Originally seen on: TechTarget
Cloud cryptomining as a service is a security risk to users. Expert Frank Siemons discusses cloud mining service providers and what to look out for if you use one.
One of the more interesting news stories over the last year has been the rise — and, currently, the fall of cryptocurrencies.
Bitcoin is the best-known variety, but other cryptocurrencies, such as Litecoin, Ripple and Ethereum, also saw dramatic increases in their worth during 2017. While some of this value dropped off in the first few weeks of 2018, there exists significant value in these currencies.
These virtual coins or their transactions can be mined for a fee, though some coin varieties are more profitable than others. Bitcoin, for instance, has passed the stage where mining at home returns a profit. The complexity and the mining workload have increased so much that the generated electricity costs far outweigh the value of the mined coins.
To avoid individual initial setup costs and to benefit from some of the efficiency increases that large specialized clusters bring, prospective miners can sign up with a cloud mining service provider.
Cloud mining service providers
The main benefit cloud cryptomining providers offer is their economy of scale. Primarily, these providers operate large data centers filled with specialized mining rigs. Everything from purpose-built hardware and software to power consumption is built around gaining maximum efficiency for cryptomining operations.
This significant investment has already been made, and the customer rents a small part of the processing power — expressed in mega or giga hashes per second — based on their expectancy that the currency will be at a certain price point during the rental period.
Security concerns for cloud cryptomining
The mined virtual coins need to be stored in a digital wallet eventually. Home miners are advised to store this wallet on an encrypted offline medium, such as a detachable USB drive, or to use a secure online digital wallet service.
However, both options carry the risk of losing the stored cryptocurrency. This could be due to the theft or loss of the USB drive, a compromised computer, or a hack or bug within a digital wallet service, for instance.
A cloud cryptomining provider is not bound by the same regulations as a traditional bank. This lack of regulation brings with it significant risk. The providers potentially hold a significant amount of value in the form of virtual money, which makes them an attractive target for cybercriminals.
Some research into where data centers are located and under which jurisdiction they fall is fundamental. After all, technically these data centers could hold a significant investment in their virtual vault. Even physical security is an essential factor to consider.
Because cloud cryptomining services depend on distributed networks and require access to the internet, fully air-gapped storage is not possible in a cloud system. This opens up an entry point for external attackers, which is what the NiceHash hackers exploited when they stole an estimated $64 million worth of bitcoin in 2017.
The attackers gained access to a corporate machine through an engineer’s VPN account and started making transactions via NiceHash’s payment system. This simply could not have happened if an offline wallet was used, as is often the case in smaller, individual setups.
Of course, attacks do not need to come from the outside. When relying on a company that is located in another country, the risk of internal fraud is high because it is handling a large amount of money without the protection of banking regulations. Several cases have been reported where either a staff member ran off with a significant amount of virtual currency or the entire cloud mining company was based on a scam.
Several provider comparison sites exist that discuss the reputations of cloud cryptomining companies. It is also advised to check online forums and social media channels before committing to any investment. Research is critical.
Where there is money, there is crime. The substantial increase in cryptocurrency investments and their meteoric rise in value over the recent months have paved the way for many scams and breaches that are traditionally linked to banks and investment schemes.
Does this mean cloud cryptomining is always unsafe? It does not, but it is essential to look at the providers with at least the same amount of scrutiny as one would use when looking at a more traditional investment firm.
Probably even more scrutiny should be applied because of the lack of proper regulation at this point. As always, technology has outpaced policy.
Originally seen: December 2017 on Tech Target
Cloud environments are no less susceptible to ransomware than other environments. However, they have properties that can make response and preparedness different. For example, they might employ different notification and communications channels, they might involve different personnel, and there may be a different control set in use. It can behoove organizations to think through ransomware in the cloud the same way they prepare for ransomware for internal systems and applications.
Ransomware in the cloud
Using an infrastructure as a service (IaaS) platform gives the cloud customer more visibility into the underlying OS than other cloud models, but this, in turn, means that issues, like patching — particularly in the case of legacy or special purpose systems — are just as complex as in other environments, and therefore may take longer than one might like.
The issue is that an IaaS environment might be susceptible to ransomware. What is different with IaaS, though, is how the organization discovers the ransomware, how it responds and how it protects against the threat. As a practical matter, different personnel are often responsible for direct oversight of IaaS workloads compared to other technology.
For example, cloud is conducive to shadow IT. It can be hard for enterprise security teams to identify and manage shadow cloud applications used by employees and lines of business across an organization. Will a development team, business team or other non-IT organization plan for — and be ready to remediate — ransomware in the cloud to the same extent as the technology organization?
Even if shadow IT isn’t a factor for an organization, initial notification of a ransomware event might come through a different channel than expected. For example, notifications could come from a relationship manager for larger deployments; a defined escalation channel with the service provider, which might be a business team; or through a provider-maintained service portal.
Also, keep in mind that both the resolution and implementation of specific countermeasures might need to be done through different channels. As an example, if a key activity in response to a rapidly proliferating ransomware, like WannaCry, is to proactively patch, the manner in which you affect this might vary for the cloud — an enterprise might need to schedule a maintenance window with its provider, for instance.
