Alert Logic Cloud Security Report analyze a year of security data to find insights to better help defend against latest threats.
Three interesting things found in the report are:
1. Differences between threats in the cloud and in traditional infrastructure
2. what makes a company more vulnerable to attacks
3. why having a good understanding of the Cyber Kill Chain could help take a preventative approach to cloud security
Whitepaper | Cyber resilience in the age of digital transformationNexon Asia Pacific
We are living in an always-on world using different communications devices, systems and networks. As privacy and protecting one’s identity is becoming increasingly important, the task of protecting these devices, systems and networks from cyber attack is no longer an option, it is a necessity.
Cybersecurity 2020: Your Biggest Threats and How You Can Prevent Them SrikanthRaju7
The attached deck "Cybersecurity 2020: Your Biggest Threats and How You Can Prevent Them" talks about strategic and tactical attacks to watch out for in 2019 and the defensive strategies to deploy against these emerging threats.
Strategies to combat new, innovative cyber threats in 2019SrikanthRaju7
We will focus on sharing our predictions for the big new changes we expect to see in cyber attacks and attack patterns in the coming year.
Before we dive into those, we will spend a little bit of time focusing on the five newest tactical attacks we expect to see a whole lot more of in 2019. After that, we will look into the big new shifts in targets and attack strategy that will dominate
Cyberwarfare over the coming year.
After we review the tactical and strategic threats you will need to look out for next year, We will provide a look at the primary defensive strategies you can deploy to combat tomorrow’ emerging threats.
That being said, while we feel confident that these represent some of the biggest new movements in the cybersecurity landscape in 2019, we also recognize that we are not the only experts here. And that there might be some big, effective attack and defense strategies that did not make it into our presentation.So, I welcome you to please share your own views on what you think will be the key threats in the comments here.
With that being said, let’s get started!
How can i find my security blind spots in Oracle - nyoug - sep 2016Ulf Mattsson
We need to detect our increasing issue of data security blind spots. This includes Sensitive Data that was not found in our Data Discovery across databases and files in cloud and big data. We also need to detect failures of our deployed critical security control systems. Without formal and automated processes to detect and alert to new data discovery findings and critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data. This can also impact our real compliance posture and compliance to PCI DSS 3.2. This session will teach how to automatically detect and report on these data security blind spots.
Whitepaper | Cyber resilience in the age of digital transformationNexon Asia Pacific
We are living in an always-on world using different communications devices, systems and networks. As privacy and protecting one’s identity is becoming increasingly important, the task of protecting these devices, systems and networks from cyber attack is no longer an option, it is a necessity.
Cybersecurity 2020: Your Biggest Threats and How You Can Prevent Them SrikanthRaju7
The attached deck "Cybersecurity 2020: Your Biggest Threats and How You Can Prevent Them" talks about strategic and tactical attacks to watch out for in 2019 and the defensive strategies to deploy against these emerging threats.
Strategies to combat new, innovative cyber threats in 2019SrikanthRaju7
We will focus on sharing our predictions for the big new changes we expect to see in cyber attacks and attack patterns in the coming year.
Before we dive into those, we will spend a little bit of time focusing on the five newest tactical attacks we expect to see a whole lot more of in 2019. After that, we will look into the big new shifts in targets and attack strategy that will dominate
Cyberwarfare over the coming year.
After we review the tactical and strategic threats you will need to look out for next year, We will provide a look at the primary defensive strategies you can deploy to combat tomorrow’ emerging threats.
That being said, while we feel confident that these represent some of the biggest new movements in the cybersecurity landscape in 2019, we also recognize that we are not the only experts here. And that there might be some big, effective attack and defense strategies that did not make it into our presentation.So, I welcome you to please share your own views on what you think will be the key threats in the comments here.
With that being said, let’s get started!
How can i find my security blind spots in Oracle - nyoug - sep 2016Ulf Mattsson
We need to detect our increasing issue of data security blind spots. This includes Sensitive Data that was not found in our Data Discovery across databases and files in cloud and big data. We also need to detect failures of our deployed critical security control systems. Without formal and automated processes to detect and alert to new data discovery findings and critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data. This can also impact our real compliance posture and compliance to PCI DSS 3.2. This session will teach how to automatically detect and report on these data security blind spots.
Hewlett Packard Enterprise (HPE) ha pubblicato l’edizione 2016 dello studio HPE Cyber Risk Report, un rapporto che identifica le principali minacce alla sicurezza subite dalle aziende nel corso dell’anno passato. La dissoluzione dei tradizionali perimetri di rete e la maggiore esposizione agli attacchi sottopongono gli specialisti della sicurezza a crescenti sfide per riuscire a proteggere utenti, applicazioni e dati senza tuttavia ostacolare l’innovazione né rallentare le attività aziendali.
La presente edizione del Cyber Risk Report analizza lo scenario delle minacce del 2015, proponendo azioni di intelligence nelle principali aree di rischio, quali la vulnerabilità delle applicazioni, le patch di sicurezza e la crescente monetizzazione del malware. Il report approfondisce inoltre tematiche di settore rilevanti come le nuove normative nell’ambito della ricerca sulla sicurezza, i “danni collaterali” derivanti dal furto di dati importanti, i mutamenti delle agende politiche e il costante dibattito su privacy e sicurezza.
Se le applicazioni web sono una fonte di rischio significativa per le organizzazioni, quelle mobile presentano rischi maggiori e più specifici. Il frequente utilizzo di informazioni personali da parte delle applicazioni mobili genera infatti vulnerabilità nella conservazione e trasmissione di informazioni riservate e sensibili, con circa il 75% delle applicazioni mobili analizzate che presenta almeno una vulnerabilità critica o ad alto rischio rispetto al 35% delle applicazioni non mobili.
Lo sfruttamento delle vulnerabilità software continua a essere un vettore di attacco primario, soprattutto in presenza di vulnerabilità mobili. Basti pensare che, come nel 2014,le prime dieci vulnerabilità sfruttate nel 2015 erano note da oltre un anno e il 68% di esse da tre anni o più. Windows è stata la piattaforma software più colpita nel 2015: il 42% delle prime 20 vulnerabilità scoperte è stato indirizzato a piattaforme e applicazioni Microsoft. Colpisce poi anche un altro dato. Il 29% di tutti gli attacchi condotti con successo nel 2015 ha infatti utilizzato quale vettore di infezione Stuxnet, un codice del 2010 già sottoposto a due patch.
Passando ai malware, i bersagli sono cambiati notevolmente in funzione dell’evoluzione dei trend e di una sempre maggiore focalizzazione sull’opportunità di trarre guadagno. Il numero di minacce, malware e applicazioni potenzialmente indesiderate per Android è cresciuto del 153% da un anno all’altro: ogni giorno vengono scoperte oltre 10.000 nuove minacce. Apple iOS ha registrato le percentuali di crescita maggiori, con un incremento delle tipologie di malware di oltre il 230% anno su anno.
In depth presentation covers market trends and risks related to network security & big data analytics. The presentation was given by Matan Trogan at Cybertech Singapore.
How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson
Security Blind Spots
We need to automatically detect and report on security blind spots, including Sensitive Data that was not found in our initial Discovery and failures of deployed security control systems. Without formal and automated processes to detect and alert to new data discovery findings and critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data. This can also impact our real compliance posture.
Cyber Risk Management in 2017 - Challenges & RecommendationsUlf Mattsson
With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isn’t robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk.
Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines.
Viewers will learn:
- The latest cybercrime trends and targets
- Trends in board involvement in cybersecurity
- How to effectively manage the full range of enterprise risks
- How to protect against ransomware
- Visibility into third party risk
- Data security metrics
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...Scalar Decisions
Highlights of the 2016 Scalar Security Study, The Cyber Security Readiness of Canadian Organizations, published February 2016. The full report can be downloaded at: scalar.ca/security-study-2016
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Ulf Mattsson
Cyber attacks have increased in frequency and severity, and financial institutions are particularly interesting targets to cyber criminals. Join this presentation to learn the latest cybersecurity threats and challenges plaguing the financial industry,
Bio: Ulf is the Chief Technology Officer of Security Solutions at Atlantic BT, and earlier at Compliance Engineering. Ulf was the Chief Technology Officer and a founder of Protegrity, He invented the Protegrity Vaultless Tokenization, Data Type Preservation (DTP2) and created the initial architecture of Protegrity's database security technology. Prior to Protegrity, Ulf worked 20 years at IBM in software development and in IBM's Research organization, in the areas of IT Architecture and Security, and received a US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM.
Ulf is the inventor of more than 45 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention. One line of his research during the last 15 years is in the area of managing and enforcing security policies for databases, including joint projects with research and development teams at IBM, Microsoft, Hewlett-Packard, Oracle, Sybase, Informix, Teradata, and RSA.
