09:53 PM
Cloud Services Face Different Security Threats

Alert Logic study finds that cloud and on-premises customers face about the same number, but different types, of threats.

Alert Logic has examined the idea that the cloud is less secure than an on-premises enterprise data center and found it wanting. Both are about equally risky, it concluded, although the nature of the risk is different in each site.

Alert Logic is a security-as-a-service supplier to both on-premises locations and service providers in the cloud. That puts it in a position to examine 70,000 security incidents, arising from over 1.5 billion security events, that occurred over the past year across its 1,600 customers. It analyzed data from the incidents to determine the nature of the risk at each type of site.

Alert Logic's study, "State of the Cloud Security Fall 2012," might have been skewed in favor of the cloud providers because many of Alert Logic's customers are experienced data center companies likely to have strong security practices. They include: SunGard, the disaster recovery specialist that has gone into cloud services; Rackspace, generally considered the runner-up to Amazon Web Services when it comes to providing infrastructure-as-a-service (IaaS); Internap Network Services, the colocation company and content delivery network; and Datapipe, an IaaS and managed services supplier. But the high profile of these companies also ensures that they garnered attention from some of the most virulent malware makers.

"Service provider-managed environments did not encounter a greater level of threats than on-premises environments. All factors in the analysis supported this conclusion," including types of incident, frequency of incidents, and diversity of threats assailing each type of environment, concluded the study.

And while some industries, such as public electrical utilities or financial services, might fear being targeted by skilled hackers, Urvish Vashi, VP of marketing at Alert Logic, said "most attacks are not targeted" at a specific company or industry. They occur almost equally across industry groups, indicating attackers "are looking for vulnerable targets rather than selecting specific organizations to attack." The opportunistic nature of attacks was reinforced by the high level of reconnaissance activity, such as searching for backdoors and open network ports through which an attacker might enter. Such scanning occurred across all industry groups, rather than, say, being concentrated on financial services.

Web application attacks, where attackers use toolkits that try to take advantage of an application's known vulnerabilities, such as a buffer overflow exposure, were common to both service providers and on-premises data centers. But they were more frequent among service providers, where 53% of those examined had experienced one. For on-premises data centers, they occurred among 43% of the customers.

But on-premises data centers tend to run a wider variety of applications and operating systems, meaning that those that were attacked would face a larger number of threats, an average of 61.4 such attempts versus 27.8 for service providers.

The opposite was true when it came to brute-force attacks, where an attacker or automated tool attempts to gain access by repeatedly guessing credentials, as in password cracking. Forty-six percent of on-premises facilities experienced such attacks versus 39% of service providers. The frequency of such attacks leaned heavily toward on-premises facilities, which averaged 71.7 per customer, versus service providers, which averaged 42.6 per customer.

Those were the two most common attacks experienced at either location. Also common among service providers was the number three threat, the reconnaissance attack, where an agent scans for open ports or attempts to pick up the fingerprint of a running application on a particular network. With such information, the attacker hopes to later find a vulnerability. Thirty-eight percent of service providers experienced such an attack during the six-month period covered by the study. But such attacks were less common on premises, where 32% of customers had experienced them.

The number three on-premises threat came from intrusive malware and botnets, such as the Conficker and Zeus bots that try to take command of desktop communications. Thirty-six percent of on-premises customers had experienced such attacks, compared to only 4% of service providers.

Vashi said the number of security incidents in each environment led Alert Logic to conclude there was little security advantage to one over the other. Rather, the different types of attack experienced match the different profiles of service providers and on-premises data centers. The service provider is a server-dominated environment with few end users but relatively rich in application targets, leading to more reconnaissance attacks. The large number of end users in on-premises environments leads to more attempts to crack desktops through Trojan horses, bots, and other malware.

Vashi said IT staffs in both types of environments attempt to keep the environment protected from outside threats, but he gave an edge to service providers, whose task may be somewhat simpler and directly tied to their survival as a business. They tend to supervise large sets of similar servers, running identical or a few closely related operating systems. "The difference is a smaller IT footprint and attack surface," he said. Service providers in some instances are rigorously implementing best security practices, due to the exposed nature of their business.

On-premises IT has a more complicated task of keeping a wide variety of operating systems and applications up to date with patches and may have more points of entry as IT tries to adapt to the many types of computers and handheld devices that it is trying to support. On-premises sites are more likely to have a misconfigured system running somewhere that has (at least momentarily) been lost track of.

"While there are many factors to weigh when deciding whether to move infrastructure to the cloud, an assumption of insecurity should not be among them," the study concluded.

User Rank: Moderator
9/18/2012 | 11:20:45 PM
re: Cloud Services Face Different Security Threats
This survey certainly illustrates some interesting differences regarding the challenges of securing on-premise versus cloud environments -- especially the preponderance of desktop attacks against enterprises and application/infrastructure attacks against cloud providers. Obviously, these strategies make sense. One element of the security equation that is common across both environments is "defense in depth" data protection. Applying layers of protection to data, such as access controls, encryption and activity monitoring, is required on-premise and in the cloud.