Inside Cloud Security Threats and Attack Vectors – An Interview with the Authors of the latest book in the Attack Vectors series
The shift to the cloud in enterprise computing has contributed to an evolution of the cybersecurity landscape—one that has pushed it well beyond the boundaries of the traditional perimeter. Work from anywhere, shadow cloud IT, overextended VPNs and remote access—these new challenges are all contributing to a continuous and exponential increase of attack vectors that are adding to the threats organizations have been battling against for years.
Cloud Attack Vectors, co-authored by Morey J. Haber [MH], Brian Chappell [BC], and Christopher Hills [CH], is the fourth book in the Attack Vectors series. In it, the co-authors look across the cloud stack, with an IAM-centric eye, to discuss the risks and associated risk mitigation strategies that will help organizations stay ahead of cyberthreats and meet compliance mandates. “Our current state seemed unthinkable even 10 years ago,” says Brian Chappell, Chief Security Strategist at BeyondTrust and co-author of Cloud Attack Vectors. “The cloud is a brave, new (well, sort of new) world that many are running headlong into with a sense of urgency that’s, frankly, astonishing. For many, the cybersecurity problems of their on-premises environments are not fully addressed, which makes understanding the attack vectors in the cloud vital for both environments. Everything you learn in this book, look back to your on-premises systems and see how they apply there, too.”
“This book is for beginners in cyber security and readers of the other books in the attack vector series,” explains Morey J. Haber, Chief Security Officer at BeyondTrust and co-author of Cloud Attack Vectors. “It will help any new security professional balance and prioritize risks in the cloud and help them formulate a strategy for risk acceptance and risk mitigation that is acceptable for compliance and the business.”
“The book can also be used to establish a foundation (along with the other titles in the series) for a cybersecurity strategy—a useful reference for new and experienced team members so they are aware of the scope of the operation of your team,” adds Chappell.
“Education and awareness are the fundamental grounds on which people need to make security-conscious decisions,” says Chris Hills, Chief Security Strategist at BeyondTrust and final co-author of Cloud Attack Vectors. “Without bringing awareness and educating people on the various pitfalls that might be associated with cloud, how can we expect organizations to make security-minded decisions? We constantly refer to the phrase, ‘We don’t know what we don’t know.’ This book helps fill the gap in that statement to better empower organizations with what they do know.”
Read on for a conversation with the authors as we explore the thought process that went into the writing of the book.
Q: What fueled the decision to write Cloud Attack Vectors?
[MH] The cybersecurity landscape has evolved from threats on-premises to the cloud. While attack vectors can be associated with privileges, assets, and identities, the cloud requires a rethinking of how to handle traditional security disciplines in order to formulate an effective strategy. As the fourth book in the attack vector series, tackling this problem felt like a natural extension to the topics that have already been covered, and a steppingstone into future topics.
[BC] The cloud is both familiar and strange in equal measure, causing users to make assumptions based on their understanding of the same, or similar, technologies to those they have on premises. This often results in a level of complacency that generates significant risk. On top of this, the volume of information that users are bombarded with constantly makes it easy to lose sight of what’s actually important. There is a lot of noise to think through, and users need the facts laid out in an easily accessible way.
[CH] The cloud has proven to be the new shift in landscape, which allows businesses to digitally transform. Unfortunately, due to the speed at which the cloud has grown and been adopted, it has created a new threat landscape for threat actors to take advantage of businesses, because new users of the cloud are unaware of security best practices to protect the cloud.
Q: Why are cloud attack vectors different than those we’ve seen before, or that organizations may be used to securing against?
[MH] Cloud attack vectors are the same attack vectors every organization has seen before based on identities, vulnerabilities, and privileges. The differences are the changes in the risk surface and ownership of the assets targeted in the attack. It conjures the notion that “the more things change, the more they stay the same”. This is a key message in the Cloud Attack Vectors book, where it is dissected by security discipline to understand how key mitigation strategies differ from on-premises to the cloud and what new technologies are available to address them.
[BC] It goes without saying, the attack vectors are the same, but the context and mindset of solutions must change. The context includes how those attack vectors are available to the attackers, how easy it is to reach them, and the scope of the impact of their exploit. Bank robbers don’t target banks because they are easier to break into than private homes. They target them because there’s a collection of wealth in one place offering a higher payout in relation to effort.
[CH] Based on my previous experience at a major financial institution, attack vectors in the cloud, for the most part, are the same, but businesses have been protecting assets within the confines of their own business network. The cloud truthfully takes an on-premises approach of having your outer network protecting your internal assets and extends that outside of your control and ownership. You are now sending data that would typically be contained within the security of your raised floor data center to the galaxy that is now the cloud. You rely on other assets, resources, vendors, configurations, and people that you wouldn’t typically deal with when your data was within your facilities. This makes for a very lucrative threat landscape for threat actors.
Q: What are the security implementations that organizations will need to rethink because of these differences?
[MH] Organizations need to start with revisiting their identity management strategies for federated and unfederated access into the cloud. Once a solid identity model has been established, privileged access can be managed as a subset use case. In parallel, disciplines like vulnerability, patch, and log management must all be implemented to monitor and remediate the risks of traditional attack vectors.
[BC] I know I sound like a broken record at times, but it’s the basics—the foundational cybersecurity strategies—that need the most attention; this is especially true in the cloud, where the level of exposure is so much greater. There’s an old adage that prevention is better than the cure, and that’s exactly how we need to think about cybersecurity. Prevention starts with the basics, as we actually can control those.
[CH] Doing nothing, or even claiming you didn’t know and putting the burden on your cyber insurance, is not acceptable. We all can do a better job with security, and we should strive to do so. Relying on a Plan B strategy like cyber insurance is no excuse for doing the job right the first time.
Q: What are the questions organizations aren’t asking that are leaving them vulnerable to threat actors?
[MH] The biggest risk to any organization is the cloud washing of critical infrastructure to the cloud. Infrastructure, like directory services and authentication, does not have a one-to-one translation to the cloud. If compromised, it could be a “game over” event for any organization. This requires a new approach to solve the same problems, and it can include the use of technology, like cloud-based identity governance, multi-factor authentication, behavioral analytics, etc., to mitigate the risks in the cloud.
[BC] The biggest question that I feel is being missed is, “how is this different?” Even when asked, the answers are apparently not digging deeply enough, and that’s due to the amount of pressure that is on the teams to deliver. The cloud is seen as simple because much of the infrastructure management is lifted from the internal teams, but that makes understanding the risks harder. As a result, IT, technology, and security professionals should endeavor to understand the differences. If they do not, the results could be devastating.
[CH] I feel most organizations do ask the right questions, although many may not, due to a lack of expertise. More importantly, I feel organizations do not want to invest financially in having expert personnel in cloud help them ensure they are secure on all fronts. Instead, they believe what they do on their own is right or good enough. So, for me, I truly feel they ask the right questions, but they don’t seek the right experts in some cases due to cost or arrogance.
Q: Where are the biggest and most common gaps that can lead to a cloud breach?
[MH] The biggest and most common gaps in cloud security vary based on cloud service provider and vertical industry served. There is not one reference that stands out for everyone. However, one underlying theme covers all of them: the lack of proper visibility. It is a security basic to have a detailed asset inventory of all systems under your management. Since the cloud “is not your computer,” not having comprehensive information for all assets in your cloud workflows generally leads to gaps in core security disciplines, like privilege, vulnerability, and identity management. Managing this gap is a first step to mitigating any type of risk. If you do not know what assets you have in the cloud, you have no idea how to protect them, nor how they can be leveraged in an attack.
[BC] The biggest gap in cloud security is not understanding what you are buying and ultimately what you are licensing to run your business. It’s not your computer. In reality, it’s not even someone else’s computer. It’s a service, a black box. Knowing what’s inside the box to assess risk is the wrong approach. You need to accept the black box for what it is and focus on the interfaces and how you secure your access to them. Don’t get distracted by detail when you cannot control it, and take the time to learn what you are buying. As a simple reference, it is like reading the owner’s manual for a new car versus just placing it in the glove compartment.
[CH] For me personally, one of the biggest gaps organizations face is thinking they have done enough to secure their organization. Unfortunately, it’s those organizations that typically fall victim to bad actors or think they won’t be compromised. At the end of the day, every single breach involves some type of identity and some type of privilege associated with that identity. Some of us are stuck in thinking that an identity or privilege needs to be human, and that couldn’t be further from the truth. Managing identity and privilege are the most critical first steps to preventing a breach.
Additionally, I truly believe people have a misconception about cybersecurity and incidents related to it. Just because it’s not in the news, mainstream media, or social media doesn’t mean it hasn’t happened. It’s happening all over the world on an hourly basis. Obviously, some incidents are more high-profile than others, and those are the ones you typically hear about—but what about the private commercial landscape design company that has 12 employees and uses the cloud exclusively for all the landscape design CAD drawings that got ‘ransomwared’ Thanksgiving week? We didn’t hear about it.
Q: In your LinkedIn Live roundtable, “Securing Cloud Identities,” you mentioned that one of the most important things is to know how many identities, accounts, resources, etc. you have in your organization so you can know how and what to secure. How can an organization ‘know that it knows’ all its identities, especially now that the cloud is introducing further complexity into the mix?
[MH] Discovering identities in the cloud is a real challenge. In fact, performing a reliable asset inventory in the cloud is just as foreboding if you consider ephemeral assets and serverless infrastructure. Therefore, using a traditional asset and identity discovery tool is insufficient. A modern tool that recognizes and can account for nuances in the cloud is key to a successful identity inventory. Surprisingly enough, it does not use port scanning or agents; it should be API based.
[BC] Ephemeral (including serverless) assets are a unique concept that makes the cloud differ from traditional technology. Systems are built and stored ready to be spawned in their thousands when demand requires, and then to evaporate when that demand passes by. Every one of those systems offers an access point for the duration of its life. As these systems are often identical every time they are instantiated, it’s not their individual lifespan that’s of interest; it’s the cumulative lifespan of every instance, ever. When you have that kind of sporadic exposure, having a very active approach to managing identities becomes all the more important. The process of spinning up new instances and spinning them down needs to include the API calls to add and remove the contained identities to the management system. Again, it’s important to understand what you’ve bought and how you are using it, and then to ensure it’s being managed appropriately. Ephemeral assets can exist in the blink of an eye and, if you don’t understand that, you cannot manage them.
[CH] An important aspect of assets in the cloud is that they not only need to be managed, but also discovered, and this includes all the identities and accounts associated with them. This can be managed with solutions like CIEM (pronounced “KIM”), which we have not mentioned yet: Cloud Infrastructure Entitlements Management. Similar to what happened with Zero Trust when it was first introduced, CIEM is a new acronym taking cloud by storm to solve a real problem based on traditional security disciplines using discovery, asset inventory, and least privilege management. While the term CIEM still means a lot of different things to many people, we look at CIEM as the cloud version of what IAM was to the on-prem world. I look forward to helping develop what makes up CIEM through various outlets, such as Identity Defined Security Alliance (IDSA), Cloud Security Alliance (CSA), and possibly the Cybersecurity and Infrastructure Security Agency (CISA). This is a personal mission of my own to give back to the community.
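The three answers above describe two checks a defender can actually run: reconcile an API-based identity inventory against what the management system has enrolled, and measure the cumulative lifetime of ephemeral instances rather than any single one. The script below is an added example written for this article, not code from the book or from BeyondTrust; the discovered identities, the managed set and the spawn/terminate events are constructed sample data standing in for what a cloud provider's IAM and compute APIs would return.

```python
from datetime import datetime

# Constructed sample: identities returned by an API-based discovery (not a port scan).
DISCOVERED = [
    {"identity": "svc-batch-role", "privileged": True},
    {"identity": "ci-runner", "privileged": False},
    {"identity": "alice@example.com", "privileged": True},
]
# Constructed sample: identities the PAM/CIEM management system already knows about.
MANAGED = {"alice@example.com", "ci-runner"}

# Constructed instance lifecycle events: (timestamp, action, instance id, identity carried).
EVENTS = [
    ("2024-03-01T00:00:00", "spawn", "i-01", "svc-batch-role"),
    ("2024-03-01T00:10:00", "terminate", "i-01", "svc-batch-role"),
    ("2024-03-01T01:00:00", "spawn", "i-02", "svc-batch-role"),
    ("2024-03-01T01:05:00", "terminate", "i-02", "svc-batch-role"),
    ("2024-03-01T02:00:00", "spawn", "i-03", "ci-runner"),  # never terminated: still exposed
]


def unmanaged_identities(discovered, managed):
    """Identities present in the cloud but unknown to the management system, privileged ones first."""
    missing = [d for d in discovered if d["identity"] not in managed]
    return [d["identity"] for d in sorted(missing, key=lambda d: not d["privileged"])]


def cumulative_exposure(events, now):
    """Per identity: (instances ever spawned, total minutes any instance carrying it was alive).

    An instance with no terminate event is counted as alive until `now`, so a forgotten
    ephemeral instance keeps accumulating exposure instead of silently disappearing."""
    open_since = {}  # instance id -> (spawn time, identity)
    totals = {}      # identity -> [instance count, minutes alive]
    for ts, action, inst, ident in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "spawn":
            open_since[inst] = (t, ident)
            totals.setdefault(ident, [0, 0.0])[0] += 1
        elif action == "terminate" and inst in open_since:
            start, ident = open_since.pop(inst)
            totals[ident][1] += (t - start).total_seconds() / 60
    for start, ident in open_since.values():  # still running instances
        totals[ident][1] += (now - start).total_seconds() / 60
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-01T02:30:00")
    print("not enrolled in management system:", unmanaged_identities(DISCOVERED, MANAGED))
    for ident, (count, minutes) in cumulative_exposure(EVENTS, now).items():
        print(f"{ident}: {count} instance(s), {minutes:.0f} min cumulative exposure")
```

In a real pipeline the inventory and lifecycle events would be pulled from the provider's APIs on a schedule, and any identity in the unmanaged list is the gap to close first.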
Q: How do organizations start to build a security infrastructure that can secure against today’s threats while also being able to scale for tomorrow’s threats?
[MH] For organizations embarking on a digital transformation to the cloud, the key to mitigating risk is stop, think, plan, and execute versus a leap of faith. Companies should build a strategy, ask questions, and remain consistent in decisions when working in the cloud to ensure that responses, workflows, and monitoring can all be managed.
[BC] The cloud is not a panacea; it’s not perfect and it doesn’t relieve organizations of their responsibilities. With that in mind, understand what you are buying. There’s nothing wrong with a short-term purchase, if you know and understand what that means. I say that to highlight that a ‘leap of faith’ isn’t the only option. Your key objective is to enable your organization to do business resiliently. Make security part of the fabric of your business early and it’ll be second nature as complexity increases.
[CH] I believe finding the right framework that suits your business vertical and model will provide the correct guidance when it comes to securing an organization. I also believe seeking the right security professionals in the various disciplines of cloud can be a very effective approach to ensuring your organization is secure. Do not skimp on the investment for personnel resources. Ultimately, they will be the ones that help design and implement the protection strategies to secure your organization.
Laura Bohnert, Content Marketing Manager