Compromised credentials: A bane to cloud security
Cloud Security is no longer a choice; it is protocol. With businesses forced to transition to remote work by the Covid-19 global pandemic, the need for Cloud Security has never been more paramount. At the onset of the pandemic, business continuity and mitigating interruptions to operations were the primary concern, and security took the back seat. Once things had settled, attention returned to security, and many glaring flaws in cloud security were revealed. For example, application developers’ foremost priority is to deliver the product rather than worry about infrastructure security, which they usually leave to the company’s IT personnel. Meanwhile, the use of personal systems and home networks has made the Cloud vulnerable.
A recent report titled 'The state of Office 365 backup' indicated heightened challenges in data protection due to the pandemic-induced neo-culture of remote working. The report revealed that about 74% of IT decision-makers in the Indian corporate milieu confessed that their organisation has experienced a ransomware attack. It also highlighted that 84% of organisations are still relying solely on capabilities built into Office 365 to back up and recover Office 365 data, while 89% are concerned about ransomware locking their Office 365 data.
The Cloud is usually secured by various methods, ranging from basic two-factor authentication to high-level encryption. Some basic techniques in large-scale use for securing the cloud involve one or a combination of:
Password Authentication: A password, usually a string of characters, is used to obtain access.
Two Factor Authentication: Commonly, a timed One-Time Password (OTP) is sent to the user’s mobile device, which is then entered to authenticate.
Token-based Authentication: A protocol that issues encrypted security tokens after users verify their identity to a website. The token gives them access to applications, websites, and resources without having to verify their identity every time they are directed to a new site.
Cyclic Redundancy Check (CRC): A CRC code is appended to the data and transmitted to the end user, after which the data and CRC code are verified against the original; if the values match, access is granted. This error-detecting code is used to determine whether a block of data has been corrupted.
These methods are the most common simply because they are easy to implement, easy to use on a daily basis, and provide a decent sense of security. But they are also heavily reliant on the human factor, and thus on the strength of the credentials a user chooses. These methods are equivalent to keeping your money in your sock instead of your wallet while travelling. If the hacker is persistent enough, the Cloud is going to get hacked. When credentials, and thereby the human factor, are the foundation of the security infrastructure, the risk multiplies exponentially. As the common saying goes, ‘Hackers don’t break in; they log in!’
According to a survey of 150 IT shot-callers in the USA, conducted by the market research firm Censuswide, nine in ten cases where the security of the Cloud was breached were due to compromised credentials. In total, 65% of respondents said they had been made aware of attempted attacks on their cloud environments, with 80% of those respondents admitting their cloud environments were successfully compromised. The survey makes it apparent that security issues are a concern regardless of what type of cloud is employed. Nearly half of respondents (45%) have set up a private cloud, while almost a third (31%) use hybrid and multi-cloud environments. Just under a quarter (23%) rely exclusively on a public cloud.
Cyberattackers are constantly scanning the internet to find systems they can penetrate, and upon finding them, they look for weaknesses such as leaked user credentials, unpatched vulnerabilities, or misconfigurations that might gain them access. One of the most common methods a hacker uses to target credentials is called Credential Stuffing. Typically, a hacker purchases many stolen credentials obtained in a breach and uses them to access the cloud. Credential Stuffing is executed by feeding a list of stolen username and password pairs to a botnet that automates trying those credentials on multiple sites at once. If even one pair matches on one website, it sets off a domino effect, with the last tile falling once all of the victim’s data has been compromised.
Given the current work-from-home (WFH) situation, this no longer means that only the individual has been made vulnerable, but the entire organisation they are a part of. Thus, it is crucial to ensure that all user accounts employ good password practices. To that end, passwords should be complex. They should never be reused on other systems, and they should never be shared.
Meanwhile, organisations need to have well-defined processes for requesting and approving access to their systems, including guidance that helps limit unnecessary access and implements a system of least privilege. They can start with building their Zero Trust roadmap to manage privileged access to services. The Zero Trust model shifts the company network perimeter and moves it to every device and user within a company that’s trying to access information. It increases the chances that if an asset is compromised, it won’t affect the entire company.
Since it is a well-known saying that “prevention is better than cure”, backing up data in the cloud becomes the best bet for safeguarding valuable assets. For this, business organisations need to know where all the data on their network resides and put in place a robust backup system that duplicates data directly to the cloud while also offering unlimited storage and resilient search and restore capabilities.
Security is a reasonable expectation of any online user, and it is expected to become a more natural extension of the quality assurance process soon. Of course, there is no 100% security; there is always a chance that the hack is too sophisticated for the infrastructure to handle. In the meantime, cybersecurity teams need to establish a meaningful working relationship with application developers inside their organisations and build a systematic, diligent infrastructure that can prevent user credentials from being compromised.
This article has been written by Murali Urs, Country Manager, India, Barracuda Networks