Minimizing Exposures Associated with Free Cloud Services
By MATT GILLESPIE
Free and low-cost public cloud services such as email and storage drops have democratized IT disruption. One result is an extended attack surface, affecting companies large and small.
Verizon’s 2019 Data Breach Investigations Report finds that compromised cloud-based email accounts now comprise 60% of web application hacks. Likewise, improper configuration of cloud-based file storage is leading to massive data exposure, accounting for 21% of breaches caused by errors.
Dave Hylender, a senior risk analyst at Verizon, clarifies. “We’re not saying that companies should be wary of cloud-based services because of some inherent weakness; it’s more that as companies do adopt them, there is an opportunistic targeting response among attackers.”
Understanding what those risks are and how they are playing out is instrumental in formulating an effective response.
New vectors for credential weakness and theft
The hard-to-miss financial and efficiency advantages of public cloud-based services have led to dramatic rises in adoption by both individual users and entire businesses. Hylender notes that “a lot of cloud-based email services are packaged up with other applications or services. If the credentials are popped, the attacker gets access to those assets as well.”
Beyond the “one-door-to-many-rooms” aspect of that shared system of credentials, email is a treasure trove for bad actors in its own right. Employee email often contains massive amounts of non-public information, much of which is helpfully labeled “confidential.”
Perhaps more critical, illicit access to a legitimate email account is an excellent platform to mount lateral phishing and pretexting attacks. Contacting coworkers while posing as the compromised victim can simplify targeting specific sensitive data. Email is also the medium of choice for password resets, which can deliver a bonanza of unsanctioned resources.
Common targets attacked using stolen email credentials include databases, web apps, code repositories and domain controllers. A related set of concerns revolves around cloud-based file repositories, which can be adopted by any user who wants to, for whatever purpose they see fit. “We see a lot of cases where people set up a storage bucket in the cloud and brought it live without a username or password,” Hylender explains. “It’s just wide open for anyone to do a search and find it.”
Aside from that type of setup shortcoming, exposures from cloud email and storage services are generally associated with stolen credentials. “When you use these services, you can log on to them from almost anywhere, so if you’re on vacation, you can check your email using a public computer at the hotel,” Hylender says. “That’s obviously a great way for your credentials to get owned, but people do it all the time.”
Security adaptations to accommodate the new reality
Training and outreach to improve security hygiene among end users is the first requirement for improving data protections around cloud-based services. Building awareness of social engineering and fundamental mistakes such as reusing passwords, not securing a file share or entering credentials on public computers can go a long way.
At the same time, every IT group should create and enforce standards to require strong passwords for cloud-based services, prevent password reuse and require passwords to be changed on a regular basis. Encouraging the use of password managers can give credentials another layer of protection.
Hylender asserts that the most effective technology at our disposal is two-factor authentication, which should be employed everywhere possible. “Anything that’s customer-facing, any remote-access, cloud-based email—anything like that—you should always have two-factor authentication as a must.”
In addition to training users about how to recognize and avoid social attacks, security operations centers should bolster that user awareness with traffic monitoring measures. For example, detecting links and executables within email traffic can help provide early warning of a phishing attack.
The reality of most attacks on cloud services is that they are crude but effective. Many of the measures that need to be in place are mundane and familiar, such as good antivirus/antimalware software that is well maintained.
Hylender brings home this point: “I wish I could say something more glamorous, but at the end of the day, a huge percentage of these attacks are successful because they still work. They are simple, but basic security measures aren’t being consistently followed, and that’s why they work.”
Adoption of cloud services has brought familiar threats to the fore in a new presentation. As attackers consider their options for assault on these novel resources, security teams must mount a defense, and the means for doing so are already well established.
Matt Gillespie is a technology writer based in Chicago. He can be found at www.linkedin.com/in/mgillespie1.