One of the key selling points for most cloud services is security—the idea that a team of professionals managing your cloud infrastructure or application resources can do a better job at securing both than you can in-house. However, while that's certainly true of some providers, it's not true of everyone. In fact, recent research seems to indicate that cloud security as a whole is in worse shape than ever.
How bad has cloud security become? RedLock Inc., a cloud security intelligence company, recently conducted survey and incident research that identified not only key cloud threats that have been known for a while but also a brand-new, up-and-coming one: cryptojacking. Over the last year, RedLock found that instances of cryptojacking—in which cybercriminals hijack cloud services to use as compute platforms for cryptocurrency mining—have tripled.
RedLock believes this trend is happening because security readiness on the whole is surprisingly lacking in the cloud. For example, according to RedLock, roughly half of all organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) compliance regulation fail to meet that standard. Additionally, 85 percent of cloud resources have no restrictions on outbound traffic, which means those cryptojackers and cybercriminals can siphon all of the data they want from your compromised cloud service—and your managed service provider has no way of knowing. This surprising spike in cybercrime was noted by RedLock researchers in their May 2018 "Cloud Security Trends" report.
Graphic from the report reprinted with permission from RedLock, Inc.
Bad Security Habits
RedLock and other security researchers have found many reasons for this surge in cloud crime, but most agree that a key factor is lax compliance with not only security regulation but even with simple IT security policy in many cloud data centers. And bad habits there translate to equally bad habits in their corresponding cloud services. The surge in cloud crime is also due to the fact that public clouds are still a fairly new resource, so the steps required to set up and implement security best practices are not only less understood by many IT professionals but are also constantly evolving.
The other key factor in this rise in cybercrime activity is that the bad guys are trying harder because, in the cloud at least, crime pays. This is especially true now that the means to steal processor cycles from someone's cloud are so well-known. That's a big incentive because cryptocurrency mining can make someone a lot of untraceable money, especially if they don't have to pay the computing bills—bills that can be seriously hefty. According to Varun Badhwar, co-founder and CEO of RedLock, it's not uncommon for victims of cryptojacking to receive bills from their cloud provider that run anywhere from an extra $50 up to a whopping $100,000 per day for stolen cloud services.
While cryptojacking seems to be a key motivator for cyber-baddies, the methods they use to steal what they need tend to revolve around three key threats. Account compromises, due to bad security habits such as using the root log-in for everything or succumbing to phishing attacks, are the first big threat. The second threat is configuration errors that let cloud data become exposed. The third threat is the ongoing problem with known vulnerabilities that remain active because companies fail to patch and update software.
According to Badhwar, lost and stolen credentials are continuing to be a significant security problem. He said that his researchers have found such credentials spread widely across the public internet in places such as GitHub uploads. Once those credentials are harvested, attackers can spin up vast compute instances for whatever purpose they want.
In addition, cloud application programming interfaces (APIs) now offer an added route to credentials once a process on a virtual machine (VM) is compromised. That process can use the cloud service's APIs to read instance metadata, and the credentials found in that metadata can then be used to gain further access.
Set Up Default Settings Correctly
However, not all bad practices use new and exotic methods to compromise cloud services. For instance, the RedLock researchers found that 85 percent of cloud firewalls did not have their default settings set to "deny" for outbound traffic. This is actually a fairly easy setting to apply when configuring your cloud instance, but it requires that the person doing the work first knows about the setting and then makes sure it's set up properly. This is where hiring IT staffers with specific skill sets in security can be a real value-add, especially for technology companies doing business via cloud services.
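As an added illustration (not RedLock's or the article's code), here is a short Python audit that reports which AWS security groups still permit outbound traffic to any destination, i.e. where the "deny" default has not been applied. The group definitions are constructed sample data in the shape the boto3 EC2 describe_security_groups call returns.

```python
# Added example, not RedLock's or the article's code: flag AWS security groups
# whose egress rules still allow traffic to any destination, i.e. where the
# deny-by-default outbound policy the article recommends is not in effect.
# Input mirrors the boto3 ec2.describe_security_groups() "SecurityGroups"
# shape; SAMPLE_GROUPS is constructed data, not real account output.

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def rule_is_open_to_world(rule):
    """True if one egress rule permits any IPv4 or IPv6 destination."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def egress_findings(group):
    """Describe every world-open egress rule; an empty list means already locked down."""
    findings = []
    for rule in group.get("IpPermissionsEgress", []):
        if not rule_is_open_to_world(rule):
            continue
        proto = rule.get("IpProtocol", "-1")
        if proto == "-1":                       # AWS shorthand for all protocols
            findings.append("all protocols and ports to any destination")
        else:
            findings.append(f"{proto} {rule.get('FromPort')}-{rule.get('ToPort')} to any destination")
    return findings

def audit(groups):
    """Map GroupId -> findings for groups that are not deny-by-default outbound."""
    return {g["GroupId"]: f for g in groups if (f := egress_findings(g))}

# Constructed sample: the wide-open egress rule AWS attaches to new groups,
# a group limited to HTTPS inside one private range, and a partially open one.
SAMPLE_GROUPS = [
    {"GroupId": "sg-open", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-locked", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-dns-any", "IpPermissionsEgress": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
]
```

Running `audit(SAMPLE_GROUPS)` reports `sg-open` and `sg-dns-any` and stays silent on `sg-locked`, which is the state every group should be in before workloads go live.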
Badhwar said that, as companies set up their cloud services for the first time, they frequently lack the training and the awareness of how cloud security works. This is why it's not set up properly and it's frequently how they lose their credentials. "It's like leaving your house keys in the front yard," Badhwar said.
Finally, Badhwar said that one reason for the spike in cryptojacking is that the rewards are very high and the consequences of getting caught are minimal. "The attackers are starting to understand how they can fly below the radar for a long time," he said, "and the repercussions are fairly limited. The worst that can happen is that you can shut them out of the environment."
Minimize the Threats to Your Cloud
Badhwar said that, while the laws against unauthorized access to a computer and the theft of computer resources still apply, there's no regulatory requirement that companies report cryptojacking activity. This means that, once the breach is discovered, there's little incentive to do anything beyond kicking the intruder out.
So, what can you do to protect your organization against these threats to its cloud footprint? RedLock provides these nine tips:
- Eliminate the use of root accounts for day-to-day operations,
- Enforce multifactor authentication (MFA) on all privileged user accounts,
- Implement a policy to automatically force periodic rotation of access keys,
- Automatically disable unused accounts and access keys,
- Implement user and entity behavior analytics solutions to identify malicious behavior,
- Implement a "deny all" default outbound firewall policy,
- Monitor north-south and east-west network traffic to identify any suspicious activities, including cryptojacking,
- Monitor user activity for any unusual or abnormal behavior, such as unusual attempts to spin off new compute instances, and
- Ensure cloud resources are automatically discovered when they are created, and that they're monitored for compliance across all cloud environments.
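The first four tips can be checked mechanically. As an added example (not RedLock's or the article's code), this Python audit applies them to an AWS IAM credential report: it flags root-account use, console users without MFA, access keys past a rotation age, and keys that are active but unused. The report text is a constructed sample using a subset of the real report's columns, and the audit date and 90-day threshold are assumptions.

```python
# Added example, not RedLock's or the article's code: apply the first four
# tips above to an AWS IAM credential report. REPORT is a constructed sample
# using a subset of the real report's columns; NOW is fixed for reproducibility.
import csv
from datetime import datetime, timezone
from io import StringIO

NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)  # fixed audit date (assumption)
MAX_AGE_DAYS = 90                                 # rotation/unused threshold (assumption)

REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,true,2018-05-30T09:12:00+00:00,false,true,2017-01-10T00:00:00+00:00,2018-05-30T09:15:00+00:00,false,N/A,N/A
alice,true,2018-05-29T08:00:00+00:00,true,true,2018-05-01T00:00:00+00:00,2018-05-31T00:00:00+00:00,false,N/A,N/A
deploy-bot,false,no_information,false,true,2017-11-01T00:00:00+00:00,N/A,false,N/A,N/A
bob,true,2018-05-20T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

def age_days(value):
    """Days from a report timestamp to NOW; None when the report has no date."""
    if value in ("N/A", "no_information", ""):
        return None
    return (NOW - datetime.fromisoformat(value)).days

def audit_row(row):
    """Findings for one user row: root usage, missing MFA, stale or unused keys."""
    findings, user = [], row["user"]
    if user == "<root_account>":
        if any(row[f"access_key_{n}_active"] == "true" for n in (1, 2)):
            findings.append("root has active access keys")
        used = age_days(row["password_last_used"])
        if used is not None and used <= MAX_AGE_DAYS:
            findings.append("root login used recently")
    elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
        findings.append("console user without MFA")
    for n in (1, 2):                       # one pass per access-key slot
        if row[f"access_key_{n}_active"] != "true":
            continue
        rotated = age_days(row[f"access_key_{n}_last_rotated"])
        used = age_days(row[f"access_key_{n}_last_used_date"])
        if rotated is not None and rotated > MAX_AGE_DAYS:
            findings.append(f"key {n} not rotated for {rotated} days")
        if used is None or used > MAX_AGE_DAYS:
            findings.append(f"key {n} unused, disable it")
    return findings

def audit_report(text):
    """Map user -> findings, omitting users with nothing to fix."""
    return {r["user"]: f for r in csv.DictReader(StringIO(text)) if (f := audit_row(r))}
```

In the sample, only `alice` (MFA on, key rotated and used within the window) comes back clean; the root account, the unused service key and the MFA-less console user are each reported with the specific fix the tips call for.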
You can configure your cloud environment security settings and security apps to handle those suggestions, but you have to know that it's something you should do. This requires deeper learning on the specifics of using your chosen cloud environment. Fortunately, if you invest some time in learning, you'll find that choosing the right options can be fairly simple, and in practice usually winds up involving just a few simple mouse clicks. Sure, it might cost some money to implement tighter security settings after your initial configuration. However, that's not always the case, and it will certainly be cheaper than whatever you'll pay for lost data, productivity, revenue, and maybe customers as well.