Attacks/Breaches
9/14/2012
09:53 PM

Cloud Services Face Different Security Threats

Alert Logic study finds that cloud and on-premises customers face about the same number, but different types, of threats.

Alert Logic has examined the idea that the cloud is less secure than an on-premises enterprise data center and found it wanting. Both are about equally risky, it concluded, although the nature of the risk is different in each site.

Alert Logic is a security-as-a-service supplier to both on-premises locations and service providers in the cloud. That puts it in a position to examine 70,000 security incidents arising from over 1.5 billion security events occurring over the last year to its 1,600 customers. It analyzed data from the incidents to determine the nature of the risk at each type of site.

Alert Logic's study, "State of the Cloud Security Fall 2012," might have been skewed in favor of the cloud providers because many of Alert Logic's customers are experienced data center companies likely to have strong security practices. They include: SunGard, the disaster recovery specialist that has gone into cloud services; Rackspace, generally considered the runner-up to Amazon Web Services when it comes to providing infrastructure-as-a-service (IaaS); Internap Network Services, the colocation company and content delivery network; and Datapipe, an IaaS and managed services supplier. But the high profile of these companies also ensures that they garnered attention from some of the most virulent malware makers.

"Service provider-managed environments did not encounter a greater level of threats than on-premises environments. All factors in the analysis supported this conclusion," including types of incident, frequency of incidents, and diversity of threats assailing each type of environment, concluded the study.

And while some industries, such as public electrical utilities or financial services, might fear being targeted by skilled hackers, Urvish Vashi, VP of marketing at Alert Logic, said "most attacks are not targeted" at a specific company or industry. They occur almost equally across industry groups, indicating attackers "are looking for vulnerable targets rather than selecting specific organizations to attack." The opportunistic nature of attacks was reinforced by the high level of reconnaissance activity--searching for backdoors, open network ports, etc.--through which an attacker might enter. They occurred across all industry groups, rather than, say, being concentrated on financial services.

Web application attacks, where attackers use toolkits that try to take advantage of an application's known vulnerabilities, such as a buffer overflow exposure, were common to both service providers and on-premises data centers. But they were more frequent among service providers, where 53% of those examined had experienced one. For on-premises data centers, they occurred among 43% of the customers.

But on-premises data centers tend to run a wider variety of applications and operating systems, meaning that those that were attacked would face a larger number of threats, an average of 61.4 such attempts versus 27.8 for service providers.

The opposite was true when it came to brute-force attacks, where malware attempts to gain access by repeatedly guessing credentials, as in password cracking. Forty-six percent of on-premises facilities experienced such attacks versus 39% of service providers. The frequency of such attacks leaned heavily toward on-premises facilities, which averaged 71.7 per customer, versus service providers, which averaged 42.6 per customer.

Those were the two most common attacks experienced at either location. Also common among service providers was the number three threat, the reconnaissance attack, where an agent scans for open ports or attempts to pick up the fingerprint of a running application on a particular network. With such information, the attacker hopes to later find a vulnerability. Thirty-eight percent of service providers experienced such an attack during the six-month period covered by the study. But such attacks were less common on premises, where 32% of customers had experienced them.

The number three on-premises threat came from intrusive malware and botnets, such as the Conficker and Zeus bots that try to take command of desktop communications. Thirty-six percent of on-premises customers had experienced such attacks, compared to only 4% of service providers.

Vashi said the number of security incidents in each environment led Alert Logic to conclude there was little security advantage to one over the other. On the contrary, the different types of attack experiences match the different profiles of service providers and on-premises data centers. The service provider is a server-dominated environment with few end users, but relatively rich in application targets, leading to more reconnaissance attacks. The large number of end users in on-premises environments leads to more attempts to crack desktops through Trojan horses, bots, and other malware.

Vashi said IT staffs in both types of environments attempt to keep the environment protected from outside threats, but he gave an edge to service providers, whose task may be somewhat simpler and directly tied to their survival as a business. They tend to supervise large sets of similar servers, running identical or a few closely related operating systems. "The difference is a smaller IT footprint and attack surface," he said. Service providers in some instances are rigorously implementing best security practices, due to the exposed nature of their business.

On-premises IT has a more complicated task of keeping a wide variety of operating systems and applications up to date with patches and may have more points of entry as IT tries to adapt to the many types of computers and handheld devices that it is trying to support. On-premises sites are more likely to have a misconfigured system running somewhere that has (at least momentarily) been lost track of.

"While there are many factors to weigh when deciding whether to move infrastructure to the cloud, an assumption of insecurity should not be among them," the study concluded.

Comments

Cryptodd, 9/18/2012 | 11:20:45 PM
re: Cloud Services Face Different Security Threats
This survey certainly illustrates some interesting differences regarding the challenges of securing on-premise versus cloud environments -- especially the preponderance of desktop attacks against enterprises and application/infrastructure attacks against cloud providers. Obviously, these strategies make sense. One element of the security equation that is common across both environments is "defense in depth" data protection. Applying layers of protection to data, such as access controls, encryption and activity monitoring, is required on-premise and in the cloud.