Challenges that incident handlers face in identifying incidents when resources have been moved to a cloud environment.
The trials incident handlers face when switching to a cloud structure became quite an interesting topic, and reading the SANS Institute's paper “Following Incidents into the Cloud” (SANS Institute InfoSec Reading Room; link to PDF whitepaper, *see footnote) was surprising. It was extremely informative, listing challenges that I do not think would have come to my mind.
In fact, the thought process around cloud computing is a major challenge. Many, including CEOs and other corporate managers, do not give it much thought at all. This seems especially true when outsourcing the cloud infrastructure: they do not realize that just because the service provider is handling storage and some pay-per-use abilities does not mean it is securing the data. The article mentions a “we sign a contract for them to provide security that is enough” attitude, held without knowing what the security provisions include.
Though the paper focuses mostly on integration problems when using a cloud service provider, it did mention that many of the problems should also be reviewed for in-house clouds. Doing so gives the Incident Handler (IH) team things to watch for as they build the cloud infrastructure. One problem that SANS highlighted for the IT department building an in-house cloud, though I do not think it applies only to them, was not being given enough time.
It seems to me the problems fall into two groups: the blending of two companies and how the cloud works. I’ll do my best to summarize what was provided in great detail, though I strongly encourage all my fellow cyber-security students to read through it.
Blending companies goes right to the core of a company: its policy and mission statement. Do these line up between your company and the service provider? Will they view your customer the same as you? It is mentioned that a service provider might put their own reputation ahead of your customer. If something happens and your customer does something they deem strange, they might terminate the access. Do you have a contingency?
Do you know where your data is at all times? Depending on the physical storage location, do you know the law of the area? Your data could be on systems across state lines or maybe in another country. We just had a story in the news about a bank that has its main systems in Canada, so data from the American branches crosses over to the main server. Later the bank started outsourcing some work to India; it seems my data travels more than I do.
Staying with the law for a moment, what happens after an incident? What legal jurisdiction is in charge? It could be more than one. How about your access? Is the service provider going to get you any and all information needed for an investigation? During an attack, will you be able to do live tracking of the incident? The amount of control you have must be worked out before any problem occurs. I especially like the point about a legal agency seizing equipment. If it seizes all your equipment, does that include what you use that belongs to the provider? Or, the other way around, if the provider's equipment is seized, how much of yours is lost, and how will you access the data?
One I already mentioned (it kind of touches both sides) is the location of the server or data storage, and whether it is spread across multiple systems. Others are dealing with problems and access, the security of digital encryption keys, and which employees outside of your company can access your customers’ personal data.
I’ll finish by mentioning something that probably has not occurred to many beginner incident handlers: virtualization. This could be a major security risk, and the SANS paper mentions several security problems with this cloud technique. However, I thought that one scenario deserved to be quoted since, for me at least, it taught how other companies can harm you because of their failure to implement good security.
A Quoted Section
“Consider the following scenario. A larger or more experienced organization X has its resources
deployed into a cloud provider’s virtualized environment. A smaller or less experienced company Y
deploys onto the same virtualized environment, on the same hypervisor. Although company X has
thorough controls and processes for protecting their perimeter and even encrypting their local
files, company Y does not. A hack through the hypervisor can make company X’s protections moot.
Company Y’s posture now puts Company X’s environment at risk.”
Incident handlers’ jobs become difficult and ethical when law enforcement should become involved.
Hide N’ Seek
Being embarrassed affects everybody, and I’ve never met anyone who likes to admit to a mistake. Put these two human characteristics together, add money and job security, and you have the formula for a “cover-up”. It is apparent that this situation has been happening and is still going on, as laws had to be created for companies to report such incidents. Yet it seems there is a lot of leeway in these laws so companies can still bend the rules and try hiding
One other reason, which of course I did not think of but am happy to quote, comes from the article “Why Most Companies Won’t Admit They Were Hacked” from Mashable: “Some of the targets are human-rights organizations and freedom-of-speech organizations,” he said. “They might be simply afraid.”
Companies That Did Not Tell
One of my shortcomings is remembering names, and though I knew there had been quite a few breaches, the companies’ names just eluded me. Now I am embarrassed because, after looking them up, four of them affected me personally. No, not the Adult Friend Finder, but I did get some new credit cards and changed an email address and some passwords. Feel free to check out “The 17 biggest data breaches of the 21st century” from CSO.
Now, these are just a sample of the events that become public; it seems there are many that are able to remain hidden. An article found at the IT Governance USA Blog shows this fact. It is entitled “20% of security professionals say their company has hidden or covered up a breach”. So besides everything else, incident handlers now have to deal with a matter of morals, ethics and who they need to be loyal to.
After all this bad news I thought I would end with some good. Here is an article from Symantec that has helpful strategies for dealing with incidents and working with law enforcement. It is titled “Incident Management with Law Enforcement”. The biggest point: build a positive relationship with law enforcement.
*Is it OK to post information from the SANS website on my own website?
Information posted at the SANS web site is protected by copyright and is not to be reproduced at other websites, except where noted otherwise. If you wish to share information from the SANS website with students, employees or others, you may post or link the URL where the information is found.