Season 1 Episode 5: The so-called cloud and what it means for cybersecurity
Bastien: The cloud was originally created as a marketing term to get people to move their IT equipment from their offices and into someone else’s office. A larger office with air conditioning, electrical systems, shared internet systems, and fantastic cost savings. A whole new industry was spawned. People believed that this new industry was more secure and safer. There was an initial period when people were distrusting of the cloud, but it eventually got accepted as this cheaper, safer alternative to having the servers at your office.
What people don’t realise is that because you can access the cloud from everywhere, the way that we go and attack these systems is very different. It’s super hard for us to go in through the front door of a cloud provider like AWS and hack through the firewall. What’s a lot easier is to go and breach the individuals who have legitimate access to that cloud. You can find out that person’s email address, some passwords that they may have used online, check the darknet, gather a library of potential systems they might be using to gain access to that cloud environment. Once we have that access the person usually doesn’t know that we have access. So we can go ahead and access emails, pictures, backups, financial records – everything. People don’t adequately protect themselves or their identity from people like us. It allows us to gain access to these cloud systems no matter how well set up they are.
As an example of how well set up they are, Microsoft takes security very seriously. If you put a server on the internet and you patch it with the latest security updates, a fully patched Windows box put on the internet with no firewalls in front of it will be owned in eleven minutes! In that short time we’ll have access to the operating system, to the camera and mailing systems, everything. Anything that you do on that computer we can see, we can behave like you, and take control of it. It’s not a good state to be in.
It shows how important these other systems that create control stacks are, or things that protect from evil entities gaining control or owning an operating system. The cloud does have all these systems in play, but all of them are negated if we gain control of your username, password, security questions, and even your two factor authentication code. Really make sure the answers to those questions aren’t out there on the web.
The reason why people think it’s safe is the same reason that they are usually leaving themselves exposed. About five hundred celebrity nude photos were leaked from their iCloud accounts. Now iCloud is usually a secure environment; a lot of intelligent people are working on the security to protect your data and information. What the attackers did was they used targeted brute force, targeted phishing campaigns, and phone calls to guess the questions and take control of email accounts. Essentially to steal the identities of individuals and then gain access to their cloud accounts, and then they distributed all these nude photos of the celebrities. That’s a good example of how people perceive the cloud environment as safe, but by losing control of your identity or your passwords, you can access these environments from anywhere in the world with a phone or a laptop. It puts you at a higher risk level and definitely gives more people access to your systems if they get control of your identity.
We have Fergus Brooks, former head of cybersecurity for AON Insurance with us and David Kaplan, principal cyber consultant from Amazon Web Services. David, during the series we’ve been talking a lot about how cyber attacks have been increasing and becoming more professional and organised. Are you seeing data on that at Amazon?
David: Yes, that is a sad reality. For example, a fully patched Windows system on the internet will be owned by some automated scanning tool within minutes. The internet is a scary, dangerous place. There is automated scanning happening constantly and any vulnerable system will be attacked instantly.
Bastien: The statistics are amazing on that. If you’ve ever just looked at the logs on your own personal home firewall you’d be amazed to see how many attacks and scams are being propagated against your own home.
David: If you survive on the internet, which clearly many organisations do, you’re constantly dealing with that. So yes, there are more and more attacks, but what’s more interesting is that the attacks are becoming smarter. Way back in the day it was literally people hacking for fun. The internet punk defacing websites and that kind of thing. Now it’s very much about stealing money or intellectual property. The statistics here are frightening, and even the run of the mill scam where an email server gets compromised or a forged email goes to the CFO of the company, in the US alone, lost $1.5 billion. That’s just at corporate level and this happens all the time to people at home.
It happened to my dad, the bank rang him up saying they received an email requesting them to pay $40,000 to this other account. I ran an incident response on my dad’s computer and someone had hacked his webmail, I’m sure it was an automated attack. They had found a previously sent email to the bank and rewrote it, ever so slightly changing it. His arrangement with the bank is that if he makes a transfer they then have a secondary authentication where they ring him up to confirm the transfer.
Bastien: We hear about all these amazing automated tools that help us protect our networks, but those tools can be used to attack networks as well. To scan huge swathes of data, such as emails in an email storage system to look for things like emails going out to a bank, bank transfers, and looking for opportunities for wire fraud or whatever it may be. Is that one of the reasons you think we’re seeing a big increase of attacks, because criminals are starting to automate their own processes?
David: Absolutely no doubt, and there’s no hiding from it. There’s a massive industry for organisations that literally write hacking tools and banking trojan software. You go to the dark web or some bad place on the internet and you buy a kit that enables you to do a spear phishing campaign, and you literally just type in who you want to spear phish and it will send emails to companies and individuals. The bad guys don’t even have to be that technically capable, they go and buy a SaaS hacking capability. The goal here is pretty much as I said before, money or it’s intellectual property.
Bastien: It’s quite creative too, some of the attacks we’re seeing now are using things like looking at cookies that are currently within the browser environment of an individual to explore their interests and send them a targeted spear phishing attack offering them a discount on those specific interests. They’re becoming that specific because the automated tools are becoming smarter and smarter everyday, allowing them to really tailor the attacks. It’s frightening, clever, and becoming harder to detect.