Ulf is a research member of IFIP and a member of ANSI X9. Leading journals and professions magazines, including IEEE Xplore, ISACA and IBM Journals, published more than 100 of his in-depth professional articles and papers. Ulf received Industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Cisco Systems, Ingres, Google and other leading companies. Ulf frequently gives presentations at leading security and database conferences in US, Europe and ASIA, and frequent tutorials at the Information Systems Security Association (ISSA) and Information Systems Audit and Control Association.
Globally recognized cybersecurity expert and best-selling author, Sai Huda, says the top three cyber threats that all organizations need to be on heightened alert for in 2021 are ransomware, cloud misconfigurations exploit and supply chain compromise.
Sai Huda advises businesses on cyber risk management and is a frequent keynote speaker at major industry conferences. He is also the author of the best-selling book “Next Level Cybersecurity: Detect the Signals, Stop the Hack.” In this ground-breaking book, Sai Huda reveals 15 signals that provide early tip-offs to cyberattacks and a seven step method to implement an early warning and detection system to stop a cyber attack in time and prevent loss or damage.
Sai Huda is warning businesses worldwide to be on heightened alert for ransomware, especially new variants that are programmed to scan for keywords that indicate mission critical or highly sensitive data so that critical data can be found quickly. Then the ransomware will exfiltrate a copy, then it will encrypt and lock down access to the data and demand a ransom payment. The attacker will then release a portion of the data publicly to extort the victim to pay the ransom. Phishing and unpatched vulnerabilities are the two main ways the attacker is able to insert ransomware.
He is also warning that cloud misconfigurations are another major threat as businesses move to the cloud but fail to configure properly all of the systems and services the cloud provider makes available. The cloud provider is responsible for security of the cloud, while the business itself is responsible for security in the cloud. Cloud configurations require specific know-how to prevent and detect a cyber attack. Otherwise, there will be many doors and windows open for an attacker to exploit and break in.
Supplier compromise is also another major threat, especially software providers, as evident with the recent SolarWinds supply chain compromise, where the attackers inserted a backdoor malware into the software update process at the supplier and with one fell swoop, as thousands downloaded the software update, the attacker gained entry undetected into thousands or organizations worldwide. So a compromise at a supplier can be the backdoor into the organization.
Regardless, there will be signals of the attackers and in his book Sai Huda reveals the signals that organizations must be on the look out for to prevent becoming victim to ransomware, cloud misconfigurations exploit or supply chain compromise.
M-Trends® 2013: Attack the Security GapFireEye, Inc.
Mandiant’s annual threat report reveals evolving trends, case studies and best practices gained from Mandiant observations to targeted attacks in the last year. The report, compiled from hundreds of Mandiant advanced threat investigations, also includes approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, https://www.fireeye.com/mtrends.
How the latest trends in data security can help your data protection strategy...Ulf Mattsson
Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures.
In this webinar, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti- virus/anti-malware, endpoint protection, and more. They operate at and provide visibility into all layers of the IT stack.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Hewlett Packard Enterprise (HPE) ha pubblicato l’edizione 2016 dello studio HPE Cyber Risk Report, un rapporto che identifica le principali minacce alla sicurezza subite dalle aziende nel corso dell’anno passato. La dissoluzione dei tradizionali perimetri di rete e la maggiore esposizione agli attacchi sottopongono gli specialisti della sicurezza a crescenti sfide per riuscire a proteggere utenti, applicazioni e dati senza tuttavia ostacolare l’innovazione né rallentare le attività aziendali.
La presente edizione del Cyber Risk Report analizza lo scenario delle minacce del 2015, proponendo azioni di intelligence nelle principali aree di rischio, quali la vulnerabilità delle applicazioni, le patch di sicurezza e la crescente monetizzazione del malware. Il report approfondisce inoltre tematiche di settore rilevanti come le nuove normative nell’ambito della ricerca sulla sicurezza, i “danni collaterali” derivanti dal furto di dati importanti, i mutamenti delle agende politiche e il costante dibattito su privacy e sicurezza.
Se le applicazioni web sono una fonte di rischio significativa per le organizzazioni, quelle mobile presentano rischi maggiori e più specifici. Il frequente utilizzo di informazioni personali da parte delle applicazioni mobili genera infatti vulnerabilità nella conservazione e trasmissione di informazioni riservate e sensibili, con circa il 75% delle applicazioni mobili analizzate che presenta almeno una vulnerabilità critica o ad alto rischio rispetto al 35% delle applicazioni non mobili.
Lo sfruttamento delle vulnerabilità software continua a essere un vettore di attacco primario, soprattutto in presenza di vulnerabilità mobili. Basti pensare che, come nel 2014,le prime dieci vulnerabilità sfruttate nel 2015 erano note da oltre un anno e il 68% di esse da tre anni o più. Windows è stata la piattaforma software più colpita nel 2015: il 42% delle prime 20 vulnerabilità scoperte è stato indirizzato a piattaforme e applicazioni Microsoft. Colpisce poi anche un altro dato. Il 29% di tutti gli attacchi condotti con successo nel 2015 ha infatti utilizzato quale vettore di infezione Stuxnet, un codice del 2010 già sottoposto a due patch.
Passando ai malware, i bersagli sono cambiati notevolmente in funzione dell’evoluzione dei trend e di una sempre maggiore focalizzazione sull’opportunità di trarre guadagno. Il numero di minacce, malware e applicazioni potenzialmente indesiderate per Android è cresciuto del 153% da un anno all’altro: ogni giorno vengono scoperte oltre 10.000 nuove minacce. Apple iOS ha registrato le percentuali di crescita maggiori, con un incremento delle tipologie di malware di oltre il 230% anno su anno.
In depth presentation covers market trends and risks related to network security & big data analytics. The presentation was given by Matan Trogan at Cybertech Singapore.
How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson
Security Blind Spots
We need to automatically detect and report on security blind spots, including Sensitive Data that was not found in our initial Discovery and failures of deployed security control systems. Without formal and automated processes to detect and alert to new data discovery findings and critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data. This can also impact our real compliance posture.
Cyber Risk Management in 2017 - Challenges & RecommendationsUlf Mattsson
With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isn’t robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk.
Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines.
Viewers will learn:
- The latest cybercrime trends and targets
- Trends in board involvement in cybersecurity
- How to effectively manage the full range of enterprise risks
- How to protect against ransomware
- Visibility into third party risk
- Data security metrics
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...Scalar Decisions
Highlights of the 2016 Scalar Security Study, The Cyber Security Readiness of Canadian Organizations, published February 2016. The full report can be downloaded at: scalar.ca/security-study-2016
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Ulf Mattsson
Cyber attacks have increased in frequency and severity, and financial institutions are particularly interesting targets to cyber criminals. Join this presentation to learn the latest cybersecurity threats and challenges plaguing the financial industry,
Bio: Ulf is the Chief Technology Officer of Security Solutions at Atlantic BT, and earlier at Compliance Engineering. Ulf was the Chief Technology Officer and a founder of Protegrity, He invented the Protegrity Vaultless Tokenization, Data Type Preservation (DTP2) and created the initial architecture of Protegrity's database security technology. Prior to Protegrity, Ulf worked 20 years at IBM in software development and in IBM's Research organization, in the areas of IT Architecture and Security, and received a US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM.
Ulf is the inventor of more than 45 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention. One line of his research during the last 15 years is in the area of managing and enforcing security policies for databases, including joint projects with research and development teams at IBM, Microsoft, Hewlett-Packard, Oracle, Sybase, Informix, Teradata, and RSA.
Ulf is a research member of IFIP and a member of ANSI X9. Leading journals and professions magazines, including IEEE Xplore, ISACA and IBM Journals, published more than 100 of his in-depth professional articles and papers. Ulf received Industry's 2008 Most Valuable Performers (MVP) award together with technology leaders from IBM, Cisco Systems, Ingres, Google and other leading companies. Ulf frequently gives presentations at leading security and database conferences in US, Europe and ASIA, and frequent tutorials at the Information Systems Security Association (ISSA) and Information Systems Audit and Control Association.
Globally recognized cybersecurity expert and best-selling author, Sai Huda, says the top three cyber threats that all organizations need to be on heightened alert for in 2021 are ransomware, cloud misconfigurations exploit and supply chain compromise.
Sai Huda advises businesses on cyber risk management and is a frequent keynote speaker at major industry conferences. He is also the author of the best-selling book “Next Level Cybersecurity: Detect the Signals, Stop the Hack.” In this ground-breaking book, Sai Huda reveals 15 signals that provide early tip-offs to cyberattacks and a seven step method to implement an early warning and detection system to stop a cyber attack in time and prevent loss or damage.
