A hacker tricks a customer service representative at an online gaming company into giving him full access to 100 million customer accounts, along with the ability to change passwords and ban users. A misconfigured AWS S3 bucket exposes volumes of patient data from a West Coast network of drug treatment centers. Those are two common examples of the vulnerabilities that pose a threat to secure cloud computing. While cloud services are no more prone to security breaches than are on-premises environments, they have become popular targets of cybercriminals.
Verizon’s Data Breach Investigations Report noted that as companies have moved applications and data to the cloud, cyber-criminals have followed. Now that the COVID-19 pandemic has pushed the majority of office workers to home-based computers outside of corporate firewalls, there’s more reason for hackers to target the cloud.
The cloud offers many benefits, particularly in flexibility and productivity, but like all good things it also comes with risks. From my experience working in cloud security, I find it’s not usually the technology per se that’s to blame, but how end users and IT professionals use it. For example, cloud misconfigurations are the number one cause of cloud data breaches, according to the State of Cloud Security 2020 survey. It doesn’t take a clever hacker to steal data from an unsecured cloud server.
The biggest roadblocks to secure cloud computing
Besides misconfigured or unsecured resources, here are my votes for the biggest risks to cloud applications and data.
No matter what security technologies you put in place, human nature is often the weak link in those defenses. Here’s a common example: An employee receives a LinkedIn email with a funny picture, which actually harbors malicious code. The end-user assumes it’s from a work colleague and clicks on the .gif. The malware is activated and now the attacker has a foot inside your network. Email and social media are typically the easiest points of entry. It only takes a momentary lapse in judgement for an end-user to unleash malware. The objective is usually to plant command and control (C&C) code into your environment. C&C code “phones home” to the attacker’s C&C server and can provide the attacker with information about your systems, distribute malware or backdoors to other connected devices, download personally identifiable information (PII), or steal passwords and other credentials.
The only way to prevent social engineering exploits against employees is by educating them. They need to be able to recognize a phishing attempt, a malicious email, and the importance of never clicking on an attachment or link unless they’re positive it’s legitimate. End-user education is particularly important now that more people are working remotely. On a personal laptop over home Wi-Fi, it may not be possible to monitor user activities or stop them from making mistakes. Instead, you need to educate them on current threats and reinforce safe web browsing and email practices.
Zoom has become the conference platform of choice for many personal and company meetings. Unfortunately, the notoriety has also highlighted some of Zoom’s security vulnerabilities. Until recently, hackers could crash meetings uninvited, potentially spying on sensitive conversations. Likewise, unsecured recordings and transcriptions of Zoom meetings stored in the cloud could be accessed by unauthorized users. Zoom isn’t the only cloud-based messaging platform with security problems. WebEx, Skype, Teams, Slack, and others all have had potentially serious vulnerabilities.
However, now that so many business discussions are taking place on these platforms, with so much confidential information being shared, they’ve become a major target for hackers. Even healthcare professionals are using VoIP and video to consult with patients or collaborate with colleagues. A cybercriminal who successfully spies on a confidential conversation or steals a transcript gets potentially valuable data they can sell on the dark web.
Advanced persistent threat (APT)
This category of threat is on the rise and has the power to cause the greatest damage to a business or organization. Why? Because an APT is always sophisticated and difficult to detect, so it can take weeks or months to find. By that time, a business’s data may be all over the internet. An APT is advanced, meaning that the developer has had access to sophisticated tools, probably funded by a nation state or criminal group. It’s persistent, meaning the attacker has purpose and a target. It’s not a random attack. If you’re hit with an APT, it’s because you have something they want, like intellectual property, personally identifiable information or credit card data. Or they may want to damage or destroy your systems or data. The Stuxnet APT that damaged Iranian nuclear facilities was designed to damage programmable industrial control systems. Security firm Kaspersky predicts that APTs in 2020 will target sensitive personal information such as biometric data and focus on sophisticated social engineering using video and audio “deep fakes.”
How do you secure cloud computing in your organization?
What can you do to protect your organization from attacks and address these vulnerabilities?
First, always require passwords for all online meetings. Don’t accept meetings unless they’re password-protected, and don’t send passwords through chat in the same meeting. Identify all attendees within the meeting. Also, check that the platform you’re using encrypts your stored conversations, so if someone does siphon off your data, they get binary sludge they can’t use. Follow basic security best practices and you’ll be in a much better position.
Second, patch your applications and double-check security settings and configurations. Patching may sound basic, but you need to patch systems and applications as soon as you identify a security flaw, or as soon as your vendor alerts you. If you patch frequently, you can prevent many breaches. The faster you plug a hole, the lower the odds that a hacker will go through it.
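One concrete way to double-check a configuration is to review a bucket policy for the kind of anonymous-access statement behind the exposed S3 bucket mentioned at the top of this post. The checker below is an added example, not code from the original article or from TierPoint; the bucket policy, account id and VPC endpoint id are constructed, and the four flag names are those of the S3 Block Public Access setting.

```python
import json

# Constructed sample bucket policy (not from the article). The first statement
# grants anonymous read on every object, which is the classic exposure.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-patient-data/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-patient-data/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-patient-data/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal) -> bool:
    """True if a Principal element grants to everyone: '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy_json: str) -> list:
    """Report Allow statements usable by unauthenticated callers. A statement with
    a Condition is 'conditional' (a reviewer must confirm the condition really
    narrows access); one with no Condition is flatly 'public'."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({"sid": stmt.get("Sid", ""),
                         "actions": _as_list(stmt.get("Action", [])),
                         "severity": "conditional" if stmt.get("Condition") else "public"})
    return findings

def public_access_blocked(config: dict) -> bool:
    """True only when all four Block Public Access flags are on, which makes S3
    reject public ACLs and policies no matter what the policy document says."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(f) is True for f in flags)

if __name__ == "__main__":
    for f in public_statements(SAMPLE_POLICY):
        print(f"{f['severity']:<12} {f['sid']}: {f['actions']}")
```

Run it against the policy document and Block Public Access configuration you pull from each bucket; an empty findings list plus all four flags on is the state to aim for.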
Always stay on top of emerging threats so you can respond rapidly if one comes your way. I always encourage CISOs to sign up for alerts such as those from US-CERT and to be part of the security community so you hear about threats. There are threat intelligence feeds you can subscribe to. You don’t want to learn about a new ransomware attack on the evening news.
Finally, take the information you have and work with your team to create a response plan. If a zero-day threat is detected in the wild, your company needs to be nimble enough to get necessary controls and protections in place quickly.
Secure your cloud environment
Have you evaluated your cybersecurity strategy to account for these threats? Are you implementing best practices to educate your employees, instituting strong password policies, and building not just a strong security perimeter but defense-in-depth? We can help you. Contact us to learn more and build the right cybersecurity policy for your IT infrastructure.
Shawn Connelly is the Senior Director of Digital Forensics and Security Infrastructure at TierPoint.