0% found this document useful (0 votes)
311 views54 pages

Cloud Computing Security Breaches

The document discusses several security risks associated with cloud computing including loss of control over data and applications, lack of trust, multi-tenancy issues, and potential for data corruption or loss. It also provides examples of principal security dangers to cloud computing and strategies for mitigating risks.

Uploaded by

leon77banga
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
311 views54 pages

Cloud Computing Security Breaches

The document discusses several security risks associated with cloud computing including loss of control over data and applications, lack of trust, multi-tenancy issues, and potential for data corruption or loss. It also provides examples of principal security dangers to cloud computing and strategies for mitigating risks.

Uploaded by

leon77banga
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 54

Presented By

Sahil
What is Cloud Security ?
Cloud security is an evolving sub-domain of
computer security, network security, and, more
broadly, information security. It refers to a broad set
of policies, technologies, and controls deployed to
protect data, applications, and the associated
infrastructure of cloud computing.
Security Issues in the Cloud
LossofControl
Takebackcontrol
Dataandappsmaystillneedtobeonthecloud
Butcantheybemanagedinsomewaybytheconsumer?
Lackoftrust
Increasetrust(mechanisms)
Technology
Policy,regulation
Contracts(incentives):topicofafuturetalk
Multi-tenancy
Privatecloud
Takesawaythereasonstouseacloudinthefirstplace
Strongseparation

Loss of Control in the Cloud


Consumerslossofcontrol
Data,applications,resourcesarelocatedwithprovider
Useridentitymanagementishandledbythecloud
Useraccesscontrolrules,securitypoliciesandenforcementaremanaged
bythecloudprovider
Consumerreliesonprovidertoensure
Datasecurityandprivacy
Resourceavailability
Monitoringandrepairingofservices/resources

Example :
Lack of Trust in the Cloud
Abriefdeviationfromthetalk
(Butstillrelated)
Trustingathirdpartyrequirestakingrisks
Definingtrustandrisk
Oppositesidesofthesamecoin(J.Camp)
Peopleonlytrustwhenitpays
Needfortrustarisesonlyinriskysituations
Defunctthirdpartymanagementschemes
Hardtobalancetrustandrisk
e.g.KeyEscrow(Clipperchip)
Isthecloudheadedtowardthesamepath?
Multi-tenancy Issues in the Cloud
Conflictbetweentenantsopposinggoals
Tenantsshareapoolofresourcesandhave
opposinggoals
Howdoesmulti-tenancydealwithconflictof
interest?
Cantenantsgetalongtogetherandplaynicely
?
Iftheycant,canweisolatethem?
Howtoprovideseparationbetween
tenants?

Principal security dangers to


cloud computing
Principal security dangers
Loss of governance
Responsibility ambiguity
Isolation failure
Vendor lockin
Compliance and legal risks
Handling of security incidents
Management interface vulnerability
Data protection
Malicious behavior of insiders
Business failure of the provider
Service unavailability
Insecure or incomplete data deletion

Mitigating Risk

Ensure effective governance, risk and compliance processes exist
Audit operational and business processes
Manage people, roles and identities
Ensure proper protection of data and information
Enforce privacy policies
Assess the security provisions for cloud applications
Ensure cloud networks and connections are secure
Evaluate security controls on physical infrastructure and facilities
Manage security terms in the cloud SLA
Understand the security requirements of the exit process

Data corruption or loss
As more businesses move their operations
to the cloud and other virtual
environments, a new survey reveals some
of the pitfalls associated with storing
critical information there.

The survey revealed that 65 percent of
businesses and other organizations have
frequently lost data from a virtual
environment,
Data corruption or loss
According to the survey, common causes of
data loss from virtualized environments
include:
file system corruption
deleted virtual machines
internal virtual disk corruption
RAID and other storage
server hardware failures
deleted or corrupt files
Cause of Data Failure
Top 5 causes of
data loss
Software
failure
Hardware
failure
Human
error
Employee
theft
Cybercrime
Risk Score
3
Factoid A Awareness
Category: People
Class: Training
Frequency: High
Impact: High
Vulnerability:

Inadequate user and Cloud servicer provider employee awareness training
on cyber and other security risks.

Threat Actors:

Cloud service provider employees and Cloud users (inadvertently).

Risk:

Poorly trained or unaware employees are less likely to detect and respond
to internal or external data security breaches or threats.

