Major Security Issues with Cloud Computing Being Ignored
By David Gilbert | February 1, 2013 2:05 AM EST
A security expert believes that organisations aren't even aware of the security problems facing them as they move to the cloud, following the attack on Yahoo last month.
Businesses are completely ignoring a growing problem facing their organisations as cyber criminals look to target increased security flaws as operations move to the cloud.
Cloud computing was one of the buzzwords of 2012, gaining widespread adoption among individuals, SMEs and major corporations all around the world. It is going to make our lives easier while saving us millions of pounds at the same time.
However, one issue which is being ignored by the vast majority of organisation is security, with a Pricewaterhouse Coopers survey from last year showing that more than three quarters of respondents across a range of companies believed cloud computing did not increase their security risk.
A belief shattered by a report published this week by security firm Imperva which highlights just how easy it is for even one of the world's largest online companies to be hacked and have sensitive consumer data stolen.
"More than 75 percent of businesses don't see a problem by moving an application to the cloud. For me this is the big story, this is the big problem," Barry Shteiman sector security strategist with Imperva told IBTimes UK this week.
The Hacker Intelligence Initiative report (PDF) details an attack on online giant Yahoo, which took place in December of last year. It shows just how easy it was for a hacker to breach Yahoo's security as a result of poor security measures which didn't take into account insecure third-party code.
Shteiman believes that companies are not aware that, in the cloud, if you are trading information with another application, especially if it is sensitive customer and financial information, then the other app needs to be as secure as you are.
The attack on Yahoo took advantage of one of the most widespread vulnerabilities on the web, using what is known as a SQL injection attack.
These types of attack see hackers exploit web application vulnerabilities in order to access the organisation's data in an unauthorized manner. It is a relatively unsophisticated type of attack and simply involves typing computer code into the fields of a website form. For example, instead of typing in a credit card number or a last name, a hacker types in some code.
An attack like this, which is all the more common now that organisations are moving services and resources online, is potentially hugely damaging for your company. As well as gaining access to your customer database and their personal details, the attacker could steal the site administrator's password and username, giving them full control of your website.
The hacker may also plant malicious code, known as malware, which would then be automatically downloaded onto the PC of every user who visits the site - known as a drive-by-download attack.
In the Yahoo attack, the hacker didn't target any of the company's own apps, knowing they would be likely to be better protected. Instead he targeted an app called AstroYogi.com, which wasn't created by Yahoo staff or even hosted on Yahoo servers.
Because the code was written by a third party, and Yahoo did not ensure it was secure, the hacker was able to infiltrate Yahoo's database, as Yahoo shared user information with AstroYogi.com.
Shteiman believes this is a huge problem for organisations, who are simply unaware of the problem: "If I have my application and you have your application and we transact with each other the information of our users then you have to maintain the same security level that I do. Because people are not aware of that problem they don't enforce it."
As well as a lack of awareness there is also a lack of regulation a lot of the time because the information being transacted is not credit card numbers or bank details and therefore doesn't come under the scrutiny of anyone in particular.
However emails, passwords, home addresses and phone numbers can be just as valuable to hackers as credit card numbers.
"If you look at application security, anything in security, it is all about awareness. You are looking at a space where companies who have spent millions in security equipment haven't even looked at, or are not focused on, or understand that [moving to the cloud] promotes problems," Sheitman continues.
While Imperva has reverse engineered the attack based on information the Egyptian hacker ViruS_HimA - who claimed responsibility for the attack - released and is "certain" that this was how the attack was carried out, Yahoo continues to say nothing about the attack, having never publically acknowledged it ever took place.
IBTimes UK contacted Yahoo for a comment in relation to this article and the publication of Imperva's report but it declined to comment.
Because Yahoo didn't disclose anything it's impossible to know for sure what information was disclosed during the hack. ViruS_HimA, who carried out the attack is, according to Shteiman, known for hacking into systems in order to show up their vulnerabilities rather than for financial gain.
The refusal to disclose any information about the attack is not going to help Yahoo in terms of its reputation among internet users. Shteiman believes it was not a good idea to deny the attack, causing the company more damage rather than less:
"Look at banks. It makes you trust them, even if you're bank gets breached, you feel scared for a while but if [they] disclose it, come clean and say this happened, you safe now and we can control it, your reputation is intact. In my eyes hacks should always be disclosed, regardless of the company."
With such a viable and constant threat out there, organisation need to take notice and become aware of the problem. Once they do, putting a web application firewall in place is the first step they need to take.
However a firewall is only the first step, with Imperva adding that organisation then need to concentrate on making sure any third-party code they are using is up to the same security standards as their own code and actively test their systems to see how vulnerable they are.
To contact the editor, e-mail: