Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Computing and Cybercrime 2.0 Nir Kshetri The University of North Carolina-- Greensboro 2 Addressing security challenges on a global scaleGeneva,

Similar presentations


Presentation on theme: "Cloud Computing and Cybercrime 2.0 Nir Kshetri The University of North Carolina-- Greensboro 2 Addressing security challenges on a global scaleGeneva,"— Presentation transcript:

1

2 Cloud Computing and Cybercrime 2.0 Nir Kshetri The University of North Carolina-- Greensboro 2 Addressing security challenges on a global scaleGeneva, 6-7 December 2010

3 Concerns about privacy and security in the cloud Security/privacy-- topmost concerns in cloud adoption decisions– not TCO(Brodkin 2010). IDC report (Oct ): security concern was the most serious barrier to cloud adoption. IDC poll (April 2010) (Asia Pacific): < 10% of respondents confident about cloud security measures. Harris Interactive survey for Novell (Oct. 2010) 90%--concerned about cloud security; 50%--security concerns primary barrier to cloud adoption; 76%--private data more secure when stored on the premises 81%--worried about regulatory compliance. A commonplace observation: cloud providers offer sophisticated services but have weak performances in policies/practices related to privacy/security. Cloud: a largely nascent technology 3 Geneva, 6-7 December 2010Addressing security challenges on a global scale

4 Cloud is an opportunity for cyber-criminals as well Observation: Cloud will make "Healthcare2.0", "Banking2.0" and "Education2.0" realities, especially in developing countries (Economist 2008). Cyber-criminals perspective: opportunity for online criminal practices to upgrade to cybercrime2.0. Clouds diffusion and that of social media have superimposed onto organizations rapid digitization in a complex manner that allows cyber-criminals and cyber-espionage networks to exploit the clouds weaknesses. 4 Geneva, 6-7 December 2010Addressing security challenges on a global scale

5 A framework for understanding security and privacy issues facing the cloud 5 Addressing security challenges on a global scaleGeneva, 6-7 December 2010

6 Institutional factors affecting security/privacy in cloud Cloud-related legal system/enforcement mechanisms evolving slowly (e.g., legislation in jurisdictions of the users, the providers or the datas location will govern the protection of the data?) Overreach by law enforcement agencies. Professional/trade associations--emerging and influencing security and privacy issues Industry standards organizations--address some concerns. Concern about dependency on cloud vendors security assurances and practices. Cloud users inertia effects 6 Geneva, 6-7 December 2010Addressing security challenges on a global scale

7 Technological factors affecting security/privacy in cloud The clouds newness and unique vulnerabilities Attractiveness and vulnerabilities of the cloud as a cybercrime target Value of data in the cloud Criminal controlled clouds Nature of the architecture Virtual and dynamic Sophistication and complexity 7 Addressing security challenges on a global scaleGeneva, 6-7 December 2010

8 Clouds newness/unique vulnerability Evolution and popularity of virtualization technology: new bugs, vulnerabilities and security issues are proliferating (Brynjolfsson et al. 2010). Cloud--unfamiliar terrain for security companies. Lack of mechanisms to guarantee security and privacy--an uncomfortable reality for cloud providers. Dawkins (1982): rare enemy syndrome--a helpful theoretical perspective --victims often fall to new unfamiliar baits or lure. The enemys manipulation is so rare that evolutionary development has not yet progressed to the point that the victim has an effective counter poison. 8 Geneva, 6-7 December 2010Addressing security challenges on a global scale

9 Clouds newness/unique vulnerability (cont.) A problem : a user may be able to access to the providers sensitive portions of infrastructure as well as resources of other users (Armbrust et al. 2010). August 2010: the U.S. National Institute of Standards and Technology announced a vulnerability a user can cross from one client environment to other client environments managed by the same cloud provider (NIST 2009). Forensically challenging in the case of a data breach Some public cloud systems may store and process data in different jurisdictions--different laws (McCafferty 2010). Some organizations may encrypt data before storing (Taylor et al. 2010). 9 Geneva, 6-7 December 2010Addressing security challenges on a global scale

10 Attractiveness/vulnerability as a cybercrime target: Value of data in the cloud Target attractiveness = f (perceptions of victims). Monetary or symbolic value and portability (Clarke 1995). Accessibilityvisibility, ease of physical access, and lack of surveillance (Bottoms & Wiles 2002). Large companies networks offer more targets. Cloud suppliers bigger than clientsmore attractive targets. Offers a high surface area of attack (Talbot 2010). One fear: IP and other sensitive information stored in the cloud could be stolen. Cloud providers may not notify their clients. Underreporting of cybercrimes: embarrassment, credibility/reputation damage, stock price drop. 10 Geneva, 6-7 December 2010Addressing security challenges on a global scale

