Cloud Security Alliance Releases Updates to ‘The Treacherous 12: Cloud Computing Top Threats in 2016’

SEATTLE, WA – October 20, 2017 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced an updated ‘Treacherous 12: Top Threats to Cloud Computing + Industry Insights,” a refreshed release to the 2016 report that includes new real-world anecdotes and examples of recent incidents that relate to each of the 12 cloud computing threat categories identified in the original paper.

“It’s our hope that these updates will not only provide readers with more relevant context in which to evaluate the top threats, but that the enhanced paper will provide them with a real-world glimpse into what is currently occurring in the security industry,” said Scott Field, partner architect with Microsoft Corp. and chair of the CSA Top Threats Working Group.

The anecdotes and examples mentioned in this document include:

  • Yahoo breach – Data Breaches
  • LinkedIn failure to salt passwords when hashing – Insufficient Identity Credential Access Management
  • Instagram abuse of account recovery – Insufficient Identity Credential Access Management
  • OAuth Insecure implementation – Account Hijacking
  • Zynga ex-employees alleged data theft – Malicious Insiders
  • Yahoo breach – Insufficient Due Diligence
  • MongoDB Mexican voter information leak – Insufficient Identity Credential Access Management
  • Dyn DDoS attack – Denial of Service
  • Dirty Cow Linux privilege escalation vulnerability – System Vulnerabilities
  • T-Mobile customer information theft – Malicious Insiders
  • MongoDB unprotected, attacked by ransomware – Insufficient Identity Credential Access Management
  • Malware using cloud services to exfiltrate data and avoid detection – Abuse and Nefarious Use of Cloud
  • Australian Bureau of Statistics denial of service – Denial of Service
  • Virlock ransomware – Data Loss
  • Zepto ransomware spread and hosted on cloud storage services – Abuse and Nefarious Use of Cloud
  • CloudSquirrel malware hosting command and control (C&C) in Dropbox – Abuse and Nefarious Use of Cloud
  • CloudFanta Malware using cloud storage for malware delivery – Abuse and Nefarious Use of Cloud
  • Moonpig insecure mobile application – Insecure Interface and APIs
  • Cloudflare/Cloudbleed buffer overrun vulnerability – Shared Technology Vulnerabilities
  • NetTraveler advanced persistent threats – Advanced Persistent Threats (APTs)

The Treacherous 12 report provides organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk-management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud.

The CSA Top Threats Working Group is responsible for providing needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. The CSA Top Threats Working Group is led by Scott Field, along with long-time cloud security professionals Jon-Michael Brook, a principal/Security, Cloud & Privacy at Guide Holdings, and Dave Shackleford, a principal consultant with Voodoo Security.

The CSA invites interested companies and individuals to support the group’s research and initiatives. Companies and individuals interested in learning more or joining the group can visit the Top Threats Working Group page.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

Shining a Light on Shadow IT

Cisco:  15 to 25 times the number of known cloud services are purchased by employees without IT involvement.

These are just two examples of the quiet, but pervasive, existence of shadow IT in enterprises today. Although the name “shadow IT” sounds like something that might appear in an espionage novel, it is very real and very alarming, as we discovered in gathering material to write ISACA’s new white paper, Shadow IT Primer. We interviewed business and technology professionals whose responsibilities include IT operations, audit and security, and who deal with shadow IT on a regular basis. Their insights and real-world examples give the ISACA publication a perspective that is not reflected in other articles on the topic.

Shadow IT can be defined as applications and services that are used within an enterprise without having been reviewed, tested, approved, implemented or secured by the enterprise’s IT and/or information security function. Or, as one of the professionals interviewed put it: If you want to know what specific and timely functionality employees need but your enterprise is not currently providing, take a look at the shadow IT discovered in your business.

Employees are at the heart of shadow IT – well-meaning, innovative employees. They want to do a good job but are hindered by a lack (or lack of awareness) of the tools they need to do so. They are drawn to shadow IT’s usefulness, which they can generally acquire and start using in minutes by skipping the IT department’s vetting process.

This seems fairly innocuous, so why do enterprises care about shadow IT? Because those applications can enable significant data breaches, which may result in substantial financial loss. In addition to the obvious security risk, the threats associated with shadow IT include regulatory noncompliance, inadequate or unenforced policies, and reputational damage.

