Cloud services aren't fundamentally vulnerable because they're badly designed; they're vulnerable because they are used by people who can easily be manipulated via social engineering. If your business uses cloud services and you don't educate your staff, you might as well kiss your data and your reputation goodbye.
Lightning picture from Shutterstock
Veteran ethical hacker Peter Wood made that argument in a presentation at Data Centre World in London (which I'm covering as part of our ongoing World Of Servers series). Wood's company has been penetration testing systems since 1989. While the technical approaches to hacking have changed radically over that time frame, the social engineering techniques needed to access information remain fundamentally the same.
"What's different in cloud from a security view is when you're renting software-as-a-service, you've given away the management of security to a third party," Wood said. "Do you want to outsource the responsibility for security? You can't outsource the responsibility; you can only outsource the function. That doesn't mean security can be ignored, because in the end it's your brand and your reputation that's on the line if there's a data breach."
"The big issues for a cloud-based model is the ability to largely log in from anywhere, and the fact that t's mostly delivered through a browser," Wood continued. "In most cases, the credentials are trivial. In most cloud environments, there's no concept of intrusion detection or prevention, and if they are there people don't know how to use them." Those technologies are also meaningless if attackers blag legitimate login credentials through social engineering.
Stealing those credentials can be accomplished through targeted attacks. "Spear phishing is massively increasing as a primary entry point technique," Wood noted. However, in many cases more basic techniques, such as ringing up and pretending to be a worker who has lost their remote login credentials, can be equally effective. "We get social engineering attacks by telephone almost every week," Wood said.
What can be done to counter that problem? "Don't give the staff a hard time and tell them they're the weakest link," Wood advised. "Turn them into a human firewall. Invest time and money into getting staff to understand why these attacks take place, that they are real, and how to resist them."
Two other simple changes can also help. Ensure staff only have administrative access to systems when that's essential. "There is no reason for the old adage 'if you work in the IT department, you must have admin privileges'," Wood said.
Finally, make sure that corporate processes for dealing with new or exiting staff effectively cover all credentials. "The biggest fault we find in most organisations is that the joiners, movers and leavers process isn't fast enough and isn't thorough enough."
Lifehacker's World Of Servers sees me travelling to conferences around Australia and around the globe in search of fresh insights into how server and infrastructure deployment is changing in the cloud era. This week, I'm in London for Data Centre World, paying particular attention to how to maximise efficiency and lower costs in the data centre.