Vulnerabilities / Threats
4/6/2016 11:30 AM
Ron Zalkind
Commentary

Understanding The Cloud Threat Surface

How today's borderless environment creates new threat vectors from third-party apps, brute force password attacks, and login attempts with stolen credentials.

To say that cloud adoption is accelerating is an understatement. You can almost sense the “uplift” of applications and data into the cloud, evidenced by the massive growth in the volume of accounts, files, collaboration, and connected third-party cloud applications. Enterprises have begun to standardize on SaaS applications. Meanwhile, users are speeding ahead, taking advantage of the self-provisioning capabilities enabled by the BYOD and cloud phenomena. In 2015, it was reported that external collaboration via public cloud applications increased four times, and that ten times as many files were being stored in public cloud applications.

As data, apps, and users shift to the cloud, we must ask ourselves what the impact on our threat surface is and what new attack opportunities will emerge. While most security professionals are aware of how traditional data breaches happen, few have dissected the who, what, when, where, and how of a breach in the cloud. The traditional “kill chain” used by outside bad actors, or the vehicle used by insider bad actors, changes significantly. This presents a challenge to security teams, as they must adjust their approach to identifying and evaluating breaches in this new environment.

Breaches Outside of Traditional Borders

The conventional security model was physical in nature and relied on perimeter defenses. The goal was to erect fences around assets and resources and grant users access to specific, designated zones. To attack this paradigm, adversaries focused on getting into the desired perimeter or zone. More often than not, the point of exploitation is a user who is allowed to enter that perimeter.

When the sensitive assets are behind the firewall, an attacker follows typical patterns: find a way to deploy a weapon onto a user’s machine; let the user (with that machine) carry the attacker inside the perimeter; then use various sophisticated techniques to establish a control channel with the outside world and attempt to siphon off sensitive assets, directly or through lateral movement, all the while remaining undetected and avoiding the multitude of cyber technologies that have been deployed on the network.

As we move our critical assets to the cloud and access them from anywhere, workers can operate more freely, but the borderless environment also creates new threat vectors.

The first two threat vectors fall under the category of insider threat. Most cloud applications provide value when they drive productivity, collaboration, and business workflows. The ease of getting things done together is transformational. SaaS applications like those from Salesforce.com and Office 365 facilitate an exchange of information, making it easy to share with people external to companies or with personal, non-corporate accounts.

This is an entirely new threat vector. The typical scenarios encountered are oversharing, whether through inadvertent or malicious extraction of data. Sharing through cloud applications is a risk that needs to be modeled and addressed. In fact, findings indicate that the average organization has 12% of files shared organization-wide, while another 10% of files are exposed externally, and 2% are accessible publicly or searchable on the public Web.
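As an added example (not part of the original article), the following Python script classifies file-permission records into the exposure levels the paragraph above describes (private, shared organization-wide, exposed externally, public) and reports the share of files at each level, the kind of figure used to model the oversharing risk. The permission records, their field names, and the corporate domain `example.com` are constructed assumptions for illustration, not any vendor's export format.

```python
# Added example: classify cloud file sharing by exposure level.
# The permission records and the field names (permissions, type, domain,
# email_address) are constructed assumptions for illustration, not any
# SaaS vendor's real ACL export schema.
from collections import Counter

CORPORATE_DOMAIN = "example.com"  # assumed corporate identity domain

# Exposure levels ordered from least to most exposed; a file is counted
# once, at the widest audience any of its permissions grants.
EXPOSURE_RANK = {"private": 0, "org_wide": 1, "external": 2, "public": 3}


def classify_exposure(file_record, corp_domain=CORPORATE_DOMAIN):
    """Return 'private', 'org_wide', 'external' or 'public' for one file."""
    level = "private"
    for perm in file_record["permissions"]:
        kind = perm["type"]
        if kind == "anyone":
            # Anyone-with-the-link or discoverable on the public web
            candidate = "public"
        elif kind == "domain":
            # Whole-domain share: org-wide if it is ours, external otherwise
            candidate = "org_wide" if perm["domain"].lower() == corp_domain else "external"
        elif kind == "user":
            # Named account: external when it is outside the corporate domain,
            # which also catches personal, non-corporate accounts
            addr = perm["email_address"].lower()
            candidate = "private" if addr.endswith("@" + corp_domain) else "external"
        else:
            continue  # unknown permission types are ignored here
        if EXPOSURE_RANK[candidate] > EXPOSURE_RANK[level]:
            level = candidate
    return level


def exposure_report(files, corp_domain=CORPORATE_DOMAIN):
    """Map each exposure level to (file count, percentage of all files)."""
    counts = Counter(classify_exposure(f, corp_domain) for f in files)
    total = len(files) or 1
    return {lvl: (counts[lvl], round(100.0 * counts[lvl] / total, 1))
            for lvl in EXPOSURE_RANK}


def files_needing_review(files, corp_domain=CORPORATE_DOMAIN):
    """IDs of files exposed beyond the organization, riskiest first."""
    flagged = [(f["file_id"], classify_exposure(f, corp_domain)) for f in files]
    flagged = [x for x in flagged if x[1] in ("external", "public")]
    return sorted(flagged, key=lambda x: -EXPOSURE_RANK[x[1]])


# Constructed sample: five files with mixed sharing settings
SAMPLE_FILES = [
    {"file_id": "f1", "permissions": [{"type": "user", "email_address": "alice@example.com"}]},
    {"file_id": "f2", "permissions": [{"type": "domain", "domain": "example.com"}]},
    {"file_id": "f3", "permissions": [{"type": "user", "email_address": "bob@example.com"},
                                      {"type": "user", "email_address": "partner@vendor.example"}]},
    {"file_id": "f4", "permissions": [{"type": "anyone"},
                                      {"type": "domain", "domain": "example.com"}]},
    {"file_id": "f5", "permissions": [{"type": "user", "email_address": "carol@personal.example"}]},
]

if __name__ == "__main__":
    for level, (count, pct) in exposure_report(SAMPLE_FILES).items():
        print(f"{level:9s} {count:3d} files  {pct:5.1f}%")
    print("review:", files_needing_review(SAMPLE_FILES))
```

A file with several permissions is counted once, at its widest audience, so the percentages do not double-count; a real audit would feed the same classifier with the permission export of the SaaS platform in question.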

Another important dimension of cloud applications is that the most successful applications create an ecosystem of third-party apps that can be connected via APIs to provide additional value and extend the app’s inherent core capabilities. These third-party applications are great for many reasons and serve many different purposes at work and at home. What organizations must realize is that when you authorize these applications to access your identities in the cloud, or the data in the cloud apps, a connection is established between the user and a third-party entity, and by extension between that entity and your corporate environment. Effectively, their security is now your security, because through this connection you may have granted access to read your email, view and manage your files, and perform operations even while you’re not using the application.

This vector is already being used to deliver a new form of malware: Cloud Malware. An attacker can deliver malware through such a third-party app and gain access to users’ data immediately. The cyber technologies that are deployed on-premises do not exist here, as this vector is outside the enterprise network, beyond the firewall. In fact, without modern cloud security technology, this type of attack will go completely unnoticed and untraced.
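One defensive check the two paragraphs above call for is a regular review of which third-party apps hold authorizations into the organization's cloud identities and data. The Python script below, added here as an example and not code from the article or from CloudLock, ranks a set of OAuth-style app grants by the breadth of access they were given, treating offline access (the ability to act while the user is not present) as a multiplier. The grant records, scope names, risk weights, and the allow list are constructed assumptions, not any identity provider's real scope identifiers or scoring.

```python
# Added example: rank third-party app authorizations (OAuth-style grants)
# by the access they were given. Grant records, scope names and risk
# weights are constructed assumptions for illustration, not any identity
# provider's real scope identifiers or scoring.

# Assumed weights: higher means broader reach into identities or data
SCOPE_RISK = {
    "profile.read": 1,
    "contacts.read": 2,
    "files.read": 3,
    "mail.read": 4,
    "mail.send": 4,
    "files.write": 5,
    "directory.admin": 8,
}
DEFAULT_SCOPE_RISK = 2     # unfamiliar scopes still count and are listed as a reason
HIGH_RISK_SCOPE = 4        # scopes at or above this weight are named in the reasons
OFFLINE_MULTIPLIER = 1.5   # a refresh token lets the app act while the user is away


def score_grant(grant):
    """Return (score, reasons) for one app authorization."""
    reasons = []
    score = 0
    for scope in grant["scopes"]:
        weight = SCOPE_RISK.get(scope)
        if weight is None:
            weight = DEFAULT_SCOPE_RISK
            reasons.append(f"unrecognised scope {scope}")
        elif weight >= HIGH_RISK_SCOPE:
            reasons.append(f"broad scope {scope}")
        score += weight
    if grant.get("offline_access"):
        score *= OFFLINE_MULTIPLIER
        reasons.append("offline access (acts without the user present)")
    return score, reasons


def review_grants(grants, allow_list=frozenset(), threshold=6):
    """Grants that are not pre-approved and score at or above the threshold,
    highest score first, ready for an admin to approve or revoke."""
    flagged = []
    for g in grants:
        if g["client_id"] in allow_list:
            continue  # vetted app, skip
        score, reasons = score_grant(g)
        if score >= threshold:
            flagged.append({"app": g["app_name"], "user": g["user"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda r: -r["score"])


# Constructed sample grants, shaped like an admin export of connected apps
SAMPLE_GRANTS = [
    {"app_name": "Calendar Sync", "client_id": "cid-1", "user": "alice@example.com",
     "scopes": ["profile.read", "contacts.read"], "offline_access": False},
    {"app_name": "Mail Helper", "client_id": "cid-2", "user": "bob@example.com",
     "scopes": ["profile.read", "mail.read", "files.write"], "offline_access": True},
    {"app_name": "Approved CRM", "client_id": "cid-3", "user": "carol@example.com",
     "scopes": ["mail.read", "contacts.read"], "offline_access": True},
    {"app_name": "Doc Viewer", "client_id": "cid-4", "user": "dave@example.com",
     "scopes": ["files.read"], "offline_access": False},
    {"app_name": "Unknown Tool", "client_id": "cid-5", "user": "eve@example.com",
     "scopes": ["mystery.scope", "mail.send"], "offline_access": True},
]
APPROVED_APPS = frozenset({"cid-3"})  # assumed allow list of vetted client IDs

if __name__ == "__main__":
    for row in review_grants(SAMPLE_GRANTS, APPROVED_APPS):
        print(f"{row['score']:5.1f}  {row['app']:14s} {row['user']:18s} "
              + "; ".join(row["reasons"]))
```

The reasons list is what makes the output actionable: an administrator sees not only that an app scored high but which scope or the offline grant drove the score, which is the information needed to decide whether to approve the app or revoke the token.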

The last threat vector of interest is that, because cloud applications are out in the wild, they are being attacked through brute-force password attacks or through attempts to log in with stolen credentials, under the premise that many users use the same password everywhere. And they’re right. While this isn’t necessarily new, it is important to highlight, as cloud apps contain our sensitive data.
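The two login patterns named above leave recognizable traces in a cloud application's authentication log, and they are the usual starting point for detection. The Python script below is an added example, not code from the article: it runs a sliding-window check over constructed login events and raises three kinds of alert, a burst of failures for one account from one source (brute force), one source failing against many accounts (password spraying with reused or stolen credentials), and a success that follows a burst of failures for the same account. The log format, the sample events, and the thresholds are assumptions chosen for illustration.

```python
# Added example: flag brute-force and stolen-credential login patterns in
# an authentication log. The log lines below are constructed, the format
# "<ISO timestamp> <user> <source IP> <FAIL|SUCCESS>" is an assumption, and
# the thresholds are illustrative tuning values, not vendor defaults.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2016-04-06T10:00:01Z alice 203.0.113.5 FAIL
2016-04-06T10:00:02Z alice 203.0.113.5 FAIL
2016-04-06T10:00:03Z alice 203.0.113.5 FAIL
2016-04-06T10:00:04Z alice 203.0.113.5 FAIL
2016-04-06T10:00:05Z alice 203.0.113.5 FAIL
2016-04-06T10:00:06Z alice 203.0.113.5 SUCCESS
2016-04-06T10:01:00Z bob 198.51.100.7 FAIL
2016-04-06T10:01:01Z carol 198.51.100.7 FAIL
2016-04-06T10:01:02Z dave 198.51.100.7 FAIL
2016-04-06T10:02:00Z eve 192.0.2.10 FAIL
2016-04-06T10:02:05Z eve 192.0.2.10 SUCCESS
"""


def parse_log(text):
    """Return (timestamp, user, ip, result) tuples in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, user, ip, result))
    return events


def _trim(dq, now, window):
    """Drop timestamps that have aged out of the sliding window."""
    while dq and now - dq[0] > window:
        dq.popleft()


def detect_login_abuse(events, window=timedelta(minutes=5),
                       fail_threshold=5, spray_threshold=3):
    """Return alerts as (kind, subject, ip, iso_timestamp) tuples.

    brute_force: one account failing repeatedly from one source
    password_spray: one source failing against many distinct accounts
    success_after_failures: a login that follows a burst of failures for
        the same account, the trace a guessed or stolen password leaves
    """
    alerts = []
    fails_by_user_ip = defaultdict(deque)   # (user, ip) -> failure times
    fails_by_user = defaultdict(deque)      # user -> failure times, any source
    users_by_ip = defaultdict(dict)         # ip -> {user: last failure time}
    sprayed_ips = set()
    for ts, user, ip, result in sorted(events):
        stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        if result == "FAIL":
            dq = fails_by_user_ip[(user, ip)]
            dq.append(ts)
            _trim(dq, ts, window)
            if len(dq) == fail_threshold:   # alert once, when the burst crosses the line
                alerts.append(("brute_force", user, ip, stamp))
            uq = fails_by_user[user]
            uq.append(ts)
            _trim(uq, ts, window)
            seen = users_by_ip[ip]
            seen[user] = ts
            for stale in [u for u, t in seen.items() if ts - t > window]:
                del seen[stale]
            if len(seen) >= spray_threshold and ip not in sprayed_ips:
                sprayed_ips.add(ip)
                alerts.append(("password_spray", f"{len(seen)} accounts", ip, stamp))
        elif result == "SUCCESS":
            uq = fails_by_user[user]
            _trim(uq, ts, window)
            if len(uq) >= fail_threshold:
                alerts.append(("success_after_failures", user, ip, stamp))
            uq.clear()  # a successful login resets the account's failure burst
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(parse_log(SAMPLE_LOG)):
        print(*alert)
```

The single failure followed by a success for `eve` produces no alert, which is the point of the thresholds: a mistyped password is normal, a run of five is not. The success-after-failures alert is the one worth routing to an analyst first, since it marks an account the attacker most likely now holds.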

Reducing the Cloud Threat Surface

So how do we address these new threats? It’s important to realize that the cloud presents an opportunity for better security. In the cloud, you operate under a shared responsibility model: the cloud vendor provides security of the cloud, while you (the customer) provide security in the cloud.

This means that you can focus on how to enable and configure cloud applications and services instead of spending time patching systems. You can focus on user education and enablement rather than blocking, which tends to lead to shadow IT. In addition, consolidating users and data in several major cloud applications can actually lead to an overall reduction of your threat surface in comparison to a distributed and heterogeneous on-premises IT environment. You do, however, need to model these threats, assess their impact on your company, and prioritize which ones to deal with.

The good news is that you can use the cloud itself to help. You can use the ultra-elastic, scalable cloud and the availability of APIs to connect cloud apps and platforms to build an intelligent, adaptive cloud security system that runs in the cloud and protects the cloud.

Interop 2016 Las Vegas: Find out more about Ron's Interop conference session, Friday, May 6, at the Mandalay Bay Convention Center, Las Vegas.

As CTO, Ron is responsible for CloudLock's overall technology and continuous innovation. Prior to founding CloudLock, Ron was Director of Product Management at Interwise (acquired by AT&T), and held varied Engineering Management positions in private and military sectors ...
Comments
Catherine Hudson, User Rank: Apprentice, 5/17/2017 | 8:28:06 AM
Measures to reduce the threats
To address the threats you mentioned, one should turn to SAM tools as well, such as Binadox. You can use it to monitor what SaaS (cloud) services were subscribed to/used by your employees and analyze the corresponding terms of service to determine risks.
ChopperDan64, User Rank: Apprentice, 4/11/2016 | 12:18:48 AM
Generalizations of threat don't = new threat vectors
I would challenge you: in your article, every place you reference the cloud (assuming public cloud), replace it with corporate IT and see if there is anything new. It is unlikely you will find any differences. Generalizing all IT vulnerabilities to say they are cloud vulnerabilities just because an organization connects to a SaaS service does not mean all IT vulnerabilities are now cloud specific. As an example, your research reference states, "Nearly one in four users (25%) own data that violates corporate security policy". The issues you bring up, which are good ones, are unlikely cloud specific, just general IT vulnerabilities.
RonZalkind, User Rank: Author, 4/8/2016 | 2:28:26 PM
Re: The Public vs Private Cloud

The public cloud is not as scary and dark a place as you imagine, WilliamM801. It just takes user education to ensure the data is kept secure. There are downsides and upsides to each — public and private. Ultimately, it's up to the organization to decide what's right for them.

RonZalkind, User Rank: Author, 4/8/2016 | 2:27:29 PM
Re: Moving from a house to a hotel.....

Good point, Nathanwburke. The way I look at it is that security can be a reason to move to the cloud from on-premises. The cost savings and the highly flexible, scalable, elastic nature are why we've seen this exponential growth in cloud adoption.

WilliamM801, User Rank: Apprentice, 4/6/2016 | 5:30:40 PM
The Cloud dare to compare
Cloud technologies have conquered vast IT territories and keep marching in all directions. How do cloud solutions compare to the old-fashioned server solution in small business environments? The simplest, most accurate answer is rather ambiguous: "it all depends". For some businesses, cloud technologies can play a very limited role, while others should embrace it at once in order to enjoy the savings, support simplicity, and longevity of a cloud solution.

www.alloraconsulting.com/it-solutions/93-cloud-technologies-vs-server-solutions-for-small-business
Charlie Babcock, User Rank: Ninja, 4/6/2016 | 4:18:27 PM
The threat surface actually shrinks
The cloud environment is no scarier than the existing enterprise environment, which contains its own liabilities. Ron Zalkind's analysis is a good one and points out what issues to try to address. In the long run, I think the cloud environment represents the one that can be made most secure.
nathanwburke, User Rank: Author, 4/6/2016 | 3:10:29 PM
Moving from a house to a hotel.....
Ron,

Good points, and your article makes me think of a few things:

The cloud isn't just a "different on-prem". In the early days, companies saw their move to the cloud as simply a matter of location...instead of having a server room in the building, they used someone else's. 

It's almost like moving from a house into a hotel and expecting everything to remain exactly the same. 

You store all your stuff in your house, and you're responsible for keeping it all safe. You do that by only giving out keys to people you trust, and you get a service like ADT as an extra layer of defense. 

When you move into the Marriott, you still want to keep your stuff safe, but now it's different.
  • You have a couple of keys, but they belong to the front desk, and they can create any number of copies at a moment's notice.
  • Although you still only give your keys to people you trust, the hotel has master keys that they give to the cleaning staff and others. In essence, they control access. Not you. 
  • You can ask the front desk if you can install ADT in just your room, but that's probably not going to happen. Even if they agreed (they won't), you'd still have to give them the access codes. 
  • If someone breaks into the hotel's security system, they now have access to your stuff as well as every other guest's.

But it's not all bad. You could be staying at a hotel that has better security than you could possibly have at home. Not only that, you have access to the pool, the gym, a free paper, a concierge, and maybe even breakfast is thrown in. You now have capabilities that wouldn't be available at home. 

It's not necessarily better or worse, just different. And with that, you can't take the same approach to security. You have to adapt to protect yourself against different threats. And perhaps giving the front desk a $5 handshake every now and then could significantly increase your security posture. Worth a shot. 
WilliamM801, User Rank: Apprentice, 4/6/2016 | 1:41:19 PM
The Public vs Private Cloud
The public cloud is a scary dark cloud...when you never meet who holds your data

A private cloud like in this article here is the safe bet in my opinion

www.alloraconsulting.com/it-services/managed-cloud-domain-controller