FBI Portland
Portland Media Office
(503) 460-8060
October 24, 2017

FBI Tech Tuesday—Building a Digital Defense Against Cloud Computing Dangers

Welcome to the Oregon FBI’s Tech Tuesday segment. This week: building a digital defense against the risks that come with cloud computing.

In recent years, we have seen an increase in the number of small and medium-sized businesses using cloud computing services.

If your business uses a cloud computing service, your data is stored on hardware owned by and housed at a different company. You access your information via a web-based service that you can log into from any of your company’s computers.

This system has its advantages. For example, it shifts the responsibility of buying and maintaining hardware and software from your business to your cloud computing service provider. You only need the right software and some computers from which you can run it.

However, cloud computing also comes with its own set of risks. The two biggest concerns? Losing access to your data and someone else stealing your data.

Losing access to your data can be caused by malware. This includes ransomware—where the bad guy demands money in exchange for returning your files—and distributed denial of service (DDoS) attacks—where the bad guy blocks your access by flooding your cloud computing service with requests. It can also be caused by something as simple as a power outage if the service provider doesn't take the proper precautions.

Data theft is primarily achieved through malware, particularly browser attacks. In a browser attack, the bad guy might be able to see what keys you press (including your passwords), record your browser session, or intercept communication between you and your database.

So how do you protect yourself? Ask questions!

  • Does your cloud service provider have adequate backups and redundancies? If the company hosts a backup copy of your data separate from the primary files, it could make that copy available to you in the case of a ransomware attack or a hardware failure.
  • Does your provider have adequate logging? If there is an attack, you want your cloud service company to have a clear idea of what happened so that it can patch its security against future attacks.
  • Does your provider have a distributed denial of service (DDoS) mitigation plan? The key phrase to listen for is "black hole." In this context, a black hole is an inactive or unused IP address where the unwanted traffic from a DDoS attack can be sent without notifying the bad guy.
  • Are strong password requirements enforced? Do you use two-factor authentication? Yes, bad guys might still be able to get your data without directly logging into your account, but why make it easy for them?
  • Do your employees know what a "phishing" attempt may look like and how to respond? They should be very aware of how this social engineering technique works and know not to click on any embedded links.
  • Finally, is your data encrypted at rest and in transit? You want legitimate users to be the only ones with the opportunity to read it.

For more information on cloud computing security or cyber crimes, check out the FBI’s website at www.fbi.gov. If you have been the victim of any Internet crime, you can file an online report at the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your local FBI office.