Cloud Computing and Cybercrime 2.0
Nir Kshetri
The University of North Carolina--Greensboro
Addressing security challenges on a global scale

Concerns about privacy and security in the cloud
• Security/privacy: topmost concerns in cloud adoption decisions, not TCO (Brodkin 2010).
• IDC report (Oct. 2008): security concern was the most serious barrier to cloud adoption.
• IDC poll (April 2010) (Asia Pacific): < 10% of respondents confident about cloud security measures.
• Harris Interactive survey for Novell (Oct. 2010):
  • 90%: concerned about cloud security;
  • 50%: security concerns primary barrier to cloud adoption;
  • 76%: private data more secure when stored on the premises;
  • 81%: worried about regulatory compliance.
• A commonplace observation: cloud providers offer sophisticated services but have weak performances in policies/practices related to privacy/security.
• Cloud: “a largely nascent technology”

Cloud is an opportunity for cyber-criminals as well
• Observation: Cloud will make "Healthcare 2.0", "Banking 2.0" and "Education 2.0" realities, especially in developing countries (Economist 2008).
• Cyber-criminals’ perspective: opportunity for online criminal practices to upgrade to cybercrime 2.0.
• Cloud’s diffusion and that of social media have superimposed onto organizations’ rapid digitization in a complex manner that allows cyber-criminals and cyber-espionage networks to exploit the cloud’s weaknesses.

A framework for understanding security and privacy issues facing the cloud

Institutional factors affecting security/privacy in cloud
• Cloud-related legal system/enforcement mechanisms evolving slowly (e.g., will legislation in the jurisdiction of the user’s, the provider’s or the data’s location govern the protection of the data?)
• Overreach by law enforcement agencies.
• Professional/trade associations: emerging and influencing security and privacy issues.
• Industry standards organizations: address some concerns.
• Concern about dependency on cloud vendors’ security assurances and practices.
• Cloud users’ inertia effects.

Technological factors affecting security/privacy in cloud
• The cloud’s newness and unique vulnerabilities
• Attractiveness and vulnerabilities of the cloud as a cybercrime target
  • Value of data in the cloud
  • Criminal-controlled clouds
• Nature of the architecture
  • Virtual and dynamic
  • Sophistication and complexity

Cloud’s newness/unique vulnerability
• Evolution and popularity of virtualization technology: new bugs, vulnerabilities and security issues are proliferating (Brynjolfsson et al. 2010).
• Cloud: unfamiliar terrain for security companies.
• Lack of mechanisms to guarantee security and privacy: an uncomfortable reality for cloud providers.
• Dawkins (1982): rare enemy syndrome, a helpful theoretical perspective: victims often fall for new, unfamiliar baits or lures.
  • The enemy’s manipulation is so rare that evolutionary development has not yet progressed to the point that the victim has an effective counter poison.

Cloud’s newness/unique vulnerability (cont.)
• A problem: a user may be able to gain access to sensitive portions of the provider’s infrastructure as well as resources of other users (Armbrust et al. 2010).
• August 2010: the U.S. National Institute of Standards and Technology announced a vulnerability:
  • a user can cross from one client environment to other client environments managed by the same cloud provider (NIST 2009).
• Forensically challenging in the case of a data breach:
  • Some public cloud systems may store and process data in different jurisdictions with different laws (McCafferty 2010).
  • Some organizations may encrypt data before storing (Taylor et al. 2010).

Attractiveness/vulnerability as a cybercrime target: Value of data in the cloud
• Target attractiveness = f(perceptions of victims).
• Monetary or symbolic value and portability (Clarke 1995).
• Accessibility: visibility, ease of physical access, and lack of surveillance (Bottoms & Wiles 2002).
• Large companies’ networks offer more targets.
• Cloud suppliers bigger than clients: more attractive targets.
• Offers a high “surface area of attack” (Talbot 2010).
• One fear: IP and other sensitive information stored in the cloud could be stolen.
• Cloud providers may not notify their clients.
• Underreporting of cybercrimes: embarrassment, credibility/reputation damage, stock price drop.

