The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. In 2016 CSA released the article ‘Treacherous 12: Top Threats to Cloud Computing + Industry Insights’ to provide readers with a real-world glimpse into what is currently occurring in the security industry. InstaSafe has released a refreshed version of the 2016 article that includes new real-world anecdotes and examples of recent incidents relating to each of the 12 cloud computing threat categories identified in the original paper.
“It’s our hope that these updates will not only provide readers with a more relevant context in which to evaluate the top threats but that the enhanced article will provide them with a real-world glimpse into what is currently occurring in the security industry.”
Vulnerabilities – within an operating system (OS) or an application – can result from:
- Program errors: Whereby an error in the program code may allow a computer virus to access the device and take control
- Intended features: Legitimate, documented ways in which applications are allowed to access the system
If vulnerabilities are known to exist in an operating system or an application – whether those vulnerabilities are intended or not – the software will be open to attack by malicious programs. Attackers can use these vulnerabilities to infiltrate a computer system for the purpose of stealing data, taking control of the system or disrupting service operations. Vulnerabilities within the components of the operating system – kernel, system libraries and application tools – put the security of all services and data at significant risk.
This type of threat is nothing new; bugs have been a problem ever since the invention of computers; they became exploitable remotely when networks were created. With the advent of multitenancy in cloud computing, systems from various organizations are placed in close proximity to each other, and given access to shared memory and resources, creating a new attack surface.
Of course, it’s possible to mitigate the risk: regular vulnerability scanning, following up on reported system threats and installing security patches or upgrades go a long way toward closing the security gaps left open by system vulnerabilities. The risk can also be avoided by designing an OS in a way that prevents new or unknown applications from gaining reasonably broad or complete access to files stored on the disk – or getting access to other applications running on the device. In effect, this type of restriction can boost security by blocking all malicious activity. However, this approach will also impose significant restrictions on legitimate applications – and that can be very undesirable.
4.2 Business Impacts
The impact of unpatched system vulnerabilities on information system security is profound and costly. Fortunately, there are effective and affordable ways to reduce your organisation’s exposure to the more common types of cyber attack on systems that are exposed to the Internet. Operating system vendors acting on information from the threat research community offer free patches, usually within days of announcements of common vulnerabilities and exposures (CVEs).
Organizations that are highly regulated (e.g. government and financial institutions) need to be capable of handling patching quickly and, when possible, in an automatic recurring fashion. Security management must put in place a threat intelligence function to fill the gap between the time a vulnerability is announced (known as ‘0-day’) and the time a patch is provided by the vendor. They should have proper change management processes in order to address the issue by properly handling the threat, such as through elimination, transference, or acceptance, which could also be documented and tracked.
4.3 Anecdotes and Examples
Meltdown and Spectre: the ‘worst ever’ CPU bugs affect virtually everything, from computers to smartphones. Cloud computing is affected by a major security flaw found in Intel and other processors, and the fix could slow devices.
Google and the security researchers it worked with said it was not known whether hackers had already exploited Meltdown or Spectre and that detecting such intrusions would be very difficult as it would not leave any traces in log files.
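Because exploitation would leave nothing in the logs, the practical check is whether each host reports its fixes as active. The following is an added example, not part of the original article: a Python audit of the per-bug status files that Linux kernels expose under /sys/devices/system/cpu/vulnerabilities. The path and status wording come from the Linux kernel rather than from this page, and SAMPLE holds constructed status lines used only when that directory is absent.

```python
import os

# Linux kernels released since early 2018 expose one status file per CPU bug here.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

SAMPLE = {  # constructed status lines in the kernel's format (not from a real host)
    "meltdown": "Mitigation: PTI",
    "spectre_v2": "Vulnerable",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
}


def classify(status):
    """Map a status line to not_affected / mitigated / partial / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s.startswith("Mitigation:"):
        # "...; SMT vulnerable" means a fix is active but residual exposure is reported
        return "partial" if "vulnerable" in s.lower() else "mitigated"
    return "unknown"  # unrecognised wording is flagged rather than assumed safe


def audit(directory=SYSFS_DIR):
    """Return {bug: (state, raw_status)}, or None if the directory does not exist."""
    if not os.path.isdir(directory):
        return None
    report = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), encoding="utf-8", errors="replace") as fh:
            raw = fh.read().strip()
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Bugs whose state is anything other than mitigated or not_affected."""
    return [bug for bug, (state, _) in report.items() if state not in ("mitigated", "not_affected")]


if __name__ == "__main__":
    live = audit()
    report = live or {b: (classify(r), r) for b, r in sorted(SAMPLE.items())}
    print("source:", SYSFS_DIR if live else "constructed SAMPLE")
    for bug, (state, raw) in report.items():
        print(f"{bug:22} {state:13} {raw}")
    print("needs attention:", ", ".join(needs_attention(report)) or "none")
```

Run across a fleet, the "needs attention" list gives the patching and change management process a concrete per-host backlog.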
Separately, Drupal has issued an alert for users to patch a highly critical remote code execution vulnerability within multiple subsystems of Drupal 7.x and 8.x.