Attacks on cloud systems and infrastructure are costly. Consider the recent massive distributed denial of service attack aimed at the Internet infrastructure company Dyn. The attack dragged down Amazon, Netflix, Reddit, Spotify, Tumblr, Twitter and others. The network congestion was largely made possible by compromised IoT devices including video cameras and digital video recorders.
Hopefully, attacks of this type on cloud infrastructure will prove to be neither as successful as this one nor common. Enterprises are moving to the cloud in a significant way. According to the most recent Cloud Adoption Report from Bitglass, 38 percent of enterprises use cloud services today, up from 28 percent in the previous report.
This increase in the use of cloud services means increased risk of business disruptions due to widespread outages when some dependency in the cloud is broken. A disruption in Google Maps would affect dozens of other services, for example. A successful attack on Facebook’s authentication services could affect countless other services that depend on them. The same happened to all of the sites and services that were depending on the DNS services provided by Dyn.
Of course, it’s not just DDoS attacks that affect cloud services. Looking at the 2016 Data Breach Incident Response Report (DBIR), there are numerous attacks that affect cloud systems, but these aren’t new types of attacks, just old attacks aimed at cloud systems. According to the DBIR, Web App attacks resulted in the most data breaches in 2016. Common attacks include SQL injection, broken authentication, cross-site scripting, and others.
What other types of attacks are enterprises concerned about? According to the State of Dynamic Data Center and Cloud Security in the Modern Enterprise report, the majority of respondents are concerned about access management, application weaknesses, advanced persistent threats, malware, and more. Once advanced attackers get into any system, whether that system is an IoT device, on-premises application, or cloud system, they will exploit any weaknesses they can to advance deeper, or as in the case of the Dyn attackers, leverage their foothold to attack others.
How much do these attacks cost? There’s no way yet to tell the economic impact of last week’s attack on Dyn, when so many services were disrupted simultaneously. The cost of attacks that result in data breaches, by contrast, can be reasonably estimated. For instance, according to the Ponemon Institute’s 2016 Cost of Data Breach Study: Global Analysis, the average cost of a data breach rose to $4 million this year, with the average cost per breached record at $158.
Denial of service attacks not only cost the service that is targeted, whether that be a cloud services provider or a bank, but also impose costs, and perhaps lost revenues, on its customers.
The takeaway here is that as more enterprises depend on cloud services, and these services grow increasingly interdependent, everyone’s security posture matters to the overall security and hygiene of the Internet. This was always true to a certain degree, but it’s more true now than ever.