SAN FRANCISCO –New cyber-attack techniques are evolving that threaten computer systems that IT security administrators may have considered relatively safe. That was the message of a panel of SANS Institute cyber-security experts at the 2018 RSA Conference.
For example, cloud computing is often lauded for its security and a way for companies to offload the infrastructure and investment costs of owning and maintaining on-premises data centers.
But SANS Institute’s Ed Skoudis said storing data offsite doesn’t ensure security.
“There is leakage when you have data stored in the wrong repositories or not stored correctly,” said Skoudis, a fellow and lead instructor at SANS Institute, which specializes in IT training and security services.
“There have been many attacks, Verizon twice, Time Warner and Uber and the U.S. Army leaked over 100 gigabytes of data because of a bug in an Amazon S3 storage bucket.”
Skoudis said organizations have focused on protecting their computer systems, but it’s time to think more broadly.
“If I ask a company if they manage and secure their computer systems they say yes. But when I ask about securing their data assets they say, ‘What are you talking about?’ It’s important to protect your computer systems, but if you don’t know what your data assets are and you’re putting them on systems you have no control of, you’re going to be in trouble,” he said.
Skoudis said companies should consider hiring or assigning a “data curator”, a relatively new type of IT administrator, to track and manage data assets. He also said cloud providers offer services that scan customer’s data using machine learning and artificial intelligence to spot irregularities. He also advised companies to regularly review access logs associated with their data assets stored in the cloud.
Some cloud providers let customers do a penetration test to make sure their assets are secure, but some cloud providers will only do the tests themselves. Skoudis said another approach companies can take is to run penetration tests on their end systems that access the cloud services to make sure they are secure.
Ransomware was a big topic at RSA 2017, and this threat has only gotten more sophisticated. “Last year I said no one wants your data because they have it all and sold it back to you as ransomware,” said Johannes Ullrich, the Dean of Research at SANS Institute. “Now they’re stealing your customer’s processing power.”
These so-called “crypto-currency miners” figure out ways to siphon off processing from a company’s computer systems and resell it, Ullrich said, with some reaping tens of thousands of dollars a month.
The scheme is often carried out by company insiders with access to the data center. In one case Ullrich said someone installed a specialized server under the data center’s raised floor where it went unnoticed until the processing drain affected network performance. Ullrich suggested companies might also install infrared cameras to spot higher temperature changes in the data center.
While we think of malicious hackers as exploiting software, Ullrich pointed out that hardware can be exploited as well, noting the most recent examples of the Meltdown and Spectre flaws that affected the majority of the world’s CPUs.
“Maybe protecting data has to move inside the system, not just the network,” said Ullrich. He recommends that companies encrypt data wherever possible, though he also noted that keeping data at rest encrypted “is one of the hardest things to do correctly.” Data at rest refers to data in persistent storage such as a disk or tape drives.
“There needs to be more focus on data as an asset,” Skoudis said during a Q&A session wrapping up the panel discussion. “And there needs to be an increased focus on privacy and corporate governance both working together.”