How are businesses facing the cybersecurity challenges of increasing cloud adoption?
Cloud services serve core functions essential to all aspects of business operations, but getting cloud security right is still a challenge for many organizations, the 2019 Cloud Threat Report by Oracle and KPMG has shown.
The two companies asked 450 cyber security and IT professionals from private and public-sector organizations in the US, Canada, UK, Australia and Singapore about the problems surrounding cloud adoption and use in their environments.
While 73 percent of them feel the public cloud is more secure than what they can deliver in their own data center, there are still many sore points that negatively impact their organization’s security posture:
- The continuing confusion around the shared responsibility security model
- The visibility gap
- The risks that come with an increasingly mobile workforce using cloud-delivered applications
- The unabated threat of shadow IT.
Lack of visibility and clarity about the security responsibility
Cloud services are becoming the primary data store for many organizations, but when asked which percentage of the company’s data is currently stored in the public cloud, surveyed CISOs and CIOs offered divergent answers.
“This disparity (…) is troublesome as it indicates a lack of awareness and involvement in the use of cloud services by one of the organizational leaders responsible for securing that usage,” Oracle and KPMG point out.
CISOs are, unfortunately, too often on the cloud security sidelines. “The decentralized adoption of cloud services by line of business leaders who do not follow approval methodologies creates a visibility gap for the organization’s cybersecurity leaders,” the results indicate.
82 percent of cloud users have experienced security events due to confusion over the shared responsibility model. What’s more, only 10% of the polled CISOs fully understand the shared responsibility security model, compared with 25% of CIOs who report no confusion.
The lack of visibility is also a great problem:
- A third of the respondents say that they have difficulties when it comes to detecting and reacting to security incidents in the cloud
- 29% struggle with a lack of skills and qualified staff (especially when it comes to cybersecurity)
- 24% struggle with a lack of visibility across their data center and endpoint attack surface.
Shadow IT and insecure cloud access
The respondents have witnessed unsanctioned/shadow IT cloud applications resulting in unauthorized access to data (50%), introduction of malware (48%) and loss of data (47%), and are justifiably worried about it.
Improper use of sanctioned cloud applications is also a problem:
While 91 percent of the organizations have formal methodologies around cloud usage, 71 percent of the respondents are sure these policies are being violated by employees.
“When it comes to who has access to cloud-resident sensitive data, there are many users, including business partners, contractors, supply chain partners, auditors, part-time employees, customers, and others. These individuals will use different devices and operate under different policies and norms than an organization’s full-time employees, putting cloud-resident data at risk,” Oracle and KPMG also noted.
“At the center of how the use of cloud services has increased the risk associated with third-party access are enterprise file sync and share services (EFSS). EFSS services are often used by employees to share corporate data not only with each other but as a means to easily collaborate with external partners. Because EFSS tools are one of the most common types of shadow IT applications, their use, including with whom data is being shared, is often not governed, creating additional risk for the business.”
Fixing the problems
43% of the respondents say that they have implemented automated patch management and 46% expect to implement it in the next 12-24 months. They are primarily interested in gaining greater operational efficiencies (48%), but also in reducing the window in which vulnerabilities can be exploited (29%).
57% of businesses are actively evaluating replacing passwords or planning to in the next 12-24 months. 6% have already eliminated them in favor of other forms of authentication (SMS, YubiKey smart card, fingerprint, token, etc.)
28% of the organizations already use multi-factor authentication to authenticate access to a wide variety of systems and data assets, 46% use it for access to their most mission critical resources, sensitive data, and use of root/admin accounts, and 18% are in the process of implementing it in the next 18 months.
To protect the expanded perimeter of the enterprise, companies have taken a variety of actions, but the ones with the most positive impact are those that reduce the attack surface: more regular penetration testing, more frequent patching and automated exploitation protection. When it comes to edge-based control, web application firewalls (WAF), cloud access security brokers (CASBs), and botnet/DDoS mitigation controls are deemed to be critical or very important.
Finally, the percentage of organizations who deployed or plan to deploy machine learning technologies to meet security challenges has risen by 6%.
They hope it will help them investigate more security alerts (29%), reduce false positives (26%), eliminate other more compute-intensive detection techniques (25%), detect “zero-day” threats (25%), and handle more incidents with Tier 1 analysts.
Common WordPress Vulnerabilities & How to Protect Against Them
The WordPress website platform is a vital part of the small business economy, dominating the content management system industry with a 60% market share. It gives businesses the ability to run easily-maintained and customizable websites, but that convenience comes at a price. The easy-to-use interface has given even users who are not particularly cybersecurity-savvy a presence on the web, drawing cyber-criminals out of the woodwork to look for easy prey through WordPress vulnerabilities in the process.
Here are some of these common vulnerabilities, and how you can prepare your website to protect against them.
The WordPress Plugin Directory is a treasure trove of helpful website widgets that unlock a variety of convenient functions. The breadth of its offerings is thanks to an open submission policy, meaning anyone with the skill to develop a plugin can submit it to the directory. WordPress reviews every plugin before listing it, but clever hackers have been known to exploit flaws in approved widgets.
The problem is so prevalent that, of the known 3,010 unique WordPress vulnerabilities, 1,691 are from WordPress plugins. You can do a few things to help keep your site from being exploited through a plugin. Only download plugins from reputable sources, and be sure to clean out any extraneous plugins you are no longer using. It’s also important to keep your WordPress plugins up-to-date, as outdated code is the best way for a hacker to inject malware into your site.
Phishing remains a favored attack form for hackers across all platforms, and WordPress is no exception. Keep your eyes out for phishing attacks in the comments section, and only click on links from trusted sources. In particular, WordPress admins need to be on alert for attackers looking to gain administrative access to the site. These phishing attacks may appear to be legitimate emails from WordPress prompting you to click a link, as was seen with a recent attack targeting admins to update their WordPress database. If you receive an email prompting you to update your WordPress version, do a quick Google search to check that the update is legitimate. Even then, it’s best to use the update link from the WordPress website itself, not an email.
Weak Administrative Practices
An often overlooked fact about WordPress security: Your account is only as secure as your administrator’s. In the hubbub of getting a website started, it can be easy to create an account and immediately get busy populating content. But hastily created administrator credentials are a weak link in your cybersecurity, and something an opportunistic hacker will seize upon quickly. Implementing administrative best practices is the best way to increase your WordPress security.
WordPress automatically creates an administrator with the username of “admin” whenever a new account is created. Never leave this default in place; it’s the equivalent of using “password” as your password. Instead, create a new account and grant it administrative privileges before deleting the default administrator account. You’ll also need to change the easily-located and often-targeted administrator URL from the default of “wp-admin” to something more ambiguous of your own choosing.
One of the most important practices for any WordPress administrator is keeping the WordPress version up-to-date. An ignored version update can easily become a weak point for hackers to exploit. The more out-of-date your version, the more likely you are to be targeted by an attack. According to WordPress, 42.6% of users are using outdated versions. Don’t be one of them.
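The checks recommended above (a leftover default “admin” account, unused plugins, plugins with pending updates) can be scripted. The following is an added example, not part of the original article: it assumes WP-CLI supplies the real input, and the logins and plugin names shown are constructed sample data.

```shell
#!/bin/sh
# Added example: audit helpers for the WordPress checks described above.
# On a real site the input would come from WP-CLI (assumed installed), e.g.:
#   wp user list --role=administrator --field=user_login | default_admin_present
#   wp plugin list --fields=name,status,update --format=csv | plugins_to_review

# Reads administrator logins on stdin, one per line.
# Exit status 0 if any login is exactly "admin".
default_admin_present() {
    grep -qx 'admin'
}

# Reads CSV with the header name,status,update on stdin and prints one line
# per finding: inactive plugins (removal candidates) and pending updates.
plugins_to_review() {
    awk -F, 'NR > 1 {
        if ($2 == "inactive")  print $1 ": inactive, remove if unused"
        if ($3 == "available") print $1 ": update available"
    }'
}

# Constructed sample data (hypothetical names, not from a real site).
SAMPLE_ADMINS='admin
jane.ops'
SAMPLE_PLUGINS='name,status,update
contact-form,active,available
old-slider,inactive,none
seo-tools,active,none'

# Runs both checks over the sample data and prints the findings.
audit_sample() {
    if printf '%s\n' "$SAMPLE_ADMINS" | default_admin_present; then
        echo 'user: default "admin" administrator account exists'
    fi
    printf '%s\n' "$SAMPLE_PLUGINS" | plugins_to_review
}

audit_sample
```

Run from a scheduled job, the same two functions give an early warning when a plugin falls behind or a default account reappears.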
Additional Security Practices
The use of reputable security plugins like Wordfence or Sucuri Security can add an additional layer of protection to your site, especially against SQL injections and malware attacks. Research any security plugins before you install them, as we’ve previously seen malware masquerading as WordPress security plugins. If your security plugin doesn’t offer two-factor authentication, you’ll still need to install a secure two-factor authentication plugin to stop brute force attacks. Keeping your data safe and encrypted behind a trusted VPN is also key to WordPress security, especially for those who find themselves working on their WordPress site from public WiFi networks.
WordPress is a powerful platform, but it’s only as secure as you keep it. Keep your website and your users secure with these tips on enhancing WordPress security, and check back here often for updates on all things cybersecurity.
AI Won’t Solve All of Our Cybersecurity Problems
AI is already supporting businesses with tasks ranging from determining marketing strategies, to driverless cars, to providing personalized film and music recommendations. And its use is expected to grow even further in the coming years. In fact, IDC found that spending on cognitive and AI systems will reach $77.6 billion in 2022, more than three times the $24.0 billion forecast for 2018.
But the question remains – can businesses expect AI adoption to effectively protect them from cyber threats?
Entry points and malware
The Internet of Things (IoT) means everyday objects are generating more traffic, collecting more data and opening up more entry points for attack than ever before. This, alongside more integrated networks, results in cybercriminals having a plethora of entry points for bringing down an organization. More IoT devices means a greater likelihood of unpatched devices on the network. Unpatched individual devices on the network mean that the whole system is potentially vulnerable.
The truth is that as businesses grow smarter with AI, so do their attackers. Already, malware can infiltrate a system, collect and transmit data, and remain undetected for days. But with AI, an attack is augmented with the ability to adapt and learn how to improve its effectiveness with every moment it goes undetected.
The problems with AI and cybersecurity
It’s worth noting that AI refers to the broad concept of machines being able to mimic human cognitive functions. It can detect patterns, spot anomalies, classify data and group information. Machine learning, on the other hand, can be seen as an embodiment of AI – when machines are given enough data, they can use it to solve problems and make decisions by themselves.
In an ideal world, AI and machine learning would be able to spot and shut down an attack before humans need to do anything. After all, it has the ability to detect anomalous behavior and deter security intrusions on a round-the-clock basis.
However, this isn’t always possible. Algorithms are only as good as the humans that designed them, and any decision-making that is automated needs a significant amount of pre-planning and manual analysis of data. Furthermore, machine learning requires feedback when determining what is ‘good’ or ‘bad’.
In turn, this creates problems, as malicious attacks can be designed to appear unthreatening from the outset and slip past an AI’s algorithms. Trying to confuse and subvert the defensive algorithms of an AI is known in the research space as “adversarial machine learning” and is a particularly hard challenge to overcome. Getting machine learning right is difficult by itself: real-life data is messy and noisy, and attacks are relatively infrequent. All of these factors limit the amount of useful data available for training and sharpening AI.
Given its flaws, AI should not be considered as an adequate replacement for human surveillance — at least not in the immediate future. Every technology has limits and human knowledge and intuition will remain vital to understanding how to react to a threat, and the depth of the issue at hand. Furthermore, not all attacks are sophisticated AI-based hacks. There are a variety of human threats, which must be counteracted, and as such, it still takes a human to recognize certain behavioral patterns.
A hybrid approach, where only specific processes are automated and the rest remains the responsibility of humans, is the most logical option. However, it’s not all bad. AI can share some of the burden of surveillance and take away several mundane chores from human hands, freeing them up for decision-making and specific pattern recognition.
CIOs need to ask the right questions when it comes to ensuring they don’t get swept up amongst the AI hype. Any security solution claiming absolute protection should be treated with caution. While the potential for security to become more proactive than reactive is there, a common sense, dual approach is needed. At this moment, human expertise along with AI technology can achieve better results than either one alone.