Scary thoughts – Data safer in a cupboard or the Cloud?

halloween-postJohn Kleeman HeadshotPosted by John Kleeman

Is it safe to put your data in the Cloud? Or is it safer in a server in a cupboard under your desk, or even in an internal corporate data center? It’s scary how many organizations think a local server is in fact safer than the cloud, when this isn’t always the case.

I was struck recently by a surprising statistic in the 2016 Data Breach Investigations Report by Verizon. This is a very well respected annual report (available here) on security breaches and how to prevent them.

The surprising and scary data relates to the number of data breaches that are caused by publicly announced bugs in software that organizations have not patched. When security vulnerabilities in software like Microsoft Windows or other widely used software is identified, it is given a CVE number and put in a CVE database. CVEs vary with severity. More serious ones might allow an attacker to gain access to a server without permission; others might be a gap in security that could allow an attacker to increase their access or gain access in conjunction with some other exploit. For almost all CVEs, it’s important to patch them to avoid risk.

In the graph below, you can see that during 2015, around 70 CVEs found in 2015 were exploited in 2015, but an amazing number of other vulnerabilities were also exploited – some dating back many years. So a large number of actual breaches are caused by organizations not fixing vulnerabilities that were found and fixed last year or in previous years.

Graph showing count of CVEs exploited in 2015 by CVE publication date showing a large number of vulnerabilities from prior to 2015 still exploited in 2015

Questionmark, like any other reputable cloud vendor, has a well organized process to keep watch for publicly announced security vulnerabilities. We subscribe to all the appropriate information feeds — and when we hear of a vulnerability, we review the risk and if it is critical, we will deploy very quickly; even if that means disrupting our team’s other projects to ensure security is paramount.

But the graph above shows that some organizations don’t update their systems reliably or often enough. Or else they incorrectly deploy software and get caught by old vulnerabilities. The scary thing is that once a vulnerability is disclosed, attackers set up programs to try attacks based on it indiscriminately.  As the Verizon report says, “attackers automate certain weaponized vulnerabilities and spray them across the internet, sometimes yielding incredible success.”

We can draw an analogy between this and money. Some people are worried that it’s not safe to keep money in the bank, and they store their cash in a cupboard or under a mattress. Those people don’t get hurt by bank fraud but are much more vulnerable to fire, theft and other risks of keeping money at home.

Many organizations that use on-premise software have well-staffed, professional IT departments that implement software fixes promptly and quickly. But the graph above shows that many organizations worldwide do not patch their software for vulnerabilities quickly or at all. You could think that those organizations are essentially keeping their data in a cupboard or under the mattress.They might think it’s safe as it’s under their control, but if you don’t have a well-organized process to fix patches reliably and fast, that safety is only an illusion.pumpkin

Is your assessment data in a cupboard? If so, consider putting it in in the Cloud with a system like Questionmark OnDemand!

Wishing Everyone a Safe and Happy Halloween!

Leave a Reply