- David Geer, Geer Communications
The global cloud security products and services market is expected to grow by a compound annual growth rate of 13.9% through 2024, according to Grandview Research. But will more tools genuinely keep cloud security risks contained and valuable data safe from nation-state hackers and privacy threats? Not unless companies plug the primary security hole: human error.
It's the human errors that nation-states most often exploit and that most frequently let the private data "cat" out of the cloud computing "bag," according to CISOs.
Nine out of 10 cybersecurity professionals worry about cloud security, according to Crowd Research Partners; they find the top three cloud security challenges to be data loss and leakage, threats to data privacy, and breaches of confidentiality.
Still, there are ways to lessen the threat from powerful foreign hackers and reduce the potential for privacy leaks and breaches. But, first, it's important to understand the human weaknesses these attackers exploit.
Cloud security risks: Nation-state attacks on private data
It doesn't matter whether their attack is technical or not so technical; nation-state assaults on the cloud usually use vulnerabilities that derive from human error. As Rebecca Wynn, CISSP, CCISO, head of information security at Matrix Medical Network, explained, "There have been public attacks on container deployments, but most of them targeted low-hanging fruit or mimicked attacks that you see on a VM [virtual machine] -- e.g., misconfigurations, credentials, secrets in public code." Among the trending cloud security flaws are those created by people who misconfigure cloud settings or who expose their login credentials. Another stems from the regrettable software development practice of hard-coding credentials into programs.
Nation-state attacks on cloud data are high profile and severe. "Nation-state hackers are targeting managed service providers (MSPs) to access large companies, and this trend is on the rise," Wynn said. "The DHS announced late in 2018 that there were active threats targeting MSPs." It's unclear how many global MSPs were breached as a result, let alone how many of their customers were exposed. But it's those customers who were the targets all along: China, the nation-state in question, sought to steal priceless proprietary trade secrets and intellectual property to advance its enterprises in competition with the rest of the world.
The aforementioned "not so technical" nation-state cloud attacks that exploit human error are primarily phishing attacks. The Lazarus Group, a team of North Korean hackers, uses spear phishing to compromise employees during cryptocurrency exchanges to steal massive Bitcoin sums. The hackers use the currency to supplement losses due to international sanctions so the country can continue to fund its nuclear and ballistic missile initiatives, according to a 2019 U.N. report.
Closing the cloud security gap
Here are five ways to address some of the vulnerabilities end users can expose:
- Institute stronger password management.
- Share social media best practices.
- Establish approved back channels for sensitive data.
- Ramp up security awareness training.
- Offer attractive (but vetted) alternatives.
Source: Osterman Research Inc., "Best Practices for Implementing Security Awareness Training," October 2018
"All these cryptocurrency exchanges live in the cloud," said Mark Lynd, managing partner at Relevant Track. Lynd and executives at Relevant Track serve companies as fractional CISOs, filling in for executives at those companies. According to Lynd, most nation-state bad actors gain unauthorized access to the cloud through phishing attacks and work to elevate access and privileges to get what they want.
Nation-state attackers don't just steal from the cloud; they also corrupt cloud data. According to Lynd, sometimes they pollute the information that otherwise enables companies to use sophisticated tools like machine learning to validate accounts. The corruption forces companies to use more manual processes, which are less challenging for nation-states to thwart.
Don't think there is some unique sanctuary for private data in the cloud. If attackers can get to intellectual property in the cloud, they can get to personally identifiable information and protected health information that lives there, too.
Enterprise perceptions of cloud security risks
Rebecca WynnHead of information security, Matrix Medical Network
Though mitigating cloud vulnerabilities and attack vectors is a juggling act to challenge even the most talented CISO, most are coming to grips with the new reality.
Cloud customers are adjusting to nation-state attacks and threats to private data. "The nation-state deployment of ransomware, the rash of high-profile data breaches involving personal identity information and the use of social media is becoming the new norm in proxy warfare," Matrix Medical Network's Wynn said.
It helps to know the source of most of your cloud problems, and CISOs agreed that it's the unchanging nature of the fallible human being.
"Breaches occur when people don't apply security controls or they apply them partially or improperly to address specific threat vectors. Such vectors are myriad, and you need to identify, understand and remediate them," said Allan Alford, CISO at telecommunications company Mitel.