Aside from IaaS, other cloud models can be impacted, as well. Even SaaS isn’t immune — consider storage such as Dropbox, Google Drive, etc. Typically, these services work by syncing local files to the cloud; for a small organization, this might constitute its primary storage, backup or data sharing mechanism. What happens when the local files are encrypted, deleted, overwritten with garbage or otherwise compromised by ransomware? Those changes will be synced to the cloud.
Mitigation strategies for cloud ransomware
What can organizations do to prepare for ransomware in a cloud environment? There are a few things that can make response significantly easier. Probably the most effective thing organizations can do — for both cloud environments and for any other environment — is to specifically exercise response and escalation procedures.
For example, a tabletop exercise can be very helpful in this regard. A tabletop exercise defuses the primary question: will you pay the ransom? Invariably, someone will suggest paying it regardless of law enforcement and others arguing against it — discussing this specifically ahead of time helps clarify pros and cons when adrenaline levels aren’t off the charts.
Secondly, working through alert and response scenarios ahead of time means you get answers to key questions: how will you be notified of an event? Who will be notified, and what notification pathways correspond to specific cloud relationships? Also, what is required to take responsive action in each of those channels?
It’s also a useful idea to undertake a systematic risk assessment specifically for ransomware. You might, for example, look at backup and response processes to ensure that, should data be specifically targeted by ransomware that seeks to render it inaccessible, the organization has thought through protection and recovery strategies at the technical level.
For an IaaS relationship, think through and test backup and response services that service providers might offer, technical controls that they offer and the countermeasures the organization already employs. This level of risk analysis is probably already done for the enterprise as a whole, but you should take measures to specifically extend that to cloud relationships. This can be somewhat time-consuming for organizations that have numerous service provider relationships in place, but this effort can be folded into a broader activity that has value beyond just ransomware — for example, malware mitigation more generally, data gathering about cloud relationships, threat modeling, cloud governance or other activities that involve the systematic analysis of cloud relationships.
The arguably harder situation in the event of ransomware in the cloud is the intersection of SaaS and smaller organizations — specifically, the possibility of corruption of cloud storage through synchronization of ransomware-impacted files to a remote storage repository. Specific measures to prevent this are available, such as keeping a manually synced or time-initiated mirror of data at another repository, assuming that the volume in question isn’t such that this is prohibitively expensive.
Alternatively, backup solutions that keep prior iterations of data can provide a means of recovery even if the primary storage location is compromised. Regardless of what method an organization employs, though, the most important thing is to think through it in advance and view protection measures critically.
Chime in and let us know what you are doing to stay proactive.
Article By: Rob Shapland of First Base Technologies LLP
The Cloud Security Alliance recently released its 2017 report on “The Treacherous 12,” a detailed list of the most significant cloud security threats. The list was compiled by surveying industry experts and combining the results with risk analysis to determine the threats that are most prevalent to organizations storing data in the cloud.
An interesting observation is how similar cloud security threats are to the risks of storing data anywhere else. The data in the cloud is still stored in a data center, and it can still be accessed by hackers via many of the same methods they have always used, such as email phishing, weak passwords and a lack of multifactor authentication.
There seems to be a general opinion among many organizations that storing your data in the cloud — specifically in infrastructure as a service — outsources the security completely, with an almost out of sight, out of mind attitude. However, as cloud service providers will point out, there is a shared responsibility model that means although the cloud provider may be in charge of the underlying infrastructure, your organization is responsible for the security of the applications and data that reside on that hardware.
The top cloud security threats
The key cloud security threats worth highlighting from “The Treacherous 12” report are the insider threat, the risk of data loss and insufficient due diligence. They demonstrate the casual attitude many organizations have about the use and management of cloud services.
There are many cases where organizations use cloud services as a way of bypassing what is seen as an overly restrictive IT department, whereas, in reality, the IT team is trying to protect the data. By bypassing the IT team and signing up for cloud services without their consent, the business can think it’s becoming more agile in its approach, but, in reality, it is circumventing restrictions that were designed to reduce the risk of a data breach.
There are many different SaaS providers offering tools and services to organizations with slick marketing and promises of positive ROI. However, the due diligence that is done on these services is lacking, which may be surprising.
For example, if your organization outsources its HR data to a small SaaS company, performing security due diligence on it should be a key prerequisite. That company may spend only a fraction of what your organization spends on security, and it may be a very attractive target for hackers because of the data it stores. Your organization’s data may be far more likely to be stolen through that third party.
You also may be reliant on that organization’s backups to prevent data loss; storing critical data on another company’s network leaves your organization at even greater risk. There is also the added risk of insider attacks; the employees of the SaaS company have not been through your vetting procedures, and its processes for monitoring staff may not be as robust as yours.
Overall, the Cloud Security Alliance’s report successfully highlights the key cloud security threats and just how similar those risks are to storing data anywhere else. It provides a timely reminder to ensure that enterprises treat the data they store in the cloud with the same care and attention that it would if it were storing it on premises.
Are you convinced yet? Our MSS services are a proactive and detective service to reduce security risks. Call us today to find out how we can help prevent the inevitable 518-479-3881.