Sai Huda is warning businesses worldwide to be on heightened alert for ransomware, especially new variants that are programmed to scan for keywords that indicate mission critical or highly sensitive data so that critical data can be found quickly. Then the ransomware will exfiltrate a copy, then it will encrypt and lock down access to the data and demand a ransom payment. The attacker will then release a portion of the data publicly to extort the victim to pay the ransom. Phishing and unpatched vulnerabilities are the two main ways the attacker is able to insert ransomware.
He is also warning that cloud misconfigurations are another major threat as businesses move to the cloud but fail to configure properly all of the systems and services the cloud provider makes available. The cloud provider is responsible for security of the cloud, while the business itself is responsible for security in the cloud. Cloud configurations require specific know-how to prevent and detect a cyber attack. Otherwise, there will be many doors and windows open for an attacker to exploit and break in.
Supplier compromise is also another major threat, especially software providers, as evident with the recent SolarWinds supply chain compromise, where the attackers inserted a backdoor malware into the software update process at the supplier and with one fell swoop, as thousands downloaded the software update, the attacker gained entry undetected into thousands or organizations worldwide. So a compromise at a supplier can be the backdoor into the organization.
Regardless, there will be signals of the attackers and in his book Sai Huda reveals the signals that organizations must be on the look out for to prevent becoming victim to ransomware, cloud misconfigurations exploit or supply chain compromise.
M-Trends® 2013: Attack the Security GapFireEye, Inc.
Mandiant’s annual threat report reveals evolving trends, case studies and best practices gained from Mandiant observations to targeted attacks in the last year. The report, compiled from hundreds of Mandiant advanced threat investigations, also includes approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, https://www.fireeye.com/mtrends.
How the latest trends in data security can help your data protection strategy...Ulf Mattsson
Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures.
In this webinar, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti- virus/anti-malware, endpoint protection, and more. They operate at and provide visibility into all layers of the IT stack.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Presentacion realizada en Argentina y Paraguay Durante Marzo 2014.
En Argentina por Faustino Sanchez. En Paraguay por Santiago Cavanna.
Trata sobre el problema de la presencia de vulnerabilidades en aplicaciones, el impacto que tiene en las organizaciones y la forma que se encuentra disponible para descubrirlas en forma temprana y facilitar su remediacion
Links disponibles en
http://www.santiagocavanna.com/segurinfo-2014-el-costo-oculto-de-las-aplicaciones-vulnerables/
To protect your business from cyber attack, you must understand where you are vulnerable and structure defenses to thwart attacks. This innovative study from HP Security Research brings the information you need to do that.
It provides a broad view of the 2014 threat landscape — a specter of new threats brought by new technologies on a backdrop of known vulnerabilities and exploits. Then it drills down into specific technologies you may use like open source, mobile, and the Internet of Things.
With cybercrime (like denial of service, malware, phishing, and SQL injection) looming large in our digitized world, penetration testing - and code and application level security testing (SAST and DAST) - are essential for organizations to identify security loopholes in applications and beyond. We provide a guide to the salient standards and techniques for full-spectrum testing to safeguard your data - and reputation.
The following report from IBM explores the latest Security trends—from malware delivery to mobile device risks—based on 2013 year-end data and ongoing research.
***Project Summary***
A well established SaaS company in North America recently migrated workloads of 50,000 Virtual Servers, Five (5) petabytes of data with MySQL database backend from on-premises data center infrastructure to Google Cloud Platform (GCP) through a 'lift and shift' cloud migration methodology.
They are looking to expand their SaaS offering and customer base outside of North America and at the same time optimize cloud platform for High Availability, Scalability, and Resilience.
NETSCOUT Arbor released its 2018 NETSCOUT Threat Intelligence Report offering globally scoped internet threat intelligence together with the analysis of our security research organization. The report covers the latest trends and activities from nation-state advanced persistent threat (APT) groups, crimeware operations and Distributed Denial of Service (DDoS) attack campaigns.
To successfully adopt cloud and enable your teams to move at competitive speed, you need visibility into who is accessing your key enterprise cloud services, what activity is taking place, and how these services are being administered. You need a security partner with deep cloud security expertise and CenturyLink has you covered with Cloud Security Monitoring.
When you’re planning to move to the cloud and manage a hybrid environment, security is a top concern. But cloud is not necessarily less secure than a traditional environment. In fact, it may be possible to deliver even greater security in a hybrid cloud environment because it offers new and advanced opportunities.
In this eBook, you’ll discover how hackers are using traditional tactics in new ways to attack the cloud. You’ll also find out how the cloud can help you increase security with innovative approaches designed to detect threats long before they threaten your enterprise.
In this eBook, we will uncover the specifics of how a
hybrid cloud solution can transform IT management so
that you can become the leader your business needs.
We will compare traditional and hybrid requirements with
respect to three critical areas: how you’ll govern the
system, the management tools you’ll need, and what
your management opportunities will be.
Is your infrastructure holding you back?Gabe Akisanmi
This ebook will help you connect the dots between
today’s biggest business opportunities and the specific
technology required to seize them. You’ll get the facts
you need to identify where current components may
be falling short—and how the right investments in infrastructure
can lead to better business outcomes while
strengthening your role as a strategic consultant within
your organization.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
4. 4CLOUD SECURITY REPORT 2015
INTRODUCTION
Alert Logic provides managed security and compliance
solutions for over 3,000 customers around the globe.
As part of our cybersecurity research practice, we review threats and attacks
against our vast customer base on a regular basis, looking for insight to
share in our annual Cloud Security Report. Using the attack data we collect
across thousands of organizations and a wide variety of industries—with
IT infrastructure deployed across on-premises, hosting, and public cloud
environments—our findings are representative of the current threats and
attacks many organizations experience today.
For this report, we employed our big data security analytics engine to analyze
over one billion events and identify over 800,000 security incidents. These
incidents range in severity from “Review at your earliest convenience” to
“You are under a targeted attack; deploy countermeasures immediately.”
Unlike other security reports that offer a generalized analysis, our report is
based on real data: our customers’ data, our analysis, and our stories. We
believe that this firsthand accounting of attacks against cloud environments
can provide insight into how to better secure your IT environments, protect
your customer data, and ultimately continue to grow your business.
We hope that you find this report informative and valuable, and that it bolsters
your efforts for continually improving the security framework of your business.
- Alert Logic Research Team
CLOUD SECURITY REPORT 2015
I N T R O D U C T I O N
5. Cyber attacks are on the rise. Companies both large and small are targeted daily by hackers seeking valuable data to
monetize in the cyber underground. Recent reports show that 87% of organizations are making use of cloud infrastructure1
,
while analysts predict spending will exceed $200 billion2
in 2016. This means: 1) Organizations are making use of public
clouds now more than ever before, and 2) Hackers now have a larger attack surface to gain access to sensitive data. It is
imperative for organizations to understand the attack methods being used to compromise their environments, so they
can prepare a defense strategy when they become the target of an attack.
As cloud growth continues, our data is telling a familiar story. Our 2015 research not only reinforces our previous Cloud
Security Report findings, it also uncovers new insights that can prove valuable to organizations when building out their
security framework.
CLOUD ADOPTION REMAINS STRONG: In 2014, we continued to see an increase in attack frequency for organizations
with infrastructure in the cloud. This is not surprising—production workloads, applications, and valuable data are shifting
to cloud environments, and so are attacks. Hackers, like everyone else, have a limited amount of time to complete their
“job.” They want to invest their time and resources into attacks that will bear the most fruit: Businesses using cloud
environments are largely considered that fruit-bearing jackpot. However, attackers are not abandoning attacks against
on-premises data centers; they are simply applying more pressure to businesses with applications in the cloud. Their
hypothesis, which in some cases may be true, is that businesses have a misconception about the security they need in the
cloud. Some businesses, attackers have found, mistakenly assume cloud providers take care of all their security needs.
The reality, however, is that security in the cloud is a shared responsibility.
INDUSTRY AND CUSTOMERS DRIVE YOUR THREAT PROFILE: This year we performed industry analysis, looking for
trends in attack types. As the analysis progressed, we noted a distinct difference between businesses that primarily
service their customers online, and those that do not. This indicates a new level of sophistication in the way attackers
are approaching infiltration—a fact that perhaps appears obvious but is underrepresented in research. It is clear from
our data that of the many factors influencing a business’s threat profile, interaction with the customer plays a major
role. Businesses with a significant online presence for customer interaction are the targets of application attacks far
more than those businesses that interact with their customers by other means. For those businesses that have smaller
online presences, we find attackers are using traditional means of infiltration, such as Brute Force and Trojan attacks.
Understanding what drives your threat profile is key to determining the time and investment necessary for a successful
security-in-depth strategy.
