Understanding cyber attacks, how to avoid them
Syah Ismail
Cyber attack was the phrase on the lips of many Singaporeans this week after the records of 1.5 million patients of Singapore Health Services (SingHealth) were stolen. The 1.5 million patients had visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018. Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, also had their outpatient prescriptions stolen.
The attack follows last year’s Malaysian telco hack, which involved the data of 46 million users. Other recent high-profile cyber attacks include the Time Warner hack, which exposed 4 million subscribers; the Equifax data breach, which affected 143 million records; and the infamous WannaCry ransomware, which halted National Health Service hospitals in England and Scotland as well as major organisations around the world, including Honda, Boeing and FedEx.
How are cyber attacks carried out?
There are many ways to carry out a cyber attack, and hackers are constantly developing more sophisticated ones. However, being aware of at least the most common ones will help cloud developers design more secure solutions.
Malware injection attacks aim to take control of a user’s information in the cloud. To do this, hackers add an infected service implementation module to a SaaS or PaaS solution, or a rogue virtual machine instance to an IaaS solution. If the cloud system is successfully deceived, it redirects the cloud user’s requests to the hacker’s module or instance, which then executes malicious code. The attacker can then manipulate or steal data, or eavesdrop on the user.
Hackers can use cheap cloud services to mount DoS and brute force attacks on target users, companies and even other cloud providers. For instance, in 2010 the security experts Bryan and Anderson staged a DoS attack by exploiting the capacity of Amazon’s EC2 cloud infrastructure, and managed to make their client unavailable on the internet while spending only $6 on rented virtual servers.
An example of a brute force attack was demonstrated by Thomas Roth at the 2011 Black Hat Technical Security Conference. By renting servers from cloud providers, hackers can use powerful cloud capacity to try thousands of possible passwords against a target user’s account.
DoS attacks are designed to overload a system and make its services unavailable to users. They are especially dangerous for cloud computing systems, because flooding even a single cloud server can affect many users. Under high load, a cloud system provides more computational power by starting additional virtual machines and service instances. While trying to cope with the attack, the cloud system therefore makes it more devastating. Eventually the cloud system slows down and legitimate users lose access to their cloud services. In the cloud environment, DDoS attacks may be even more dangerous, since hackers can use more zombie machines to attack a large number of systems.
A side channel attack is mounted by placing a malicious virtual machine on the same physical host as the target virtual machine. During a side channel attack, hackers target the system implementations of cryptographic algorithms rather than the algorithms themselves. This type of threat can be avoided with a secure system design.
A wrapping attack is an example of a man-in-the-middle attack in the cloud environment. Cloud computing is vulnerable to wrapping attacks because cloud users typically connect to services via a web browser. An XML signature is used to protect users’ credentials from unauthorised access, but the signature does not secure the position of the signed element within the document. XML signature element wrapping therefore allows attackers to manipulate an XML document while its signature still verifies.
For example, a vulnerability was found in the SOAP interface of Amazon Elastic Compute Cloud (EC2) in 2009. This weakness allowed attackers to modify an eavesdropped message through a successful signature wrapping attack.
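One defensive check for the position problem described above, written as an added example (not code from the original article or from Amazon): after the cryptographic signature has been verified elsewhere, confirm that the element the signature references is the single Body the application will actually process. The SOAP and XML Signature namespaces are the standard ones; both messages are constructed samples.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the signed Body sits directly under the Envelope.
LEGIT = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}">
  <soap:Header>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
  </soap:Header>
  <soap:Body Id="body"><ReadOnlyOperation/></soap:Body>
</soap:Envelope>"""

# Constructed sample of the shape the article describes: the signed Body has been
# moved into a wrapper inside the Header (so the signature still verifies) and an
# unsigned Body now sits where the application looks for the request.
WRAPPED = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}">
  <soap:Header>
    <Wrapper><soap:Body Id="body"><ReadOnlyOperation/></soap:Body></Wrapper>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>
  </soap:Header>
  <soap:Body><PrivilegedOperation/></soap:Body>
</soap:Envelope>"""


def signed_body_is_processed_body(xml_text: str) -> bool:
    """True only if the element the Signature references is the single Body
    the application will act on. XML Signature guarantees the integrity of
    the referenced element, not its position; this check supplies the latter."""
    root = ET.fromstring(xml_text)
    ref = root.find(f".//{{{DS}}}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return False  # only same-document references are accepted
    signed_id = uri[1:]
    # 1. The referenced Id must occur exactly once in the whole document.
    signed = [el for el in root.iter() if el.get("Id") == signed_id]
    if len(signed) != 1:
        return False
    # 2. Exactly one Body may sit directly under the Envelope.
    bodies = root.findall(f"{{{SOAP}}}Body")
    if len(bodies) != 1:
        return False
    # 3. The signed element must be that very Body object, not a copy elsewhere.
    return signed[0] is bodies[0]
```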
Another cloud-specific variant targets the synchronisation tokens used by cloud storage clients: hackers intercept and reconfigure cloud services by exploiting vulnerabilities in the synchronisation token system, so that at the next synchronisation with the cloud the token is replaced with a new one that gives the attackers access. Users may never know that their accounts have been compromised, as the attacker can restore the original synchronisation token at any time. Moreover, there is a risk that compromised accounts will never be recovered.
An insider attack is initiated by a legitimate user who deliberately violates the security policy. In a cloud environment, the attacker can be a cloud provider administrator or an employee of a client company with extensive privileges. To prevent malicious activity of this type, cloud developers should design secure architectures with different levels of access to cloud services.
Account or service hijacking is achieved by gaining access to a user’s credentials, using techniques ranging from phishing to spyware to cookie poisoning. Once a cloud account has been hijacked, attackers can obtain the user’s personal information or corporate data and compromise cloud computing services. For instance, in 2007 an employee of Salesforce, a SaaS vendor, fell victim to a phishing scam that led to the exposure of all of the company’s client accounts.
Advanced persistent threats (APTs) are attacks that let hackers continuously steal sensitive data stored in the cloud or exploit cloud services without being noticed by legitimate users. The long duration of these attacks lets hackers adapt to the security measures taken against them. Once unauthorised access is established, hackers can move through data centre networks and use their network traffic to carry out malicious activity.
How to ensure the security of cloud-based solutions
The dynamic nature of cloud services breaks the traditional security model used for on-site software. A cloud service provider cannot ensure total security in the cloud on its own; part of the responsibility lies with cloud users. While the best way to protect user data in the cloud is a layered security approach, cloud service providers should implement industry best practices to ensure the highest level of cloud security on their side.
When providing cloud services, software vendors should state the limits of their responsibility for protecting user data and operations in the cloud in their security policies. Inform your clients about what you do to ensure cloud security as well as what security measures they need to take on their side.
Stealing passwords is the most common way to gain access to users’ data and services in the cloud. Cloud developers should therefore implement strong authentication and identity management, and establish multi-factor authentication. Various tools require both a static password and a dynamic one; the latter confirms a user’s identity with a one-time password delivered to a mobile phone, or with biometric schemes or hardware tokens.
To increase the security of services, cloud developers should let cloud users assign role-based permissions to different administrators, so that each user has only the capabilities assigned to them. Moreover, cloud orchestration should enable privileged users to set the scope of other users’ permissions according to their duties within the company.
Data in the cloud environment needs to be encrypted at every stage of its transfer and storage: at the source (on the user’s side), in transit (during transfer from the user to the cloud server) and at rest (when stored in the cloud database).
Data needs to be encrypted even before it goes to the cloud. Modern data encryption and tokenisation technologies are an effective defence against account hijacking. Moreover, it is important to provide end-to-end encryption to protect data in transit against man-in-the-middle attacks. Strong encryption algorithms and salted hashes can effectively deflect cyber attacks. Data stored in the cloud is also vulnerable to unintentional damage, so you should also ensure it can be recovered by providing a data backup service.
Provide your cloud-based solution with a fully managed intrusion detection system that can detect and report malicious use of cloud services by intruders. Use an intrusion detection system that monitors the network and notifies you about abnormal behaviour by insiders.
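The kind of behavioural rule such a system applies to login attempts, added here as an example (not code from the article or from any IDS product): it reads constructed authentication log lines and flags the burst-of-failures pattern of the rented-cloud brute force attack described earlier, plus the more serious case where a success follows the burst. The log format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (not from any real system). Format:
#   <ISO-8601 time> <FAIL|OK> user=<name> src=<client address>
SAMPLE_LOG = """\
2018-07-20T10:00:01 FAIL user=alice src=203.0.113.7
2018-07-20T10:00:02 FAIL user=alice src=203.0.113.7
2018-07-20T10:00:03 FAIL user=alice src=203.0.113.7
2018-07-20T10:00:04 FAIL user=alice src=203.0.113.7
2018-07-20T10:00:05 FAIL user=alice src=203.0.113.7
2018-07-20T10:00:06 OK   user=alice src=203.0.113.7
2018-07-20T10:00:10 FAIL user=bob   src=198.51.100.9
2018-07-20T10:05:00 FAIL user=bob   src=198.51.100.9
2018-07-20T10:07:00 OK   user=carol src=192.0.2.44
garbage line the parser must tolerate
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def detect_brute_force(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> list:
    """Return distinct alerts as (kind, src, user) tuples.
    'brute_force': >= threshold failures for one (src, user) inside a sliding window.
    'success_after_burst': a login succeeded while such a burst was still within
    the window, the signature of a guessed password, which needs human follow-up."""
    recent_failures = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, never allowed to stop the monitor
        ts = datetime.fromisoformat(m.group(1))
        result, user, src = m.group(2), m.group(3), m.group(4)
        key = (src, user)
        # forget failures that have aged out of the window
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        if result == "FAIL":
            recent_failures[key].append(ts)
            kind = "brute_force" if len(recent_failures[key]) >= threshold else None
        else:
            kind = "success_after_burst" if len(recent_failures[key]) >= threshold else None
        if kind and (kind, src, user) not in alerts:
            alerts.append((kind, src, user))
    return alerts
```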
Cloud developers should make sure that clients can access the application only through secure APIs. This might require limiting the range of permitted IP addresses or allowing access only through corporate networks or VPNs. However, this approach can be difficult to implement for public-facing applications, so you can instead enforce security protection at the API using dedicated scripts, templates and recipes, or go further and build security protection into the API itself.
Limiting access to cloud services is necessary to prevent attackers from gaining unauthorised access to a user’s operations and data through weaknesses in those services. When designing cloud service architecture, minimise event handler permissions to only those necessary for executing specific operations. Moreover, you can restrict security decisions to only those cloud services that users trust to manage their data security.
Cloud computing is extremely popular among users due to its many advantages. However, it also introduces vulnerabilities that can become new vectors for cyber attacks. By understanding how cybercriminals attack cloud computing, cloud developers can better protect their products.
Existing G Suite customers should implement the security features available to them to keep their organisations safe from cyber attacks. Prospective customers can also talk to our cloud consultants to learn more about the security measures that can be deployed for their businesses.