The Cloud’s Hazy Security

A significant percentage of IT systems are cloud-based, according to a CompTIA survey of 502 U.S. companies.

The cloud is a key enabler for emerging technology, suggests the poll, which was conducted last month.

Cloud computing was one of four trends respondents expected to feature heavily in IT conversations over the next 12 to 18 months, CompTIA found. Others were artificial intelligence, the Internet of Things and cybersecurity.

Apart from improved CapEx and OpEx, the cloud offers better security, proponents have argued.

“The state of security in the public cloud is fairly mature,” said Don Meyer, head of product marketing, data center, at Check Point.

However, a number of factors have made cloud security problematic:

  • Failure of companies using the cloud to take adequate precautions;
  • The rise of cryptojacking, the use of malware to take over victims’ computers and use them to mine cryptocurrencies; and
  • Processor vulnerabilities.

Poor user and API access hygiene, combined with ineffective visibility and user activity-monitoring, make organizations vulnerable, according to RedLock.

For example, a recent survey revealed that 73 percent of organizations allowed root user accounts to be used to perform activities, contrary to security best practices, and 16 percent potentially had compromised user accounts.
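The root-account finding above is something a team can check for itself from its own audit trail. The following is an added example, not the article's or RedLock's code: it runs over a few constructed CloudTrail-style records (placeholder account ID and documentation IP addresses, assumed for illustration) and flags any activity performed as the account root, plus console logins that did not use MFA.

```python
"""Audit CloudTrail-style records for root-account use and non-MFA console logins.

Added example; not the article's code or any vendor's tooling. The records below
are constructed in CloudTrail's JSON shape with placeholder account ID and IPs.
"""
import json

# Constructed sample trail (assumption: illustrative data, not a real account).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-05-10T08:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-05-10T08:13:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2018-05-10T09:02:17Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2018-05-10T09:40:55Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]})


def load_records(text):
    """Accept a CloudTrail log file ({"Records": [...]}) or a bare JSON list of events."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def audit_events(events):
    """Return one finding per rule hit.

    root-activity:             any call or login where userIdentity.type is "Root".
    console-login-without-mfa: a ConsoleLogin whose additionalEventData.MFAUsed is not "Yes".
    """
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        base = {"eventTime": ev.get("eventTime"), "eventName": ev.get("eventName"),
                "arn": ident.get("arn", "<unknown>"),
                "sourceIPAddress": ev.get("sourceIPAddress")}
        if ident.get("type") == "Root":
            findings.append(dict(base, rule="root-activity"))
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(dict(base, rule="console-login-without-mfa"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {"root-activity": 2, "console-login-without-mfa": 1}."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_events(load_records(SAMPLE_TRAIL)):
        print(f"{f['eventTime']} {f['rule']:26} {f['eventName']:13} "
              f"{f['arn']} from {f['sourceIPAddress']}")
```

On real data the same two rules are what a CloudWatch metric filter or a SIEM rule would encode; the point of running them over the trail is that root use should be a rare, ticketed event, so every hit deserves a look, and the non-MFA login of the root user in the sample is exactly the kind of record that a compromised-account investigation starts from.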

In the past, hackers were interested mainly in stealing data — but now they also hijack compute resources to mine cryptocurrencies. In research released last fall, 8 percent of organizations were affected by that type of hacking, RedLock found.

User-Created Problems

Challenges to cloud security “stem from a false sense of security and/or confusion with regards to the shared responsibility model,” Check Point’s Meyer told the E-Commerce Times. “Companies must understand the model and their role in the model to ensure proper security measures are deployed to keep their environment secure.”

Misconfigurations are the cause of “a lot of security issues that crop up,” noted Dave Lewis, global security advocate at Akamai.

Amazon Web Services S3 buckets are “a perfect example of this misconfiguration problem,” he told the E-Commerce Times. These buckets by default are not publicly accessible, but they “are often set by customers to allow for access.”
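The two ways a customer opens a bucket are an ACL grant to the AllUsers or AuthenticatedUsers group and a bucket policy that allows a wildcard principal. The following is an added example, not the article's code or an AWS tool: it evaluates a constructed inventory of hypothetical buckets (placeholder names and account ID, assumed for illustration) in the shape of the GetBucketAcl and GetBucketPolicy responses and gives each a verdict. A Deny statement with Principal "*" is deliberately not counted as public, and an Allow to "*" that carries a Condition is reported for review rather than assumed safe.

```python
"""Flag S3 buckets whose ACL or bucket policy opens them to the public.

Added example; not the article's code or any vendor's tool. Inputs follow the shape
of the S3 GetBucketAcl response and the GetBucketPolicy policy document.
"""
import json

# Grantee group URIs that make an ACL grant public. AuthenticatedUsers means any AWS
# account anywhere, which is public for practical purposes.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}


def _policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


# Constructed inventory (assumption: hypothetical buckets, placeholder names and account ID).
SAMPLE_BUCKETS = {
    "example-private-logs": {"acl": {"Grants": [OWNER]}, "policy": None},
    "example-public-via-acl": {"acl": {"Grants": [OWNER, ALL_USERS_READ]}, "policy": None},
    "example-public-via-policy": {"acl": {"Grants": [OWNER]}, "policy": _policy(
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-public-via-policy/*"},
        # A Deny with Principal "*" restricts access and must not count as public.
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-public-via-policy/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}})},
    "example-office-only": {"acl": {"Grants": [OWNER]}, "policy": _policy(
        {"Sid": "OfficeRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-office-only/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}})},
    "example-shared-with-partner": {"acl": {"Grants": [OWNER]}, "policy": _policy(
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-shared-with-partner",
                      "arn:aws:s3:::example-shared-with-partner/*"]})},
}


def public_acl_grants(acl):
    """(permission, group URI) for every grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grant.get("Permission"), grantee["URI"]))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Allow statements for a wildcard principal; 'conditional' marks ones with a Condition."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for s in stmts:
        if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal")):
            actions = s.get("Action", [])
            hits.append({"sid": s.get("Sid"),
                         "actions": [actions] if isinstance(actions, str) else actions,
                         "conditional": "Condition" in s})
    return hits


def assess(buckets):
    """Per-bucket verdict: 'public', 'review' (conditional wildcard grant) or 'private'."""
    report = {}
    for name, b in buckets.items():
        acl_hits = public_acl_grants(b["acl"])
        pol_hits = public_policy_statements(b["policy"])
        if acl_hits or any(not h["conditional"] for h in pol_hits):
            verdict = "public"
        elif pol_hits:
            verdict = "review"
        else:
            verdict = "private"
        report[name] = {"verdict": verdict, "acl": acl_hits, "policy": pol_hits}
    return report


if __name__ == "__main__":
    for name, r in assess(SAMPLE_BUCKETS).items():
        print(f"{r['verdict']:8} {name}")
```

The "review" verdict is the caveat a practitioner wants: an aws:SourceIp or aws:SourceVpce condition may be a real restriction or a typo away from none, so it is a finding to read, not a green light. Object ACLs can also open individual objects in an otherwise private bucket, which a bucket-level check like this one does not see.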

Further, the level of security knowledge among cloud architecture and DevOps disciplines is “fairly limited,” while strong knowledge of the cloud, automation and DevOps processes is “lacking among network security disciplines,” Meyer noted. More education is needed on both sides.

The Rise of Cryptomining

The rise in cryptocurrency adoption has led to a sharp increase in the number of cryptomining malware strains, and the number of devices infected with them, according to a recent Internet security report from Akamai.

The increase in cryptojacking “is not a surprise if you understand the seven habits of highly effective criminals,” quipped Barry Greene, principal architect at Akamai. “Principle 2, ‘don’t work too hard,’ and Principle 3, ‘follow the money,’ both [indicate] malware and botnet operators will shift to cryptojacking.”

Twenty-five percent of the organizations that participated in a RedLock survey earlier this year had found cryptojacking activity within their cloud environment.

XMRig — cryptomining malware that works on the endpoint device rather than the Web browser — appeared on Check Point’s “most wanted” malware list in March. XMRig can mine the Monero cryptocurrency without needing an active browser session on the device.

“We have seen attackers use more sophisticated evasion techniques,” said Varun Bhadwar, CEO of RedLock.

For example, hackers who hit the Tesla cloud earlier this year installed their own mining pool software and configured the malicious script to connect to an unlisted or semipublic endpoint, Bhadwar told the E-Commerce Times. “This makes it difficult for standard IP or domain-based threat intelligence feeds to detect the malicious activity.”

The Tesla cloud hackers also used the following tactics:

  • Hid the mining pool server’s true IP address behind CloudFlare, a free content delivery network service;
  • Configured their mining software to listen on a nonstandard port; and
  • Kept CPU usage low.
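Each of those tactics defeats one detection source: a CDN front defeats IP reputation, a nonstandard port defeats port-based rules, and low CPU defeats host utilization alerts. What none of them changes is the protocol the miner speaks to its pool, so the detection a practitioner wants keys on payload. The following is an added example, not the article's code or RedLock's product: it classifies constructed flow records (placeholder IPs, a placeholder Monero address, and an assumed list of commonly seen pool ports) by looking for Stratum methods and the JSON-RPC login dialect that miners such as XMRig send, regardless of destination or port. It also goes a step beyond the text by treating generic method names like "login" as weak evidence on their own, so an ordinary JSON-RPC service is not flagged.

```python
"""Detect mining-pool (Stratum / XMRig-style JSON-RPC) traffic by payload, not IP or port.

Added example; not the article's code or any vendor's product. Flow records are
constructed; IPs, the wallet address and the pool-port list are placeholders/assumptions.
"""
import json
import re

# Unambiguous Stratum methods (bitcoin-style pools).
STRONG_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
# Methods from the JSON-RPC dialect XMRig uses with Monero pools; the names are generic
# enough that a single one is only weak evidence.
WEAK_METHODS = {"login", "getjob", "submit", "keepalived"}
MINER_AGENT_RE = re.compile(r"xmrig|xmr-stak|cpuminer|minerd|ccminer", re.I)
# A standard Monero address is 95 base58 characters starting with 4 (subaddresses with 8).
MONERO_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# Ports public pools commonly listen on (assumption, used only to annotate alerts).
COMMON_POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 9999, 14444}

# Constructed flow records: destination, port and the first client payload bytes.
SAMPLE_FLOWS = [
    # Classic pool on the usual port: even a port rule would catch this one.
    {"dst": "203.0.113.20", "dport": 3333,
     "payload": b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}\n'},
    # XMRig login to a CDN-fronted endpoint on 443 over plain JSON, the evasion described
    # above: destination reputation and port say nothing, the payload says everything.
    {"dst": "198.51.100.5", "dport": 443,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4' + b"A" * 94
                + b'","pass":"x","agent":"XMRig/2.6.2","algo":["cn/1"]}}\n'},
    # Ordinary HTTPS: a TLS ClientHello, not JSON at all.
    {"dst": "198.51.100.9", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    # Internal JSON-RPC service on 8080: not mining.
    {"dst": "10.0.0.12", "dport": 8080,
     "payload": b'{"jsonrpc":"2.0","id":7,"method":"getUser","params":{"id":42}}\n'},
    # An application "login" RPC: one weak indicator alone must not alert.
    {"dst": "10.0.0.13", "dport": 8443,
     "payload": b'{"id":1,"method":"login","params":{"user":"bob","pass":"hunter2"}}\n'},
]


def classify_payload(payload):
    """Return [(strength, reason), ...] for every miner indicator in the payload."""
    hits = []
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return hits                       # binary (e.g. TLS) is out of scope for this check
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if not isinstance(msg, dict):
            continue
        method, params = msg.get("method"), msg.get("params")
        if method in STRONG_METHODS:
            hits.append(("strong", f"stratum method {method!r}"))
        elif method in WEAK_METHODS:
            hits.append(("weak", f"pool-style method {method!r}"))
        # XMRig-style login carries the miner's user agent and the payout wallet.
        if isinstance(params, dict):
            agent = str(params.get("agent", ""))
            if MINER_AGENT_RE.search(agent):
                hits.append(("strong", f"miner agent {agent!r}"))
            if MONERO_ADDR_RE.match(str(params.get("login", ""))):
                hits.append(("strong", "Monero payout address used as login"))
        # Stratum subscribe passes the agent as the first positional parameter.
        if isinstance(params, list) and params and MINER_AGENT_RE.search(str(params[0])):
            hits.append(("strong", f"miner agent {params[0]!r}"))
    return hits


def is_mining(hits):
    """One strong indicator, or two weak ones, is enough to alert."""
    strong = sum(1 for s, _ in hits if s == "strong")
    return strong >= 1 or (len(hits) - strong) >= 2


def scan_flows(flows):
    """Alert records for flows whose payload looks like pool traffic."""
    alerts = []
    for f in flows:
        hits = classify_payload(f["payload"])
        if is_mining(hits):
            alerts.append({"dst": f["dst"], "dport": f["dport"],
                           "reasons": [r for _, r in hits],
                           "nonstandard_port": f["dport"] not in COMMON_POOL_PORTS})
    return alerts


if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        flag = " (nonstandard port)" if a["nonstandard_port"] else ""
        print(f"{a['dst']}:{a['dport']}{flag}: " + "; ".join(a["reasons"]))
```

The caveat: this only works where the payload is visible. Miners can wrap the same protocol in TLS, so the check belongs at a point that sees cleartext, such as an egress proxy that terminates TLS, an endpoint agent, or the cloud host itself; combined with the user-activity and host-vulnerability monitoring the article recommends, it closes the gap that reputation feeds leave open.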

Spectre Haunts Intel Processors

Eight new variants of the Spectre vulnerability, lumped together as “Spectre-NG,” came to light earlier this month, according to the German computer magazine c’t. They target Intel CPUs.

Intel designated four of them as high-risk.

“There is no real recourse or respite” because the root cause, poor security isolation between processes on virtual machines, “continues to not be addressed,” said Satya Gupta, CTO of Virsec.

One variant can be used to steal data from the Speculative Execution Engine cache from across virtual machines, he told the E-Commerce Times.

That would allow sensitive data from one customer on a given bare metal used by a cloud compute provider like Amazon to be scraped by another customer whose VMs were deployed on the same bare metal, Gupta explained. “This will obviously impact cloud compute providers the most.”

Possible Solutions

Cloud service users should take a holistic approach to security, advised RedLock’s Bhadwar, by employing “a combination of configuration and monitoring of user activity, network traffic and host vulnerabilities.”

They also should invest in cloud-native security tools, he recommended.

Companies should adopt a more automated and integrated approach toward infusing strong security into DevOps processes and workflows “to keep the security folks in control without forcing the DevOps folks to break their models,” Check Point’s Meyer said.

“There’s always something else to do,” observed Akamai’s Greene. “If you get all the best common security practices done, you cannot stop. Ask your cloud provider what’s next for their security architecture. If they’re still doing the basics, consider other options.”

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.