KILL CHAIN CONSTRUCT DRIVES UNDERSTANDING: Today’s attackers are a sophisticated lot, using advanced
techniques to infiltrate a businesses environment. Unlike in the past when hackers primarily worked alone using “smash-
n-grab” techniques, today’s attackers work in groups, each member bringing his or her own expertise to the team. With
highly skilled players in place, these groups approach infiltration in a much more regimented way, following a defined
process that enables them to evade detection and achieve their ultimate goal: turning sensitive, valuable data into profits.
This year, we dive deep into the Cyber Kill Chain®3
, a construct developed by Lockheed Martin, to provide insight into an
attacker’s behavior, from initial reconnaissance activities to ultimate data exfiltration.
YOU CAN STAY AHEAD OF THE ATTACKERS: In this report, we also provide recommendations to help organizations
improve their security posture—a handy checklist that you can share with your team to start the conversation of bolstering
your security.
1
http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2014-state-cloud-survey
2
http://allthingsd.com/20120709/public-cloud-and-telecom-to-lead-3-6-trillion-in-it-spending-this-year-garner-says/
3
http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster
E X E C U T I V E S U M M A R Y
6. 6CLOUD SECURITY REPORT 2015
The Customers
We categorize our customer data into two groups: on-
premises (formerly called enterprise data center) and cloud
(formerly called cloud and hosting providers). On-premises
data center customers invest in a dedicated, in-house IT
infrastructure. Cloud customers consume Infrastructure-as-
a-Service solutions from a cloud provider.
The Data
The data used in this report is real-world incident data
detected in customer environments secured via Alert
Logic’s network intrusion detection, log management,
and web application firewall products. To eliminate noise
and false positives, Alert Logic®
utilizes our patented
correlation engine, Alert Logic®
ActiveAnalytics™, which
evaluates multiple factors to determine whether events are
relevant security incidents. Finally, the ActiveWatch™ team,
Alert Logic’s in-house security analyst group, reviews each
incident for validation, further reducing false positives.
This year, we expanded the scope of the report, including
a full 12 months of event and incident data compared to
previous reports, which were based on six-month intervals.
While the amount of overall incidents is obviously greater
in this full-year report, a comparison with past reported
results provides an interesting trend analysis.
Event vs. Incident
We categorize an event as evidence of suspicious behavior
detected via an Intrusion Detection System (IDS) signature,
log message, or web application request. We define an
incident as an event or group of events that have been
confirmedasvalidthreatsbasedoncorrelationandadvanced
automated analysis by Alert Logic ActiveAnalytics, and
verification by a certified ActiveWatch analyst.
T H E M E T H O D O L O G Y
THE METHODOLOGYHOW WE COLLECT & ANALYZE THE DATA
78%
22%ON-PREMISES
842,711 incidents over 365 days
(2308 actual attacks per day average)
• 3,026 customers
• 2387 Cloud**
• 639 On-Prem
• 16 different industries (SIC codes)
ALERT LOGIC CUSTOMER DATA SET*
* Customer data set (78/22) – Percentage of total customers by deployment
**Cloud customers include both customers whose applications and infrastructure are deployed in public cloud environments (such as AWS)
and those who have applications and infrastructure in place with a hosting provider (such as Rackspace)
CLOUD
7. The Alert Logic Security-as-a-Service solution is designed to identify threats at any point along the Cyber Kill Chain®
.
Lockheed Martin’s Computer Incident Response Team developed the Cyber Kill Chain®
to describe the different stages
of an attack, from initial reconnaissance to objective completion. This representation of the attack flow has been widely
adopted by organizations to help them approach their defense strategy in the same way attackers approach infiltrating
their businesses. As malicious activity continues to threaten sensitive data—whether it is personal data or company-
sensitive data—one certainty remains: Attackers will continue to infiltrate systems. The best opportunity to protect all
types of sensitive data is to understand how attackers operate.
In order to better understand the 2014 data presented in this report, as well as how attacks operate, the following fictional
case was created to map out an attack, categorizing each attack activity in the context of the Kill Chain. The fictitious
company in this case is known as XYZ, Inc. XYZ sells its products to consumers in brick and mortar stores as well as
online and via mobile apps. XYZ has experienced explosive growth since the introduction of its latest product, and has
expanded its data center footprint into the cloud to make ordering products easier for customers.
The hacker group, EchoBravo (EB), has been tracking XYZ for quite a while. XYZ’s growth and significant online presence
makes the company a desirable target for EB, with valuable data that could net a sizable profit from its sales in the cyber
underground.
IDENTIFY & RECON INITIAL ATTACK DISCOVER / SPREAD EXTRACT / EXFILTRATECOMMAND / CONTROL
IMPACT
The Analysis: Cyber Kill Chain®
Approach
FINANCIAL LOSS
EMPLOYMENT CHANGES
SCRUTINY FROM
REGULATORS
8. 8CLOUD SECURITY REPORT 2015
EXAMPLE ATTACK: HOW ECHOBRAVO TAKES DOWN XYZ, INC.
STEP 1: IDENTIFY AND RECON EB begins by scanning XYZ’s public-facing websites, gathering as much
information about the sites as possible. Simultaneously, EB performs scans against the XYZ internal network,
looking for possible vulnerabilities and/or holes in its perimeter protection. Lastly, EB scours popular social
media networks, learning as much as possible about XYZ’s employees, partners, suppliers, and employees’
families and friends, which can be utilized for the purpose of social engineering. After several months of
monitoring, EB has identified multiple potential entry points into the XYZ network and is now primed to
initiate the attack.
STEP 2: INITIAL ATTACK EB will be using several attack vectors, deployed from different regions of the
world to gain access to the XYZ network. Based on the reconnaissance findings, EB will attempt to execute a
targeted, sophisticated attack against XYZ’s e-commerce site. EB will also attempt to distribute malware via
phishing emails and social engineering with the intent of misleading an employee to click a link that permits
malware to enter the network. Finally, EB will attempt a Brute Force attack to gain access to the XYZ network.
Using different IP addresses and a significant number of computers, EB hackers will kick off an automated
dictionary attack. After only a few short days, EB’s campaign is successful and malware is installed on the
victim’s computer.
STEP 3: COMMAND & CONTROL With the malware in place, EB now begins a “low and slow” in-
depth recon against the internal network. With command and control over the victim’s computer, EB disables
several security controls on the machine, attempts to escalate privileges on the victim’s account, and creates
a new user account with privileged access.
STEP 4: DISCOVER AND SPREAD With unfettered access to the network, EB begins to spread
malware across XYZ’s environment through network shares, unsecured servers, USBs, and network devices,
while simultaneously creating a detailed map of the company’s network, security controls, and new public
cloud data center. EB now has a significant presence in XYZ’s network. So EB waits, making detailed asset
maps, noting employee patterns and other information that can assist in the data theft.
STEP 5: EXTRACT AND EXFILTRATE After a suitable amount of time has passed, EB begins to siphon
data out of the XYZ environment. EB moves the targeted data to a remote server, taking additional steps
to prevent a trace of the data’s location. After several months of siphoning data, EB ends the campaign.
However, before exiting, EB makes several network modifications that will enable the group to return at any
time in the future.
The final step not represented in the Kill Chain—but a significant step nonetheless—is when XYZ finally discovers the
compromise. Recent reports show that on average it takes more than 200 days to detect a breach1
, and the majority of
breach notifications come from an outside party. This is exactly what occurs for XYZ. Several months after EB’s campaign
is completed and XYZ’s data is converted to cash—or Bitcoin—XYZ is notified by government officials that some data
linked to the company was purchased by an undercover operative on a popular dark website. XYZ then goes into recovery
mode, kicking off many costly (both in terms of real dollars and reputation) actions to restore its network security posture
and protect its customer data.
In this example, XYZ did not have the tools, technology, or expertise in place to detect EB’s activities at any point across
the Kill Chain. Fortunately, many organizations do have at least some form of defense. While some defense is better
than none, it’s imperative that organizations approach securing their environments with the mindset of the attacker. This
perspective will help uncover the weak spots in any framework and keep organizations one step ahead of attackers.
T H E M E T H O D O L O G Y
1
M-Trends®
2015: A View from the Front Lines
9. THE FINDINGS
Environment Analysis
This report generates insights based on over 800,000 verified security incidents, derived from over one billion events
observed between January 1 and December 31, 2014. This data was collected from over 3,000 organizations across
multiple industries from around the world. For a full list of the partners included in this report, see Appendix Figure D.
