Cloud Information Security Tips
January 30, 2021 | Karolinn Fiscaletti
An easily-compromised virtual server could be your organization’s weak link.
Recent years have seen a dramatic increase in cloud security breaches – from the much-publicized Equifax incident to major breaches at Adobe, Canva, eBay, LinkedIn, Facebook, Instagram, and Marriott. Verizon’s Data Breach Investigations Report (DBIR) indicates that data security control errors, stolen credential hacking, ransomware, and phishing attempts are only going to increase.
Why the uptick? Is there something inherently more dangerous about storing data in the cloud? Not exactly.
Simply put, we’re hearing more about cloud security mishaps because the cloud has become the default method for storing data in almost every industry.
While the blame for most data compromises may fall on system vulnerabilities, glitches, or misconfigurations, cloud-based data breaches are often the result of user error.
What is the Cloud?
“The cloud” is a blanket term for servers that are accessed via the internet (as opposed to locally on a computer), along with the software, databases, and other services that run on these servers. Cloud computing works through virtualization, the creation of a simulated, virtual computer that behaves just like a physical computer.
Familiar examples of cloud-based services or data storage include social media sites, Dropbox, Salesforce, G Suite, or Office 365. Even credit bureaus and cell service providers use the cloud. It’s everywhere.
As internet access and reliability have increased, the cloud has become more and more popular, and it’s easy to see why. Companies and individuals that use the cloud don’t have to maintain their own servers, which can be costly and time-consuming. Plus, they can access all of their files and applications from anywhere there is internet, using either a browser or an application.
Cloud deployments can range from private clouds dedicated solely to one organization to public clouds shared by more than one organization – or hybrid clouds, which are a mixture of the two. There is even such a thing as a multicloud, which involves the utilization of several public clouds.
How is the Cloud Compromised?
Cloud vulnerabilities are often the direct result of misconfiguration or noncompliance. In 2019, serious Facebook and Instagram breaches occurred when business partners left an AWS server unsecured and exposed an AWS database.
That same year, Capital One saw 80,000 bank account numbers and more than 1 million government ID numbers breached when a former Amazon software engineer used a server-side request forgery attack to gain credentials for a secure role.
Better cloud workload visibility, better analysis of AWS CloudTrail logs, a better host-based intrusion detection system, and better cloud configuration compliance all could have prevented these situations.
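As an added illustration of the CloudTrail analysis mentioned above (not part of the original article), the sketch below flags EC2 instance-role credentials being used from an address outside the organization's own network ranges, the pattern that stolen role credentials leave behind. The sample records, the role name, the trusted range and the function name `find_offnet_instance_credentials` are constructed assumptions; the field names are standard CloudTrail fields.

```python
import ipaddress
import re

# Constructed CloudTrail records for illustration; the account ID, role name,
# instance ID and addresses are placeholders, not data from any incident.
ROLE = "arn:aws:sts::111122223333:assumed-role/example-app-role/"
# EC2 instance-role sessions use the instance ID as the session name.
INSTANCE_SESSION = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")

def record(time, name, ip, id_type, arn):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": id_type, "arn": arn}}

SAMPLE_EVENTS = [
    record("2021-01-12T10:02:11Z", "ListBuckets", "10.0.4.17", "AssumedRole", ROLE + "i-0123456789abcdef0"),
    record("2021-01-12T10:05:40Z", "ListBuckets", "203.0.113.50", "AssumedRole", ROLE + "i-0123456789abcdef0"),
    record("2021-01-12T10:05:58Z", "GetObject", "203.0.113.50", "AssumedRole", ROLE + "i-0123456789abcdef0"),
    record("2021-01-12T10:07:02Z", "ListBuckets", "198.51.100.7", "AssumedRole", ROLE + "alice"),
    record("2021-01-12T10:08:15Z", "ListBuckets", "198.51.100.7", "IAMUser", "arn:aws:iam::111122223333:user/bob"),
    record("2021-01-12T10:09:30Z", "DescribeInstances", "ec2.amazonaws.com", "AssumedRole", ROLE + "i-0123456789abcdef0"),
]

def find_offnet_instance_credentials(events, trusted_cidrs):
    """Return instance-role API calls whose source IP is outside trusted_cidrs.

    trusted_cidrs should list the VPC ranges and any NAT egress addresses
    (assumption: the caller knows these for its own environment).
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # IAM users and root are out of scope for this check
        match = INSTANCE_SESSION.search(ident.get("arn", ""))
        if not match:
            continue  # role session not tied to an EC2 instance
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # AWS service callers appear as names, e.g. ec2.amazonaws.com
        if not any(src in net for net in nets):
            findings.append({"eventTime": ev["eventTime"], "eventName": ev["eventName"],
                             "role": match.group(1), "instance": match.group(2),
                             "sourceIPAddress": str(src)})
    return findings

if __name__ == "__main__":
    for f in find_offnet_instance_credentials(SAMPLE_EVENTS, ["10.0.0.0/16"]):
        print(f)
```

Run against exported CloudTrail records, the trusted list needs to cover every legitimate egress path, otherwise normal traffic through a NAT gateway will be flagged.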
In addition to finding back doors through noncompliance or flaws in configuration, hackers also attempt more direct methods aimed at tricking end users, and a phishing attack is probably one of the first things they will try. In fact, it’s one of the most likely ways an organization will be breached.
As we detailed in previous articles on phishing, this particular cybercrime “targets individuals by email, telephone, or text message and poses as a legitimate institution to lure individuals into providing sensitive data or personal information” – in most cases, credentials like usernames or passwords.
What Can I Do?
Better cloud security involves more than just a single organization’s practices. Cloud providers already know hackers are going after servers that haven’t been set up correctly. In fact, recent research also indicates that virtually all IT professionals believe that human error could result in a breach of their cloud data. But that same research indicates that the majority of IT professionals have a hard time monitoring and maintaining security in the cloud.
That’s probably because compliant cloud configuration is growing more and more complex. For instance, Amazon’s popular S3 storage system has a 130-page instruction guide for configuration – a daunting prospect for some IT teams that may be working under pressure to implement systems as quickly as possible. Lasting, end-to-end security can only be achieved if IT teams have the resources they need to reach and maintain compliance.
That said, whether you have an in-house IT team or you outsource your technology services to third-party providers, there is a lot you can do to ensure your organization’s security when using cloud computing:
- Choose good providers
A good vendor will have a good reputation, adhere to security guidelines, and have data available about the number of attacks they have seen and defeated.
- Limit access
Many data breaches boil down to data that is left unprotected or too accessible. You can reduce this risk by only granting employees access to data that they really need. Consider separating duties so that no one user has access to the entire range of permissions. When an employee leaves your organization, delete or deactivate all of their accounts with your organization. You can also implement rigorous identity verification tools like multi-factor authentication.
- Use secure communications and connections
When exchanging private data, it’s important to use secure methods of delivery, such as encrypted email. Now that many employees are working remotely, it’s also well worth your while to invest in a reputable VPN (virtual private network) to encrypt data sent between Wi-Fi access points and your organization’s network.
- Consider cloud security services like firewalls
While traditional firewalls filter out malicious traffic between a trusted internal network and an untrusted network (for example, between a private network and the internet), cloud firewalls form a barrier between trusted cloud assets and untrusted internet traffic.
- Educate end users
Probably the most important thing you can do for end users is to educate them on how to protect their credentials and your company’s information. Phishing awareness, email encryption, and password security should all be standard training topics for your organization. Users should be taught to use complex, unique passwords that are changed often, and should be able to spot a phishing attempt from a mile away.
Additional Resources
As your risk partner, we care about your district’s information security standards. If you think your network could use a checkup, a good first step is a health assessment from our partner, NetDiligence. For full details, including information on grants, turn to page 24.
If you’re interested in providing your employees with a phishing awareness course, you can register for our custom phishing course (which qualifies for the training credit) through TargetSolutions.
If your employees are already experts, put their skills to the test in eRisk Hub, a free member-resource that provides ransomware and phishing stress testing. More info on what’s new in eRisk Hub for 2021 can be found on page 23.
Still looking for more? Check out our three-part webinar series from security expert Michael Bazzell, who emphasizes the need to regularly change passwords and maintain a recommended level of complexity. These videos demonstrate – in real time – just how easy it is for hackers to obtain almost any password.
To take advantage of these resources, or if you have any questions related to your coverage, contact us at info@csdpool.org.