When it comes to enterprise security, the cloud is the ignored dimension, a report from networking vendor Cisco has found.
According to the Cisco 2017 Midyear Cybersecurity Report, the cloud is a whole new frontier for hackers, who are increasingly exploring its potential as an attack vector because cloud systems are often "mission-critical" for organisations.
Hackers, the report explains, also recognise that they can infiltrate connected systems faster by breaching cloud systems.
Since the end of 2016, Cisco said it observed an increase in activity targeting cloud systems, with attacks ranging in sophistication.
In January 2017, the company's researchers observed attackers using brute-force login attempts to work out which breached corporate credentials were still valid. The attackers were building a library of verified corporate user credentials, attempting to log into multiple corporate cloud deployments from servers at 20 suspicious IP addresses, Cisco said.
The report says that OAuth (Open Authorization) -- the protocol that lets a third-party application act on a user's account at a provider such as Facebook or Google without the user handing over their password -- is creating risk as well as serving its intended purpose of connecting cloud applications.
"OAuth risk and poor management of single privileged user accounts create security gaps that adversaries can easily exploit," the report states. "Malicious hackers have already moved to the cloud and are working relentlessly to breach corporate cloud environments."
According to Cisco, some of the largest breaches to date began with the compromise and misuse of a single privileged user account.
"Gaining access to a privileged account can provide hackers with the virtual 'keys to the kingdom' and the ability to carry out widespread theft and inflict significant damage," the report explains. "However, most organisations aren't paying enough attention to this risk."
The average enterprise today has more than 1,000 unique apps in its environment and more than 20,000 different installations of those apps.
Cisco said its threat researchers examined 4,410 privileged user accounts at 495 organisations and found that six in every 100 end users per cloud platform have privileged user accounts, with many organisations having an average of two privileged users that carry out most of the administrative tasks.
As part of good practice, Cisco recommends that administrators pay close attention to the IP addresses used to log in, since those two privileged users typically access the platform from the same handful of IP addresses.
"Activity outside those normal patterns should be investigated," Cisco said.
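The two behaviours described above, credential verification by brute force from a small set of source IPs and privileged-user logins from addresses outside each admin's usual handful, can both be spotted from ordinary authentication logs. The script below is an added example, not code from the Cisco report or from this article: it runs two checks over a constructed login log (the log format, field names, thresholds and IP addresses are all assumptions made for the example). The first check flags a source IP that tries many distinct usernames and mostly fails, and records which usernames did succeed, since those are exactly the "verified" credentials an attacker would keep. The second builds a per-admin baseline of source IPs from an earlier window and flags later admin logins from any address outside it.

```python
"""Cloud-console login review: credential-harvesting sources and off-baseline admin logins."""
import re
from collections import defaultdict

# Constructed sample log, not from any real system. One event per line:
#   <ISO-8601 UTC timestamp> user=<name> src=<ip> result=<success|failure> role=<admin|user>
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
SAMPLE_LOG = """
2017-01-10T08:01:12Z user=alice src=203.0.113.10 result=success role=admin
2017-01-10T08:05:40Z user=bob src=203.0.113.11 result=success role=admin
2017-01-11T09:12:03Z user=alice src=203.0.113.10 result=success role=admin
2017-01-11T17:44:19Z user=bob src=203.0.113.10 result=success role=admin
2017-01-12T08:03:55Z user=alice src=203.0.113.11 result=success role=admin
2017-01-13T08:00:02Z user=carol src=203.0.113.20 result=success role=user
2017-01-16T02:14:07Z user=alice src=198.51.100.7 result=failure role=admin
2017-01-16T02:14:09Z user=bob src=198.51.100.7 result=failure role=admin
2017-01-16T02:14:11Z user=carol src=198.51.100.7 result=failure role=user
2017-01-16T02:14:13Z user=dave src=198.51.100.7 result=failure role=user
2017-01-16T02:14:15Z user=erin src=198.51.100.7 result=success role=user
2017-01-16T02:14:17Z user=frank src=198.51.100.7 result=failure role=user
2017-01-16T02:14:19Z user=grace src=198.51.100.7 result=failure role=user
2017-01-16T09:00:44Z user=alice src=203.0.113.10 result=success role=admin
2017-01-17T03:31:58Z user=bob src=198.51.100.8 result=success role=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) role=(?P<role>\S+)$"
)


def parse_events(text):
    """Parse the assumed log format into a list of dicts; reject malformed lines loudly."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(m.groupdict())
    return events


def find_credential_harvesting(events, min_users=5, min_failure_ratio=0.8):
    """Flag source IPs that try many distinct usernames and mostly fail.

    Returns {src: {"distinct_users", "failure_ratio", "verified"}} where
    "verified" lists usernames whose login from that IP succeeded, i.e. the
    credentials an attacker would add to a library of working accounts.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if e["result"] == "failure")
        ratio = failures / len(evs)
        if len(users) >= min_users and ratio >= min_failure_ratio:
            hits[src] = {
                "distinct_users": len(users),
                "failure_ratio": round(ratio, 2),
                "verified": sorted(e["user"] for e in evs if e["result"] == "success"),
            }
    return hits


def build_admin_baseline(events, baseline_end):
    """Map each admin to the set of source IPs seen in successful logins before baseline_end.

    Timestamps share one fixed-width ISO format, so string comparison orders them correctly.
    """
    baseline = defaultdict(set)
    for e in events:
        if e["role"] == "admin" and e["result"] == "success" and e["ts"] < baseline_end:
            baseline[e["user"]].add(e["src"])
    return dict(baseline)


def find_anomalous_admin_logins(events, baseline, baseline_end):
    """Return (ts, user, src, result) for admin logins at or after baseline_end from unknown IPs.

    Failed attempts are reported too: a failure from a new address is still a lead,
    and a later success from the same address is the event to escalate.
    """
    anomalies = []
    for e in events:
        if e["role"] != "admin" or e["ts"] < baseline_end:
            continue
        if e["src"] not in baseline.get(e["user"], set()):
            anomalies.append((e["ts"], e["user"], e["src"], e["result"]))
    return anomalies


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    cutoff = "2017-01-15T00:00:00Z"  # assumed: first five days form the baseline window
    for src, info in find_credential_harvesting(evs).items():
        print(f"harvesting source {src}: {info}")
    for row in find_anomalous_admin_logins(evs, build_admin_baseline(evs, cutoff), cutoff):
        print("off-baseline admin login:", row)
```

On the sample data the first check flags 198.51.100.7 (seven usernames, six failures) and records that the "erin" credential worked, and the second flags three admin events: the two failed probes from that same address, and a successful login by "bob" from 198.51.100.8, which is the one to investigate first. In production the baseline window should be rolling and much longer than five days, and the check belongs in the SIEM alongside the provider's own sign-in audit feed rather than in a one-off script.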
Cisco also recommends that administrators log out once they have completed their tasks, as open sessions make it easier for unauthorised users to gain access undetected.
The recent phishing campaign that targeted Gmail users and attempted to abuse the OAuth infrastructure underscored the OAuth security risk, Cisco said.
The bogus Docs app used Google's OAuth implementation to request access to the Gmail accounts of targets. If users granted the app access, it sent the same phishing email to the user's contacts.
Google reported that about 0.1 percent of its 1 billion users were affected by the campaign, with Cisco "conservatively" estimating that more than 300,000 corporations were infected by the worm.
As companies look to expand their use of the cloud, Cisco urges them to understand their own role in cloud security: cloud service providers are responsible for the physical, legal, operational, and infrastructure security of the technology they sell, while businesses are responsible for securing their use of those cloud services.
"Applying the same best practices that they use to ensure security in on-premises environments can go a long way toward preventing unauthorised access of cloud systems," Cisco explained.
The company's midyear report covers multiple threat types across many vectors, with Cisco noting its security experts are becoming increasingly concerned about the accelerating pace of change and sophistication in the overall global cyber threat landscape.
Revenue generation is still the top objective of most threat actors, Cisco said, but a growing number are also inclined to lock systems and destroy data as part of their attacks -- simply because they can.
"The breadth and depth of recent ransomware attacks alone demonstrate how adept adversaries are at exploiting security gaps and vulnerabilities across devices and networks for maximum impact," the report says.