Cloud vs. On-Premises
For the calendar year of 2014, we analyzed customer data across cloud and on-premises environments, and the overall
trends determined from this data tell a familiar story. As we continue to see organizations take advantage of new options
for housing their most sensitive data, attack vectors are continuing to converge. As is evident with the growth reported
by public cloud providers—such as Amazon Web Services (AWS)—it is clear that organizations of all shapes and sizes
are making use of the more affordable and efficient cloud infrastructure. Attackers are seeing this trend as well and
are making concerted efforts to infiltrate businesses making use of cloud environments, just as they previously did with
physical data centers.
Internal applications (ERP, CRM, Databases, etc.) are the backbone of most organizations, making them desirable targets
for the motivated attacker. Attackers will resort to virtually anything to take control of an asset that:
• Has been integrated into many other applications for support, data, and notifications
• Is typically used for many years with very little maintenance or patching of known vulnerabilities
• Is accessed by all employees, providing a rich set of credentials that can be comprised
If an attacker penetrates a network and installs a key logger, the attacker can then capture the keys to the kingdom: user
credentials. With credentials in hand, the attacker has unfettered access to an organization’s application and the valuable
data it can access. The attacker, understanding the security framework, can then work to evade detection and slowly
siphon sensitive data for days, weeks, months, or even years. The end result, unfortunately, could be significant long-term
damage to the business’s reputation, resulting in a costly investment to determine the extent of the breach and protective
measures.
It is vitally important to secure and monitor internal applications for malicious activity, similar to securing a customer-
facing application. It is imperative to not be lulled into a false sense of security simply because internal applications are
not intended for customer interactions. Internal applications require the same level of protection as external applications.
ABOUT APPLICATION ATTACKS IN ON-PREMISES ENVIRONMENTS
Stephen Coty, Chief Security Evangelist
10. 10CLOUD SECURITY REPORT 2015
T H E F I N D I N G S
CLOUD
CLOUD ENVIRONMENTS
45% INCREASE45% INCREASE 36% INCREASE36% INCREASE 27% INCREASE27% INCREASE 3% INCREASE3% INCREASE 1% INCREASE1% INCREASE 6% INCREASE6% INCREASE
YEAR-OVER-YEAR COMPARISONSYEAR-OVER-YEAR COMPARISONS
PERCENT OF CUSTOMERS IMPACTED
AVERAGE NUMBER OF INCIDENTS PER IMPACTED CUSTOMERAVERAGE NUMBER OF INCIDENTS PER IMPACTED CUSTOMER
11. App Attack
Suspicious Activity
Trojan
Recon
Brute Force
ON-PREMISES TOP INCIDENTS
24%
45%
17%
8%
6%
On-Premises
Overall, the attacks we detected for our on-premises customers did not vary materially from previous years, with
applications remaining a high-value target for attackers. Brute Force attacks in on-premises environments were
less frequent than in 2013. Of this incident type, the top three attack vectors were WordPress, SSH and SMB,
together comprising 79% of the total Brute Force attacks. (WordPress, in particular, is a popular open source content
management system that, according to Forbes, is used by more than 60 million bloggers sites1
.)
Most of these failed attempts to log into devices came from scripts running on other compromised devices. The
majority of these exploitations occur through vulnerable plugins and themes.
Our data also revealed a downturn in the various forms of Trojan activity in the on-premises environment. Redkit—a popular
but not widely distributed exploit kit that efficiently allows you to distribute malware—was the most utilized malware in
Trojan incidents. This particular malware usually redirects targets to the malware kit when browsing compromised sites.
In the last year, several media sites were compromised to deliver variants of the malware kits, which in turn delivered
more malicious code, such as credential stealers or remote access Trojans. This relatively flat 2014 trend, in regards to on-
premises data center attacks, is not surprising. Attackers understand how to penetrate these environments and continue
to use what they perceive to be effective attack vectors. Since on-premises data centers are certainly not becoming
obsolete in the foreseeable future, it is important that organizations continue to invest in their security framework for all
of their physical data centers, applications, and mission-critical infrastructure.
Cloud Environments
2014 was quite a year for public clouds. Competition between the major providers heated up, leading to a wide array of
affordable options for businesses taking advantage of cloud. With such attractive options, we saw a continued increase
in infrastructure migration to the cloud, resulting in a direct increase in attack percentages detected for our customers
using cloud environments. Application attacks remain the prevalent mode of attack for organizations using the cloud.
Reconnaissance increased significantly in 2014. Some of the most common scans we detected included ZmEu, Morfeus,
VNCScan, and Nessus scans, as well as multiple generic scans. Suspicious activity increased slightly as well, indicating
more unknown or unfamiliar activity around our customers’ environments. While some of this activity included legitimate
penetration testing and security audit tasks, there was certainly more activity by suspicious actors in search of an effective
means for compromising our customer environments.
THE FINDINGS
1
Source: http://www.forbes.com/sites/jjcolao/2012/09/05/the-internets-mother-tongue/
12. 12CLOUD SECURITY REPORT 2015
T H E F I N D I N G S
Threat Vector Analysis
Among the one billion events and 800,000 security incidents
identified in 2014, we detected almost every type of attack
imaginable. A holistic review of the data revealed the prevalence of
particular attack types, which we examine below.
Reconnaissance
As mentioned, the first step in a well-coordinated attack is
reconnaissance—the process of building a picture of the business’s
environment an attacker plans to infiltrate. This reconnaissance
process allows the attacker to determine which applications, services,
and vulnerable products may exist before launching an attack.
Reconnaissance, as this year’s data reveals, has become more
prevalent across all industries. This change speaks volumes to the
motives and objectives of today’s threat actors. Today, attackers are
not interested in a smash-and-grab approach to compromise. Rather,
they are playing the “long con” game. When attackers identify their
targets, they work to gather as much knowledge as possible before
launching an assault.
To gain a full picture of an organization’s environment they intend
to exploit, attackers must invest time and effort into “casing the
joint.” Not unlike the bank robbers of the past who frequently
visited their targeted banks for days, weeks, even months before
the actual robbery, attackers will monitor a targeted organization’s
environment for extended periods of time. The thorough attacker
will take note of all external-facing websites and applications, the
ports accessible via the Internet, and any vulnerability that may exist
in the network infrastructure. With this information, the attacker can
construct a plan to quietly infiltrate the environment.
Detecting recon activity is a first line of defense and is essential
to staying ahead of an attacker. Every industry is susceptible to
recon activity. According to our data, no single industry was more
susceptible than another. It is only after recon is complete that attack
vector variances from industry to industry can be identified.
After comprehensive recon is complete, an attacker will know which
type of attack vector will be the most effective. From our data,
there are three primary attack vectors seen across many industries:
application, Trojan, and Brute Force attacks.
Crackers. Hackers. Bad Actors. You wouldn’t invite
any of them into your home. But they often show up
uninvited. Every day, we observe targeted attacks.
Some are relatively sophisticated, while others employ
a combination of commercial malware with a cleverly
crafted email. One recent, more sophisticated attack
leveraged seemingly benign public posts through
Microsoft TechNet forums. APT17 used crafted
malware to poll these posts and searched for the
specific tags “@MICR0S0FT” and “C0RP0RATI0N,”
which they used to publish the attackers’ Command &
Control [C2] addresses. The collected data was then
encapsulated within an image file and delivered to
the specific C2 resource. This method was previously
employed on Twitter and Facebook; it allows public-
facing infrastructure to be repurposed for malicious
use, generally unbeknownst to the victim.
APT17 is a group of Chinese actors tasked with what
we believe to be specific targeting and intelligence-
gathering missions. This group often relies on the
end user to create the initial infection vector;
this is generally achieved through phishing or spear
phishing emails. Once an attacker has cemented
access into a compromised environment, he/she
will begin to monitor and analyze the environment,
perform lateral movements, and then ultimately carry
out the exfiltration of data. This supports the attacker
in various ways—credential harvesting, information
leakage, confidential data theft, and personal data
theft. Attackers can then move on to the marketing
element: Advertise the data, sell the data, and reap
the financial gains.
End users should always be wary of opening email
attachments from unexpected senders, clicking links
on unknown websites, and using software, codecs,
and programs from unknown sources. Where possible,
users should review access requirements with IT to
ensure they are secure. As with most malware, we can
seek out specific information to aid us in detecting
attacks. This is normally linked to the C2 addresses,
the type of malware, the email sender, the connecting
infrastructure, or even hard-coded information within
the malware. However, detection and protection
against the most sophisticated attacks can be
troublesome, so users should ensure they are up to
date with vendor patches for their operating system
and software. They should also consider whitelisting
connectivity requirements and adhere to a least-
privilege method of access to decrease opportunities
for malware to take control. It could be the difference
between a successful and unsuccessful exploit.
