Alert Logic released their semiannual State of the Cloud Security Report today. Among the most significant outcome of the findings, was the discovery that on-premise IT infrastructure is more likely to be attacked, more often, and through a broader spectrum of attack vectors than cloud-based infrastructures. This finding counters commonly held security concerns about the cloud.
The methodology used in the report included an analysis of operational data from Alert Logic’s business customers in both on-premise and service provider environments. This included comparisons of the occurrence, frequency and diversity of incidents across seven categories of security threats. During the study, 1.5 billion security events were observed, evaluated and correlated and reviewed by Alert Logic’s security analysts. Over 70,000 security incidents were verified and classified into seven incident categories from this pool of events.
Some of the key findings in the report detail:
- Half of all enterprises are victims of web application attacks: Web application attacks were experienced by 53% of service provider environments and 44% of on-premise environments with a majority from easy-to-implement automated tools available online that can make even the most novice hacker a professional.
- The cloud is no less safe than the on-premise environment: For every incidence class, including web application attacks, brute force attacks and reconnaissance attacks, the number of incidents per impacted customer was higher in the on-premise environment than cloud-based.
- Infrastructure is more important than industry: The study finds that variations in threat activity among industries are less important than the environment where infrastructure is located. It is not safe to assume that one’s industry is not targeted by attackers, or that an organization is too small to be targeted. Analysis suggests that attackers are using reconnaissance techniques to identify and exploit targets revealing that many attacks are simply opportunistic in nature.
- Unsecured personal computers in the U. S. lead to high attack rates: The United States was the country of origin for 33 percent of the incidents analyzed in this study, including 35.4 web application attacks per impacted customer. This is the result of the U.S. having a large number of unsecured personal computers with access to broadband connections that are attractive targets to be hijacked by hackers in other countries and used for botnet attacks.
- Global indicators reveal that attacks originating in the East lead to breaches in the West:China accounted for 16 percent of the attacks, ranking second. The research noted an especially high frequency of incidents per customer impacted for reconnaissance attempts originating in China. This suggests a scenario in which hackers in China are doing reconnaissance, identifying vulnerable workstations in the bandwidth-rich U.S., adding those machines to botnets and using them to launch attacks on nearby targets.
Interestingly, it appears that industry was not a great predictor of threat levels in the customer base. The likelihood of risk was much more aligned with whether the target was on premises or cloud-based. An additional outstanding point was that about 2/3 of attacks witnessed were based on freely downloadable hacker tools, such that even the most junior of motivated hackers can use them to attack web apps. Close to 44% of the web app attacks witnessed were from the SQL injection attack tool known as Havij, regardless of environments. Most importantly however was that it appears that there is no statistically different security posture in service provider-based environments as opposed to on-premise environments. Most attacks when evaluated across all incidents are poised to exploit misconfiguration events, such as missing patches, unnecessary services, permissions issues and so on. The high percentage of attacks originating in the US are indicative of ubiquitous broadband access and suggests along with other high attack points of origin, that botnets are a phenomenon that persist in the current state of security.
Alert Logic is a SaaS security provider that focuses on delivering security for the cloud environment. With over 1,500 enterprise customers, Alert Logic delivers cloud security and compliance services. Their State of the Cloud security report was launched in February. The report is slated to be launched twice yearly, and intends on expanding the depth of information in the future potentially including analysis of honeypot data and further conceptual topics in future reports. The freely available report can be found at www.alertlogic.com/csr.