Slashdot Mirror


Study: 15 Per Cent of Business Cloud Users Have Been Hacked

An anonymous reader writes Recent research has identified that only one in ten cloud apps are secure enough for enterprise use. According to a report from cloud experts Netskope, organizations are employing an average of over 600 business cloud apps, despite the majority of software posing a high risk of data leak. The company showed that 15% of logins for business apps used by organizations had been breached by hackers. Over 20% of businesses in the Netskope cloud actively used more than 1,000 cloud apps, and over 8% of files in corporate-sanctioned cloud storage apps were in violation of DLP policies, source code, and other policies surrounding confidential and sensitive data. Google Drive, Facebook, YouTube, Twitter and Gmail were among the apps investigated in the Netskope research.

72 comments

  1. It's a lie! by Runaway1956 · · Score: 4, Funny

    The vendors have assured us that their servers are secure!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    1. Re:It's a lie! by Anonymous Coward · · Score: 1

      Nah! The servers are secure, it's just the customer's data that isn't!

    2. Re:It's a lie! by MrBigInThePants · · Score: 4, Insightful

      I am sure it was those dastardly cloud people!

      In unrelated news....15% of passwords were set to "password" or similar....

      80% of the data was of little use.

      100% of the data was irrelevant to the well being and/or advancement of humanity.

    3. Re:It's a lie! by Charliemopps · · Score: 3

      The vendors have assured us that their servers are secure!

      You got modded funny, but that's exactly the point. The customer's data is stored in my database. So I don't technically care if that data is stolen... other than the legal liability that would put me under. So I go to the Cloud service and they "assure" me that's secure and sign a contract stating as such. I'm done! It doesn't really matter if it really is secure or not. If the data's lost and the customer sues we point at the vendor.

    4. Re:It's a lie! by Charliemopps · · Score: 0

      I am sure it was those dastardly cloud people!

      In unrelated news....15% of passwords were set to "password" or similar....

      80% of the data was of little use.

      100% of the data was irrelevant to the well being and/or advancement of humanity.

      You have no idea how this works. "Passwords" are not going to be the problem in a hacking event on the scale of an enterprise cloud service. Even with your admin passwords there should be no way for an attacker to get in.

    5. Re:It's a lie! by Rick+Zeman · · Score: 2

      Remember the literal definition of the cloud: "Someone else's server."

    6. Re:It's a lie! by h4ck7h3p14n37 · · Score: 3, Insightful

      It sounds like you're using a crappy vendor. We have a bunch of gear at Rackspace and I have to sign legal waivers when I access certain features of their portal such as the firewall management section. They have never assured me that our systems are secure given I have enough access to make things incredibly insecure.

      Due to the nature of the data that we're working with we are legally obligated (PCI, HIPAA, etc.) to care about it being secure. If something does happen we are required to report a breach and can be fined by the government. We can't simply point to the vendor. Rackspace partners with companies such as Alert Logic (threat/vulnerability management), Imperva (traffic analysis, dynamic ip blocking, etc.) and Vormetric (data-at-rest encryption) in order to help us secure our environment.

    7. Re:It's a lie! by Anonymous Coward · · Score: 0

      Remember the literal definition of the cloud: "Someone else's server."

      And "Someone else's network."
      And "Someone else's storage."

    8. Re:It's a lie! by tlhIngan · · Score: 1

      The vendors have assured us that their servers are secure!

      You joke, but it's perfectly possible that's the case.

      The servers weren't hacked - the user credentials were. After all, you won't believe some of the phishes that get out there, and once they steal credentials, well, it doesn't matter how well the vendor protects the data - the vulnerability will always be stolen credentials.

      Short of having cloud vendors mandate 2-factor security (imagine having to carry around an RSA key just to log into dropbox!), well, there's not much one can do.

      Even SMS based functionality can break - apparently Google refuses to send you SMS if you travel overseas, so if you rely on that for authentication, you're screwed.

    9. Re:It's a lie! by MrBigInThePants · · Score: 1

      lol.

      I do know how it works. And you are waving a VERY broad brush there from a very short high horse.

      And have no sense of humour.

      I will bite my thumb at them, which is disgrace to them if they bear it.

    10. Re:It's a lie! by Charliemopps · · Score: 1

      Right, but you're talking about physical rackspace and not "the cloud" so you're entirely off topic. Why would they ever guarantee the security of a rack slot?

      We're talking about "The cloud" here, which is entirely different. You don't even know where the data is stored. Is it in New York? Chicago? India? All 3 places at once? Do the laws of the country it's stored in make the data available to local authorities without a warrant? Is the vendor hiring temp workers from a country that has poor privacy laws and allowing them to remotely access your data? Just because they signed a contract stating that they wouldn't 4 years ago, does that mean they still abide by that condition? Or even know that it was ever agreed to in the first place?

      Crappy vendor? They're all crappy vendors.

    11. Re:It's a lie! by Anonymous Coward · · Score: 0

      100% of the data was irrelevant to the well being and/or advancement of humanity.

      So what you're telling me is that the hundreds of selfies I took of myself and posted on Farcebook are NOT an advancement of humanity???

      How could you be so cruel.

      BTW if you use Pa33w0rd it's all safe.

  2. Investigated... but were they vulnerable? by Anonymous Coward · · Score: 0

    Investigated... but were they vulnerable?

    1. Re:Investigated... but were they vulnerable? by arglebargle_xiv · · Score: 4, Funny

      I also like the term "not enterprise-ready". What does this mean exactly? They don't have the word "Enterprise" in the product name? They don't cost $50,000 minimum?

      New Netskope report out, now with 27% more statistics showing that 51% of things differ from a previous 37% that you weren't expecting 76% of the time!

  3. But cloud is still good, right? by Anonymous Coward · · Score: 0

    Because that's what they tell me so I'm still using it. Everyone gets hacked and I have nothing to hide. So I don't mind. Cloud FTW!

  4. Passwords ? by Anonymous Coward · · Score: 0

    how much of that is down to stupid passwords ?

  5. Encryption . . . anyone ? by nehumanuscrede · · Score: 1

    It's 2015. . . who the hell puts anything on " The Cloud " without first heavily encrypting it ?

    1. Re:Encryption . . . anyone ? by Anonymous Coward · · Score: 0

      It's 2015. . . who the hell puts anything on " The Cloud " without first heavily encrypting it ?

      I thought that everything put in Cloud was automatically encrypted for me? You are saying it isn't?

    2. Re:Encryption . . . anyone ? by Shados · · Score: 4, Interesting

      If a big part of the service is actually manipulating your data (email, database, charts, data analysis, etc...), then it needs to get decrypted somewhere at some point. The data can be intercepted then.

    3. Re:Encryption . . . anyone ? by dbIII · · Score: 4, Insightful

      It's 2015. . . who the hell puts anything on " The Cloud " without first heavily encrypting it ?

      Your HR department and your payroll staff.

    4. Re: Encryption . . . anyone ? by Anonymous Coward · · Score: 0

      So how are you deploying your keys on the cloud if you don't trust the provider?

    5. Re:Encryption . . . anyone ? by Charliemopps · · Score: 3

      It's 2015. . . who the hell puts anything on " The Cloud " without first heavily encrypting it ?

      That's not going to help. I've administered a lot of these cloud products in my time. The main point is, you don't get to encrypt it yourself.

      You go to the vendor and say: "Encrypt it!"
      Vendor: "Ok! It's done!"
      You: "That was awfully fast, is it really encrypted?"
      Vendor: "Yes!"

      Demand an audit: We audited it and it meets our contract!
      Give us detailed information about XYZ: That's proprietary and/or security related, we can't release it!
      We want to put X in the contract: No, this is our standard contract and the only one we'll sign. Don't like it? Take a hike. By the way, we already have all your data and a migration would cost millions!
      Go to a different service: Here's the same contract that other place had and no we won't alter it.
      Find out it's not encrypted when they said it was: Oh that was a bug or the fault of some admin we fired months ago. It's fixed now, trust us!

      It's virtually impossible to "Secure" a cloud service. I had so many problems with it I finally resigned myself to assuming cloud services have at best barely passable security. So nothing goes in that I'm afraid to lose. Even in the best cases, you have their entire support staff sitting there, probably hundreds or thousands of people, with the ability to reset all your admin passwords and even more direct DB access than you have. Even if it's encrypted, they'll have all the keys. What's worse, they control the firewall and gateways so an attack could be ongoing for weeks or months and you'll have no idea.

  6. Conflict of Interest? by Anonymous Coward · · Score: 1

    A study produced by a company that sells cloud security solutions; how convenient that their findings show everyone needs their product.

    Really /. these posts are just getting sad.

  7. Shit by Anonymous Coward · · Score: 3, Funny

    What if I simply 3D print all my data and use Amazon drones to deliver it to other people? Is that still good? I don't want to be a Luddite!

    1. Re:Shit by Anonymous Coward · · Score: 0

      No, no, you're doing it all wrong, you forgot to coat it in graphene!

  8. Achilles heel of the cloud apps.... by erp_consultant · · Score: 5, Interesting

    I've been around long enough to see things come and go. The current flavor of the month is "cloud". Cloud this, cloud that. Even the behemoths of the ERP world - Oracle and SAP - are making an aggressive push to "the cloud". Companies like Workday and Salesforce are growing at a tremendous rate.

    It all seems very appealing. Say goodbye to multi year implementations and increasingly difficult and costly upgrades. Rent it by the seat rather than making large capital outlays. Fully object oriented design. Open standards vs. proprietary tools. Lots of great benefits.

    But.....

    As Willie Sutton once famously stated when asked why he robbed banks..."because that's where the money is". The data of your company, and other companies in the typical "multi-tenant" configuration is all in the one place. The bad guys know this. They will target these data centers to be sure.

    You are essentially taking your data from an environment you can control (largely) to one you cannot. That is a huge leap of faith.

    I expect that it is only a matter of time before there will be a massive data breach for hosted cloud apps. We're not talking about someone's email account or twitter account. We're talking about an entire database full of SSN's and other personal information getting stolen. Everyone in your company and possibly customer and partner data as well. I don't want to be the one holding that press conference.

    1. Re:Achilles heel of the cloud apps.... by Anonymous Coward · · Score: 0

      I had this conversation many years ago, when Amazon's service was fairly "new", and management had a hard-on for the idea of sending all our applications to "the cloud". I listened, and then said "so you want to put stuff like the ethics investigation system, legal investigation system, payroll/HR data, etc, out on 3rd party servers in who-knows-where, and you're not going to put any thought into the security of it nor what would happen if that data gets out to the world?"

      They "hadn't thought about that". (rolling my eyes).

    2. Re:Achilles heel of the cloud apps.... by Anonymous Coward · · Score: 0

      mr ac, that's not even an argument. why is keeping the data in-house safer? please explain.

    3. Re:Achilles heel of the cloud apps.... by Anonymous Coward · · Score: 0

      I don't see any mention of safety in there. Maybe you can show me? All I saw was a question about accountability.

    4. Re:Achilles heel of the cloud apps.... by afidel · · Score: 3, Interesting

      Control is an illusion, if the folks at RSA can be spear-phished and have their most valuable assets stolen basically anyone can. People are fallible and the bad guys only need one successful attack while the good guys need to defend perfectly. We run a relatively tight shop, no local admin, patches up to date, AV/Antispam on the email gateways, AV and Antimalware on the desktop, IDS/IPS in the firewall with additional IDS by spanning the vlans going to our firewall and the server vlan. What we've found is that we still end up with ~1% of our clients managing to get some kind of infection or infection attempt per month (the attempts are generally where an exploit of some kind succeeded but the payload was stopped by one of the defense layers from actually becoming persistent on the client).

      As far as the point from the article, we're moving to have as many of our cloud apps as possible use our SAML repository for authentication so that we can treat it as much as possible like an extension of our general security stance with password attempt monitoring, rate throttling and attack blocking, user lockout, etc. It doesn't help if the service itself is breached, but it at least stops the more casual authorized user leaks that seem to be one of the more common failures identified.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    5. Re:Achilles heel of the cloud apps.... by Dan667 · · Score: 2

      no one cares about your data as much as you do. On average, companies are willing to put more effort into protecting it than some "cloud" vendor..

    6. Re:Achilles heel of the cloud apps.... by Anonymous Coward · · Score: 0

      mr ac, that's not even an argument. why is keeping the data in-house safer? please explain.

      As the AC you were responding to, I didn't say keeping the data in-house is "safer", what I was commenting on is that management pretty much had read "CIO magazine" or whatever and heard "cloud, cloud, cloud!" and instantly wanted to move to the "new fad", without any real thought into it.

      I'm sure the cloud can be just as secure as anything else, *IF* proper thought/planning/action is put into it. On the flip side, my management was ready to start decommissioning servers and shoving stuff to "the cloud, tomorrow", and I took it as my job to ask the obvious questions they seemed to not be thinking about in their rush to add "the cloud" to their resume for the next job. ... or as we used to joke, the latest 'bungee boss' comes in, launches the department into a 'new direction' based on some grand idea touted by some article, which gets 70% implemented in the next 3 years before he leaves (any more than 3 years in a management job and you're considered "dead", something is "wrong") and the next boss comes in with all new plans that completely throw out all the work of the prior years and get 70% implemented before... you get the idea.

    7. Re:Achilles heel of the cloud apps.... by dave562 · · Score: 1

      SAML repository for authentication so that we can treat it as much as possible like an extension of our general security stance with password attempt monitoring, rate throttling and attack blocking, user lockout, etc.

      You sir, sound like you know what you are doing.

      Do you ever have attempts coming back from any of your vendors?

      Or is the vendor simply passing data back to you about when accounts from your site are used in failed logon attempts to the cloud apps, via whatever their presentation layer is?

    8. Re:Achilles heel of the cloud apps.... by Bearhouse · · Score: 1

      Also, often the cost savings are a myth, especially for larger organisations.
      I ran the numbers for one of my customers recently - an Exec had suddenly decided that since "everyone" else had Salesforce, they must have it too.
      Replacing their existing well-crafted and nicely integrated CRM with SF would have cost a bomb in transition costs, with higher annual maintenance, for LESS functionality.

      Needless to say the boss killed that "good idea" pretty quick.

    9. Re:Achilles heel of the cloud apps.... by Lennie · · Score: 2

      SAML ? Don't make me laugh:

      "In this paper we describe an in-depth analysis of 14 major SAML frameworks and show that 11 of them ... have critical XML Signature wrapping (XSW) vulnerabilities"

      " In order to protect integrity and authenticity of the exchanged SAML assertions, the XML Signature standard is applied. However, the signature verification algorithm is much more complex than in traditional signature formats like PKCS#7. The integrity protection can thus be successfully circumvented by application of different XML Signature specific attacks, under a weak adversarial model."

      https://www.usenix.org/confere...

      --
      New things are always on the horizon
    10. Re:Achilles heel of the cloud apps.... by afidel · · Score: 1

      SAML has all authentication happen at the IDP (user organization side), not at the relying party/service provider, so any login attempts are at your SAML endpoint. In theory you could even not allow passwords at the SAML point at all (if you have all your machines Kerberos joined you could use the Kerberos claim ticket to generate the SAML assertion and not have an alternate fallback authentication method, but for convenience and interoperability that isn't usually the case and there's generally a forms-based login; in our case we have 3rd parties that use our cloud resources and have accounts in our authentication realm but not machines supplied by us, so a forms-based login is a requirement). If an attacker wants to try to brute force one of your logins they have to do it at your SAML endpoint, which you can and really should monitor tightly with all your normal tools; in fact since it's a single source of failure for security (the flipside of single signon) it should be better monitored than your average server.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
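Added example, not afidel's code or any IdP product's: a sliding-window throttle of the kind described in the two comments above, run over constructed login-log lines from a hypothetical SAML IdP endpoint. The log format, thresholds, user names and addresses are all assumptions. Failures are counted per account and per source address separately, because a password spray that tries one guess against many accounts never trips a per-account lockout.

```python
"""Constructed example: sliding-window failed-login throttling at an IdP
endpoint. Log format, thresholds and sample data are assumptions, not from
the thread or any vendor."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed IdP log format: "<ISO timestamp> <src_ip> <user> <LOGIN_OK|LOGIN_FAIL>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

# Constructed sample: a low-and-slow spray against many accounts from one
# address, a burst against a single account from another, and normal traffic.
SAMPLE_LOG = """\
2015-01-06T09:00:00 10.1.1.5 alice LOGIN_OK
2015-01-06T09:00:02 203.0.113.9 alice LOGIN_FAIL
2015-01-06T09:00:03 203.0.113.9 bob LOGIN_FAIL
2015-01-06T09:00:04 203.0.113.9 carol LOGIN_FAIL
2015-01-06T09:00:05 203.0.113.9 dave LOGIN_FAIL
2015-01-06T09:00:06 203.0.113.9 erin LOGIN_FAIL
2015-01-06T09:00:07 203.0.113.9 frank LOGIN_FAIL
2015-01-06T09:01:00 198.51.100.7 bob LOGIN_FAIL
2015-01-06T09:01:01 198.51.100.7 bob LOGIN_FAIL
2015-01-06T09:01:02 198.51.100.7 bob LOGIN_FAIL
2015-01-06T09:01:03 198.51.100.7 bob LOGIN_FAIL
2015-01-06T09:01:04 198.51.100.7 bob LOGIN_FAIL
2015-01-06T09:01:05 198.51.100.7 bob LOGIN_OK
2015-01-06T09:30:00 10.1.1.8 carol LOGIN_FAIL
2015-01-06T09:30:20 10.1.1.8 carol LOGIN_OK
"""

WINDOW = timedelta(minutes=10)
USER_FAIL_LIMIT = 5   # lock the account after 5 failures inside WINDOW
IP_FAIL_LIMIT = 5     # block the source after 5 failures against any accounts inside WINDOW


class LoginThrottle:
    """Sliding-window failure counters keyed by account and by source address."""

    def __init__(self):
        self.user_fail = defaultdict(deque)
        self.ip_fail = defaultdict(deque)
        self.locked_users = set()
        self.blocked_ips = set()
        self.events = []  # (timestamp, kind, key), in the order they fired

    @staticmethod
    def _trim(dq, now):
        # Drop failures that have aged out of the window.
        while dq and now - dq[0] > WINDOW:
            dq.popleft()

    def observe(self, ts, ip, user, ok):
        # A success from an already locked account or blocked address is the
        # most interesting line in the log: the guess may have landed.
        if ok and (user in self.locked_users or ip in self.blocked_ips):
            self.events.append((ts, "SUCCESS_AFTER_LOCK", f"{user}@{ip}"))
        if ok:
            return
        for dq in (self.user_fail[user], self.ip_fail[ip]):
            self._trim(dq, ts)
            dq.append(ts)
        if len(self.user_fail[user]) >= USER_FAIL_LIMIT and user not in self.locked_users:
            self.locked_users.add(user)
            self.events.append((ts, "LOCK_USER", user))
        if len(self.ip_fail[ip]) >= IP_FAIL_LIMIT and ip not in self.blocked_ips:
            self.blocked_ips.add(ip)
            self.events.append((ts, "BLOCK_IP", ip))


def analyze(log_text):
    """Replay a log in order and return the throttle state it produces."""
    throttle = LoginThrottle()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        throttle.observe(ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK")
    return throttle


if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG).events:
        print(*ev)
```

On the sample, the spray from 203.0.113.9 is caught only by the per-address counter (each account sees one failure), the burst against bob trips both counters, and bob's subsequent success from the blocked address is flagged rather than silently accepted. Carol's single failure half an hour later is not counted against the earlier spray, because that failure has aged out of the window.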
    11. Re:Achilles heel of the cloud apps.... by afidel · · Score: 1

      That's cool, and I appreciate the security researchers and their work to strengthen both protocols and implementations, but in the real world the entire conversation happens inside a TLS stream so it's not that easy, not only do you have to insert yourself into the communications path between the user and the resource, but you have to break TLS in realtime. It does increase the scope of attacks like BEAST/CRIME/POODLE a bit, but since that paper is almost 3 years old you would hope that at least the major providers have patched frameworks in place.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    12. Re:Achilles heel of the cloud apps.... by Lennie · · Score: 2

      You might not be aware of what the attack is.

      The attack is about sending specially crafted XML requests/responses to circumvent the checks of the authentication system. Which allow you to login as a user of your choice.

      This has nothing to do with breaking TLS, what you do need is: the username and to know which application (URL) they are allowed to login into.

      --
      New things are always on the horizon
    13. Re:Achilles heel of the cloud apps.... by afidel · · Score: 1

      Uh, no, from the paper they are hijacking an existing challenge/response session with a valid signed SAML assertion but exploiting a weakness where the code that validates the assertion and the code that reads the claim token are not necessarily checking the same part of the response and so they can insert a bogus claim ticket with a valid assertion. This would require intercepting the assertion response and modifying it, and since the whole conversation is within a TLS session it requires some kind of MitM attack.

      But thinking on it further, you could use it as a privilege escalation attack, use a compromised user account to receive a valid assertion but modify your response to include the bogus claim ticket to login as a more privileged account, that's a lot more concerning as it's a lot easier to compromise a single account than pull off a MitM attack.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    14. Re:Achilles heel of the cloud apps.... by Junta · · Score: 1

      Open standards vs. proprietary tools

      Actually, if anything the typical cloud experience doubles down on proprietary tools. Sure the vendor may be availing themselves of open technologies on the backend, but the vast majority of them use proprietary interfaces to interact with their customers.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    15. Re:Achilles heel of the cloud apps.... by Anonymous Coward · · Score: 0

      So you have a basic security stack. You need to add a good PKI implementation with 2FA smartcard/token based authentication for all priv and non-priv accounts.

      Utilize this PKI for encryption of all corporate email internally (bet Sony would like to have done this!), and set a policy that email received from external sources must be digitally signed by a trusted source if the email contains attachments. Otherwise, the email goes to the spam/phish bucket for review.

      Oh yeah, and now you can't do business anymore... ahaha! because 99% of the rest of the world is clueless.

    16. Re:Achilles heel of the cloud apps.... by Anonymous Coward · · Score: 0

      I expect that it is only a matter of time before there will be a massive data breach for hosted cloud apps. We're not talking about someone's email account or twitter account. We're talking about an entire database full of SSN's and other personal information getting stolen. Everyone in your company and possibly customer and partner data as well.

      That shit happens every day, and it's not a risk exclusive to cloud services. This is just fear mongering for the sake of making money.

      The truth is it doesn't matter what sort of infrastructure you invest in, if you're fucking stupid about it and don't follow basic security principles you're just as vulnerable as anyone else.

    17. Re:Achilles heel of the cloud apps.... by Lennie · · Score: 1

      Sorry, my mistake. You are closer to the prerequisites than I was.

      You need a signed assertion:

      https://www.youtube.com/watch?...

      But getting a signed assertion is pretty easy, if it's a cloud service.

      Just sign up.

      Anyway, most implementations have been fixed. I hope. ;-)

      Unless they upgrade or downgrade the XML-parser and break it by accident.

      --
      New things are always on the horizon
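Added example, not code from the USENIX paper Lennie cites or from any SAML library: a simplified XML Signature wrapping (XSW) attack against a SAML-style Response, beside the consumer-side fix. An HMAC over the serialized Assertion stands in for XML-DSig (an assumption made to keep the example self-contained; real XSW targets XML-DSig reference resolution), and the element names, IDs and key are made up. It shows the point the exchange between afidel and Lennie arrives at: the attacker needs only a validly signed assertion for an account they control, no MitM and no TLS break, because the defect is that the code verifying the signature and the code reading the claim resolve to different elements.

```python
"""Constructed XSW example. HMAC stands in for XML-DSig; names and IDs are
assumptions, not from the paper or any SAML implementation."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"assumed-idp-signing-key"  # shared secret standing in for the IdP's RSA key


def sign_assertion(assertion: ET.Element) -> str:
    """IdP side: MAC over the serialized Assertion element (stand-in for XML-DSig)."""
    return hmac.new(IDP_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()


def build_response(name_id: str) -> ET.Element:
    """A legitimate Response: one Assertion and a Signature referencing its ID."""
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, "Assertion", ID="_a1")
    ET.SubElement(assertion, "NameID").text = name_id
    sig = ET.SubElement(resp, "Signature", Reference="_a1")
    sig.text = sign_assertion(assertion)
    return resp


def wrap_attack(resp: ET.Element, forged_name_id: str, forged_id="_a1") -> ET.Element:
    """Attacker side, needing only a signed Response for their own account:
    move the genuine Assertion under an element the consumer ignores and put a
    forged Assertion where the consumer will look first. The genuine element is
    untouched, so its signature still verifies."""
    attacked = copy.deepcopy(resp)
    genuine = attacked.find("Assertion")
    attacked.remove(genuine)
    wrapper = ET.Element("Extensions")
    wrapper.append(genuine)
    forged = ET.Element("Assertion")
    if forged_id is not None:
        forged.set("ID", forged_id)  # same ID as the signed element
    ET.SubElement(forged, "NameID").text = forged_name_id
    attacked.insert(0, forged)   # forged assertion first in document order
    attacked.append(wrapper)     # signed assertion still present, just relocated
    return attacked


def vulnerable_consumer(resp: ET.Element) -> str:
    """SP side, flawed: signature check and claim extraction use different lookups."""
    sig = resp.find("Signature")
    ref, mac = sig.get("Reference"), sig.text
    # Verification: accept if any Assertion carrying the referenced ID verifies.
    verified = any(
        hmac.compare_digest(sign_assertion(el), mac)
        for el in resp.iter("Assertion") if el.get("ID") == ref
    )
    if not verified:
        raise ValueError("bad signature")
    # Extraction: first Assertion in document order, not the element just verified.
    return resp.find("Assertion/NameID").text


def hardened_consumer(resp: ET.Element) -> str:
    """SP side, fixed: exactly one element may carry the referenced ID, it must be
    a top-level Assertion, the signature is checked on it, and the claim is read
    from that same element."""
    sig = resp.find("Signature")
    ref, mac = sig.get("Reference"), sig.text
    candidates = [el for el in resp.iter() if el.get("ID") == ref]
    if len(candidates) != 1:
        raise ValueError("referenced ID is missing or ambiguous")
    signed = candidates[0]
    if signed.tag != "Assertion" or signed not in list(resp):
        raise ValueError("signed element is not a top-level Assertion")
    if not hmac.compare_digest(sign_assertion(signed), mac):
        raise ValueError("bad signature")
    return signed.find("NameID").text


if __name__ == "__main__":
    legit = build_response("alice")
    attacked = wrap_attack(legit, "admin")
    print("vulnerable, legitimate:", vulnerable_consumer(legit))
    print("vulnerable, wrapped   :", vulnerable_consumer(attacked))
    print("hardened,   legitimate:", hardened_consumer(legit))
    try:
        hardened_consumer(attacked)
    except ValueError as e:
        print("hardened,   wrapped   : rejected,", e)
```

The vulnerable consumer logs the attacker in as "admin" on a Response whose only signature is the IdP's genuine one. The hardened consumer rejects the same-ID variant because the reference is ambiguous, and if the attacker drops the ID from the forged element instead, the only match is the relocated genuine assertion, which fails the top-level check. In production the right move is a maintained SAML library kept current, as Lennie says; the example only makes the structural bug visible.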
    18. Re:Achilles heel of the cloud apps.... by erp_consultant · · Score: 1

      Yes, good observation. I have found that to be true also.

  9. true, but daily hacks by raymorris · · Score: 4, Insightful

    You make a good point. Also, every other day we see another story of "XXX million lost in hack".

    It's become so frequent we almost get completely numb to it. A week ago, someone posted here that Microsoft hadn't had any significant issues in a while - 48 hours after their Xbox network was taken down for several days. Having the whole network down for a several days is so common that we forget all about it a couple of days later. That's how common major security issues are right now. We need to make some significant changes in how we develop systems.

    1. Re:true, but daily hacks by thegarbz · · Score: 2

      Yes but how? Wasn't the Microsoft outage the result of a co-ordinated DDoS? It doesn't matter if you make the world's most secure system it won't deal with that kind of assault. Do we re-design the internet to prevent them?

      Very few of the hacks in the past x number of years were actual hacks using exploits. The majority were the result of lax user passwords, social engineering, or internal access to systems. Any design around these issues has a direct result of reducing functionality.

    2. Re:true, but daily hacks by Lennie · · Score: 1

      Also as a foreigner I'm now 100% sure I can't put my data in a US cloud:

      http://media.ccc.de/browse/con...

      --
      New things are always on the horizon
  10. Slashdot Has Been Hacked by PRNewswire.com by retroworks · · Score: 4, Informative

    Read the Summary, followed the links, ran the numbers. The firm that posted the PRNewswire.com press release obviously offered the Slashdot summary, and there is no solid data or info except "BE AFRAID!" (and by the way, we are in the be-less-afraid security business). Perhaps there's plenty of discussion to be had on the premise, but the premise arrived via BINSPAM.

    --
    Gently reply
    1. Re:Slashdot Has Been Hacked by PRNewswire.com by Anonymous Coward · · Score: 0

      And no mention of Microsoft's cloud offerings, only Google, etc. Hmm.

  11. Press-Release-Dot by Anonymous Coward · · Score: 0

    The summary should have read "Some company wants to scare you into buying their product."

    This is ridiculous - it's not news, and it sure as shit isn't for nerds.

  12. Re:Achilles heel of the cloud apps.... AND? by retroworks · · Score: 1

    "As Willie Sutton once famously stated when asked why he robbed banks... 'because that's where the money is'." ...AND?

    AND the people who listened to famous Willie Sutton put their money under their mattresses? Was the money in the mattress more secure than the bank? Were they robbed by locals and it was never reported in the "study"? Is locally stored data more secure than the Cloud? Willie Sutton is a great spokesperson for PRNewswire.com promotion of their cloud security.. "AND?"

    --
    Gently reply
  13. no one cares about your data as much as you do by Dan667 · · Score: 3, Informative

    I am surprised people were naive to think "cloud" vendors could be trusted with their data.

    1. Re:no one cares about your data as much as you do by MobyDisk · · Score: 1

      I am surprised people were naive to think "cloud" vendors could be trusted with their data.

      You are assuming that the cloud vendors are at fault, but the article doesn't really pin the blame on anyone. Everyone's knee-jerk reaction is to blame the vendor, but who really is at fault here?

      The article talks about business users sharing files inappropriately, like opening them up publicly or storing files like source code on the cloud which is often in violation of the policies. It says that 15% of business users' accounts have been compromised, but it doesn't say why or how. So we don't know if the cloud vendor was the one at fault, or if it was the users' fault. Looking at the top cloud apps they are listing, they are things like Google Drive, Facebook, and YouTube. So far I don't think there have been any major compromises to these apps, so that indicates that the problem is more likely on the users' side. I wonder if the real report says that.

  14. Re:Achilles heel of the cloud apps.... AND? by Anonymous Coward · · Score: 0

    Well, before the government stepped in with deposit insurance, mattresses were indeed safer than banks.

    Perhaps an understanding of history would help?

  15. Re:Achilles heel of the cloud apps.... AND? by Anonymous Coward · · Score: 0

    Well, before the government stepped in with deposit insurance, mattresses were indeed safer than banks.

    Perhaps an understanding of history would help?

    Given the 'resolution' they just passed to fund the government, including a little bit letting the banks gamble with your FDIC "insured" bank deposits - effectively making you, the taxpayer, liable for the banks going to Vegas, betting 30x what they actually have (leveraged) on red, losing... and you get to bail them out... and given that you earn 0.01% on whatever you *do* put in the bank anyways, it's pretty easily arguable that even today the mattress is safer than the banks.

  16. can't be true by Tablizer · · Score: 1

    That's completely and utterly ridic^~ %`4& --FREE V1AGRA! @ wanker7.com

  17. Cloud Security is a Bitch by dave562 · · Score: 1

    A typical SaaS vendor has numerous clients, all with varying levels of sophistication in their password and identity management procedures.

    As if the need to ensure tenant isolation does not put enough pressure on the architects, they also have to worry about how well their customers are securing their own staff. The smart ones are doing Federation for predictable data transfers, and two-factor to secure the application layer. Even then, the legal people still make them sign disclaimers that ultimately, data breaches due to compromised credentials are the responsibility of the authorized bearer of the credentials.

    It sucks to have to secure a slew of web servers, especially for those who have to run LOB apps on Windows platforms. VDI is being used pretty heavily on that front to prevent information leakages. It's cheaper to spin up a session for them via a webpage, than it is to trust that their client is secure. Not to mention easier to maintain and troubleshoot. Staff can shunt the user to a clean session, shadow it, hold the user's hand through whatever.

    On the plus side, with a good cloud provider, when your datas get pwnt, it is replicated somewhere else. Maybe even on tape in some cold, humidity controlled warehouse. Because no matter how good security is, sooner or later, it will get compromised.

    At that point though, it is all about RTO/RPO which is outside the scope of security. BTW even with LTO6, restore rates from cold storage still blow.

  18. protecting against those IS security by raymorris · · Score: 3, Informative

    > The majority were the result of lax user passwords, social engineering, or internal access to systems. Any design around these issues has a direct result of reducing functionality.

    I don't know that most of the major incidents were, but let's just assume that's true for a moment. Those are all security. Security is more than just the firewall.

    A complete answer would run 600 pages, but here are some solutions in summary.

    Lax user pass words - pass words are so 1980. Use pass phrases and keys. Just doing a search and replace to say "pass phrase" or "secret sentence" everywhere we've written "password" would largely solve that problem.

    Internal access - has normally been COMPLETELY UNNECESSARY internal access. Snowden didn't need access to all of those documents to do his job, and that's the NSA, an organization that should have good security. Right now at work we're auditing internal access. Everyone should, because in most organizations some people have far, far more access than what makes sense.

    Social engineering - test and reward. Call up a few employees at random maybe once per year with a social engineering pen test. Employees who properly refuse to give out sensitive information get a gift card for dinner or some other recognition for doing a good job. Tell employees ahead of time that you plan to do that this year. When the attacker calls, employees will think "maybe this is security calling, here's my chance to show I know better and win".

    Those are a few examples. For technical vulnerabilities, it requires changing the mindset from "does the system give good output when fed good input?" to also include "what happens if a bad guy feeds it unexpected input?". My coworkers are slowly starting to realize that if they announce "the new system works, you type your password and it logs you in", I'm going to ask "what happens if I type in SQL code instead of my password?".

    Not just what happens when everything goes right, but what happens when things go wrong? This has the side effect of producing far more reliable systems. For example, ALL providers in a certain line of business had the same bug in their software - it would all empty the data file if the disk was full. That's because they all wrote the new version of the data on top of the old. We made patched copies of all their software that gracefully handle disk full. What happens when things aren't as you expect? At work, we had lots of intermittent errors that were hard to track down, so they were just tolerated for years, with people cleaning up the mess they made every week. Asking "what happens if things don't go as expected?" revealed these were concurrency issues that were easily solved. So these security threats are not only solvable, but the changed perspective results in better, more reliable systems, and therefore less time-consuming and error-prone manual handling of errors.
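
    The disk-full bug described above, as an added example that is not part of the comment or of any vendor's software: a naive writer that truncates the data file before writing (so ENOSPC leaves it empty or partial) next to a write-temp-then-rename version that leaves the old data intact when the write fails. The `disk_full_writer` hook is a constructed stand-in for a full disk.

```python
import errno
import os
import tempfile

def write_all(f, data):
    f.write(data)

def disk_full_writer(f, data):
    # Constructed failure: emulate the disk filling up after a partial write.
    f.write(data[: len(data) // 2])
    raise OSError(errno.ENOSPC, os.strerror(errno.ENOSPC))

def overwrite_in_place(path, data, writer=write_all):
    # The buggy pattern: open(..., "wb") truncates the old contents first,
    # so a failed write leaves nothing (or half a file) behind.
    with open(path, "wb") as f:
        writer(f, data)

def replace_atomically(path, data, writer=write_all):
    # Hardened pattern: write a temp file in the same directory, fsync it,
    # then rename over the original. The old file survives any failure
    # before the rename, and the rename itself is atomic.
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            writer(f, data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)  # never leave a half-written temp file around
        except OSError:
            pass
        raise

def demo(tmpdir=None):
    """Run both writers against a full disk; return what each file holds afterwards."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    old = b"customer,balance\nalice,100\n"              # constructed sample data
    new = b"customer,balance\nalice,100\nbob,250\n"
    naive, safe = (os.path.join(tmpdir, n) for n in ("naive.csv", "safe.csv"))
    for p in (naive, safe):
        with open(p, "wb") as f:
            f.write(old)
    for fn, p in ((overwrite_in_place, naive), (replace_atomically, safe)):
        try:
            fn(p, new, disk_full_writer)
        except OSError:
            pass  # the caller can retry; the question is what is on disk now
    leftovers = [n for n in os.listdir(tmpdir) if n.startswith(".tmp-")]
    return {"old": old, "new": new, "naive": open(naive, "rb").read(),
            "safe": open(safe, "rb").read(), "leftover_tmp": leftovers}
```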

    1. Re:protecting against those IS security by Buchenskjoll · · Score: 1

      Is that you, Bobby Tables?

      --
      -- Make America hate again!
    2. Re:protecting against those IS security by thegarbz · · Score: 1

      So we're talking about the same thing, designing better systems meaning the entire security ecosystem within a company.

      Unfortunately the social engineering aspect is hard. Very hard. Extremely hard. I work for a major in the oil and gas industry and we have monthly internal phishing emails which are staged by IT&S and education campaigns etc and they send around the stats that some 3% of employees STILL fall for the "The manager has awarded you an iPad, click on this website and enter your login details" trick.

      Designing such a system is not as easy as code reviews and eliminating bugs through careful programming.

      The other thing I was talking about with Internal Access was not necessarily having employees have internal access but the idea of "trust". I've been working where I am for 6 years now. Security no longer check me when I walk in and out. I know every guard by name, I've even attended one of their birthday parties. I get waved through, everything because I'm familiar. But why? I'm no more senior now, I'm still working in the same department, all in all nothing has changed, yet because I work there and because I have done so for many years no one questions me anymore. The same is true for IT systems. What used to be long approval processes is now a quick tick and flick exercise because everyone knows me, and with knowing someone comes an inherent idea of "trust" despite the fact that few people can really say they know someone on a truly personal level.

      Snowden's access levels may have been unnecessary. They may even have been restricted. But that won't necessarily stop someone if he goes up to a lowly employee of another department that he knows and sweet talks his way to accessing the files.

      Just designing the IT system itself is really a tip of the iceberg.

  19. Recent cyber-hacker-research has shown that by Anonymous Coward · · Score: 0

    cyber-space is in fact infected with cyber-bogeymen that do cyber-hack the cyber-gibson with virtual abandon, leaving virtually every cyber-business in the cyber-cloud hacked to the cyber-bits by virtually unnamed cyber-hackers in the virtual cyber-cloud-space.

    This is "research" these days. These are the days of the virtual cyber-hacker cloud!

  20. "Per Cent"? by l0n3s0m3phr34k · · Score: 0

    So, we're using UK English now? In the US, that's spelled "percent". Are we going to start seeing per centage and per centile too? The 1700's just called and said they want Slashdot to stop using their archaic spellings.

    1. Re:"Per Cent"? by Buchenskjoll · · Score: 1

      Maybe Anonymous User is British? I consider SlashDot an international news site, not an American one. If you want to complain about language start with all jerks mixing up then and than.

      --
      -- Make America hate again!
  21. "daily hacks" mean nothing by Anonymous Coward · · Score: 0

    They're the "cyber" codeword for "it wasn't us, it was dem cyberbogeymen of dem intarwebbertubes!"

    It doesn't mean anything other than "standard generic excuse #1337". It's empty. Keep talking about "hacks" and "hacking" and "hackers" and all you're doing is perpetuating the myth that computer security can not get better than it already is. That we've reached the pinnacle of the shitpile and cannot ever get off again. You'd be playing right into the industry's FUD. Which is expensive but still very handy for the rest of the industry: Just claim "hackers did it", then run to some security company and very publicly buy a hackton of digital indulgences. "See? All better now!"

    In fact, there are laws against "computer hacking" (curiously left undefined in the law) that can be brought to bear against just about anything and anyone as long as some form of "computing device" (which is what, exactly? do "terrorist watches" qualify? they count numbers, don't they?) is involved, and often lead to people getting cut off from the internet, their freedom, both, for years, not unlikely for nothing more than vague allegations without proof whatsoever. Such is the power of vague words deliberately left undefined.

    It isn't that they're so frequent. It's that the wording deliberately means nothing. Yes, that's right, "hack", "hacker", and "hacking" are now doomy vague words of vague doomy doom of vagueness. The. Words. They. Mean. Nothing.

    So the first thing we need is to stop using those words entirely. Then we can start to talk about what we could and should be doing instead.

  22. Encrypted computing is possible, if limited by Lennie · · Score: 2

    You can do some computational things on encrypted data, like create a database, which obviously adds some overhead. For example cryptdb:
    http://css.csail.mit.edu/crypt...

    And built an application which then decrypts the data on the client when the user needs access to it, for example there is Mylar from the same research group as the database above:
    https://css.csail.mit.edu/myla...

    --
    New things are always on the horizon
    1. Re:Encrypted computing is possible, if limited by Charliemopps · · Score: 1

      You can do some computational things on encrypted data, like create a database, which obviously adds some overhead. For example cryptdb:
      http://css.csail.mit.edu/crypt...

      And built an application which then decrypts the data on the client when the user needs access to it, for example there is Mylar from the same research group as the database above:
      https://css.csail.mit.edu/myla...

      I don't think you've ever used Cloud software. The entire point of it is to move development and maintenance outside your organization. Yes, I could upload encrypted data to "The cloud" and then write my own database and front end for it. But that would defeat the entire point of putting it in the cloud in the first place. What you're describing is basically just an online data backup. No-one really needs that.

      Let's say you're a small non-profit and you want to create a ticketing system to track donations. Buying anything at all... that you'd host locally would cost a fortune. You could get a free/open source app, but that doesn't come with any support or guarantee that the product will even still be developed a year from now, and you don't have the resources to continue development should you need to.

      You can go get a Cloud based SaaS ticketing system relatively cheap. They maintain everything for you. And if you need a special customization they have developers on staff year round ready to jump on your request. But is your data secure? You have no idea. You can write it into the contract, you can do audits, but you never really know. In fact, it's not possible to know. And being a small non-profit you don't have the clout to force a better contract on them or anyone else. All the contracts come with NDA's embedded so you can't even rely on other companies to report problems with the vendor. It's literally a black box that your data goes in and out of, and what happens inside that box is mostly a mystery to you.

    2. Re:Encrypted computing is possible, if limited by Lennie · · Score: 1

      There are so many definitions of cloud.

      The above mentioned solution could be based on open source software (the research project is open source).

      In a similar fashion to how Wordpress is currently hosted, you get updates from the vendor (WordPress), not from the hoster, but in the case above with encrypted data.

      Yes, SaaS providers will pretty much never go for it, because dealing with encryption means extra work for them.

      I was just pointing out it isn't completely impossible. Because that is what most people assume.

      --
      New things are always on the horizon
  23. Make your own cloud by Anonymous Coward · · Score: 0

    Once upon a time businesses had their own clouds - back then they were simply called "servers", and they were in another room called "the server room". When and why did this change? Are we all so lazy now that we can't look after our own data, files, apps and so on? A good old terminal server set-up preferably Linux, on or offsite access, and a good IT team. That's all you need.

    1. Re:Make your own cloud by Anonymous Coward · · Score: 0

      The dark dreary server room. We had one of those, not sure what was lurking in it. Now it's called the Server Farm. Runs some legacy WTS and the rest is Red Hat. Access via NX server

  24. The 'cost savings' by Junta · · Score: 1

    Your point is a big part of why management should be very careful about apparent 'cost savings'. In a large amount of cases, management is chasing a buzzword more than carefully examining what comprises their budget for in-house versus cloud hosted.

    Part of the cost savings of the cloud operator is having them do things to the data that most companies would never approve for themselves. Additionally, only a relatively small portion of the expense is moved 'to the cloud'. A lot of work still *should* happen that is lumped into the presumed cost of being internal versus external. So either a new budget starts growing to cover the cost previously not broken out or work stops happening that may critically matter.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  25. Shocking ... by Cassini2 · · Score: 1

    The level of network hacking against servers and internet systems is somewhat astonishing, and not widely known outside the industry.

    I did a small project where a small company wanted to monitor our equipment on a very small fleet of cars. One day, I discovered we were getting telemetry data from our cars. This created much excitement and surprise in the office, as no one was supposed to be driving any of our cars. After a bit more work, I discovered the car in question was in China. Now that was a surprise ...

  26. MONEY = "BONUSES" & expense accounts by Anonymous Coward · · Score: 0

    Businesses don't want the added payroll, insurances/benefits etc. - et al: So they got rid of those (& gave their top mgt. raises & expense accounts larger than many companies' entire payrolls, lol...!).

    * There's your answer: The era of the MBA & outsourcing/offshoring, when the "Holy $" is THEIR God...

    APK

    P.S.=> A relative told me once "Well, a business can choose to live or die" well, when I see the mgt. get many Many, MANY times the wage & then bonuses + golden parachutes of their AVERAGE employee? That's not choosing to live or die: That's killing it & raping it @ the hands of the few in upper mgt. & boards of directors etc. far faster than paying to have good workers onboard steady that you can see & trust vs. paying & retaining folks longterm (unions for it workers etc. in general, ARE needed - bigtime)...

    ... apk