The Cloud Is More Vulnerable Than You Think


Considering the growth of the Internet of Things (IoT), perhaps one of the most concerning items on our list of cyber security facts involves the vulnerabilities of cloud computing. Nearly half of all data breaches (45%) occur in the cloud, but organizations with a hybrid cloud model (a mixed computing model that combines public and private clouds) had a lower average cost per breach, at $3.80 million, than those with public ($5.02 million) or private ($4.24 million) cloud models.


Types of Cloud Computing Vulnerabilities

Now that you understand what a cloud vulnerability is, let’s cover the different types of vulnerabilities out there.

Misconfigured Cloud Storage

Organizations use the cloud to store all kinds of corporate data, such as customer records, employment contracts, receipts, invoices, and intellectual property. For this reason, cloud storage is a goldmine for cybercriminals. Once they gain access to corporate cloud accounts, they can steal sensitive corporate data and then sell it on the Dark Web (hard-to-find websites and forums that require a special web browser to access) or use it for blackmail.

To help prevent a data breach, review your cloud security settings. Make sure that your cloud storage buckets, or containers, are set to ‘Private’ and not ‘Public.’ This way only permitted individuals will have access to your corporate cloud storage, and it will not be open to the general public. While some cloud object storage services, such as Amazon S3, create buckets as ‘Private’ by default, this is not guaranteed for all of them, and a bucket policy or ACL can still open a bucket up later, so check the effective setting rather than relying on the default.

Make sure that cloud encryption is enabled, too. Before any data is transferred to and stored in the cloud, it is transformed from its original plain text into an unreadable form, so that cybercriminals cannot read it even if they intercept it in transit or obtain a copy at rest.
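As an added example (not code from the original post), the two checks described above, public access and default encryption, written as an offline audit over S3 bucket configuration documents; the bucket names and configurations are constructed samples in the shape of the real S3 API responses.

```python
from typing import Optional

# S3 ACL grantee URIs that mean "everyone" (real AWS group URIs).
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def policy_allows_public(policy: dict) -> bool:
    """True if an Allow statement names an anonymous principal ('*')."""
    for stmt in policy.get("Statement", []):
        p = stmt.get("Principal")
        anonymous = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anonymous:
            return True
    return False

def acl_allows_public(acl: dict) -> bool:
    """True if any ACL grant targets the AllUsers/AuthenticatedUsers groups."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS
               for g in acl.get("Grants", []))

def encryption_enabled(enc: Optional[dict]) -> bool:
    """True if a default server-side encryption rule is configured."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in r for r in rules)

def audit_bucket(bucket: dict) -> list:
    """Findings for one bucket; an empty list means the bucket passes both checks."""
    findings = []
    if policy_allows_public(bucket.get("policy", {})):
        findings.append("bucket policy grants public access")
    if acl_allows_public(bucket.get("acl", {})):
        findings.append("ACL grants public access")
    if not encryption_enabled(bucket.get("encryption")):
        findings.append("no default encryption")
    return findings

# Constructed sample buckets, shaped like the S3 GetBucketPolicy/Acl/Encryption responses.
SAMPLE_BUCKETS = {
    "public-docs": {  # public-read policy, no encryption: two findings
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject", "Resource": "*"}]},
        "acl": {"Grants": []}, "encryption": None},
    "private-records": {  # owner-only ACL plus default AES256: clean
        "policy": {"Statement": []},
        "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}}]},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
}
```

To run it against live buckets, feed it the boto3 `get_bucket_policy` (its `Policy` field is a JSON string, so parse it first), `get_bucket_acl` and `get_bucket_encryption` responses for each bucket.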

Insecure APIs

An API (Application Programming Interface) is a software intermediary, one that lets two unrelated software applications communicate with each other. The term ‘Interface’ refers to the contract of service that exists between two unrelated software applications, which determines how the two share information with each other; specifically, how they submit requests and respond to those requests. An example of an API is the one Google uses to display weather snippets on the search results page.

For APIs to securely transfer data between applications, they need access to sensitive software functions and data, making them prone to cyberattacks. The use of tokens is an effective way to allow information to be accessed by third parties, without the risk of exposing user credentials. After a user successfully authenticates their account, they use their access token as a credential to access the API and perform whatever actions the API allows them to do.

All APIs should be penetration tested, too. Penetration testing involves simulating the kind of external attacks that a cybercriminal would use. By doing so, testers can identify weaknesses in the API's security so that the team can remedy them before release.

Poor Access Management

Also known as identity management, access management outlines the steps a user takes to access software and cloud applications. This includes entering an email address or username and a password and, if MFA (Multi-Factor Authentication) is enabled, providing a third proof of identity, such as a unique code sent via SMS or email. These days, most software and cloud applications require users to create strong passwords, which must be a certain length and use a combination of uppercase and lowercase letters, numbers, and symbols.

Cloud applications without these access management systems in place are at risk of data breaches. For this reason, it is vital that modern access management solutions, such as MFA and minimum password requirements, are in place. Another effective measure is to adopt company-wide policies of least privilege or zero trust. This means that users have access to only the functions and services that they need. As a result, they can only use the app the way it was designed, as determined by the software development team and client.

Studied and taken from internet.
