Security as a Strategy (SaaS)

Top 7 Threats to Cloud Computing – Part 2

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

Remediation

  • Stricter initial registration and validation processes
  • Enhanced credit card fraud monitoring and coordination
  • Comprehensive introspection of customer network traffic
  • Monitoring public blacklists for one's own network blocks
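The last bullet is the one a cloud operator (or a tenant with its own address space) can automate directly. The script below, an added example that is not from the CSA report or the original post, checks every host in a network block against public DNS blacklists using the reversed-octet lookup convention. The zone names are real public lists; the block being checked is a constructed RFC 5737 documentation range, and the resolver is injectable so the demo at the bottom runs offline.

```python
"""Check whether addresses in one's own network blocks appear on public DNS
blacklists (DNSBLs).  Added example, not from the CSA report or the original post.
The DNSBL zone names are real public lists; the /29 used as "our" block is a
constructed documentation-range address (RFC 5737), so nothing here is real data."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Assumed zone list; most DNSBLs use the reversed-octet convention shown below.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# Given a lookup name, return the A record answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone appended.
    192.0.2.9 on zen.spamhaus.org -> 9.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dns_resolver(name: str) -> Optional[str]:
    """Real resolver: a DNSBL answers with an A record (typically 127.0.0.x)
    for listed addresses and NXDOMAIN for unlisted ones."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_block(cidr: str, zones: List[str] = DNSBL_ZONES,
                resolve: Resolver = dns_resolver) -> Dict[str, List[str]]:
    """Return {ip: [zones listing it]} for every host in the block that is listed.
    Unlisted addresses do not appear in the result."""
    hits: Dict[str, List[str]] = {}
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for host in ipaddress.IPv4Network(cidr).hosts():
        for zone in zones:
            answer = resolve(dnsbl_query_name(str(host), zone))
            # Only 127.0.0.0/8 answers are listings; anything else is a
            # wildcarding or misconfigured resolver and must not raise alarms.
            if answer is not None and ipaddress.IPv4Address(answer) in loopback:
                hits.setdefault(str(host), []).append(zone)
    return hits


if __name__ == "__main__":
    # Offline demo with a constructed resolver so the example runs without network access.
    fake = {"9.2.0.192.zen.spamhaus.org": "127.0.0.2"}
    print(check_block("192.0.2.8/29", resolve=lambda n: fake.get(n)))
```

Run it from cron against each allocated block and alert on any new entry; the 127.0.0.0/8 filter matters because some resolvers wildcard NXDOMAIN to an advertising page, which would otherwise look like every address being listed.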

Threat #2: Insecure Interfaces and APIs

Remediation

  • Analyze the security model of cloud provider interfaces
  • Ensure strong authentication and access controls are implemented in concert with encrypted transmission
  • Understand the dependency chain associated with the API (application programming interface)

Threat #3: Malicious Insiders

Remediation

  • Enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Specify human resource requirements as part of legal contracts
  • Require transparency into overall information security and management practices, as well as compliance reporting
  • Determine security breach notification processes

Threat #4: Shared Technology Issues

Remediation

  • Implement security best practices for installation/configuration
  • Monitor environment for unauthorized changes/activity
  • Promote strong authentication and access control for administrative access and operations
  • Enforce service level agreements for patching and vulnerability remediation
  • Conduct vulnerability scanning and configuration audits

Threat #5: Data Loss or Leakage

Remediation

  • Implement strong API access control
  • Encrypt and protect integrity of data in transit
  • Analyze data protection at both design and run time
  • Implement strong key generation, storage and management, and destruction practices
  • Contractually demand providers wipe persistent media before it is released into the pool
  • Contractually specify provider backup and retention strategies

Threat #6: Account or Service Hijacking

Remediation

  • Prohibit the sharing of account credentials between users and services
  • Leverage strong two-factor authentication techniques where possible
  • Employ proactive monitoring to detect unauthorized activity
  • Understand cloud provider security policies and SLAs
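The first and third bullets can be turned into a concrete detection: a credential that is being shared between people, or has been stolen, shows up as one account logging in successfully from several distinct source addresses within a short window. The code below is an added example, not from the CSA report or the original post; the log line format and the sample lines are constructed for the illustration.

```python
"""Detect credential sharing and possible account hijacking from authentication
logs: one account logging in successfully from several distinct source addresses
inside a short window.  Added example, not from the CSA report or the original
post; the log format and the sample lines are constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: alice is used from three addresses in four minutes
# (shared or stolen credential); bob and the backup service account behave normally.
SAMPLE_LOG = """\
2010-01-15T10:00:00Z user=alice src=203.0.113.5 result=success
2010-01-15T10:01:30Z user=bob src=198.51.100.7 result=success
2010-01-15T10:02:00Z user=alice src=203.0.113.77 result=success
2010-01-15T10:03:10Z user=alice src=192.0.2.33 result=failure
2010-01-15T10:04:00Z user=alice src=192.0.2.33 result=success
2010-01-15T10:30:00Z user=bob src=198.51.100.7 result=success
2010-01-15T11:00:00Z user=svc-backup src=198.51.100.20 result=success
"""


def parse(log: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, user, src) for each successful login, in time order;
    malformed lines and failures are skipped (failures belong to a brute-force rule)."""
    events = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["result"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"]))
    return sorted(events)


def find_shared_credentials(log: str, window: timedelta = timedelta(minutes=10),
                            max_sources: int = 1) -> Dict[str, List[str]]:
    """Sliding window per user: report users whose successful logins came from
    more than max_sources distinct addresses within any span of length `window`."""
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, src in parse(log):
        per_user[user].append((ts, src))
    alerts: Dict[str, List[str]] = {}
    for user, logins in per_user.items():
        for i, (start, _) in enumerate(logins):
            # logins are time-ordered, so everything from index i on is at or after start
            in_window = {src for ts, src in logins[i:] if ts - start <= window}
            if len(in_window) > max_sources:
                alerts[user] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    print(find_shared_credentials(SAMPLE_LOG))
```

Tune `max_sources` upward for accounts that legitimately roam (a laptop moving between office and 3G), and keep service accounts on a separate, stricter rule: a service credential should come from exactly one address, and anything else is the "sharing between users and services" the bullet prohibits.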

Threat #7: Unknown Risk Profile

Remediation

  • Disclosure of applicable logs and data
  • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
  • Monitoring and alerting on necessary information

How Einstein Protects Government Computer Networks

Ever wondered what the Department of Homeland Security (DHS) is doing to protect government networks, and what you can do too? Government networks are among the most highly targeted sites for cyber terrorists; they come under attack hundreds of times per year. To protect government assets DHS uses Einstein 1, a network flow monitoring system, and Einstein 2, an intrusion detection system.

DHS is in charge of monitoring the .gov domain for potential threats and works with several non-federal partners in various network security programs. While primarily focused on federal networks, DHS is now branching out to deploy Einstein on civilian and state networks through partnership programs under the auspices of DHS's U.S. Computer Emergency Readiness Team (US-CERT).

Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, DHS, has said that a third version of Einstein, with more advanced technology, is envisioned as an intrusion prevention system across civilian networks and systems. The additional surveillance and intrusion response capability would give the government better awareness with which to protect the public, according to Mr. Reitinger.

In addition to Einstein 3, DHS has a variety of other initiatives under way to enhance the cyber security of federal and civilian networks including:

  • Consolidating agencies' external Internet connections to reduce the number of entry points for potential outside threats
  • Developing a supply chain risk management framework to address security threats and vulnerabilities that could be introduced into hardware and software acquired by federal agencies
  • Establishing the Industrial Control Systems Cyber Emergency Response Team facility, to synchronize incident response activities related to attacks on control systems operating the Nation's critical infrastructure
  • Initiating an information-sharing pilot working with the Financial Services Information Sharing and Analysis Center to enhance threat information sharing with the financial services sector

So what we learn from the DHS programs is that a solid network security plan includes: (1) a network security system that monitors, detects and prevents intrusions; (2) a strategy of reducing access points (network nodes, connections, rogue devices, the number of different software packages used by end users); and (3) collaboration with trusted security partners to share incident response and threat information.
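Those three points can be exercised together on flow records, which is the data Einstein 1 works from. The script below is an added example, not DHS or Einstein code: it triages constructed flow records, flagging external traffic that left through a gateway outside the consolidated set (point 2) and traffic to an address on a list received from a sharing partner (point 3). The record format, the gateway names and the indicator list are all assumptions made for the illustration.

```python
"""Flow-record triage: external traffic that bypassed the approved Internet
gateways, and traffic to addresses received from a sharing partner.  Added
example, not DHS or Einstein code; the record format, the gateway names and the
indicator list are constructed for this illustration."""
import csv
import io
import ipaddress
from typing import Dict, List

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_EGRESS = {"gw-east", "gw-west"}     # the consolidated Internet connections
SHARED_INDICATORS = {"203.0.113.66"}          # e.g. an address received from an ISAC partner

# Constructed flows: ts,src,dst,dport,bytes,gateway (gateway = where the flow left the network;
# empty for flows that never left).  All addresses are documentation/private ranges.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes,gateway
2010-01-15T10:00:00Z,10.1.2.3,198.51.100.10,443,5120,gw-east
2010-01-15T10:00:05Z,10.1.2.4,203.0.113.66,80,900,gw-east
2010-01-15T10:00:09Z,10.1.9.9,198.51.100.77,8080,300,dsl-modem-3
2010-01-15T10:00:12Z,10.1.2.3,10.1.2.50,22,2048,
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of our internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def triage_flows(flows_csv: str) -> Dict[str, List[dict]]:
    """Return two finding lists: 'rogue_egress' for external traffic that left
    through a gateway outside the consolidated set, and 'indicator_hit' for
    traffic to an address on the shared indicator list."""
    findings: Dict[str, List[dict]] = {"rogue_egress": [], "indicator_hit": []}
    for row in csv.DictReader(io.StringIO(flows_csv)):
        if is_internal(row["dst"]):
            continue                          # internal-to-internal: not an egress flow
        if row["gateway"] not in APPROVED_EGRESS:
            findings["rogue_egress"].append(row)
        if row["dst"] in SHARED_INDICATORS:
            findings["indicator_hit"].append(row)
    return findings


if __name__ == "__main__":
    for kind, rows in triage_flows(SAMPLE_FLOWS).items():
        for r in rows:
            print(kind, r["src"], "->", r["dst"], "via", r["gateway"] or "(none)")
```

A flow leaving through `dsl-modem-3` is exactly the rogue access point the consolidation effort is meant to remove; it is invisible to an IDS sitting only on the approved gateways, which is why the flow data has to come from inside the network too.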

Security Trends and Outlook for 2010

There was a call recently, sponsored by Symantec, in which security experts and analysts discussed the security trends in 2009 and what they expected to see in 2010. Here's what they said:

2009 Trends

  • Drive-by downloads. In 2008 there were 18 million drive-by download attempts; in the first half of 2009 there were already 17.5 million. This activity is increasing. (See the last blog post for a discussion of drive-by downloads.)
  • Plug-ins. Drive-by downloads that target browser plug-ins, as well as websites, are increasing.
  • Trusted websites. Legitimate websites are now being compromised: the vast majority of downloads blocked by Symantec came from legitimate sites. Cyber criminals are finding ways to post malicious Java applets or ActiveX controls, especially on social networking websites, that target the users of those sites.
  • Rogue security software. From July 2008 to July 2009 Symantec counted 43 million installation attempts by rogue security software. The latest ploy is to repackage free anti-virus software found on the web and either resell it for a fee or bundle malware that hijacks the user's computer once the application is installed.
  • Content scams. The latter half of 2009 saw increasing content-based attacks: the scam artist creates fake sites keyed to popular search terms or current news events, poisoning search engine results with sites laden with malicious links, ads or drive-by downloads.
  • Security breaches. Data breaches continue to grow, increasing the risk of identity theft: 400 breaches were reported in 2009, compromising 200 million records. 80% of breaches are attributed to insiders within the organization, and 59% of employees take confidential information with them when they leave a company.

2010 Outlook

  • URL shortening services. Bloggers, Twitter users and many social networking users rely on "URL shortening services" to produce short links that redirect to much longer ones. For example, if I have a link that is 30 characters long and want to embed it in a Tweet, which has a 140-character limit, I can post a 10-character link from such a service that points to the real destination. The service is a hosted redirect: a user who follows the short URL is sent on to the long one. Cyber criminals are now finding ways to redirect links hosted by the shortening provider to malicious destinations.
  • CAPTCHA. When you register for new accounts on many websites, you are asked to type in a code displayed in a distorted, oddly styled image; this is how the website owner ensures that an actual human, not a program, is registering. Some cyber criminals now use low-cost labor in sweatshops, in places like India, to solve these manually and create accounts. Once registered with a website that, for example, offers an Instant Messenger (IM) account, the attacker uses the IM account to send malicious links to other IM users.
  • Non-English spam. Most spam to date has been in English, but there has been a significant increase in native-language spam in countries like the Netherlands, Germany and France.
  • Focused malware. Symantec sees increases in specialized malware that targets specific systems such as Automated Teller Machines (ATMs) and phone-based voting systems (e.g. those used by reality TV shows for public voting).
  • Cell phones. Smartphones are becoming targets for rogue security software download attempts. With so many applications now available for wireless devices like the BlackBerry, attackers are looking to reuse the same scams that work on computer users.
  • Bandwidth. Increased bandwidth in developing countries, created by the installation of broadband networks, has brought a resurgence of botnets used by spammers.
  • Social networking sites. Scammers are trolling popular social media sites like Facebook for opportunities to plant malicious content and micro-applications. By infecting users who receive and trust messages from others in their circle, attackers can spread through entire networks.
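The practical defence against the URL-shortener problem above is to expand a short link before anyone clicks it, following the redirect chain one hop at a time, with a hop limit, and showing the whole chain. The code below is an added example, not from Symantec or the original post. The HTTP fetch is injectable so the demo runs offline against a constructed redirect chain; the short-link hosts in the demo are fictitious.

```python
"""Expand a shortened link without trusting it: follow redirects one hop at a
time with a hop limit and report the whole chain.  Added example, not from
Symantec or the original post; the fetcher is injectable so the demo runs
offline, and the hosts in the demo are fictitious."""
import urllib.error
import urllib.request
from typing import Callable, List, Optional
from urllib.parse import urljoin

# Given a URL, return the Location header if the server redirects, else None.
Fetcher = Callable[[str], Optional[str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects itself so we can inspect each hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url: str) -> Optional[str]:
    """Real fetcher: a HEAD request that does not follow redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5):
            return None                   # 2xx: this is the final page
    except urllib.error.HTTPError as e:
        if 300 <= e.code < 400:           # a 3xx surfaces as an error once redirects are disabled
            return e.headers.get("Location")
        raise


def expand(url: str, fetch: Fetcher = http_location, max_hops: int = 10) -> List[str]:
    """Return the redirect chain starting at url (first element is url itself).
    Raises ValueError on a loop or when max_hops is exceeded."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain
        nxt = urljoin(chain[-1], nxt)     # Location may be relative to the current hop
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise ValueError("too many redirects")


if __name__ == "__main__":
    # Offline demo: a constructed two-hop chain with a relative Location on the second hop.
    fake = {"http://sho.rt/abc": "http://redir.example/x",
            "http://redir.example/x": "/landing"}
    print(" -> ".join(expand("http://sho.rt/abc", fetch=fake.get)))
```

Expanding a link this way is not the same as visiting it safely: a HEAD request still tells the redirector it was followed, and a shortener that serves different targets by User-Agent or region can show the checker a benign page and the victim a malicious one.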

What to do? Symantec is pursuing a concept it calls "reputation-based security": all websites are assumed guilty until proven innocent. So look for increased certification and diligence in safeguarding the content, links and applets on websites.

In addition, as individuals, two of the best practice security tips you should follow are: (1) don't store your passwords in the browser (don't click the "remember me" option), and (2) use strong passwords on your home wireless router (change the one that comes with the unit) as well as at every website you register with.

Obstacles to Proactive Security

A fair amount of talk in the security industry concerns whether organizations are being proactive, reactive, or some combination of both. Risk assessments can proactively identify threats and vulnerabilities, while security devices (firewalls, IPS, anti-virus software, etc.) promise, and in most cases deliver, early detection and mitigation of security threats, real or suspected.

While most people would agree that assessments and security devices are necessary, convincing management to invest in them is a challenge. Regulations and industry standards (not just within the security industry) can help justify the investment, but is that enough? Obviously, in today's economy cost is a big factor and, truth be told, some of these devices (and their implementation costs) are expensive. Other than cost, what other "reasons" (good, bad or otherwise) do organizations have for not taking a more proactive stance on information security?
