#cybersecurity | hacker | The cloud security capers | SC Media


The
False Choice

A biometrics security and identity solutions
provider sought to establish itself as the premium global brand in the physical
security industry. To achieve this goal, company leaders knew they had to adopt
cutting-edge technologies to gain and maintain a competitive advantage. By
leveraging the cloud, the company’s developers were able to innovate quickly
and provide its flagship product to users around the globe.

The company was wildly successful; it secured
over 1.5 billion users across 150 countries. As a part of its business
offering, it was tasked with storing those users’ sensitive biometrics so that
users could securely and physically access confidential areas within their
organization. However, the company did not have any guardrails in place to verify
the work its developers were doing, and eventually, a pair of security
researchers discovered that one of the company’s databases was publicly
accessible, without even basic password protection. The exposure of the
database, which contained nearly 30 million of the company’s users’ biometrics
and other personally identifiable information (PII), resulted in hefty fines —
4% of
its annual global turnover for violating GDPR
, and a loss of
consumer trust, which caused their market share to plummet. To pay the fine and
fees from other resulting lawsuits, the company had to take out loans that it
was unable to pay back and filed for Chapter 11 bankruptcy.

Businesses continue to adopt cloud technology
to allow developers to innovate and reduce the overall time it takes to bring
new products and services to market, scale the company, and increase process
efficiency by reducing IT costs. However, as companies continue to embrace
cloud apps and services, they often overlook the cultural and personnel changes
that are necessary to maintain security and compliance in this environment. To
recognize the full benefits of cloud infrastructure, organizations believe that
they must either choose between security or innovation. However, this is a
false choice — companies don’t have to choose. Organizations can recognize the
full benefits of cloud by leveraging automated security strategies that ensure
developers are acting wisely and not creating preventable risks, such as
misconfiguring a database containing millions of customers’ biometric data.

M&A
Mayhem

An American hotel chain yearned to increase
its global presence to become the largest hotel company in the world. As a
result, the hotel acquired an international resort group for $15 billion,
bringing its combined number of global properties to 6,000 with a total of 1.5
million rooms. One year after acquiring the international resort, the American
hotel chain’s net income dropped from $850 million to $750 million, but its
total assets increased from $6 billion to $25 billion. Two years after, the net
income rose exponentially to $1.4 billion, about a 65% increase.

The success of the acquisition not only made
the hotel happy, but its shareholders were also pleased because the price per
share of the hotel’s stock jumped from $67 to $101 within a year. However, the
American hotel chain made a critical error throughout the acquisition process
— it mishandled the M&A risk IT security and compliance risk assessment and
failed to account for, and minimize, existing security risks. In fact, the
acquired resort was already compromised when it was bought — a database stored
in the cloud was not locked down properly. As a result, a cybercriminal was
able to obtain access to the American hotel’s infrastructure and continued to
siphon off guest’s PII for years before being discovered.

Ultimately, the hotel group was fined a
combined $550 million for violating GDPR and its shareholders were not happy.
The total cost suffered for this data breach ended up being the total
difference between the hotel’s net income before and after acquiring the
international resort group, resulting in a major loss of capital.

Mergers and acquisitions are an essential part
of the enterprise business landscape. These deals foster innovation and create
some of the biggest and most successful companies in the world. But one of the
largest potential pitfalls in any M&A transaction is mishandling IT
integration and creating or failing to mitigate security risk. In the era of
cloud computing, the cost of inheriting poor security can be massive and
quickly destroy the value of the transaction. Companies must have the proper
tools in place to gain complete visibility over assets stored across all cloud
environments, then be able to identify risk. Furthermore, companies must be
able to enforce security best practices and ensure compliance with relevant
regulations at all times during the M&A process.

Cloud
Adoption with No Silver Lining

A multinational logistics corporation invested
in AWS to improve its customer communications, effectively store customers’ PII
and reduce the time it would take for a consumer to make a purchase online. As
a result, the corporation improved its users’ experience, which led to a distinct
increase of market share. After realizing the cloud enabled its developers and
engineers to bring new services to market faster and store additional user data
as the corporation scaled, the company was running most of its workload in AWS.
The ability to innovate at an accelerated pace and increase revenue resulted in
the organization’s developers and engineers bypassing basic security practices.
Organizations believe they either need to choose between innovation and
security.

One day, a group of ethical researchers that
were using Shodan identified an exposed S3 instance from the logistics
corporation that contained hundreds of thousands of customers’ passports,
shipping addresses, photo IDs and more. The researchers tried contacting the
corporation for days in an attempt to either secure the database or bring it
offline, but  the logistics company
ignored these warnings and continued business as usual. Just three days after
the discovery, researchers noticed that a Chinese IP address connected to the
exposed S3 instance, wiped it out and left a ransom note.

The international courier company was in
disbelief, as this attack caused significant business operations disruption and
loss of productivity that led to a massive decrease in expected revenue. The
company opted to pay the ransom, hoping that it would see the return of its
customers’ sensitive  information.  Unfortunately, the attackers did not return
the data, and once the public became aware of the data breach, the company
faced class-action lawsuits, fines for violating data privacy laws, a sinking
stock price, and huge loss in customers who had lost trust in the company and
instead opted for a competing shipping service.

Conclusion

The cloud offers countless benefits, but the
self-service and dynamic nature of cloud infrastructure creates challenges for
risk and compliance professionals that are tasked with protecting their
organization from cyber threats. As organizations continue to adopt cloud and
multi-cloud environments, many fail to realize that tools and controls that
worked well for security and compliance in the traditional datacenter do not
translate to the public cloud.

Organizations
need policies that span all clouds and a platform that can automatically
remediate misconfigurations in real-time.These modern services will help your
enterprise innovate quickly and maintain a competitive position in the market,
but the implementation can be highly complex and can lead to an abundance of
potential security gaps. The choice between innovation and security is not one
that cloud users have to make, but the stories above above highlight a few
scenarios that can play out if companies don’t take control of their cloud
environments.



Original Source link

Leave a Reply