INFOCUS: APT17
Cybercrime Research Team, ActiveIntelligence
13. Application Attack: Tried and True for a Reason
Application attacks are by far the most common threat we detect in our customer environments. This isn’t necessarily
surprising, since applications—whether internally or externally facing—provide the gateway to sensitive data. That said,
an industry-by-industry analysis shows application attack frequency varies by industry sector. For instance, application
attacks are frequently detected in Transportation & Public Utilities sector customers. In fact, over 80% of all attacks
detected for these customers are application attacks. Conversely, application attacks account for only a small portion
of attacks against our Mining, Oil & Gas customers, due to the limited customer-facing applications deployed in that
industry.
These results reinforce the conclusion that customer interaction dictates attack type. The vast majority of our Transportation
& Public Utilities sector customers have extensive external-facing application deployments. The applications vary from
traditional websites to mobile applications and everything in between. Attackers are aware of this and take every
opportunity to uncover vulnerable applications that will provide access to a wealth of customer data.
The Real Estate industry, which historically thrived on paper, postal service, and telephones, has now moved many of its
services and applications to the cloud, providing easier access for their customers. Today, everything from conducting an
initial home search to finalizing a home purchase can be completed online, largely due to the industry’s recent embrace
of new Software-as-a-Service (SaaS) applications. This is
clearly reflected in the Real Estate industry attack profile;
over half of the malicious activity we uncovered was
comprised of application attacks.
Real Estate and its associated businesses offer enticing
data for attackers, which can be sold in underground
markets to facilitate identity theft and fraud. Consumers
purchasing homes provide a variety of personally
identifiable information (PII), such as name, address,
phone number, government-issued identification, email,
and financial information (both earnings and spending
habits), which represents a windfall for attackers. This
information, purchased in the underground, allows
someone to establish fraudulent credit and run up large
APPLICATION
ATTACK
An attempt to exploit an application to harm, destroy,
or access the data stored in the application. Examples
of application attacks include SQL Injection and the
HeartBleed exploit.
14. 14CLOUD SECURITY REPORT 2015
sums of debt that will never be repaid. The impact on these fraud victims can be far-reaching and long lasting, requiring
consumers to complete extra verification steps each time they need to establish new credit.
Looking at the industry verticals as a whole within our cloud customer environments, we see that almost all sectors
are experiencing application attacks. This confirms the reality that the demand for public-facing infrastructure, such as
web services or applications, continues to grow. Regardless if it is online banking, shopping, review research, health,
or insurance, the public wants easily accessible services and applications. Malicious actors know this, and will carry out
premeditated attacks to specifically compromise these applications.
Trojan
Trojan malware, or non-replicating malicious code that executes a specific task, can be inadvertently downloaded from
compromised legitimate websites, or sent by emails applying social engineering techniques. This makes the Trojan attack
an effective option for intrusion by malicious actors.
With the varied means by which they can be injected into an environment, as well as the damage they can cause once
they penetrate and execute, the Trojan infection and subsequent rogue activities it initiates can leave an organization in
shambles. We detect numerous Trojan attacks daily across many industries, particularly with our Agriculture, Forestry, &
Fishing industry customers. Since there is little customer interaction required online, our customers in this sector deploy
few public-facing applications, making application attacks a poor choice for the attackers. However, the distributed nature
of the Agriculture, Forestry, & Fishing industry—with its many remote outposts and employees accessing high-value
information—makes it a perfect target for a Trojan attack.
In a global industry like Agriculture, with so many cost pressures, knowledge of innovative techniques to reduce costs and
increase yields, as well as indicators of future price changes, are extremely valuable to competitors. Trojan malware is an
ideal technique for attackers to gain a foothold in an organization, allowing them to take control of the infected system
and reach their ultimate goal: turning your data into profits in the underground.
THE FINDINGS: THREAT VECTOR ANALYSIS
T H E F I N D I N G S
15. Potentially any industry is at risk of this attack type, but the presence of valuable information to steal, and the difficulties
ensuring security across distributed organizations, leaves industries like Agriculture at a particularly high risk.
Brute Force Attacks
A Brute Force attack can be an effective way to compromise a network, given the ease at which it can be executed
by attackers. With simple tools and computing power, an attacker can bombard a network with username/password
combinations from different IP addresses. Unfortunately for organizations, the IP addresses constantly change, making
it difficult—if not impossible—to block this type of attack.
Additionally, businesses are sometimes unable to simply lock
out usernames after failed login attempts, since doing so
could wreak havoc on normal business operations. If a Brute
Force attack is successful, the attacker will gain access to the
network, application, or other asset. With this access, the
attacker can begin making lateral moves within the network to
establish a footprint for continuing and ultimately completing
the attack campaign.
We see Brute Force attacks across most of our customers;
however, the highest occurrence of this attack type is within
Computer Services, Transportation & Public Utilities, and
Service Businesses. This makes sense, because our customers
in these industries have a significant number of employees
who work exclusively on computers, meaning these businesses
employ large numbers of applications, servers, and systems. These are target-rich environments for attackers.
BRUTE
FORCE
An attempt to gain access to a system by
repeatedly trying different users names and
passwords or cryptographic keys until the correct
username/password combination or correct key is
found. An example would be a dictionary attack
against an ftp or email server.
- -
16. 16CLOUD SECURITY REPORT 2015
While reviewing attacks by network type revealed certain trends in 2014, we also uncovered an even wider divergence of
threats—as compared to previous reports—when categorizing incidents by industry type. The result: Threats vary greatly
on a variety of industry-specific factors, including:
• Online Presence
• Customer Interactions
• Employee Activities
• Security Controls and Effectiveness
• Business Sector
The largest influencers in attacker threat vectors are a business’s online presence and how it interacts with customers.
Taking a closer look, we reached a conclusion: The amount of online interaction a business has with customers determines
the attack vectors that were most widely used against it, more so than the type of IT infrastructure they use. This makes
perfect sense, once you examine the evidence behind this statement.
Consider a business that sells to consumers online (e-commerce). To be successful, that company would ensure multiple
routes for online customer interactions via mobile devices. The business would also process thousands of transactions a
day, making it an enticing target for attackers in search of credit card data to sell on the cyber underground.
Conversely, consider a business that has limited online customer interactions, such as a heavy equipment manufacturer.
These businesses engage in significantly fewer online transactions—many of their sales come after a number of person-
to-person interactions. In some instances, where the industry’s products are large and take multiple months to deliver,
there may be very little data of value accessible via external web applications. Because of this, attackers targeting this
industry would search for ways to infiltrate the organization’s network to capture company-sensitive data, such as product
designs, financials, and proposal information. This data, while not desirable to the identity thief seeking information in the
cyber underground, would be very valuable to the company’s competitors.
The takeaway here is simple: Businesses with a large volume of online customer interactions are targets for web application
attacks to gain access to customer data. Businesses with few online customer interactions are more likely to be targeted
for their proprietary company data, not their customer data, using vectors such as Brute Force or phishing attacks.
With customer data from dozens of industries at our disposal, we selected three industries for a detailed analysis: Mining,
Oil/Gas & Energy, Retail, and Financial Services. These industries exhibit interesting attack profiles that can provide
insight into the state of cloud security today, not only for those in these industries, but for everyone.
I N D U S T R Y A N A LY S I S
INDUSTRY ANALYSISINDUSTRY MATTERS, BUT ONLINE PRESENCE REALLY MATTERS
17. ADVERTISING ACCOUNTING / MGMT
COMPUTER SERVICES MINING
FINANCIAL REAL ESTATE
HEALTHCARE RETAIL
MANUFACTURING TRANSPORTATION
APP ATTACKS BRUTE FORCE
APP ATTACKS TROJAN
BRUTE FORCE APP ATTACKS
BRUTE FORCE APP ATTACKS
APP ATTACKS APP ATTACKS
54%
48%
46%
37%
79%
55%
45%
71%
TOP TEN INDUSTRY ATTACKS
33%
39%
18. 18CLOUD SECURITY REPORT 2015
I N D U S T R Y A N A LY S I S
Mining Analysis
The Mining, Oil/Gas & Energy industry is a prime target for cyber attacks primarily due to the value of its data in the
world market. Protected information includes valuable geophysical data, like measurements of the earth’s gravity and
magnetic fields to determine the geometry and depth of subsurface areas where oil and gas are located. Companies
spend significant sums to gather this research, and their findings typically dictate their strategy for years to come. It
is understandable why attackers seek this information. There are those willing to purchase this valuable data in the
underground to gain a competitive advantage.
It is no coincidence that the vast majority of attacks against the Mining, Oil/Gas & Energy industry were related to Trojan
activity. Most Trojans create backdoors that contact offsite servers to send stolen information or collect victims’ keystrokes
using key logger software. Trojans are not easily detected and indicators of compromise are not always the same. Remote
access Trojans (RATs), built for espionage and intellectual property theft, are comprised of highly destructive malicious
code.
