The unsettling persistence of cybersecurity vulnerabilities in the cloud
Clouds are full of cybersecurity vulnerabilities.
If you’re trusting your data, applications and other business assets to any of the public cloud providers, you want them to provide strong assurance that all of that intellectual property is safe and that hackers won’t exploit them to crash your operations or bankrupt your business.
How secure are the public cloud providers? In a couple of weeks, we will be receiving an update from Amazon Web Services Inc. at its annual re:Invent conference. Wikibon, the market research firm owned by SiliconANGLE Media, will be interrogating its executives both on their cloud’s cybersecurity safeguards and on what their broad ecosystem of cybersecurity partners bring to the table.
In a recent Wikibon Action Item CrowdChat, I asked the invited subject matter experts and other participants a question that probably crosses every enterprise security specialist’s mind on any given day: “Who are the leaders in cloud cybersecurity and why?” Here are the responses we received:
- Tim Crawford: “Each of the core public #cloud providers are doing a great job for their part. However, #cybersecurity is fought with more than just #cloud.”
- Maish Saidel-Keesing: “This market has a huge influx of new small startups who are trying to provide a solution for this new world. All the ‘traditional’ vendors would love us to think that they are right there with all the answers – but they are far from it … I don’t think that there is a single leader here – it is still too early to say.”
- Craig Milroy: “The onus is on the customer as well. How many times has a customer left a S3 bucket exposed to the internet. Shared responsibility.”
- Bobby Allen: “Security still feels fluffy and intangible right now. Most business leaders are just doing their own thing and not engaging security experts. You also have the sacred cow of resource security vs. app security. It’s a civil war in most enterprises.”
- Andrew Miller: “Honestly don’t think there is one – it’s just too fragmented a market that is changing too quickly.”
To be quite frank, none of that would inspire a ton of confidence if I were an IT professional who’s still unsure whether to dip my company’s toes into the public cloud or wade halfway in with a hybrid cloud deployment. In addition, advances in artificial intelligence seem to be proliferating the botnets that are taking root in cloud environments everywhere and creating advanced persistent threats with devastating power.
An AI bot is nothing if not advanced and persistent. It’s advanced in that it uses machine learning to target coordinated and purposeful actions, and persistent in its ability to operate, in a distributed and elusive fashion, 24 by 7, month after month, year after year.
Not only that, but it has the adaptive, self-learning, probing intelligence to multiply its cybersecurity threat potential on every level encompassed in Lockheed Martin’s Cyber Kill Chain framework:
- Reconnaissance: An AI bot can constantly harvest identities, application data, credentials, email addresses, behavioral patterns and other assets necessary to train its AI to make it more adept, effective, and devastating.
- Weaponization: An AI bot can impersonate any person, place, thing or other bot in order to exploit backdoor system vulnerabilities to deliver damaging payloads.
- Delivery: An AI bot can deliver weaponized payloads through any crack in a cloud, server, application, device or other system attack surface.
- Exploitation: An AI bot can explore vulnerabilities through continuous real-world experimentation in order to fine-tune its attack on the target.
- Installation: An AI bot can learn how to surreptitiously install malware and other damaging assets on the target while covering its tracks.
- Command and control: An AI bot can establish an untraceable command channel for remotely manipulating the target.
Your AI assets themselves can present a huge vulnerability for AI-powered attack bots. As I noted in this recent SiliconANGLE article, the attack surface of an enterprise AI model can be vast and mysterious. Vulnerabilities in your deep neural networks can expose your company to considerable risk if they are discovered and exploited by third parties — perhaps surreptitiously through botnets — before you even realize it or have implemented defenses.
The potential for adversarial attacks against deep neural networks — such as those behind computer vision, speech recognition and natural language processing — is an increasing cause for concern within the data science profession. The research literature is full of documented instances where deep neural networks have been fooled by adversarial attacks.
Your “internet of things” deployments will exacerbate those vulnerabilities, especially as AI-powered apps are pushed all the way to edge devices. As I discussed in this article, defending the IoT against cyberattacks will be the mother of all security challenges.
One of the most dreaded IoT security scenarios is the zero-day attack, under which hackers — or perhaps automated bots put in motion ages ago by hackers — exploit vulnerabilities for which there are no prebuilt defenses. The IoT presents a potentially unlimited attack surface for such assaults in the form of exploitable entry points for malware, intrusions and advanced persistent threats.
Going into re:Invent 2018, I want to hear how AWS is battening down the hatches against cybersecurity threats from within and against every last facet of its cloud, AI and IoT infrastructure.