Key Controls:

Contractual terms that specify the training regime required, supported by
quality assurance and audit processes. Similar training must also occur in-
house at the users site.
2
Percentage of people surveyed by (ISC) who believed
that the weather could affect Cloud services.
25%
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid
E Cloud Provider Employees
Category: People
Class: Background Checks
Frequency: High
Impact: Medium
Vulnerability:

Because Cloud services are generally hosted overseas, the same employee
screening checks as those used at home may not be possible. In many
cases, they may not even be legal.

Threat Actors:

Foreign rogue employees and criminals or single issue extremists.

Risk:

Cloud service providers may be penetrated by threat actors intent in
accessing hosted data or subverting key systems.

Key Controls:

Prior investigation to short list Cloud providers and who can and do
conduct suitable pre-employment screening.
Percentage of businesses stating that employee lack of
awareness is a greater threat to data security than
attacks by cyber criminals.
65%
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid
U User Account Management
Category: People
Class: User privileges
Frequency: High
Impact: Medium
Vulnerability:

A failure to amend users system privileges when they change roles or leave
the organisation.

Threat Actors:

Cloud service provider employees and sub-contractors.

Risk:

Users retain access rights after they are no longer required. Any resulting
abuses may be difficult to track.

Key Controls:

Close, automated liaison between HR and Security to ensure that all role
changes result in a review of user access rights plus regular audits of user
accounts and roles to verify appropriateness.
Percentage of UK residents expressing concern that
companies or their employees would sell on their
personal data without approval.
97%
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid Regulatory Non-compliance
Category: Applications
Class: Data Protection
Frequency: High
Impact: High
Vulnerability:

Data held or manipulated by third party service provider employees in
foreign jurisdictions may not be subject to the same level of protection as
that required of the data controller by the regulator in the home country or
that agreed with the Cloud host.

Threat Actors:

Cloud service provider third party employees.

Risk:

Data breaches occurring overseas can lead to regulatory sanctions locally.

Key Controls:

Contractual defences designed to mitigate the potential for regulatory
penalties in the data custodians home country.
Percentage of UK business unable to quantify their
spending on data security.
80%
R
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid
C Data Classification Failures
Category: Applications
Class: Data Protection
Frequency: High
Impact: High
Vulnerability:

Poor processes for classifying data according to sensitivity and type can
lead to sensitive data being transported to Cloud storage inappropriately.

Threat Actors:

Employees and sub-contractors of the data controller.

Risk:

Data that should not be placed in Cloud storage is moved to remote
storage without the appropriate controls being implemented.

Key Controls:

A structured and audited data inventory and classification framework and
supporting processes. Regular ongoing Cloud storage inventory audits.
Percentage of businesses that do not manage corporate
data held on personal mobile devices or in personal
Cloud storage.
60%
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid Ds Denial of Service
Category: Applications
Class: Service disruption
Frequency: Low
Impact: Critical
Vulnerability:

The dependency of Cloud users on remote services means that attacks or
technical failures that disrupt Cloud-based services or applications can halt
local business operations.

Threat Actors:

DoS or DDoS attackers, Malware Devs, Cloud provider staff or contractors.

Risk:

Partial or complete loss of access to key systems. Possible business failures
and/or financial losses.

Key Controls:

Localised disaster recovery and backups. Cloud provider resilience. Cloud
risk audits. Data classification and segmentation.
The number of UK Internet users who downloaded the
free Low Orbit Ion Cannon denial of service attack tool
over a period of just 3 days in 2012.
34,000
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid
Ec E-crime
Category: Applications
Class: e-Commerce Fraud
Frequency: High
Impact: Medium
Vulnerability:

E-Commerce platforms hosted in the Cloud are subject to attacks and
manipulation by internal and external fraudsters. Cloud service employees
with admin rights can potentially access sensitive payment data and
systems.

Threat Actors:

Cloud service employees, contractors, hackers, external fraudsters.

Risk:

Exposure and misuse of payment data or fraudulent payments for goods
and services via the payment platform.

