The Cloud is Getting Darker
Please attribute to Sherif El-Nabawi, Senior Director, Systems Engineering, Asia Pacific , Symantec
Bangkok, Thailand – December 6th, 2017 – We are living in a cloud generation powered by a fundamental shift in the way enterprises, employees and customers use technology. The traditional corporate security perimeter is being transformed by the dominance of hybrid IT infrastructure, growth in personally owned devices, ubiquitous high-speed internet and cloud-based computing platforms.
Now more than ever, cloud is playing an increasing role in organizations. This does not come as a surprise given the greater speed, the ability to scale and improved performance and productivity that cloud apps, such as Office 365, Google and Dropbox, bring. However, with cloud usage by both enterprises and consumers becoming mainstream, its appeal to attackers has naturally increased. Businesses need to ensure they’re guarded against the new forces of cybercrime.
While cloud attacks are still in their infancy, 2016 saw the first widespread outage of cloud services as a result of a denial of service (DoS) campaign, serving as a warning for how susceptible cloud services are to malicious attack. Widespread adoption of cloud applications in corporations, coupled with risky user behavior that the corporation may not even be aware of, is widening the scope for cloud-based attacks.
Overall the interest and awareness on risks of the cloud generation has gone up, but a lot more needs to be done on the policies and procedures around how users in an organization use cloud services. A lack of policies and procedures around how users in an organization use cloud services increases the risk of cloud app use. By the end of 2016, the average enterprise organization was using 928 cloud apps, up from 841 earlier in the year. However, most CIOs think their organizations only use around 30 or 40 cloud apps. What they do not realize is, the increased use of cloud services by organizations and their employees means that companies’ data governance is being eroded and they are susceptible to weaknesses that exist outside of their organization.
SMEs adopting cloud
Cyber criminals may see SMEs as easy targets because they often have weaker cyber security defenses as compared to larger enterprises. In 2016, 1 in 145 companies with 250 employees and below received malware. SMEs with limited budget spending on IT infrastructure do not have the capacity to build up their security requirements. To ensure cost-savings and efficiency, they often have less robust IT infrastructure, less manpower dedicated to upkeep cyber security solutions such as having the latest firmware. In some cases, SMEs even do away with cyber security practices entirely – believing that their small size would not make them attractive targets.
By shifting their infrastructure into the cloud, SMEs could enjoy the levels of agility and security to help stores their data akin to that of an enterprise environment. Of course, it is equally important that SMEs select the right cloud service provider, who can provide adequate security provision to ensure that their data is protected from basic vulnerabilities.
Enterprise customer are also moving to the cloud with the business objective of sharing information with their business partners, or to allow their employees to be more agile in their work. Rather than spawning an internet facing server and build a security stack around it, they subscribe to cloud services with a high level of security, and focus on their business objectives in a digital workspace environment.
Increased use of cloud services by organizations and their employees means that companies’ data governance is being eroded and they are susceptible to weaknesses that exist outside of their organization. This could be very serious. Symantec analysis found that 76 percent of websites contain vulnerabilities, nine percent of which are critical. This statistic is explored in more detail in the chapter on Web Attacks.
The Dyn attack, previously covered in the IoT section of this chapter, is an example of attackers targeting one organization, but affecting services provided by numerous enterprises, including Amazon Web Services, SoundCloud, Spotify, and GitHub. It underlined the risks businesses take when using cloud services.
A number of ransomware attacks against cloud-based services demonstrated the susceptibility of cloud-based data to cybercrime attacks. A recent high-profile case was when tens of thousands of MongoDB open source databases were hijacked and held for ransom. The incident occurred after older MongoDB databases were left open by users in a default configuration setting. While there was no inherent security vulnerability in MongoDB itself, and the company alerted users about this issue, numerous older implementations that hadn’t applied security best practices remained online, with more than 27,000 databases reportedly being hijacked. These attacks underlined the need for users to remain vigilant and ensure any open source software they are using is secure.
There was also a report in early 2016 from a California firm that ran its entire operation through a managed cloud solutions firm. After one of its employees opened a spam email, it found that no one in the company could access the more than 4,000 files it had stored in the cloud. The company had fallen victim to ransomware, specifically TeslaCrypt (Ransom.TeslaCrypt). Fortunately, the cloud provider kept daily backups, but it still took a week for the company’s files to be restored. This is just one example of the amount of disruption ransomware can cause to businesses.
IoT and cloud: Potential partners in cyber crime
The rush to bring any and all devices online has meant that security is often an afterthought. This was patently evident in the case of CloudPets, internet-connected teddy bears. Spiral Toys’ CloudPets are soft toys that allow children and their parents to exchange recorded messages over the internet. However, researcher Troy Hunt found that the company stored customer data in an unprotected MongoDB that was easy to discover online. This exposed more than 800,000 customer credentials, including emails and passwords, and more than 2 million recorded messages. Hunt said that even though the credentials were secured using secure hashing function bcrypt, a large number of the passwords were weak enough to make it possible to decrypt them.
