Regular Amazon Cloud Leaks Highlight the Risks of Third-Party Cloud Storage

A hobby for many security consultants is finding easily exploited weak spots in major cloud storage and service providers. These guys do it with a positive mission, but we guarantee the criminals out there are doing the same thing and will be delighted to steal your insecure data.

By Chris Knight

Kevin Beaumont is a high-profile security consultant, and when he tweets about weaknesses in cloud systems (like the recent Capital One leak from Amazon’s AWS) you can bet plenty of hackers are taking notice. Add to that the fact that Amazon S3 data buckets are a high-profile topic of discussion at DEF CON hacker events, and you just know the risks of using them in an insecure manner are high.

The issues are two-fold. Despite the automated nature of using cloud services, there are still people involved, and all it takes is one grumpy current or ex-employee with the right log-in details to siphon off your data, or there can be someone working at a third party with access who might decide they can make some money.

The second issue is the classic use of weak passwords/login details and not checking system logs to see who is accessing those services and your data. So many businesses are reliant on their data, but lack the time or security awareness to check the data is secure and that access rights are managed, and passwords changed on a regular basis, especially when someone leaves the business.

There’s a risk that many businesses don’t even know what an EBS (Elastic Block Store) snapshot is. If these are not correctly configured, anyone can go browsing through them and find data, application keys and other information of use, putting the entire business at risk.
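One way to check your own account for the snapshot exposure described above, added here as an example rather than taken from the original article. It classifies responses in the shape returned by the EC2 `describe-snapshot-attribute` call for `createVolumePermission`; the snapshot IDs, account IDs and trusted-account list are constructed for illustration.

```python
import json

# Constructed sample data in the response shape of
# `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`.
# Snapshot IDs and account IDs are made up.
SAMPLE_RESPONSES = json.loads("""
[
  {"SnapshotId": "snap-0aaa1111example01", "CreateVolumePermissions": [{"Group": "all"}]},
  {"SnapshotId": "snap-0bbb2222example02", "CreateVolumePermissions": [{"UserId": "111122223333"}]},
  {"SnapshotId": "snap-0ccc3333example03", "CreateVolumePermissions": []}
]
""")
TRUSTED_ACCOUNTS = {"444455556666"}  # assumption: accounts you intend to share with

def classify(response, trusted=TRUSTED_ACCOUNTS):
    """Return (snapshot_id, exposure, detail) for one permission response."""
    snap_id = response["SnapshotId"]
    perms = response.get("CreateVolumePermissions", [])
    # Group "all" means the snapshot is public.
    if any(p.get("Group") == "all" for p in perms):
        return snap_id, "PUBLIC", "any AWS account can create a volume from it"
    unknown = sorted(p["UserId"] for p in perms
                     if "UserId" in p and p["UserId"] not in trusted)
    if unknown:
        return snap_id, "SHARED_UNTRUSTED", ",".join(unknown)
    return snap_id, ("SHARED_TRUSTED" if perms else "PRIVATE"), ""

def audit(responses, trusted=TRUSTED_ACCOUNTS):
    """Return only the findings that need attention, worst first."""
    order = {"PUBLIC": 0, "SHARED_UNTRUSTED": 1}
    findings = [classify(r, trusted) for r in responses]
    return sorted((f for f in findings if f[1] in order), key=lambda f: order[f[1]])

def fetch_responses(region):
    """Live collection via boto3 (needs credentials; not used by the sample run)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    out = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            out.append(ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"))
    return out

if __name__ == "__main__":
    for snap_id, exposure, detail in audit(SAMPLE_RESPONSES):
        print(f"{exposure:17} {snap_id} {detail}")
```

Run it per region, since snapshots are regional, and treat every PUBLIC finding as a disclosure to review before simply removing the permission.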

Protecting Your Cloud and Other Services

This hacker’s paradise is the result of businesses lacking basic security information or expertise as they grow. IT security awareness needs to be at the heart of every business decision and IT process, from secure networking to strong access rights. If your company lacks that knowledge, then a security partner needs to be involved. Start on that journey today at the latest, as tomorrow could be too late.

Without securing the business, your client information could be stolen, leading to prosecutions and fines. Your databases could be kidnapped by ransomware or wiped, crippling the business, or sold to rivals. Even losing access to services can damage a company’s reputation and revenue.

As the number of IT-related security incidents grows, your business might not seem like a target. But the more cloud and third-party services you rely on, and the more people who have access, the more the risk increases. Amazon and other cloud providers have their own security, but it is down to individuals to manage all the features and settings properly, something that creates weak points, especially when all eyes are focused on growing the business.

Having an expert on hand can bolster your security and identify weak points across the business’s IT infrastructure, making’s services an essential that could save any company from a crisis or prevent it from going out of business.

Smart Tech Creates New Vulnerabilities That Traditional Services Can’t Defend Against

By Chris Knight

Attacks on businesses are coming from a whole different direction to what your IT department might be used to. They range from hijacked routers, smart hubs and printers to deeply hidden attack code in documents or other web services, and traditional solutions are no match for them.

Pity the poor receptionist who opens an important-looking email she thinks is from her boss with an attached spreadsheet. She launches that, and without knowing it compromises her whole company’s IT infrastructure, data and services. Or consider the increasing number of weak devices with common passwords or broken encryption, such as brand-name and generic IP cameras, many network routers and printers, which can be attacked directly by bots hunting down millions of these devices 24/7.

Once a hacker has found any exploit through phishing or direct attack, they can steal your data, hold it for digital ransom, or bring your business crashing to its knees. All done invisibly in a matter of seconds, just because they can. Traditional firewall and antivirus software is not sufficient to intercept these types of attack; it takes always-updated services with AI smarts to track down brand new threats and protect your endpoints, services and servers from attack.

Attacks have destroyed the IT systems of giant companies like shipping firm Maersk while endless small businesses are wiped out due to a lack of precautions, thinking it will never happen to them. Computers and services might be considered a consumable, almost throwaway service, by many, but when their files vanish and they don’t have backups, reality bites very hard indeed.

As we all rely increasingly on IT to get more of our business processes done, hackers know they can take systems and services down, and many companies will pay up to get them back, even if the criminals have no intention of restoring them. In short, this is a battle your business cannot afford to lose.

Protect Your Business From All Threats

As there is no such thing as “totally secure” in the digital era, your business needs a range of tools to protect the company’s IT infrastructure and data. You need to protect both endpoints (including PCs, smartphones, tablets and other gadgets) and your cloud presence and remote services.

Every company also needs network security tools and design advice to build a network robust enough to defend against hackers and agile enough to adjust should a DDoS or other outage occur. Startups with a cluster of random network appliances are at massive risk, thinking they are too small to be hit, but automated attacks can easily devastate the company before people can react.

With all the services in place, there is still no guarantee, so penetration testing can automatically see just how secure your network is and highlight any weak spots. And the attacks can be run repeatedly using the latest information and weaknesses to check if your systems are secure.

Using any or all of these services, your business stands a better chance of survival than using the traditional methods alone. And if there is an attack, incident response gives you professional advice rather than having staff floundering around looking for the source.

You should also ensure your staff are well trained in how to spot phishing attacks, taught not to bring random personal devices into the office, and reminded to back up their own data alongside the company’s own precautions, in line with any legal requirements.

Tomorrow or next week, the threat landscape will change again with new risks, perhaps through your company chatbot or a partner’s cloud services. Using always-on, multi-level security, you can protect against the vast majority of threats.