Security (or lack thereof) in the Cloud
The case of sensitive Twitter documents being exposed through the breach of an email account, which in turn gave access to the Google Documents application, adds fuel to a discussion that is already approaching inferno status. I’ve heard two very different points of view on whether moving applications to the cloud will help or hinder security.
One side of the debate says that moving applications and data to the cloud is an extremely dangerous proposition. This group contends that putting applications and data in the cloud makes them more accessible to the bad guys while assembling data from multiple organizations all in one place.
I absolutely see the point that moving to the cloud has certain risks and could create efficiencies for the bad guys (attacking one place instead of many).
My main worry with keeping data and applications out of the cloud is this: Having an individual instance of each organization’s data and applications sitting within each organization’s data center means the security and protection of those data and applications falls to the security employee/team of each organization. There are now millions of people/teams worldwide with the charter to protect the applications and data of their organizations. While almost all of these people are brilliant at what they do, I see a nightmare of keeping all of them up to date on best practices, system patches and updates, etc.
Taking the cloud scenario to its extreme, we see a type of efficiency that can be gained. When many organizations’ data and applications are all stored in one place, that place will absolutely have to be an expert at protecting that data and those applications, but it seems like it would be easier to protect a lot of things under one protocol than to protect many things, each in their own disparate environs.
My preference on this point may have something to do with my being a control freak. When I think of all of the data and applications that need protecting, it’s easier for me to understand how to protect them if they are all in one place.
The debate on security of the cloud is currently raging. It would be great to hear some other viewpoints on this topic and see where my logic is flawed.
Criminal efficiencies: Fraud-as-a-Service
Software-as-a-service (SaaS) has grown in popularity as a way to minimize complexity and maximize efficiencies. Why host your own software when that means you will have to maintain it and buy hardware for it? The growing trend is that companies are willing to host their software for you. Companies are seeing that the economies around this make a lot of sense.
As I’ve said before, internet fraud seems to be run very much like a legitimate business would be run. The bad actors try to optimize return on investment (ROI) and conversion rates in the same way legitimate businesses try to optimize them. For example, just like an e-commerce company will attempt to tweak the text, images, etc. in an email to be sure that it is not caught by spam filters and customers open it, bad actors do exactly the same things with their phishing or 419 scam emails. Just like a legitimate business, the bad actors want their emails to avoid spam filters and they want their potential “customers” to be intrigued enough to both open and respond to the email.
Phil Muncaster posted an article about how the bad actors are starting to take advantage of the same philosophies behind SaaS. Phil calls this “Fraud-as-a-Service” (FaaS?), and I see it as a continuation of how the bad actors mirror legitimate businesses in perpetrating their fraud. The bad actors want to make their money as efficiently and economically as possible. To do this, they have imitated the way legitimate businesses are optimizing their operations.
The examples I’ve seen of FaaS include one bad actor hosting a phish site for another bad actor, for a fee. The data collected is sent to the “customer” (and likely kept by the service as well). I’ve also seen cases where one group would collect passwords for a site and determine which are the most valuable. The less valuable userID/password pairs would be sold to other groups.
All of this is just a way to make the business of fraud more efficient. I’m sure there are other examples of bad actor efficiency. If you have some, let me know.