The popularity of cloud computing has been growing for years, but the near ubiquitous rush to remote work in early 2020 caused a remarkable acceleration of that trend, resulting in increased cyber risk. IT professionals were forced to speed up cloud migrations and implementations, often failing to anticipate risks or overlooking vulnerabilities.
In a report published in 2019, the Software Engineering Institute at Carnegie Mellon identified fundamental vulnerabilities of cloud computing. Looking at what has happened since, how have we fared? The discussion is no longer academic; these vulnerabilities have proven exploitable.
Identified Vulnerability: Reduced visibility and control
Because organizations rely on a cloud service provider (CSP) to secure the infrastructure, they don’t have the visibility and control they would over an on-premises system. They are unable to see everything the CSP is doing to secure the cloud itself, or even what a managed service provider (MSP) is doing for the offerings it has built in the cloud. Customers benefit from the stringent security standards of the providers and, from a compliance standpoint, inherit the provider’s security controls. But visibility into those practices and controls is limited.
For an organization that is new to the cloud, visibility and control are also an issue for an even simpler reason: there is a learning curve as IT and security practitioners become familiar with the cloud environment. Managing various cloud accounts for multiple business units, for example, may seem scattered in contrast to the top-down view of an on-premises system. It’s important to implement the right tools to gain the visibility and control needed.
Exploited Vulnerability: Wegmans misconfiguration – 2021
In June 2021, two misconfigurations in cloud databases missed by Wegmans’ cloud configuration management exposed customer names, addresses, phone numbers, birth dates, rewards card numbers, email addresses, and passwords.
Identified Vulnerability: On-demand self-service
With each benefit comes new risk, and on-demand self-service is no exception. Such services make it quick and easy for users to provision what they need and become more productive. They can stand up servers in minutes. Yet, this often leads to rampant unauthorized use and wasteful spending.
Worse yet, if a bad actor gains access to a cloud account, they too can spin up servers, or even an entire infrastructure, spending the victim’s money. Such systems can then be used to mine cryptocurrency or to create botnets to scam or attack others. Another risk is that legitimate users may provision these services in an insecure way, making it possible to break into related accounts.
Exploited Vulnerability: Tesla Crypto-jacking – 2018
In February of 2018, it was reported that Tesla’s cloud infrastructure was infected with mining malware by a sophisticated crypto-jacking scheme. The attackers found an unprotected Kubernetes console, used it to discover credentials for other administrative functions, and then launched their own resources within Tesla’s cloud environment. The attackers made all of the crypto-mining profit while Tesla received all of the utilization bills.
Identified Vulnerability: Compromised management APIs
Modern systems are heavily API-driven. Application programming interfaces (APIs) are used for management, orchestration, and monitoring. Threat actors look for firewall misconfigurations or vulnerabilities in APIs.
System owners must take control of APIs. Each time an API is activated or used, the system owner should be alerted. Properly configured firewalls limit which IP addresses can reach API endpoints. APIs should be turned off and their ports blocked when they are not in use.
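As an added example (not code from the original article), the following Python evaluates constructed management-API audit events against the controls just described and the self-service risk above: it alerts on API calls from outside an approved address range, on use of a retired API, and on one principal creating instances in a burst of the kind seen in crypto-jacking. The event schema, policy values and thresholds are assumptions, not any provider's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical policy: management APIs are reachable only from the corporate
# egress range, retired APIs must never be called, and one principal creating
# more than burst_max instances inside burst_window is treated as suspicious.
POLICY = {
    "allowed_cidrs": [ip_network("203.0.113.0/24")],
    "disabled_apis": {"legacy.admin.export"},
    "burst_api": "compute.instances.create",
    "burst_max": 3,
    "burst_window": timedelta(minutes=10),
}

EVENTS = [  # constructed audit events, not real provider logs
    {"ts": "2021-06-01T09:00:00", "principal": "ops-admin", "src_ip": "203.0.113.10", "api": "compute.instances.create"},
    {"ts": "2021-06-01T09:05:00", "principal": "ops-admin", "src_ip": "203.0.113.10", "api": "compute.instances.create"},
    {"ts": "2021-06-01T09:02:00", "principal": "svc-build", "src_ip": "198.51.100.7", "api": "compute.instances.create"},
    {"ts": "2021-06-01T09:03:00", "principal": "svc-build", "src_ip": "198.51.100.7", "api": "compute.instances.create"},
    {"ts": "2021-06-01T09:04:00", "principal": "svc-build", "src_ip": "198.51.100.7", "api": "compute.instances.create"},
    {"ts": "2021-06-01T09:06:00", "principal": "svc-build", "src_ip": "198.51.100.7", "api": "compute.instances.create"},
    {"ts": "2021-06-01T09:07:00", "principal": "svc-build", "src_ip": "198.51.100.7", "api": "legacy.admin.export"},
]

def evaluate(events, policy=POLICY):
    """Return (alert_kind, principal, detail) tuples for every policy violation."""
    alerts = []
    recent = defaultdict(list)  # principal -> timestamps of creates inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["api"] in policy["disabled_apis"]:
            alerts.append(("disabled_api_used", e["principal"], e["api"]))
        if not any(ip_address(e["src_ip"]) in net for net in policy["allowed_cidrs"]):
            alerts.append(("unexpected_source_ip", e["principal"], e["src_ip"]))
        if e["api"] == policy["burst_api"]:
            window = recent[e["principal"]]
            window.append(ts)
            while ts - window[0] > policy["burst_window"]:  # expire creates outside the window
                window.pop(0)
            if len(window) == policy["burst_max"] + 1:  # alert once when the threshold is crossed
                alerts.append(("provisioning_burst", e["principal"], f"{len(window)} creates in {policy['burst_window']}"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(*alert)
```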
Exploited Vulnerability: Venmo scrape – 2019
In June of 2019, it was reported that online payment vendor Venmo was breached via an unsecured API, which otherwise functioned as intended, and subsequently had 200 million transactions “scraped.” These transactions included sender names, memos, and transaction values.
Identified Vulnerability: Incomplete data deletion
One major advantage of the cloud is multiple redundancies to protect data from accidental loss or corruption. But it’s easy to delete something and forget that it still exists in other locations. With the lack of visibility into data from some cloud service models, it is difficult to ensure deleted data is truly eradicated.
Special security controls are needed to verify data deletion. It’s not as simple as deleting a file and wiping hard drives. And of course, you can’t shred obsolete hard drives as you would in an on-premises environment. Additional logical controls are required to replace the physical controls inherent to on-premises systems.
Exploited Vulnerability: Facebook, Cultura Colectiva, At the Pool – 2019
In April of 2019, two Facebook app datasets developed by third parties were found exposed to the public internet. These datasets dated back as far as 2014. One, originating from the media company Cultura Colectiva, contained 146 gigabytes of data including over 540 million records detailing Facebook users and activity. The other was a Facebook app called “At the Pool.” Facebook data and application passwords for 22,000 users were exposed.
Identified Vulnerability: Stolen credentials
Credential theft is not new and has been used to access on-premises accounts for some time. However, because the cloud is accessible over the Internet, the risk is magnified. It is important to guard against this risk by implementing multifactor authentication and enforcing stringent user security practices.
Exploited Vulnerability: Zoom credential stuffing – 2020
In April of 2020, Zoom was reported to have experienced credential stuffing attacks that resulted in numerous passwords being compromised. It is notable that the attackers did not break into Zoom directly. Instead, they used the dark web and other sources to find credentials from previous breaches dating back to at least 2013, well before Zoom became a household name. Knowing that many users reuse usernames and passwords for multiple online services, they ran previously stolen credentials against the target, leading to 500,000 compromised Zoom logins.
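As an added example (not from the original article), here is a Python detector for the credential-stuffing pattern just described, run over constructed login log lines: one source address cycling through many distinct accounts in a short window, with any successes from that source listed as the accounts to lock and reset. The log format, thresholds and sample lines are assumptions, not Zoom's data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> LOGIN_<OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) LOGIN_(OK|FAIL) user=(\S+) src=(\S+)$")
# Hypothetical threshold: one source trying this many distinct accounts inside WINDOW is stuffing
DISTINCT_USERS = 5
WINDOW = timedelta(minutes=15)

SAMPLE_LOG = [  # constructed sample lines, not real Zoom or customer data
    "2020-04-01T10:00:01 LOGIN_FAIL user=alice src=198.51.100.7",
    "2020-04-01T10:00:02 LOGIN_OK user=bob src=198.51.100.7",
    "2020-04-01T10:00:03 LOGIN_FAIL user=carol src=198.51.100.7",
    "2020-04-01T10:00:04 LOGIN_FAIL user=dave src=198.51.100.7",
    "2020-04-01T10:00:05 LOGIN_FAIL user=erin src=198.51.100.7",
    "2020-04-01T10:00:06 LOGIN_FAIL user=frank src=198.51.100.7",
    "2020-04-01T10:01:00 LOGIN_FAIL user=alice src=203.0.113.5",  # alice mistypes her own password
    "2020-04-01T10:01:30 LOGIN_FAIL user=alice src=203.0.113.5",
    "2020-04-01T10:02:00 LOGIN_OK user=alice src=203.0.113.5",
    "2020-04-01T10:02:05 kernel: unrelated noise line",  # must be skipped, not crash the parser
]

def parse(lines):
    # Return (timestamp, outcome, user, src) tuples in time order; non-matching lines are skipped
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return sorted(events)

def detect(lines, distinct_users=DISTINCT_USERS, window=WINDOW):
    """Map each stuffing source IP to the accounts it tried and the ones it got into."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev[0] - evs[start][0] > window:  # slide the window forward
                start += 1
            if len({e[2] for e in evs[start:end + 1]}) >= distinct_users:
                findings[src] = {  # "succeeded" are the accounts to lock and force a reset on
                    "attempted": len({e[2] for e in evs}),
                    "failed": sum(e[1] == "FAIL" for e in evs),
                    "succeeded": sorted({e[2] for e in evs if e[1] == "OK"}),
                }
                break
    return findings
```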
Identified Vulnerability: Increased complexity
Greater efficiency requires greater complexity. Cloud simplifies many things, such as standing up resources without having to worry about hardware, and some critical configuration is done automatically. However, other aspects are more complicated. Understanding the relationships among various accounts or tenants can be difficult. Vulnerabilities can be missed, code deployment pipelines can have more vulnerabilities, and other risks related to complexity need to be monitored and managed. When cloud is combined with on-premises infrastructure in a hybrid-cloud model, there is even more complexity to manage.
This concern is exacerbated by the current shortage of experienced cloud professionals. There are IT professionals with twenty, thirty, or more years of experience with traditional server architectures. But cloud is new. We don’t yet have comparable accumulated knowledge.
Exploited Vulnerability: SolarWinds international incident – 2020
In December of 2020, the cyber-world-shattering disclosure was made that the SolarWinds Orion Platform enabled malicious patches to be deployed to numerous U.S. Government agencies and commercial customers. Believing they were downloading a fix that would make their systems safer, these organizations unknowingly swallowed malware that would enable a nation state to gain backdoor access to the most secure segments of their networks.
The breach, which became serious in March of 2020, went undetected for several months due to the complexity of the environment SolarWinds was intended to secure. Some of the malicious activity occurred in the cloud realm, while other parts of this sophisticated attack occurred on premises; the attack was not purely a cloud attack or an on-premises attack but had elements of both. Gaps in correlating cloud and on-premises security information contributed to the delay in discovering the attack.
Identified Vulnerability: Insider threat
The power to create is the power to destroy. Capability to stand up resources in minutes means there’s also the ability to destroy or leak data in seconds.
Access controls need to be applied carefully to minimize this risk. Additionally, insider threat training should be employed throughout an organization so that fellow employees are able to identify and report risky actions taken by co-workers. Without clear ownership and careful access management, things can go bad very quickly.
Exploited Vulnerability: Capital One – 2019
In July of 2019, Capital One reported that the personally identifiable information of 100 million customers was breached and posted on GitHub. The data included names, addresses, phone numbers, email addresses, Social Security Numbers, and bank accounts. But in this case, the attack was perpetrated not by a nation state or amorphous hacker collective, but rather by a former employee of the cloud vendor who had exclusive knowledge of misconfigurations to exploit.
Embrace the cloud, but know the challenges
Cloud-based technologies are modernizing everything from the workplace to healthcare and education. Yet, for organizations and IT professionals with experience grounded in on-premises systems, cloud is not a plug-and-play solution. It has different challenges, and attempts to implement and secure cloud systems the same way things were done on premises are doomed to failure.
Know your own limitations. Understand the various cloud vendors and what each has to offer. Study each vendor’s shared responsibility model so that you know what you have to do to secure your system and what you inherit from the CSP.
The hasty way in which many organizations were forced to adopt cloud services during the COVID pandemic was certainly not ideal, but it enabled a quick and effective response to an unprecedented situation. Now is the time for IT and cyber risk professionals to review cloud systems and plan for the trend to continue.