After iCloud massacre, it’s time to re-visit the tips to secure your data on Cloud
Hollywood stars are all over the internet, and not because of the Emmys, but because some nut job stole their nude photos and leaked them online. From the cloud…nope, iCloud! I can almost hear Steve Jobs rolling in his grave. All hell has broken loose. Suddenly everyone’s attention is back on the cloud: who is using it, how much data is on it, and how it should all be removed immediately because nothing is safe on the cloud. But then where is it safe? Is it fair to skip proper security measures and then blame the cloud? After all, you do not leave your house open and then blame the thief if he ransacks your home…so what makes it different for the cloud? By following some simple and effective security measures, data can be as safe on the cloud as it is anywhere else.
What Raised This Cloud Storm?
The photos were leaked from the iCloud accounts of the affected stars. The exact details are not known, but as per a statement issued by Apple, “certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet”. Apple rarely issues a statement, and this in itself shows the severity of the attack.
Some security researchers believe Apple left iCloud open to brute-force password guessing: attackers could use software to keep trying passwords until targeted accounts with comparatively weak passwords gave way.
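The defence against that kind of guessing run is not a secret: refuse to keep answering. The following is an added example (not code from the original article or from Apple) of a minimal login throttle that counts failures per account and per source address in a sliding window and locks out further attempts before the password is even checked; the account, passphrase and address values are constructed for the demo.

```python
"""Added example (not from the original article): a minimal login throttle of
the kind that blunts the password-guessing run described above. Failed attempts
are counted per account and per source address inside a sliding window; once
the threshold is reached, further attempts are refused before the password is
even checked. Account, password and address values are constructed."""
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures tolerated inside the window
WINDOW_SECONDS = 600    # sliding window of 10 minutes

def password_hash(password: str) -> bytes:
    """Salted PBKDF2 so the store never holds plaintext (fixed salt only for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

# Constructed user store: one account with a hashed passphrase.
USERS = {"alice": password_hash("correct horse battery staple")}

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)   # ("user"|"ip", value) -> failure timestamps

    def _over_limit(self, key, now: int) -> bool:
        window = self.failures[key]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # forget failures older than the window
        return len(window) >= MAX_FAILURES

    def attempt(self, user: str, password: str, source_ip: str, now: int) -> str:
        # Throttle on both keys: one address spraying many accounts and many
        # addresses hammering one account are both cut off.
        if self._over_limit(("user", user), now) or self._over_limit(("ip", source_ip), now):
            return "locked"
        candidate = password_hash(password)   # always hash, so timing does not reveal unknown users
        stored = USERS.get(user, b"")
        if not hmac.compare_digest(stored, candidate):
            self.failures[("user", user)].append(now)
            self.failures[("ip", source_ip)].append(now)
            return "denied"
        return "ok"

def simulate() -> list:
    """Replay a constructed guessing run: five wrong guesses, the real password
    while still locked, then the real password after the window has passed."""
    guard = LoginGuard()
    outcomes = [guard.attempt("alice", f"guess{i}", "203.0.113.7", now=1000 + i) for i in range(5)]
    outcomes.append(guard.attempt("alice", "correct horse battery staple", "203.0.113.7", now=1006))
    outcomes.append(guard.attempt("alice", "correct horse battery staple", "203.0.113.7", now=1000 + WINDOW_SECONDS + 10))
    return outcomes
```

The sixth attempt is refused even though the password is right, which is exactly the property a guessing tool cannot work around.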
Ten Tips to Secure your Data on the Cloud
To secure data on the cloud, the data center organizations and users need to follow some simple, but crucial steps to avoid the fate of iCloud:
- Encryption– Encrypted data is of little use to an attacker who steals it without the key: breaking the encryption is a time-consuming job that is rarely worth the effort. Therefore data stored in encrypted form is safer.
- 2-factor authentication– 2-factor or multi-factor authentication means that if anyone tries to log into your account from a new device, it asks for a second identification, usually a code sent to your phone or email that you then enter on the device. Even if a hacker has your password, they will also need possession of your phone to get that code from the text. Many services have started offering 2-factor authentication, but only a few have made it mandatory. And since we do not like processes involving extra steps, most of us do not use it, even though it would mean more security for us.
- WAF– A web application firewall offers organizations protection against cyber-attacks. A robust WAF defends against malicious web traffic by monitoring the traffic and pinpointing the bad elements, which is a proactive approach. In case of an attack, the source of the attack can be diagnosed through the WAF, and if finding and fixing the underlying flaw takes time, a virtual patch can be applied, thereby limiting the damage from the attack.
- Authorization practices– Many times, an organization has all its security measures in place but still becomes a victim due to human error. This is something which is widely understated and ignored. Access to data should be provided only to the employees who absolutely need it. Also, data access should match the work profile of the person in question. A marketing person does not need access to financial information.
- Application Scanning– Periodic scanning keeps you informed of any weak point in your perimeter and flags a vulnerability before a hacker notices and exploits it. The possibility of a hacker finding an electronic backdoor is always there, therefore continuous scanning is crucial.
- Beware of phishing emails and spam attachments– If a mail looks shady, it probably is. If an attachment is not from someone you trust, don’t fall for the temptation to open it. If a website looks “odd”, double check the URL. You might ask what this has to do with data security in the cloud…well, the same rules should be followed when one decides to buy online or create new online accounts. Do not enter your data on any website that looks somewhat out of place.
- Not forgetting about your mobile applications– The iCloud hack has reinforced the fact that your mobile applications’ security cannot be ignored. They are as important as web applications and should be scanned continuously with a mobile application security solution. A malware-infected app is good news for hackers and very bad news for you. The ‘coincidence’ that the iCloud hack came soon after an online post mentioned a bug in Apple’s ‘Find My iPhone’ service is evidence strong enough to get organizations working on the security of their mobile apps. (Try IndusGuard Mobile Pen-Test)
- Do not opt for auto-saving of login details on shared devices– Be aware of the device you are using. Browsers often ask to save your login information and keep a login session alive as long as the browser is open. Unless you are using your personal device, do not opt for this option.
- Passwords– Make your passwords tough to crack. It’s high time we stopped using lame passwords.
When the site RockYou.com was hacked in 2009, a security firm examined the 32 million compromised passwords and found that thousands upon thousands of users relied on the same basic phrases. The password “123456” took first place with 290,731 hits; “12345,” “123456789,” “Password” and “iloveyou” rounded out the top five most-used passwords. The scenario hasn’t changed much since. If you find it tough to remember passwords, use a password manager. And do not re-use passwords on multiple sites. It’s like using one key for all your locks: if that one key is found, your whole house is doomed. Another trend noticed is that people share their passwords with friends. No one may intend to cause a breach of your account, but if someone writes your password down in a place that is later compromised, your account security goes for a toss. And lastly, but extremely important: please do not save your passwords in plain text on your PCs, tablets or phones. You might as well hand them over to the hackers directly. Use encryption as much as possible.
- Do not ignore software updates– Install all important OS updates on time. Once a vulnerability is disclosed, hackers scan for systems and devices that have not yet installed the patched version and break into them. This can simply be avoided by keeping your devices updated.
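The 2-factor tip above describes a code that only the holder of the phone can produce. As an added example (not code from the original article), here is the app-based variant of that code, RFC 6238 TOTP built on RFC 4226 HOTP, together with the server-side check a service would run: it tolerates one 30-second step of clock drift and refuses to accept the same code twice. The shared secret is the RFC test-vector key, not a real credential.

```python
"""Added example (not from the original article): an app-based second factor
of the kind the 2-factor tip describes, implemented as RFC 6238 TOTP on top of
RFC 4226 HOTP. The verifier tolerates one 30-second step of clock drift in
either direction and refuses to accept the same code twice. The shared secret
is the RFC test-vector key, not a real credential."""
import hashlib
import hmac

SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector key (constructed)
STEP = 30
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)

class SecondFactor:
    """Server-side verifier for one user's TOTP secret."""
    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps
        self.last_counter = -1   # highest time step whose code has already been consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self.last_counter:
                continue          # replay: this step's code was already used once
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```

A stolen password alone never produces a valid six digits here, and a code captured in transit is rejected the second time it is presented.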
Competition in cloud storage companies is increasing, and the reputation of a data storage company can make all the difference between getting a client or losing it to the competition. It’s imperative that these companies provide the most secure and reliable services. These are requirements that cannot be negotiated on.