Key Controls:

Payment Card Industry Data Security Standard (PCI DSS) controls & audits.
Cybercrime:
Espionage
Service denial
E-crime:
Financial fraud
Personal gain
E-crime and cybercrime have different motives, focuses
and effects. While they do overlap, cybercrime is
primarily technical and e-crime is essentially financial.
Copyright The Risk Management Group, 2013
Risk Score
2
Factoid H Hyperjacking
Category: Applications
Class: Takeover
Frequency: Low
Impact: Critical
Vulnerability:

Insecure Hypervisor (supervisory) Cloud applications can theoretically be
taken over by malicious attackers.

Threat Actors:

hackers or rogue employees.

Risk:

Control over the Hypervisor application stack gives the attacker control
over hosted Cloud applications and services can be denied or data
exposed. Crypto-extortion attacks are also possible.

Key Controls:

Logical security of the Hypervisor stack, supported by audits and regular
penetration testing.
The Cloud is becoming increasing fragmented and
complex. Once fairly well defined, new entrants and old
hands are both adding new types of service all the time.
Something-as-a-Service
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid
M Malware
Category: Applications
Class: Infections
Frequency: High
Impact: High
Vulnerability:

Like any other form of IT infrastructure, Cloud service platforms are
exposed to a wide range of malware infections, particularly if anti-malware
applications are not updated regularly.

Threat Actors:

Malware developers, Cloud users and hardware suppliers.

Risk:

Malware payloads can expose data, introduce persistent spyware, edit
operational parameters, facilitate account takeover or execute crypto-
extortion and logical denial of service attacks.

Key Controls:

Anti-malware applications from recognised suppliers, regularly updated.
90% 135/150
ANDROID OS
Percentage of mobile malware infections specifically
affecting the Android Operating System in 2013.
Image source: http://mashable.com/2011/08/12/mobile-malware/
Copyright The Risk Management Group, 2013
Risk Score
2
Factoid Sy Unauthorised Systems Access
Category: Applications
Class: Data Protection
Frequency: Low
Impact: High
Vulnerability:

Weak controls (e.g. poor or shared passwords) can lead to unauthorised
access to systems and data held in the Cloud.

Threat Actors:

hackers and data thieves, Cloud provider staff, joint Cloud tenants and sub-
contractors.

Risk:

Data is exposed, read, stolen, deleted or edited. Crypto-extortion attacks
may also result.

Key Controls:

Secure authentication, staff vetting, data encryption, key management,
contractual terms to establish liabilities and responsibilities, plus audits.
70%
Percentage of business reporting
that mobility and remote access
are their greatest data security
challenges.
Copyright The Risk Management Group, 2013
Risk Score
2
Quote Sc Side Channel Attacks
Category: Applications
Class: Data Protection
Frequency: Low
Impact: High
Vulnerability:

Only demonstrated in the lab so far, this form of attack involves a joint
Cloud tenant sniffing the authentication session for another tenant and
then engineering an intrusion.

Threat Actors:

Malicious joint Cloud tenants.

Risk:

Data may be exposed or corrupted and account takeover or crypto-
extortion attacks may occur, leading also to regulatory exposure.

Key Controls:

Multi-factor authentication, encrypted channels, contractual rights to
exclude selected joint tenants or exclusive tenancy agreements.
Multi-tenant environments: The protection
requirements for each tenant might differ, which can
make a multi-tenant cloud a single point of
compromise.

Hassan Takabi and James B.D Joshi, Gail-Joon Ahn, 2012
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid So Source Code
Category: Applications
Class: Intellectual Property
Frequency: Medium
Impact: High
Vulnerability:

Unrestricted access to application or object source code.

Threat Actors:

hackers, Cloud service provider employees, contractors.

Risk:

Theft of intellectual property or the manipulation of Cloud systems and
hosted code.

Key Controls:

Tight access restrictions to source code and the use of compiled (secure)
code that defies reverse engineering.
75%
Percentage of IT decision makers
who told Intel that they value
strong customer service and
technical support over higher
hosting prices.
Copyright The Risk Management Group, 2013
Risk Score
4
Factoid Sp Self Provisioning
Category: Applications
Class: Data Protection
Frequency: High
Impact: Critical
Vulnerability:

Frustrated by traditional IT project timelines and controls, many employees
now provision their own departmental Cloud services and pay with a credit
card.

Threat Actors:

Well intentioned but impatient employees.

Risk:

Data is placed in Cloud storage without classification and approval and
outside the prescribed control framework. Unsuitable Cloud service
providers may be selected.

