Cyber crime and cloud computing: Security perspectives
There is a clear and obvious trend for the greater adoption of cloud computing. More and more businesses are deploying IT services and applications in this way as they seek simpler management, utility-based payments and less reliance on traditional datacentres and admin teams. It would be rare to find an organisation that hasn’t adopted PaaS, IaaS or SaaS for some of their hosting or business applications.
Similarly, the threat from cyber crime is at least as omnipresent and is also clearly growing all the time; driven by an increasingly versatile adversary, complete reliance on IT systems to run the business and a growing technical complexity of platforms, applications, interactions and devices. Hence the combination of these two is a factor on the radar of both the CIO and the CISO.
Cyber crime and cloud security
The reasons for this growth are simple, in the same way cloud computing gives greater flexibility and functionality options to companies, it can offer the same flexibility to cyber criminals, and the pay-as-you-play usage model means that they can also benefit from utility billing (and might not have to pay at all).
For companies, the challenge is a side-effect of the nature of cloud itself – in moving away from physical servers that you control, see, touch and manage directly to a cloud platform that can be anywhere, is virtual and isn’t under your direct control, you simplify the management and purchasing processes, but expose new vulnerabilities that derive from this more “arms-length” way of providing access to data and delivering IT capability.
Criminals using cloud as a business platform
In the same way businesses look to leverage the cloud to host applications, run shop fronts or applications backends, deliver web sites, store and share files etc… organised cyber criminals will do likewise.
The ability to run a global business (legitimate or not) and deliver services, applications, manage databases, deliver content, run discussion boards and helpdesks are all business activities that form part of the international ecosystem that makes up the criminal community.
Much of this is of course underground (whether on the dark web or not) but the same ability businesses have to be global in reach and flexible in resourcing are available to those who might attack them also.
Criminals using cloud to mount attacks like DoS
One thing that cyber crime has made extensive use of is the highly scalable “on demand” nature of cloud platforms. If you have a distributed denial of service attack to mount one way is to harness millions of vulnerable, exploited computers into a botnet and use that to mount an attack.
Another is to operate from a cloud platform that allows you to rapidly and temporarily ramp up your processing power and network bandwidth, mount the attack to take systems down temporarily and then scale it all back.
Of course, there is a question as to how the cyber criminal pays for this service. Utility-based computing allows users to pay for what they need/use, to uncapped levels and be billed accordingly.
The advantage the cyber criminal has, compared to a “normal” cloud user, is that they can leverage this with no intention of paying whatsoever, either through the use of a credit card that has itself been the result of cyber crime, or by piggybacking their IT demands on top of those of a legitimate cloud customer business (who will only know this has happened when they get their service charges at the end of the month).
In fact, theft of IT resources in this way could be used to handle any peak of computing activity, crunching through a key space or password database to decrypt credentials or keys, mining bitcoins, sending large volumes of spam or phishing emails… anything where the computing power or network bandwidth costs are the limiting factor suddenly becomes possible when you don’t have to actually pick up the tab.
Cloud as a platform for employee misuse
Cloud platforms provide ease-of-use, flexibility, global access and cheap IT resources to both companies and cyber criminals. They also of course provide a wealth of facilities and services to end users, people themselves.
If a user wants a handy contact management system, or a place to store files that they can work on in the workplace or at home, or a translation service for text, or a social network/messaging app to communicate with business partners – the cloud is out there.
It is probably free, it is probably flexible and it is probably available now, rather than at some future point in time when your IT department can deliver it.
However, it also exposes sensitive corporate data, maybe even personal data, outside the organisation’s control on an external application provider’s servers or in their database.
It most likely allows access to the data from home systems that could be shared, might be missing anti-virus software or patches applied (and might already be compromised). For the employee, they have just found a neat way to solve a business problem, they won’t have read the T&Cs and almost certainly won’t be aware of the risks.
In short it is a bit of a security nightmare – so much so that it has a suitably dark name: “Shadow IT”.
Additionally, if you are looking to steal or extract data maliciously the cloud helps as well. You can copy a file to a file upload service and bypass corporate email gateways with their filters on file sizes, types, content and detailed logging of message senders and recipients. If stealing customer lists, intellectual property, source code or other valuable data is your game, cloud storage makes it easy.
Business cloud platforms are a cyber crime target
As businesses adopt the cloud, its widely known that common cloud platforms hold increasing amounts of valuable business data. Hence for an attacker it is not about finding a company to target, it is about finding a place on the cloud that isn’t as secure as it could be, taking the information that they find there and then worrying about whose information it is.
There is a report here about hacks on Salesforce – although it is worth noting that these attacks often exploit the weaknesses introduced by users such as flawed passwords or are driven by phishing attacks that then allow access to the cloud platform.
It is wrong to say the cloud is “less secure” than a businesses own IT infrastructure. In fact, a well-run, enterprise class cloud platform could easily be more resilient, robust and secure than the less well-run networks of the smaller businesses that use it as a platform (See this article). But the aggregation of data and common access methods will always make the cloud a target.
Forensics in the cloud
The last thing to consider is the difference between on-premise and cloud when it comes to incident response and forensics. Here you have both pros and cons.
In a cloud environment there isn’t a physical server you can isolate and take to a lab and directly examine. It is nowhere to be found, so a breach might be harder to investigate given just the log and activity data and the current state of the configuration are available (both of which might have been modified/compromised by the attacker).
On the upside, you might be able to spin up an identical replacement (or a patched version thereof) and continue providing services without interruption, thus allowing you to take a server off-line more easily to examine it and diagnose the breach. This means you don’t have to suffer from letting service levels drop and upsetting customers.
- A physical server is easier to directly examine, investigate and diagnose;
- A cloud server is easier to replace and keep services running while you investigate.
There is an article on forensics in the cloud here.
Cyber crime: Is the cloud easier or harder to defend?
The answer, in each of these cases, is a rather non-committal “it depends”.
It provides an easy, flexible and cost-effective way for business to deliver IT services without having to be focussed. This means that the hosting and security management can be, to an extent, handled by the cloud provider in a much more robust, 24-hour/7-days, proactive and focussed way.
It does put control and definition of security requirements, logs and investigative capability at “arm’s length” and reduces the degree of control over data and systems management the business can exert.
It also allows users to access business applications easily in the office, at home and on the move and share data or interact very easily.
On the down-side, it also allows users to bypass IT and commission these types of applications themselves. They can solve the same business problems but in an invisible way and outside of the view of IT, or to achieve the same level of IT capability for nefarious purposes if they are so inclined.
Monitoring is critical in the cloud
All this means that having visibility and oversight of cloud security, accesses, data flows, transactions and user operations is vital. If you can’t see or touch the servers, you do need to know what’s going on in terms of usage and potential attacks.
It is key to ensure that user access to non-IT provided cloud platforms is visible. So monitoring for shadow IT – for example access to file sharing or cloud storage sites – is useful as it identifies places or flow of data outside the company’s control.
You can’t stop a cyber criminal using cloud services to run their business or using cloud-hosted servers and systems (including hijacked ones) to attack you. However, you can take steps to make sure that it is not a part of your cloud server farm they are using, and not your IT services bill they are running up, when mounting these attacks against someone else.