(ISC)²'s bi-monthly e-newsletter, Cloud Security INSIGHTS, delivers timely, must-read original articles for the professional development of infosecurity practitioners focused on cloud security.
Issue: 2017 July
Malware in the Cloud 101
By Todd Clarke
Companies have underestimated the scope of cloud adoption by nearly 10 times. Its rapid rise has created a new effect: a “cloud attack fan-out.” With so many devices now connected to the cloud, the attack surface has increased. Sync and share activities have increased data velocity in the cloud, and the propensity for, and severity of, malware attacks have intensified.
For those working in cybersecurity, this is not breaking news. But with all the hype surrounding cloud security, how concerned should we be about malware aimed at public, private and hybrid clouds?
And, of course, there are ransomware, droppers and plenty of others.
Netskope reported that nearly 44 percent of malware in enterprise cloud apps delivered ransomware. More concerning, 56 percent of malware-infected files in cloud apps are shared with internal or external users, or even publicly.
Enterprise users allow access to files each day while doing their work, not thinking about the security implications downstream. This is how we currently work in the age of the cloud — and attackers exploit this.
Up to 77 percent of the cloud storage apps we use every day are not yet “enterprise ready.” It’s even worse for other types of cloud services. Cloud providers are often pressured to meet minimum security requirements to “get in the door” and start collecting revenue. Security is simply an “add on” as they further develop the product.
Easy to see how security holes develop, right?
We’ve created an ecosystem users love. But attackers love it more.
Sure, most cloud providers are quick to respond to incidents and emerging threats by removing malicious files and closing down accounts. But this becomes a scalability issue. There’s only so much a limited number of support staff and resources can do. Is more automation needed? Absolutely. But there is still more to do than we can currently handle.
The role of shadow IT
While many security professionals have been anti-shadow IT, most now see its prevalence as an opportunity to leverage employees to improve enterprise security.
- Shadow IT is at least 10 times the size of known cloud usage
- 72 percent of companies don’t know how prevalent shadow IT is in their own company
- The average organization uses 1,427 different cloud services and 57 different file sharing services
- The average employee uses 30 cloud services
- Only 8.1 percent of more than 17,500 cloud services used in enterprises meet strict data security and privacy requirements
- 80 percent of workers admit to using SaaS applications at work, approved or not
With cloud usage growing four times faster than IT staffing (at 27 percent annually, compared to 6.7 percent for IT), IT is not equipped to handle the shadow IT spike in use.
IT is no longer able to best manage the physical infrastructure of apps either. Yet, IT is still responsible for ensuring security and compliance for the corporate data that employees upload to the cloud.
Many IT shops block cloud apps, at least the ones they know about. The big hurt here: people will find, and use, other lesser-known, potentially riskier apps in their place. Ouch.
Consider these questions to help you plan for a more secure cloud services solution:
- Which services are your people using?
- What are the categories for those services (e.g., file sharing, social media, collaboration)?
- Which services are becoming popular and, thus, should be considered for enterprise-wide adoption?
- How effective are your firewalls and proxies at identifying cloud services and enforcing acceptable policies?
- Which redundant services should be eliminated?
- How can you quantify risks and compare to industry peers?
- What are the security capabilities for services storing sensitive data?
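The first, second, fourth and fifth questions above can be answered from data you already have: web proxy logs. The following script is an added example, not code from the article or from any vendor it mentions; it assumes a simple proxy log format of `timestamp user method url status` and uses a tiny hand-made service catalog in place of a real cloud service database. It builds a per-service user inventory, counts uploads to each service, flags categories with several competing services (candidates for consolidation) and lists domains the catalog does not recognize, which is exactly the "lesser-known, potentially riskier apps" the text warns about.

```python
"""Shadow-IT discovery from web proxy logs (added example, not from the article).

Assumptions: one request per line as "<timestamp> <user> <method> <url> <status>";
SERVICE_CATALOG is a placeholder, not a real vendor database.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical catalog: registered domain -> (service name, category).
SERVICE_CATALOG = {
    "dropbox.com": ("Dropbox", "file sharing"),
    "box.com": ("Box", "file sharing"),
    "wetransfer.com": ("WeTransfer", "file sharing"),
    "slack.com": ("Slack", "collaboration"),
    "twitter.com": ("Twitter", "social media"),
}

# Constructed sample proxy lines used for the demonstration.
SAMPLE_LOG = """\
2017-07-03T09:12:01Z alice GET https://www.dropbox.com/home 200
2017-07-03T09:12:05Z bob GET https://api.slack.com/messages 200
2017-07-03T09:13:44Z carol PUT https://app.box.com/upload/q3.xlsx 201
2017-07-03T09:14:10Z alice POST https://wetransfer.com/send 200
2017-07-03T09:15:30Z dave GET https://twitter.com/home 200
2017-07-03T09:16:02Z erin POST https://files.unknownsync.example/upload 200
2017-07-03T09:16:30Z alice GET https://www.dropbox.com/files 200
2017-07-03T09:17:00Z bob GET https://app.box.com/folder/7 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def registered_domain(host):
    """Collapse a hostname to its last two labels. Good enough for the demo;
    a production tool would consult the public suffix list instead."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Parse one proxy line into a record, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, user, method, url, _status = m.groups()
    host = urlparse(url).hostname or ""
    return {
        "user": user,
        "domain": registered_domain(host),
        # Uploads are the data-velocity signal the article is concerned with.
        "upload": method in ("POST", "PUT"),
    }


def inventory(log_text):
    """Answer the planning questions: who uses which service, how much data
    flows out, which categories are redundant, and which domains are unknown."""
    users_by_service = defaultdict(set)
    uploads_by_service = defaultdict(int)
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = SERVICE_CATALOG.get(rec["domain"])
        if entry is None:
            unknown[rec["domain"]].add(rec["user"])  # unsanctioned / unreviewed
            continue
        name, _category = entry
        users_by_service[name].add(rec["user"])
        if rec["upload"]:
            uploads_by_service[name] += 1
    by_category = defaultdict(list)
    for name, category in SERVICE_CATALOG.values():
        if name in users_by_service:
            by_category[category].append(name)
    redundant = {c: sorted(n) for c, n in by_category.items() if len(n) > 1}
    return {
        "users_by_service": {k: sorted(v) for k, v in users_by_service.items()},
        "uploads_by_service": dict(uploads_by_service),
        "redundant_categories": redundant,
        "unknown_domains": {k: sorted(v) for k, v in unknown.items()},
    }


if __name__ == "__main__":
    for section, value in inventory(SAMPLE_LOG).items():
        print(f"{section}: {value}")
```

On the constructed log this reports three file-sharing services in use at once (a consolidation candidate), uploads to Box and WeTransfer, and one domain nobody has reviewed. Run against real proxy exports, the "unknown_domains" list is the starting point for the catalog work the questions describe.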
The usual suspects
Ransomware: Ransomware is certainly a hot topic these days. It seems primed to continue to be the biggest malware player for a while. It took in a billion dollars in 2016. With that kind of payoff, you can bet there’ll be more of these cyber criminals getting into the game. Ransomware is a sophisticated piece of malware that blocks victims’ access to their files. The only way to regain access to the files is to pay a ransom. Encryptors block system files. Lockers lock victims out of the operating system, making it impossible to access their own desktop, apps and files.
This type of malware is most intrusive when it lives on servers and cloud-based file-sharing systems, accessing a business’s core. Businesses, financial institutions, government agencies, academic institutions, healthcare organizations and other types of organizations can and have been infected with ransomware. This destroys sensitive or proprietary information, disrupts daily operations and, of course, inflicts financial losses. Attackers aim at targeted files, databases, CAD files and financial data. Ransomware can also harm an organization’s reputation or, in the case of healthcare, harm lives.
It is easy to understand why this is such a lucrative business model for criminals.
Droppers: Droppers are a Trojan type of malware. Droppers gain a foothold on a computer by exploiting known vulnerabilities, then deliver a second-stage payload to inflict damage. They learn and adapt. You can think of a dropper as a malware package.
Email: Email is still a major attack vector used to target businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware and credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.
How do ransomware hackers collect? They use Bitcoin or another type of cryptocurrency. Bitcoin is a secured, distributed payment system. Most ransomware attackers display the amount of the fee in Bitcoins. Victims transfer the money from account A into account B, which anyone can see. But no one knows who owns those accounts or is conducting the traffic between those accounts. Bitcoin breaks the original payment into several parts, then sends them on to different accounts, using multiple transfers. This makes catching any attackers nearly impossible.
A decade ago, malicious hackers may have enjoyed creating corporate havoc, just for the fun of it. Today, it’s big business.
Andrew Hay, CTO at LEO Cyber Security, suggests information security professionals step back to look at their security program as a whole:
- Do you have coverage for the prominent data theft occurring these days?
- Do you have backups for critical systems?
- Can you restore those backups?
- Have you tested those backups?
In other words: Can you maintain business continuity in the face of an attack?
Often, only the most mature organizations have robust plans in place. Even then, many of those companies have allowed their plans to become stale. Now is the time to go through your policies, plans, procedures and guidelines to determine if you are measuring the right things for the success of your security programs. Perhaps it’s time to analyze and rewrite your cloud security plans?
Ben Eu, a partner within the infrastructure and endpoint security practice at IBM, places an emphasis on endpoints and a zero-trust architecture. More than ever, workers use laptops and other portable devices outside of the corporate network, so we need to better understand and optimize the data flow between these endpoints. Cyber threat modeling can help develop a list of the different types of attacks, learn how attackers gained access, then determine how to remove this threat type.
Heat maps also help. Use these to show areas having coverage (including multiple coverage) and areas with no coverage. Consider appropriate software apps to help cover any holes, or perhaps a new security stack altogether.
- Identify your sensitive data before investing in security controls. Once done, make the data classification useful … and simple.
- Map how your sensitive data flows across the network and between users.
- Architect your network to see how transactions flow and how users and applications access unsanctioned data. Identify areas to optimize, such as physical vs. virtual gateways, for example.
- Automate rules to enforce access control and limit access on a need-to-know basis.
- Continuously monitor to log and inspect all traffic for malicious activity and areas of improvement. Internal traffic should be held to the same standard as external traffic.
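The five steps above (classify, map, architect, automate need-to-know rules, monitor internal and external traffic alike) come together in a policy decision point. The script below is an added example written for this article, not IBM's or the author's code; the classification labels, the role clearances, the file paths and the sample requests are all made up for the demonstration. It encodes a data inventory from step 1, enforces both a clearance ceiling and a need-to-know business unit check from step 4, treats a request from the internal network exactly like one from outside (step 5), defaults to deny for anything not yet classified, and writes every decision to an audit log.

```python
"""Need-to-know access decisions with data classification and audit logging.
Added example; labels, roles, paths and requests are hypothetical."""
from dataclasses import dataclass

# Ordered classification levels (hypothetical labels, kept deliberately simple).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Hypothetical output of step 1: path -> (classification, owning business unit).
DATA_CLASSIFICATION = {
    "/share/marketing/brochure.pdf": ("public", "marketing"),
    "/share/finance/q3-forecast.xlsx": ("confidential", "finance"),
    "/share/hr/payroll.csv": ("restricted", "hr"),
}

# Hypothetical role clearance: role -> (highest level allowed, units it needs to know).
ROLE_CLEARANCE = {
    "marketing-analyst": ("internal", {"marketing"}),
    "finance-analyst": ("confidential", {"finance"}),
    "hr-admin": ("restricted", {"hr"}),
}


@dataclass
class Request:
    user: str
    role: str
    path: str
    source: str            # "internal" or "external"; both are judged the same way
    device_compliant: bool # endpoint posture, the signal Eu's zero-trust stance leans on


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG = []  # every decision, allow or deny, ends up here


def _decide(req):
    """Pure policy evaluation; no side effects."""
    entry = DATA_CLASSIFICATION.get(req.path)
    if entry is None:
        return Decision(False, "unclassified resource: default deny")
    level, owner_unit = entry
    # Network location is never a reason to skip the posture check.
    if not req.device_compliant:
        return Decision(False, "device not compliant (same rule for internal and external)")
    clearance = ROLE_CLEARANCE.get(req.role)
    if clearance is None:
        return Decision(False, f"unknown role {req.role}")
    max_level, units = clearance
    if LEVELS[level] > LEVELS[max_level]:
        return Decision(False, f"{level} exceeds role clearance {max_level}")
    if owner_unit not in units:
        return Decision(False, f"no need-to-know for {owner_unit} data")
    return Decision(True, "clearance and need-to-know satisfied")


def evaluate(req, log=None):
    """Decide and record. The log entry is identical for internal and external sources."""
    log = AUDIT_LOG if log is None else log
    decision = _decide(req)
    log.append({"user": req.user, "role": req.role, "path": req.path,
                "source": req.source, "allowed": decision.allowed,
                "reason": decision.reason})
    return decision


# Constructed requests covering each rule once.
SAMPLE_REQUESTS = [
    Request("hope", "hr-admin", "/share/hr/payroll.csv", "external", True),
    Request("fred", "finance-analyst", "/share/hr/payroll.csv", "internal", True),
    Request("mira", "marketing-analyst", "/share/finance/q3-forecast.xlsx", "internal", True),
    Request("hope", "hr-admin", "/share/finance/q3-forecast.xlsx", "internal", True),
    Request("fred", "finance-analyst", "/share/finance/q3-forecast.xlsx", "internal", False),
    Request("mira", "marketing-analyst", "/share/marketing/brochure.pdf", "external", True),
    Request("mira", "marketing-analyst", "/share/legacy/dump.sql", "internal", True),
]


def run_sample():
    """Evaluate the constructed requests into a fresh log; returns (decisions, log)."""
    log = []
    return [evaluate(r, log) for r in SAMPLE_REQUESTS], log


if __name__ == "__main__":
    decisions, log = run_sample()
    for entry in log:
        verdict = "ALLOW" if entry["allowed"] else "DENY "
        print(f"{verdict} {entry['user']:5} {entry['source']:8} {entry['path']}: {entry['reason']}")
```

Two design points are worth noting. The HR administrator is denied the finance forecast even though the restricted clearance outranks it, because clearance alone is not need-to-know; and the finance analyst on the internal network with a non-compliant laptop is denied exactly as an outside request would be, which is what holding internal traffic to the external standard means in practice. The audit log is the monitoring feed from step 5: denials clustered on one user or one path are the "areas of improvement" the article asks you to look for.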
Todd Clarke is a freelance writer based in Seattle, Wash. This is his first article for Cloud Security Insights.