Study: 15 Per Cent of Business Cloud Users Have Been Hacked
An anonymous reader writes Recent research has identified that only one in ten cloud apps are secure enough for enterprise use. According to a report from cloud experts Netskope, organizations are employing an average of over 600 business cloud apps, despite the majority of software posing a high risk of data leak. The company showed that 15% of logins for business apps used by organizations had been breached by hackers. Over 20% of businesses in the Netskope cloud actively used more than 1,000 cloud apps, and over 8% of files in corporate-sanctioned cloud storage apps were in violation of DLP policies, source code, and other policies surrounding confidential and sensitive data. Google Drive, Facebook, Youtube, Twitter and Gmail were among the apps investigated in the Netskope research.
Read the summary, followed the links, ran the numbers. The firm that posted the PRNewswire.com press release obviously offered the Slashdot summary, and there is no solid data or info except "BE AFRAID! (And by the way, we are in the be-less-afraid-,-security-business)." Perhaps there's plenty of discussion to be had on the premise, but the premise arrived via BINSPAM.
Gently reply
I am surprised people were naive to think "cloud" vendors could be trusted with their data.
> The majority were the result of lax user passwords, social engineering, or internal access to systems. Any design around these issues has a direct result of reducing functionality.
I don't know that most of the major incidents were, but let's just assume that's true for a moment. Those are all security. Security is more than just the firewall.
A complete answer would run 600 pages, but here are some solutions in summary.
Lax user pass words - pass words are so 1980. Use pass phrases and keys. Just doing a search and replace to say "pass phrase" or "secret sentence" everywhere we've written "password" would largely solve that problem.
Internal access - has normally been COMPLETELY UNNECESSARY internal access. Snowden didn't need access to all of those documents to do his job, and that's the NSA, an organization that should have good security. Right now at work we're auditing internal access. Everyone should, because in most organizations some people have far, far more access than what makes sense.
Social engineering - test and reward. Call up a few employees at random maybe once per year with a social engineering pen test. Employees who properly refuse to give out sensitive information get a gift card for dinner or some other recognition for doing a good job. Tell employees ahead of time that you plan to do that this year. When the attacker calls, employees will think "maybe this is security calling, here's my chance to show I know better and win".
Those are a few examples. For technical vulnerabilities, it requires changing the mindset from "does the system give good output when fed good input?" to also include "what happens if a bad guy feeds it unexpected input?". My coworkers are slowly starting to realize that if they announce "the new system works, you type your password and it logs you in", I'm going to ask "what happens if I type in SQL code instead of my password?".
Not just what happens when everything goes right, but what happens when things go wrong? This has the side effect of producing far more reliable systems. For example, ALL providers in a certain line of business had the same bug in their software - it would all empty the data file if the disk was full. That's because they all wrote the new version of the data on top of the old. We made patched copies of all their software that gracefully handle disk full. What happens when things aren't as you expect? At work, we had lots of intermittent errors that were hard to track down, so they were just tolerated for years, with people cleaning up the mess they made every week. Asking "what happens if things don't go as expected?" revealed these were concurrency issues that were easily solved. So these security threats are not only solvable, but the changed perspective results in better, more reliable systems, and therefore less time-consuming and error-prone manual handling of errors.
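The disk-full bug in the comment above, as an added example (not code from the thread or from any of the vendors mentioned): the overwrite-in-place pattern beside a write-to-temp-then-rename version, with the full disk simulated by a hypothetical `fail_after` byte budget.

```python
import os
import tempfile

# Constructed example: "disk full" is simulated by a byte budget rather than
# a real full filesystem, so the block runs anywhere.
class DiskFull(OSError):
    pass

def _write_limited(fh, data, fail_after):
    """Write data, raising DiskFull after fail_after bytes (a partial write)."""
    if fail_after is not None and len(data) > fail_after:
        fh.write(data[:fail_after])
        raise DiskFull("no space left on device (simulated)")
    fh.write(data)

def save_in_place(path, data, fail_after=None):
    """The buggy pattern: opening for write truncates the old contents first,
    so a failure mid-write leaves a truncated or empty file behind."""
    with open(path, "wb") as fh:
        _write_limited(fh, data, fail_after)

def save_atomic(path, data, fail_after=None):
    """Write a temp file in the same directory, fsync, then rename over the
    original; the old file is untouched until the new one is complete."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as fh:
            _write_limited(fh, data, fail_after)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic rename on POSIX and Windows
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # clean up the partial temp file, keep the original
        raise

def demo():
    """Run both writers against the simulated full disk; return what each leaves on disk."""
    old, new = b"old record\n", b"new record, longer than before\n"
    results = []
    with tempfile.TemporaryDirectory() as tmpdir:
        for writer in (save_in_place, save_atomic):
            path = os.path.join(tmpdir, writer.__name__ + ".dat")
            with open(path, "wb") as fh:
                fh.write(old)
            try:
                writer(path, new, fail_after=5)
            except DiskFull:
                pass
            with open(path, "rb") as fh:
                results.append(fh.read())
    return tuple(results)
```

`demo()` returns the truncated fragment left by the in-place writer and the intact original left by the atomic writer.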