In our last post, we discussed how large numbers of users aggregated by cloud services make them attractive to cyber-criminals. We also showed how the increase in data breach incidents (like the recent DNC break-in) is closely correlated with the growth of cloud computing.
The massing of data in centralized stores actually creates two problems – the reward is far larger than that of a single user, and it creates a single point of failure. Where the first scenario is mainly about data and credential theft, the second exposes an enterprise to the high costs of large-scale outages. Bad actors have been exploiting this vulnerability since the 1990s through distributed denial of service (DDoS) attacks and, more recently, with ransomware.
The conventional wisdom about DDoS attacks can be described as “safety in numbers.” Large sites have so many front doors, it’s virtually impossible to tie up all of their ports. That was mostly true until last week’s attack on Dyn. With hundreds of thousands of connected devices like DVRs marshaled by attackers, even the largest public and private clouds are newly vulnerable.
The core of this terrifying problem is the overwhelming advantage enjoyed by attackers. They can throw thousands of attacks at the same target over a short timeframe. It only takes one success to create a breach or to commandeer a key system. And with millions of erstwhile innocuous connected devices like thermostats, cable modems and even auto-based sensors capable of executing malware, DDoS is back in the spotlight.
Does this mean it’s curtains for cloud computing? Not really. But a distributed system does create a large number of attack points, making DDoS attacks far less effective and data theft far less interesting. There are many applications that don’t require the intermediate storage of a cloud. When comparable (if not better) distributed alternatives are brought to market, they will be welcomed by users anxious to reduce their attack surface.
The fact is, software is already populating the full spectrum between centralized and distributed approaches. The best example of this is in mobile, where full-fledged applications are often running entirely on the user’s device. We also believe that there will be a surge of interest in highly distributed approaches like peer-to-peer and the blockchain because the tides are not going to turn against the bad guys any time soon.
Decentralization and the Security Crisis
November 5, 2016 - posted by Nexo
Cybercrime and the Cloud
October 12, 2016 - posted by Nexo
During Cloud Mania – roughly the decade between 2000 and 2010 – it was virtually impossible for start-up ventures to get funding unless they were cloud-based. Sixteen years on, most modern offerings are in the cloud – and that’s certainly the case for file sharing. Public cloud services are incredibly enticing to cyber-criminals because they’ve conveniently gathered millions of users for them at one attack point.
Before Cloud Mania, bad guys had to go after each person or company one at a time and the number of data loss events was barely newsworthy. But the ability to get access to millions of users' information for a little extra effort makes the decision a no-brainer.
The white line in the chart above shows the alarming increase in “data loss events.” A subset of security events, these occur when cyber-criminals successfully extract corporate data, including the IDs and passwords of registered users. There were 2,100 reported in 2014, and for 2015 Verizon recently reported that number has soared to 3,141 (source: Verizon's annual Data Breach Investigations Report).
The orange line shows the growth in the public cloud market in $B. What is stunning about this is the undeniable correlation between the growth of cloud computing and that of cyber-crime.
You've probably heard John Chambers' quip about cyber-crime: "There are two kinds of companies - those that know they've been breached, and those that don't." Nothing proves this more than the recent discovery by Yahoo! of a 500 million account breach that occurred more than two years ago. (Note: 500 million is essentially all Yahoo! accounts.)
We're not the only ones that see problems with the cloud. In a recent conversation with a knowledgeable source, we learned that no government intelligence agency is allowed to use cloud-based file sharing – they only consider peer-to-peer to be secure enough. As the figure above shows, we are losing the battle with cyber-criminals, and security will become the top criterion for product selection, putting any cloud-based service at a significant disadvantage.