We live in an always-on, digital world. Information is at our fingertips. Mobile devices are pervasive.
Interactive websites, allowing users to comment on posts, and social networking are de rigueur. All these things encourage us to consume—and share—information continuously and often without regard for the consequences. Criminals are increasingly using this information, often detailed about personal lives, to their advantage in social engineering exploits that specifically target individuals and that attempt to exploit the trust that they have in the technology, applications and websites that they use.
In recent years, consumers have flocked to file sharing sites that allow them to upload and share very large files such as photos and videos with friends and family. Seeing just how convenient such sites are, many users are increasingly adopting their use for business purposes as well, using them to upload information so that it’s available to them from any device that they wish to use, wherever they are. It has been recognized for some time that this creates security risks for organizations regarding sensitive data being placed on file sharing sites that are outside of the control of the IT department—often without their knowledge. Bloor Research has recently published research that discusses the problems surrounding unsanctioned use of file sharing sites in organizations and that provides pointers as to what organizations can do to provide employees with the convenience and flexibility they demand, but in a way that safeguards sensitive information and shields them from the perils of data loss.
But a relatively new problem with the use of file sharing sites is currently in the news. Criminals are turning to the use of such sites for hosting and spreading malware and viruses. In one such campaign, the Dropbox file sharing service has been targeted, with an estimated 500,000 users affected. In this case, ransomware was distributed, with attackers demanding users pay a ransom to have their files, which have been encrypted and are hence unusable, returned to them. It’s believed the attackers have so far netted $62,000 from this campaign alone.
Such attacks have been known about for some five years or so, but appear to be increasingly common. Just this month, an emerging practice came to light: file sharing sites being used for high-value, low-volume attacks against high-profile, lucrative industries that include banking, oil, television and jewelry businesses. Discovered by Cisco, these attacks are attributed to a group calling itself the “String of Paerls” group, which has been flying under the radar of security researchers since 2007, constantly changing its tactics to avoid detection.
These attacks highlight the problems many organizations are facing with the use of consumer-oriented services. Many organizations are still grappling with the issue of controlling the deluge of personally owned devices that are connecting to their networks—often outside of the purview of the IT department—as well as the use of cloud-based services by individuals or particular business units, many of which are not officially sanctioned by the organization. Now there is further evidence that they must add control of consumer-oriented file sharing services into the mix—not just to guard against the loss of sensitive information, but to prevent them being used as another vector for attacking the organization.
There are options available to IT that allow them to offer the same levels of convenience to users, but in a way that can bring back control over who is sharing what and with whom. Some of these options are discussed in the research published by Bloor Research referenced above. Centralized control and high levels of security are paramount. They must also be as easy to use as the consumer-oriented services employees are already used to if they are to gain widespread acceptance.
Today’s generation of consumers and employees demand convenience and the freedom to work as they wish. But that convenience brings many dangers to organizations if they cannot control where sensitive information is being posted or transferred, and who is accessing it, or guard against the dangers employees might be exposing the organization to through the use of unsanctioned services. There is a fine line to be trodden between ensuring employees are satisfied and productive, and guarding the organisation from malicious exploits and data loss that could dent their revenues, brand and reputation.
London was again the venue for the 18th Infosecurity Europe conference last week. Along with over 100 other exhibitors, it was a busy three days for Mimecast – security workshops (summarized in our blog post last week), talking to crowds attracted to our eye-catching stand and some great conversations with media, customers and prospects.
As expected at the premier security event, security was hotly discussed, with topics such as mobile security, cyber warfare, threat detection and prevention recurring themes.
Given security is a vital part of our offering, we’re most interested in the evolution of the security landscape and how it impacts communication technology in business. From this viewpoint, we noticed a clear point emerging from the conversations this year – we’re entering a new chapter in the maturation of how businesses consider cloud services.
Gone are the days of businesses questioning whether their data is safer in the cloud; now the focus is on issues such as whether a vendor truly believes in industry standards – for instance, there is an increasing expectation that vendors be accredited against third party standards, e.g. ISO 27001, and participate in transparency initiatives such as the CSA STAR registry.
In addition, IT teams are becoming increasingly sophisticated in testing whether vendors can stand by their SLAs. On this subject, one of our customers Paul Dryden invoked a vivid example in one of our workshops about how he evaluates cloud vendors – during a tour of the data centre he spontaneously asks the vendor to cut the power to see how the system reacts. Apparently, only one vendor has managed to perform the immediate simulated power cut for Paul and while this is one of the most extreme examples, we’ve encountered other customers and prospects that have indicated that they’re testing the SLAs of cloud vendors more rigorously.
With increasing pressure to comply with industry standards and more demanding tests around the strength and depth of their service, cloud vendors seem to be at a crossroads. Those services which have the scale and rigour to meet these growing expectations can look forward to growing recurring revenue, while the others will find themselves outside of the commercial conversation.
It’s possible that we’ll look back at 2013 as the year that there was a shake-out of the cloud service vendors, with security one of the key drivers for this change.
Spring finally arrived and ironically, the sun was shining in London at Infosecurity Europe with no clouds to be seen. The good news for us was this didn’t deter people from joining our Chief Scientist Nathaniel Borenstein and Technical Evangelist, Orlando Scott-Cowley to talk about the cloud. The session was so well received, we thought it’d be useful to summarize the content of the presentation (below):
Left to right: Orlando Scott-Cowley, Nathaniel Borenstein, Paul Dryden
They started by agreeing what the cloud is and what it means for security. There’s the public cloud (fully open and accessible), which many vendors use for customers’ data; the private cloud (closed), which offers private, business-sensitive uses; and the hybrid cloud, which combines features of both. Each allows you different levels of control and security.
“There’s plenty of cloud washing going on with many vendors claiming things to be in the cloud that aren’t.” — Orlando Scott-Cowley
The Cloud is now accepted as being more secure than your own network.
Putting your data in the cloud does give you an opportunity for better security, as cloud vendors’ security is usually a core part of their business. They’ll have more security and cloud expertise available to them, and are strongly motivated to do a great job – developing a reputation for poor security would likely destroy them. Generally, reputable cloud vendors have the resources to keep up to date with advances in technology and are highly motivated to do a good job and continue innovating.
But it’s also fair to say that cloud providers are bigger targets for attack. So a good place to start your assessment is taking a look at the vendor’s security reputation. If they’ve been around for a while (Mimecast has been here for over 10 years BTW) and you haven’t found any horrifying stories then as Nathaniel said they’re “…likely to be good at cloud security. Cloud vendors live or die by their security. The trick is really knowing whether or not a particular vendor is good at it”. Good cloud vendors are deeply committed to security and very open to talking about it.
So once you know you want a cloud how do you assess a vendor – what questions do you need to ask about them?
Talk to them about security standards. ISO 27001 accreditation is important. But assessing the scope of their compliance is vital – ensure the scope of the accreditation includes the production systems that process customer data, rather than unrelated systems like internal HR or billing platforms.
Also, the workshop discussed the CSA STAR registry from Cloud Security Alliance which allows customers to see detail on participating vendors’ activities and procedures, helping you to compare and evaluate how they protect your data.
Willingness to be open about security standards is an important test for vendors. If they’re happy to share this they have nothing to hide. (Of course, there are certain kinds of data that they don’t disclose because it would be a security leak to do so; passwords are just the most obvious example of this class of information.)
Where is my data?
Some customers also need to know where their data is housed and under what jurisdiction it sits. Assess what this means for your business. If this matters to you, then the cloud vendor should be willing to discuss this with you. This is not just a matter of legal concerns. Think also about connectivity – businesses in areas with poor Internet connectivity will often be much better off accessing servers that are nearby.
Will you get the service you want if the data is located somewhere you can’t guarantee the network performance you need? What continuity plans does the vendor have in place to keep their performance guarantees? It’s always acceptable to ask questions about the service – a good vendor will say ‘yes’ to allowing you to test the reliability of their service too. (However, if they’ve already been tested by several independent auditors that you’re inclined to trust, it’s not necessary that you burden them by repeating the tests.)
What do you take to the cloud?
When you’ve a service or application that is commoditized, it’s well suited to benefiting from the cloud. There’s also a whole set of apps, such as data mining, that largely can’t exist outside the cloud – they’re made possible by the characteristics of processing data aggregated in the cloud, or analytics for example. With older apps and services hybrid systems are often a good option – ask, ‘can you get the benefits of the cloud without going fully to the cloud?’
Nathaniel then laid out a list of questions customers should get answers to from all vendors – the questions that vendors “dread being asked.” The questions were:
How do you manage your cryptographic keys?
How do you handle change control in your software?
How do you handle patches to your OS and other key software?
How do you encrypt all client data at rest? Do you guarantee its integrity? What is my role in keeping it safe?
Are your development and operational platforms well separated?
What access do your administrators have to customer data?
What are your BCPs (business continuity plans) on matters like testing, documentation, etc.?
How redundant is your data and how do you prevent/recover from outages?
Do your employees have constrained, granular roles that are easily configured?
How do you manage security incidents? What is logged? How long is it retained?
Who are your third party security auditors?
Do you do regular penetration testing and vulnerability scanning?
Is your platform and business ISO 27001 accredited? If not, why not?
By the end of the session, it was clear both that there’s a strong appetite for this kind of help in assessing cloud vendors, and that there are even more questions that belong on the list.
Watch this space for more on this as we will explore the questions in a future post.
If we’ve missed out a great question that worked for you we’d love to hear it – post the question here or email Orlando at firstname.lastname@example.org.
This weekend Evernote became the latest cloud vendor to have its systems breached; user data including passwords has been compromised. In case this is news to you, a quick recap – Evernote assured us that passwords were correctly hashed and salted unlike LinkedIn, who neglected to salt their passwords. Evernote didn’t tell us whether or not the salts were compromised too. The attack “follows a similar pattern” to others so we can assume some sort of long term APT style compromise.
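To make the hashed-and-salted point concrete, here is an added example (not code from Evernote, LinkedIn or this post) with constructed user records: an unsalted store lets one precomputed table crack every account that shares a password, while a per-user salt forces the attacker to start over for each account.

```python
import hashlib
import os
from typing import Dict, Tuple

# Constructed sample accounts; two users chose the same password.
USERS = {"alice": "Summer2013", "bob": "Summer2013", "carol": "letmein"}
# Constructed guess list standing in for a cracking wordlist.
WORDLIST = ["123456", "password", "Summer2013", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    # Unsalted storage: plain SHA-1 of the password, so equal passwords give equal hashes.
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # Salted storage: a random per-user salt is mixed in before hashing.
    # (A real deployment should also use a slow KDF such as PBKDF2 or bcrypt.)
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)               # fresh 128-bit salt per account
        db[user] = (salt, salted_hash(pw, salt))
    return db


def crack_unsalted(db: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    # One table built from the wordlist serves every account at once.
    table = {unsalted_hash(w): w for w in wordlist}
    work = len(wordlist)                    # hashes computed, regardless of user count
    return {u: table[h] for u, h in db.items() if h in table}, work


def crack_salted(db: Dict[str, Tuple[bytes, str]], wordlist) -> Tuple[Dict[str, str], int]:
    # The salt invalidates any shared table: each account needs its own pass.
    cracked, work = {}, 0
    for user, (salt, stored) in db.items():
        for guess in wordlist:
            work += 1
            if salted_hash(guess, salt) == stored:
                cracked[user] = guess
                break
    return cracked, work
```

The work counters show the difference: the unsalted store falls to five hash computations in total, while the salted store costs the attacker a separate wordlist walk per account, and stolen salts do not restore the shared table.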
There are a couple of interesting observations one can make as a result of this last hack.
The usual amount of your-data-in-the-cloud-is-not-secure media hysteria has been dished out; no doubt some Evernote users will be busy deleting their notes as a result, even though their contents are probably as interesting as the ingredients list on a bottle of water. Being an Evernote user (yes, I have reset my password) I can’t help but think this isn’t about data in the cloud, or about the cloud at all; this is more about a target. Evernote was the target in this instance; before them it has been LinkedIn, Facebook, Yahoo, RSA Security, the New York Times, Iranian nuclear centrifuges, and the list goes on. Once the target has been identified this sort of “coordinated attempt to access secure areas” is likely to succeed regardless of the data’s location. The data could be anywhere: in the cloud, a server on your LAN, one of your users’ laptops (Facebook), a mobile device, a filing cabinet (remember those) or even data left on someone’s desk – the attackers will use whatever means they need to compromise that data.
Secondly, if there is weak security protecting that data, again the location is unimportant. Putting the data in the cloud on a dedicated platform means, as in Evernote’s case, the breach can be monitored and contained by people whose job it is to do that. There is very little one can do to contain the old school espionage attack that reads secure material from your desk or even from your rubbish bin.
Evernote did the right thing and alerted its users to the hack, emailing them to advise password resets. They did slip up slightly though, by providing a link in the same email that also suggests users should “Never click on ‘reset password’ requests in emails — instead go directly to the service”. But to be fair, this is the first time Evernote has had to deal with this threat.
What this sequence of events really means is that 2013 could be the year that cloud service providers will rebalance their priorities, so that preparedness for attacks will be as important as getting the latest app version out the door, and also that we as consumers realise the importance of our data regardless of where we leave it.