Cyber-criminals are attacking virtualized data center systems and taking advantage of cloud environments as they come up with new threats in the cloud.
NEW YORK-Cyber-criminals are
simultaneously taking advantage of the cloud's benefits to launch attacks as
well as targeting organizations' cloud services, security experts said.
As organizations increasingly
virtualize their data centers and move their applications to the cloud,
attackers are beginning to think, "Let's attack here," Allen Vance, director of
product management of the data and applications security group at Dell
SecureWorks, told attendees at Cloud Expo during a session on cloud security on
June 6. Organizations have to put in measures to handle threats to their
virtualized environments when considering a cloud deployment because the
environment amplifies the risks, Vance said. Cloud Expo is running from June 6
to June 9 here.
"We are in the middle of a war," Terry
Woloszyn, CTO of PerspecSys, told attendees in a different session on cloud
security. He compared the current security climate to an "arms race" as
cyber-attackers are continuously developing new attack vectors and modifying
existing threats, leaving vendors and businesses to play catch-up.
Nowhere is this more evident than the
recent game of whack-a-mole Apple has been playing with malware developers
behind the fake MacDefender antivirus scam and its many variants over the past
A new MacDefender variant appeared
within 24 hours after Apple released a security update on June 1 that included
the malware definition in the Mac OS X File Quarantine list. After Apple
updated definition files to cover the new variant on June 2, yet another one
popped up that bypassed the quarantine hours later.
Vulnerabilities reported in virtualized
technologies have "nearly doubled" between 2008 and 2010, according to data
compiled by Dell SecureWorks Threat Intelligence and Intrusion, Vance said.
Dell SecureWorks found that security "events" detecting attacks against virtual
environments increased by more than 500 percent over the same period.
Cyber-attackers can try to steal
credentials related to cloud providers, such as the organization's username and
password for Amazon Web Services and the certification and private key used,
Dell's Vance said. Malware is increasingly sophisticated enough to exploit
vulnerabilities and use hyper-escalation to compromise cloud platforms, Vance
Hyper-escalation refers to what happens
when malware exploits a vulnerability in the hypervisor to break out of the
virtual machine and gain root privileges on the actual server hardware. This
would give attackers complete control over all the other virtual machines
running on that machine, a serious threat in a multi-tenancy environment. When
organizations are sharing network infrastructure, databases, data storage and
computing resources, risks are aggregated, Vance said.
It's not just "script kiddies" that are
breaking into networks and writing malicious code, according to Woloszyn.
Attacks are originating from "sophisticated nation-states with cyber-commands"
as well as from organized crime. Cyber-attackers are using "strategic
multi-pronged" attacks, such as compromising RSA Security first and then using
the stolen data to break into defense contractor Lockheed Martin, according to
Stuxnet was a "cyber cruise missile,"
which was "stunning" in the way it targeted highly specialized systems,
according to Woloszyn. "Who's to say the next targeted attack won't be against
the cloud?" Woloszyn asked attendees.
Another threat against cloud services is
in the APIs used to connect applications and services, according to Dell's
Vance. There are "thousands" of Web-based APIs, and 10 to 15 new ones are being
created each day. If they are not built or implemented correctly, organizations
are vulnerable to man-in-the-middle campaigns, identity spoofing, accidental
leakage of confidential data and even denial-of-service attacks.
In the event of a breach, forensic
analysis is also more difficult in the cloud, Dell's Vance said. The fact that
the environment is maintained by a third party may actually slow down initial
incident response as well as the time required to remediate vulnerabilities.
One reason for the delay may be because the cloud provider's first priority is
often in making sure other customers are unaffected.
Both Vance and Woloszyn noted that
cloud environments are vulnerable to malicious insiders, who may decide to
abuse their privileges.
Vance emphasized the importance of
organizations monitoring cloud logs. Just because they are giving up
operational control doesn't mean IT departments can't monitor the host, the
guest virtual machines and other security services. Woloszyn said organizations
should also consider implementing a zero-trust environment in the cloud so that
only the exact information the user needs is revealed and nothing else. Layers
of access, where some people have higher levels of trust than others and only
anomalies are tracked, mean attackers just have to figure out a way to escalate
privileges to gain unfettered access to data.
Traditional security techniques have
limited effect in the cloud, Vance said, noting that organizations need to look
at "old problems" and consider them in a new context.