Many organizations have found that a range of approaches to address the risk is more effective than a single solution. A few of the controls used by the professionals interviewed for ISACA‘s publication include:

  • A shadow IT policy that outlines expected behaviors
  • Transitioning the IT department from detection and punishment to acceptance and protection
  • Using IT budgeting and procurement controls to shut down unapproved purchases
  • Restricting users’ ability to freely install applications
  • Educating users about the potential risk of shadow IT and the existence of an approval process

In ISACA’s white paper, these controls, and others, are fleshed out with implementation criteria and assessment methods.

Control does not necessarily equate to elimination of risk. In fact, many organizations are taking an “embrace” rather than “eliminate” approach to shadow IT. Of course, sometimes it is necessary to pull the plug. No matter how beneficial an application may appear, if it shows potential to harm the enterprise, it must be shut down immediately. The risk is too great to do otherwise.

But, even in an “eliminate” situation, there is room to “embrace” as well. A progressive approach entails realizing that, although a particular application needs to be dismantled, there is benefit in considering the problem the application is attempting to solve and empowering the IT function to find or build a safe and secure replacement – right away.

It is reasonable to assume that every enterprise contains shadow IT, given the ease and relative affordability of acquiring it, coupled with employees’ desire to fill needs or leverage opportunities with minimal delay. Savvy enterprises recognize this and mine the potential benefits, while managing the associated risk.

Jane Seago, Business Writer, and Terry Trsar, Business Consultant

[ISACA Now Blog]

CISO VS. CIO: TURF WAR CASTS SHADOW CYBERSECURITY

By David Shearer, CISSP, CEO (ISC)² 

I was recently reading an article by my colleague, ISACA CEO Matt Loeb, that got me thinking. In his piece, Creating cyberculture, Matt creatively reworks the “cybersecurity is everyone’s responsibility” mantra with his seatbelt analogy. While I certainly applaud any effort to create an inclusive cybersecurity culture – and Matt has some great suggestions on how to do so – I believe most organizations simply are not ready. To build on Matt’s seatbelt analogy, we’re buckling ourselves into a car seat that’s not yet bolted to the frame.

Let me explain. We still have a great deal of work to do at the operational levels of most organizations that stems from a fair of amount of US vs. THEM within IT/ICT and cybersecurity teams often fueled from top-level conflict between CIOs, CTOs and CISOs.

There I said it. I don’t draw attention to it easily or carelessly. I say this based on my own experience and the experience of those I have mentored over the years. In far too many organizations, cybersecurity remains a poorly defined discipline with unclear boundaries and areas of responsibility. Despite these organizational headwinds, IT/ICT and cybersecurity professionals are doing their best every day to keep businesses moving, minimize risk and secure their data. I like to call this unofficial collaboration at the operational levels Shadow Cybersecurity.

While the concept of Shadow IT is by and large interpreted negatively, I view Shadow Cybersecurity in a positive light. Throughout my career in IT leadership positions, I was no stranger to hunting down rouge IT efforts in the shadows of the organization that ran counter to our enterprise architecture, policies, standards and procedures. These Shadow IT challenges remain today, and frequently occur when IT is viewed as unresponsive or not fast enough in delivering on business and mission requirements. This is not unlike the perception that cybersecurity slows progress and too frequently says ‘no.’ IT/ICT and cybersecurity face the same challenge in that they are often viewed by others in the organization as inhibitors vs. enablers.

Admittedly, I’m a bit old school. I came up during a time when cybersecurity was under the umbrella of Information Assurance, along with information security versus the all-encompassing definition of cybersecurity that’s evolving today. However, contrary to what my wife might say, I’ve learned to adapt to the perpetual naming convention changes. So at the risk of demonstrating unbounded hypocrisy, I’d like you to consider the concept of Shadow Cybersecurity.

Those of us who came up through the Information Resources Management (IRM), CIO and CTO ranks had some level of cyber, information, software and infrastructure security responsibilities that were inherent to our area of responsibility. Today, the IT/ICT workforce still retains what I’ll refer to as collateral cybersecurity responsibilities. IT/ICT staff are still responsible in many organizations for hardening mobile devices, laptops, storage devices and servers that are on premise and in the cloud under Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud deployments. IT/ICT workers may never be interested in or consider themselves cybersecurity professionals, but it’s likely for the foreseeable future that IT/ICT workers will continue to be the unofficial force multiplier for the CISO function. They often turn the nuts and bolts of the organization’s cybersecurity policy, standards and procedures, whether they get credit for it or not.

