What Attackers Aim to Compromise in Cloud Environments

The business world is rapidly changing and the evolution of handheld technology has greatly impacted consumer behavior. Today, both as consumers and employees, people demand immediate, anywhere, anytime access when it comes to purchasing goods and services or working for the organizations that provide them.

To meet these demands, businesses have looked to cloud technology to keep up, migrating their operations and business processes to multiple cloud environments that provide the speed and flexibility required. Unfortunately, this results in an increased attack surface, one that makes it difficult for security leaders not only to locate dispersed data, but also to protect it. With this expanded malicious playground, what are attackers looking to compromise first, and what should security leaders focus on to protect themselves?

To answer that question, we asked Trustwave SpiderLabs Director of EMEA Ed Williams, who provides security professionals with the following knowledge and advice.

How do you think these malicious actors perceive these cloud-based environments when it’s time for them to go about with their malicious deeds?

Ed Williams: What has happened is a bit of a rush to the cloud for the last two to three years. Everyone now has a cloud-first agenda. But what that rush to the cloud inevitably brings is complexity and people not fully understanding that with this rush to the cloud, errors and issues crop up that result in misconfigurations, which lead to data breaches. Misconfigurations I see as being as big of an issue as phishing was two to three years ago.

Do you think these misconfiguration issues are being talked about enough? Phishing still seems to grab the headlines. Would you say that’s the case? If so, why?

Ed Williams: Massively. The “why” is probably because phishing is something that we now understand. We’re becoming more mature on that topic and understand what the impact is. It’s only now with a bulk of data breaches around misconfigured cloud instances, particularly around Amazon S3 buckets. The default policy was that the buckets were publicly available, and we’re still seeing these people who have these large amounts of “sensitive data” in buckets and they’re not configured correctly. To be fair to Amazon, they’ve moved forward a lot in a couple of years. They’ve changed the default settings, they’ve made it easier to search for these erroneous permissions. But we’re still seeing people make mistakes because they don’t fully understand the actions they take in cloud environments. Once that maturity comes, then the security will catch up with it.
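The publicly readable bucket Williams describes usually comes down to a bucket policy whose Principal is everyone. The following is an added example, not code from the article or from Trustwave, that checks a bucket policy document for such statements offline; the policy, bucket name and account ID are constructed placeholders.

```python
"""Flag S3 bucket-policy statements that grant access to everyone.

Added example (not from the article): an offline checker for the
public-bucket misconfiguration discussed above. The policy document
below is constructed; bucket name and account ID are placeholders.
"""
import json

# Constructed sample policy: one wide-open public read, one grant scoped to
# a single IAM role, and one public grant narrowed by a source-IP condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "RoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnonList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})


def _is_public_principal(principal):
    """True when Principal is "*" or {"AWS": "*"} (any identity, anonymous included)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def find_public_statements(policy_json):
    """Return (Sid, sorted actions, has_condition) for each public Allow statement.

    A Condition element narrows the grant, so it is reported but marked; an
    unconditioned public Allow is the case that leaks whole buckets.
    """
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append((stmt.get("Sid", "<no Sid>"), sorted(actions), "Condition" in stmt))
    return findings


if __name__ == "__main__":
    for sid, actions, conditioned in find_public_statements(SAMPLE_POLICY):
        print(f"{sid}: {'conditioned' if conditioned else 'UNRESTRICTED'} public grant for {', '.join(actions)}")
```

On a real account the same function can be pointed at the output of `aws s3api get-bucket-policy`, and S3 Block Public Access settings should be checked alongside it, since they override policies like the first statement.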

How much does the immense complexity that security leaders experience tied to this topic benefit attackers?

Ed Williams: With the advent of the cloud, it’s easier to spin up machines, and if they’re not configured securely from the beginning, it’s going to cause issues. We see that through excessive services on the internet and excessive API endpoints. The way an organization’s security posture looks like today has changed. Before, all of your internal infrastructure was located behind a number of firewalls. That’s changed now. Many organizations now have a hybrid model where you have certain things on-premises, some in the cloud, and it’s difficult for older security mindsets to match up with current, modern environments.

What are attackers looking to exploit first in these environments?

Ed Williams: The first thing I believe they’re looking at, and that penetration testing teams have a huge amount of success with, is software-as-a-service solutions. Things like Office 365. You can make cloud environments absolutely bulletproof, but they can easily not reach that state. Gaining access to usernames and passwords associated with Office 365 and using that as a launchpad into other parts of the organization is common. If you have an Office 365 mailbox, the mail that you then send to other parts of the organization is “trusted.” We see a lot of organizations that say they have multi-factor authentication on their Outlook 365, but what they’re not doing – which we recommend – is removing legacy services. It’s easy for attackers to abuse these legacy services. By enabling them, the benchmark’s already being lowered by organizations.
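Legacy protocols such as IMAP, POP and ActiveSync cannot carry an MFA challenge, which is why Williams recommends removing them. This added example, not code from the article or from Trustwave, runs a detection pass over Entra ID (Azure AD) sign-in records to surface users who still authenticate successfully through them; the log lines, users and IPs are constructed.

```python
"""Find successful sign-ins that used legacy (non-MFA-capable) protocols.

Added example (not from the article): a detection over Entra ID / Azure AD
sign-in records in the Microsoft Graph signIn shape. The records below are
constructed; users and IP addresses are placeholders.
"""
import json
from collections import defaultdict

# clientAppUsed values that support modern auth and therefore MFA enforcement;
# every other client type (IMAP4, POP3, Exchange ActiveSync, ...) is legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sign-in log, one JSON record per line. errorCode 0 is success.
SAMPLE_LOG = """
{"createdDateTime":"2024-04-01T08:02:11Z","userPrincipalName":"alice@example.com","clientAppUsed":"Browser","ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"createdDateTime":"2024-04-01T08:05:43Z","userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2024-04-01T08:06:02Z","userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2024-04-01T09:15:30Z","userPrincipalName":"carol@example.com","clientAppUsed":"Exchange ActiveSync","ipAddress":"198.51.100.22","status":{"errorCode":0}}
{"createdDateTime":"2024-04-01T09:20:00Z","userPrincipalName":"alice@example.com","clientAppUsed":"Mobile Apps and Desktop clients","ipAddress":"198.51.100.10","status":{"errorCode":0}}
"""


def legacy_sign_ins(log_text):
    """Group successful legacy-protocol sign-ins by user: {upn: [(client, ip), ...]}.

    Failed attempts (non-zero errorCode) are skipped so the result lists real
    exposure: accounts whose password alone was enough to get in.
    """
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["clientAppUsed"] in MODERN_CLIENTS:
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits[rec["userPrincipalName"]].append((rec["clientAppUsed"], rec["ipAddress"]))
    return dict(hits)


if __name__ == "__main__":
    for upn, events in legacy_sign_ins(SAMPLE_LOG).items():
        print(f"{upn}: {len(events)} legacy sign-in(s) -> {events}")
```

Any user this reports is a candidate for a Conditional Access policy that blocks legacy authentication, after confirming no service account still depends on the protocol.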

For organizations operating in multi-cloud environments, where are the major risks located?

Ed Williams: What organizations need to do is simulate what they’re going to store in the cloud and conduct a threat assessment around that. If you’re going down the Office 365 route, they need to simulate what the attack vectors are likely to be – such as phishing and weak passwords – and prioritize security around that. If they’re putting data repositories in the cloud, how are they securing that data? It’s important for organizations to put threat analysis around what they’re putting in the cloud. Operating in multi-cloud environments can be secure, but just like anything, it can also be very insecure because since it’s in the cloud, the impact will likely be greater.

As Williams puts it, it’s possible for cloud environments to be very secure. To reach that ideal state, he highlighted three things security leaders need to home in on:

  • Understand the Ramifications of Operating in the Cloud
    Each organization is unique, and chances are they’re utilizing cloud services for very different reasons. Based on your core business functions, understand what it means to store what your organization deems “sensitive information” in the cloud.

  • Conduct a Threat Assessment
    It’s important to conduct a threat assessment around the “stuff” that you’re looking to place in the cloud. If you have a multi/hybrid/on-prem cloud environment, are the connections between all those elements secure? There’s only one way to do that and it’s through testing.

  • Regular Testing
    Proactive security testing can help you understand where your risks and vulnerabilities reside, enabling you to better prevent, detect and respond to security incidents and continuously improve your overall security posture. This is especially the case when working in cloud environments.

Securing the modern-day cloud environment goes back to the old maturity model: understand your assets, make sure the basics are covered, and ensure you’re conducting continuous pen testing and red teaming. Once you start doing that, you’ll begin to increase your organization’s security maturity.


For more insights on securing organizations that operate in multi-cloud environments, download our latest e-book.

Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.