This case illustrates how the combination of IoT and cloud can put customer data at risk. Many IoT devices gather personal data and rely on cloud services to store that data in online databases. If those databases are not adequately secured then customer privacy and security is being placed at risk.
Living off the land
Increased use of cloud services also helps facilitate a trend discussed elsewhere in this report of attackers opting to “live off the land” instead of developing their own attack infrastructure. Two of the most high-profile cases of 2016—the hacking of the Gmail account of Hillary Clinton’s campaign chief John Podesta, and the hacking of the World Anti-Doping Agency (WADA)— were facilitated through the use of cloud services. Attackers used social engineering to acquire the password for John Podesta’s Gmail. Additionally, the attackers reportedly used cloud services to exfiltrate the stolen data rather than build custom infrastructure for this purpose. Both of these high-profile cases are covered in depth in the Targeted Attacks chapter.
Cloud is attractive to attackers as, depending on how it is used and configured, it allows them to bypass local security; data stored on the cloud can be more easily accessible to attackers than data stored on local servers. Targeting cloud services also allows attackers to cause maximum disruption with relatively little effort—as seen with the Dyn DNS DDoS attack. As the usage of cloud services becomes increasingly common, it stands to reason that attacks on such services will also become more commonplace in the future.
Addressing cloud security through a holistic approach
Limiting employees to using secure, popular file-sharing apps like Office 365 and Box cannot fully mitigate risks to this data from employee misuse or account compromise by hackers. Enforcing smart cloud data governance practices, such as identifying, categorizing, and monitoring the use of all cloud data, is critical to prevent data loss. Additionally, following best practices that can be considered to stay guarded:
- Build a cloud security program aligned to both the organization’s business and security requirements.
- Reorient the organization to take a security-first approach in the cloud and regularly include users in continual process enhancement – leverage in application coaching where available.
- Extend sensitive data monitoring policies and workflows to cloud- based services by integrating on-prem and cloud-based DLP.
- Integrate a multi-factor authentication solution with the Cloud Applications and CASB to leverage device and behavior profiling to block risky login attempts.
Symantec’s cloud security lifecycle follows a series of repeatable steps that organizations can follow to drive awareness of the importance of security in the cloud with executive management and cloud users. By refining and repeating this process, organizations can begin to build this awareness. In addition, over time risky cloud usage will decrease due to better controls and deeper understanding of how users can safely use cloud apps and services.
- Identify. To identify cloud apps, uncover and classify cloud data; identify risky data, activities and users and plan cloud security strategy.
- Detect. Monitor for policy violations; detect anomalous user behavior that could indicate account compromise, data destruction r data ex filtration; Monitor/detect incidents, malware, and data loss.
- Protect. Block non-secure apps; define cloud policy; set risk thresholds, communicate policy and enforce policy.
- Respond. Quarantine data and user; encrypt and tokenize sensitive content; adjust login requirements when ThreatScore is elevated (MFA); Block downloading of sensitive content; Remediate risky exposures in file shares; take appropriate action with HR or legal as necessary.
- Recover. Investigate violations and exploits; Revise policy; educate users.’
Failure to ensure appropriate security protection when using cloud services could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing. To ensure success, organizations require a new model of integrated security which provides stronger protection, greater visibility and better control of critical assets, users, and data.
Addressing cloud security holistically creates operational efficiencies and allows CISOs to take full advantage of the cloud. This approach guarantees their critical information is secure and protected, giving them the peace of mind they need to lead their companies in the data-driven era.
Questions to consider when defining a cloud security strategy:
- How can I build a cloud Security Advisory Board? Do I need one?
- What are my riskiest cloud apps and services?
- What are the most critical data types in my organization?
- Who are my riskiest cloud users?
In today’s digital age, data is a critical asset. With the need for quick access to information from anywhere at users’ convenience, the vector of access to critical assets have since expanded. We now find sensitive data stored in cloud services, such as Dropbox and Office 365, and there has been a convergence of tools used for work as well as personal use. As a result, it is no longer sufficient to adopt a traditional approach of building a strong perimeter around data assets and relying Firewalls or Data Loss Prevention solution to confine sensitive data and activities employees to company-issued laptop or desktop.
While there is no silver bullet when it comes to cyber security, there are best practices that organization could adopt to drastically reduce the risk of exposure:
- People: Educating the users to look out for malicious activity and best practice to handling of sensitive data. Share with them the right way of using cloud application
- Processes: Challenging the IT and cyber security teams to always be ready for an attack. Having proper processes in places for users to easily and quickly report malicious activity. Adopt a framework approach (Such as NIST) to holistically review the organization strategy against threats.
- Technology: Adopt an integrated cyber security approach where technology integrates into business strategy. In the landscape today, it is no longer enough just to have a technology to address a singular cyber security problem. This is because security threats have evolved to multi-dimensional that could involve many factors such as Cloud, devices and apps. It is important to build an integrated platform or strategy, where security technology need to have telemetry between each other.