Slashdot Mirror


Study: 15 Per Cent of Business Cloud Users Have Been Hacked

An anonymous reader writes: Recent research has identified that only one in ten cloud apps are secure enough for enterprise use. According to a report from cloud experts Netskope, organizations are employing an average of over 600 business cloud apps, despite the majority of software posing a high risk of data leak. The company showed that 15% of logins for business apps used by organizations had been breached by hackers. Over 20% of businesses in the Netskope cloud actively used more than 1,000 cloud apps, and over 8% of files in corporate-sanctioned cloud storage apps were in violation of DLP policies, source code, and other policies surrounding confidential and sensitive data. Google Drive, Facebook, YouTube, Twitter and Gmail were among the apps investigated in the Netskope research.

21 of 72 comments

  1. It's a lie! by Runaway1956 · · Score: 4, Funny

    The vendors have assured us that their servers are secure!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    1. Re:It's a lie! by MrBigInThePants · · Score: 4, Insightful

      I am sure it was those dastardly cloud people!

      In unrelated news....15% of passwords were set to "password" or similar....

      80% of the data was of little use.

      100% of the data was irrelevant to the well being and/or advancement of humanity.

    2. Re:It's a lie! by Charliemopps · · Score: 3

      > The vendors have assured us that their servers are secure!

      You got modded funny, but that's exactly the point. The customers' data is stored in my database. So I don't technically care if that data is stolen... other than the legal liability that would put me under. So I go to the Cloud service and they "assure" me that it's secure and sign a contract stating as such. I'm done! It doesn't really matter if it really is secure or not. If the data's lost and the customer sues, we point at the vendor.

    3. Re:It's a lie! by Rick+Zeman · · Score: 2

      Remember the literal definition of the cloud: "Someone else's server."

    4. Re:It's a lie! by h4ck7h3p14n37 · · Score: 3, Insightful

      It sounds like you're using a crappy vendor. We have a bunch of gear at Rackspace and I have to sign legal waivers when I access certain features of their portal such as the firewall management section. They have never assured me that our systems are secure given I have enough access to make things incredibly insecure.

      Due to the nature of the data that we're working with we are legally obligated (PCI, HIPAA, etc.) to care about it being secure. If something does happen we are required to report a breach and can be fined by the government. We can't simply point to the vendor. Rackspace partners with companies such as Alert Logic (threat/vulnerability management), Imperva (traffic analysis, dynamic ip blocking, etc.) and Vormetric (data-at-rest encryption) in order to help us secure our environment.

  2. Shit by Anonymous Coward · · Score: 3, Funny

    What if I simply 3D print all my data and use Amazon drones to deliver it to other people? Is that still good? I don't want to be a Luddite!

  3. Achilles heel of the cloud apps.... by erp_consultant · · Score: 5, Interesting

    I've been around long enough to see things come and go. The current flavor of the month is "cloud". Cloud this, cloud that. Even the behemoths of the ERP world - Oracle and SAP - are making an aggressive push to "the cloud". Companies like Workday and Salesforce are growing at a tremendous rate.

    It all seems very appealing. Say goodbye to multi year implementations and increasingly difficult and costly upgrades. Rent it by the seat rather than making large capital outlays. Fully object oriented design. Open standards vs. proprietary tools. Lots of great benefits.

    But.....

    As Willie Sutton once famously stated when asked why he robbed banks..."because that's where the money is". The data of your company, and other companies in the typical "multi-tenant" configuration is all in the one place. The bad guys know this. They will target these data centers to be sure.

    You are essentially taking your data from an environment you can control (largely) to one you cannot. That is a huge leap of faith.

    I expect that it is only a matter of time before there will be a massive data breach for hosted cloud apps. We're not talking about someone's email account or Twitter account. We're talking about an entire database full of SSNs and other personal information getting stolen. Everyone in your company and possibly customer and partner data as well. I don't want to be the one holding that press conference.

    1. Re:Achilles heel of the cloud apps.... by afidel · · Score: 3, Interesting

      Control is an illusion. If the folks at RSA can be spearphished and have their most valuable assets stolen, basically anyone can. People are fallible and the bad guys only need one successful attack while the good guys need to defend perfectly. We run a relatively tight shop: no local admin, patches up to date, AV/antispam on the email gateways, AV and antimalware on the desktop, IDS/IPS in the firewall with additional IDS by spanning the VLANs going to our firewall and the server VLAN. What we've found is that we still end up with ~1% of our clients managing to get some kind of infection or infection attempt per month (the attempts are generally where an exploit of some kind succeeded but the payload was stopped by one of the defense layers from actually becoming persistent on the client).

      As far as the point from the article, we're moving to have as many of our cloud apps as possible use our SAML repository for authentication so that we can treat it as much as possible like an extension of our general security stance with password attempt monitoring, rate throttling and attack blocking, user lockout, etc. It doesn't help if the service itself is breached, but it at least stops the more casual authorized user leaks that seem to be one of the more common failures identified.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Achilles heel of the cloud apps.... by Dan667 · · Score: 2

      No one cares about your data as much as you do. On average, companies are willing to put more effort into protecting it than some "cloud" vendor.

    3. Re:Achilles heel of the cloud apps.... by Lennie · · Score: 2

      SAML? Don't make me laugh:

      "In this paper we describe an in-depth analysis of 14 major SAML frameworks and show that 11 of them ... have critical XML Signature wrapping (XSW) vulnerabilities"

      " In order to protect integrity and authenticity of the exchanged SAML assertions, the XML Signature standard is applied. However, the signature verification algorithm is much more complex than in traditional signature formats like PKCS#7. The integrity protection can thus be successfully circumvented by application of different XML Signature specific attacks, under a weak adversarial model."

      https://www.usenix.org/confere...

      --
      New things are always on the horizon
    4. Re:Achilles heel of the cloud apps.... by Lennie · · Score: 2

      You might not be aware of what the attack is.

      The attack is about sending specially crafted XML requests/responses to circumvent the checks of the authentication system, which allows you to log in as a user of your choice.

      This has nothing to do with breaking TLS. What you do need is the username and to know which application (URL) they are allowed to log in to.

      --
      New things are always on the horizon
  4. true, but daily hacks by raymorris · · Score: 4, Insightful

    You make a good point. Also, every other day we see another story of "XXX million lost in hack".

    It's become so frequent we almost get completely numb to it. A week ago, someone posted here that Microsoft hadn't had any significant issues in a while - 48 hours after their Xbox network was taken down for several days. Having the whole network down for several days is so common that we forget all about it a couple of days later. That's how common major security issues are right now. We need to make some significant changes in how we develop systems.

    1. Re:true, but daily hacks by thegarbz · · Score: 2

      Yes, but how? Wasn't the Microsoft outage the result of a co-ordinated DDoS? It doesn't matter if you make the world's most secure system, it won't deal with that kind of assault. Do we re-design the internet to prevent them?

      Very few of the hacks in the past x number of years were actual hacks using exploits. The majority were the result of lax user passwords, social engineering, or internal access to systems. Any design around these issues has a direct result of reducing functionality.

  5. Slashdot Has Been Hacked by PRNewswire.com by retroworks · · Score: 4, Informative

    Read the summary, followed the links, ran the numbers. The firm that posted the PRNewswire.com press release obviously offered the Slashdot summary, and there is no solid data or info except "BE AFRAID! (And by the way, we are in the be-less-afraid-,-security-business)." Perhaps there's plenty of discussion to be had on the premise, but the premise arrived via BINSPAM.

    --
    Gently reply
  6. Re:Encryption . . . anyone ? by Shados · · Score: 4, Interesting

    If a big part of the service is actually manipulating your data (email, database, charts, data analysis, etc...), then it needs to get decrypted somewhere at some point. The data can be intercepted then.

  7. no one cares about your data as much as you do by Dan667 · · Score: 3, Informative

    I am surprised people were naive to think "cloud" vendors could be trusted with their data.

  8. Re:Encryption . . . anyone ? by dbIII · · Score: 4, Insightful

    > It's 2015. . . who the hell puts anything on " The Cloud " without first heavily encrypting it ?

    Your HR department and your payroll staff.

  9. Re:Investigated... but were they vulnerable? by arglebargle_xiv · · Score: 4, Funny

    I also like the term "not enterprise-ready". What does this mean exactly? They don't have the word "Enterprise" in the product name? They don't cost $50,000 minimum?

    New Netskope report out, now with 27% more statistics showing that 51% of things differ from a previous 37% that you weren't expecting 76% of the time!

  10. protecting against those IS security by raymorris · · Score: 3, Informative

    > The majority were the result of lax user passwords, social engineering, or internal access to systems. Any design around these issues has a direct result of reducing functionality.

    I don't know that most of the major incidents were, but let's just assume that's true for a moment. Those are all security. Security is more than just the firewall.

    A complete answer would run 600 pages, but here are some solutions in summary.

    Lax user pass words - pass words are so 1980. Use pass phrases and keys. Just doing a search and replace to say "pass phrase" or "secret sentence" everywhere we've written "password" would largely solve that problem.

    Internal access - has normally been COMPLETELY UNNECESSARY internal access. Snowden didn't need access to all of those documents to do his job, and that's the NSA, an organization that should have good security. Right now at work we're auditing internal access. Everyone should, because in most organizations some people have far, far more access than what makes sense.

    Social engineering - test and reward. Call up a few employees at random maybe once per year with a social engineering pen test. Employees who properly refuse to give out sensitive information get a gift card for dinner or some other recognition for doing a good job. Tell employees ahead of time that you plan to do that this year. When the attacker calls, employees will think "maybe this is security calling, here's my chance to show I know better and win".

    Those are a few examples. For technical vulnerabilities, it requires changing the mindset from "does the system give good output when fed good input?" to also include "what happens if a bad guy feeds it unexpected input?". My coworkers are slowly starting to realize that if they announce "the new system works, you type your password and it logs you in", I'm going to ask "what happens if I type in SQL code instead of my password?".

    Not just what happens when everything goes right, but what happens when things go wrong? This has the side effect of producing far more reliable systems. For example, ALL providers in a certain line of business had the same bug in their software - it would all empty the data file if the disk was full. That's because they all wrote the new version of the data on top of the old. We made patched copies of all their software that gracefully handle disk full. What happens when things aren't as you expect? At work, we had lots of intermittent errors that were hard to track down, so they were just tolerated for years, with people cleaning up the mess they made every week. Asking "what happens if things don't go as expected?" revealed these were concurrency issues that were easily solved. So these security threats are not only solvable, but the changed perspective results in better, more reliable systems, and therefore less time-consuming and error-prone manual handling of errors.
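The disk-full failure described in the comment above, reproduced as an added example (not code from the thread or from any of the vendors mentioned): the fragile "write the new version on top of the old" pattern beside the temp-file-and-rename replacement that survives a mid-write failure. The disk-full condition is simulated with an injected ENOSPC error; the file names and the helper functions are constructed for the demo.

```python
import errno
import os
import tempfile


def _write_bytes(f, data, fail_after=None):
    """Write data to f. If fail_after is set, write that many bytes and then
    raise ENOSPC, simulating the disk filling up mid-write (constructed fault
    injection; a real full disk raises the same OSError from write())."""
    if fail_after is not None and fail_after < len(data):
        f.write(data[:fail_after])
        raise OSError(errno.ENOSPC, os.strerror(errno.ENOSPC))
    f.write(data)


def save_in_place(path, data, fail_after=None):
    """The fragile pattern: open(..., 'wb') truncates the old contents at once,
    so a failed write leaves a partial or empty file and the old data is gone."""
    with open(path, "wb") as f:
        _write_bytes(f, data, fail_after)


def save_atomic(path, data, fail_after=None):
    """Write to a temp file in the same directory, fsync it, then rename it
    over the original. Until os.replace() succeeds the old file is untouched,
    so a failure at any point leaves the previous version readable."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            _write_bytes(f, data, fail_after)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX and on NTFS
    except BaseException:
        if os.path.exists(tmp):  # do not leave the half-written temp file behind
            os.unlink(tmp)
        raise


def contents_after_disk_full(saver):
    """Save once successfully, then save again with the disk 'full' before any
    byte is written, and return what the saver left on disk."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "records.dat")
        saver(path, b"old-record-v1")
        try:
            saver(path, b"new-record-v2", fail_after=0)
        except OSError as e:
            assert e.errno == errno.ENOSPC
        with open(path, "rb") as f:
            return f.read()
```

`contents_after_disk_full(save_in_place)` returns an empty file, which is the bug the comment describes; `contents_after_disk_full(save_atomic)` still returns the old record.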

  11. Encrypted computing is possible, if limited by Lennie · · Score: 2

    You can do some computational things on encrypted data, like create a database, which obviously adds some overhead. For example cryptdb:
    http://css.csail.mit.edu/crypt...

    And build an application which then decrypts the data on the client when the user needs access to it. For example, there is Mylar from the same research group as the database above:
    https://css.csail.mit.edu/myla...

    --
    New things are always on the horizon
  12. Re:Encryption . . . anyone ? by Charliemopps · · Score: 3

    > It's 2015. . . who the hell puts anything on " The Cloud " without first heavily encrypting it ?

    That's not going to help. I've administered a lot of these cloud products in my time. The main point is, you don't get to encrypt it yourself.

    You go to the vendor and say: "Encrypt it!"
    Vendor: "Ok! It's done!"
    You: "That was awfully fast, is it really encrypted?"
    Vendor: "Yes!"

    Demand an audit: We audited it and it meets our contract!
    Give us detailed information about XYZ: That's proprietary and/or security related, we can't release it!
    We want to put X in the contract: No, this is our standard contract and the only one we'll sign. Don't like it? Take a hike. By the way, we already have all your data and a migration would cost millions!
    Go to a different service: Here's the same contract that other place had and no we won't alter it.
    Find out it's not encrypted when they said it was: Oh that was a bug or the fault of some admin we fired months ago. It's fixed now, trust us!

    It's virtually impossible to "secure" a cloud service. I had so many problems with it I finally resigned myself to assuming cloud services have at best barely passable security. So nothing goes in that I'm afraid to lose. Even in the best cases, you have their entire support staff sitting there, probably hundreds or thousands of people, with the ability to reset all your admin passwords and even more direct DB access than you have. Even if it's encrypted, they'll have all the keys. What's worse, they control the firewall and gateways, so an attack could be ongoing for weeks or months and you'll have no idea.