Tuesday, August 7, 2012

Are You Prepared for Social Engineering?


Recently Mat Honan, a seasoned technology writer, had his digital life dissolved by hackers. All it took was a call to Apple to have his password reset; the hackers then got into his Gmail account and remotely wiped all of his Apple devices. They also accessed his Twitter account and sent racist and homophobic messages to his followers.

Access to the Apple account was granted via social engineering, the art of manipulating people into providing sensitive information. What this highlights for both consumers and enterprises is that access to data is only as secure as the weakest link: all the encryption in the world will not help if the intruder has your password. It also brings to light that what one provider considers sensitive information may not be treated as sensitive by other providers.

While this may seem elaborate, it all started by hacking an Amazon account. Because Amazon, like many other online retailers, displays the last 4 digits of the credit card on file, the hackers were then able to call Apple and provide those last 4 digits, which is what Apple needs to release certain information about your Apple account. Once the Apple password was reset, they accessed the Gmail account and now had access to Mr. Honan’s cloud data and remote wiping options.

As technology becomes more integrated, the need for tighter controls increases. In this case the hackers used Mr. Honan’s Apple account to remotely wipe all of the data on his iPhone, iPad and MacBook. Even with proper backups, most people would have lost substantial amounts of data. And with a major push for consumers to move more to the cloud, it would not be surprising to see this type of attack occur more frequently.

One may interpret my articles to be anti-cloud; in fact, I am very much pro-cloud. However, having worked for multiple cloud service providers that supported consumer and enterprise-level businesses, I know the transition from supporting consumers to supporting enterprises is not an easy process. My objective is to have the enterprise make sure its cloud providers are in fact providing best-in-class security. In terms of social engineering, you should employ social engineering techniques to test, on a regular basis, any cloud provider that is hosting your data. As an organization, your security department should train and deploy preventive social engineering techniques.

The reality is that the cloud is here to stay and will only expand over time, but as with anything, evolution requires hard work and a strong focus, and delivering quality and security in the cloud is a must. In the end, if we push for the right behaviors now, we will have one less concern to address in the future.

Frank Toscano is a 15+ year specialist in cloud based services focusing on Product Management, Marketing and Security within the Cloud. He has worked for EasyLink Services and Premiere Global Services in a global role providing hosted services to Fortune 1000 clients. He is currently seeking employment with a cloud based provider in a senior level Product/Marketing role.