There is a clear and obvious trend for the greater adoption of cloud computing. More and more businesses are deploying IT services and applications in this way as they seek simpler management, utility-based payments and less reliance on traditional datacentres and admin teams. It would be rare to find an organisation that hasn’t adopted PaaS, IaaS or SaaS for some of their hosting or business applications.
Similarly, the threat from cyber crime is at least as omnipresent and is clearly growing all the time, driven by an increasingly versatile adversary, complete reliance on IT systems to run the business, and the growing technical complexity of platforms, applications, interactions and devices. The combination of these two trends is therefore on the radar of both the CIO and the CISO.
The reasons for this growth are simple. In the same way that cloud computing gives companies greater flexibility and more functionality options, it offers the same flexibility to cyber criminals, and the pay-as-you-go usage model means that they too can benefit from utility billing (and might not have to pay at all).
For companies, the challenge is a side-effect of the nature of cloud itself. In moving away from physical servers that you control, see, touch and manage directly to a cloud platform that can be anywhere, is virtual and isn’t under your direct control, you simplify the management and purchasing processes but introduce new risks that come with this more “arm’s-length” way of providing access to data and delivering IT capability.
In the same way that businesses look to leverage the cloud to host applications and application back-ends, run shop fronts, deliver web sites, and store and share files, organised cyber criminals will do likewise.
Running a global business (legitimate or not), delivering services and applications, managing databases, serving content, and running discussion boards and helpdesks are all business activities that form part of the international ecosystem that makes up the criminal community.
Much of this is of course underground (whether on the dark web or not), but the same global reach and flexible resourcing that businesses enjoy are equally available to those who might attack them.
One thing that cyber crime has made extensive use of is the highly scalable “on demand” nature of cloud platforms. If you have a distributed denial of service attack to mount, one way is to harness millions of vulnerable, exploited computers into a botnet and use that to mount the attack.
Another is to operate from a cloud platform that allows you to rapidly and temporarily ramp up your processing power and network bandwidth, mount the attack to take systems down temporarily and then scale it all back.
Of course, there is a question as to how the cyber criminal pays for this service. Utility-based computing allows users to pay for what they need/use, to uncapped levels and be billed accordingly.
The advantage the cyber criminal has, compared to a “normal” cloud user, is that they can leverage this with no intention of paying whatsoever, either through the use of a credit card that has itself been the result of cyber crime, or by piggybacking their IT demands on top of those of a legitimate cloud customer business (who will only know this has happened when they get their service charges at the end of the month).
In fact, theft of IT resources in this way can be used to handle any peak of computing activity: brute-forcing a key space or cracking a stolen password hash database to recover credentials or keys, mining cryptocurrency, sending large volumes of spam or phishing emails. Anything where computing power or network bandwidth cost is the limiting factor suddenly becomes possible when you don’t have to pick up the tab.
Cloud platforms provide ease-of-use, flexibility, global access and cheap IT resources to both companies and cyber criminals. They also of course provide a wealth of facilities and services to end users, people themselves.
If a user wants a handy contact management system, or a place to store files that they can work on in the workplace or at home, or a translation service for text, or a social network/messaging app to communicate with business partners – the cloud is out there.
It is probably free, it is probably flexible and it is probably available now, rather than at some future point in time when your IT department can deliver it.
However, it also exposes sensitive corporate data, maybe even personal data, outside the organisation’s control on an external application provider’s servers or in their database.
It most likely allows access to the data from home systems that could be shared, might be missing anti-virus software or security patches, and might already be compromised. From the employee’s point of view, they have just found a neat way to solve a business problem; they won’t have read the T&Cs and almost certainly won’t be aware of the risks.
In short it is a bit of a security nightmare – so much so that it has a suitably dark name: “Shadow IT”.
Additionally, if you are looking to steal or extract data maliciously the cloud helps as well. You can copy a file to a file upload service and bypass corporate email gateways with their filters on file sizes, types, content and detailed logging of message senders and recipients. If stealing customer lists, intellectual property, source code or other valuable data is your game, cloud storage makes it easy.
As businesses adopt the cloud, it is widely known that the common cloud platforms hold increasing amounts of valuable business data. Hence for an attacker it is no longer about finding a company to target; it is about finding a place in the cloud that isn’t as secure as it could be, taking the information found there, and only then worrying about whose information it is.
There is a report here about attacks on Salesforce customers, although it is worth noting that these attacks often exploit weaknesses introduced by users, such as weak or reused passwords, or are driven by phishing that yields the credentials needed to access the cloud platform.
It is wrong to say the cloud is “less secure” than a business’s own IT infrastructure. In fact, a well-run, enterprise-class cloud platform could easily be more resilient, robust and secure than the less well-run networks of the smaller businesses that use it as a platform (see this article). But the aggregation of data and the common access methods will always make the cloud a target.
The last thing to consider is the difference between on-premise and cloud when it comes to incident response and forensics. Here you have both pros and cons.
In a cloud environment there isn’t a physical server you can isolate, take to a lab and examine directly. A breach may therefore be harder to investigate when all you have is the log and activity data and the current state of the configuration (both of which might have been modified by the attacker). With IaaS you can usually still snapshot a virtual machine’s disk for offline analysis, but with PaaS and SaaS you depend almost entirely on what the provider logs and how long it retains it.
On the upside, you might be able to spin up an identical replacement (or a patched version thereof) and continue providing services without interruption, thus allowing you to take a server off-line more easily to examine it and diagnose the breach. This means you don’t have to suffer from letting service levels drop and upsetting customers.
There is an article on forensics in the cloud here.
The answer, in each of these cases, is a rather non-committal “it depends”.
It provides an easy, flexible and cost-effective way for a business to deliver IT services without having to focus on the underlying hosting. This means that hosting and security management can, to an extent, be handled by the cloud provider in a much more robust, 24-hour/7-day, proactive and focussed way.
It does put control and definition of security requirements, logs and investigative capability at “arm’s length” and reduces the degree of control over data and systems management the business can exert.
It also allows users to access business applications easily in the office, at home and on the move and share data or interact very easily.
On the down-side, it also allows users to bypass IT and commission these types of applications themselves. They can solve the same business problems but in an invisible way and outside of the view of IT, or to achieve the same level of IT capability for nefarious purposes if they are so inclined.
All this means that having visibility and oversight of cloud security, accesses, data flows, transactions and user operations is vital. If you can’t see or touch the servers, you do need to know what’s going on in terms of usage and potential attacks.
It is key to ensure that user access to cloud platforms not provided by IT is visible. Monitoring for shadow IT, for example access to file sharing or cloud storage sites, is useful because it identifies flows of data to places outside the company’s control.
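The kind of monitoring described above, and the file-upload exfiltration route mentioned earlier, can be approximated with a simple pass over web proxy logs. The following is an added example written for this page, not code from the original post or from any vendor product. The log line format, the list of consumer cloud storage domains, the sanctioned-tenant list and the sample log lines are all constructed for illustration; in practice you would substitute your own proxy’s format, a maintained category list and the tenants your business actually uses.

```python
"""Flag possible shadow-IT cloud storage use and bulk uploads in web proxy logs.

Added example for illustration only. The log format, domain lists and sample
lines below are constructed assumptions, not any particular proxy's format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical proxy log format (constructed for this example):
# <timestamp> <user> <src_ip> <method> <url> <status> <bytes_sent> <bytes_received>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<out>\d+) (?P<in>\d+)$"
)

# Consumer file-sharing / cloud storage domains (assumed list, not exhaustive).
CLOUD_STORAGE = {
    "dropbox.com", "drive.google.com", "wetransfer.com", "mega.nz",
    "box.com", "onedrive.live.com", "file.io",
}
# Services the business has sanctioned (assumption: only its own tenant).
SANCTIONED = {"sharepoint.example-corp.com"}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB sent in a single request

# Constructed sample log lines: one normal browse, one Dropbox visit followed by
# a 70 MiB upload, one sanctioned SharePoint upload, one WeTransfer upload, and
# one malformed line to show that parsing failures are skipped, not fatal.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z alice 10.0.4.17 GET https://www.example.com/news 200 512 20480",
    "2024-03-01T09:15:41Z bob 10.0.4.22 GET https://www.dropbox.com/home 200 700 4096",
    "2024-03-01T09:16:05Z bob 10.0.4.22 POST https://content.dropbox.com/upload 200 73400320 1024",
    "2024-03-01T09:20:00Z carol 10.0.4.30 PUT https://sharepoint.example-corp.com/sites/finance 200 9437184 512",
    "2024-03-01T09:21:00Z dave 10.0.4.31 POST https://wetransfer.com/api/v4/transfers 200 12582912 900",
    "garbage line that does not parse",
]


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


@dataclass
class Finding:
    user: str
    host: str
    reason: str
    bytes_out: int


def analyse(lines):
    """Return (findings, bytes_uploaded_per_user) for unsanctioned cloud storage use."""
    findings = []
    uploaded = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        host = urlparse(m["url"]).hostname or ""
        if domain_matches(host, SANCTIONED):
            continue  # traffic to the company's own tenant is expected
        if not domain_matches(host, CLOUD_STORAGE):
            continue
        bytes_out = int(m["out"])
        if m["method"] in UPLOAD_METHODS and bytes_out >= UPLOAD_BYTES_THRESHOLD:
            findings.append(Finding(m["user"], host, "bulk upload to unsanctioned cloud storage", bytes_out))
            uploaded[m["user"]] += bytes_out
        else:
            findings.append(Finding(m["user"], host, "unsanctioned cloud storage access", bytes_out))
    return findings, dict(uploaded)


if __name__ == "__main__":
    results, totals = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.user:6} {f.host:32} {f.reason} ({f.bytes_out} bytes sent)")
    print("bytes uploaded per user:", totals)
```

Two design points matter more than the specific lists. First, match on the parent domain with a subdomain check rather than on exact hostnames, because upload endpoints (`content.dropbox.com` in the constructed sample) rarely share a hostname with the landing page. Second, treat the sanctioned tenant as an explicit allowlist so that the same product used through the company’s own account does not generate noise; the interesting case is the same service reached through a personal account, which is exactly the flow the email gateway never sees.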
You can’t stop a cyber criminal using cloud services to run their business or using cloud-hosted servers and systems (including hijacked ones) to attack you. However, you can take steps to make sure that it is not a part of your cloud server farm they are using, and not your IT services bill they are running up, when mounting these attacks against someone else.