Early-adopter criminals embrace cloud computing

The adoption of cloud computing by cybercriminals is proof the technology is viable and here to stay, according to a security expert
Written by Toby Wolpe, Contributor on

Executives unsure of the viability of cloud computing need look no further than the criminal fraternity for a ringing endorsement of the technology, according to a security expert.

Cloud computing has been enthusiastically taken up by criminals for a range of activities, Rik Ferguson, senior security adviser at security firm Trend Micro, told delegates at a Westminster eForum on Wednesday.

"One of the things that persuades me personally that the cloud is absolutely a viable model and has longevity is that it has already been adopted by criminals," Ferguson said. "They are the people who are leading-edge adopters of technology that is going to work and going to stick around for a long time.

"We already see customers of Google, customers of Amazon, who are criminals and who use those services, among others, to run command-and-control services for botnets, to launch spam campaigns and to host phishing websites. They see the power, the scalability, the availability and, for them, the anonymity that is possible through cloud services and they are using it to its fullest extent."

Ferguson told ZDNet UK that this development was part of a shift in the criminal methodology. "Even 12 months ago it was true to say that, if you had a number of PCs in your organisation going to twitter.com/profilename several times a day, that was not a security concern unless you were blocking social networks. But that kind of stuff is now no longer necessarily normal. It could be an indicator of malicious behaviour," he said.

This change in approach must be met with an alteration in the way organisations detect suspicious activities, according to Ferguson. "We have to change our security policies to take account of the fact that criminals are trying very hard to lose themselves and their activities in the general white noise of the internet," he said.

"You used to say, 'Right, I'm going to look for IRC [internet relay chat] outbound from my network because that's definitely suspicious. I'm going to block access to all the known command-and-control IP addresses for botnets because I don't want them to be able to phone home'," Ferguson added.

"But now that criminals are moving into cloud services, what are you going to do? Block EC2 [Amazon Elastic Compute Cloud]? It becomes very much more difficult and I think that is an area that security companies and security professionals need to focus on."

He said organisations need to rethink their security models, which have traditionally been "outside-in" and focused on stopping intruders entering networks. "When we become consumers of cloud we have to change the way we think and focus on inside-out security," he said.

Ferguson recommended that in an age of mobility, virtualisation and cloud, firms should focus on the core. "Start with your data and make sure your data is secure, wherever it is, and then make sure the systems handling the data are self-defending wherever they are," he said.

Editorial standards