Introducing Chris Parker, Cloud Security Consultant


In this edition of the Meet the ICS Expert series, we sit down with Chris Parker, a cloud security penetration testing consultant at Incursion Cyber Security (ICS), to look into his expertise in cloud security audits. Parker’s military background and focus on offensive cybersecurity position him to offer insights into cloud security audits, shedding light on common cloud security blind spots, the integration of AI technologies, and the tooling consultants at ICS deploy to ensure a robust approach is taken when testing cloud security measures. Join us as Chris shares his knowledge and expertise in helping businesses both small and large secure their cloud infrastructure environments.

“As I approached the end of my military service, cybersecurity wasn’t initially on my radar. With a background in communications, I was leaning towards roles in the telecommunications industry. However, everything changed when I attended an InfoSec event; the talks were interesting, which cemented my interest in the industry. That event led me to enrol in a course that provided offensive cybersecurity skills training, eventually earning me a CPSA certification and paving the way for a career transition into cyber. I began my journey with NCC Group through their consultancy program, starting as a junior consultant and gradually advancing to the role I currently hold with ICS.”

“Cloud penetration testing is like a traditional internal or external penetration testing environment, but with a focus on the cloud infrastructure rather than a physical location. The distinction lies in its execution within a data centre rather than an abstract entity. The specific type of hosting environment is determined by the cloud estate and customer IP ranges within it. Cloud configuration and build reviews are very much part of a cloud assessment. Cloud reviews are largely governed by the cloud vendor, like AWS, GCP or Azure. Generally, when doing a config review, you are looking to see if that cloud environment is configured to best practice standards.

However, in the cloud, it’s easy to make mistakes, and many people misconfigure their settings due to misunderstanding the shared responsibility model. This includes during simulated attacks, which are integral to penetration testing, where controls play a crucial role in configuration reviews.” 

“Cloud, Multi-Cloud, and Cloud-native (serverless environments) each bring unique security risks and challenges. Access management, access key rotation, and the secure storage of credentials, along with insufficient role-based access, are critical concerns. Insecure interfaces and API configurations further compound the risks. Misconfigurations, such as inadvertently exposing data in public repositories, pose significant threats, exacerbated by the complexities of managing change and maintaining visibility into exposures. 

Architecture complexities also heighten security vulnerabilities, especially when there’s a lack of understanding or strategy around secure architecture. Common errors like exposing information through remote desktop protocol add to the risks. The democratisation of IT, with users spinning up servers independently, often leads to configuration issues and code exposure in public repositories. Moreover, threat actors are leveraging AI/ML to automate and scale advanced cloud attacks, amplifying the risks across architectural complexities and multi-cloud environments.” 

“The common flaws I often see generally fall into one of the following five pillars: 

  • Failure to understand shared responsibilities: Many organizations mistakenly assume that cloud service providers handle all security aspects, resulting in confusion and gaps in security measures. This misconception can expose businesses to significant risks, including data breaches and compliance violations. 
  • Sprawl and Shadow IT: Employees frequently circumvent official channels to adopt unauthorized cloud services, leading to a lack of visibility and control over sensitive data. This can pose significant business risks, such as loss of intellectual property and regulatory non-compliance. 
  • Infrastructure as Code (IaC) misconfigurations: Errors in configuring cloud resources using IaC tools can create vulnerabilities, exposing data to unauthorized access. Such misconfigurations can have severe consequences for businesses, including data leaks and reputational damage. 
  • Rapidly changing cloud environments: Continuous updates and changes in cloud configurations pose challenges for businesses to maintain compliance and security requirements. Failure to keep pace with these changes can leave organizations vulnerable to cyber threats and regulatory fines. 
  • Inadequate Identity Access Management (IAM) policies: Poorly managed IAM policies often lead to unauthorised access to cloud resources, increasing the risk of data breaches and insider threats. This can result in significant financial losses and damage to the organisation’s reputation. 

Common issues such as insecure API configurations, inadequate access privileges, and failure to rotate keys are vulnerabilities I encounter quite a bit that can easily be mitigated by implementing the correct controls and configurations. It may surprise you to learn that some organisations still don’t have Multi Factor Authentication (MFA) in place, which is a really easy way to minimise the potential impact of a security breach.”