Key Controls:

Rules on self-provisioning. Regular audits and data inventory checks.
45%
Percentage of employees who
reported that they have self-
provisioned some Cloud service
for full or partial business use.
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid
D Device Risks
Category: Network
Class: Access Control
Frequency: High
Impact: High
Vulnerability:

A failure to identify personal mobile or portable devices being used for
business purposes (laptops, tablets, PDAs and mobile phones) which often
present a higher risk level than desktop devices.

Threat Actors:

Mobile device users with infected devices, device thieves, malware
developers, hackers.

Risk:

Mobile devices are more easily stolen and are increasingly likely to be
infected by malware.

Key Controls:

Segmentation of access rights by device and/or connection type.
70%
30%
Allowed on site
Allowed for business use
The use of personal devices on business premises for
business-related use is rising.
Copyright The Risk Management Group, 2013
Risk Score
3
History lesson P Port Misuse
Category: Network
Class: Access Control
Frequency: High
Impact: Medium
Vulnerability:

Weak access controls on configuration and diagnostic ports within the
Cloud environment.

Threat Actors:

hackers and script kiddies, fraudsters and data thieves.

Risk:

Weak control over equipment ports can open the Cloud environment up to
a wide range of data theft and takeover threats.

Key Controls:

Proper user account management and restricted access to key commands
and systems (Firewalls, super user and system admin rights, etc.) all
reinforced by a sound audit and penetration test regime.
Hacking into configuration ports in the telecoms PBX
sector has been a long-standing problem which has
cost that industry hundreds of millions of dollars in
fraud losses over the past three decades.
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid
Ry Remote Access
Category: Network
Class: Access Control
Frequency: High
Impact: High
Vulnerability:

Remote user access has not been subjected to enhanced levels of security.

Threat Actors:

hackers, script kiddies, rogue employees, data thieves and state actors.

Risk:

Insufficiently validated remote users are able to access sensitive systems
and data.

Key Controls:

Multi-factor authentication for remote users, supported by an audit and
penetration testing programme.
60%
The percentage of new vehicles produced in the USA
that can remotely access Cloud Apps in 2013.
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid Si Sniffing & Interception
Category: Network
Class: Data Interception
Frequency: Medium
Impact: High
22%
Percentage of respondents who
told Intel that they had
experienced major challenges
in implementing Cloud security.
Vulnerability:

Unencrypted packets sent across the public Internet might be exposed to
interception.

Threat Actors:

hackers and state actors.

Risk:

Exposure of confidential data, session hijacking and man-in-the-middle
attacks.

Key Controls:

All sensitive data should be encrypted during transmission. Audits and
penetration tests should be used to validate the efficacy of this control.
Copyright The Risk Management Group, 2013
Risk Score
4
Factoid Id Insecure disposal
Category: Platforms
Class: Data Protection
Frequency: High
Impact: Critical
Vulnerability:

Cloud service providers often change out hardware without notifying the
parties accountable for the data contained within them. If not
professionally disposed of, such equipment may still hold confidential data.

Threat Actors:

Agents of foreign states, data thieves, corporate spies.

Risk:

Forensic recovery of data held on disposed equipment by a third party.

Key Controls:

Contractual and audit procedures to ensure that the data controller is
given advance warning of all equipment swaps and that professional
disposal routines are adopted.
11%
Percentage of companies
surveyed by Intel who stated a
preference for a Public Cloud.
The majority strongly preferred a
Private Cloud architecture.
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid Ih Infected Hardware
Category: Platforms
Class: Malware
Frequency: High
Impact: High
Vulnerability:

Grey market hardware and even some hardware from mainstream sources
have been proven to contain Spyware and other forms of APT malware,
apparently pre-installed at the point of manufacture.

Threat Actors:

Manufacturers, state sponsors, channel staff and engineers.

Risk:

Data exposure, crypto-extortion or denial of service attacks.

Key Controls:

Contractual terms that require the secure sourcing of Cloud service
hardware, along with a right to audit clause and a remote auditing
capability.
20%
Percentage of brand new laptops
already containing malware
when purchased during a
Microsoft investigation in
Chinese computer retail shops.
Copyright The Risk Management Group, 2013
Risk Score
3
Factoid Pf Platform failures
Category: Platforms
Class: Disaster Recovery
Frequency: Low
Impact: Critical
Vulnerability:

As with any IT system, Cloud platforms can fail and the data they contain
can be lost or damaged.

