POODLE Update – Latest Data Alarms Experts

You’ve seen the headlines about POODLE alongside images of menacing fluffy dogs. We have an update on the current extent of the exposure, as well as a tool enterprises can use to quantify exposure to POODLE within their own corporate environments.

Last week, we wrote about the POODLE vulnerability first reported on October 14 by three Google security researchers (see original post here). Our blog post provided a POODLE 101 breakdown, explained the risk of this particular SSL vulnerability, and recommended the steps you can take to protect your company’s data.

As of this posting, the number of cloud services that are vulnerable to POODLE has dropped from 4,704 to 2,844. This means that 2,844 cloud providers have not yet addressed POODLE with a fix, alarming security experts who expected quicker resolution on the part of major cloud service providers. Skyhigh recommends that these providers start looking at their SSL stack configuration and disable SSLv3 and any earlier SSL versions.

Skyhigh has identified the cloud service providers that are still at risk of having their SSLv3 connections hijacked and decrypted. We’re offering a free POODLE audit to any organization interested in understanding which of the services in use in its environment are still vulnerable.

 

Author :
Lauren Ellis is a research analyst covering the technology industry’s top trends & topics, focusing on Cloud Security, Cloud Computing, Data Loss Prevention etc.,

In Plain Sight: How Hackers Exfiltrate Corporate Data Using Video

Consumers and companies are embracing cloud services because they offer capabilities simply not available with traditional software. Cyber criminals are also beginning to use the cloud because it offers scalability and speed for delivering malware, such as in the recent case of Dyre, which used file sharing services to infect users. The latest evolution of this trend is attackers using the cloud to overcome a key technical challenge – extracting data from a company. Under the cover of popular consumer cloud services, attackers are withdrawing data from the largest companies in ways that even sophisticated intrusion prevention systems cannot detect.

Previously, researchers at Skyhigh uncovered malware using Twitter to exfiltrate data 140 characters at a time. Skyhigh recently identified a new type of attack that packages data into videos hosted on popular video sharing sites, a technique difficult to distinguish from normal user activity.

The Industrialization of Hacking
The target of these attacks ranges from customer data such as credit card numbers and social security numbers to intellectual property, which can include design diagrams and source code. In recent years, hacking has undergone a revolution. Once a hobbyist pursuit, hacking is now performed at industrial-scale with well-funded teams backed by cartels and national governments. Stealing data is big business, whether to compromise payment credentials and resell them for profit or to gain access to intellectual property that could allow a competitor to catch up on years (or decades) of research and development.

In response, companies have made significant investments in software that can detect telltale signals that attackers have gained access to their network and are attempting to extract sensitive data. With these intrusion prevention systems in place, it can be quite challenging for attackers to remove a large amount of data without being discovered. In the same way that thieves would find it difficult to sneak bags of money out the front door of a bank undetected by guards and security cameras, today’s cyber criminals need a way to mask their exit. That’s why they’ve turned to cloud services to make large data transfers.

Their latest technique involves consumer video sites. There are two attributes that make video sites an excellent way to steal data. First, they’re widely allowed by companies and used by employees. There are many legitimate uses of these sites such as employee training videos, product demos, and marketing the company’s products and services. Second, videos are large files. When attackers need to extract large volumes of data, video file formats offer a way to mask data without arousing suspicions about a transfer outside the company.

How the Attack Works
Once attackers gain access to sensitive data in the company, they split the data into compressed files of identical sizes, similar to how the RAR archive format transforms a single large archive into several smaller segments. Next, they encrypt this data and wrap each compressed file with a video file. In doing so, they make the original data unreadable and further obscure it by hiding it inside a file format that typically has large file sizes. This technique is sophisticated; the video files containing stolen data will play normally.

They upload the videos containing stolen data to a consumer video sharing site. While they’re large files, it’s not unusual for users to upload video files to these types of sites. If anyone checked, the videos would play normally on the site as well.

After the videos are on the site, the attacker downloads the videos and performs the reverse operation, unpacking the data from the videos and reassembling it to arrive at the original dataset containing whatever sensitive data they sought to steal.

What Companies can do to Protect Themselves
Traditional intrusion detection technology generally does not detect data exfiltration using this technique. One signal that identifies this attack is an anomalous upload of several video files with identical file sizes. Spotting that signal requires a big data approach: analyzing the routine usage of cloud services in the enterprise so that these anomalous events stand out against normal activity.

Skyhigh analyzes all cloud activity to develop behavioral baselines using time series analysis and machine learning, and identified the attack in the wild at a customer site.
Importantly, the detection relied on analysis of normal usage activity rather than detecting malware signatures that don’t exist before the attack has been catalogued. Skyhigh’s approach requires no knowledge of the attack before it’s detected.

Companies can proactively take steps to protect themselves by limiting uploads to video sharing sites while still allowing the viewing or download of videos. Deploying a cloud-aware anomaly detection solution can also give early warning of an attack in progress and either block it from occurring or allow a company to quickly take action to stop the attack and prevent additional data from being exfiltrated.
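The detection signal described above (several video files of identical size uploaded by one user to one video service in a short period) can be expressed as a small rule over cloud-proxy upload logs. The following is an added example, not Skyhigh’s detection code; the log format, the service name `vidshare.example`, the user names and the file sizes are all constructed for the demonstration.

```python
"""Flag bursts of same-sized video uploads, the signal described in the post.

Added example, not Skyhigh's detection code. The log format is constructed:
    <ISO-8601 timestamp> <user> <service> <action> <filename> <bytes>
"""
from collections import defaultdict
from datetime import datetime, timedelta

VIDEO_EXTENSIONS = (".mp4", ".mov", ".avi", ".mkv", ".webm")
WINDOW = timedelta(hours=24)     # look for the burst within one day of activity
MIN_SAME_SIZE = 3                # identical-size uploads needed to raise an alert

# Constructed sample: alice pushes four exactly-100 MiB "videos" in ten minutes,
# bob only downloads, carol uploads one ordinary video of an arbitrary size.
SAMPLE_LOG = """\
2014-10-20T09:01:12Z alice vidshare.example UPLOAD training_part1.mp4 104857600
2014-10-20T09:04:40Z alice vidshare.example UPLOAD training_part2.mp4 104857600
2014-10-20T09:07:03Z alice vidshare.example UPLOAD training_part3.mp4 104857600
2014-10-20T09:10:55Z alice vidshare.example UPLOAD training_part4.mp4 104857600
2014-10-20T10:15:00Z bob vidshare.example DOWNLOAD product_demo.mp4 88012345
2014-10-20T11:30:22Z carol vidshare.example UPLOAD townhall_q3.mp4 523449812
2014-10-22T08:00:00Z alice vidshare.example UPLOAD training_part5.mp4 104857600
"""


def parse_line(line):
    """Split one log line into a dict; malformed lines raise ValueError."""
    ts, user, service, action, name, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "service": service, "action": action,
        "name": name, "size": int(size),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_video_upload(event):
    return (event["action"] == "UPLOAD"
            and event["name"].lower().endswith(VIDEO_EXTENSIONS))


def find_same_size_bursts(events, window=WINDOW, min_count=MIN_SAME_SIZE):
    """Return one alert per (user, service, size) where at least `min_count`
    video files of *identical* byte size were uploaded within `window`.

    Genuine videos almost never share an exact byte count; equal-sized files
    are the fingerprint of a split archive wrapped in a video container.
    """
    uploads = defaultdict(list)  # (user, service, size) -> timestamps
    for e in events:
        if is_video_upload(e):
            uploads[(e["user"], e["service"], e["size"])].append(e["ts"])

    alerts = []
    for (user, service, size), times in uploads.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            alerts.append({"user": user, "service": service,
                           "size": size, "count": best})
    return alerts


if __name__ == "__main__":
    for alert in find_same_size_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['user']} -> {alert['service']}: "
              f"{alert['count']} uploads of exactly {alert['size']} bytes")
```

The rule keys on exact byte equality rather than on file type alone, so ordinary training or marketing uploads (carol’s single file) do not fire, and the window keeps a fifth segment uploaded two days later from inflating the count. In production the threshold and window would come from the per-user baseline the post describes rather than from constants.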

The volume and sophistication of attacks is increasing. In this threat environment, companies must take additional steps to protect data while allowing the use of cloud services that also drive innovation and growth in their businesses. State-sponsored attacks and sophisticated criminal organizations are now using the cloud as a delivery vehicle for malware and as an exfiltration vector, but companies can also take advantage of a new generation of cloud-based detection and protection services to safeguard their data and protect themselves.


The Data Factory: 12 Essential Facts on Enterprise Cloud Usage & Risk

Between headlines from the latest stories on data breaches and the hottest new apps on the block, it’s easy to be captivated with what people are saying, blogging, and tweeting about the state of cloud adoption and security. But let’s face it: It’s hard to separate the hype from the truth, and stories about security can range from hyperbolic to accurately frightening.

The fifth installment of our quarterly Cloud Adoption and Risk (CAR) Report presents a data-based analysis of enterprise cloud usage. With cloud usage data from over 13 million enterprise employees and 350 organizations spanning all major verticals, the report is the industry’s most comprehensive and authoritative source of information on how employees are using cloud services. For the first time in the report’s history, we’ve partnered with the Cloud Security Alliance to gather IT managers’ perceptions on cloud adoption and risk and compare their perceptions with hard data. The results reveal a disparity between perception of enterprise cloud use and reality.

You can download the full report here. In addition to popular recurring features such as the Top 20 Enterprise Cloud Services and the Ten Fastest-Growing Applications, the latest report contains several shocking findings.

Mind the Cloud Enforcement Gap
IT often blocks cloud services that fail to meet their organization’s acceptable use policies. Due to changing cloud service URLs, inconsistent policy enforcement, and unmonitored exceptions, the cloud enforcement gap is a shocking 6x. For example, more than 50% of the enterprises intended to block Apple iCloud, but actual usage data showed iCloud was blocked in only 9% of the enterprises.

Don’t Underestimate Insider Threat
Security professionals believe insider threat incidents are rare, with only 17% of respondents aware of an incident at their organization in the past year. The reality is 85% of companies had cloud usage activity strongly indicative of insider threat.

The Cloud 1% and the 80-20 Rule
While the average organization employed 831 cloud services, the distribution of data revealed that 80% of data uploaded to the cloud goes to just 11 cloud services – less than 1% of the total number. Still, enterprises can’t ignore other cloud services: The remaining 20% of data account for 81.3% of anomalous activity indicative of malware, compromised accounts, and insider threat.

IT’s Worst Nightmare: The World’s Riskiest User
One anonymous user uploaded more than 15 GB of data to high-risk services such as Sourceforge and ZippyShare over 3 months. This individual used 182 high-risk cloud services, any one of which could have been a vector for confidential data to be inappropriately leaked or for malware to be introduced into the enterprise, thus proving that even a single employee is capable of significant damage to corporate security.


74% of Cloud Services do not Meet European Data Residency Requirements

The European Union (EU) contains 28 countries and has some of the strongest sets of data protection regulations in the world. These don’t just affect organisations based in Europe, but anyone who deals with PII (Personally Identifiable Information) of any citizens of those 28 countries. In this globalised world, that probably means you!

Organisations which hold this information need to conform to the current EU Data Protection Directive (and, in future, the likely even stronger EU General Data Protection Regulation). The directive includes requirements to keep the data secure and that the data must not be exported outside the European Economic Area except to countries or organisations that have signed up to equivalent privacy protection.

There is a list of countries with equivalent protection including Argentina, Canada, Israel, Switzerland and New Zealand. Data can be exported to the USA if the company the data is sent to has signed up to the US Department of Commerce’s Safe Harbor scheme. Sadly, less than 9% of US cloud service providers have signed up to the Safe Harbor scheme.

Skyhigh’s Q3 Cloud Adoption and Risk in Europe Report looks at the cloud service providers used by employees in European organisations and 74.3% of the providers do not meet these stipulations – so any organisation sending PII to these service providers is breaking the EU Data Protection Directive.

At present, fines for data loss can be up to $800,000, though the proposal is that the new regulations will increase this to 5% of turnover. Anyone who has data on EU citizens should be taking a very careful look at their data safeguards and the contracts between themselves and any cloud provider that they use.


Compliance, Governance, and Salesforce, Oh My!

Back in June we announced that Salesforce participated in Skyhigh’s Series C funding round as a strategic investor. The move validated our status as a category-creating company dedicated to addressing compliance and governance requirements and boosting the enterprise adoption of Cloud Security services.

Now we are thrilled to announce Skyhigh’s induction into Salesforce’s Independent Software Vendor (ISV) Partnership Program. Skyhigh for Salesforce is now available on the Salesforce App Exchange. This latest offering brings function-preserving encryption (searchable, order-preserving, and format-preserving) with customer-owned keys and tokenization, as well as comprehensive data governance capabilities such as activity monitoring, anomaly detection, data discovery, and contextual access control for customers’ Salesforce deployments.

A Vote of Confidence
By inducting Skyhigh into the ISV Partnership Program, Salesforce recognizes the value Skyhigh delivers to Salesforce customers. Skyhigh aligns with Salesforce’s “cloud-first” approach by supporting multiple deployment options, including cloud, on-premise, and hybrid, and by fully supporting the Salesforce1 mobile app. But we believe the partnership goes beyond the technical integration and is a testament to our culture. We bring our guiding principles of transparency and a true spirit of partnership to all collaborations, and we look forward to delivering excellence in product and service to our mutual customers with Salesforce. Existing partnerships with key-management company SafeNet and single sign-on providers Okta and Ping Identity allow Skyhigh for Salesforce to cover an even wider range of use cases and customer requirements.

Our work at creating the best possible solution does not stop here; the partnership marks an ongoing collaborative relationship. As an ISV partner, Skyhigh will receive early access to Salesforce upgrades, and we look forward to continuous innovation in compliance and governance for Salesforce.
 
Preserving Functionality for All Salesforce
Enterprise users love the functionality and user interface of the Salesforce platform. While encryption can break the functionality of cloud-based SaaS applications, Skyhigh for Salesforce provides a seamless user experience. To do so, we worked with experts from our academically renowned Cryptography Advisory Board on delivering function-preserving encryption schemes. These cutting-edge algorithms enable searchable, format-preserving, and order-preserving encryption for data housed in Salesforce, ensuring customers can safely leverage mission-critical data while still meeting compliance requirements.
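To make concrete what “function-preserving” means for the order-preserving case, here is an added teaching example: a deliberately simple toy order-preserving encryption (OPE) scheme, constructed for this page and not Skyhigh’s algorithm or anything from its Cryptography Advisory Board. The record ids, values and the key are made up. It shows the property the paragraph relies on (a range query evaluated on ciphertexts returns the same rows as on plaintexts) together with the caveat a practitioner should know: OPE, by design, reveals the ordering of the plaintexts to whoever holds the ciphertexts.

```python
"""Toy order-preserving encryption (OPE) showing why a range query still works on
ciphertext. Added example: a constructed teaching scheme, not Skyhigh's algorithm.

Ciphertext of x = sum of keyed pseudo-random positive gaps g(0) + ... + g(x), so
x < y  =>  E(x) < E(y). Cost is O(domain) per call, acceptable only for a demo."""
import hashlib
import hmac


class ToyOPE:
    def __init__(self, key: bytes, domain: int, max_gap: int = 1000):
        self.key, self.domain, self.max_gap = key, domain, max_gap

    def _gap(self, i: int) -> int:
        # keyed, deterministic, strictly positive increment for plaintext i
        mac = hmac.new(self.key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        return 1 + int.from_bytes(mac[:4], "big") % self.max_gap

    def encrypt(self, x: int) -> int:
        if not 0 <= x < self.domain:
            raise ValueError("plaintext outside domain")
        return sum(self._gap(i) for i in range(x + 1))

    def decrypt(self, c: int) -> int:
        total = 0
        for x in range(self.domain):
            total += self._gap(x)
            if total == c:
                return x
            if total > c:
                break
        raise ValueError("not a ciphertext under this key")


# Constructed records: (record id, numeric field such as an order amount)
RECORDS = [("acct-1", 4200), ("acct-2", 150), ("acct-3", 9999),
           ("acct-4", 4200), ("acct-5", 0)]


def encrypt_column(ope: ToyOPE, records):
    """What leaves the enterprise: ids plus ciphertexts, never plaintexts."""
    return [(rid, ope.encrypt(v)) for rid, v in records]


def range_query(ope: ToyOPE, enc_records, lo: int, hi: int):
    """The SaaS side compares ciphertexts only; the proxy encrypts the bounds."""
    c_lo, c_hi = ope.encrypt(lo), ope.encrypt(hi)
    return [rid for rid, c in enc_records if c_lo <= c <= c_hi]


def order_leak(enc_records):
    """Caveat: anyone holding the ciphertexts learns the plaintext order (and
    equal plaintexts give equal ciphertexts). That leakage is the price of OPE."""
    return [rid for rid, _ in sorted(enc_records, key=lambda r: r[1])]


if __name__ == "__main__":
    ope = ToyOPE(b"constructed-demo-key", domain=10_000)
    enc = encrypt_column(ope, RECORDS)
    print("records with value in [100, 5000]:", range_query(ope, enc, 100, 5000))
    print("rank order visible to the service:", order_leak(enc))
```

The query runs entirely on the service side without a key, which is what keeps Salesforce reports and filters working; the trade-off is that the service (or anyone who copies its database) can sort customers by the encrypted field and spot equal values. Production schemes use more efficient constructions than this linear-time toy, but the leakage profile is inherent to order preservation and should be weighed field by field.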
 
Leveraging Big Data for Additional Security
Enterprises need to protect intellectual property and sensitive company data stored in Salesforce from insider threat and compromised accounts. In order to augment Salesforce’s security capabilities, Skyhigh’s machine-learning analytics automatically develop behavioral baselines to monitor activity and identify anomalous activity indicating insider threat or compromised accounts. Customizable alert thresholds enable administrators to harness big data without drowning in the proverbial data pool. Skyhigh’s Activity Monitoring enables forensic analysis at the object level for the most detailed incident reports.


POODLE – How bad is its bite? (Here’s the data)

A major vulnerability affecting the security of cloud services dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption) was reported on October 14th by three Google security researchers—Bodo Möller, Thai Duong, and Krzysztof Kotowicz. Their paper about the vulnerability is available here.

What is POODLE?
POODLE affects SSLv3 or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. It’s not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

This vulnerability allows for the hijacking and decryption of SSL version 3.0 connections; SSL 3.0 is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. While usage of SSL 3.0 is generally limited, backward-compatibility support for the protocol is still prevalent and exposes nearly all browsers and users.

The SSLv3 protocol has been in use since its publication in 1996. TLSv1 was introduced in 1999 to address weaknesses in SSLv3, notably introducing protections against CBC (cipher block chaining) attacks. Although SSLv3 is considered a legacy protocol, it is still commonly permitted for backward compatibility by the default configurations of many web servers, including Apache HTTP Server and Nginx. Many browsers will fall back to SSLv3 if the server doesn’t support the TLSv1 protocol or if a TLSv1 negotiation fails for any reason.

What’s the risk?
The danger arising from the POODLE attack is that a malicious actor with control of an HTTPS server or some part of the intervening network can cause an HTTPS connection to downgrade to the SSLv3 protocol. An attack against SSLv3’s CBC encryption schemes can then be used to begin decrypting the contents of the session. Essentially, POODLE could allow an attacker to hijack and decrypt the session cookie that identifies a cloud security service user to a service like Twitter or Google, and then take over your accounts without needing your password.

How to protect your company’s data
We recommend disabling the SSLv3 protocol on all servers, relying only on TLSv1.0 or greater. Additionally, company browsers and forward proxies should disallow SSLv3 and likewise permit only TLSv1.0 or greater as the minimum SSL protocol version. Enterprises should also disable the use of CBC-mode ciphers. To stop the retry of a failed connection from being used as a downgrade, enable the TLS_FALLBACK_SCSV option.

Legacy applications relying solely on SSLv3 should be considered at-risk and vulnerable. Generic encryption wrapper software like Stunnel can be used as a workaround to provide encrypted TLSv1 tunnels.
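The server-side change recommended above, shown as an added example for nginx (one of the two servers the post names as still allowing SSLv3 by default). This configuration is constructed for this page and is not from the original post; `example.com` and the certificate paths are placeholders. The first block is the weak setting, the second the corrected one.

```nginx
# BEFORE (weak): SSLv3 still offered for backward compatibility and CBC-mode
# suites allowed. A client that can be pushed down to SSLv3 with a CBC suite is
# exactly the situation POODLE exploits.
server {
    listen 443 ssl;
    server_name example.com;                    # placeholder
    ssl_certificate     /etc/ssl/example.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example.key;   # placeholder path
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

# AFTER (hardened): SSLv3 dropped, only AEAD (GCM) suites offered so no CBC
# suite can be negotiated, and the server's preference order wins.
server {
    listen 443 ssl;
    server_name example.com;                    # placeholder
    ssl_certificate     /etc/ssl/example.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example.key;   # placeholder path
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
}
```

Two caveats. GCM suites exist only in TLSv1.2, so excluding every CBC suite leaves TLSv1.0 and TLSv1.1 clients with nothing to negotiate; an organisation that must keep such clients has to accept CBC suites on those versions (where TLS’s padding checks, unlike SSLv3’s, make the POODLE condition much harder to reach) and weigh that against the client population. TLS_FALLBACK_SCSV is not an nginx directive: the server honours it automatically when nginx is linked against OpenSSL 1.0.1j or later and the client sends it, so keeping the TLS library current is the action item. Validate and apply with `nginx -t` followed by `nginx -s reload`.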

How many cloud services are vulnerable?
As of this morning, 61% of cloud services had not addressed the POODLE vulnerability with a fix. The fact that many cloud services still support SSLv3 is a sign that cloud providers are not paying attention to what protocols are offered by their SSL stack. Cloud service providers should start looking at their SSL stack configuration and make sure they have disabled SSLv3 and any earlier SSL versions. In the process, they should also ensure the SSL stack’s proper use of ciphers.

We are working with customers to proactively identify vulnerable services and users and provide guidance for measures required to protect their data and user accounts.


With Impending IPO, Box Security Under Scrutiny

After the massive Target credit card breach and NSA revelations from Edward Snowden, corporate customers are taking a more careful eye toward the security of hosted data storage providers. “I think you’re seeing a greater emphasis on security than before which impacts all cloud providers, certainly, and companies like Box that are planning initial public offerings,” says Gavin Anderson.

With blue chip customers that include GE, Box’s customer base already shows that large companies have confidence in their solution. However, experts say companies evaluating a file sharing solution in the cloud are more likely to take a more detailed look at Box security given recent events. The Target credit card breach wiped 46% of the company’s quarterly profit and ended with the CIO and CEO resigning.

“No executive wants to be in a position where they have to resign over a security breach, which has elevated the topic to the boardroom,” says Anderson. Indeed, the cloud is now a board-level concern whether the company is looking to reduce expenses and transition to operating expense model over capital investments, or maintain a competitive advantage with the latest and most powerful software applications.

Experts have noted that Box security is already extremely robust compared with consumer offerings from Dropbox and Hightail. Dropbox has had several high profile breaches in recent years, including one in which individuals could log in to any account for several hours with only a username and no password. Some of Box’s security features include encryption at rest, data loss prevention, and audit trails showing users’ behavior within the application.

As the company prepares to go public, Box security will be just one of the considerations investors consider when deciding to join the initial public offering. The company’s growth prospects and strategic position will also impact the success of the IPO. With many more cloud providers waiting to go public, all eyes will be on the Box IPO to see the appetite for these types of offerings.