“In my view, while AI holds a great deal of potential, its effectiveness hinges on proper and continuous training. It’s a fantastic tool for businesses and security teams, provided there’s a commitment to ongoing refinement and continuous education. However, it’s important to recognise AI is just an assistant rather than a fully trained, ready-to-go resource. Its role is to complement a human cybersecurity consultant’s expertise rather than replace it entirely.”

“At Incursion Cyber Security, we employ a methodology grounded in industry best practices across our pen testing and broader cybersecurity services. Utilising tools like Scout Suite, Nessus, and Prowler, we conduct thorough cloud asset reviews while aligning with CIS security benchmarks to ensure the relevance and currency of our findings.

Moreover, for leading cloud platforms such as Azure, AWS, and GCP, we leverage their API tools via command-line interface for streamlined communication. Our assessments are guided by the CIS benchmark, minimizing false positives and reinforcing our commitment to delivering high-quality cybersecurity services tailored to our clients’ needs.” 

“Where businesses are not conducting regular penetration tests in their cloud environments and relying solely on their cloud vendors for security, my advice would be to shift their perspective on security. 

While cloud service providers are responsible for the security of the cloud infrastructure itself, including the data centres and physical environments, the business is solely responsible for the assets they have stored and operated within their cloud environment. It’s essential to recognise that the flexibility the cloud offers is only beneficial when configured securely. 

Many companies overlook the fact that cloud vendors do not manage or control what’s stored in their client’s cloud environments, nor are they responsible for who accesses it, or the day-to-day security measures. Therefore, it’s crucial to factor security into the management of cloud services as part of your overall cloud strategy.” 

“I discovered a publicly accessible cloud storage area containing sensitive client data, which could be easily accessed via a standard web browser due to misconfigured access rights. I notified the client immediately, emphasising the potential impact this type of regulatory data breach could have on their business operations. This incident is just one of many I’ve uncovered, reinforcing the critical importance of correctly configuring all cloud security controls. This also demonstrates the vital role of maintaining proactive client-tester communications and nurturing a strong client-tester partnership in mitigating risks and preserving trust.”

“As a cybersecurity consultant, I understand the significant impact budget constraints can have on cloud security strategies, particularly considering the concerning increase in cloud breaches. This disparity between priority and budget allocation highlights the critical need for boards to view cybersecurity budgets as business enablers rather than cost centres. My suggestion is to prioritise penetration testing as a cost-effective method to optimise resource allocation. By aligning strategic investments with evolving security standards and trends, organisations can enhance their cloud security posture within budget constraints.”  

“Consistently engage in learning by exploring platforms like Hack The Box to learn about various vulnerabilities. Utilise gamification to learn the basics of infrastructure, applications and cloud technologies to gain an understanding of the common vulnerabilities and basic testing practices. Cloud service providers also offer free training sometimes, for learning about cloud computing specific to their own brand platforms. 

Developing a solid understanding of both Windows and Linux systems is essential for success in cybersecurity and cloud penetration testing. Given the breadth of knowledge required in the field, consider focusing on a particular area of interest to become a specialist. Decide whether you prefer offensive or defensive roles within the industry and tailor your learning path from there.” 

At Incursion Cyber Security we offer a number of robust Cloud Infrastructure vulnerability assessments from security cleared, certified experts. Discover how a pen test can help you to maintain compliance and increase operational resilience.

What our clients say

Incursion are professional with their approach whether this be within the internal team or external stakeholders. They are responsive which makes the engagement flow really well throughout the project, communication is great; attending daily stand up call, responding to WhatsApp messages quickly as well as reaching out to the wider team if needed. The level of work produced is to a high standard and follows industry best practices, Incursion make sure they thoroughly cover everything on the agreed scope. This has led to us receiving further work from the customer and an extension in our engagement. Incursion have no issues with working collaboratively within a team which has really helped with working in an agile environment. Overall, Incursion are a pleasure to work with.

Chloe – Leonardo

Our audit was very useful – written in a non-technical manner, enabling us to understand cyber threats and also provided a series of recommendations for each one. Can’t recommend highly enough.