Threat Actors:

Malware developers or other attackers. Cloud service provider staff.

Risk:

Loss of data, corruption of data and loss of service.

Key Controls:

Disaster recovery and business continuity plans, including provisions for
local recovery infrastructure, must be implemented, audited and regularly
tested. Up-to-date anti-malware applications must also be installed.
66%
Percentage of business
informing Intel that data loss and
compromised platform or
infrastructure assets are their
biggest concerns when it comes
to Cloud outsourcing.
Copyright The Risk Management Group, 2013
Risk Score
2
Factoid Ps Physical Security
Category: Platforms
Class: Access Control
Frequency: Low
Impact: Medium
Vulnerability:

Smaller Cloud service providers might not be able to offer the required
standards of physical site security and access control that larger, more
expensive providers can put in place.

Threat Actors:

Intruders.

Risk:

Damage to or theft of hardware, data theft or exposure, data loss.

Key Controls:

Contractual definition of physical security and access control requirements,
confirmed by on-site audits and penetration tests.
99%
Percentage of business
informing Intel that security
played a major role in
determining their Cloud
deployment strategy.
Copyright The Risk Management Group, 2013
Cloud Risks Threat Actors
Fa The Fraudster
Typical motives

The goal of the online fraudster is simply to
make a financial gain or cause a financial
loss through the use of deception. His or
her motives are generally restricted to
either profit or revenge.
Profile

The online fraudster comes in many forms,
including the old-fashioned financial
fraudster, the e-commerce fraudster, the
payment card fraudster, the mortgage
fraudster, the insurance claim fraudster, and
those attempting to commit market abuse
or similar crimes. Indeed, there are any
number of fraudster profiles online, limited
only by the range of services, payment
mechanisms and business models on offer.
Copyright The Risk Management Group, 2013
Ha The Hacker
Profile

The traditional hacker is a technical expert,
often renowned for his or her skill and
generally proud of it. The hacker specialises
in breaking into systems by breaching
security using high-tech methodologies. He
or she may view corporations and
governments with suspicion and will often
hold the opinion that software and data
should be free of charge and free to access
for all. Few in number, experts of this ilk
keep a low profile and use pseudonyms to
disguise their real identities.
Typical motives

The hackers motives can be difficult to
define with confidence, particularly as
Hollywood stereotypes are as close as most
people will come to meeting a genuine one.
However, those hackers who have been
apprehended in the past, and who have
agreed to speak about their activities, have
often included the love of a technical
challenge and a dislike of the status quo as
drivers for their behaviour. Kudos or
reputation is sometimes cited as an
additional motive.
Copyright The Risk Management Group, 2013
Profile

The Hacktivist is a politically or ideologically
motivated hacker who tends to focus his or
her activities on particular governments,
organisations or high-profile individuals.
The employees of target organisations are
often targeted as well.

Often less technically skilled than a true
hacker, the hacktivist makes up for this
deficiency through extensive use of social
engineering and espionage, sometimes
placing spies within the target organisation
as employees.
Typical motives

Motives include single issue extremism,
political beliefs, religious zeal and
environmental concerns. Objections to
corporate profit-making, government
benefits cuts and related issues have also
been important influencers in recent years.

Some hacktivists act in support of nations
engaged in warfare or facing internal
rebellions, adding an asymmetric factor to
conventional military or political conflicts.
Ht Hacktivists
Copyright The Risk Management Group, 2013
Ma The Malware Developer
Profile

The malware developer has a great deal in
common with the hacker and may even be a
hacker in some cases, but his or her focus is
on building autonomous pieces of code that
have the ability to disseminate themselves
and infect multiple systems before
executing a variety of payloads.
Increasingly, malware developers are
working along commercial lines and using
their skills and their code to generate
revenue. Malware may also be used by
hackers to create entry points in target
systems.
Typical motives

Early malware developers were often
motivated by a desire to demonstrate
security vulnerabilities in software or
organisations, but modern malware
developers appear to be motivated
primarily by profit.
Copyright The Risk Management Group, 2013
In The Corrupted Insider
Profile

The Corrupted Insider begins his or her
employment in good faith but is either
tempted or subverted later on. They often
occupy a position of trust with access to
sensitive information or systems, which
makes them an ideal target for subversion.
Typical motives

