by Corey Nachreiner, Chief Technology Officer, WatchGuard Technologies
Cloud technology has had an incredible impact on the business landscape over the last five years. Public Infrastructure-as-a-Service (IaaS) platforms like Amazon's AWS and Microsoft Azure, in particular, are growing at incredible rates, even among small businesses. According to RightScale's 2016 State of the Cloud report, 71 percent of small and medium businesses (SMBs) are running at least one application in AWS or Azure. It's clear that IaaS solutions provide a ton of business opportunities for organizations, especially those without the financial or personnel resources necessary to manage physical network infrastructure.
However, as the public cloud becomes more ingrained in the fabric of everyday business operations, it has also become a serious target for hackers. The question: how safe is it really? With so much valuable customer, financial and healthcare data stored in one place, and managed by a third party, it's easy to see why criminals have begun to focus their efforts on IaaS.
In the past, we've seen threat actors target or infect servers running in public cloud services. For example, there have been cases where hackers take over servers running in Amazon EC2, the virtualized compute portion of Amazon AWS. Remember, servers you spin up in EC2 are no different from servers on your premises. If you leave a port open, without a firewall or access control rules, hackers can attack it in the same way they attack physical servers. To illustrate this, a honeypot organization spun up some fake SSH servers in Amazon EC2 to see whether they'd get targeted. Even without publishing the servers' IP addresses or attaching them to a domain, attackers found the IaaS-based honeypots and started brute-force attacks against them within 10 hours.
We've also seen criminals target IaaS customers through their cloud credentials. An Amazon AWS account is powerful. Customers can spin up an almost endless number of servers, as long as they are willing to pay Amazon for the compute power they use. In 2014, one AWS customer had a very costly AWS credential breach. A criminal obtained his AWS credentials and used their administrative powers to spin up more EC2 server instances, which he used to mine bitcoin. This credential leak (due to the victim accidentally leaving credentials in a GitHub project) almost cost the victim over $5,000 in AWS bills.
In short, without the proper protections, attackers can hack servers in the public cloud just as easily as the ones on your premises. As we move more and more of our data to IaaS servers, you can expect criminal hackers to follow.
IaaS is not only an attractive attack target; it also provides a powerful attack platform. We've seen cybercriminals leveraging these robust virtualization cloud platforms to build their attack infrastructure. For instance, criminals started putting their botnet command and control (C&C) servers in Amazon EC2 shortly after its launch, one example being the Zeus botnet. Despite increased monitoring and security from Amazon, attackers still use AWS infrastructure for attacks.
More recently, a web security company did a study of all the web application attacks launched on the Internet, and found that 20 percent of these attacks came from AWS's IP addresses. This comes as no surprise, since public IaaS services can provide a single individual with far more scalable compute and network power than one person could easily harness on their own. As long as public clouds offer impressive distributed computing capabilities to customers, hackers will search for ways to exploit these powers for evil.
In 2017, I expect to see attackers increasingly leverage public IaaS both as a potential attack surface and as a powerful platform to build their attack networks. It's highly likely there will be at least one headline-generating cyberattack either targeting, or launched from, a public IaaS service next year.
So what can businesses do to protect their IaaS properties from being attacked in 2017?
In short, extend your existing network perimeter security tactics to the public cloud. There are a number of simple best practices I'd recommend to proactively protect your IaaS credentials and business-critical data:
· Properly implement IaaS's existing access controls: IaaS services like AWS and Azure have built-in security tools you can use to protect your cloud servers in the same way you do physical ones. While cloud services don't offer Unified Threat Management (UTM) or Next-generation Firewall (NGFW) services, they do have basic stateful firewalls. At the very least, make sure you firewall your cloud servers, and only expose the network services you really need to.
· Use strong authentication or two-factor authentication (2FA) whenever possible: Passwords are not perfect. They can get stolen, or you might accidentally leave them in a GitHub project, like the victim mentioned above. If you're only using a password to authenticate to your IaaS service, a lost password gives attackers everything they need to take over your account. However, most public clouds offer two-factor authentication (2FA), where you can pair your password with some other authentication token, such as a secure code delivered to your mobile phone. With 2FA enabled, cybercriminals won't be able to access your IaaS account even if they compromise your password.
· Bring your on-prem security to the cloud: Most organizations protect their on-premises servers with UTM and NGFW appliances that combine many different security controls into one easy-to-manage appliance. Luckily, you can now bring these advanced on-premises security solutions to IaaS as well. Search your IaaS marketplace for your favorite security solution and you might find it.
· Check out your IaaS provider's security best practices: Frankly, there are more security tips and practices to protect your cloud servers than I can share in one short article. The good news is your favorite IaaS provider may already have you covered. For instance, AWS users can find a white paper on all of Amazon's best practices in this PDF.
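As an added example (not from the article or from any IaaS provider), here is a small Python audit of the kind of security-group rules the first recommendation is about: it flags ingress rules open to any source address (0.0.0.0/0 or ::/0) unless they expose a single allow-listed port. The input follows the shape of the EC2 DescribeSecurityGroups response; the group data, the sg-* ids and the HTTPS-only allowlist are constructed assumptions for this example.

```python
# Audit EC2 security-group ingress rules for services exposed to the whole Internet.
# Input mirrors the EC2 DescribeSecurityGroups shape (SecurityGroups ->
# IpPermissions -> IpRanges/Ipv6Ranges); the sample data is constructed, not captured.

WORLD = {"0.0.0.0/0", "::/0"}
# Assumption for this example: only HTTPS is meant to be reachable from anywhere.
ALLOWED_PUBLIC_PORTS = {443}

def world_open_rules(group):
    """Return (protocol, from_port, to_port) for rules that admit any source address."""
    rules = []
    for perm in group.get("IpPermissions", []):
        cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
        cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "all traffic": FromPort/ToPort are absent from the response
            rules.append(("all", 0, 65535))
        else:
            rules.append((proto, perm["FromPort"], perm["ToPort"]))
    return rules

def audit(security_groups, allowed=ALLOWED_PUBLIC_PORTS):
    """Map GroupId -> world-open rules that are not a single allow-listed TCP port."""
    report = {}
    for group in security_groups:
        bad = [(p, lo, hi) for p, lo, hi in world_open_rules(group)
               if not (p == "tcp" and lo == hi and lo in allowed)]
        if bad:
            report[group["GroupId"]] = bad
    return report

# Constructed sample: a web tier done right, and an admin box with SSH and
# "all traffic" open to the world, the exposure the honeypots above attracted.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for gid, rules in audit(SAMPLE_GROUPS).items():
        print(gid, rules)
```

The same `audit` function can be fed the `SecurityGroups` list returned by a real describe call, so the check runs identically against live rules and against the constructed sample.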
Business will continue to boom for the IaaS industry. According to the latest market study by International Data Corporation (IDC), worldwide spending on public cloud services is expected to reach upwards of $141 billion by 2019, up from nearly $70 billion last year. With the sustained growth and prevalence of IaaS, organizations need to constantly educate themselves on new ways cybercriminals are leveraging it and focus on effectively extending their network security into the public cloud.
About the Author
Corey Nachreiner is Chief Technology Officer of WatchGuard Technologies.
Recognized as a thought leader in IT security, Nachreiner spearheads WatchGuard's technology vision and direction. Previously, he was the director of strategy and research at WatchGuard. Nachreiner has operated at the frontline of cyber security for 16 years, and for nearly a decade has been evaluating and making accurate predictions about information security trends. As an authority on network security and internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, eWeek, Help Net Security, Information Week and Infosecurity, and delivers WatchGuard's "Daily Security Byte" video on Facebook.