Cloud Computing Vulnerabilities and Threats
Cloud computing is the delivery of "on-demand computing resources; everything from applications to data centers — over the internet on a pay-for-use basis" (IBM, n.d.). It gives users access to applications over the internet rather than installing them on a local system. It also lets a firm be flexible about bandwidth and capacity, since it can scale up as demand requires, and it can be cost-effective: a firm may, for example, rent cloud storage instead of building its own data centers.
Cloud computing, however, carries vulnerabilities and threats that work against the confidentiality, integrity and availability of the information system. Some of these are listed below:
§ Data loss
§ Malicious insiders
§ Advanced persistent threats (APTs)
§ Abuse and nefarious use of cloud services
§ Denial of service (DoS)
§ Account hijacking
§ Insufficient identity, credential, and access management
§ Data breach
§ Insecure interfaces and APIs
Data Loss
Data loss is an event or process in which data is destroyed, corrupted, deleted or made unreadable, whether by an attacker or by accidental deletion or overwrite; it can affect data at rest or in transit. Countermeasures include encryption of data at rest and in transit, strong access control, and regular backups. Note that encryption protects the confidentiality of data on lost or stolen media but does nothing to bring back data that has been deleted or encrypted by ransomware; only backups kept separate from the primary copy and periodically restore-tested recover the data itself.
The probability of data loss in cloud computing is low, but when it does occur, recovering the data and the firm's reputation can cost a substantial sum. In June 2012 a severe storm knocked out power to part of Amazon Web Services' US-East region, and the resulting outage crippled the businesses hosted there for hours. Strictly, that was an availability outage rather than a loss of stored data, but it shows how dependent a firm becomes on the provider's resilience, and the downtime cost the affected firms revenue and reputation. A capable incident response team and a rehearsed incident response plan help during a data loss incident, and the firm should also have a Data Loss Prevention (DLP) system in place.
Malicious Insiders
A malicious insider may be a current or former employee, a contractor, or another business partner with authorized access to sensitive data, who uses that access for a nefarious purpose. In cloud computing the malicious insider is rated a high risk because a single authorized account may reach a much broader array of data than it could on a segmented on-premises network. Firms hire and downsize frequently, and careless offboarding can leave a terminated employee with working access to the organization's information system.

The insider may equally be a disgruntled current employee seeking retribution against management, and such activity can go on for a long time without detection. Edward Snowden, for instance, was a contractor working inside the NSA and removed a large volume of top secret material before anyone detected it. Because the damage a malicious insider can inflict is enormous, several defenses should be layered: multi-factor authentication, auditing of user access, and monitoring of activity logs; prompt removal of all access from ex-employees, including account access, keys and ID badges; and limited privileges for contractors. Snowden's actions cost his employer reputational damage and cost its customer as well.
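The auditing and monitoring controls named above only work if someone actually runs checks over the logs. The following is an added example (not code from the original post) of the kind of insider-risk review a security team would script: it reads a constructed access log and a constructed HR roster, and flags access by an account that should have been disabled at termination, downloads outside business hours, and unusually large daily egress. The log format, roster and thresholds are assumptions made for illustration.

```python
"""Insider-risk review of cloud storage access logs.

Added example, not code from the original post. The log format, the HR
roster and the thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<UTC timestamp> <user> <action> <object> <bytes>"
SAMPLE_LOG = """\
2018-03-01T09:12:04Z alice GET s3://corp-hr/payroll-2018.csv 20480
2018-03-01T09:30:41Z bob GET s3://corp-eng/design-v3.pdf 1048576
2018-03-01T23:05:17Z bob GET s3://corp-eng/design-v4.pdf 734003200
2018-03-01T23:06:02Z bob GET s3://corp-eng/roadmap.xlsx 524288000
2018-03-02T10:00:00Z carol LIST s3://corp-eng/ 0
2018-03-03T08:45:12Z dave GET s3://corp-hr/payroll-2018.csv 20480
"""

# Constructed HR roster: user -> termination date, or None if still employed.
# "dave" left on 28 Feb but his account was never disabled.
ROSTER = {
    "alice": None,
    "bob": None,
    "carol": None,
    "dave": datetime(2018, 2, 28),
}

BULK_BYTES = 500 * 1024 * 1024  # per-user, per-day egress that warrants review
OFF_HOURS = (22, 6)             # downloads between 22:00 and 06:00 are unusual here


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "object": obj,
            "bytes": int(nbytes),
        })
    return events


def is_off_hours(ts, window=OFF_HOURS):
    start, end = window
    return ts.hour >= start or ts.hour < end


def review(events, roster, bulk_bytes=BULK_BYTES):
    """Return (kind, user, timestamp) findings for an analyst to triage.

    Checks: access by an account missing from HR, access by a terminated
    user after their termination date, downloads outside business hours,
    and daily egress above the bulk threshold.
    """
    findings = []
    egress = defaultdict(int)
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if user not in roster:
            findings.append(("unknown-user", user, ts))
        elif roster[user] is not None and ts >= roster[user]:
            findings.append(("terminated-user-access", user, ts))
        if ev["bytes"] > 0 and is_off_hours(ts):
            findings.append(("off-hours-download", user, ts))
        egress[(user, ts.date())] += ev["bytes"]
    for (user, day), total in sorted(egress.items()):
        if total > bulk_bytes:
            findings.append(("bulk-egress", user, datetime(day.year, day.month, day.day)))
    return findings


if __name__ == "__main__":
    for kind, user, ts in review(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{ts:%Y-%m-%d %H:%M} {kind:24} {user}")
```

On the sample, the review flags dave's post-termination read of the payroll file, bob's two late-night downloads and bob's bulk egress for 1 March; alice and carol generate nothing. The thresholds would be tuned per environment, and the roster feed is the control that matters most: without an authoritative list of who is still employed, the terminated-user check cannot run at all.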
Advanced Persistent Threats (APTs)
An APT is an attack in which the attacker gains access to the cloud environment and remains undetected for an extended period. Its primary mission is to steal data, and its focus is high-value organizational data. The attacker typically gains entry through email, a malicious file or attachment, or a network-facing weakness, then probes the network for additional access and establishes persistent footholds so that the intrusion survives the loss of any single one. Once reliable access is established, the attacker monitors the network for sensitive data and exfiltrates it.

This type of attack is considered high-risk but uncommon. A famous example is Titan Rain, a campaign that began in 2003 against US defense contractors and government agencies. What was notable about it was "the use of multiple attack vectors (channels of attack), which combined well-researched social engineering attacks on specific, targeted individuals with stealthy Trojan horse attacks using malware techniques that were calculated to bypass contemporary security countermeasures" (ITBusinessedge.com, n.d.). A good defense includes defense-in-depth practices, multi-factor authentication, network segmentation, monitoring for lateral movement and unusual outbound traffic, and strong encryption of sensitive data at rest and in transit.
Abuse and Nefarious Use of Cloud Services
The same advantage that lets a firm rent only the cloud capacity it needs, or conduct business remotely over a cloud network, also lets an attacker launch attacks from the cloud. It is cheap to rent capacity from a Cloud Service Provider (CSP) and use its bandwidth and CPU power to launch attacks against other cloud services or against targets on the internet.

Additionally, many CSPs offer free trial periods. An attacker can sign up for trials in bulk, white-label them and resell them to other users, or use the trial capacity directly for attacks. Other customers are affected when the abused capacity slows the shared service down. Cloud consoles are also exposed to phishing because they are reachable from anywhere on the internet. To mitigate such abuse, the firm must ensure that multi-factor authentication is in place, create an effective Acceptable Use Policy (AUP), and deploy firewalls and IDS/IPS.
Denial of Service (DoS)
Denial of service is an attack on the network infrastructure of the firm that targets the availability of the information system by preventing legitimate users from using the network. It occurs when an attacker sends more requests to a system than it can handle, causing downtime. "One common attack technique used by a number of freely available DDoS toolkits involves using fragmented IP packets with a fixed payload" (Rains T., 2014).

In March 2018 the city of Atlanta's systems were infected with ransomware, which kept valid customers off the platform for days. The city issued a statement that it was "currently experiencing outages on various internal and customer-facing applications, including some applications that customers use to pay bills or access court-related information" (Robinson, T. 2018). Strictly, ransomware is not a denial-of-service attack: it denies availability by encrypting data rather than by flooding a service, so it is cited here for its effect rather than its mechanism. Up-to-date antivirus and a perimeter firewall address malware-driven outages of that kind; a flood-based DoS or DDoS additionally needs rate limiting at the application layer, spare capacity to absorb bursts, and upstream filtering from the CSP or a scrubbing service.
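Application-layer rate limiting, the first of those additional controls, is usually implemented as a token bucket per client. The following is an added example (not code from the original post or from Rains) that keeps one bucket per client key and runs a constructed ten-second traffic mix through it: a well-behaved client at 5 requests per second and a flooding source at 1000 per second. The rate, burst size and traffic figures are assumptions chosen for illustration.

```python
"""Per-client token-bucket rate limiting against request floods.

Added example, not code from the original post. Rates, burst sizes and the
traffic mix are assumptions chosen for illustration.
"""
from collections import Counter


class TokenBucket:
    """Allow `rate` requests per second on average with bursts up to `burst`."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.last = now

    def allow(self, now, cost=1.0):
        # Refill proportionally to elapsed time, never beyond capacity.
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerClientLimiter:
    """One bucket per client key (source IP, API key, tenant id, ...)."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, client, now):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def simulate(requests, rate=10, burst=20):
    """requests: iterable of (time_seconds, client). Returns (served, dropped) Counters."""
    limiter = PerClientLimiter(rate, burst)
    served, dropped = Counter(), Counter()
    for t, client in sorted(requests, key=lambda r: r[0]):
        if limiter.allow(client, t):
            served[client] += 1
        else:
            dropped[client] += 1
    return served, dropped


def constructed_traffic():
    """Constructed 10-second mix: one client at 5 req/s, one flood at 1000 req/s."""
    legit = [(i * 0.2, "legit") for i in range(50)]
    flood = [(i * 0.001, "attacker") for i in range(10000)]
    return legit + flood


if __name__ == "__main__":
    served, dropped = simulate(constructed_traffic())
    for client in ("legit", "attacker"):
        print(f"{client:9} served={served[client]:5} dropped={dropped[client]:5}")
```

With a limit of 10 requests per second and a burst of 20, every one of the legitimate client's 50 requests is served, while the flood gets roughly the burst allowance plus ten per second (about 120 of 10,000) and the rest is dropped before it reaches the application. The caveat is the one stated above: this protects the application from a single abusive source, but a volumetric DDoS that saturates the link has to be absorbed or filtered upstream, because dropping packets at the host still costs the bandwidth to receive them.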
Account Hijacking
Cloud account hijacking is the takeover of an individual's or an organization's account by an attacker. It is closely related to identity theft: the attacker may assume the identity of the account owner or use the account to carry out malicious acts against the firm or against other individuals. In this attack the attacker uses the victim's compromised email identity or credentials to impersonate the account owner, and the hijacked account can then be used to open a bank account, request sensitive information, or create further accounts. A familiar example is spam sent from a victim's email address and claiming to be from the victim.

An acceptable use policy can tell users what protections their accounts need in order to be secure. An effective security awareness campaign teaches users to safeguard their passwords; setting a standard for password length and complexity, installing anti-spam filtering on the email server, and using strong encryption all help protect the cloud system from account hijackers. Multi-factor authentication is the most effective single control here, since a stolen password alone no longer suffices to take over the account.
Insufficient Identity, Credential, and Access Management
A cloud system is susceptible to attackers posing as legitimate users, administrators, or developers in order to modify, delete, or read sensitive data. Weak identity management lets an attacker breach the organization's data: weak passwords, the absence of cryptographic keys, certificates or other second factors to confirm the identity of a user, and poor protection of the private keys and secrets that do exist. Private keys must be properly secured, and key management must cover rotation and revocation, not just storage.

Multifactor authentication such as smart cards or phone-based authentication, which many mobile applications require to verify a user's identity, makes a stolen password insufficient on its own. Combined with individually assigned accounts and audit logs it upholds one of the security tenets, accountability: each action can be attributed to a specific user. (Strict nonrepudiation, which this tenet is sometimes called, additionally requires digital signatures.) In a corporate setting, insufficient access management can lead to unauthorized access to customer information, with serious consequences in the healthcare industry when an unauthorized actor reaches patient information.
Data Breach
There have been substantial breaches of cloud systems in recent years; the likelihood of a data breach has risen and breaches are becoming costlier. Although it is cost-effective for a firm to move its data to the cloud to minimize infrastructure cost, the strategy comes with risks, among them the data owner's loss of direct control over the data. A data breach is an incident in which data is viewed, accessed or retrieved by an unauthorized user or application. The actor could be an employee, a contractor or an outside attacker, and the result can be lost revenue and services and a loss of face with customers.

Equifax recently reported a data breach that affected the personal information of about 143 million US consumers, including Social Security numbers, birth dates, and addresses. Although most data centers deploy their security proactively, cloud systems remain vulnerable to breaches, and a firm's cybersecurity team can put countermeasures in place to mitigate them. Reports show that data breaches are on the rise and that most firms are reactive about cloud security rather than proactive. The breach that affected Tesla shows how the problem typically arises: attackers penetrated Tesla's Kubernetes console, which was not password protected, and this "led to the exposure of the company's Amazon S3 cloud account, which contained sensitive data including the Tesla vehicle telemetry" (Rash, W., 2018).

To mitigate data breaches, a firm must ensure that all sensitive data is encrypted with strong encryption, embrace key management best practices, and keep its keys under its own control rather than leaving them solely with the provider. The firm must also draft security policies that comply with regulations such as PCI-DSS, FFIEC, and FISMA, monitor user activity, and audit activity logs regularly. The Tesla case adds two basics: every management console must require authentication, and credentials must never be left in containers, pods or source code where anyone who reaches the console can read them.
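Being proactive rather than reactive, as the paragraph above urges, means checking storage configuration before an attacker does. The following is an added example (not code from the original post, from Tesla or from RedLock) of a small check over S3 bucket policies: it flags any Allow statement that a wildcard principal can use without a condition that narrows the caller population, and notes whether the grant includes write access. The two policy documents are constructed (the account id is the AWS documentation placeholder), and the set of condition keys treated as narrowing is an assumption of this example.

```python
"""Flag bucket policy statements that grant access to anyone on the internet.

Added example, not code from the original post. The two policy documents are
constructed (the account id is the AWS documentation placeholder); the set of
condition keys treated as narrowing the audience is an assumption.
"""
import json

# Condition keys that restrict *who* can call, as opposed to *how*
# (aws:SecureTransport, for instance, only requires TLS and still allows the world).
NARROWING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalorgid",
    "aws:principalarn", "aws:principalaccount", "aws:sourcearn",
}
WRITE_PREFIXES = ("s3:put", "s3:delete", "s3:abortmultipartupload", "s3:restoreobject")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (including lists containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def condition_narrows(condition):
    """True if a positive-match condition limits the caller population."""
    for operator, clauses in (condition or {}).items():
        if "not" in operator.lower():  # StringNotEquals etc. exclude; they do not narrow
            continue
        if any(key.lower() in NARROWING_KEYS for key in clauses):
            return True
    return False


def find_public_statements(policy_doc):
    """Return the Allow statements usable by a wildcard principal without narrowing."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for index, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
            continue
        if condition_narrows(st.get("Condition")):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        findings.append({
            "index": index,
            "sid": st.get("Sid"),
            "actions": actions,
            "resources": _as_list(st.get("Resource")),
            "allows_write": any(a == "s3:*" or a.startswith(WRITE_PREFIXES) for a in actions),
        })
    return findings


# Constructed: the kind of policy that exposes a telemetry bucket to everyone.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::vehicle-telemetry", "arn:aws:s3:::vehicle-telemetry/*"],
    }],
})

# Constructed: same bucket limited to one role plus callers inside one VPC endpoint,
# with a Deny that forces TLS (a Deny never counts as public exposure).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReaderRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/telemetry-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vehicle-telemetry/*"},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vehicle-telemetry/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::vehicle-telemetry/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    print("exposed:", [f["sid"] for f in find_public_statements(EXPOSED_POLICY)])
    print("hardened:", [f["sid"] for f in find_public_statements(HARDENED_POLICY)])
```

The exposed policy produces one finding (PublicRead, read-only); the hardened policy produces none, because the wildcard statement there is narrowed to a VPC endpoint and the remaining wildcard is a Deny. A bucket policy is only one of several access paths, so a real review must also cover object ACLs, the account's block-public-access settings and IAM policies, which is what the provider's access-analysis tooling does; the point of the example is that "who can reach this data" is a question a script can ask every day, rather than one answered by an outside researcher's report.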
Insecure Interfaces and APIs
Application user interfaces and APIs are what cloud service providers use to bridge the cloud network and a user's workstation: they let customers manage, interact with, and access information on the cloud network. "Cloud computing providers expose a set of software user interfaces (UIs) or application programming interfaces (APIs) that customers use to manage and interact with cloud services" (Instasafe, 2017). The security of the whole service therefore depends on the security of these interfaces, and cloud services must harden them against untrusted connections to their information infrastructure.

Such hardening includes strong encryption, access control, and authentication of users to guard against circumvention of security policies. A case study is the Moonpig breach, which led the firm to shut down its mobile application. A developer found that the application authenticated to the API with a single static set of credentials regardless of which customer was using it; the only per-customer element was the customer identifier in the request URL, so changing that identifier returned another customer's personal information (Constantin, L., 2015). This hole, an insecure direct object reference, let an attacker escalate from one account to any customer's data. Authenticating each user and then checking that the authenticated user is authorized for the specific record requested mitigates this threat, and encryption in transit keeps the data from being sent in plain text.
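The Moonpig pattern and its fix are easiest to see side by side. The following is an added example (not Moonpig's code or code from the original post) with two versions of the same "get customer" endpoint: the vulnerable one authenticates the app with a static credential and trusts the customer id in the URL, while the hardened one issues a signed per-user session token at login and refuses to serve any record that does not belong to the token's subject. The customer records, account passwords, static app credential and token format are all constructed for illustration.

```python
"""Static API credential plus caller-chosen customer id (the Moonpig pattern)
beside an API that binds each request to the authenticated customer.

Added example, not Moonpig's code or the original post's. Customer records,
account passwords, the static app credential and the token format are all
constructed for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed data store. Real systems store password hashes, never plaintext.
CUSTOMERS = {
    1001: {"name": "Alice Example", "address": "1 Sample St", "card_last4": "4242"},
    1002: {"name": "Mallory Example", "address": "2 Sample St", "card_last4": "0005"},
}
ACCOUNTS = {"alice": ("alice-pw", 1001), "mallory": ("mallory-pw", 1002)}

# The mobile app shipped with one credential used for every customer's requests.
STATIC_APP_CREDENTIAL = ("moonpig-app", "static-app-secret")


def basic_auth_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def _decode_basic(header):
    try:
        scheme, b64 = header.split(" ", 1)
        user, pw = base64.b64decode(b64).decode().split(":", 1)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return (user, pw) if scheme == "Basic" else None


def vulnerable_get_customer(auth_header, customer_id):
    """GET /customers/<customer_id>: authenticates the *app*, not the user.

    Anyone holding the app's static credential can read any customer by
    changing the id in the URL: an insecure direct object reference."""
    if _decode_basic(auth_header) != STATIC_APP_CREDENTIAL:
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


# --- hardened version: per-user session tokens bound to a customer id -------

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, rotated like any key


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def login(username, password):
    """Return a signed session token for the customer, or None on bad credentials."""
    account = ACCOUNTS.get(username)
    if account is None or not hmac.compare_digest(account[0], password):
        return None
    payload = f"{account[1]}:{secrets.token_hex(8)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _customer_from_token(token):
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # forged or tampered token
    return int(payload.split(b":", 1)[0])


def hardened_get_customer(token, customer_id):
    """Same endpoint, but the record served must belong to the authenticated user."""
    subject = _customer_from_token(token)
    if subject is None:
        return 401, None
    if subject != customer_id:
        return 403, None  # object-level authorization check
    return 200, CUSTOMERS[customer_id]


if __name__ == "__main__":
    app_header = basic_auth_header(*STATIC_APP_CREDENTIAL)
    print("vulnerable, other customer:", vulnerable_get_customer(app_header, 1001))
    token = login("mallory", "mallory-pw")
    print("hardened, other customer:", hardened_get_customer(token, 1001))
    print("hardened, own record:", hardened_get_customer(token, 1002))
```

With the app's static credential, Mallory retrieves Alice's record from the vulnerable endpoint simply by asking for id 1001; the hardened endpoint answers 403 for the same request and 200 only for her own id, and a tampered token gets 401. The authorization check is the part Moonpig lacked: authentication alone tells the server that the request is from a valid client, and it is the comparison between the authenticated subject and the requested object that stops one customer reading another's data.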
References
Constantin, L. (2015). Moonpig jeopardizes data of millions of customers through insecure API. Computerworld. Retrieved from: https://www.computerworld.com/article/2865794/moonpig-jeopardizes-data-of-millions-of-customers-through-insecure-api.html
DataCenterknowledge.com (n.d.). Security Breaches, Data Loss, Outages: The Bad Side of Cloud. Retrieved from: http://www.datacenterknowledge.com/archives/2015/03/16/security-breaches-data-loss-outages-the-bad-side-of-cloud
IBM (n.d.). What is cloud computing? Retrieved from: https://www.ibm.com/cloud/learn/what-is-cloud-computing
Instasafe (2017). Security Concern: Insecure Interfaces and APIs. Retrieved from: https://instasafe.com/blog/2017/06/08/security-concern-insecure-interfaces-apis/
ITBusinessedge.com (n.d.). Titan Rain. Retrieved from: https://www.itbusinessedge.com/slideshows/the-most-famous-advanced-persistent-threats-in-history-14.html
Rains, T. (2014). Threats in the Cloud – Part 2: Distributed Denial of Service Attacks. Microsoft Secure Blog. Retrieved from: https://cloudblogs.microsoft.com/microsoftsecure/2014/02/06/threats-in-the-cloud-part-2-distributed-denial-of-service-attacks/
Rash, W. (2018). Tesla Cloud Account Data Breach Revealed in RedLock Security Report. eWeek. Retrieved from: http://www.eweek.com/cloud/tesla-cloud-account-data-breach-revealed-in-redlock-security-report
Robinson, T. (2018). Atlanta computer systems under siege in possible ransomware attack. SC Magazine. Retrieved from: https://www.scmagazine.com/atlanta-computer-systems-under-siege-in-possible-ransomware-attack/article/753123/