For the purposes of this discussion, I’m referring to this type of workforce multiplier effect that IT/ICT can have on enterprise cybersecurity as Shadow Cybersecurity. In this case, these IT/ICT workers have not gone rogue working in the shadows without oversight. They represent a hardworking community that cannot be overlooked by CISOs. The may never work for the CISO; they may never consider a pure play cybersecurity position, but they can and often are contributing in positive ways to the overall enterprise security posture.

Providing serious education and certification opportunities for these individuals can help establish a lexicon of understanding and best practices that build bridges and can lead the operational areas of an organization toward the cybersecurity culture Matt describes. In my view, IT/ICT has and will continue to cast a long shadow. With the right leadership and unified perspective, these resources can have a very positive effect and compounding impact on securing the enterprise.

Whether you’re an IT/ICT professional or pure cybersecurity professional, I believe we all hope for the cybersecurity culture that Matt describes. However, I think we tend to focus too much on getting upper management, the C-suite and the board of directors onboard. We still need to continue to actively improve the relationship between CIO and CISO functions. Granted, sometimes the CISO works for the CIO, and I have heard of arrangements that are working. More often than not, I hear there’s still relationship management and turf challenges. Do we really find that surprising? Was it surprising when the CIO positions started to emerge in organizations in the 1990s and the challenges of getting the right line authority surfaced? Are we surprised that the CISO role is still often too far down the organizational chart to have the authority needed? Will the CISO ever have the type of carte blanche authority they feel they need? Arguably not; so like the evolution of the CIO, the CISO needs to build rapport and find ways to advance the organization’s cybersecurity program. It may happen in some organizations, but it’s unlikely in my view that the CISO will ever have line authority over all IT/ICT resources. Consequently, the concept of Shadow Cybersecurity is one a CISO should consider embracing and leveraging. Doing so can provide for the force multiplier effect that I’ve described. Granted, some organizations are already on their way, but others are just scratching the surface.

That’s my attempt to shine some light on the concept of Shadow Cybersecurity as an organizational dynamic that, if treated properly, can have a positive impact on an organization’s cybersecurity operational readiness and culture. Establishing a common lexicon and best practices between CISO and CIO resources is paramount. For practitioners, working in the shadows isn’t always a bad thing. Sometimes it means you’re providing complementary, but sometimes unrecognized contributions to something inherently bigger than self like cybersecurity. To all the IT/ICT professionals providing Shadow Cybersecurity in accordance with best practices, thanks for your contributions to a safe and secure cyber world.

Please stay the course, but until we address these issues, you may need more than a seatbelt for this thrill ride. Sometimes it takes someone to call out the “elephant in the room” issue to evoke positive change. That’s my hope.

[(ISC)² Blog]

Five Questions With National Security Expert and CSX North America Keynoter Matt Olsen

Editor’s note: Matt Olsen, national security expert and co-founder of IronNet Cybersecurity, will deliver the opening keynote address at CSX North America, which will take place 2-4 October in Washington, D.C., USA. Olsen, who says ‘no company should go it alone in cyber space,’ visited with ISACA Now about the role of cyber professionals in counterterrorism, evolving forms of attacks and sharing of threat information. The following is an edited transcript:

ISACA Now: How would you characterize your experience with the National Counterterrorism Center? What components of your work did you find most fulfilling?
The National Counterterrorism Center, or NCTC, was established after the terrorist attacks of 9/11. The mission of NCTC is to integrate and analyze all sources of terrorism intelligence, and then to share that information with partners across the federal government and with state and local law enforcement. The creation of NCTC was one of the primary recommendations of the 9/11 Commission and has fundamentally reformed the way the federal government approaches counterterrorism.

I was fortunate to lead NCTC at a time when its role was firmly established in the nation’s counterterrorism efforts. The most rewarding aspect of working at NCTC was its exemplary workforce of analysts, operators and policy experts. All of the officers at NCTC were committed to protecting the country and, despite many career options, had chosen to dedicate their professional lives to national security.

ISACA Now: What are the most impactful ways that cyber security professionals can make their mark on counterterrorism?
There is a close relationship between cyber security and counterterrorism. We have seen terrorist groups seek to obtain sophisticated cyber tools to carry out destructive attacks against the United States. Cyber security professionals can help defend against these efforts generally by hardening their networks and by adopting industry best practices for cyber security.

