SECURITY

Talking Up Security At Iswec 2012 (Part 2)

7/24/2012 11:34:41 AM

computing into three categories, namely public, private and hybrid.

According to Sykes, cloud computing means having your applications installed somewhere by someone else so that they can be accessed from almost anywhere and at any time. From a security point of view, Sykes says, the problem with this is almost everything: when people start to move ahead with these things, over time, history repeats itself. Security always comes second.

He explains, "What tends to happen is that people tend to get carried away with an opportunity and go ahead to implement it. Then businesses will realise that they are dependent on this stuff and wonder if there is enough security for this? Then they need to spend more money on it and the people who develop these applications will say it's not their problem. In quick summary, people need to step back a little bit and start thinking about putting security in right from the start."


After that was Azril Azam, Team Lead, Global Response Centre IMPACT, who talked about how secure it is to use the cloud and about its overall security. According to Azril, hackers will exploit weaknesses that arise from the future needs and growth of IT markets (meaning hackers also learn finance and business), for example weaknesses arising from Bring Your Own Device (BYOD) in the cloud and, finally, from the communication between devices. More flexibility between devices means less security. That's another route hackers can use to steal information.

Azril says, "Back then, to access company files, organisation will provide notebooks or other devices with certain amount of security in it. Nowadays, workers are using their own devices for work. Mobile Trojans have been rising. Viruses from Symbian are now heading over to the Android and iOS platform. Imagine using your own device to access the enterprise cloud. The Trojans that are already inside the device can go anywhere and even access the enterprise cloud. It can then open a backdoor for the hacker to do or place whatever files they want in this enterprise cloud."

Azril also presented case studies they had carried out on cyberthreats involving the human factor, poor code and poor access control. In the first case study, they employed a less experienced technical person, who was then allowed to install any security software on a virtual machine (VM) without any security knowledge or guiding policy. Because of that lack of know-how, security patches weren't updated, resulting in a huge security loophole. "The human factor is the weakest link also because of social engineering," Azril emphasises.


Another case study dealt with bad programming practices: the testers asked a less experienced programmer to develop code for cloud software with security built into it. Azril explains, "Even a senior programmer was told to take part by monitoring them. But because of unsecured development code, a SQL injection into the login page was all too easy." This was due to programmers not being educated about, or made aware of, security.


Even poor system access controls can compromise a system. The last case study saw exploited binaries being downloaded from a fake server because of a poisoned DNS. "Downloads or updates to clouds can also compromise cloud security. A senior system admin was asked to install a Qemu virtual machine, and sure enough, the poisoned DNS rerouted to a fake website with compromised Qemu software. This resulted in easy access to the servers that have the contaminated software." Azril concludes with the moral of the story, which is that free software comes with a 'penalty': the provider may impose less security, and the software binaries may be contaminated.
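The poisoned-DNS case comes down to installing a download without checking it against a known-good value. As an added example (not from the talk or the original article), the Python code below checks a downloaded file against a SHA-256 digest pinned in a `sha256sum`-style manifest and rejects anything unpinned or altered. The file name and contents are constructed, and the manifest is assumed to come from a separate trusted channel, since a digest served by the same poisoned host proves nothing.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse 'sha256sum'-style lines: '<64 hex chars>  <filename>'."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if not name or len(bytes.fromhex(digest)) != 32:  # non-hex raises ValueError
            raise ValueError(f"malformed manifest line: {line!r}")
        pinned[name] = digest.lower()
    return pinned


def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, pinned):
    """Return True only on a digest match; a file with no pinned entry fails closed."""
    expected = pinned.get(Path(path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed sample: check a genuine file, then a tampered copy of it."""
    genuine = b"constructed stand-in for a hypervisor installer\n"
    pinned = parse_manifest(f"{hashlib.sha256(genuine).hexdigest()}  installer.tar.xz\n")
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, "installer.tar.xz")
        path.write_bytes(genuine)
        ok = verify_download(path, pinned)
        path.write_bytes(genuine + b"\x00")  # one appended byte changes the digest
        return ok, verify_download(path, pinned)
```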
