Security Resilience in The Cloud

Background

As technology advances, the demand for new multifunction devices soars and cloud services grow at a fast pace, the complexities and features grow into an enormous compliance and security nightmare. On the other hand, it can equally be argued that the security issues that accompany these devices are a major reason why Information Security has gained momentum over the years, and why the demand for assurance in Information Security keeps growing. In addition, it is only natural to face the challenges and tackle the imminent issues that pose a threat to the global corporate world of business.

The growth in the number of hackers, the volume of malicious software and the inevitable zero-day exploitation is only getting worse. Enterprises challenge and mitigate these risks by using every countermeasure available, which in turn proves their success or failure in a dynamic global IT environment.

What are the threats in a hosted cloud environment?

The threat landscape is constantly changing. However, some of the most dangerous threats are those that are ‘old school’ with a more sophisticated new approach in launching an

Some of the typical threats that are pertinent to cloud services are:

Command Execution

A command string, executed in server-side code, contains unvalidated user input.

Potential impact

  • The attacker can execute arbitrary code using the web server privileges
  • This code could retrieve data from the server or directly alter the server

Simple example

  • The web user is supposed to provide a filename to be displayed or retrieved
  • The web server uses “echo” or “copy” directly on the filename, as provided
  • An attacker provides a filename “stupid.txt & myMaliciousCommand”
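The same handler in both forms, as an added example that is not code from the original article: the vulnerable version builds the command string the text warns about (shown as text only, never run), and the hardened version validates the filename against an allow-list, confines it to a base directory and reads the file without invoking a shell. The function names and the regular expression are this example's own.

```python
import os
import re
import tempfile

# Constructed example, not code from the article: a handler that displays a
# file named by the user. vulnerable_display builds the shell string the text
# warns about (never executed here); hardened_display replaces it.

SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")   # allow-list: no '&', ';', '/', '..'

def vulnerable_display(filename):
    """Command string built from raw input: 'stupid.txt & myMaliciousCommand'
    makes a shell run a second command. Returned as text only."""
    return "cat " + filename

def is_safe_filename(filename):
    """Plain basename only: no shell metacharacters, no path separators."""
    return SAFE_NAME.fullmatch(filename) is not None

def hardened_display(filename, base_dir):
    """Validate the name, confine it to base_dir and read the file directly,
    so no shell is involved at all."""
    if not is_safe_filename(filename):
        raise ValueError("rejected filename: %r" % filename)
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(path) != base:       # defence in depth against symlink tricks
        raise ValueError("path escapes base directory")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()

def demo():
    """Exercise both paths on a constructed file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "stupid.txt"), "w", encoding="utf-8") as fh:
            fh.write("hello")
        shown = hardened_display("stupid.txt", d)
        try:
            hardened_display("stupid.txt & myMaliciousCommand", d)
            rejected = False
        except ValueError:
            rejected = True
    return {"shown": shown, "rejected": rejected}

if __name__ == "__main__":
    print(demo())
```

If an external tool really is required, pass it an argument list (for example `subprocess.run([...], shell=False)`) rather than a concatenated string, so the filename can never be parsed as shell syntax.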

Session Hijacking

This is sometimes also known as cookie hijacking. It is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorised access to information or services in a computer system. This type of attack happens when a malicious user guesses or steals the authentication token or token key for that session and, by doing so, accesses the web server system or resources as a legitimate user. This can lead to further security breaches by carrying out a man-in-the-middle attack, browser attacks or even the installation of malicious code on the system.
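A minimal server-side session store that applies the standard defences against the token guessing and token theft described above, as an added example that is not code from the original article: unguessable random tokens, idle expiry, token rotation on login or privilege change, and cookie flags that keep the token away from scripts and plain HTTP. SessionStore and its methods are this example's own names.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed example, not code from the article: a session store with the
# usual countermeasures against guessed or stolen session tokens.
TOKEN_BYTES = 32          # 256 bits of randomness: the token cannot be guessed
IDLE_TIMEOUT = 15 * 60    # seconds of inactivity before a session is dropped

class SessionStore:
    def __init__(self):
        self._sessions = {}   # token -> {"user": str, "last_seen": float}

    def issue(self, user):
        """Create a session keyed by a cryptographically random token."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {"user": user, "last_seen": time.time()}
        return token

    def lookup(self, token, now=None):
        """Return the user for a live token, or None; idle sessions are purged."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, token):
        """Swap the token on login or privilege change, so a token captured
        earlier no longer opens the authenticated session."""
        user = self.lookup(token)
        if user is None:
            raise KeyError("no such session")
        del self._sessions[token]
        return self.issue(user)

def session_cookie(token):
    """Set-Cookie value that keeps the token away from scripts and plain HTTP."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True      # not readable by injected JavaScript
    c["session"]["secure"] = True        # sent only over TLS, not sniffable in clear
    c["session"]["samesite"] = "Strict"  # not attached to cross-site requests
    return c.output(header="").strip()
```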

Compliance and legislation

Legislation and compliance in the cloud remain a challenge, and adoption has been slow. Only a few internal businesses tend to be able to comply and satisfy compliance requirements in an interconnected cloud environment. Requirements such as SOX, HIPAA and the Safe Harbour agreement are some of the main cross-country challenges businesses have to battle with to provide assurance and security. One of the biggest problems with the increased use of cloud services is that the client cannot control, with confidence, where their data is stored or who is processing or harvesting it; that in itself is a security challenge.

Especially where the services offered by the cloud services provider are free, the client will not have any say or control over where their data is stored, backed up and managed.

Compromise of Interconnected Systems

Resulting from the exploitation of a trusted path through an insecure application or network resource, leading to the compromise of partner systems and their data, and in turn to a loss of reputation and customer confidence. Clinton at Security Aware calls these ‘cross contamination exploits’ – an exploit crafted so that it compromises all the systems hosted in a shared environment.

Denial of Service

Resulting in the unavailability of network and application resources, potentially leading to the loss of revenue.

What are some of the vulnerabilities?

These key threats are most often realised through the following vulnerabilities within the internal network:

  • Unused open ports and services
  • Missing security patches/updates
  • Poor design, configuration and implementation of services
  • Default/generic user accounts (username & passwords)
  • Lack of understanding of best practices and security requirements
  • Lack of or poor internal monitoring and auditing of systems
  • Excessive privileges assigned to users within an unrestricted environment

When should you perform security assessment of your cloud system?

With new vulnerabilities and malware exploits populating the web daily, it is best practice to develop a robust vulnerability management strategy to manage the threats your business faces continuously. Assessment should be done on a regular basis to have constant visibility of the threats your business faces. Some companies have systems in place to identify and manage vulnerabilities on a weekly, fortnightly or monthly basis. In some cases, bigger companies with an allocated budget and resources normally perform security assessments on a daily basis.

In addition, it is critical to perform an assessment of corporate networks and their services both prior to their initial roll out and on a regular basis to ensure that any and all specific security threats are understood, managed and remediated.

Ten top cyber security tips for small business

SMEs and start-ups are some of the most profitable and fastest-growing companies, with a flair for innovation, passion and a surplus of energy. However, due to the very nature of these individuals (hunters), they do not really see the need to slow down and assess the things that would help them fine-tune and streamline the structure of their business, unless they are lucky enough to have the backing and support of a venture capital (VC) firm.

Security and compliance are the last things on their mind…their aim is to succeed and push the barriers of opportunity, and as such they sometimes need ‘bolt-on’ support to piece all the scattered pieces of the puzzle together. This is especially true if they reach a point where they decide to sell or move into new markets; markets that require them to demonstrate and operate in a defined manner.

So, for all the buzzing, enthusiastic entrepreneurs out there, try to get it right as you go along and don’t just ignore the little things that could potentially boost your position in winning the next deal.

Here are some tips to bear in mind prior to starting your journey as an entrepreneur and during your journey to achieve your entrepreneurial aspirations:


  • Understand the market you are targeting and ensure that you address all the possible standard requirements they would need even before engaging you
  • Make sure you understand your obligation around preserving the confidentiality, integrity and holistic security of their data
  • Develop a security policy
  • Develop and implement an acceptable usage policy internally if you have other employees
  • Always ensure you utilise at a minimum, a non-disclosure agreement and have at least a client engagement letter to solidify your business relations with clients
  • Carry out regular security scanning/assessment of your website/systems/applications if you are an ecommerce business or predominantly operating online
  • If you are an ecommerce business, be sure to think about doing the minimum – a PCI-DSS self-assessment questionnaire. You need to show that you take client data security and the security of your business seriously
  • Ensure you register with your data protection and privacy agency (in the UK, register with the ICO)
  • Develop and implement a mobile device usage strategy and policy
  • If you have a lot of uncontrolled devices or your employees use their own devices, there is all the more reason to focus on the security and compliance of these devices regardless of who owns them – at the end of the day, whatever data is pushed to these devices, you as a company are responsible for how it’s used and processed
  • Develop and implement a social media policy to help your business utilise these mediums to maximise the full benefits to be had from social media
  • Start thinking seriously about purchasing a cybersecurity insurance policy to cover you for any cybersecurity hack or breach
  • Take every opportunity to educate yourself and your employees on a regular basis on the changes in legislation that may impact the way you operate your business (EU Directives, the Safe Harbour agreement, the Data Protection Act, FOI, the Bribery Act) as well as how to deal with potential security scams and suspected breaches
  • Some people may say this is not relevant because their company is too small to be doing some of these things, but a key thing to have in place is a business continuity plan…what if you were to fall ill, or your business was flooded, caught fire or was hit by civil unrest etc.; would you still be capable of providing the same levels of service to your clients?
  • Have a clear, easy-to-understand incident response plan
  • Encrypt every piece of data you deem important to the running of your business
  • Perform a risk assessment on your business (at least the critical areas)