Modern Threats Organizations Face in the Cloud
COVID-19 has made remote working the new normal. A recent report from McAfee showed that as more people worked remotely as a result of the COVID-19-induced shelter-in-place order, the use of collaboration cloud services has grown, replacing the now empty office computer desks and conference rooms.
The New Normal
Twitter recently announced that its employees can work from home forever. "The past few months have proven we can make that [work from home setup] work," said Jennifer Christie, Vice President for People at Twitter. "So if our employees are in a role and situation that enables them to work from home and they want to continue to do so forever, we will make that happen."
In Canada, a report from Statistics Canada showed that workers in industries where close contact with others is less necessary tended to do their jobs from home in April of this year, have experienced relatively fewer employment losses since February of this year, and may find it easier to resume full activity by continuing to work from home.
Collaboration Cloud Services Security Risks
As adoption of collaboration cloud services increases, McAfee reported that the number of threats from external actors targeting these services also increases. In the "Cloud Adoption and Risk Report", McAfee reported that from January to April 2020, overall cloud service usage increased by 50% across all industries.
The report also highlighted that for the same period, the use of collaboration cloud services more than doubled, with Zoom (+350%), Microsoft Teams (+300%), and Slack (+200%) seeing some of the largest gains. While Zoom hogged the limelight in recent months, the report showed that Cisco Webex, another collaboration cloud service offering web conferencing and videoconferencing applications, experienced a 600% increase in usage during the same period.
The McAfee report found that from January to April 2020, the number of threats from external actors targeting cloud services increased by 630%, with most of the attacks concentrated on collaboration cloud services. McAfee divides external threats into two categories: excessive usage from anomalous location and suspicious superhuman.
Excessive Usage from Anomalous Location
McAfee defines excessive usage from anomalous location as a login attempt from a location that hasn't been previously detected, followed by the initiation of high-volume data access and/or privileged access activity. Suspicious superhuman, meanwhile, is defined as login attempts from two or more distant locations that are impossible to travel between within the given period of time. For instance, a user attempts to log into Microsoft Office 365 in Singapore and the same user logs into Slack in the U.S. five minutes later.
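The two categories above can be expressed as simple detection rules over login events. The following is an added example, not code from McAfee or from the original article; the thresholds, field names and sample events are assumptions constructed for illustration, and only the high-volume half of the first rule is modelled (privileged access activity is left out).

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0      # assumed: roughly airliner cruise speed
MIN_DISTANCE_KM = 500.0    # assumed: ignore small geolocation jitter
HIGH_VOLUME_OBJECTS = 500  # assumed cut-off for "high-volume data access"

@dataclass
class Event:
    user: str
    service: str
    when: datetime
    country: str
    lat: float
    lon: float
    objects_accessed: int = 0

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events):
    """Return (rule, user, service) alerts, evaluated in time order."""
    alerts, last, seen = [], {}, {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, ev)
            # Suspicious superhuman: distance no traveller could cover in the gap.
            if dist > MIN_DISTANCE_KM and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                alerts.append(("suspicious_superhuman", ev.user, ev.service))
        known = seen.setdefault(ev.user, set())
        # Anomalous location: never-seen country plus high-volume access.
        if known and ev.country not in known and ev.objects_accessed >= HIGH_VOLUME_OBJECTS:
            alerts.append(("anomalous_location_excessive_usage", ev.user, ev.service))
        known.add(ev.country)
        last[ev.user] = ev
    return alerts

# Constructed sample events (not real data).
SAMPLE = [
    Event("alice", "Office 365", datetime(2020, 4, 1, 9, 0), "SG", 1.35, 103.82),
    Event("alice", "Slack", datetime(2020, 4, 1, 9, 5), "US", 40.71, -74.01),
    Event("bob", "Webex", datetime(2020, 4, 1, 9, 0), "CA", 43.65, -79.38, 12),
    Event("bob", "Webex", datetime(2020, 4, 3, 9, 0), "BR", -23.55, -46.63, 2400),
]
```

In practice the first login for a user has no baseline, so the anomalous-location rule only fires once at least one location has been recorded for that account.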
The McAfee report said it derived its data from "aggregated and anonymized" cloud usage data from more than 30 million McAfee MVISION Cloud users worldwide from January to April 2020. Compared to external threats, the report showed that the number of internal threats flatlined. Most of the attacks on the cloud are external, the report said, targeting cloud accounts directly.
Spraying Cloud Accounts
According to the report, the excessive usage from anomalous location and suspicious superhuman events are likely opportunistic "spraying" attacks. In spraying attacks, attackers use past stolen credentials in guessing the correct username and password combination.
Spraying attacks rely on the human weakness of reusing usernames and passwords. Attackers have easy access to these past stolen credentials. In January 2019, a total of 2.2 billion unique usernames and associated passwords were distributed for free on hacker forums and torrent sites.
Reliance on the Traditional Username and Password
Even prior to the onset of the COVID-19 pandemic, many organizations had put in place a safety net in the way workers access corporate cloud services, particularly collaboration cloud services, through a virtual private network (VPN). In today's new normal, the work from home setup has brought about increased usage of VPNs to allow remote workers to access corporate networks and corporate collaboration cloud tools such as Microsoft Office 365.
One of the reasons cited by McAfee in the "Cloud Adoption and Risk Report" for the continued reliance on traditional username and password authentication when accessing collaboration cloud services is the ease of use of this traditional authentication method. "In reality, employees will do whatever is easiest and fastest," McAfee said. "They will turn off their VPN and access applications in the cloud directly."
Cybersecurity Best Practices in Protecting Collaboration Cloud Services
Here are some of the best practices in protecting collaboration cloud services from external threats:
Use multi-factor authentication, an authentication method that grants a user access to a computer or a collaboration cloud service only after the user successfully presents two or more pieces of proof: in addition to the usual username and password, an additional proof is necessary to gain access.
In the blog post "One simple action you can take to prevent 99.9 percent of attacks on your accounts", Melanie Maynes, Senior Product Marketing Manager, Microsoft Security, said that 99.9% of attacks can be blocked with multi-factor authentication.
It's important, however, to supplement multi-factor authentication with other security measures, as there have been documented cases in which multi-factor authentication was bypassed.
One such security measure for protecting your data in the cloud is limiting users' access to sensitive data. Privileged access to sensitive data that isn't required for a remote worker's line of work is a risk to your organization's online security. Remote workers, especially those using their personal devices to access corporate collaboration cloud tools, should be given only conditional access to sensitive data in the cloud.
Steve E. Driz, I.S.P., ITCP