ISACA Now: What type of attacks do counterterrorism professionals need to be best prepared for going forward?
Counterterrorism professionals need to be prepared for a wide range of attacks from terrorists today.  The most likely type of international terrorist attack here in the United States is an assault by a lone wolf who has been radicalized by terrorist groups overseas, such as ISIS. Such an attack is likely to be unsophisticated, but difficult to prevent.

We also need to be concerned about more sophisticated attacks, such as the deadly assaults in Paris and Belgium, which were extensively planned and coordinated by ISIS. Finally, we suspect that al-Qaida remains interested in aviation targets, and has plotted repeatedly to plant a bomb on a plane headed for the United States.

ISACA Now: From your personal experience, how challenging is it to find qualified cyber security professionals who can handle complex threats?
In my experience, we face a significant challenge in finding cyber security experts to fill positions across the private and public sectors. By some estimates, there will be more than one million unfilled cyber security jobs in the United States by 2020. Meanwhile, there’s no shortage of adversaries and bad guys trying to hack into our networks. We need to work hard to ensure that educational opportunities exist to train the next generation of cyber security experts.

ISACA Now: What steps can or should governments take to be more effective at sharing threat intelligence information?
The effective sharing of cyber intelligence and threat information is essential to improving our cyber security. The government should take the lead in ensuring that our laws, regulations, and policies promote and facilitate the sharing of information among companies, and between companies and the government. For their part, companies should take advantage of legal changes over the past few years to enter into sharing arrangements with other companies.

Today, it is feasible for companies to share threat information and gain situational awareness in real time across economic sectors. No company should go it alone in cyber space. Only through a “common defense” approach to cyber security can companies gain the visibility and access to expertise on a widespread basis. This will lead to better cyber security for all.

[ISACA Now Blog]

How to Hack Neural Networks

If only neurologist Oliver Sacks, who wrote The Man Who Mistook His Wife for a Hat,” were still alive! He would find today’s neural networks (the hot new trend from the artificial intelligence community) extremely amusing.

His book describes a man whose brain damage results in the man thinking his wife’s head is a hat. Maybe there are more parallels between the brain and artificial neural networks than what meets the eye (no pun intended).

Neural networks are being leveraged increasingly often in information security to provide a higher level of protection, including against zero day attacks. However, what if the adversary targeted the neural network/machine learning algorithm itself?

In a recent article, Adam Geitgey describes an algorithm and even provides code for tricking a neural network-based image recognition system into identifying a photo of a cat as a toaster:

  1. Feed in the (cat) photo that we want to hack.
  2. Check the neural network’s prediction and see how far off it is from the answer we want to get for this photo.
  3. Tweak our photo using back-propagation to make the final prediction slightly closer to the answer we want to get.
  4. Repeat steps 1–3 a few thousand times with the same photo until the network gives us the answer we want.

Note that knowledge of the neural networks is required in order to leverage back propagation. However, this approach is not new and other examples of misleading input causing machine learning to fail are known, such as the case of defacing a stop sign resulting in autonomous vehicles not recognizing the sign.

Let us make the algorithm more generic so that it can apply to a Data Loss Prevention (DLP) system.  Assume we use a simple example that is well defined: DLP via Domain Name System (DNS) queries.  Instead of a photo being analyzed, individual fields in protocol messages are analyzed to determine when malicious actors are trying to exfiltrate sensitive data, so in the algorithm we replace “photo” with “set of DNS queries”:

  1. Feed in the set of DNS queries we want to hack.
  2. Check the neural network’s prediction and see how far off it is from the answer we want to get for that set of DNS queries.
  3. Tweak our set of DNS queries using back-propagation to make the final prediction slightly closer to the answer we want to get.
  4. Repeat steps 1–3 a few thousand times with the same set of DNS queries until the network gives us the answer we want.

With such methodology, the adversary can successfully bypass such a Data Loss Prevention (DLP) system and imagine even tampering with valid data (e.g., an organization’s valid traffic) to cause the DLP to trigger a false positive.

What can security vendors do to prevent such hacks? Obviously the more the adversary knows about the neural network algorithm, the quicker he can successfully generate hacked input that will cause the system to fail. So, algorithm details must be protected. Geitgey recommends the use of ‘Adversarial Training’: include lots of hacked images or data created using back propagation, and include them in your training data set.

So, the question arises: are we building enough security into our security systems?

Editor’s note: ISACA’s recent tech brief on artificial intelligence is available as a free download.

Claudia Johnson, Cloud Technologist, Oracle

[ISACA Now Blog]

English
Exit mobile version