Attackers rarely start by attacking the component they are most interested in exploiting. If an attacker wants to steal customer information from your database, they are unlikely to attack the database first. They are far more likely to gain a foothold behind your firewall through a less-secure channel.
The two least-secure channels in enterprise systems are social engineering and known vulnerabilities. We will cover both while focusing on the latter.
Your systems are only as secure as their weakest link, and the weakest link in an organization is its people. It doesn’t take much to convince a well-meaning person to give up critical information, including sensitive details such as passwords. Most people are hardwired to be helpful, and attackers exploit this. Systems must defend not only against attackers on the outside but also against attackers on the inside—even when the person involved doesn’t know they are acting on an attacker’s behalf.
In fact, we should assume that attackers are already in our systems; this assumption is the cornerstone of the NSA’s defense-in-depth strategy.
There’s no such thing as “secure” any more. The most sophisticated adversaries are going to go unnoticed on our networks. We have to build our systems on the assumption that adversaries will get in.
Debora Plunkett, U.S. National Security Agency (NSA)
An attacker often uses strategic social engineering ...