Cloud Computing and Cybercrime 2.0 - Nir Kshetri

Cloud Computing and Cybercrime 2.0
Nir Kshetri, The University of North Carolina-Greensboro
Geneva, 6-7 December 2010: Addressing security challenges on a global scale

Concerns about privacy and security in the cloud
  • Security/privacy: topmost concerns in cloud adoption decisions, not TCO (Brodkin 2010).
  • IDC report (Oct. 2008): security concern was the most serious barrier to cloud adoption.
  • IDC poll (April 2010) (Asia Pacific): < 10% of respondents confident about cloud security measures.
  • Harris Interactive survey for Novell (Oct. 2010):
      • 90%: concerned about cloud security
      • 50%: security concerns primary barrier to cloud adoption
      • 76%: private data more secure when stored on the premises
      • 81%: worried about regulatory compliance
  • A commonplace observation: cloud providers offer sophisticated services but perform weakly in policies/practices related to privacy/security.
  • Cloud: “a largely nascent technology”

Cloud is an opportunity for cyber-criminals as well
  • Observation: Cloud will make "Healthcare 2.0", "Banking 2.0" and "Education 2.0" realities, especially in developing countries (Economist 2008).
  • Cyber-criminals’ perspective: opportunity for online criminal practices to upgrade to cybercrime 2.0.
  • Cloud’s diffusion and that of social media have been superimposed onto organizations’ rapid digitization in a complex manner that allows cyber-criminals and cyber-espionage networks to exploit the cloud’s weaknesses.

A framework for understanding security and privacy issues facing the cloud

Institutional factors affecting security/privacy in cloud
  • Cloud-related legal system/enforcement mechanisms evolving slowly (e.g., will legislation in the jurisdiction of the user’s, the provider’s or the data’s location govern the protection of the data?)
  • Overreach by law enforcement agencies.
  • Professional/trade associations: emerging and influencing security and privacy issues.
  • Industry standards organizations: address some concerns.
  • Concern about dependency on cloud vendors’ security assurances and practices.
  • Cloud users’ inertia effects.

Technological factors affecting security/privacy in cloud
  • The cloud’s newness and unique vulnerabilities
  • Attractiveness and vulnerabilities of the cloud as a cybercrime target
      • Value of data in the cloud
      • Criminal-controlled clouds
  • Nature of the architecture
      • Virtual and dynamic
      • Sophistication and complexity

Cloud’s newness/unique vulnerability
  • Evolution and popularity of virtualization technology: new bugs, vulnerabilities and security issues are proliferating (Brynjolfsson et al. 2010).
  • Cloud: unfamiliar terrain for security companies.
  • Lack of mechanisms to guarantee security and privacy: an uncomfortable reality for cloud providers.
  • Dawkins (1982): rare enemy syndrome, a helpful theoretical perspective. Victims often fall for new, unfamiliar baits or lures.
  • The enemy’s manipulation is so rare that evolutionary development has not yet progressed to the point that the victim has an effective counter poison.

Cloud’s newness/unique vulnerability (cont.)
  • A problem: a user may be able to access the provider’s sensitive portions of infrastructure as well as resources of other users (Armbrust et al. 2010).
  • August 2010: the U.S. National Institute of Standards and Technology announced a vulnerability in which a user can cross from one client environment to other client environments managed by the same cloud provider (NIST 2009).
  • Forensically challenging in the case of a data breach.
  • Some public cloud systems may store and process data in different jurisdictions, with different laws (McCafferty 2010).
  • Some organizations may encrypt data before storing (Taylor et al. 2010).

Attractiveness/vulnerability as a cybercrime target: Value of data in the cloud
  • Target attractiveness = f (perceptions of victims).
  • Monetary or symbolic value and portability (Clarke 1995).
  • Accessibility: visibility, ease of physical access, and lack of surveillance (Bottoms & Wiles 2002).
  • Large companies’ networks offer more targets.
  • Cloud suppliers bigger than clients: more attractive targets.
  • Offers a high “surface area of attack” (Talbot 2010).
  • One fear: IP and other sensitive information stored in the cloud could be stolen.
  • Cloud providers may notify their clients.
  • Underreporting of cybercrimes: embarrassment, credibility/reputation damage, stock price drop.

