The Increasing Business Risk of Cloud Cyberattacks
It is hard to figure out which is growing at a faster pace -- movement to the cloud or cybercrime. Cybercrime is following the data to the cloud, according to reports, to find and steal cloud data of hotel records, credit card information, and maybe even corporate secrets and the client files of lawyers.
The cloud is actually old news. The concept of managing data for business on a remote computer has been around for 50 years. It began as a college effort to make computing available to students in 1964, when Dartmouth University started a remote computing service called "time-sharing." That service used telephone lines rather than Internet connections.
Now the cloud is big business. In 2013, IBM paid US$2 billion to acquire SoftLayer, a public cloud IaaS (Infrastructure as a Service) provider that complemented IBM's private cloud business, and IBM recently announced that it is committing $1 billion to rebrand itself as a cloud company.
One feature of the cloud is that the servers may be anywhere in the world. That creates interesting and complex legal questions regarding privacy of data stored in the cloud. Nevertheless, more and more businesses are migrating to the cloud to host data, often without regard to the legal consequences.
Cloud Cyberattack Predictions
Willie Sutton is said to have robbed 100 banks in the early 20th century. Why? Because "that's where the money is," he said. McAfee used Willie Sutton's comment in describing cybercriminals' interest in the cloud.
"Cybercriminal gangs of the 21st century will target cloud-based applications and data repositories because that's where the data is" according to McAfee Labs' 2014 Threat Predictions.
Cloud cyber-vulnerability "could be through business applications that have not been assessed by IT against corporate security policies," the report notes. "More than 80 percent of business users use cloud applications without the knowledge or support of corporate IT."
The 2014 Threat Predictions are presented in seven categories. Among them, deployment "of cloud-based corporate applications will create new attack surfaces that will be exploited by cybercriminals."
Nation vs. Nation
"Acts of cyberwarfare -- whereby a nation state launches cyberattacks against another country -- are on the increase, "and cybercriminals are keen to learn new techniques that can make their own attacks more effective," suggests Kaspersky Lab's special report entitled "Who is Spying on you?"
Cloud vulnerability is at the top of the Kaspersky's list for threats of cyberattacks against a nation's critical infrastructure. Risks to that infrastructure include the following:
- loss of access to cloud-based services and data storage;
- inability to process online financial transactions, including paying suppliers and employees or enabling customers to place orders;
- supply chain issues -- including late shipments and delays in the processing of imports/exports;
- failure of telecoms systems -- including communications via VOIP or LAN lines;
- failure of other parts of a country's critical infrastructure -- such as power generation/distribution; and
- loss of data that's required for compliance activities.
With all the headline news about cyberattacks, Kaspersky's report is hardly a surprise.
Cloud Malware: an Ominous Problem
Amazon's public cloud is considered the largest in the world.
Amazon had more malware than any other cloud provider, according to the Solutionary Security Engineering Research Team's Quarterly Threat Intelligence Report, apparently because cybercriminals who distribute malware believe they have the greatest opportunities on Amazon's cloud, The Washington Post reported.
The "U.S. accounts for 44 percent of hosted malware," which makes it the world's largest host of cloud malware, SERT states.
Cloud "hosters and service providers need to do more to prevent malicious use of their services," the SERT report urges.
This cloud-based malware issue should of great concern to businesses around the world, since the presence of malware portends serious problems for data integrity.
NIST Offers Cybersecurity
Perhaps the U.S. government has come to the rescue with the February 2014 release of version 1.0 of the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. This Framework is the result of an executive order by the president in February 2013, which was to establish
"the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."Further, the framework must "include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities," the president ordered.
It is too soon to know if the NIST Framework will provide any real benefit to protect against cyberattacks.
As more and more companies migrate to the cloud as a means to reduce their IT costs, they are creating new malware-based and cybercrime risks to their businesses. Unless the NIST Framework really works, it is possible that the cybercrime problems threatening data integrity in the cloud may outweigh benefits to using it.
If cybercrime and cloud-focused malware continue to grow along with the cloud, the predicted growth of cloud migration may not be realized.