Clouds of pollution – the scourge of cloud-only malware
Thank goodness for cloud applications. Compared to the old ways of sharing information across organisations and between virtual teams, cloud apps have undoubtedly liberated extra productivity and fostered greater innovation.
To gain maximum benefit, however, keeping on top of cloud application security is a key consideration and one that demands both visibility and control of usage, right down to the function level of each app, by each user. This is explored in more detail in our earlier post: Why cloud visibility and discovery are no longer enough.
The other aspect of cloud app security, and the subject of this article, is the scourge of cloud-only malware; malware written especially for the cloud.
When sharing isn’t caring
Cloud-only malware has an entirely different modus operandi to traditional malware, and one that users in particular find entirely unexpected. Rather than concentrating its efforts upon infecting the maximum number of endpoints (e.g. desktops, laptops), this malicious code is written to propagate across cloud shares.
Logically then, whatever is understood about dealing with unscrupulous email attachments and dodgy phishing links, must be applied to files we interact with on our favourite cloud apps.
Censornet has seen instances of cloud-only malware skyrocket in the last 6-12 months, as more cyber criminals take advantage of this comparatively new threat vector. Among the highest profile is Virlock, which uses cloud storage apps to spread itself across organisations. Other examples include RanSerKD, a kind of crypto-ransomware that uses Dropbox, weaponised Word documents and the image-sharing service Imgur.
The problem of unquestionable trust
Arguably, what makes cloud-only malware so dangerous is the extremely high level of implicit trust invested in cloud applications. Whereas users are generally well educated about the risks of opening unsolicited or unfamiliar emails, or downloading materials from unknown sites (though it has taken decades to reach the current, imperfect level of user vigilance), there seems to be a blind, uniform acceptance that all content held within an application is ‘safe’ and/or ‘genuine’.
This is for two reasons. Firstly, users have a tendency to view all applications (particularly those deemed ‘professional’ enough to be used among work colleagues) as safe, once the required login process has been completed. In essence, application users view themselves as being within the secure confines of a protected environment. This is quite apart from the email/URL risk paradigm where users recognise that vigilance should be exercised whenever (a) receiving something sent from the ‘outside’, or (b) venturing ‘outside’ to retrieve information.
The second reason is that organisations themselves either officially or tacitly allow the use of cloud applications for productivity purposes. This ‘seal of approval’ (whether real or inferred) inspires a certain level of confidence that using the app ensures security and compliance. Even when organisations ban the use of cloud applications, there is plenty of evidence that users either ignore the instruction altogether or find alternative means of using cloud apps.
The reality is that cloud-only malware benefits enormously from the fact that users do not adopt a vigilant stance with app-hosted files; or at least not the same levels of vigilance as with email attachments and web links.
All of this is crucially important in the response to cloud-only malware because, as with all cyber threats, protection ultimately starts with the user. At the very least, organisations should be alive to the growing issue of cloud-only malware and be developing education campaigns to maximise user awareness and alerting.
Users are important because cloud application authors cannot be relied upon to provide a 100% secure service. Well-known cloud share platforms clearly wish to avoid significant cyber exploits from blighting their brands, and are likely to take proactive steps with their security policies, particularly for the premium end of their customer bases. There will be significant challenges in accomplishing this, as the platforms will be keen to avoid inadvertently damaging the integrity of their customers’ files, and to ensure that application performance/responsiveness is unhindered by added security layers.
In any case, users on the standard ‘free’ packages should expect to be last in the queue for the best security protection on offer.
So add control to cloud app visibility!
All this returns us neatly back to a defining theme of cloud app security in 2018: the need to establish both visibility and control of cloud application usage. As detailed in the earlier blog, a lot of this control rests upon the intelligence garnered from the visibility and discovery process; feeding back into a system of assigning risks to individual actions within applications and monitoring/restricting these actions for specific users, rather than blocking entire apps arbitrarily.
At the most basic level, cloud-only malware risks can be mitigated by focusing attention on the kinds of applications most likely to be exploited by this new approach. And yet again this shines the spotlight on cloud storage, team working apps and messaging platforms – even cloud CRM systems.
One way to get proactive is to treat cloud uploads in the same way as outbound email file attachments, i.e. scanning for malware and implementing more in-depth analysis, such as DLP-style scanning, to identify sensitive content in the uploaded files. Within a given industry, the use of templates that specify keywords and phrases suggesting confidential information or intellectual property, or that are based on regulations such as PCI DSS and HIPAA, is proving a helpful strategy.
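The upload gate described above, written out as an added example (not Censornet's product code or anything from the original post): a file bound for a cloud share is checked against a known-bad hash list first, then run through DLP-style industry templates that combine keywords with validated identifier patterns. The hash list, the two templates (a PCI DSS-style one with a Luhn check on card numbers, a HIPAA-style one with a national-ID-shaped pattern) and the sample uploads are all constructed for this example, and the template contents are illustrative assumptions rather than the text of either standard.

```python
"""Pre-upload gate: known-bad hash check, then DLP-style template scan."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: the SHA-256 of a made-up byte string stands in for a
# real threat-intelligence hash feed. Not a real indicator of compromise.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malicious-sample-for-demo").hexdigest(),
}


@dataclass(frozen=True)
class DlpTemplate:
    """Industry template: keywords suggesting sensitive content plus regexes
    for structured identifiers, each with an optional validator (constructed)."""
    name: str
    keywords: tuple
    patterns: tuple  # (label, compiled regex, validator-or-None)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on the card-number regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_validator(match: str) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", match))


TEMPLATES = (
    DlpTemplate(
        name="PCI DSS-style (constructed)",
        keywords=("cardholder", "cvv", "primary account number"),
        patterns=(("card_number",
                   re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
                   card_validator),),
    ),
    DlpTemplate(
        name="HIPAA-style (constructed)",
        keywords=("patient", "diagnosis", "medical record number"),
        patterns=(("national_id_like",
                   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                   None),),
    ),
)


def mask(value: str) -> str:
    """Keep only the last four characters so evidence in logs is not itself a leak."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_dlp(text: str) -> list:
    """Return (template, kind, evidence) triples for every template hit."""
    hits = []
    lowered = text.lower()
    for tpl in TEMPLATES:
        for kw in tpl.keywords:
            if kw in lowered:
                hits.append((tpl.name, "keyword", kw))
        for label, regex, validator in tpl.patterns:
            for m in regex.finditer(text):
                if validator is None or validator(m.group(0)):
                    hits.append((tpl.name, label, mask(m.group(0))))
    return hits


def evaluate_upload(filename: str, data: bytes) -> dict:
    """Gate a file the way an outbound mail attachment would be gated:
    known-bad hash first, then content scan; returns the decision record."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return {"file": filename, "action": "block",
                "reason": "known-bad hash", "sha256": digest}
    hits = scan_dlp(data.decode("utf-8", errors="ignore"))
    if hits:
        return {"file": filename, "action": "quarantine",
                "reason": "sensitive content", "hits": hits}
    return {"file": filename, "action": "allow", "reason": "clean", "sha256": digest}


# Constructed sample uploads, one per outcome.
SAMPLE_UPLOADS = {
    "dropper.bin": b"constructed-malicious-sample-for-demo",
    "expenses.txt": b"Cardholder: J. Doe  PAN 4111 1111 1111 1111  CVV 123",
    "invoice.txt": b"Invoice 1234 5678 9012 3456 for 3 licences",
    "notes.txt": b"Patient J. Doe, diagnosis pending, MRN 555-12-3456",
}

if __name__ == "__main__":
    for name, blob in SAMPLE_UPLOADS.items():
        print(evaluate_upload(name, blob))
```

The order matters: the hash lookup is cheap and catches files already known to be malicious before any parsing happens, while the template scan only fires on validated identifiers or explicit keywords, so a run of digits that fails the Luhn check (the invoice sample) does not trip the PCI template. Evidence is masked before it is written to the decision record, so the DLP log does not become a second copy of the sensitive data.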
Some IT budget holders will be concerned that a full proxy approach to cloud application security may be prohibitively expensive, as well as causing extra latency, delay and frustration. However, there are now more sophisticated solutions available, with flexible deployment options that avoid impacting the user.
Whatever your response, you can see the clouds gathering. It’s time to take control before the storm strikes.