David: People sometimes are their own worst enemies. Just look at someone’s Facebook, LinkedIn or Instagram profiles and their likes. I’ve got young kids, one of them just got a phone and set up Instagram and made his account public. I had to tell him to make it private and just share with friends. But he didn’t know, he only knows that there is this thing called Instagram and he wants to share photos. There is a lot of information out there, and it’s very much everyone’s responsibility to protect themselves. But it’s hard, I’ve been doing this for twenty-four years and every single day of my life I’m learning new and different things about security and how to defend organisations.
Bastien: In CTRL Group we have a red team and they are attacking and breaching organisations as they are paid to do so ethically. We also have a blue team that is trying to come up with technologies, processes, ideas, and policies to stop these things from happening. Are there any technologies at the moment that AWS is working on that could end the red team reign? Something like quantum computing or the implementation of end-to-end blockchain?
David: Some of the things that are generally available now include AWS GuardDuty, a service that is effectively an intrusion detection system for the cloud. Super easy to use and operate, you don’t need to have specific security staff. You switch it on and know all your environments and it’ll tell you if someone’s trying to break into your system.
Bastien: I’ll play devil’s advocate here. So you have GuardDuty turned on but I’ve managed to jump onto an on-premise environment in an office and installed a keylogger and I have complete access to the terminals, the IP, the user. I can probably interject two factor authentication and mimic the person’s behaviour. How would GuardDuty stop that?
David: So GuardDuty wouldn’t because what would actually stop that is good security processes. The thing with security is that it’s the vector. The red team people are always looking for the weakest link. Even in physical security people aren’t going to try and break into your big front door, they’re going to sneak around the back and look for the unlocked door or window that hasn’t got bars on it. Security is very much about the weakest link, that’s true of cloud and on-premise physical security.
One of the most important things about achieving a better security posture is actually testing. A lot of what I do for my customers is run incident response game days. It’s heaps of fun but it’s super valuable too. What you have even in a small organisation is multiple people with multiple bits of responsibility. This concept of testing security starts with the mindset that someone is going to be able to break in, so how are you going to respond to it? So on incident response game day we sit with the organisation and meet all the people responsible for security. When it’s really fun we let synthetic or semi-real attacks out in the organisation and work with the various teams to detect and respond. At what point do you call in a third party incident response specialist, or escalate to the vendor? AWS has a security team and when our customers have a bad day they call us and we do everything we can to help them remediate.
Bastien: We call them threat simulation days, but I really like the way you call them incident response game days. They are a lot of fun and it’s interesting to see organisations go from the first one, running around not knowing what to do, as opposed to a mature organisation knowing how to detect and take actions.
David: When you think about the top end of town such as regulated entities in the commercial sector, say banks that are APRA regulated, in the government space it’s the Australian Signals Directorate and government organisations need to meet the requirements of the information security manual. When a bank goes to APRA they have to demonstrate how they are managing and if they understand the risk that they are presenting. That goes down to what their governance processes are, how they are proactively testing their security, how they can validate their best practices to us across their entire environment.
Bastien: It’s funny you mentioned the top end of town in Australia, a recent report by Rapid7 indicated that within the average ASX 200 companies there were 29 servers and devices with exposed vulnerabilities, some as many as 200-300 systems and devices exposed. It’s hard sometimes to say to an SME that they need to take security seriously when those kinds of statistics are available from ASX listed companies.
David: It’s easier to get security wrong, so an organisation like Rapid7 produces fine tools for assessing these kinds of things. It’s not hard to scan your environment, but is it hard to patch all your servers? It clearly is, because no one is getting it right. That’s why I’m excited about how my customers can architect solutions which don’t have operating systems which need to be patched.
Bastien: There’s obviously so many technologies out there and it’s frustrating from your point of view because you can see all these services that are available to businesses and the take up is maybe not as fast as it should be. In the case of something as simple as a phishing attack, Rapid7 reported that in 67% of the cases there were no anti-phishing defences. Something as simple as setting up a DMARC record.
David: It’s another thing where you need to defend yourself against phishing with technical controls as well as educating your employees. I’m sure I got done by a PayPal phishing attack 15 years ago. A week later I got an email that looked solidly like PayPal saying my password needed to be changed. I had a backup mechanism where there was no money in the account or linked credit card. But it’s hard if you’re a non-security person, it’s really hard to train people to not fall for phishing attacks. The overall mantra is: keep the people away from the data, keep the people away from the systems, and use automation. People are scarce resources and they’re expensive. When you can get good security people, which isn’t easy, use them to do good interesting stuff. Get them to think hard about how to secure a system and then automate that process. Then they can go and spend time working out ways to keep attackers out.
Bastien: Overall the cloud has been a hugely positive step in the right direction for businesses to be able to easily scale and create these amazing ecosystems of services and products that they can rapidly get out to the community. The cloud providers for the most part have done an amazing job of providing intelligent and easy to use security products that are baked into it from the start. The message is: educate yourself about the cloud platforms that you’re using and understand the security features that these platforms offer and utilise them. Be sensible about the way you use them and understand your rights. Make sure that you understand the shared responsibility model and that you think about security from day one rather than bolting it on.
Apart from that, go out and build your amazing businesses!