Evolving Threats and Attacks:
A Cloud Service Provider’s viewpoint
John Howie Senior Director
Online Services Security and Compliance
Introduction
• Microsoft’s Cloud Infrastructure
• Evolution of Threats and Cyberattacks
• Attacks against Customers and Providers
• The Future
Global Foundation
Services
Microsoft’s Cloud Environment
Physical infrastructure
Logical Infrastructure
Compute runtimes
Identity and directory stores
Cloud Platform Services
And others
Cloud Infrastructure Consumer and
Small Business Services
Enterprise Services
Third-Party Hosted Services
Cloud Security Challenges
Growing Interdependence Amongst Public and Private Sector
With these new dependencies come mutual expectations that platform
services and hosted applications be secure and available.
Evolving Technologies, Changing Business Models, Dynamic Hosting Environment
Keeping pace with growth and anticipating future needs is essential to running an effective security program.
Increasing Sophistication of Attacks
Malicious activity focuses on infiltrating and disrupting online service offerings.
Complex, Global Regulatory Requirements and Industry Standards
Each country may pass their own laws that govern the provision and use of online environments.
Cloud
Challenges
Evolution of Threats and Attacks
5
Why Attack?
• The reasons evolve over time
– Curiosity – Notoriety
– Profit (the Willie Sutton motive)
– Modern warfare
• Today we are somewhere between profit
and warfare
The Statistics
• 192% growth in spam from 2007 to 2008
• 75,000 bot-infected computers found daily in 2008, up 31% from 2007
• 90% of breaches in 2008 involved
organized crime targeting corporate information
• 285 million records stolen in 2008
– 230 million between 2004 and 2007
Statistics courtesy of Symantec Corporation
The Statistics
(continued)
• Hacking accounted for 60% of exposed identities in 2009, from 29% in 2008
• Credit card data accounts for 32% of goods advertised in the underground economy
• IP theft costs companies $600 billion globally
Statistics courtesy of Symantec Corporation
Attacks versus neglect
• Incidents involving negligence have
declined steeply over the past two years
Security breach incidents, by incident type, 1H08 – 2H09
0 20 40 60 80 100 120
1H08 2H08 1H09 2H09
Incidents
Negligence Attack
Attacks against providers
and customers
Types of Cloud and Internet Attacks
• There are two types of attack
– Against service providers
– Against customers of service providers
• We need to consider an evolving type of attack
– Against a country and its citizens
Attacks against providers and customers
The Provider
Cybercrime attacks against providers
• Most common attacks are
– Denial of Service (including DDoS)
– Web-site defacement (usually political)
– DNS hijacking
• Rarely seen are attempts to get access to billing records and other data
– Aurora attack in 2009 is an exception rather
than the norm
Cybercrime attacks against providers
(continued)
• Increasing number of sophisticated attacks against advertising networks and other ad- generated revenue systems
– Pay-per-click systems most exploited
• Most attacks can be defeated with
behavioural monitoring and log analysis
– Privacy concerns are an issue
Cybercrime attacks against providers
(continued)
• Some attacks against providers are a precursor to other crimes
– Extortion
– Attacks against customers of the provider
Defeating attacks against the provider
• Ongoing threat and vulnerability
management is key to defeating attacks
– Should be part of a comprehensive information security and risk management program
• Incident response teams should be well- equipped, with plans in place
• BCP/DR plans help recover from DoS
attacks
Non-attacks against the provider
• Cloud service providers have a new challenge to deal with
– Customers that use the provider’s services to launch attacks
• The cloud is a pre-built botnet
• The solution would be to monitor customer use of service for abuse
– Violation of privacy?
Attacks against providers and customers
The Customer: Consumer
Cybercrime attacks against consumers
• Criminals know humans are the weakest link in the security chain
– Exploited for centuries and adapted for cyberspace
• Typical attacks against consumers include
– Phishing (including spear-phishing)
– Fraud (popular on auction sites)
– Luring to compromised sites
Malicious Web Sites - Phishing
• A small number of sites account for the bulk of social network phishes
Active phishing sites tracked each month in 2H08 and 2H09, indexed to December 2009
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Jul-09 Aug-09 Sep-09 Oct-09 Nov-09 Dec-09
Social Networking Sites Online Services E-Commerce Sites Financial Sites
Distribution of Phishing Web-Sites 2H09
Stopping phishing attacks
• Service providers spend time blocking phishing emails
– Either caught as spam or visibly marked as
potential phishing attack on confidence factor
• Browsers and AV/AM software query databases of known sites real-time
– Warn users of known phishing sites
• Service providers issue take-down notices
Stopping phishing attacks
(continued)
• Education is part of solution
– Consumers need to learn what a phishing attack looks like
• Companies must follow best practices
– Do not send out phishing-style emails
– Do not ever request PIN numbers of customers
– Use two-factor authentication where feasible
Distribution of malware hosting sites 2H09
Distribution of malware 2H09
Distribution of Drive-By Sites 2H09
Attacks against providers and customers
The Customer: Enterprises
Cybercrime attacks against enterprises
• Companies moving to the cloud will be a target for criminal activity
– Companies using IaaS public cloud offerings may be most at risk, SaaS the least
• Typical attacks against enterprises include
– Cross-site scripting – SQL Injection
– Brute force authentication attempts
Cybercrime attacks against enterprises
• Companies moving to the cloud will be a target for criminal activity
– Companies using IaaS public cloud offerings may be most at risk, SaaS the least
• Typical attacks against enterprises include
– Cross-site scripting – SQL Injection
– Brute force authentication attempts
Automated SQL Injection Attacks
The Future
Cyberwarfare
• Nation States are starting to flex their cyber muscles
– It is possible to compromise user security and privacy without attacking the cloud or the user
• Non-State actors are increasingly active
– Conventional terrorists
– Minority interest groups
This material is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
©2009 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Hotmail, Microsoft Dynamics, MSN, SharePoint, SQL Server, Windows, and Xbox LIVE are either trademarks or registered trademarks of the Microsoft group of companies.