11 Attractiveness/vulnerability: Value of data in the cloud Late 2009: Google discovered a China-originated attack on its cloud infrastructures. The attack was part of a larger operation, which infiltrated infrastructures of at least 20 other large companies. Information stored in cloudspotential goldmine for cyber-criminals (Kshetri 2010). Early 2010: Yale University postponed plan to move Webmail service to Google Apps tailored for students and faculty. Reason: Google's size and visibility makes it more susceptible to cyber-attacks. 11 Geneva, 6-7 December 2010Addressing security challenges on a global scale

12 Attractiveness/vulnerability as a cybercrime target Criminal-controlled clouds The cloud is potentially most vulnerable-- viewed against the backdrop of criminal owned-clouds operating in parallel. Diamond is the only material hard enough to cut diamond effectively Criminal-owned clouds may be employed to effectively steal data stored in clouds. Cloud may provide many of the same benefits to criminals as for legitimate businesses. 12 Geneva, 6-7 December 2010Addressing security challenges on a global scale

13 Attractiveness/vulnerability: Criminal-controlled clouds The Conficker virus Most visible example of a criminal-owned cloud. Arguably the worlds biggest cloud Controls 7 million computer systems 230 regional and country top-level domains Bandwidth capacity of 28 terabits per second. Larger footprint/resources--spreads malware to control more computers Less active recently but is still a threat. last major Conficker attack--April 2009 last reported attack: February 2010 on the network of Manchester police department (U.K.). 13 Geneva, 6-7 December 2010 Addressing security challenges on a global scale

14 The Conficker cloud Conficker is available for rent. Criminals can choose a location they want to rent the Conficker cloud. Pay according to the bandwidth they want Choose an operating system. Customers have a range of options for the type of services to put in the Conficker denial-of-service attack spreading malware sending spam data exfiltration(Mullins 2010). 14 Addressing security challenges on a global scaleGeneva, 6-7 December 2010

15 The cloud as the ultimate spying machine Cyber-espionage2.0. Easier for governments to spy on citizens. A Google report: governments request for private information and to censor its applications. Apr. 2010: Report on Shadow network: Targets: Indian Ministry of Defense, the UN, the Office of the Dalai Lama. The report noted: Clouds provide criminals and espionage networks with convenient cover, tiered defences, redundancy, cheap hosting and conveniently distributed command and control architectures (IWMSF 2010). Atmosphere of suspicion/distrust among states U.S.-China trade and investment policy relationship.. 15 Addressing security challenges on a global scaleGeneva, 6-7 December 2010

16 Concluding comments Too simplistic to view the cloud as a low-cost security. Legitimate/illegitimate organizations and entities--gaining access to data on clouds through illegal, extralegal, and quasi-legal means. Technological and behavioral/perceptual factors--equal consideration in the design/implementation of a cloud network. New institutions and the redesign of existing institutions needed to confront emerging security and privacy problems. existing institutions are thickening. Privacy and security issues related to the cloud undergoing political, social, and psychological metamorphosis. 16 Addressing security challenges on a global scaleGeneva, 6-7 December 2010

17 References Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., & Zaharia, M. (2010). A View of Cloud Computing. Communications of the ACM, 53(4), Bottoms, A. E., &Wiles, P. (2002). Environmental criminology. Oxford Handbook of Criminology, 620–656. Brodkin, J. (2010). 5 problems with SaaS security. Network World, 27(18), Brynjolfsson, E., Hofmann, P., & Jordan, J. (2010). Cloud Computing and Electricity: Beyond the Utility Model. Communications of the ACM, May 2010, 53(5), Dawkins, R. (1982) The extended phenotype. Oxford University Press. Information Warfare Monitor/Shadowserver Foundation (2010). Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation, JR , April 6, Kshetri, N. (2010). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10), McCafferty, D. (2010). Cloudy Skies: Public Versus Private Option Still Up In The Air. Baseline, 103, Mullins, R. (2010). The biggest cloud on the planet is owned by... the crooks: Security expert says the biggest cloud providers are botnets, March 22, 2010, available at Accessed July 24, NIST (2009). Vulnerability Summary for CVE , 08/21/2010, The US National Institute of Standards and Technology, available at Owens, D. (2010). Securing Elasticity in the Cloud. Communications of the ACM, Jun 2010, 53(6), Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing systems. Computer Law & Security Review, May 2010, 26(3), Addressing security challenges on a global scaleGeneva, 6-7 December 2010


Download ppt "Cloud Computing and Cybercrime 2.0 Nir Kshetri The University of North Carolina-- Greensboro 2 Addressing security challenges on a global scaleGeneva,"

Similar presentations


Ads by Google