Slashdot Mirror


Most Businesses Haven't Inspected Cloud Services For Malware (betanews.com)

Ian Barker, reporting for BetaNews: Echoing the findings we reported earlier that companies leave cloud protection to third-parties, a new study from cloud security company Netskope reveals most companies don't scan their cloud services for malware either. The study conducted with the Ponemon Institute shows 48 percent of companies surveyed don't inspect the cloud for malware and 12 percent are unsure if they do or not. Of those that do inspect, 57 percent of respondents say they found malware. It also shows that while 49 percent of business applications are now stored in the cloud, fewer than half of them (45 percent) are known, officially sanctioned or approved by IT.

34 comments

  1. I call bullshit by Anonymous Coward · · Score: 0

    I'm looking out the window right now. It's a cloudy day. I don't see any malware.

  2. How? by Anonymous Coward · · Score: 2, Insightful

    Exactly how does one scan for malware on the cloud?

    Do they mean scanning files once downloaded on your computer?

    Scanning local app installers required to use the cloud app?

    Because short of that, there is no way to scan a cloud application. Sure, your AV can scan URLs and content downloaded on your machine via web browser, but if you access services via an app on a locked-down mobile device, how do you scan that?

    Scanning packets sent by cloud provider? How do you accomplish that if it's all encrypted?

    1. Re:How? by Anonymous Coward · · Score: 3, Interesting

      Best not to ask these kinds of questions. In God and Cloud we trust.

      Cloud is a cute word for "outsourcing your shit to someone else's data center" (disaster recovery an optional add on, which no one buys)

      This is how we get there... CIO read something in a magazine while sitting on a Delta Airlines flight in first class, and said: Dude... we gotta have this cloud shit. Look at the size of this fucking Amazon AWS advertisement. It's a whole page. IN COLOR. That's probably pretty expensive. These guys clearly know what they are talking about. My IT guys can't even make a Powerpoint slide that looks half this good.

    2. Re:How? by Anonymous Coward · · Score: 0

      Although they can't really scan every file that comes through their services/servers, I suppose they mean some kind of automated port scans or... something? I looked at the report and they don't really go into detail.

    3. Re:How? by Anonymous Coward · · Score: 0

      Also, other than you having an extra digit, we have very similar user IDs. What a time to be alive.

    4. Re:How? by The-Ixian · · Score: 1

      I am assuming this is stuff like OneDrive/SharePoint/Google Drive/Dropbox etc. where files are sync'd from user computers to the cloud.

      It would make sense that malware would live in the cloud since it is user computers that are interfacing with it.

      That doesn't necessarily mean that the malware is automatically going to infect anyone else inside the organization or out.

      --
      My eyes reflect the stars and a smile lights up my face.

    5. Re:How? by The-Ixian · · Score: 1

      Another thought is email cloud services will be rife with malware because that is the standard deployment vector these days.

      TFA is pretty much FUD...

      --
      My eyes reflect the stars and a smile lights up my face.

    6. Re:How? by Anonymous Coward · · Score: 0

      Then, there are different cloud services. Did someone tamper with an AMI so it loads a copy of the OS with a backdoor? Did someone replace an object with Glacier with something different in the same archive? Did someone replace your EC2 instance with X1.32xlarge instances with every VM so your Amazon bill bankrupts the company?

      How do you protect yourself? Again, no one solution. If you want to be as certain about security as possible, run the stuff in your local data center where you have physical control over the servers, as opposed to taking a cloud provider's promise of security. Vandalism in the EC2 sector? That is something for HR, legal, and maybe even forensics.

      Cloud storage? There are clientside solutions available.

      Best way to win with the cloud game is not to play. Second best is to keep as low an avenue of attack as possible. Your archives sitting in Glacier should be cryptographically signed and encrypted, for example.

    7. Re:How? by mlts · · Score: 1

      For home use, something like Viivo, Tresorit, or Boxcryptor comes to mind for clientside encryption. A party with access to the cloud files can delete or corrupt stuff, but can't turn a saved off download into something malicious.

    8. Re:How? by rewardian · · Score: 1

      I'd argue that sites like Beta News exist to publish commercial propaganda, and that they'd like you to leave questions of that sort to a cloud security company, like Netskope (http://betanews.com/2016/10/12/business-cloud-service-malware/) or CTERA Networks (http://betanews.com/2016/10/12/enterprise-cloud-protection/).

