We are living in a cloud generation powered by a fundamental shift in the way enterprises, employees and customers use technology. The traditional corporate security perimeter is being transformed by the dominance of hybrid IT infrastructure, growth in personally owned devices, ubiquitous high-speed internet and cloud-based computing platforms.
Now more than ever, cloud is playing an increasing role in organisations. This does not come as a surprise given the greater speed, the ability to scale, and improved performance and productivity that cloud apps, such as Office 365, Google and Dropbox, bring. However, with cloud usage becoming mainstream, its appeal to attackers has naturally increased. Businesses need to ensure they’re guarded against the new forces of cybercrime.
While cloud attacks are still in their infancy, 2016 saw the first widespread outage of cloud services as a result of a denial of service (DoS) campaign. The DoS campaign served as a warning for how susceptible cloud services are to malicious attack. Widespread adoption of cloud applications in corporations, coupled with risky user behaviour, is widening the scope for cloud-based attacks.
Overall, interest in and awareness of the risks of the cloud generation have gone up, but a lot more needs to be done on the policies and procedures around how those in an organisation use cloud services. A lack of policies and procedures increases the risk of cloud app use. By the end of 2016, the average enterprise organisation was using 928 cloud apps, up from 841 earlier in the year. However, most CIOs think their organisations only use around 30 or 40 cloud apps. What they do not realise is that the increased use of cloud services by organisations and their employees means that companies’ data governance is being eroded, and they are susceptible to weaknesses that exist outside of their organisation.
Tokenisation of IT
The need for data security, compliance, and residency is also driving CISOs to look for encryption and/or tokenisation solutions to support their Software as a Service (SaaS) initiatives.
Despite such measures, security challenges remain. Cybercriminal groups are opportunistic in the way they operate, using flaws in legitimate operating systems, tools, and cloud services to compromise networks. To effectively counter such behaviours, CISOs require unparalleled visibility and control over sensitive content that users upload, store and share via the cloud. Rather than relying on one-off fixes and reactive patches to protect confidential information, successful CISOs are eradicating exploitable vulnerabilities by deploying proactive, end-to-end solutions.
SMEs adopting cloud
Cyber criminals may see SMEs as easy targets because they often have weaker cyber security defences than larger enterprises. In 2016, 1 in 145 companies with 250 employees or fewer received malware. SMEs with limited budgets for IT infrastructure do not have the capacity to build up their security requirements. To ensure cost-savings and efficiency, they often have less robust IT infrastructure, and less manpower dedicated to the upkeep of cyber security. In some cases, SMEs even do away with cyber security practices entirely, believing that their small size would make them unattractive targets.
By shifting their infrastructure into the cloud, SMEs could enjoy levels of agility and data storage security akin to those of an enterprise environment. Of course, it’s equally important that SMEs select the right cloud service provider, one that can offer adequate security provision to ensure that their data is protected from basic vulnerabilities.
Enterprise customers are also moving to the cloud with the objective of sharing information with their business partners, or to allow their employees to be more agile in their work. Rather than spawning an internet-facing server and building a security stack around it, they subscribe to highly secure cloud services, and focus on their business objectives in a digital workspace environment.
A number of ransomware attacks against cloud-based services demonstrated the susceptibility of cloud-based data to cybercrime attacks. In a recent high-profile case, tens of thousands of MongoDB open source databases were hijacked and held for ransom. The incident occurred after older MongoDB databases were left open by users in a default configuration setting. While there was no inherent security vulnerability in MongoDB itself, and the company alerted users about this issue, numerous older implementations that hadn’t applied security best practices remained online. More than 27,000 databases were reportedly hijacked. These attacks underlined the need for users to remain vigilant and ensure any open source software they are using is secure.
There was also a report in early 2016 from a California firm that ran its entire operation through a managed cloud solutions firm. After one of its employees opened a spam email, it found that no one in the company could access the more than 4,000 files it had stored in the cloud. The company had fallen victim to ransomware, specifically TeslaCrypt (Ransom.TeslaCrypt). Fortunately, the cloud provider kept daily backups, but it still took a week for the company’s files to be restored. This is just one example of the amount of disruption ransomware can cause to businesses.
IoT and cloud: Potential partners in cyber crime
The rush to bring any and all devices online has meant that security is often an afterthought. This was patently evident in the case of CloudPets, internet-connected teddy bears. Spiral Toys’ CloudPets are soft toys that allow children and their parents to exchange recorded messages over the internet. However, researcher Troy Hunt found that the company stored customer data in an unprotected MongoDB database that was easy to discover online. This exposed more than 800,000 customer credentials, including emails and passwords, and more than 2 million recorded messages. Hunt said that even though the credentials were secured using the secure hashing function bcrypt, a large number of the passwords were weak enough to make it possible to crack them.
This case illustrates how the combination of IoT and cloud can put customer data at risk. Many IoT devices gather personal data and rely on cloud services to store that data in online databases. If those databases are not adequately secured, then customer privacy and security are being placed at risk.
Living off the land
Increased use of cloud services also helps facilitate a trend in attackers opting to “live off the land” instead of developing their own attack infrastructure. Two of the most high-profile cases of 2016, the hacking of the Gmail account of Hillary Clinton’s campaign chief John Podesta and the hacking of the World Anti-Doping Agency (WADA), were facilitated through the use of cloud services. Attackers used social engineering to acquire the password for John Podesta’s Gmail. Additionally, the attackers reportedly used cloud services to exfiltrate the stolen data rather than build custom infrastructure for this purpose.
Cloud is attractive to attackers as, depending on how it is used and configured, it allows them to bypass local security; data stored on the cloud can be more easily accessible to attackers than data stored on local servers. Targeting cloud services also allows attackers to cause maximum disruption with relatively little effort, as seen with the Dyn DNS DDoS attack. As the usage of cloud services becomes increasingly common, it stands to reason that attacks on such services will also become more frequent in the future.
Addressing cloud security through a holistic approach
Limiting employees to using secure, popular file-sharing apps like Office 365 and Box cannot fully mitigate risks to this data from employee misuse or account compromise by hackers. Enforcing smart cloud data governance practices, such as identifying, categorising, and monitoring the use of all cloud data, is critical to prevent data loss. Additionally, following best practices to stay guarded:
Symantec’s cloud security lifecycle follows a series of repeatable steps that drive awareness of the importance of cloud security with executive management and cloud users. By refining and repeating this process, organisations can begin to build this awareness. Over time, risky cloud usage will decrease due to better controls and a deeper understanding of how users can safely use cloud apps and services.
Failure to ensure appropriate security protection when using cloud services could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing. Organisations require a new model of integrated security which provides stronger protection, greater visibility and better control of critical assets, users, and data.
Addressing cloud security holistically creates operational efficiencies and allows New Zealand CISOs to take full advantage of the cloud. This approach guarantees their critical information is secure and protected, giving them the peace of mind they need to lead their companies in the data-driven era.
Questions to consider when defining a cloud security strategy:
In today’s digital age, data is a critical asset. With the need for quick access to information from anywhere at users’ convenience, the vectors of access to critical assets have expanded. We now find sensitive data stored in cloud services, such as Dropbox and Office 365, and there has been a convergence of tools used for work as well as personal use. As a result, it is no longer sufficient to adopt a traditional approach of building a strong perimeter around data assets and relying on firewalls or Data Loss Prevention solutions to confine sensitive data and employees’ activities to company-issued laptops or desktops.
While there is no silver bullet when it comes to cyber security, there are best practices that organisations can adopt to drastically reduce the risk of exposure: