CSA顶级云安全威胁网络安全英文版201760页

CLOUDSECURITYALLIANCETheTreacherous12-TopThreatstoCloudComputing+IndustryInsights©2017,CloudSecurityAlliance.Allrightreserved.1©2017CloudSecurityAlliance–AllRightsReservedAllrightsreserved.Youmaydownload,store,displayonyourcomputer,view,print,andlinktoTheTreacherous12-CloudComputingTopThreatsin2016at:(a)theReportmaybeusedsolelyforyourpersonal,informational,non-commercialuse;(b)theReportmaynotbemodifiedoralteredinanyway;(c)theReportmaynotberedistributed;and(d)thetrademark,copyrightorothernoticesmaynotberemoved.YoumayquoteportionsoftheReportaspermittedbytheFairUseprovisionsoftheUnitedStatesCopyrightAct,providedthatyouattributetheportionstoTheTreacherous12-CloudComputingTopThreatsin2016.ThepermanentandofficiallocationforCloudSecurityAllianceTopThreatsresearchis©2017,CloudSecurityAlliance.Allrightreserved.2Acknowledgments.................................................................................................................................................5ExecutiveSummary...............................................................................................................................................6Methodology.............................................................................................................................................................81.DataBreaches.............................................................................................................................................92.InsufficientIdentity,CredentialandAccessManagement.....................................................123.InsecureInterfacesandAPIs..............................................................................................................154.SystemVulnerabilities..........................................................................................................................175.AccountHijacking..................................................................................................................................196.MaliciousInsiders...................................................................................................................................217.AdvancedPersistentThreats...............................................................................................................238.DataLoss....................................................................................................................................................259.InsufficientDueDiligence...................................................................................................................2710.AbuseandNefariousUseofCloudServices..................................................................................3011.DenialofService.....................................................................................................................................3212.SharedTechnologyVulnerabilities...................................................................................................34ContentsCLOUDSECURITYALLIANCETheTreacherous12-TopThreatstoCloudComputing+IndustryInsights©2017,CloudSecurityAlliance.Allrightreserved.3Acknowledgments..............................................................................................................................................37ExecutiveSummary............................................................................................................................................38.Boxmismanagementofinvitelinks-DataBreaches..........................................................................................................................................39Yahoobreach-DataBreaches..........................................................................................................................................40LinkedInfailuretosaltpasswordswhenhashing-InsufficientIdentityCredentialAccessManagement..............................................................41Instagramabuseofaccountrecovery-InsufficientIdentityCredentialAccessManagement.............................................................42MongoDBMexicanvoterinformationleak-InsufficientIdentityCredentialAccessmanagement..............................................................43MongoDBunprotected,attackedbyransomware-InsufficientIdentityCredentialAccessManagement.............................................................44Moonpiginsecuremobileapplication-InsecureInterfaceandAPIs................................................................................................................45DirtyCowLinuxprivilegeescalationvulnerability-SystemVulnerabilities...............................................................................................................