Brute Force attacks account for a small number of the incidents we observed against this industry in 2014. As discussed,
given the relatively low number of “computer workers” and external web applications in this industry, attackers do not
frequently use this vector in this particular industry.
The least frequent types of attacks we identified within this industry were application attacks and reconnaissance. Of
the application attacks, a commonly used target was Apache Struts. This is an open source web application framework
for developing java applications; multiple vulnerabilities have been uncovered throughout its lifespan. Looking forward,
Apache Struts will continue to rely on the community for future patches.
In April 2014, the Apache Software Foundation (ASF) (http://www.apache.org) released a warning to its customer base that a
patch issued in March for a zero day vulnerability in Apache Struts up to version 2.3.16.1 did not fully patch the vulnerability,
which may result in Remote Code Execution via ClassLoader manipulation (CVE-2014-0094), or DoS attacks (CVE-2014-0050).
19. Financial Analysis
With the growing demand for consumer applications that provide
ease of use and access, the Financial Services industry has
engaged in the widespread adoption of Internet-enabled financial
services. These now include website access, mobile banking via
applications, SMS/Text message banking, and numerous email-
based services.
Adding these new delivery models to their cloud environments
resulted in an increase of attackers attempting to steal financial
data—credit card numbers as well as personal information to
fuel financial fraud and insider information to facilitate insider
trading. For example, the FIN4 group used their attacks on the
financial industry to gain confidential information related to the
pharmaceutical and healthcare industries. This insider knowledge
allowed FIN4 to successfully trade on the stock market and earn
millions of dollars.
Application and Brute Force attacks comprise the majority
of malicious activity within our Financial Services industry
customer base, signaling a clear determination of attackers to
gain access to these organizations’ valuable data. These attack
types are indicators of the intent to obtain data—application
attacks will allow the leaking of information from databases and
backend systems, and Brute Force attacks will grant access to
internal systems, usually resulting in lateral movement within the
organization to build a starting ground for a more sophisticated
attack. Coupled with reconnaissance activity, 70% of attack types
COMPANY PROFILE
Alvarez & Marsal (A&M) provided incident response
support for a Financial Services executive who was
targeted by cyber attackers through a family member.
THE ATTACK
A Financial Services company—where the executive was
employed—contacted A&M and requested incident
response assistance in order to determine if the cyber
attack on the executive’s home network (which consisted
of bundled Cable, VOIP, and Internet services) had
impacted the corporate network.
The response by A&M was to determine if the cyber attack
originated through a phishing email to the corporate
executive’s teenage son containing an offer to beta test
a new game. The son’s system was compromised through
malware installed on the home computer, as the result
of the phishing email. Once the cyber attackers had
access to the home network, they were able to breach
the corporate executive’s computer. The cyber attackers
identified and captured the executive’s credentials
attached to his personal banking account. The attackers
used this information to log into the executive’s account
and change his email contact notification. They then
initiated a wire transfer from the executive’s personal
account.
Interestingly, the bank had a notification requirement: To
complete a wire transfer over a defined amount, the bank
must first contact the authorized user of an account to
confirm the transfer of funds. While the cyber attackers
intercepted the bank call to the executive’s home and
routed it to their own phone number, the bank teller that
placed the call realized that the person authorizing the
transfer was not the executive. The teller terminated the
wire transfer and notified the executive via an alternate
method. The executive was concerned that the cyber
attackers might also gain access to his corporate network
through the breach, so he notified his company of the
event. Social engineering cyber attacks continue to be
successful due to the resourcefulness of criminal groups.
The negative impact of the breach could have been
prevented or mitigated if the following best practices
had been in use:
• Be cognizant of the personal information that is
posted on social media sites.
• Dependent on users on a home network, consider
the possibility of segmenting the network to
protect information where sensitive data is
managed or processed.
INFOCUS: FINANCIAL ATTACK
Art Ehuan, Managing Director, Alvarez & Marsal
20. 20CLOUD SECURITY REPORT 2015
I N D U S T R Y A N A LY S I S
we identified in the Financial Services industry are focused on either
gaining access or obtaining data.
Unsurprisingly,Trojanactivitywasalsousedtofurtherattackers’quests
for internal access. Generally using spear phishing with malicious links
and attachments, this technique is used to lure in less technically
minded employees in order to gain a foothold within the environment,
typically an on-premises data center. Cloud-based systems suffer less
with this type of activity due to the nature of deployment, reducing
the threat opportunity to these systems. Financial organizations are
often viewed by malicious actors as challenging targets, due to the
industry’s large budgets, strong compliance and regulatory concerns,
and heavily appointed security teams dedicated to focusing on day-
to-day activities. In spite of these challenges, however, sophisticated
attack groups still focus on the exploitation of these organizations,
due to the financial return that could result in the event of a successful
breach.
Retail Industry
The Retail industry is a favorite target for attackers. Customer
financial information held by retailers—like credit card data—can be
obtained and sold by attackers through a readily available secondary
market of criminals specializing in credit card fraud. Retailers have
heavily invested in digital systems to reduce costs at the point of sale.
However, security budgets have often failed to keep track with the
deployment of digital point of sale (POS) systems, giving attackers
the ability to exploit vulnerabilities discovered on these systems. This
environment has led to many high-profile breaches where attackers
have been able to infiltrate networks, install specialized malware on
POS, and steal tens of thousands of individuals’ financial data.
Retail customers were targeted by a significant number of application
attacks. Legacy e-commerce systems may be missing modern
security features, and even recent systems may not be fully resistant
to all application attack techniques. Attackers launch multiple probes
against these systems, searching for weaknesses that can be exploited
to gain access. Access to systems serves as a point of ingress for further
attacks, giving attackers a means of stealing financial information, or
as a way to obtain goods without payment.
INDUSTRY ANALYSIS
Disclosure of sensitive data—such as cloud
credentials, security keys, and API keys—is a growing
problem. As cloud-based tool development for
storing, building, and deploying services increases,
so will accidental disclosure of sensitive data. Hackers
are aware of these disclosures and are always on the
lookout for this sensitive data.
Hackers might employ bots specifically written to scan
for this sensitive data in public code repositories such
as GitHub and Bitbucket. Bots perform automated
and repeatable tasks over the Internet at a much
faster rate than any manual activity.
Once a malicious actor is able to obtain a user’s
sensitive data, like cloud credentials, the attacker can
perform any manner of activity in the context of the
user. The elastic nature of cloud computing means that
attackers have access to large amounts of resources
from compromised accounts, far more than the
account may normally use. For instance, an attacker
could steal computing resources to mine Bitcoin, or
use compromised storage to store and distribute
illegal content. It is also possible that attacks may be
conducted against third parties by stealing network
resources and launching denial of service attacks.
It is extremely important that all sensitive data is kept
in a secure location and never stored in a public forum
or code repository. Additionally, if any credentials,
security keys, or access tokens are accidentally
publicized, they should be considered compromised.
Any compromised credentials must be removed and
replaced on all systems. This is a critical rule to follow,
because data from honeypots shows that attackers
are continuously conducting Brute Force attacks
against cloud services in order to guess usernames
and passwords, and search for default passwords that
have not been updated.
Administrators can use cloud identity and access
management tools to control access to their cloud
services. Tools that collect and report activity within
environments should be included in the security-in-
depth strategy for cloud deployments. Any recorded
activity can facilitate the reviewing of logs to find and
report on suspicious activity.
INFOCUS: STEALING PUBLIC
CLOUD CREDENTIALS
Sean Jones, Cybercrime Researcher, ActiveIntelligence
21. Developing e-commerce applications is resource intensive.
Ensuring the security of the application is often a low priority,
compared to delivering a positive customer experience.
This lack of attention to security features coupled with an
increase in investment by attackers means that application
attacks are likely to remain a significant risk for the Retail
industry in the future.
Brute Force attacks are likely evidence of similar activity,
where attackers attempt to guess system usernames and
passwords. All too often, systems are deployed with default
usernames and passwords, or replaced with insecure
passwords that offer little protection against systematic
password guessing programs. Reconnaissance and
suspicious activity attacks are evidence of attackers probing
systems and networks, searching for potential vulnerabilities
that can be exploited to gain access. Once an attacker gains
access to a system, he can launch further attacks to escalate privileges until he obtains full control of the system to plunder
information at will.
Trojan activity detected within the Retail industry encompasses malware that has infiltrated networks and is attempting
to spread, or seeking to communicate with attackers to obtain further instructions. The Retail industry faces a challenging
threat environment. By processing large amounts of financial data, the Retail industry will continue to attract the attention
of malicious actors. Investing in and maintaining security systems to combat attackers and their continued innovations are
vital to protecting systems and the valuable information they hold.