Temptations often result from a
combination of either need or greed and
opportunity. Typical scenarios include the
perceived need to maintain an expensive
lifestyle or offers of financial reward by an
external attacker. Ideological factors may
also play an important role in influencing a
person to betray the trust placed in them.
Copyright The Risk Management Group, 2013
Sk The Script Kiddie
Profile

Far more common than the hacker is the script kiddie. Script kiddies lack the supreme
technical skills of hackers, but have sufficient skill and interest in the topic to be able to read
or view text and videos on hacking methods and to download and execute software scripts
specifically produced by hackers for them. Script kiddies, therefore, represent a channel to
market for hackers who wish to reduce their own risk or increase their scope by using a
multitude of less skilled hands. Many of the prominent denial of service attacks and code
injection attacks witnessed over the last two or three years were executed in large part by
script kiddies.
Typical motives

Because of their number, it is almost impossible to assign any
particular set of motives to this group, and they include single
issue extremists, bored teenagers, would be future hackers and
those with a grudge against a particular organisation or brand.
Copyright The Risk Management Group, 2013
Se The Social Engineer
Profile

The online social engineer is the Internet
version of the conman. He or she specialises in
understanding human behaviour and
psychology and in exploiting that to persuade
targets to either take or avoid specific actions,
often going against their better judgement.
Examples include persuading targets to disclose
personal data, bank account information, trade
or organisational secrets, and other confidential
information or opinions, as well as data
belonging to others.
Typical motives

Social engineers may seek such data for any
number of reasons. They might be hackers
themselves, or script kiddies, malware
developers, Internet investigators,
fraudsters and any other type of online
actor for whom the information obtained is
valuable as a source of access into secure
areas or as a mechanism for committing
fraud.
Copyright The Risk Management Group, 2013
Se The Spammer
Profile

The spammer is engaged in a commercial
activity which involves the distribution of
unsolicited messages by any available
electronic means in order to broadcast
advertising to a large target audience. In its
earliest manifestation, spam was typically
delivered via email, but as the technology
has evolved, the world has seen the
emergence of mobile phone spam, instant
message spam and more recently, social
media spam. Although organisations and
service providers have done a great deal to
manage the impact of spam on users and
consumers, spam remains a problem as it
uses up significant amounts of capacity in
the communications network, and at the
end of the day consumers still pay the cost
of this, though they may not be aware of
the fact.
Typical motives

Almost without exception, spammers have
a pure profit motive, although some forms
of denial of service or flooding attack can
have many of the characteristics of spam,
the difference being that such attacks will
tend to be directed at a relatively small
number of targets while spam is broadcast
to as many recipients as possible.
Copyright The Risk Management Group, 2013
Se The Spy
Profile

The online spy may be an agent of the state
or acting in the employ of a corporation. He
or she may also be part of a single issue,
organised crime or terrorist cell. Whatever
the nature of the organisation behind the
spy, the goals and methodologies of spies
are generally consistent; to gather secret
data for the purpose of creating business
intelligence, crime intelligence, military
intelligence or for cyber warfare planning.
This data may include competitive
information, customer data, pricing,
intellectual property, militarily dispositions,
information about Internet infrastructure
and systems, as well as state secrets. Spies
use many of the techniques described
above, including Internet investigations,
malware, hacking, social engineering, and
even fraud to achieve their ends.
Typical motives

A majority of online spies are believed to be
salaried individuals carrying out the
instructions of their employers, and in this
sense, their personal motives are largely
irrelevant. A minority of spies, for example
those engaged in terrorism or in supporting
single issue extremists, may have purely
ideological motives for their actions.
Copyright The Risk Management Group, 2013
Account Session Hijacking
Hijacking
Session Hijacking, is when you take someones cookie and inject it into
your browser, letting you log in without the password.

In beginner terms: Session Hijacking is taking the persons unique
code (cookie) stored in their browser while they are logged into
something (like GMail). If you have that code, you can put it into your
own browser, and trick the system into thinking you are that user. This
is a common method on how you can hack emails.
Example
Cloud Computing Security Models
There are a plethora of different reference
architectures, models and frameworks for
Cloud Computing. Which one should an
organization adopt? Of course theres no
straightforward answer to that question and
in this research note we provide guidance on
how to organize some of the best ideas that
are emerging in a practical structure that
should stand the test of time.
Who uses Clous Security and how ?
Security Model

You might also like