April 27, 2024

The story about hacked clouds.

Chances are, you already use a cloud technology as an integral part of your business and you likely didn’t read the fine print on the lengthy software service agreement, especially the part on how they’re not liable for a cybersecurity breach. 

Over the past decade, we’ve seen a huge sales drive to push everyone and everything into ‘The Cloud’. The sales term is a wrapper for shared server technology that has existed since the late ’90s. The relatively recent incursions by Amazon and Microsoft into hosting these shared servers have brought a lot of development to this technology, but most of it has been focused on administration tools and virtualization, which made it more feasible and quicker to set up. But the premise has not changed.

The best way to explain ‘The Cloud’ is to compare it to ride-share services like Uber and Car-To-Go versus owning, leasing, or financing your own car. There is a time and a place for it, and we at UTS utilize many different cloud offerings with nearly all of our clients, but they are not the cure-all solution that some make them out to be. Some cloud solutions, due to economies of scale, are a no-brainer for virtually every business out there. However, many other offerings, such as server-less networks, are often pushed by commissioned salespeople who either do not understand or do not disclose the inherent and significant security risks that come alongside their proposals. As such, and with increasing frequency, we’re coming across technology industry articles documenting the successful hacking and exploitation of security vulnerabilities within these environments. Yet we find that the average business owner falsely believes that the cloud is the best solution to address data security.

The most obvious point of vulnerability is the fact that anything stored in the cloud is automatically accessed by hundreds or thousands of system administrators who work for the multinational corporations that host that environment. There are no robots or magical AI that manage this stuff – at the end of the scripts and automation that do the routine work, there are warehouses full of nerds, mostly in India, Pakistan, Ireland and, up until very recently, Russia, who have full administrative rights to the servers that hold your data. (The Russians, by the way, are still there. They just packed up their laptops and relocated elsewhere to avoid the embargoes – I personally know a few of them.)

A close friend of mine, working in the US, is employed by a company you’ve probably never heard of, which manages millions of cloud accounts. He shared with me that, as part of his duties, he daily opens and reviews customer files when these are flagged by their AI scanning software for malicious or illegal content. He has no effective oversight, and the company he works for has legal language buried within their terms of service agreement enabling him to open whatever customer data he wants. He is a senior-level administrator and one of the most honest people that I know, but company-wide, there are hundreds of people with his level of access. Similarly, friends working at Facebook have disclosed that there are no controls whatsoever and that FB employees in many departments have full access to Messenger and all of its contents, whereas we’ve seen medical facilities that used this messenger to regularly send HIPAA-protected ePHI between employees of their office. I am actually amazed by how well this social experiment has worked, given the alarmingly low (or non-existent) levels of oversight that administrators are entrusted with at these large corporations.

But the reality is that criminal operators on the Dark Web pay a lot of money for stolen data. Many American banks will issue lines of credit on nothing more than a name, address, and a SS number. Stored credit card information is another obvious target. But more nefariously than that, corporate espionage is very real! What if your competitor knew how much you pay your key employees and how to contact them? What if they knew who your vendors and customers were and what your profit margins are? What if they discovered that ‘gray area’ deduction that you took on your business taxes? We don’t hear about much of this stuff because we’ve become numb to stolen identities and credit cards, and because the perpetrators who steal the data are technical enough to cover their tracks and melt into the anonymity afforded by the fact that a hundred of their co-workers could technically have been responsible for their misdeed. Meanwhile, the victims are often ashamed and sweep these incidents under the rug. So by trading your IT guy, or a local service firm with a dozen nerds whom you know personally, for a half-baked server-less cloud solution, you’ve just put all of your data in front of hundreds, thousands, or maybe tens of thousands of nerds who don’t know you from Adam. And this kind of anonymity is a key factor that enables the negative sides of human nature.

The second point of vulnerability is that by placing all of your eggs into a common basket with others, your data becomes much more of a target: a hacker who finds a way into that system gains access to your records along with those of the hundreds or thousands of entities hosted within that cluster. Examples of cloud systems being breached are plentiful and increasing in frequency as more businesses blindly trust the cloud as if it were the answer to all of their regulatory compliance and data security needs.

On May 9th, 2022, a cloud environment datacenter hosted by HawkSoft Online was the subject of a massive ransomware attack [1]. The hosted cloud services had to be taken offline and completely restored from backup. It is unclear how far back the backup rolled the data, but it took 5 days for customer connectivity to be restored. In 21 years of providing business computer support, UTS has never had a supported customer that was down for more than 6 business hours, nor have we had a supported customer undergo more than 1 business day of complete data loss – and both of those were extreme ‘perfect storm’ events.

Facebook was breached sometime before August 2019 but decided not to notify over 530 million of its users that their personal data had been stolen—and shortly after that, posted to a public database—until April of 2021 [2]. If a data giant like Facebook can have an event like this, do you believe that AWS or Azure are really bulletproof?

According to U.S. government officials, a Russian hacker team called Sunburst, working with the Russian government, targeted a widely used Microsoft cloud service that synchronizes user identities. The hackers stole security certificates to create their own identities, which allowed them to bypass safeguards such as multifactor authentication and gain access to Office 365 accounts, impacting thousands of users at the affected companies and government agencies [3]. Remember when you got that suspicious email from someone you knew, asking you to open the attachment or click on a link? Yea – good chance it was from this attack. And because they have no way to identify all of the accounts that were compromised back then, the fallout is still being felt to this day.

The third, and what should be the most obvious, point of vulnerability is your PC – the one you use to access the cloud. To save costs and make their cloud offerings more cost-competitive, we see a lot of the aforementioned salespeople pitch cloud solutions that remove the in-office central security authority. As a result, password and access management for the PCs cannot be enforced by your IT provider, and users are free to use whatever silly passwords they choose. Furthermore, with the new wave of WFH and cloud accessibility, more and more of these end-user PCs are going home, where in most cases they are also used for non-business personal purposes like video games, social media, movies, and yes – porn. Combined with the lack of quality password enforcement, these PCs become a magnet for an access breach, and if a hacker gains control of such a PC, it does not take much for them to snoop into your cloud through it. We see this a lot when performing security evaluations for non-clients, and when we explain the risks, their questions lead us to believe that they were told that by just being in the cloud, they were magically immune to a data breach. By that time, they are usually locked into a multi-year contract and are facing significant reinvestments into their in-house infrastructure, which in most cases far exceed the savings they anticipated from taking their data into the cloud.

The technical writers at Forbes agree with our assessment:

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network. Furthermore, the explosion of various online tools, solutions, and services for collaboration and productivity tend to have the bare minimum of security default setting, and updates from third-party vendors can change security preferences and be easily overlooked.

https://www.forbes.com/sites/hillennevins/2021/05/19/new-dangers-of-working-from-home-cybersecurity-risks/?sh=1a7a57d822fb

  1. HawkSoft Online Ransomware attack article.
  2. NPR Facebook data breach article.
  3. https://foreignpolicy.com/2021/05/24/cybersecurity-cyberattack-russia-hackers-cloud-sunburst-microsoft-office-365-data-leak/
