But this is just the tip of the iceberg. In addition there were:
- Nearly 1 million new malware threats released every day – based on CNN News
- 20 million network attacks on Utah's secure government networks, increasing dramatically in recent months – based on Deseret News
Serious numbers to consider…
What is a data breach?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
If we look at the history of past big data breaches, we can see a trend towards more frequent and more severe data breaches. Over the last 10 years, starting with the big AOL data breach of 2005 affecting 100M+ user accounts, we have seen many other huge and disastrous data breaches: Sony PlayStation Network (80M users), US Military (80M), Adobe (40M), Evernote (50M), US Office (20-25M), eBay (150M), Target (70M), JP Morgan Chase (80M), Home Depot (60M), Anthem (80M), Ashley Madison (40M), …
Millions and millions of user accounts are being breached on a daily basis and the trend is clear: the frequency and severity of cyberattacks are increasing. As a matter of fact, I recently saw an article stating that there is a “340% increase in cyberattacks in the healthcare industry”.
Can we be sure that our data is secure on the cloud?
Can we be sure our data is safe on-premise?
Types of Threats
What types of threats and attacks are there? Let’s take a look at some of the most common threats.
One of the most common attack types is DoS, Denial of Service, or its advanced variation, Distributed Denial of Service (DDoS). A DoS attack floods a computer resource with more requests than it can handle, which causes the server to crash, halt or jam and thereby prevents authorized users from accessing its services. This is very popular nowadays, if not the most popular attack type, and we see news about it on a weekly basis.
Some other popular cyber attacks include SQL Injections, Email bombing, Phishing and Hacking.
SQL Injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution to exploit a security vulnerability in an application’s software, e.g. in user input with incorrect error handling for string literal escape characters embedded in SQL statements. This is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
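The "incorrect handling of string literal escape characters" described above, shown as an added example beside its fix; this is illustration code written for this post, not code from the post or its author, and the in-memory user table and the tampered input string are constructed.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_vulnerable(conn, name):
    # Defective pattern: user input is pasted into the SQL text, so a quote
    # character in the input ends the string literal and the rest is parsed as SQL.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]

def find_user_safe(conn, name):
    # Hardened pattern: the value is bound as a parameter; the database never
    # interprets it as SQL, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Constructed input containing an unescaped string-literal delimiter.
TAMPERED_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, TAMPERED_INPUT))  # every row: the filter was bypassed
    print(find_user_safe(db, TAMPERED_INPUT))        # no rows: no user has that literal name
```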
Email bombing is about sending a large amount of email to a victim’s address, resulting in interruption of the victim’s email or even of the organization’s email server.
Phishing includes the mass distribution of “spoofed” email messages which appear to come from a legitimate origin, e.g. banks, insurance agencies, logistics companies, retailers or credit card organizations. These are designed to fool recipients into giving away sensitive information such as passwords, credit card details, account names, etc.
According to the FBI, thieves stole nearly $750 million in email-related crimes (phishing, fraud and scams) from more than 7,000 victim companies in the U.S. between October 2013 and August 2015. This is only in the United States.
Hacking is a straightforward threat involving gaining unauthorized access to a computer and modifying the system to enable continuous access, changing the configuration, collecting data/information or operating the system, all without the knowledge or approval of the system owners.
Then we have Malware and Viruses, which are means to steal data, gain unauthorized access to systems or otherwise do damage to the victim’s environment. They are usually used as part of wider-scale attacks, such as Advanced Persistent Attacks or Watering Hole attacks.
An Advanced Persistent Attack (APT) is a set of stealthy and continuous computer hacking processes, often run by humans targeting a specific organization. An APT is usually done for business or political motives and requires a high degree of stealthy activity over a long period of time. An APT typically uses sophisticated techniques and malware to exploit vulnerabilities in systems.
Watering Hole is a computer attack strategy identified in 2012, in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites that specific target group often uses and infects one or more of them with malware. Eventually, some members of the target group get infected.
Many attacks involve an insider threat. One example is a case where malicious software or unauthorized access is used to modify a system so that raw data is changed just before it is processed by a computer and then changed back to the original values, to prevent the attack from being identified. This is called data diddling. The source of this kind of attack could be a fraudulent application developer, database administrator or DevOps engineer.
Some years ago financial institutions faced a cyber-crime where a group of persons used a technique called a salami attack. This is typically used for financial crimes: each alteration is made so insignificant that in a single case it would go completely unnoticed by the individual or organization, e.g. a bank employee inserts a program into the bank’s servers that deducts a small amount from every customer account. This could also happen at enterprise level.
The same technique is very often used with stolen credit cards to make automated purchases of very insignificant amounts.
Nowadays banks and credit card companies are implementing heuristics and algorithms to detect such methods in an automated way, and luckily there are third-party anti-fraud solutions available as well, such as PayApi among others.
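The kind of heuristic a bank or anti-fraud service can run against a salami attack, as an added example that is not code from the post or from any product it names: the ledger rows, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed ledger entries: (account, amount_in_cents, initiator).
# Negative amounts are debits. Six accounts each lose 2 cents from one batch job,
# while the remaining rows are ordinary activity.
LEDGER = [
    ("acct-001", -2, "batch-job-17"),
    ("acct-002", -2, "batch-job-17"),
    ("acct-003", -2, "batch-job-17"),
    ("acct-004", -2, "batch-job-17"),
    ("acct-005", -2, "batch-job-17"),
    ("acct-006", -2, "batch-job-17"),
    ("acct-002", -4500, "teller-3"),
    ("acct-003", -3, "teller-3"),
    ("acct-004", 120000, "payroll"),
    ("acct-005", -4, "atm-9"),
]

def find_salami_candidates(ledger, max_cents=5, min_accounts=5):
    """Return initiators whose tiny debits touch at least min_accounts accounts.

    A single 2-cent debit is invisible to the account holder; the same initiator
    taking 2 cents from many different accounts is the pattern the heuristic
    aggregates. Result maps initiator -> (distinct accounts debited, total cents).
    """
    stats = defaultdict(lambda: {"accounts": set(), "total": 0})
    for account, amount, initiator in ledger:
        if amount < 0 and -amount <= max_cents:
            stats[initiator]["accounts"].add(account)
            stats[initiator]["total"] += -amount
    return {
        initiator: (len(s["accounts"]), s["total"])
        for initiator, s in stats.items()
        if len(s["accounts"]) >= min_accounts
    }

if __name__ == "__main__":
    print(find_salami_candidates(LEDGER))  # {'batch-job-17': (6, 12)}
```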
Impact
The impact on businesses is loss of data, loss of control over their IT systems and therefore interruption of their services. Nowadays the problems include not only downtime of IT systems but, more and more, loss of revenue and harm to the company’s brand image.
Based on a Ponemon Institute study of a sample of organizations with over 1000 employees, the cost of cybercrime reaches $15 million annually per organization.
Regulatory organizations, such as European Union Data Security, are leading the definition of the Personal Data Protection Act, which results in direct penalties for the companies.
Not to forget Intellectual Property, knowledge and internal assets. Think about your valuable company data or sensitive information being published on the Internet or even sold to your competitors.
How to protect?
How do we protect from these threats?
What can we do to minimize the impact of such attacks?
Protecting against threats, both external and internal, requires tools and activities that help to PREVENT… DETECT… and REACT.
The traditional check-list based security approach should be transformed to a risk based security: identifying, analysing and evaluating potential threats, planning preventive and corrective actions, defining a plan B and recovery plans.
The security actions should also cover all levels of the IT infrastructure, from top to bottom and left to right: a multi-layered approach that considers end-to-end security.
The common CIA type of security approach is a good starting point for the security strategy. The acronym CIA in this context stands for Confidentiality, Integrity and Authorization. Often an additional A for Availability is added as well.
The database is the most vulnerable to attacks. According to IDG’s CSO Online survey, 52% of CSOs said that the database is the most vulnerable to attacks, with the network second at 34%. On the other hand, they allocated only 15% of their IT budget to securing the database, versus 67% for the network and 15% for applications.
That said, it was stated that “Investments are going up to secure database”.
The dilemma here was that the CSO thinks it is the DBA’s job, and the DBA thinks it is the CSO’s job, because he is only involved in performance and optimization tasks.
What can we do to protect? Some good tips include:
- Define a data inventory, which helps to prioritize defenses
- Identify normal data flows for sensitive data. Monitor these! Abnormal data movement is often the first sign of a compromise.
- The largest proportion of data breach discoveries are found using data loss prevention controls on data movements and intrusion detection and prevention systems
- Include data security controls such as encryption, account analysis and access auditing
- Security policy and risk management provide the necessary review and oversight to protect your sensitive data while keeping it accessible to those who need it
- Find hidden endpoints and identify weaknesses; measure effectiveness continuously
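The second tip above, monitoring normal data flows and alerting on abnormal movement, is what the following added example implements; it is illustration code written for this post, not a tool from the post or its author, and the seven-day export log, the host names and the 3-sigma threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed seven-day baseline of an export job that copies the customer
# database extract to the reporting server: (day, destination, megabytes).
BASELINE_LOG = [
    (day, "reporting.internal", mb)
    for day, mb in enumerate([40, 42, 39, 41, 43, 40, 38], start=1)
]

def build_baseline(records):
    """Per-destination mean and standard deviation of transferred volume."""
    by_dest = defaultdict(list)
    for _, dest, mb in records:
        by_dest[dest].append(mb)
    return {dest: (mean(v), pstdev(v)) for dest, v in by_dest.items()}

def classify_flow(baseline, dest, mb, sigma=3.0):
    """Label one observed transfer of the sensitive dataset.

    new-destination: the data has never gone to this host before.
    volume-anomaly: far more data than the baseline for a known destination.
    normal: within the expected range.
    """
    if dest not in baseline:
        return "new-destination"
    mu, sd = baseline[dest]
    # Floor the spread at 1 MB so a perfectly flat baseline still has a tolerance.
    if mb > mu + sigma * max(sd, 1.0):
        return "volume-anomaly"
    return "normal"

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for dest, mb in [("reporting.internal", 41), ("reporting.internal", 900),
                     ("203.0.113.7", 5)]:
        print(dest, mb, classify_flow(base, dest, mb))
```

Both labels other than "normal" are the "abnormal data movement" the tip calls the first sign of a compromise, and would feed the data loss prevention and intrusion detection tooling mentioned in the next tip.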
In addition to this, the cloud service provider should guarantee, and be able to demonstrate, that:
- Invalid/fraudulent requests are blocked before they reach the service
- All security actions are documented and can be used in external audits and compliance checks
- Specific Network Intrusion Detection Systems, firewalls, IP filtering, VPN connectivity and other security mechanisms are in use. Specific DDoS attack prevention should also be in place.
- Data centers should be physically guarded; all physical processes and operations should be documented and monitored.
- 24/7 availability. Infrastructure should ensure 99.999% availability (cooling, electricity, facilities)
- Cloud provider and their data center facilities should do background checks of employees; security training, physical access security (electronic token access, surveillance cameras, guards, log of all visitors, access logs, escorted visitors)
- Logs should be encrypted and should not reveal sensitive customer data
If all or some of the above are not in place with your cloud service provider, I would highly recommend clarifying the gaps and making a proper risk analysis to decide on proper actions against the potential threats.
Summary
A short recap… 🙂
Cloud threats happen continuously. They happen every day and involve millions of users on a daily basis. There is a great variety of threats and so-called attack vectors; new ways are identified while old ones are being blocked.
The impact on companies is interruption of services, loss of data, even business losses and damage to the brand image.
Traditional checklist-based security is not sufficient nowadays; firewalls and encryption are not the silver bullet anymore… We need risk-based end-to-end security that is continuously reviewed and updated: this covers protection, detection and reaction to the threats.
And there are solutions available: it is up to companies to determine the risk and to decide the necessary effort to minimize or avoid such risk being realized. There are solutions, and many things can be considered with cloud systems and services.
Perhaps Cloud is more secure than On-Premise in some use cases, with a credible cloud service provider that has good resources to implement the necessary security measures?
Questions?
If you have any questions re: this matter, please do not hesitate to contact me using this.