The constant struggle to keep malware out of the organisation and deal with it when the inevitable ingress occurs is a well-trodden path for CIOs. But as organisations reach further into the cloud for essential everyday capability, the cloud malware landscape has taken on a new dimension – one where the cloud is a route for its distribution.
Cloud malware is a relatively new phenomenon, but cybercriminals are quickly wising up to the fact that these online environments are a perfect conduit for spreading malware. CIOs need to take it very seriously and ensure they’re on top of any potential opportunity it might have to enter their systems.
Fast and silent spreading
The purveyors of malware have started to make greater use of the cloud for a number of reasons. We are increasingly prolific users of cloud services and tend to have multiple accounts, increasing the scope for using the cloud to distribute malware. And cloud-only malware can and does spread incredibly quickly – the spread tends to happen automatically and be undetectable to the user.
A case in point is Virlock. This is ransomware that first surfaced in 2014 and has since evolved to spread itself through cloud file sharing tools. All it takes to start a whole new chain of infection is an infected file in a cloud shared folder that’s synced between two computers. When someone clicks that file, the infection spreads across not just the shared folder, but also all the files on the new computer. It has multiplied exponentially and will spread further through any files shared with other users.
The scale of the cloud malware problem
Locating and containing potential cloud malware spreaders is a challenge because it’s highly likely an organisation uses a lot more cloud services than it thinks. There are, in effect, two types of cloud use. One is the formal, centralised services that are set up and managed by the IT team. Think of accounting, human resources, CRM and other organisational management services, as well as systems that relate to the services or goods that an organisation provides.
Then there are the cloud tools people seek out for themselves and use because they help in getting work done – what’s known as shadow IT. Many – quite probably most – of these will not have been sanctioned by the IT team. Typically, CIOs estimate there to be 30 or 40 cloud apps in use within their organisation – in reality, it’s closer to 1,000. An audit will provide visibility into what is being used and by whom, but that just exposes the scale of the problem to be addressed.
Trust – and the need for education
One of the reasons why cloud-only malware is so potentially dangerous is that users tend to have very high implicit trust in files that appear in corporate-approved cloud file shares – as well as files that are attached to records in the CRM system. The assumption is that they must be safe. Whenever a file is uploaded, its context and origin are often lost. It is assumed that the file must have been uploaded by someone internally.
Security education and awareness need to be updated to explain the new cloud-only malware threat to users, and to teach them to treat files in popular file sharing apps – like Dropbox and Google Drive – in a similar way to file attachments to emails from unknown senders.
Blocking the routes to infection
Businesses need to take control, in order to secure their infrastructure. Of course, the easiest way to do so is by blocking the use of such apps, but, in reality, the IT team will win no friends if they remove access to tools people have adopted to help them work more effectively. So, the holy grail in this situation is finding a way to protect the organisation from cloud malware, while allowing people to continue to use the cloud apps they need and want.
Rather than simply banning apps, organisations can categorise behaviours within those services and remove the ability to perform risky actions. For example, it might be prudent to remove the ability to attach files to webmail apps, or to limit access to documents within file sharing apps to view only.
But inevitably, these moves will restrict productivity. If a user can’t download a file from a file sharing app, can they do what they need to? What’s really needed is a much more granular approach, which allows full access to cloud services in the way people want.
When the prevalence of email threats became apparent, it became common practice to scan all messages and attachments for viruses or malware. The same concept can be applied to web apps. Scanning all uploads and downloads will reduce the risk, as will applying Data Loss Prevention (DLP), which will typically scan all uploads for keywords or phrases and block anything that looks suspiciously like confidential, commercially sensitive or other data that the organisation wants to keep private.
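As an added illustration (not from the original article or any vendor's product), the sketch below applies the action-level controls and upload/download scanning described above to individual cloud-app events. The category names, the phrase list and the hash set standing in for a malware engine are all assumptions constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumed policy: risky actions removed per app category (names are hypothetical).
BLOCKED_ACTIONS = {"webmail": {"attach"}}

# Assumed DLP phrases the organisation wants kept private (constructed).
DLP_PATTERNS = [
    re.compile(r"\bcommercial in confidence\b", re.I),
    re.compile(r"\bproject\s+falcon\b", re.I),  # hypothetical code name
]

# Stand-in for a malware engine verdict: SHA-256 of constructed "bad" content.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}


@dataclass
class Event:
    user: str
    app_category: str  # e.g. "file_sharing", "webmail", "crm"
    action: str        # "upload", "download", "attach" or "view"
    content: bytes = b""


def decide(event: Event) -> tuple[str, str]:
    """Return (verdict, reason) for a single cloud-app action."""
    # 1. Action-level control: the app stays usable, the risky action does not.
    if event.action in BLOCKED_ACTIONS.get(event.app_category, set()):
        return "block", f"{event.action} disabled for {event.app_category}"
    # 2. Malware scan on every file moving in either direction.
    if event.action in {"upload", "download", "attach"}:
        if hashlib.sha256(event.content).hexdigest() in KNOWN_BAD_SHA256:
            return "block", "malware match"
    # 3. DLP applies to outbound content only.
    if event.action in {"upload", "attach"}:
        text = event.content.decode("utf-8", errors="ignore")
        for pattern in DLP_PATTERNS:
            if pattern.search(text):
                return "block", "DLP match: " + pattern.pattern
    return "allow", "no rule matched"
```

Note that the same confidential document is blocked on upload but allowed on download, which is the granularity the article argues for over banning the app outright.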
A good time to take steps
Cloud malware is a real threat today, and it is growing. Moreover, the new GDPR coming into force in Europe at the end of May could result in far heavier penalties for data leaks than we’ve seen in the past. Rather than wait for the stick to hit, organisations should be thinking of the carrot – enabling their people to use the tools that they rely on for efficient working.
There is absolutely no doubt that cloud apps can help a business be more efficient. That goes for the organisation-wide apps formally sanctioned by the IT team and the myriad apps people find and use themselves, but they must be de-risked as much as possible.
Frankly, an organisation that doesn’t think about dealing with cloud malware now is an organisation that’s waiting to be caught out.
Ed Macnair is CEO of cloud security specialist CensorNet and has over 30 years of sales and business development expertise in the technology and IT security world. Ed led the acquisition of CensorNet in October 2014 with the aim of accelerating the company’s product development efforts and growing revenues.