Cyber security threats through the Cloud
As with most of technology, security goes through periodic changes, cycles and generations. Hardware, software, applications and methodologies all arrive, become commoditized and standardized to the point of being invisible, and then come back in a new evolved form. New platforms and new devices create new opportunities but are also subject to new evolved threats – something that remains true of security.
Cloud Computing: a brand new landscape for threats
IT security threats evolve and adapt to the new IT environment. As corporate and personal IT usage habits have changed, so too have the types of security threats present in the world. New IT practices like Cloud Computing give end-users great benefits in terms of mobility, flexibility and productivity, but they also give malicious third parties new routes to breaching security and increase risks. So while the Cloud has given users a whole new world of mobile computing, it has also created a whole new landscape for hackers and viruses to attack from.
The rise and rise of mobile usage and the Cloud have seen third party attackers change their approaches. Cloud services, social media websites and Android operating system devices have all become new targets, while traditional user data and website denial of service hacks remain popular.
Recent malicious examples in Australasia have included the damaging loss of over 20,000 customer passwords by surf wear brand Billabong and Web giant Google having its Australia office’s building control system hacked into. Similarly it was revealed recently that the Reserve Bank of Australia was compromised by a phishing attack, while the Commonwealth Bank of Australia recently stated, in the light of hacking attacks on Australia Security Intelligence Organization, that cyber security is among its top concerns.
The risks posed by hackers and phishing attacks haven’t gone away, they’ve just evolved.
the ever-changing nature of the cyber security threat
Cyber security attacks and the ways in which they affect people and organizations are always in a state of transformation. As one IT specialist finds a solution to a particular problem or type of attack, so the creative hackers out there come up with something new and improved.
So as the Cloud has played out its role as both a disruptor and an enabler in the technology world, so too new threats have emerged from it. The leading threat to both organizations and individuals is data breaches. Companies fear sensitive corporate data falling into the hands of competitors, private citizens fear their bank details and credit card information being misappropriated and abused. This is of course not a new threat in itself, but the Cloud enables new routes to the hack, virtual machines and poorly-designed multitenant databases both offering different access points.
In addition to data breaches and data loss, there are the ever-present threats of account hijacking and denial of service, both of which can now be attempted differently thanks to the Cloud. API keys – the coding that Cloud applications use to identify each other – are another tool in the hacker’s armory, allowing malicious parties to launch denial of service attacks or accumulate fees and charges on a victim’s account.
cyber security: a critical business issue
So while the threat is still similar in nature to previously, the avenues to getting in have increased. What this means is that it is time for companies to start thinking about security as a defined strategic issue.
Data security threats and attacks are major factors in successfully achieving regulatory compliance, whatever industry a company might be in. Non-compliance through having inadequate protection of corporate and customer data is a terrifying thought for any company director, so cyber security now really needs to sit at the top of any senior executive’s ‘to do’ list.
but end-users suffer too
At an individual level, the Cloud has helped to bring phishing into the mainstream of cyber security threats. Phishing was previously quite an insidious tactic, but today it has become incredibly brazen and up front, particularly in the mobile world. Because people now use their mobile devices by second nature, often inputting their password dozens of times a day, users are simply less vigilant.
It is estimated that mobile users look at their devices for one reason or another up to 150 times per day – this means entering that precious four-digit PIN code repeatedly – and how many end-users are really certain about what site they are distractedly tapping their password into?
changing threats mean changing strategy
To address this ever-changing security threat, a change of thinking is required. For many years companies and governments acknowledged the need for IT security, were both aware of and concerned about the threats involved, but were still very reactive. So this change in thinking means no longer considering IT security as ‘just’ an IT issue. The focus must change to making cyberspace a strategic asset which requires as much security as physical borders and buildings do.
The Australian government has recently taken the proactive step of investing in cyber security, identifying the threat as a strategic one which affects not just ‘the Web’, but the country’s entire economy, infrastructure and the nation’s future prosperity. It has been estimated that during 2012, 5 million Australians were affected by cyber security issues, at a cost to the country of around $1.6 billion. So it is to the government’s credit that even in an election year it has given the problem due consideration and taken the initiative, ploughing money into cyber security. That’s how significant an issue cyber security and the new threats available through the Cloud have become.
risk management is required at all three levels
The evolution of cyber security threats to the new environment means that the threat exists at three different levels
- the personal
- the organizational
- and the nation state or community level.
At each of these levels the consequences can be dramatic and risk management is required at all three levels.
photo credit: © DURIS Guillaume - Fotolia.com
July 1, 2013Gordon.email@example.comHi Graeme
Thanks for the feedback. It is always great to receive feedback. You are right. Advanced Persistent Threats (APTs) are becoming a key concern and receiving a higher profile. I alluded to APTs but did not refer to them directly. They typically fit into the cybercrime category directed at business and political targets. Commercial & political cyber espionage is currently in the news and new disclosures are happening on a daily basis. APTs are typically categorised by a high degree of stealth and longer term objectives directed by groups or organizations rather than individuals. They coordinate multi-vector email attacks against a specific business, educational, or government organisation. An APT might consist of a combination of socially engineered email with a URL attack, credential request, compromised websites and malware in order to steal information. APT attacks are difficult to identify. However the theft of data should never be completely invisible. Detecting anomalies in outbound data is one of the methods for identifying that a network has been the victim of an APT attack. This response is again a C level view of APTs, maybe more details in a future blog. Thanks, Gordon
June 27, 2013Graeme woodGreat article. Good summary for c levels to understand. You did not cover the most recent threats called targeted threats or APT. Worth including because we can do things to minimise ( lower social media content on ourselves) and there are solution to stop them from trend micro and fireeye