This post is part of an ongoing blog series examining predictions and recommendations for cybersecurity in 2018.
To say that 2017 was a challenging year for organisations would be an understatement. As we become increasingly interconnected, businesses should look at cyberattacks as foreseeable events they should be planning for today. All businesses should maintain a good level of “cyber hygiene” wherein they regularly back up their data, patch their systems and applications, and reduce the attack surface of their digital assets as much as possible.
As we continue to transform the way we do business in 2018 by leveraging new technologies, we need to be aware of security concerns and act to reduce the risk rather than avoid these new technologies. It’s about being sensible and trying to stay ahead of cybercriminals by understanding current and potential threats, and what can be done to mitigate the risks.
1. The Cloud Is Someone Else’s Computer: You Still Need to Protect Your Information
Third-party cloud storage has been a recurring theme in the news of late, in particular Amazon's Simple Storage Service, otherwise known as S3. In S3, a “bucket” is your organisation’s container for online data storage on the AWS cloud, and it can contain sensitive information.
Some organisations have had sensitive data exposed via misconfigured AWS S3 buckets. In recent months, we have seen exposure of sensitive files, passwords, home addresses, customer databases and information on over 180 million U.S. voters. In each case, a misconfiguration of the S3 buckets left the data freely accessible to anyone via the internet.
Each bucket can have its own specific security settings, which is where the problem begins: the misconfigurations come down to human error.
AWS, like many other cloud providers, has a shared responsibility model. This means Amazon is responsible for the security of the cloud and infrastructure, which includes network, storage, and compute. The customer, on the other hand, is responsible for security of the data in the cloud. When you leave the data open for anyone to read, the exposure is clearly the fault of the customer and not AWS. This is not an AWS-specific problem, but one that applies to any other cloud platform or data repository.
Now, the challenge every organisation needs to consider is that if we leave the buckets open to be read, they are automatically exposed. The risk is greater for data that can be overwritten. If an adversary were to locate a bucket that could be modified, they would have the ability to upload malware into the bucket and overwrite files. In addition, if you were to store code in a repository like this, people could make changes to that too.
Tools are already available on the internet to allow an adversary to easily search your organisation’s buckets using keywords. If the bucket happens to be open to read and/or write, then changes can easily be made.
With most businesses either embarking on or already leveraging cloud to store data, as well as migrate or build applications, every organisation needs to inspect and verify who is accessing its data/applications. Based on recent events, it’s foreseeable that someone will come looking for your information, but it’s up to you to manage the risk. Therefore, you should consider and get answers to the following questions:
- What sensitive data is stored in the cloud, and what kind of impact would there be if the data was exposed?
- Who among your employees and third parties has access to your sensitive data?
- How is the data protected? Does the protection you have in place meet the right level to mitigate risk?
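A defender-side check for the misconfiguration described in this section, as an added example that is not part of the original post: it flags ACL grants and bucket-policy statements that open a bucket to everyone, separating read exposure from write exposure. It assumes input in the shape returned by the S3 GetBucketAcl and GetBucketPolicy APIs; the function names and the sample bucket are hypothetical.

```python
import json

# Predefined S3 grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Coarse split: these action prefixes change data, everything else counts as read.
WRITE_PREFIXES = ("s3:put", "s3:delete", "s3:*", "*")

def as_list(value):
    return value if isinstance(value, list) else [value]

def acl_findings(acl):
    """Yield (level, detail) for every ACL grant made to a public group."""
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            level = "write" if grant["Permission"] in WRITE_PERMS else "read"
            yield level, f"ACL grants {grant['Permission']} to {who}"

def policy_findings(policy):
    """Yield (level, detail) for Allow statements open to every principal."""
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
        # Assumption: a statement that carries a Condition is treated as restricted.
        if stmt.get("Effect") != "Allow" or not wildcard or "Condition" in stmt:
            continue
        for action in as_list(stmt.get("Action", [])):
            write = action.lower().startswith(WRITE_PREFIXES)
            yield ("write" if write else "read"), f"policy allows {action} to everyone"

def audit_bucket(acl, policy_json=None):
    """Return sorted (level, detail) findings for one bucket."""
    findings = list(acl_findings(acl))
    if policy_json:
        findings += policy_findings(json.loads(policy_json))
    return sorted(findings)

# Constructed sample input (made-up owner and bucket), not real data.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Any "write" finding deserves attention first, since it corresponds to the overwrite and malware-upload risk described above.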
2. Data Is the New Oil, and Integrity Is the Key
The basic principles of information security are confidentiality, integrity and availability.
Traditionally, most attacks target confidentiality and availability: an attacker compromises or steals your intellectual property or some form of data you have, and engages in denial-of-service attacks to prevent you from accessing your information and/or systems. Businesses have become so used to looking at these two issues that we may have forgotten about integrity – yet that’s one area in which more challenges are appearing.
Data is the new oil. It propels businesses forward and dictates everything from business operations to the way governments roll out policy. As such, the risks data theft poses are well-understood. However, the dangers of hackers changing their approach and instead choosing to manipulate data are only just becoming clear.
Data integrity is the assurance that information can be accessed or modified only by authorised users. A data integrity attack compromises that assurance with the aim of gaining unauthorised access to modify data for any of a number of reasons, such as financial gain, reputational damage or simply making the data worthless.
Financial markets could be poisoned and collapsed by faulty data, such as through manipulating sales figures to inflate the value of a company’s stock. Utility companies, smart cities and other IoT systems, from traffic lights to the water supply, could be severely disrupted if the data they run on were altered.
Every organisation should begin the conversation now to prevent these types of attacks from being successful. As part of this conversation:
- Educate employees and customers on the steps they should take to remain safe and protect their personal data themselves. This helps build their understanding of how to protect the company’s data.
- Understand what data you have, how it is collected and produced, and where the most sensitive parts of that data sit. It’s crucial to understand what you are trying to protect before you can even think about how to protect it.
- Leverage multi-factor authentication, which provides that extra layer of security should usernames or passwords become compromised. This security measure involves having something you know and something you have, rather than just the former (i.e., a password).
- Utilise encryption to protect sensitive data, whether it is on-premises, in the public cloud, or in a hybrid environment. If someone were to get to your “crown jewels,” it is better to have limited the impact they could have in destroying or modifying the data. Encryption is only as good as the key management strategy employed, and companies must ensure keys are kept safe through steps like storing them in secure hardware modules. It’s no good having the best locks on your house if you leave the house keys under the mat for someone to pass by and take them.