The interesting part about all of this is that the threat actor behind the attack is supposed to be an APT (Advanced Persistent Threat). Looking at the big picture, one would expect an APT to have patched all systems after obtaining access in order to prevent other APTs from conducting similar attacks. Being discovered this late into a hack may be an indicator of greed or laziness on the part of the attackers.
When it comes to securing data in a cloud environment, the responsibility for security can be a bit cloudy. While cloud providers do clearly state who is responsible depending on the level of service, ultimately the responsibility should be shared by all parties involved. Whether data is in storage, in transfer, or being processed, data security should be managed with a holistic approach, with the understanding that safeguarding sensitive data is a primary function, not a secondary afterthought.
In a recent conversation with AWS-certified Bruce Elgort, the line of thinking that the auditing tools provided by Amazon are sufficient came up. This train of thought puts the responsibility on the team configuring the S3 buckets, shifting responsibility for risk away from the vendor. A point was raised in response, suggesting that it may be the governing body's responsibility to safeguard the data of its citizens.
Looking at the bigger picture, many different parties share different parts of the responsibilities being discussed here. In cybersecurity it is well known that compliance drives spending on regulatory controls; however, compliance and security do not necessarily go in tandem, and achieving one does not guarantee the other. Ultimately, the business sector dictates which compliance standards are applied. Is it possible that more regulation is needed for cloud vendors?
BYON: The Next Big Security Risk
Bring Your Own Networking (BYON) appears to be the newest “Bring Your Own” fad given the drastic increase in remote work. When one looks around, there is not a lot of information out there. That is no wonder considering how similar BYON and BYOD (Bring Your Own Device) are. Both can boost productivity, cut costs, and spread the need for network resources out to include outside networks. Just as BYOD has its own unique challenges, so does BYON. NIST SP 800-124, section 2.2.3 indicates that “…organizations should plan their mobile device security on the assumption that the networks between the mobile device and the organization cannot be trusted.”
Through PT Network Attack Discovery, Positive Technologies disclosed that 97% of sample networks showed suspicious activities and 94% of networks were out of compliance with IS policies.
BYON can expose an enterprise network to risks that it would not face otherwise. Let’s go over an example of one situation a company could face. Employees are working from home and can connect to corporate resources using multiple connections. This could be a home broadband network, a company VPN connection, or a mobile hotspot. What this allows an employee to do is work in three different realms at once. While this allows for greater productivity, Michael Tucker believes that it may be exposing companies to new risks. An employee can open a document on one connection, work with a database on another connection, and be manipulating cloud data on the third. The problem with this scenario is that external networks with limited controls are difficult to secure.
When multiple connections are in use, a security incident is more likely if network traffic and computing resources are not properly secured. Imagine an employee or vendor downloading confidential data over an insecure network. There is a possibility that someone unauthorized is listening to the traffic and could steal or alter the data in transit. The corporate network is also more susceptible to viruses and malware that might be contracted during communications on an external network. This could spread the malware from devices connected to the unsecured network to the enterprise network itself.