Hackers, like security vendors, are embracing the cloud; can you?

December 1, 2011 | By David
Grazed from CSO.  Author: David Braue.

Large-volume hackers have become cloud pioneers, using public cloud infrastructure to threaten companies that often implement ambitious but poorly considered cloud-computing strategies, a security industry technologist has warned.

Noting the growing reliance on virtualisation and the increasing trend towards pushing virtual machines into public cloud services to cut infrastructure costs, Raimund Genes, global chief technology officer with security firm Trend Micro, warned that too many companies are just moving their security and reliability problems from one infrastructure to another.

Redundancy, for example, must be catered for: while cloud services from Amazon, Microsoft and others allow workloads to be spread across data centres in multiple geographies to minimise downtime, many companies simply move their existing systems, unchanged, into cloud-hosted virtual machines without using that redundancy. This leaves them vulnerable to data and systems loss in the event of even a partial cloud outage…

Online streaming-video giant Netflix has worked around this issue by spreading its assets across many parts of the Amazon Web Services (AWS) cloud — and using purpose-built code called Chaos Monkey to randomly disable parts of its infrastructure. If it can’t survive the monkey’s depredations, the architecture won’t survive a real attack either.

Failure to rearchitect applications is also restricting the flexibility to implement bring-your-own-computing (BYOC) policies, which increasingly require companies to deliver cloud-hosted applications and services to a broad range of devices. “I have seen some companies that have failed badly because they just took their current applications and processes and put them into the cloud,” Genes explains. “You really have to do an assessment on your applications to see if they’re cloud ready.”

Such assessments need to consider not only redundancy, but architectural choices often made many years ago. Each carries its own limits on user access and its own security implications, Genes warns: “If you’re still using ActiveX or still rely on .NET for Web services, forget about it; you need to be ready to deliver on the iPad, BlackBerry, and any other device. You just can’t avoid it anymore.”

Yet supporting such devices brings its own risks: the reported explosion in Android malware, for example, opens up the very real possibility that users could inadvertently bring malware into the enterprise, from which it can work to its nefarious ends under cover of the network. With new app stores blossoming and offering customers direct access to potentially malware-ridden apps, companies must be particularly vigilant in monitoring mobile devices.

Without a broad approach to security and business availability, the result is likely to be disaster for more than a few companies that fail to devote enough thought and resources to security.

“A lot of companies do the sums, then do the bare minimum” to protect themselves, Genes says.

“If something happens they have unlimited budget to fix it, but by then it’s too late. Think about what happened to [hacked two-factor authentication provider] RSA; would you ever buy a token from RSA again?”

Avoiding such hacks, and the reputational damage they can cause in an instant, requires rejection of the notion — often perpetuated through marketing materials of some vendors — that it’s possible to get 100 percent security protection just through software. Conventional malware filtering approaches are “just not working anymore, and we have to accept that,” Genes explains. “The original concept was to filter as much as possible before it gets to the desktop. But if they want to get in, they get in.”

From the inside out.

Even when companies install strong border-protection systems that repeatedly pass proactive pen testing, some are finding that installed spyware or other malware is sending data out of the company. Many firms, however, spend all their effort monitoring incoming traffic and have no way to notice large volumes of data leaving the company, which is a classic hallmark of a data breach.

“It’s all been outside-in protection, but nobody ever thought of inside-out protection,” says Genes, noting that the signatures are often quite obvious to those who are looking for them.

“It’s often easier to recognise data getting out of the company than getting in.”

Genes cited the example of Sony, whose online gaming services were hacked and 100 million user identities stolen earlier this year. That attack would have taken a significant amount of time, Genes said — so why didn’t anybody at Sony notice the flood of outgoing data?

“This was going on for weeks,” he explains.

“You need a system that learns normal behaviour and then detects anomalies. You’re moving from outside-in protection, to a more inside-out, data-centric approach.”

One local Trend Micro customer, Genes says, felt its regular pen testing was enough to ensure it had an adequate security perimeter. But when Trend Micro went in and analysed the customer’s outgoing connections, it found that the outgoing link was regularly 80 percent saturated. Not only had the company not known this, it didn’t know what the traffic was.

Regularly searching for new destination IP addresses in outgoing packets is one way to spot anomalies, particularly when large numbers of packets are sent to the same new destinations on a regular basis. That dependence on a steady outbound connection is, ironically, both a strength and a weakness of the attackers’ own cloud-computing model, which Genes says is outpacing conventional cloud-based defences, including Trend Micro’s own attack-analysis cloud infrastructure, which handles 71 billion requests per day on a highly scalable cloud environment.
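The inside-out monitoring the previous paragraphs describe, as an added example that is not code from the article, from Trend Micro or from the customer it mentions: learn which destinations the network normally talks to during a baseline window, then flag destination IPs that are new and receive large volumes of outbound data on several distinct days. The flow lines are constructed for the example, and the learning window and thresholds are assumptions chosen for illustration, not figures from the article.

```python
"""
Inside-out (egress) anomaly detection over outbound flow records.

Added example; not the article's or Trend Micro's code. The flow log is
constructed, and the learning window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log (assumed format): "<ISO timestamp> <src host> <dst IP> <bytes out>".
# The first week is normal business traffic; from 8 November a single host
# starts pushing hundreds of megabytes a night to a destination never seen before.
FLOW_LOG = """\
2011-11-01T08:05:00 ws-17 203.0.113.10 120000
2011-11-01T09:12:00 ws-22 203.0.113.10 98000
2011-11-02T08:01:00 ws-17 203.0.113.10 130000
2011-11-02T11:40:00 ws-05 198.51.100.7 20000
2011-11-03T08:09:00 ws-22 203.0.113.10 101000
2011-11-04T08:00:00 ws-17 203.0.113.10 125000
2011-11-05T08:03:00 ws-05 203.0.113.10 119000
2011-11-06T08:07:00 ws-17 203.0.113.10 122000
2011-11-07T08:02:00 ws-22 203.0.113.10 117000
2011-11-08T02:14:00 ws-09 192.0.2.44 850000000
2011-11-08T09:00:00 ws-17 203.0.113.10 121000
2011-11-09T02:11:00 ws-09 192.0.2.44 910000000
2011-11-09T14:30:00 ws-05 198.51.100.7 18000
2011-11-10T02:16:00 ws-09 192.0.2.44 880000000
2011-11-10T15:00:00 ws-22 198.51.100.200 5000
2011-11-11T02:09:00 ws-09 192.0.2.44 905000000
"""

# Assumed tuning: a week of learning, 100 MB/day to a single new destination
# counts as "large", and it has to recur on at least three days to be "regular".
LEARNING_DAYS = 7
BYTES_PER_DAY = 100_000_000
MIN_HEAVY_DAYS = 3


def parse_flows(text):
    """Parse the flow log into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def learn_baseline(flows, learning_days=LEARNING_DAYS):
    """Return (known destinations, first calendar day after the learning window)."""
    first_day = min(f[0] for f in flows).date()
    cutoff = first_day + timedelta(days=learning_days)
    known = {dst for ts, _, dst, _ in flows if ts.date() < cutoff}
    return known, cutoff


def detect_egress_anomalies(flows, known, cutoff,
                            bytes_per_day=BYTES_PER_DAY, min_days=MIN_HEAVY_DAYS):
    """Flag destinations that are new since the baseline and receive
    bytes_per_day or more on at least min_days distinct days."""
    per_dst_day = defaultdict(lambda: defaultdict(int))  # dst -> day -> bytes
    sources = defaultdict(set)                           # dst -> hosts talking to it
    for ts, src, dst, nbytes in flows:
        if ts.date() < cutoff or dst in known:
            continue                                     # baseline period or known peer
        per_dst_day[dst][ts.date()] += nbytes
        sources[dst].add(src)

    alerts = []
    for dst, days in per_dst_day.items():
        heavy_days = [d for d, b in days.items() if b >= bytes_per_day]
        if len(heavy_days) >= min_days:
            alerts.append({
                "dst": dst,
                "days": len(heavy_days),
                "total_bytes": sum(days.values()),
                "sources": sorted(sources[dst]),
            })
    return sorted(alerts, key=lambda a: -a["total_bytes"])


def run(text=FLOW_LOG):
    """Learn the baseline from the log and return the egress alerts."""
    flows = parse_flows(text)
    known, cutoff = learn_baseline(flows)
    return detect_egress_anomalies(flows, known, cutoff)


if __name__ == "__main__":
    for alert in run():
        print(f"NEW destination {alert['dst']}: {alert['total_bytes']:,} bytes "
              f"over {alert['days']} heavy days from {', '.join(alert['sources'])}")
```

On the constructed log this reports only 192.0.2.44: the long-standing mail peer 203.0.113.10 is in the baseline and is never flagged however busy it gets, and the new destination 198.51.100.200 is ignored because a single 5 KB flow is neither large nor regular. The same per-destination daily totals are what would have shown the 80 percent link saturation in the customer story above; in practice the flow records would come from a router, NetFlow collector or firewall log rather than a string.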

“To get code into a company, hackers test it against all the analysers and target it against a company or person,” he explains.

“But once it’s going outwards, it needs a reliable connection to a command and control server; interestingly enough, the bad guys are using the same infrastructure over and over again. They rely on constant communications.”

Ironically, this has made hackers pioneers in cloud computing, Genes warns: like legitimate corporate customers, hacker groups are renting virtual server space from AWS and others, then using it to build up command and control architectures from which they can launch massive distributed denial of service (DDoS) and other attacks.

“They’re moving data around all the time so law enforcement can’t keep up,” Genes laughs. “They’re building reliable and resilient networks; these guys have perfected cloud computing and they’ve known how to do it for years.”