Attractiveness/vulnerability: Value of data in the cloud
• Late 2009: Google discovered a China-originated attack on its cloud infrastructures.
  • The attack was part of a larger operation, which infiltrated infrastructures of at least 20 other large companies.
• Information stored in clouds: potential goldmine for cyber-criminals (Kshetri 2010).
• Early 2010: Yale University postponed plan to move Webmail service to Google Apps tailored for students and faculty.
  • Reason: Google's size and visibility make it more susceptible to cyber-attacks.

Attractiveness/vulnerability as a cybercrime target
• Criminal-controlled clouds
  • The cloud is potentially most vulnerable when viewed against the backdrop of criminal-owned clouds operating in parallel.
  • Diamond is the only material hard enough to cut diamond effectively.
  • Criminal-owned clouds may be employed to effectively steal data stored in clouds.
  • Cloud may provide many of the same benefits to criminals as for legitimate businesses.

Attractiveness/vulnerability: Criminal-controlled clouds
• The Conficker virus
  • Most visible example of a criminal-owned cloud.
  • Arguably the world’s biggest cloud:
    • Controls 7 million computer systems
    • 230 regional and country top-level domains
    • Bandwidth capacity of 28 terabits per second.
  • Larger footprint/resources: spreads malware to control more computers.
  • Less active recently but is still a threat:
    • Last major Conficker attack: April 2009
    • Last reported attack: February 2010 on the network of Manchester police department (U.K.).

The Conficker cloud
• Conficker is available for rent.
• Criminals can choose the location where they want to rent the Conficker cloud.
• Pay according to the bandwidth they want.
• Choose an operating system.
• Customers have a range of options for the type of services to put in the Conficker cloud:
  • denial-of-service attack
  • spreading malware
  • sending spam
  • data exfiltration (Mullins 2010).

The cloud as the ultimate spying machine
• Cyber-espionage 2.0.
• Easier for governments to spy on citizens.
• A Google report: governments' requests for private information and to censor its applications.
• Apr. 2010: Report on Shadow network:
  • Targets: Indian Ministry of Defense, the UN, the Office of the Dalai Lama.
  • The report noted: “Clouds provide criminals and espionage networks with convenient cover, tiered defences, redundancy, cheap hosting and conveniently distributed command and control architectures” (IWMSF 2010).
• Atmosphere of suspicion/distrust among states
  • U.S.-China trade and investment policy relationship.

Concluding comments
• Too simplistic to view the cloud as low-cost security.
• Legitimate/illegitimate organizations and entities: gaining access to data on clouds through illegal, extralegal, and quasi-legal means.
• Technological and behavioral/perceptual factors: equal consideration in the design/implementation of a cloud network.
• New institutions and the redesign of existing institutions needed to confront emerging security and privacy problems.
  • Existing institutions are thickening.
• Privacy and security issues related to the cloud undergoing political, social, and psychological metamorphosis.

References
• Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., & Zaharia, M. (2010). A View of Cloud Computing. Communications of the ACM, 53(4), 50-58.
• Bottoms, A. E., & Wiles, P. (2002). Environmental criminology. Oxford Handbook of Criminology, 620–656.
• Brodkin, J. (2010). 5 problems with SaaS security. Network World, 27(18), 1-27.
• Brynjolfsson, E., Hofmann, P., & Jordan, J. (2010). Cloud Computing and Electricity: Beyond the Utility Model. Communications of the ACM, May 2010, 53(5), 32-34.
• Dawkins, R. (1982). The extended phenotype. Oxford University Press.
• Information Warfare Monitor/Shadowserver Foundation (2010). Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation, JR03-2010, April 6, http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf
• Kshetri, N. (2010). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10), 47-55.
• McCafferty, D. (2010). Cloudy Skies: Public Versus Private Option Still Up In The Air. Baseline, 103, 28-33.
• Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security expert says the biggest cloud providers are botnets, March 22, 2010, available at http://www.networkworld.com/community/node/58829?t51hb. Accessed July 24, 2010.
• NIST (2009). Vulnerability Summary for CVE-2009-3733, 08/21/2010, The US National Institute of Standards and Technology, available at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733.
• Owens, D. (2010). Securing Elasticity in the Cloud. Communications of the ACM, Jun 2010, 53(6), 46-51.
• Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.
• Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing systems. Computer Law & Security Review, May 2010, 26(3), 304-308.