    9. Re:How? by Anonymous Coward · · Score: 0

      There are lots of ways, although it depends on if it's PaaS, SaaS, or IaaS. And yeah, obviously decryption is required to do deep inspection on payloads, but that's true of on-prem or cloud environments.

      What Netskope specifically talks about with their product is data that's in flight to your offsite/"cloud" DC; they accomplish it through a variety of methods: agents on managed devices, an appliance that ingests span/tap data and has some control ability through its other interfaces, and use of the cloud provider's API (obviously dependent on them offering that).

      I know it's been the trend in the last ten years of IT to mock anything that says "cloud" and try to pose simple, elegant, and incorrect reasons for why it will never work, but it's maybe time to look around and realize that 90+% of businesses use hosting/cloud services in some way or the other and instead of continually arguing why it won't work, accept the fact that it has been for the last decade*.

      * Obviously there are still technical hurdles to deal with, but well, there are still technical hurdles with TCP, multicast, spanning tree, any routing protocol, load balancers, vmware/virtualization, wireless, BYOD, etc etc etc. We still use all that stuff, right? Aside from spanning tree, because F spanning tree.

    10. Re:How? by datavirtue · · Score: 2

      Good luck getting your guys to set up a Hadoop cluster to process a 500GB data source with a machine learning algorithm in 45 minutes. Three months later....still working out some kinks to the tune of $20,000+. There is a bitch slap of truth coming to troglodyte IT "pros."

      --
      I object to power without constructive purpose. --Spock

    11. Re:How? by Anonymous Coward · · Score: 0

      dude, scanning vaporized dihodroxide molecules ain't that easy... cut me some slack. Tripwire called from the past, looks like what is old is new again.

  3. News flash: they don't care. by LTIfox · · Score: 5, Insightful

    True story: A guy I know was developing a cloud-based real estate management suite. Lots of sensitive information in there as you can imagine.
    So I was, like, "Are you nervous about hackers and stuff because it is hosted God knows where by God knows whom?"
    And the guy's reply was: "Nope. I have this here certificate"
    I was like: "But that certificate will not protect you from hackers!"
    He replied: "It would".
    Me: "What?! Are you nuts?!"
    He looks at me as if I'm a kind of an idiot and patiently explains that he does not care if users' data will get stolen or not. If something bad happens - his ass is protected by this here certificate. I.e. he did his due diligence and whatever happened is not his fault.
    Me: "..."

    1. Re:News flash: they don't care. by Anonymous Coward · · Score: 0

      He had better be damn sure that cert is air-tight. Because I guarantee that if user data gets stolen and a lawsuit happens the provider is going to be "it was an application issue that caused the leak", or will pull out some technicality to make it not their problem.

    2. Re:News flash: they don't care. by Monoman · · Score: 1

      Yes because many businesses today do not care about doing what is right. They only care about minimizing costs and their exposure to risk ... risk only matters if it incurs costs.

      --
      Keep the Classic Slashdot.

    3. Re:News flash: they don't care. by Anonymous Coward · · Score: 1

      One would be surprised. The defense with the cert is that the company took all reasonable precautions, but got hacked anyway, which I have personally seen win lawsuits.

    4. Re:News flash: they don't care. by mlts · · Score: 2

      Yep, "security has no ROI" is a catch phrase I've heard many times. It won't change anytime soon in this climate.

    5. Re:News flash: they don't care. by Anonymous Coward · · Score: 0

      Well, you were being an idiot.

      Certificates like that exist for a reason, and it's not just to keep printers in business. It's not his job to personally check the integrity of every link in the information chain he deals with.

      And be thankful it's not yours either, or you'd be checking, line by line, the code of your OS, every device driver on your machine, the compilers, and of course checking, gate by gate, the architecture of the chips on your motherboard.

      Focus on your job. If everyone in the world did that, we'd be a lot better off than we are.

  4. Shock and awe.... by Anonymous Coward · · Score: 0

    The service that is sold on the idea of being a conceptually nebulous panacea, is one in which those sold on the idea don't bother checking up on it.... because it's "in the cloud".

  5. This surprises me not at all by Jawnn · · Score: 3, Informative

    We're encumbered by industry and government regulations when it comes to security. Many (most, actually) of our similarly encumbered peers have no idea how the rules apply when it comes to cloud services. If the vendor says "Yeah, it's compliant", that's all they need to hear. So it is absolutely no surprise that most cloud customers do not vet the security of the things they're buying. What was it, barely a year ago? When it was discovered that "big data" vendors had exposed entire databases to the world with exactly zero security? That's not a little screw up. It's a fundamental fail. How did the customers not know this going in? Answer: They did not look.

