Cloud crime is evolving. Your cloud security needs to evolve too

Taylor Armerding
6 min read · Dec 7, 2020
Photo by Sigmund on Unsplash

If you’re in business, the cloud is the place to be. It has been for some time — it was more than two years ago that Druva, a cloud data management and security company, reported that of 170 companies it surveyed, an overwhelming majority — 90% — said moving virtualized workloads to the cloud was either a reality or a near-term goal.

That’s both good and bad.

It’s good for reasons that are by now well-established. Cloud environments are generally scalable, reliable, and highly available. They make it easier to forecast ROI, and implementation costs are minimal. The cloud offers more effective disaster recovery, ease of management, and less expensive storage. It gives organizations the capability to do more with less downtime, allows remote employees access and the ability to work online, and reduces infrastructure overhead.

What’s not so good is that the cloud is also a dangerous place. Predictably, if the good guys are there, that’s where the bad guys want to be as well. Not that this is new either. Alcatel-Lucent’s Motive Security Labs (now part of Nokia), in a report on malware in 2014, showed that the cloud was increasingly a major target for cybercriminals.

And that threat has only increased since then. Cyber crime is evolving, as it always does, to take advantage of the same cloud services that attract legitimate businesses. Trend Micro reported last month that “the benefits of using cloud services and technologies are not just reaped by legitimate companies, but also by cybercriminals who keep up with the trend.”

The report said cybercriminals are increasingly selling access to “clouds of logs” — caches of stolen credentials and other data hosted on the cloud — calling it “a growing underground market.”

High-speed crime

“With the introduction of cloud-based services and technologies, criminals are equipped to steal, purchase and use data to conduct their attacks much faster when targeting organizations,” the researchers said.

That means that secondary attacks by buyers of stolen data, which once took weeks to launch, can now be launched in days, or even hours.

And the attacks expose more than just the users whose credentials were stolen. “Organizations that these users are part of are also placed at risk since criminals could reuse stolen credentials to subsequently enter organizations’ IT premises,” the report said.

Not to mention that the cloud is also a crowded place. Monika Chakraborty, security consultant at Synopsys, said the core of mitigating cloud risk is “data loss protection or data leakage prevention (DLP). In a public cloud, multitenant environment, DLP requires proper controls to ensure certain data are accessible by only authorized entities,” she said.

Chakraborty said an organization’s data are generally more secure when held on premises. But she said the reality is that “to do business, it is necessary to share information with outside third parties and also consume information provided by others.”

Boris Cipot, senior security engineer at Synopsys, isn’t surprised at the clouds-of-logs trend, since criminals have long taken advantage of cloud services.

“Cybercriminal groups have already seen that malware as a service is a profitable scheme,” he said. “Selling trojans or other types of malware and offering services to configure those tools to be used on different targets is an old model. Selling data collected on cloud instances for easier access, along with tools that let you find information you seek faster, is not surprising. It shows that cyber criminals are really intelligent and know how to look for different ways to increase their revenue.”

And he agrees that the clouds-of-logs model does put organizations at greater risk. “The risk has always been there,” he said, but noted that the tooling capabilities and services now being offered make it more attractive to criminals who might not have been interested before.

“More attackers may try to win the game, and the more attacks there are, the bigger the chance that more will succeed,” he said.

Custom crime

Especially when the massive amounts of data on offer can now be “sliced and diced” by criminals so they can take only what they think they can exploit most effectively. The sellers of the data make it convenient to do that by renting access to it at varying price ranges and providing tools to let customers find exactly what they want.

The data can include recorded keystrokes, authentication credentials to online portals, authenticated session attributes, personally identifiable information (PII) such as email addresses or domain names, browsing history, cookies, information about the victim environment that can be used to evade antifraud systems, scans of documents, tax reports, invoices, bank account payment details for things like credit cards, and more.

The attacks can range from ransomware to botnets, keyloggers, exploit kits, and more.

In other words, the amount and variety of data are huge, the threats are real, and they are expanding. So what should organizations do to keep from being an easy target?

In many cases, it comes down to what is often called “security hygiene.” Do the basics. Or as Cipot put it, “There is no magic ingredient that would solve this issue. There is just the paved road to good security practices.”

One of the basics is encryption of data, both at rest and in transit. “If confidential data are stolen in encrypted form without an encryption key available to decrypt it, then they are of no use,” Chakraborty said. “If data are in clear text, then definitely the risk is higher.”

Other security measures that should be mandatory include:

Strong multifactor authentication: “It should not be short message service (SMS)-based, but something like the Google Authenticator app,” Chakraborty said.

Indeed, SMS authentication has long been regarded as insecure, since it was designed and deployed decades ago when cybersecurity was in its infancy. According to multiple experts, SMS infrastructure often stores, transmits, and receives data in plain text and relies on phone numbers that are generally unsecured and easy to steal or spoof.

An app like Google Authenticator requires both a password and a code generated by the app on the phone.

Least privilege: A bank doesn’t give the keys to the vault to every employee. And organizations should do the same when it comes to digital valuables. Workers should only have access to what they need to do their jobs. That way, if they do get compromised, the whole company isn’t at risk.

“If normal users have access to your servers, then the attacker can attack those employees and abuse their user rights to get to the data,” Cipot said.

The same principle can apply to data. “I have seen organizations move sensitive data and applications selectively to the cloud,” Chakraborty said. “Only move to the cloud what others may need to use.”

Shared security: A reputable cloud provider will provide a secure environment, along with security software for organizations to use. But as the latest Building Security In Maturity Model (BSIMM) report put it, “cloud providers are 100% responsible for providing security software for organizations to use, but the organizations are 100% responsible for software security.”

In other words, “it’s the responsibility of application teams to configure their applications following best practices and in a secure manner,” Chakraborty said.

Configure, configure: Trend Micro recommends that organizations “establish, implement, and actively manage the security configuration of network infrastructure devices using a thorough configuration management and change control process.”

That way, if attackers try to change something, an organization is more likely to detect it and know, much sooner than later, that it has been breached.

Train your workers: Security awareness training, done regularly and correctly, can turn employees from liabilities to assets. Trend Micro notes that training can help workers “manage potential security threats that could come from downloading malicious apps, sharing passwords, using unsecured networks, and clicking on suspicious links, among others.”

Track your attack surface: Given that most people use multiple digital devices and dozens of apps, it’s important to know what they are and what kinds of access they allow, Cipot said.

“For example, are your employees’ smartwatches allowed to be on the same network as your data center? It might seem banal to look at such things but think of the software running on those devices and what kind of attack surface you get if all the devices are connected, from phones to cameras, smart locks to people counters,” he said.

“These are all assets you need to monitor and see if there are any loopholes in the form of vulnerabilities.”

None of these, even if you do them all, will make your organization bulletproof — nothing will. But they will make you a much tougher target, and most attackers are looking for easy targets.

Which means you will be much more likely to be able to enjoy the benefits of the cloud and avoid its liabilities.


Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.