In recent years, security has gone from cloud objection to cloud benefit. In fact, according to the Oracle and KPMG Cloud Threat Report 2018, 83 percent of respondents to the report’s survey said they believe their cloud service providers’ security is as good as or better than their own.
While this growing confidence bodes well for an increasingly cloud-enabled world, companies would be wise not to drop their guard when it comes to security. Bad actors of all kinds have found ways to exploit weaknesses in your security posture—most notably, in the customer’s end of the shared responsibility model.
Recently, Brian Jensen from KPMG, my co-author on the Oracle and KPMG Cloud Threat Report 2018, and I discussed some of the top attacks and pitfalls that companies are falling prey to.
At its core, phishing in all its forms is a social engineering attack designed to create fear, uncertainty, and doubt. And even the best of us have been suckered by a phishing attack at one point or another. The main goal here is to get credentials by tricking the user into handing them over. A phishing email might say “Click here to learn about the audit problem we just discovered,” then take the user to a fake website where they have to log in. Or it might have a malicious attachment or link. But once they have those credentials, the attackers have free rein inside the system.
As Brian noted during our conversation, what makes phishing so successful is that not only have we moved some of our most valuable information outside the firewall, but that many of our core business applications are similar across companies.
“This leads to a one-two-three punch. Phishing is easy. The data is outside the firewall. And everything is pretty much the same. So, once I identify a pattern as a breacher, I can do it over and over and over again,” Brian said.
According to the Oracle and KPMG Cloud Threat Report, 55 percent of survey respondents have experienced phishing.
Malware and Ransomware
Phishing can often be a vehicle to unload malware onto a system. The Oracle and KPMG Cloud Threat Report noted that, of all respondents’ expected security concerns during the next 24 months, four of the top five have to do with malware.
One of the common forms of malware that we see is ransomware, where the victim is locked out of their system until the attacker is paid some sort of fee, usually in the form of bitcoin. This form of attack can wipe out an organization and leave it without a way to recover its information.
Another way organizations put themselves at risk is by not having proper controls around cloud configurations. In fact, 45 percent of respondents to the Cloud Threat Report survey said they had experienced one or more incidents where the attacker exploited an unpatched vulnerability—either known or unknown. These unpatched gaps are especially dangerous because the attacker can wreak havoc on an organization (or multiple organizations using the same vulnerability) until it’s patched.
The problem here, as Brian noted during our conversation, is that companies don’t have a good framework for (1) knowing that they’re using cloud, (2) categorizing the type of cloud they have, (3) having an understanding of the shared responsibility model for that cloud instance, (4) framing the configuration model, and (5) monitoring and patching it.
To be fair, this is no easy task. The number of people and details involved make separating responsibilities and defining processes a real problem. But it’s a problem that needs to be solved if you want to secure your organization.
Protecting Your Organization from These Pitfalls
Of course we all want to protect our organizations, but buying the right tools is only a third of the answer. What it really takes is a focus on your people, your processes, and then your technology.
In terms of people, organizations need to make sure their people are properly trained. All of your general users need to know the basics behind identifying a phishing attempt. But more importantly, cyber teams, email teams, and application teams need to be trained correctly on how to maintain configuration and compliance.
Next, there needs to be a process behind everything. If you have a system that has stayed unpatched for the last two days, what’s your process? If you’re introducing a new cloud application, what’s your process for making sure it’s secure? This can be one of the hardest aspects because it requires communicating and establishing agreed-upon actions across departments. But it’s also the most necessary.
And lastly, you have technology. And that’s the part where Oracle does a really good job. We provide some excellent technologies for securing your cloud investment.
At the end of the day, people’s confidence in the cloud isn’t misplaced. Organizations just need to adjust their thinking to protect themselves from evolving threats.