ERP News

Top cloud security risks that keep experts up at night

221 0

Hackers are after your assets in the cloud. Here’s how they get in and what you can do to plug security holes, starting with minimizing the risks created through human error.

Cloud Security Risks

Cloud Security Risks

Cloud Security Risks-The global cloud security products and services market is expected to grow by a compound annual growth rate of 13.9% through 2024, according to Grandview Research. But will more tools genuinely keep cloud security risks contained and valuable data safe from nation-state hackers and privacy threats? Not unless companies plug the primary security hole: human error.

It’s the human errors that nation-states most often exploit and that most frequently let the private data “cat” out of the cloud computing “bag,” according to CISOs.

Nine out of 10 cybersecurity professionals worry about cloud security, according to Crowd Research Partners; they find the top three cloud security challenges to be data loss and leakage, threats to data privacy, and breaches of confidentiality.

Still, there are ways to lessen the threat from powerful foreign hackers and reduce the potential for privacy leaks and breaches. But, first, it’s important to understand the human weaknesses these attackers exploit.

Cloud security risks: Nation-state attacks on private data

It doesn’t matter whether their attack is technical or not so technical; nation-state assaults on the cloud usually use vulnerabilities that derive from human error. As Rebecca Wynn, CISSP, CCISO, head of information security at Matrix Medical Network, explained, “There have been public attacks on container deployments, but most of them targeted low-hanging fruit or mimicked attacks that you see on a VM [virtual machine] — e.g., misconfigurations, credentials, secrets in public code.” Among the trending cloud security flaws are those created by people who misconfigure cloud settings or who expose their login credentials. Another stems from the regrettable software development practice of hard-coding credentials into programs.

Nation-state attacks on cloud data are high profile and severe. “Nation-state hackers are targeting managed service providers (MSPs) to access large companies, and this trend is on the rise,” Wynn said. “The DHS announced late in 2018 that there were active threats targeting MSPs.” It’s unclear how many global MSPs were breached as a result, let alone how many of their customers were exposed. But it’s those customers who were the targets all along: China, the nation-state in question, sought to steal priceless proprietary trade secrets and intellectual property to advance its enterprises in competition with the rest of the world.

The aforementioned “not so technical” nation-state cloud attacks that exploit human error are primarily phishing attacks. The Lazarus Group, a team of North Korean hackers, uses spear phishing to compromise employees during cryptocurrency exchanges to steal massive Bitcoin sums. The hackers use the currency to supplement losses due to international sanctions so the country can continue to fund its nuclear and ballistic missile initiatives, according to a 2019 U.N. report.

“All these cryptocurrency exchanges live in the cloud,” said Mark Lynd, managing partner at Relevant Track. Lynd and executives at Relevant Track serve companies such as Bank of America, GameStop and Cisco as fractional CISOs, filling in for executives at those companies. According to Lynd, most nation-state bad actors gain unauthorized access to the cloud through phishing attacks and work to elevate access and privileges to get what they want.

Nation-state attackers don’t just steal from the cloud; they also corrupt cloud data. According to Lynd, sometimes they pollute the information that otherwise enables companies to use sophisticated tools like machine learning to validate accounts. The corruption forces companies to use more manual processes, which are less challenging for nation-states to thwart.

Don’t think there is some unique sanctuary for private data in the cloud. If attackers can get to intellectual property in the cloud, they can get to personally identifiable information and protected health information that lives there, too.

Leave A Reply

Your email address will not be published.