Most Prevalent Incident Types Vary Between On-Premises and Cloud
Still, the most prevalent types of incident do vary between on-premises environments and CHP environments. The top three incident classes for on-premises data centers were malware/botnet (affecting 56 percent of customers), brute force (49 percent of customers) and vulnerability scans (40 percent of customers). For CHPs, the most common incidents were brute force (44 percent), vulnerability scans (44 percent) and web application attacks (44 percent).
"Our intelligence suggests that the observed increase in cloud attacks is correlated to the growth of cloud adoption in the enterprise," Coty says. "As more enterprise workloads have moved into the cloud and hosted infrastructures, some traditional on-premises threats have followed them. This reinforces the necessity for enterprise-grade security solutions specifically designed to protect cloud environments."
"The number one thing you need to really understand in a cloud environment is that security in the cloud is a shared responsibility," Coty says. "The service provider is responsible for the foundation. They're even responsible for some level of perimeter security, hardening the hypervisor, giving you root access to your instance. But other than that, you as a consumer are 100 percent responsible for what happens in that environment. The better you understand the shared model between you and your service provider, the better you'll be able to secure your environment. That really applies to all service providers."
Honeypots in European Clouds Attract the Most Flies
Alert Logic's cloud honeypots also told an interesting story. The company deployed its honeypots in public cloud infrastructures around the world in an effort to observe the types and frequencies of attacks, as well as how they vary geographically. Alert Logic found that honeypots in European clouds experienced the highest number of attacks: four times more than honeypots in U.S. clouds and twice as many as honeypots in Asian clouds.
The attack types observed against European honeypots were tremendously varied. They included: MS-SQL Server (13 percent), MySQL (13 percent), HTTP (13 percent), RPC (13 percent), FTP (13 percent) and MS-DS (35 percent).
"The attacks in Europe were probably more diverse than anywhere else in the world," Coty says. "Outside of attacks on Microsoft Directory Services, everything was about 13 percent across the board."
Coty attributes the number and variety of attacks in Europe to Eastern European malware "factories," primarily in Russia, testing their efforts locally before deploying worldwide.
"The Eastern European guys who write a lot of this code test it in their own backyard," Coty says. "It originates from Europe. Once they've successfully deployed one place in Europe, they just go all over the globe now."
In Asia, the story is different. Attacks on MS-DS represent 85 percent of incidents there, particularly attacks on port 445. Coty attributes this to the plethora of pirated (and unpatched) Microsoft software in China and some other Asian countries. Port 445 supports direct hosted "NetBIOS-less" SMB traffic and file-sharing in Windows environments and, if not locked down appropriately, it is an easy target for accessing files and infecting systems.
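As an added illustration of the per-region, per-service breakdown the honeypot figures above represent (this is not Alert Logic's code; the port-to-service map, the region labels and the log lines are constructed assumptions), the script below classifies connection attempts by destination port, computes each service's share per region, compares attack volume between regions, and flags a region where one service dominates, as MS-DS on port 445 does in Asia:

```python
"""Break honeypot connection attempts down by targeted service and region.
Added example, not Alert Logic's code: the port map and log lines are constructed."""
from collections import Counter, defaultdict

# Assumed mapping from destination port to the incident class used in the report.
SERVICE_BY_PORT = {1433: "MS-SQL", 3306: "MySQL", 80: "HTTP",
                   135: "RPC", 21: "FTP", 445: "MS-DS"}  # 445 = direct-hosted SMB

# Constructed log lines: "<timestamp> <region> <src_ip> -> <dst_port>".
SAMPLE_LOG = """\
2014-04-01T00:00:01Z EU 203.0.113.5 -> 445
2014-04-01T00:00:07Z EU 203.0.113.9 -> 445
2014-04-01T00:00:20Z EU 198.51.100.3 -> 1433
2014-04-01T00:00:45Z EU 203.0.113.17 -> 80
2014-04-01T00:01:15Z EU 203.0.113.19 -> 21
2014-04-01T00:01:30Z US 192.0.2.10 -> 445
2014-04-01T00:02:00Z ASIA 192.0.2.20 -> 445
2014-04-01T00:02:09Z ASIA 192.0.2.21 -> 445
2014-04-01T00:02:18Z ASIA 192.0.2.22 -> 445
2014-04-01T00:02:40Z ASIA 192.0.2.24 -> 8080
"""

def parse_line(line):
    """Return (region, dst_port) from one log line; raise ValueError if malformed."""
    _ts, region, _src, arrow, port = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log format: {line!r}")
    return region, int(port)

def classify(log_text):
    """Count hits per region and service; ports outside the map count as 'other'."""
    per_region = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.strip():
            region, port = parse_line(line)
            per_region[region][SERVICE_BY_PORT.get(port, "other")] += 1
    return per_region

def shares(counter):
    """Percentage of a region's hits per service, rounded to one decimal place."""
    total = sum(counter.values())
    return {svc: round(100 * n / total, 1) for svc, n in counter.items()}

def attack_ratio(per_region, region_a, region_b):
    """How many times more hits region_a saw than region_b."""
    return sum(per_region[region_a].values()) / sum(per_region[region_b].values())

def dominant_service(counter, threshold=50.0):
    """Service holding more than `threshold` percent of a region's hits, else None."""
    return next((s for s, pct in shares(counter).items() if pct > threshold), None)
```

Run against real honeypot output, the same breakdown makes a sudden jump in one service's share (or in one region's volume) visible early, which is the signal a defender would use to tighten exposure of that port.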