    1. Re:This surprises me not at all by Attila+Dimedici · · Score: 3, Informative

      In some ways it is worse than that. Many IT professionals are aware that they do not know exactly how to meet the government regulations (and criteria for certain quality certifications). In addition, they know that they can be held accountable for doing so (even though they are not even aware of all of the regulations they are accountable for). However, most of those regulations (and certification standards) offer them an out if they have purchased a service from someone else who promises to make them compliant. Theoretically, that someone else will be held accountable if they are discovered to not be compliant. In practice that does not happen. AND the IT professional who fobbed the responsibility off on them is no longer responsible (as long as they have done their due diligence by hiring a company that is big enough to not be held accountable).

      --
      The truth is that all men having power ought to be mistrusted. James Madison

  6. Hosted data or hosted servers? by Anonymous Coward · · Score: 0

    Data doesn't really matter since it should be scanned upon download by the client. Regardless, Office365 automatically scans all emails for spam and viruses, and scans files in OneDrive/Sharepoint for viruses. The one gotcha is Microsoft does not scan files over 25MB. Again, it doesn't matter since it is the responsibility of the client to scan upon download. Hosted servers are a completely different matter and will depend on the contract you have with the hosting provider. I would expect most servers didn't have anti-virus on them to begin with outside of Microsoft's built-in anti-malware.

    Generally, servers are less important to scan since they are supposed to be locked down in the first place to prohibit infection, insert Linux fanboy statement here.

    1. Re:Hosted data or hosted servers? by mlts · · Score: 1

      In a lot of compliance regs, servers, even Linux machines, have to have some sort of AV on them. I've had to install McAfee on Solaris LDOMs and AIX LPARs just to be able to tick off checkboxes before, even though in real life, it is difficult for a POWER8 machine to get nailed by a Windows executable.

    2. Re:Hosted data or hosted servers? by Anonymous Coward · · Score: 0

      This always baffled me. WTF. I'd rather there not be government as I could then at least hire my own security with the additional $33,000 USD plus I'd have PER YEAR and I'm one of those people who make $65,000 USD. We don't need government. We need people to take responsibility for themselves and stop demanding a nanny state that is totally inept to take care of itself let alone tell others who know but don't care how to do things. All we get is a more costly less safe environment to live in. I will say there are technical solutions that could be implemented to protect people from unscrupulous people and businesses without having the regulations that we currently have. Think something along the lines of an app for phones that reported restaurants where people had gotten sick. If people checked in like people do with eBay once in a while we'd be far better off in protecting ourselves. We don't even need a big corporate entity behind the app. A decentralized non-profit developed solution would do just fine where users made the contributions financial and otherwise (code). People are starting these sorts of apps (cell 411 for example, though far from perfect particularly from a code release stand point, to eliminate the need for police, etc) in spite of the fact we are paying ridiculously for services like police [that tends to utilize violence against peaceful people on behalf of government or dickish cops].

  7. Cloud apps and servers Alert Logic specializes in by raymorris · · Score: 1

    For pure consumer-like cloud *storage* ala Dropbox, scanning on upload and download is probably fine. You *could* map it as a drive and scan it.

    In the enterprise, I think more of cloud-hosted applications and cloud servers, not files. One company that specializes in security for cloud is Alert Logic. When you get cloud services from Amazon, there is a checkbox to add Alert Logic security services (and they have other services not directly through Amazon).

  8. Amazon actually has an API for all that, and secur by raymorris · · Score: 1

    > How do you protect yourself? Again, no one solution.

    Actually Amazon's APIs can be used to watch for the kinds of things you listed, and security providers such as Alert Logic have security suites built around those APIs.

  9. My credit card was hacked somehow by Anonymous Coward · · Score: 0

    Got two emails from my card company informing me of two expensive Apple Mac purchases I didn't make from a card with a chip. Leaving me to try and figure out where anyone could have gained access since the card is new. I went back through charges and found no possible skimming opportunity. No online purchases, and yet could the same card be in the cloud somewhere? Obviously when my chip card came the account number stayed the same, the pin changed which as anyone knows is pretty worthless. People should be careful storing credit card information along with personal info. on a web site which most likely uses an outside server farm. I would assume if you're the customer storing information, it's up to you to scan it for malware. Don't assume a server provider is going to do anything.