Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Cloud Security Alliance Warns of the “Treacherous 12” Cloud Computing Threats

March 16, 2016

At the recent RSA Conference, the CSA (Cloud Security Alliance) listed the "Treacherous 12," the top 12 cloud computing threats organizations face in 2016. The CSA released the report to help both cloud customers and providers focus their defensive efforts.

As an InfoWorld article reported, the CSA warned that the on-demand nature of cloud computing introduces the possibility of new security breaches that can erase any gains made by the switch to cloud technology. Cloud services by nature enable users to bypass organization-wide security policies and set up their own accounts in the service of shadow IT projects. New controls must be put in place to enhance security. Here are the 12 top threats.

  1. Data breaches. Cloud environments face many of the same threats as traditional corporate networks, but due to the vast amount of data stored on cloud servers, providers become an attractive target. Cloud providers typically deploy security controls to protect their environments, but ultimately, organizations are responsible for protecting their own data in the cloud. The CSA has recommended organizations use multifactor authentication and encryption to protect against data breaches.
  2. Compromised credentials and broken authentication. Data breaches and other attacks frequently result from lax authentication, weak passwords, and poor key or certificate management. Organizations often struggle with identity management as they try to allocate permissions appropriate to the user's job role. More important, they sometimes forget to remove user access when a job function changes or a user leaves the organization. Multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards protect cloud services because they make it harder for attackers to log in with stolen passwords.
  3. Hacked interfaces and APIs. Practically every cloud service and application now offers APIs. IT teams use interfaces and APIs to manage and interact with cloud services, including those that offer cloud provisioning, management, orchestration, and monitoring. The security and availability of cloud services — from authentication and access control to encryption and activity monitoring — depend on the security of the API. APIs and interfaces tend to be the most exposed part of a system because they're usually accessible from the open Internet.
  4. Exploited system vulnerabilities. System vulnerabilities, or exploitable bugs in programs, are old news but they've become a bigger problem with the advent of multitenancy in cloud computing. Organizations share memory, databases, and other resources in close proximity to one another, creating new attack surfaces. Best practices to prevent a problem include regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats.
  5. Account hijacking. Phishing, fraud, and software exploits are still successful, and cloud services increase the threat because attackers can eavesdrop on activities, manipulate transactions, and modify data. Attackers may also be able to use the cloud application to launch other attacks. Organizations should prohibit the sharing of account credentials between users and services, as well as enable multifactor authentication schemes where available. Accounts, even service accounts, should be monitored so that every transaction can be traced to a human owner.
  6. Malicious insiders. This might be a current or former employee, a system administrator, a contractor, or a business partner. The goal might be anything from data theft to revenge. The CSA recommends that organizations control the encryption process and keys, segregate duties, and minimize the access given to users. Effective logging, monitoring, and auditing of administrator activities are also critical.
  7. The APT parasite. The CSA aptly calls advanced persistent threats (APTs) "parasitical" forms of attack. APTs infiltrate systems to establish a foothold, then stealthily exfiltrate data and intellectual property over an extended period of time. APTs typically move laterally through the network and blend in with normal traffic, making them difficult to detect. The major cloud providers apply advanced techniques to prevent APTs from infiltrating their infrastructure, but customers need to be as diligent in detecting APT compromises in cloud accounts as they would in on-premises systems. Common points of entry include spear phishing, direct attacks, USB drives preloaded with malware, and compromised third-party networks. In particular, the CSA recommends training users to recognize phishing techniques.
  8. Permanent data loss. Reports of permanent data loss due to provider error have become extremely rare. But malicious hackers have been known to permanently delete cloud data to harm businesses, and cloud data centers are as vulnerable to natural disasters as any facility. Cloud providers recommend distributing data and applications across multiple zones for added protection. Adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery. Daily data backup and off-site storage remain important with cloud environments. If a customer encrypts data before uploading it to the cloud, then that customer must be careful to protect the encryption key. Once the key is lost, so is the data.
  9. Inadequate diligence. Organizations that embrace the cloud without fully understanding the environment and its associated risks may encounter a "myriad of commercial, financial, technical, legal, and compliance risks," the CSA warned. Due diligence applies whether the organization is trying to migrate to the cloud or merging (or working) with another company in the cloud. For example, organizations that fail to scrutinize a contract may not be aware of the provider's liability in case of data loss or breach.
  10. Cloud service abuses. Cloud services can be commandeered to support nefarious activities, such as using cloud computing resources to break an encryption key in order to launch an attack. Other examples include launching DDoS attacks, sending spam and phishing emails, and hosting malicious content.
  11. DoS attacks. DoS attacks have gained prominence again thanks to cloud computing because they often affect availability. Systems may slow to a crawl or simply time out. "Experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock; there is one way to get to your destination and there is nothing you can do about it except sit and wait," the report said. Cloud providers tend to be better able to handle DoS attacks than their customers, the CSA said. The key is to have a plan to mitigate the attack before it occurs, so administrators have access to those resources when they need them.
  12. Shared technology, shared dangers. Vulnerabilities in shared technology pose a significant threat to cloud computing. Cloud service providers share infrastructure, platforms, and applications, and if a vulnerability arises in any of these layers, it affects everyone. "A single vulnerability or misconfiguration can lead to a compromise across an entire provider's cloud," the report said. The CSA recommended a defense-in-depth strategy, including multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the concept of least privilege, network segmentation, and patching shared resources.
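One way to act on items 2 and 5 above, as an added example that is not part of the CSA report or this post: a periodic access review in Python over a constructed HR roster, IAM snapshot and service-account ownership registry (all names, roles and permissions are assumed for illustration). It flags accounts of departed users, permissions beyond the job role, and service accounts whose actions cannot be traced to an active human owner.

```python
# Added example, not from the CSA report: all roster, policy and IAM data below is constructed.
# Constructed HR roster: who still works at the firm and in what job role.
HR_ROSTER = {
    "alice": {"active": True, "role": "finance"},
    "bob": {"active": False, "role": "engineering"},  # bob has left the firm
    "carol": {"active": True, "role": "paralegal"},
}
# Assumed policy: the permissions each job role is entitled to.
ROLE_POLICY = {
    "finance": {"finance-read", "finance-write"},
    "engineering": {"engineering-admin"},
    "paralegal": {"paralegal-read"},
}
# Constructed snapshot of cloud IAM grants (principal -> permissions).
IAM_GRANTS = {
    "alice": {"finance-read", "finance-write"},
    "bob": {"engineering-admin"},                  # access never removed
    "carol": {"paralegal-read", "finance-write"},  # drifted beyond her role
    "svc-backup": {"storage-write"},
    "svc-etl": {"db-read"},                        # no registered owner
}
# Constructed registry mapping each service account to a responsible human.
SERVICE_OWNERS = {"svc-backup": "alice"}


def accountable_human(principal, roster=HR_ROSTER, owners=SERVICE_OWNERS):
    """Return the active employee answerable for a principal's actions, or None."""
    human = principal if principal in roster else owners.get(principal)
    if human is not None and roster.get(human, {}).get("active"):
        return human
    return None


def review_grants(roster=HR_ROSTER, grants=IAM_GRANTS, owners=SERVICE_OWNERS,
                  policy=ROLE_POLICY):
    """Flag orphaned accounts, excess privilege and untraceable service accounts."""
    findings = []
    for principal, perms in grants.items():
        if principal in roster:
            if not roster[principal]["active"]:
                findings.append(("orphaned-account", principal, sorted(perms)))
                continue
            excess = perms - policy.get(roster[principal]["role"], set())
            if excess:
                findings.append(("excess-privilege", principal, sorted(excess)))
        elif accountable_human(principal, roster, owners) is None:
            findings.append(("untraceable-service-account", principal, sorted(perms)))
    return findings
```

Running `review_grants()` on the constructed data yields three findings: bob's orphaned account, carol's extra `finance-write` grant, and the ownerless `svc-etl` service account.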

A very long post, but there's a lot of meat to chew on here. These threats are why so many law firms are afraid of moving data to the cloud, though it is also true that many clouds protect data better than the law firms would themselves.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson