Competition continues after almost 11 million attempts fail

Oct 3, 2014 00:23 GMT

The Cloud Security Alliance (CSA) initiated a hacking challenge built around its approach to computer security, called Software Defined Perimeter (SDP), and the challenge remains undefeated after two weeks.

The organization is non-profit and its mission is to promote the use of best security practices in cloud computing.

SDP is a new concept developed by the organization as an open security standard, which combines technologies like Mutual TLS with DHE and the need-to-know access approach in order to defend the systems against network-based attacks, “by dynamically creating perimeter networks anywhere in the world—including in a cloud, on the DMZ, and in the data center.”

Hackers use different types of attacks to break SDP

During the hackathon, which started on September 18, individuals sent 2.9 billion packets originating from 104 countries attempting to breach SDP-protected servers.

Two weeks into the competition, CSA recorded almost 11 million attempts to break the first layer of the SDP, all resulting in failure.

Most of the attacks, coming from hackers all around the world, were denial-of-service attacks, but directed attacks against TCP port 443 and port scans have also been used.

The hackathon is scheduled to finish on October 16, but it could see an end sooner if someone manages to penetrate the protected file server. The prize for successfully reaching the asset is $10,000 / €7,900.

Participants are playing the role of an inside attacker, and as such, are offered details like the IP address of the target server and the SDP components that protect it.

Security system relies on need-to-know model

“We look forward to seeing hackers continue to brave this challenge,” said Junaid Islam, CTO of Vidder Inc. and co-chair of the CSA SDP Working Group. “The early results only reinforce SDP’s intrinsic ability to secure connectivity – one application at a time – anywhere in the world, including in a public cloud.”

SDP is initially deployed with zero visibility and connectivity, building a network to trusted applications dynamically, after authorized users and their devices have been authenticated.
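A simplified model of the behavior described above, added here as an illustration and not taken from CSA's specification or code: a gateway that drops everything by default and forwards traffic only for a source that a controller has authenticated, and only to the application that user and device are entitled to. The `Controller` and `Gateway` classes, the HMAC device proof, the rule lifetime, and all sample values are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: an enrolled (user, device) pair, its shared secret,
# and the only application it is entitled to reach (need-to-know).
ENROLLED = {("alice", "laptop-01"): (b"constructed-demo-secret", {"fileserver:443"})}


class Controller:
    """Authenticates a user AND their device before any connectivity exists."""

    def authenticate(self, user, device, nonce, proof):
        entry = ENROLLED.get((user, device))
        if entry is None:
            return set()
        secret, services = entry
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return services if hmac.compare_digest(expected, proof) else set()


class Gateway:
    """Default-drop gateway: no rule means no reply, so the service stays invisible."""

    def __init__(self, ttl=60):
        self.ttl = ttl
        self.rules = {}  # (src_ip, service) -> expiry time in seconds

    def grant(self, src_ip, services, now):
        for svc in services:
            self.rules[(src_ip, svc)] = now + self.ttl

    def handle(self, src_ip, service, now):
        expiry = self.rules.get((src_ip, service))
        if expiry is None or expiry <= now:
            self.rules.pop((src_ip, service), None)
            return "DROP"     # silent: scans and direct hits on 443 learn nothing
        return "FORWARD"      # mutual TLS would be layered on top; not modelled here


def demo():
    ctl, gw = Controller(), Gateway(ttl=60)
    results = [gw.handle("203.0.113.7", "fileserver:443", now=0)]        # before auth
    nonce = b"constructed-nonce"
    proof = hmac.new(b"constructed-demo-secret", nonce, hashlib.sha256).digest()
    gw.grant("203.0.113.7", ctl.authenticate("alice", "laptop-01", nonce, proof), now=0)
    results.append(gw.handle("203.0.113.7", "fileserver:443", now=1))    # authorised
    results.append(gw.handle("203.0.113.7", "database:5432", now=1))     # not entitled
    results.append(gw.handle("198.51.100.9", "fileserver:443", now=1))   # other source
    results.append(gw.handle("203.0.113.7", "fileserver:443", now=61))   # rule expired
    return results
```

In this model only the second request is forwarded; the unauthenticated source, the unentitled service, and the expired rule all see the same silent drop.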

The solution is intended for enterprises looking to protect Internet-facing assets such as cross-company collaboration tools and websites, and to secure hybrid cloud computing.

The new approach should prove to be appropriate for other purposes too, including protection of internal business-critical applications for non-employees and BYOD access.

The developers of SDP systems believe that they are a proper response to common network-based attacks like SQL injection, vulnerability exploits, man-in-the-middle, XSS, CSRF or pass-the-hash.