As the digital environment changes, so do the means and security risks of cybercrime. We interviewed Petri Riihikallio, an experienced AWS expert and trainer, to find out what you need to consider right now to reduce your security risks. We also asked Petri how AWS can be adapted to organisations with high security requirements, for example. Read Petr’s answers below.
Which security risks in particular should you be prepared for right now?
Encryption crackdowns are really common. An organisation will be completely paralysed if all its files are suddenly unusable. Virtual currencies make extortion easy and safe for criminals because the ransom is untraceable. Criminals can operate from anywhere in the world and automate their operations. Automated extortion is highly scalable and highly profitable. That’s why it’s being tried on such a large scale.
Distributed denial of service attacks are still being carried out. Denial of service attacks are essentially a nuisance attack for which there is no monetary gain, so criminals are not interested. In the beginning, these attacks were carried out by hackers who were in need of attention, but now they seem to be carried out by state actors. Some attacks are directed against visible targets, such as governments, but sometimes the rationale behind the choice of targets is difficult to understand. The intention is probably just to create uncertainty and frustration in the public.
Password fishing is still popular. Some of it is done by criminals, seeking bank codes or other personal data. You can no longer rely on the fact that you can tell it is a fishing expedition by its clumsy appearance or grammatical errors. The quality of fishing messages has been improving all the time. Even more dangerous is targeted phishing, where the target is a specific person. This person is first identified by gathering all possible information from public sources such as social media. Then familiar names and events are used to trick the target into signing up to the scam site.
What three things would you highlight to remember to minimise security attacks?
Of course, protecting against malware helps against encryption attacks, but the only sure way is to have up-to-date backups. Backups may sound boring and old-fashioned, but they are still important, even though backups are no longer much needed in case of malware. Backups should not be kept on the same machine, because then they too can become encrypted. Backups must be moved or otherwise prevented from being written to.
Cloud services can help against denial of service attacks. By using a cloud service provider’s protection, you can decentralise your own service to withstand distributed attacks. If it takes a thousand attack machines to suppress one machine, it takes a million bots to suppress a cloud operator’s farm of a thousand machines. Even if you still want to keep your service in your own data centre, you can route connection requests through a layer of protection in the cloud.
To combat password fishing, you can of course help by guiding users, but also by federating user accounts. Instead of having many passwords for different systems, it is worth centralising the passwords in a single, well-protected system. Users authenticate to this system using a number of methods – password, SMS, email, mobile app – and then have access to all the systems they need.
How is AWS suitable for organisations with very high security requirements and how is AWS suitable for handling or storing sensitive data?
AWS’s entire operation is open to the Internet, so AWS is forced to take security threats seriously for the sake of its own operations. AWS has a large number of employees who are responsible for security full time and are on site at all times of the day and night. All systems are monitored at all times. They have a huge amount of experience in dealing with different types of attacks and how to prevent them.
AWS complies with American standards PCI-DSS and HIPAA to protect payment transactions and patient data. Both of these are tough requirements, because a large part of the public’s trust in the functioning of society depends on these services. You can also comply with the European GDPR, for example by choosing where your data is stored. However, these are only the basic infrastructures on which a service built upon must also be designed to be secure. On the other hand, a reliable foundation is a good start for building a secure service. AWS has a lot of documentation on security – after all, they’ve seen it all. It’s good to learn from the experiences of others.
Aws security essentials 20 oktober
Security Engineering on AWS 14 – 18 september, 11 – 13 oktober
AWS Discovery day – Cloud Practitioner Essentials 20 oktober Kostnadsfritt.