22. 22CLOUD SECURITY REPORT 2015
2014 was a banner year for high-profile breaches. More than 85 million records were lost via data breach, both from
internal and external attackers. Whether you were an entertainment company releasing a controversial movie or a big
box retailer whose POS systems were vulnerable to compromise, attackers had a virtual field day swiping sensitive data
and converting that data into millions of dollars, euros, and pounds, causing significant brand impact. The good news
for those responsible for securing IT infrastructure: Boardrooms around the world can no longer turn a blind eye to their
aging security framework, especially when moving to the cloud. Increases in security tool and technology investments are
expected to continue, giving organizations a more proactive stance in the ongoing battle to secure their data and protect
their business.
WHAT TO CONSIDER WHEN ADDRESSING YOUR SECURITY FRAMEWORK
Cloud security means different things to different people, but an inclusive approach to securing your environment will be
the most successful one. When thinking about security, there are many dimensions to consider. First among them is user-
based security specific to Software-as-a-Service (SaaS) versus securing Infrastructure-as-a-Service (IaaS) and its associated
applications and data. Both are important, but for different reasons: User-based security centers on visibility—knowing
which SaaS applications your employees access, and the governance of those applications, as well as what data is being
shared and how to control the flow of that data in SaaS applications. Securing IaaS is what protects you from the attacks
we outlined in this report. You are securing the applications and underlying infrastructure in order to defend against
today’s threat landscape. Respecting both of these security dimensions, and considering the best approach to address
both, will result in the most effective security posture.
Understand the shared security model.
While not a mystery, many companies are still learning where the lines of demarcation are drawn between what areas
cloud providers address and what areas are a customer’s responsibility. Cloud providers such as AWS, Microsoft Azure,
IBM SoftLayer, Google, and Rackspace all provide security controls that typically include physical, perimeter network, and
the hypervisor layer. They invest heavily in their areas of responsibility to ensure that they are fully secure and hardened.
Customers carry the responsibility of protecting the applications, data, and network infrastructure on which the
applications and data reside. What this means for you: Your area of responsibility requires that you have technology,
process, and expertise capable of delivering network threat detection, log analytics, application layer protection, and
C O N C L U S I O N
CONCLUSIONHOW THE GOOD GUYS CAN WIN
23. access management, among other areas of security.
Understand your threat profile.
As discussed in this report, your industry, the applications you run, and the data you retain drive the attraction of attackers.
Maintaining a solid understanding of the application types deployed, the type of data maintained, and the associated
compliance mandates (such as PCI, HIPAA, SOX, etc.) will help to drive the types of security controls and solutions you
need to deploy.
To fulfill your part of this shared security model, you must formulate a plan that includes technology, information, people,
and processes.
WHERE TO BEGIN
• IT’S ABOUT THE DATA: When developing your security framework, do not start with technology selection.
Take a step back and think about the type of data and applications you will be using in the cloud. There may be
different approaches to security required for different types of data and applications.
• BUILD THE PROCESS FIRST: With an understanding of the data you are protecting, begin building your
process playbook. This will include responsibilities, stakeholders, incident response plans, as well as contingency
plans for when something goes wrong.
• NOW BUILD YOUR SECURIT Y TOOLKIT: No single piece of software is going to fulfill every security need.
To prepare for the unexpected, it is crucial to have all of the necessary tools primed and ready within the security
arsenal.
• CREATE ACCESS MANAGEMENT POLICIES: Logins are the keys to the kingdom and should be treated
as such. Protecting these means putting in place a solid access management policy, especially for those who
are granted access on a temporary basis. Integration of all applications into a corporate AD or LDAP centralized
authentication model will help with this process.
• ADOPT A PATCH MANAGEMENT APPROACH: Unpatched software and systems can lead to major issues
for any organization. Securing an environment includes outlining a process to update systems on a regular basis.
All updates should be tested to confirm that they do not damage or create vulnerabilities before implementation
into a live environment.
• REVIEW LOGS REGULARLY: Log review should be an essential component of any organization’s security
protocols. It is absolutely necessary to take the time to review logs—they might uncover something significant.
• SECURE YOUR CODE: Hackers are continually looking for ways to compromise applications. Code that has
not been thoroughly tested and secure makes it easier to do harm. By testing libraries, scanning plugins, etc.,
organizations can take an offensive stance against future attacks.
Cyber attacks are going to happen. Vulnerabilities and exploits are going to be identified. Having a solid security-in-depth
strategy, coupled with the right tools and people that understand how to respond, can ultimately put you in a position to
minimize your exposure and risk.
24. 24CLOUD SECURITY REPORT 2015
A P P E N D I X
APPENDIX: THE DATA
Attack Type Jan-Apr May-Aug Sept-Dec Total
CLOUD ON-PREM CLOUD ON-PREM CLOUD ON-PREM CLOUD ON-PREM
Application Attack 35% 16% 37% 17% 39% 24% 37% 20%
Brute Force 28% 24% 27% 38% 23% 42% 25% 36%
Recon 19% 12% 10% 8% 7% 7% 10% 8%
Suspicious Activity 16% 17% 18% 11% 15% 9% 16% 12%
Trojan Activity 3% 31% 8% 26% 17% 17% 11% 24%
Attack Type Cloud On-Premises
Occurrence Frequency Occurrence Frequency
Application Attack 70% 118 52% 98
Brute Force 56% 101 47% 201
Recon 57% 40 48% 46
Suspicious Activity 53% 68 50% 60
Trojan Activity 37% 68 57% 108
CLOUD VS. ON-PREMISES: INCIDENT OCCURRENCE AND FREQUENCY
INCIDENT METRICS
INCIDENTS OVER TIME Fig. B
Fig. A
Incident Occurrence
Percentage of customers
experiencing a specific class
of incident at least once
during the study period.
Provides a view of the
probability of attack.
Incident Frequency
Average number of incidents
of each type per impacted
customer. Provides an
understanding of attacker
persistence and tenacity.
25. APPENDIX: THE DATA
Attack Type Jan Feb Mar Apr May Jun July Aug Sept Oct Nov Dec Total
Application Attack 20% 27% 28% 39% 28% 31% 28% 34% 41% 66% 39% 39% 39%
Brute Force 25% 25% 34% 26% 37% 29% 31% 25% 24% 14% 23% 24% 25%
Recon 12% 14% 20% 17% 14% 14% 17% 19% 19% 8% 11% 9% 13%
Suspicious Activity 8% 8% 11% 13% 12% 16% 14% 14% 9% 8% 21% 21% 14%
Trojan Activity 35% 26% 7% 6% 9% 10% 10% 7% 7% 3% 6% 6% 9%
MONTH-TO-MONTH ATTACK SPREAD Fig. C
PARTNERS INCLUDED IN STUDY*
PARTNER PARTNERWEBSITE WEBSITE
2nd Watch
Amazon Web Services (AWS)
CyrusOne
Datapipe
Dimension Data Cloud Solutions
Google Cloud Platform
HOSTING
Hostway Services
Internap
Latisys
Logicworks
Microsoft Azure
MegaPath Networks
NaviSite
OneNeck IT Solutions
PEER 1 Dedicated Hosting
Pulsant
Rackspace Managed Hosting
Sungard Availability Services
VMware vCloud Air
Windstream Communications
2ndwatch.com
aws.amazon.com
cyrusone.com
datapipe.com
dimensiondata.com
cloud.google.com
hosting.com
hostway.com
internap.com
latisys.com
logicworks.net
azure.microsoft.com
megapath.com
navisite.com
oneneck.com
peer1.com
pulsant.com
rackspace.com
sungardas.com
vcloud.vmware.com
windstreambusiness.com
*This partners list is representative of our top partners, but is not an exhaustive list of our entire partner network.
Fig. D
26. APPENDIX: THE DATA
INCIDENT CLASSIFICATIONS
APPLICATION ATTACK
An attempt to exploit an application to harm, destroy, or access the application or data stored in the
application. Examples of application attacks include SQL Injection and the HeartBleed exploit.
BRUTE FORCE
An attempt to gain access to a system by repeatedly trying different users names and passwords
or cryptographic keys until the correct username/password combination or correct key is found. An
example would be a dictionary attack against an ftp or email server.
SUSPICIOUS ACTIVITY
This activity has not been confirmed as malicious but it needs to be reviewed to confirm or invalidate
malicious activity. The activity may include vulnerability scanning or some types of IRC activity.
RECON
This activity involves an attacker scanning for particular ports or searching for particular applications
or vulnerabilities. This would include an attacker using a ZmEu to search for vulnerable PHP
implementations or using NMAP to perform a port sweep.
TROJAN ACTIVITY
Unwanted and malicious code that is not self-replicating. This code may cause harm to the system, data
to be lost or stolen or provide remote access to a malicious user. Some notable Trojans are Kazy and
Superfish.