cloud: securing training data, models, and APIs.
• Multi-cloud complexity: ensuring consistent policies across providers.
• Edge computing: extending cloud to IoT and industrial systems introduces hybrid risks.

16. Incident Response Flow for Cloud Environments (Conceptual)

1. Detection: Cloud logs, alerts, or anomaly monitoring.
2. Containment: Isolate affected resources (VMs, buckets).
3. Eradication: Remove malicious components or roles.
4. Recovery: Rebuild from trusted images or backups.
5. Post-Incident: Review configuration baselines, rotate credentials, and strengthen policies.

17. Exam Focus and Key Takeaways

• Understand cloud models (IaaS, PaaS, SaaS) and shared responsibility.
• Recognize common misconfigurations (public storage, weak IAM, exposed APIs).
• Identify key defensive controls (IAM, encryption, monitoring, segmentation).
• Be aware of cloud-specific attack methods (API abuse, privilege chaining, crypto-jacking).
• Know compliance and legal aspects unique to cloud forensics.

18. Memory Hooks

“CLOUD SAFE” mnemonic:

• C – Configure securely (no public exposure)
• L – Least privilege IAM
• O – Observe activity via logging
• U – Use encryption everywhere
• D – Detect anomalies with monitoring
• S – Secure APIs and keys
• A – Apply Zero Trust
• F – Forensics-ready logging
• E – Educate teams continuously

Module 20: Cryptography

1. Introduction to Cryptography

Definition:
Cryptography is the science of securing information by transforming it into an unreadable format to ensure confidentiality, integrity, authenticity, and non-repudiation.

It is derived from the Greek words:

• Kryptos → hidden
• Graphia → writing

Modern cryptography underpins secure communications, online transactions, digital signatures, and data protection.

2. Objectives of Cryptography (The CIAAN Model)

1. Confidentiality – Prevent unauthorized disclosure of information.
2. Integrity – Ensure data is not altered during transmission or storage.
3. Authentication – Verify the sender or source identity.
4. Authorization – Ensure the recipient has permission to access data.
5. Non-Repudiation – Prevent denial of a sent or received message.

3. Basic Cryptographic Concepts

Plaintext

Original, readable data or message before encryption.

Ciphertext

Encrypted output of plaintext after encryption.

Key

A secret value used to encrypt or decrypt information.

Algorithm (Cipher)

A mathematical process or formula used for encryption and decryption.

Keyspace

All possible key combinations an algorithm can produce — larger keyspace = stronger encryption.

Cryptanalysis

The art of breaking cryptography (finding weaknesses or discovering the key).

4. Types of Cryptography

A. Symmetric Key Cryptography (Secret Key)

• Uses one key for both encryption and decryption.
• Fast and suitable for large data sets.
• Key distribution and management are the biggest challenges.

Examples:

• DES (Data Encryption Standard)
• 3DES (Triple DES)
• AES (Advanced Encryption Standard)
• RC4, RC5, RC6
• Blowfish, Twofish

Advantages:

• Faster and efficient for bulk data.
  Disadvantages:
• Key exchange is insecure if transmitted openly.

B. Asymmetric Key Cryptography (Public Key)

• Uses two mathematically related keys:
  • Public key for encryption
  • Private key for decryption
• Slower but more secure and scalable.
• Solves the key distribution problem.

Examples:

• RSA (Rivest–Shamir–Adleman)
• ECC (Elliptic Curve Cryptography)
• Diffie–Hellman Key Exchange
• ElGamal

Use Cases:

• Digital signatures
• SSL/TLS communication
• Secure email (PGP, S/MIME)

C. Hash Functions (Message Digests)

• One-way mathematical functions — no decryption possible.
• Used to verify integrity.
• Input → fixed-length hash output.

Examples:

• MD5 (128-bit)
• SHA-1 (160-bit)
• SHA-2 (256/512-bit)
• SHA-3 (Keccak-based)
• RIPEMD-160

Key Concept:
Even a small change in input → drastically different hash (Avalanche effect).

5. Encryption Algorithms in Detail

1. DES (Data Encryption Standard)

• Block cipher (64-bit block, 56-bit key).
• Uses Feistel network with 16 rounds.
• Weakness: Brute-force susceptible — obsolete.

2. 3DES (Triple DES)

• Applies DES three times with 3 keys (168-bit).
• Stronger than DES but slower — legacy use.

3. AES (Advanced Encryption Standard)

• Symmetric block cipher replacing DES/3DES.
• Key sizes: 128, 192, or 256 bits.
• Operates on 128-bit blocks.
• Resistant to all known attacks — global standard.

AES Advantages:

• High speed and security.
• Hardware acceleration (AES-NI).

4. RC4

• Stream cipher using a key-stream generator.
• Once common in WEP and SSL but now deprecated due to vulnerabilities.

5. Blowfish / Twofish

• Fast, open-source block ciphers with variable key lengths (up to 448-bit).
• Common in VPNs and password encryption.

6. Asymmetric Algorithms

RSA (Rivest–Shamir–Adleman)

• Based on factoring large prime numbers.
• Key sizes: 1024, 2048, 4096 bits.
• Common in digital signatures, SSL/TLS, SSH.

ECC (Elliptic Curve Cryptography)

• Uses elliptic curve mathematics over finite fields.
• Offers stronger security with smaller keys (e.g., 256-bit ECC ≈ 3072-bit RSA).
• Ideal for mobile and IoT environments.

Diffie–Hellman (DH)

• First public key exchange algorithm.
• Allows secure key exchange over insecure channels.
• Vulnerable to Man-in-the-Middle (MITM) without authentication.

