- Johannes Ullrich, SANS Technology Institute
It is almost certain that your social security number has been leaked in a breach. There's also a high probability that at least one of your credit card numbers will fall into the wrong hands over the next 12 months.
In the past, attacks to steal such data represented lucrative and sustained criminal enterprises. But due to the abundance of stolen data, the value of individual records has plummeted, and many stolen records never get used. Criminals have had to find new ways to monetize their skills. They have turned to ransomware to increase the value of the information by selling it back to the victim. Now it's not just your identity at risk, but important business documents and, in some cases, critical medical data.
Future attacks will combine many of the patterns we have seen recently, and criminals will continue to automate these attacks. They have already started taking advantage of the expanded use of network-connected devices and cloud-based systems to find new ways to threaten information security. Many industries increasingly depend on network-connected devices to regulate everything from manufacturing to delivering products. Up to now, most of the attacks against these systems happened accidentally. The few intentional attacks documented so far are attributed to nation-state actors with resources and insight into the protocols these systems use.
Holding IoT devices 'hostage'
But like sophisticated techniques well-funded groups have used in the past, even attacks against industrial control systems will become commoditized. As tools and methodologies behind these attacks spread, less-skilled hackers will be able to launch ransomware attacks against these systems. These malware attacks will hold the systems hostage, threatening to stop or destroy manufacturing facilities until the victim pays a ransom.
In everyday life, similar systems are in use and are susceptible to these same cloud security threats. Your car may not start until you pay off a ransom, or your door locks may not open until you transfer the right number of bitcoins to the attacker holding them hostage. With faster ways to find vulnerable devices, and by using existing compromised devices as a bridge into vulnerable networks, it will be up to the creativity of the attacker to find ways to turn the internet of things (IoT) against us.
Home automation is one area where the internet of things is exploding, and standards for control of these systems are starting to emerge. With standardization, the products become not only more attractive to consumers who look for interoperability between different devices, but also to attackers who can use standard communication APIs to attack these products. Research into home automation often focuses on insecure wireless communication protocols. But while attacks against these protocols require physical proximity, much of the cloud-based control infrastructure of these devices is remotely accessible and just as vulnerable to cloud security threats.
Many devices in home automation and alarm systems use cloud-based systems to communicate. The smart home device will regularly send status updates to the cloud server and retrieve new commands to execute. Weak and incorrectly implemented authentication between device and cloud is often the failure point that can be exploited to either attack the cloud infrastructure or the device. For instance, a simple distributed denial-of-service (DDoS) attack against a cloud service controlling thermostats can disable them and in colder climates may cause substantial damage. Some of these attacks have also been demonstrated against modern cars that rely on cloud-based services to communicate with mobile applications used to remotely start a car or open doors.
IoT attacks also have the potential to be more destructive. So far, devastating attacks are not common and are mostly limited to DDoS attacks, which do not cause permanent damage. But future attacks, if they are combined with ransom demands, may very well destroy devices, intentionally or not. Most IoT devices allow a remote user to upload new firmware, which can then be used to disable the device permanently.
Exploiting dependencies on web services
Software developers have been aware of the dangers of using insecure components in software development for a while now. Modern software tends to rely on large, complex libraries, and much of it is written by just combining these libraries in new and innovative ways. But vulnerabilities in a commonly used library can affect many different software packages. If developers don't carefully track these vulnerabilities and release updates for patched components, software can remain vulnerable long after a flaw has been disclosed and fixed in a library.
With the emergence of cloud-based microservices, this problem will only become worse. Instead of including a library in software shipped to clients, the software now relies on cloud-based web services to perform certain functions. The developer and the end user depend on these services, which they do not control and have no ability to audit. A compromise of a web service may go unnoticed for a long time, and the attacked service could provide "bad data" to try to manipulate business decisions. This data modification problem is an increasing risk among cloud security threats and hard to detect.
The reliance on cloud services is also worrisome for authentication and access control decisions. An attacker who is able to identify a flaw in a popular authentication service could easily use it to access a wide range of services that depend on its integrity. OAuth, a very popular standard to authenticate to cloud services, is often implemented incorrectly and subject to phishing attacks. While two-factor authentication is becoming more popular with these services, it is still not universally implemented. Often, web services that require two-factor authentication for interactive logins provide workarounds for systems that have to connect to the service without user interaction. Web-based email services had a difficult time implementing two-factor authentication while at the same time allowing automated polling for new messages from various mail clients. An attacker who can compromise a user's credentials is often able to configure an API key, or application-specific password, that can be used to access the service well after the intrusion was identified and the primary password for the account was changed.
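The last point above, an application-specific password that keeps working after the primary password is reset, is easy to reproduce and easy to fix at design time. The following is an added illustration, not code from the article or from any particular service: a constructed in-memory account store that issues mail-client style app passwords, first with the naive check (token valid as long as it exists) and then with a version bound to a credential generation counter that a password change bumps, so everything issued before the reset is rejected.

```python
"""Added illustration: app-specific passwords outliving a password reset.
Account, issue_app_password, change_password and the two check functions
are constructed for this example; the hash is a placeholder, not a KDF."""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password_hash: bytes
    generation: int = 0                # bumped on every password change
    app_passwords: dict = field(default_factory=dict)  # token -> generation at issue


def _hash(pw: str) -> bytes:
    # Placeholder only; a real service would use a slow KDF such as scrypt/argon2.
    return hashlib.sha256(pw.encode()).digest()


def issue_app_password(acct: Account) -> str:
    """Non-interactive credential (e.g. for a mail client polling for messages)."""
    token = secrets.token_urlsafe(24)
    acct.app_passwords[token] = acct.generation   # remember when it was issued
    return token


def change_password(acct: Account, new_pw: str) -> None:
    """Password reset as done during incident response."""
    acct.password_hash = _hash(new_pw)
    acct.generation += 1      # everything issued under the old generation is now stale


def check_app_password_naive(acct: Account, token: str) -> bool:
    """Weak design: the token stays valid as long as it exists in the store."""
    return token in acct.app_passwords


def check_app_password_bound(acct: Account, token: str) -> bool:
    """Hardened: only tokens issued under the current generation are accepted."""
    gen = acct.app_passwords.get(token)
    return gen is not None and gen == acct.generation


def demo() -> tuple:
    """Returns (naive_result, bound_result) for a token issued before a reset."""
    acct = Account("alice", _hash("old-secret"))
    token = issue_app_password(acct)      # could have been created by an intruder
    change_password(acct, "new-secret")   # primary password changed after detection
    return check_app_password_naive(acct, token), check_app_password_bound(acct, token)
```

With the naive check the pre-reset token still authenticates; with the generation-bound check it does not, and the user must re-issue app passwords after the reset, which is exactly the behaviour a defender wants.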
Modifying cloud data
But compromised cloud services can go much further. In recent years, enterprise resource planning (ERP) systems have become an attractive target for more sophisticated attackers. These attacks are either attempts to extract proprietary information from these systems or they're attempts to affect business decisions by manipulating data. The complexity of the systems, and the fact that most are one-off implementations for a company, makes it challenging to monitor and secure them. Each implementation is different, which makes it difficult to apply generic hardening guides like the ones used for commodity software, web servers and databases.
Recently, more and more of these systems either use cloud-based web services to interact with suppliers and customers or the system itself is migrated to a cloud platform. Compared to on-premises ERP software, a cloud system is typically offered using the software-as-a-service (SaaS) model, which removes expensive upfront cost and leaves most of the maintenance and security responsibility for the system with the vendor. Authentication and access control have to be correctly integrated with the SaaS provider's systems. The security practices the SaaS provider follows will in the end affect the security of the data stored in this system.
But at the same time, these vendors are now becoming an attractive target. A compromise of a vendor can provide access to data for many different companies. Such a compromise could come from insiders at the vendor. Vetting employees who have physical access to the data in data centers is now up to the SaaS provider, not the company owning the data.
Organizations need to continue to learn to detect cloud security threats and react to them faster. Large enterprises need to learn to close the loop and apply internally sourced threat intelligence quickly. Disseminating current and relevant information to IT and security operations is more important than ever.
At the same time, the network environment is changing. Servers will migrate to the cloud, and the network they connect to will no longer be controlled by the organization's security staff. Instead, more and more control devices will enter the corporate network. These devices will expect connectivity to the cloud-based infrastructure and can no longer be "air-gapped" to mitigate attacks. Interactions between different network segments will become increasingly complex. Network segmentation, which is often used to mitigate the threats from devices, will no longer be practical if radio frequency ID scanners in a warehouse need to interface with a cloud-based inventory management system or an e-commerce platform that uses a content delivery network. Whitelisting of IP addresses and designing a network with strict security zones and enclaves will become a lot more challenging.