The Edge of Risk Menu Search
New thinking on corporate risk and resilience in the global economy.
Technology

The Threat from the Cloud: How Cyber Intruders Exploit Third Parties

Founder and Principal at NewStreet Global Solutions, LLC CEO and Expert Witness of David X Martin, LLC

There’s growing concern within intelligence communities that hostile governments could cyber-invade financial institutions, not to steal money — but to pollute, destroy and manipulate data.  

Data manipulation is difficult to detect, and hackers might even target data in backup storage to ensure that recovery is impossible. Cyberattacks that create chaos in record keeping, transaction precision and currency valuations could corrode public trust to such an extent that it threatens the stability of the financial system.

The Cloud As a Point of Entry

One of the biggest exposures lies in the cloud. As supply chains become ever more complex, financial institutions are relying on third parties to provide scale and agility.  

However, third-party providers are often the vector that cyber intruders exploit in order to reach the intended target. This dramatically increases the attack surface that companies have to worry about. Trusting that third parties will attend to your security needs in the manner you would is not a prudent strategy.

If you rely on a weak set of interfaces to interact with cloud services, security issues can arise concerning confidentiality, integrity, availability and accountability. A few examples: Attackers now have the ability to use your (or your employees’) login information to remotely access sensitive data stored on the cloud; falsify and manipulate data through hijacked credentials; or inject malware, which gets imbedded in the cloud servers. And, if operating in tandem, attackers can eavesdrop, compromise the integrity of sensitive information and even steal data. 

The Vulnerability of APIs

Secondly, the services provided are elastic in that there are different degrees or levels of service and security. This fosters an inconsistent security model. Application programming interfaces (API) give users the opportunity to customize features of their cloud services to fit business needs — but also allows users to authenticate, provide access and effect encryption, which can create vulnerabilities. The biggest vulnerability of an API lies in the communication that takes place between applications — creating exploitable security risks and new attack surfaces.  

Case in point: In January of this year, researchers revealed a design feature common in most modern microprocessors that could allow content — including encrypted data — to be read from memory using malicious Javascript code. Two variations of this issue, called Meltdown and Spectre, permit side-channel attacks because they break down the isolation between applications. 

Employees Can Access the Cloud

In addition, data stored on a cloud provider’s server could potentially be accessed by an employee of that company — and you have none of the usual personnel controls over those people.

In a recent breach of an online bank, the attacker was a former employee of the web-hosting company involved and allegedly used web application firewall credentials to obtain privilege escalation. 

Data on cloud services can also be lost by an erroneous data wipe by the service provider — as happened recently at a large online retailer. Making matters worse, most businesses do not have recovery plans for data stored on the cloud. 

The bottom line is that companies need to take ownership of their risk all the way down the line. 

Threat-aware companies build cybersecurity environments similar to the immune system of the human body.

Develop a Data-Centric Approach

It is important for business leaders to develop strategies that are tailored to their institution’s unique imperatives and seek the highest level of risk mitigation reasonably achievable. Most businesses think of cybersecurity as protection of the digital environment encompassing networks, servers and applications. The problem with this paradigm is that the security deployed is not necessarily related to the data it’s trying to protect.

Security that focuses on protecting crucial data asks: “What is our most important data? What people, processes and technology, if any, are deployed to protect the data? What would be the impact of a specific breach of this data on the organization, and how would we respond?”

Consider the use of data loss prevention solutions that can encrypt your important data with high assurance; provide automated backup and accurate audit information regarding the movement and handling of sensitive data; and even block the transfer or delete the data when found on unauthorized endpoints. 

Perimeter security without data security is false security.

Strengthen Your Immune System

Threat-aware companies build cybersecurity environments similar to the immune system of the human body.

When a germ breaches the body’s natural barriers, the immune system mounts a three-step defense: It sounds the alarm, attacks the problem and then recovers and remembers. 

These are challenging times happening at the speed of technology. Managing the very real risks to critical infrastructure like our financial systems will take determined, strategic effort — largely by the private sector.  

For the first time in recent history, the U.S. and other governments are unlikely to be able to provide an effective deterrent to a significant criminal threat. Don’t expect the government to come to the rescue when your company experiences a cyberattack. Instead, the best place to find a helping hand is likely to be within your own company.

Kevin R. Brock

Founder and Principal at NewStreet Global Solutions, LLC

Kevin R. Brock is a former assistant director of intelligence for the FBI. He was an FBI special agent for 24 years and principal deputy director of the National Counterterrorism Center (NCTC). He currently consults on cybersecurity strategies through his firm, NewStreet Global Solutions, LLC.  

David X Martin

CEO and Expert Witness of David X Martin, LLC

David X Martin is a cyber risk management advisor to business leaders and corporate boards. He also provides expert witness testimony in cases involving cybersecurity breaches. His 40-year career as a senior financial executive includes senior positions at PwC, Citibank and AllianceBernstein. Visit DavidXMartin.com to learn more.

For optimal delivery, please select your region:
Please enter a valid email address.
Success! Thank you for signing up.