ElGamal

• Based on DH concept but slower.
• Used in PGP encryption and digital signatures.

7. Hashing Algorithms (Integrity Protection)

Algorithm Output Size Usage Status MD5 128-bit Checksums Broken SHA-1 160-bit Legacy digital signatures Broken SHA-2 256/512-bit TLS, SSL, IPSec Secure SHA-3 (Keccak) Variable Future standard Secure RIPEMD-160 160-bit European standard Secure

Purpose: Validate data integrity (e.g., verifying downloads, password storage).

8. Digital Signatures

Purpose:
Provide authentication, integrity, and non-repudiation.

Process:

1. Message hashed → message digest created.
2. Digest encrypted with sender’s private key → digital signature.
3. Receiver decrypts signature using sender’s public key → verifies hash match.

Standards:

• DSS (Digital Signature Standard)
• ECDSA (Elliptic Curve Digital Signature Algorithm)

9. Public Key Infrastructure (PKI)

Definition:

A framework managing digital certificates and encryption keys across users and devices.

Core Components:

• CA (Certificate Authority): Issues and manages certificates.
• RA (Registration Authority): Verifies identity before certificate issuance.
• CRL (Certificate Revocation List): Lists invalid or revoked certificates.
• OCSP (Online Certificate Status Protocol): Real-time certificate validity check.
• Digital Certificate: Contains public key, identity, and CA signature.

Lifecycle:

1. Certificate request → 2. Issuance → 3. Use → 4. Renewal/Revocation → 5. Expiration.

10. Steganography

• Technique of hiding data within other media, such as images, audio, or text.
• Used for covert communication or data exfiltration.
• Example: embedding malicious code or text inside a JPG file.

Detection:
Steganalysis tools identify abnormal patterns, file size anomalies, or altered headers.

11. Cryptographic Attacks

1. Brute-Force Attack

Trying every possible key combination — mitigated by large keyspaces.

2. Dictionary Attack

Uses precomputed wordlists to guess keys or passwords.

3. Rainbow Table Attack

Uses precomputed hash tables to crack hashed passwords — mitigated by salting.

4. Birthday Attack

Exploits hash collisions — affects weak hash functions like MD5 and SHA-1.

5. Replay Attack

Intercepts and reuses encrypted packets — prevented by timestamps and nonces.

6. Side-Channel Attack

Exploits physical implementation leaks (power, timing, EM radiation).

7. Chosen-Plaintext and Ciphertext Attacks

Attacker controls input/output pairs to deduce key — mitigated with strong algorithms.

8. Man-in-the-Middle (MITM)

Intercepts key exchange — countered by mutual authentication (certificates).

12. Cryptography in Real-World Security

A. SSL/TLS

• Protects HTTP communications (HTTPS).
• Uses asymmetric encryption for session key exchange, then symmetric for data.

B. VPNs

• Uses protocols like IPsec, SSL, L2TP, PPTP for secure tunnels.
• Relies heavily on symmetric encryption and key negotiation.

C. Email Encryption

• PGP (Pretty Good Privacy): Combines hashing, compression, and both symmetric/asymmetric encryption.
• S/MIME: Uses X.509 certificates for enterprise email encryption.

D. Disk Encryption

• Tools like BitLocker, VeraCrypt use AES to protect stored data.

E. Blockchain

• Uses hashing (SHA-256) and asymmetric keys for immutable transaction verification.

13. Cryptography Key Management

• Keys must be securely generated, distributed, stored, and destroyed.
• Use Hardware Security Modules (HSMs) for key storage.
• Rotate keys periodically and never hardcode them in code or scripts.
• Backup encryption keys securely (offline or encrypted vaults).

14. Legal and Ethical Considerations

• Use of encryption may be restricted or regulated by law (e.g., export controls).
• Ethical hackers must follow organizational policies and legal frameworks.
• Privacy regulations (GDPR, HIPAA) often mandate encryption for sensitive data.

15. Best Practices for Cryptographic Security

1. Always use current, standardized algorithms (AES, SHA-2, RSA 2048+).
2. Never develop custom encryption algorithms for production.
3. Implement end-to-end encryption for sensitive communications.
4. Apply perfect forward secrecy (PFS) to prevent key reuse.
5. Salt and hash passwords before storing them.
6. Use strong entropy sources for key generation.
7. Periodically audit and update certificates and cryptographic libraries.

16. Emerging Cryptography Trends

• Quantum-Resistant Algorithms (Post-Quantum Cryptography):
  Algorithms like CRYSTALS-Kyber and Dilithium counter quantum threats.
• Homomorphic Encryption:
  Allows computations on encrypted data without decryption.
• Zero-Knowledge Proofs (ZKP):
  Prove possession of information without revealing the data.
• Blockchain-based Cryptography:
  Enhances trust and immutability in decentralized systems.

17. Exam Focus Summary (Key Takeaways)

• Understand symmetric vs. asymmetric encryption thoroughly.
• Know AES, RSA, ECC, Diffie-Hellman, SHA functions by use and key size.
• Recognize PKI components and digital signature verification.
• Identify cryptographic attacks (brute force, MITM, rainbow table).
• Learn real-world use cases — VPNs, SSL/TLS, PGP, Disk Encryption.
• Remember cryptography objectives (CIAAN) and key management principles.

18. Memory Hook

“HIDE SAFE” mnemonic for crypto principles:

• H – Hash for integrity
• I – Identity verified via digital signature
• D – Data encrypted for confidentiality
• E – Exchange keys securely
• S – Salt hashes against rainbow tables
• A – Apply AES or RSA standards
• F – Forward secrecy for sessions
• E – Expire and rotate keys regularly