Even in the cloud, you need to defeat phishing. Start by teaching employees to recognize the phishers and throw them back in the depths of the internet without biting on their hooks. "I do strongly believe that phishing is the biggest issue along with social engineering, and you have to educate users," Relevant Track's Lynd said.
It makes no difference whether you're using cloud or not; phishing is still a major security threat, Lynd agreed. As long as some phishing emails get through and one person responds to it -- revealing their username and password -- it's still the easiest way for criminal hackers to get a credential. And once they have that credential, they can elevate privileges on your network.
After employee education, taking preventive measures will best protect data in the cloud. In other words, an ounce of prevention is worth a pound of cure every time. Wynn agreed: "Investment in cybersecurity and digital emergency preparedness is of vastly increased importance going forward; it should at least be on par with preparation for other catastrophic events, like fire and extreme weather."
According to Wynn, cybersecurity strategies should encompass the gamut of potential attacks and events that could strike a crippling blow to a company's operations; these include nation-state attacks on infrastructure and cloud providers and services.
Cyberinsurance policies are an absolute must-have component of cyber-readiness. Wynn mapped out a detailed approach to getting the right cyberinsurance policy, one that takes into account the potential for nation-state attacks and cloud vulnerabilities:
- Get coverage for ransomware and the many types of cyberattacks.
- Review your policy annually or more often, and update your coverage as needed.
- Keep your software up to date and comply with all reasonable security measures that your policy defines. (Many policies predicate coverage on whether you took these measures.)
- Demand that your insurer removes any nation-state exclusions in your cyberinsurance policy.
- Be aware that you may need coverage -- for a ransomware attack, for example -- in more than one clause. The interruption to your business may require coverage under a separate section from the attack itself.
- Exclusions and gaps in insurance coverage are often complicated and hard to identify. Enlisting an experienced coverage counsel to navigate coverage for the ever-evolving cybersecurity landscape can help ensure your company's resilience to these attacks.
To address the cloud security risks to private data in the cloud, follow best practices. Perform risk assessments on the cloud that mirror the assessments you do internally, Wynn said. "I assess access controls, identity management, auditing and logging, and policies and procedures. I use independent third-party audits with attestations."
Mitel's CISO advised going back to the basics, but only for starters. "Use good security and privacy practices that are applicable regardless of whether the environment is on premises or cloud-based," Alford said. Alford also suggested applying these specific practices:
- Perform a maturity assessment. These assessments reveal your current cybersecurity
- Use a comprehensive risk analysis.
- Institute a program to address risks in priority order.
- Use proper processes and policy to keep your security program growing in the right direction.
There are specific cloud privacy steps you should take to minimize cloud security risks. "All the major cloud service providers offer unique security controls that can complement firewalls, WAFs [web application firewalls], encryption and other industry-standard controls," Alford said. Cloud security controls include encryption, cloud backups and cloud disaster recovery.
Negative impact of privacy laws
The GDPR limits law enforcement's ability to pursue suspects in cybercrimes. Cybercriminals register new domain names for websites they use in committing cybercrimes; the new law forces the removal of readily available public information about website registrants to protect their privacy. Where law enforcement used to be able to look up a registrant with their location and contact information, today they must go through a tedious process.
Europol has publicly stated that "while these developments [GDPR and others] are positive, all will in some way impact on our ability as law enforcement officers to effectively investigate cybercrime."
In the full report, the "2018 Internet Organized Crime Threat Assessment," Europol stated that "from 25 May law enforcement agencies need to initiate formal legal process and mutual legal assistance and get a specific authorization from a prosecutor or a judge to obtain information on registrants of domain names from registries, registrars and lower-level providers."
According to Matrix Medical Network's Wynn, the new California privacy laws will have a similar effect. The California Consumer Privacy Act -- which will go into effect January 1, 2020 -- is more restrictive than the GDPR in that it protects data that you can reasonably link directly or indirectly with a particular consumer or household. "I expect that law enforcement investigations will see negative impacts until they discover and use another avenue to track internet activities of users," Wynn said.
Nation-state hackers are scary. They play in a much bigger sandbox. And privacy concerns are magnified by laws that push the problem back onto your shoulders. What can you do? Take every current, applicable measure to counter cloud security risks. Insure the daylights out of your cyber responsibilities. And it can't hurt to pray.