Attractiveness/vulnerability: Value of data in the cloud
  • Late 2009: Google discovered a China-originated attack on its cloud infrastructures.
  • The attack was part of a larger operation, which infiltrated infrastructures of at least 20 other large companies.
  • Information stored in clouds: potential goldmine for cyber-criminals (Kshetri 2010).
  • Early 2010: Yale University postponed plan to move Webmail service to Google Apps tailored for students and faculty.
  • Reason: Google's size and visibility makes it more susceptible to cyber-attacks.

Attractiveness/vulnerability as a cybercrime target: Criminal-controlled clouds
  • The cloud is potentially most vulnerable when viewed against the backdrop of criminal-owned clouds operating in parallel.
  • Diamond is the only material hard enough to cut diamond effectively.
  • Criminal-owned clouds may be employed to effectively steal data stored in clouds.
  • Cloud may provide many of the same benefits to criminals as for legitimate businesses.

Attractiveness/vulnerability: Criminal-controlled clouds
The Conficker virus
  • Most visible example of a criminal-owned cloud.
  • Arguably the world’s biggest cloud:
      • Controls 7 million computer systems
      • 230 regional and country top-level domains
      • Bandwidth capacity of 28 terabits per second
  • Larger footprint/resources: spreads malware to control more computers.
  • Less active recently but is still a threat.
      • Last major Conficker attack: April 2009
      • Last reported attack: February 2010, on the network of Manchester police department (U.K.)

The Conficker cloud
  • Conficker is available for rent.
  • Criminals can choose the location where they want to rent the Conficker cloud.
  • Pay according to the bandwidth they want.
  • Choose an operating system.
  • Customers have a range of options for the type of services to put in the Conficker (Mullins 2010):
      • denial-of-service attack
      • spreading malware
      • sending spam
      • data exfiltration

The cloud as the ultimate spying machine
  • Cyber-espionage 2.0.
  • Easier for governments to spy on citizens.
  • A Google report: governments' requests for private information and to censor its applications.
  • Apr. 2010: Report on Shadow network.
      • Targets: Indian Ministry of Defense, the UN, the Office of the Dalai Lama.
      • The report noted: “Clouds provide criminals and espionage networks with convenient cover, tiered defences, redundancy, cheap hosting and conveniently distributed command control architectures” (IWMSF 2010).
  • Atmosphere of suspicion/distrust among states: U.S.-China trade and investment policy relationship.

Concluding comments
  • Too simplistic to view the cloud as a low-cost security.
  • Legitimate/illegitimate organizations and entities are gaining access to data on clouds through illegal, extralegal, and quasi-legal means.
  • Technological and behavioral/perceptual factors deserve equal consideration in the design/implementation of a cloud network.
  • New institutions and the redesign of existing institutions are needed to confront emerging security and privacy problems.
  • Existing institutions are thickening.
  • Privacy and security issues related to the cloud are undergoing political, social, and psychological metamorphosis.

References
  • Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., & Zaharia, M. (2010). A View of Cloud Computing. Communications of the ACM, 53(4), 50-58.
  • Bottoms, A. E., & Wiles, P. (2002). Environmental criminology. Oxford Handbook of Criminology, 620–656.
  • Brodkin, J. (2010). 5 problems with SaaS security. Network World, 27(18), 1-27.
  • Brynjolfsson, E., Hofmann, P., & Jordan, J. (2010). Cloud Computing and Electricity: Beyond the Utility Model. Communications of the ACM, May 2010, 53(5), 32-34.
  • Dawkins, R. (1982). The extended phenotype. Oxford University Press.
  • Information Warfare Monitor/Shadowserver Foundation (2010). Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation, JR 03-2010, April 6, http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf
  • Kshetri, N. (2010). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10), 47-55.
  • McCafferty, D. (2010). Cloudy Skies: Public Versus Private Option Still Up In The Air. Baseline, 103, 28-33.
  • Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security expert says the biggest cloud providers are botnets, March 22, 2010, available at http://www.networkworld.com/community/node/58829?t51hb. Accessed July 24, 2010.
  • NIST (2009). Vulnerability Summary for CVE-2009-3733, 08/21/2010, The US National Institute of Standards and Technology, available at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733.
  • Owens, D. (2010). Securing Elasticity in the Cloud. Communications of the ACM, Jun 2010, 53(6), 46-51.
  • Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.
  • Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing systems. Computer Law & Security Review, May 2010, 26(3), 304-308.