
Cloud SaaS Ransomware Protection for Remote Workers

Since the beginning of 2020, with the onset of the global pandemic, businesses worldwide have embarked on the largest remote work initiatives ever seen.  In 2021, organizations remain largely remote-work-centric, with employees still working mostly from home offices.  Cybersecurity has come into clear focus as organizations have adjusted to longer-term remote work plans and as cyberattacks have surged since the start of the COVID-19 pandemic.

Ransomware remains a continued plague on business-critical data.  Attacks have increased as cybercriminals try to capitalize on the security gaps opened by the rapid shift to remote work.  Cloud Software-as-a-Service (SaaS) environments have seen massive growth because of the need for collaboration and seamless connectivity.  Even with data in cloud SaaS, ransomware poses a danger.  Let's look at how ransomware reaches the cloud SaaS data remote workers depend on, and how companies can protect that data.

Ransomware poses a tremendous threat to cloud SaaS data

Can ransomware really threaten your cloud SaaS data?

Many organizations and business leaders incorrectly assume that data stored in the cloud is immune to ransomware.  The confusion generally comes from the robust nature of cloud infrastructure: people equate the resilience of a cloud provider's infrastructure with an inability of ransomware to damage the data stored on it.  That is far from the truth.  Resilience protects against hardware failure and outages, not against an authorized client or application overwriting files with encrypted versions through the same APIs legitimate software uses.  Ransomware reaches cloud data in a couple of ways.

  • Compromised OAuth permissions delegation
  • File synchronization

Let’s see how ransomware can use each means to infect your cloud SaaS environments.

Compromised OAuth permissions delegation

You might say, "O-what?"  OAuth permissions delegation may not be a familiar term, yet most of us interact with OAuth daily: whenever a smartphone app is connected to a cloud SaaS account, or an add-on is integrated and allowed to access cloud data, OAuth is at work.  If you have seen a consent prompt similar to the one below, you have witnessed OAuth in action.

OAuth permissions delegation

OAuth permissions delegation is the "secret sauce" that lets third-party applications access and interact with your cloud data without ever seeing your password.  When you grant an application the permissions (scopes) it requests, the provider issues that application a token that lets it act under your identity, limited to the scopes you approved.  When a refresh token is issued along with it, the grant stays valid until it is revoked; logging out of the browser does not end it.

Most major cloud service providers, including Facebook, Amazon, Instagram, LinkedIn, Microsoft, Netflix, Apple, and PayPal, use the OAuth standard, now in its OAuth 2.0 version.  OAuth is an authorization protocol, technically not an authentication protocol (authentication on top of OAuth 2.0 is handled by OpenID Connect).  What is the difference?  Authentication verifies a user's identity; authorization establishes what that identity is permitted to access.

How does OAuth play into ransomware risk?  OAuth permissions delegation is a double-edged sword.  While it makes integrating third-party applications tremendously easy in cloud environments, it also lets an attacker abuse the consent workflow to dupe end-users into granting access to cloud data.  How so?

An attacker can use several means to present what looks like a legitimate app to end-users, most often a convincing email that leads to the malicious app's consent request.  Kevin Mitnick demonstrated what he called "Ransomcloud," an email lure that tricked end-users into granting permissions to a malicious application that could then encrypt cloud email in Microsoft Office 365.  The attack goes something like this.

An end-user opens what they assume is a legitimate email from Microsoft stating they have a "security update" to install for their Office 365 account.  The embedded link leads to a genuine Microsoft sign-in and consent page; only the application asking for permission is the attacker's.  The user signs in as usual, satisfying any multi-factor prompt, and then approves the mailbox permissions requested by the "security app."  At that point the attacker's app holds a token for the scopes it requested and can read and rewrite the user's mail through the same API legitimate mail clients use, so the ransomware has everything it needs to begin encrypting the user's email data.  No password was stolen, and the access persists until the consent is revoked.

The problem with OAuth is not really the way it works; it is the reliance on the end-user to screen each request for permissions.  Users are so accustomed and conditioned to click or tap "accept" on any permissions requested by third-party applications that they do so without thinking about security.  That does not bode well for companies relying on end-user employees to correctly screen malicious requests for access to business-critical data.

File Synchronization

Another risk to cloud SaaS data comes from file synchronization.  It is an older style of ransomware attack, but it still happens.  This vector comes into play when organizations synchronize on-premises or endpoint files to the cloud with desktop sync clients such as Google Drive for desktop or the OneDrive sync client.  The client watches for modified files and uploads each new version to replace the cloud copy, and changes synced up by one user are synced back down to every other user connected to the same shared storage.  The client cannot distinguish a legitimate edit from ransomware overwriting a file with ciphertext; both are simply newer versions.

That is how an infection on one endpoint spreads into cloud storage.  Suppose an on-premises user or a remote user working from home is infected with ransomware and running a sync client: the encrypted files are uploaded as new versions, and other users' clients then pull those encrypted versions down onto their own machines.  Extrapolating, a single infected remote user can damage vast quantities of shared organizational data unless the proper protections are in place.  Version history in Google Drive and OneDrive can help with recovery, but its retention is limited, so it is no substitute for the independent backups discussed later.
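The propagation path described above can be spotted from the sync activity itself.  The following is an added example, not code from the article or from any sync client: a small Python detector run over a constructed sync-activity log (the line format, users and paths are invented for the demo).  It groups each user's writes into bursts and alerts when most files written in a burst carry a known ransomware suffix or an extension nobody in the tenant had used before, and it also records whether the originals were deleted alongside the encrypted copies and whether a ransom note appeared.  The rule generalizes beyond the .locked suffix used here: any extension that appears out of nowhere during a burst counts.

```python
"""Flag ransomware-like write bursts in cloud-drive sync activity.
Added example, not code from the article or any sync client; the log format and
SAMPLE_LOG are constructed for the demo (a real detector would read audit events).
"""
import os
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, "timestamp user action path": carol is the remote worker
# whose infected laptop rewrites files that her sync client then uploads.
SAMPLE_LOG = """\
2021-03-02T09:00:01Z alice modify Finance/Q1/budget.xlsx
2021-03-02T09:01:00Z alice create Finance/Q1/notes.txt
2021-03-02T09:03:10Z bob create Marketing/photos/booth.jpg
2021-03-02T09:30:00Z dave create Marketing/photos/event 01.jpg
2021-03-02T09:30:02Z dave create Marketing/photos/event 02.jpg
2021-03-02T09:30:03Z dave create Marketing/photos/event 03.jpg
2021-03-02T09:30:05Z dave create Marketing/photos/event 04.jpg
2021-03-02T09:30:06Z dave create Marketing/photos/event 05.jpg
2021-03-02T10:31:02Z carol create Finance/Q1/budget.xlsx.locked
2021-03-02T10:31:02Z carol delete Finance/Q1/budget.xlsx
2021-03-02T10:31:03Z carol create Finance/Q1/forecast.xlsx.locked
2021-03-02T10:31:03Z carol delete Finance/Q1/forecast.xlsx
2021-03-02T10:31:04Z carol create Marketing/plan.docx.locked
2021-03-02T10:31:04Z carol delete Marketing/plan.docx
2021-03-02T10:31:05Z carol create HR/contracts/offer.pdf.locked
2021-03-02T10:31:05Z carol delete HR/contracts/offer.pdf
2021-03-02T10:31:06Z carol create Legal/policy.docx.locked
2021-03-02T10:31:06Z carol delete Legal/policy.docx
2021-03-02T10:31:07Z carol create Finance/Q1/README_TO_DECRYPT.txt
"""

SUSPICIOUS_EXT = {".locked", ".encrypted", ".crypt", ".enc"}  # common ransomware suffixes
NOTE_MARKERS = ("decrypt", "ransom", "restore_files")         # ransom-note file names


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    path: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, path = line.split(" ", 3)  # path may contain spaces
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, path))
    return sorted(events, key=lambda e: e.ts)


def bursts(writes, gap):
    """Group one user's writes into runs whose consecutive writes are at most `gap` apart."""
    runs = []
    for e in writes:
        if runs and e.ts - runs[-1][-1].ts <= gap:
            runs[-1].append(e)
        else:
            runs.append([e])
    return runs


def detect_bursts(events, gap=timedelta(seconds=60), min_writes=5, min_ratio=0.8):
    """One alert dict per burst in which most written files carry a known ransomware
    suffix or an extension nobody in the tenant had used before the burst began."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        writes = [e for e in evs if e.action in ("create", "modify")]
        for run in bursts(writes, gap):
            if len(run) < min_writes:
                continue
            start, end = run[0].ts, run[-1].ts
            baseline = {os.path.splitext(e.path)[1].lower() for e in events if e.ts < start}
            deleted = {e.path for e in evs if e.action == "delete" and start <= e.ts <= end}
            suspicious = paired = 0
            note = False
            for e in run:
                stem, ext = os.path.splitext(e.path)
                ext = ext.lower()
                suspicious += ext in SUSPICIOUS_EXT or ext not in baseline
                paired += ext in SUSPICIOUS_EXT and stem in deleted  # original removed after encrypted copy
                note |= any(m in os.path.basename(e.path).lower() for m in NOTE_MARKERS)
            ratio = suspicious / len(run)
            if ratio >= min_ratio:
                alerts.append({"user": user, "start": start, "end": end, "writes": len(run),
                               "suspicious_ratio": ratio, "paired_deletes": paired, "ransom_note": note})
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['user']}: {a['writes']} writes in {(a['end'] - a['start']).seconds}s, "
              f"{a['suspicious_ratio']:.0%} suspicious, {a['paired_deletes']} originals deleted, "
              f"ransom note: {a['ransom_note']}")
```

Running it prints one alert for carol and nothing for dave's photo upload, even though dave also writes five files within seconds, because .jpg was already in use in the tenant.  The thresholds (burst gap, minimum writes, suspicious ratio) are starting points to tune against a tenant's normal activity, and since the baseline of known extensions is built from the events before each burst, a detector fed from the provider's audit log should warm up on history before alerting.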

Cloud SaaS Ransomware Protection for Remote Workers

The work from home culture has undoubtedly changed how companies will do business for years to come, if not permanently.  With remote work a major part of how businesses are now maintaining business continuity, cybercriminals are doing their best to take advantage of this workforce shift.  How do we know this?

Statistics cited during the pandemic put the rise in cybercrime at around 600%.  Attackers know that businesses are preoccupied with merely maintaining business continuity.  With the shift to a mainly remote workforce, end-users are often working on sensitive business-critical data from insecure home networks.  Couple this with the fact that many companies had no effective means to manage and protect workstations, laptops, and other devices once they left the corporate network, and it is a recipe for cybersecurity disaster.

Attackers also realize that remote workers are more distracted than ever with work from home environments less than ideal.  It may include kids home from school, the pull of household duties, and a more lax attitude toward security when away from the corporate office and in the comforts of home.  Cybercriminals use malicious phishing campaigns, websites, and other avenues to target distracted and relatively unprotected remote workers.

Many businesses have migrated to cloud Software-as-a-Service (SaaS) environments to empower remote workers with the tools and capabilities needed for productivity and collaboration.  Both Google Workspace and Microsoft Office 365 have robust offerings that provide companies with the software tools and services needed to remain productive and collaborate no matter the remote workers’ location.  What steps can businesses take to provide cloud SaaS ransomware protection for remote workers? Let’s consider the following.

  1. Cybersecurity training
  2. Two-factor authentication
  3. Email protection
  4. Third-party apps protection
  5. Backups
  6. Proactive ransomware protection

1. Cybersecurity training

As described with OAuth, the weakest link often comes down to the end-user, who can undo even robust cybersecurity solutions and technical mitigations with a single click.  With continued work from home mandates, end-users must be properly trained to recognize security threats when they encounter them.  All too often, untrained end-users click freely on questionable links and attachments.  Proper training helps remote workers identify potential threats and think through the appropriate steps to take when they encounter one.

Remote workers need to be able to answer the following questions:

  1. What are the warning signs of suspicious emails?
  2. How can I verify that an email is from who it says?
  3. What steps need to be taken if a suspicious email or link is received?
  4. What if a third-party mobile app requests permissions to cloud SaaS data?
  5. What should I do if redirected to a strange website?

There are many other questions and scenarios end-users need to be aware of and know how to respond to appropriately.  The key is that companies actually provide cybersecurity awareness training for end-users.  Conveniently, most awareness training services are delivered online, which means remote workers can be trained from anywhere.  Trained end-users help protect cloud SaaS data from phishing, malicious third-party apps, browser plugins, and the other crafty schemes used to dupe them.

2.  Two-factor authentication

According to IBM's Cost of a Data Breach Report 2020, stolen or compromised credentials were the most expensive cause of malicious data breaches.  One in five (19%) of the breached companies studied traced the breach to compromised credentials, and those breaches cost about $1 million more than breaches with other causes, for an average total of $4.77 million.  Attackers often use compromised credentials to introduce ransomware into an environment.

One of the best defenses against credential theft is two-factor authentication.  Even if an attacker has a user's password, the second factor stands between them and the account.  Enabling two-factor authentication on all cloud SaaS accounts is a great way to bolster account security and cut off one common entry point for ransomware.  Two caveats: prefer authenticator apps or hardware security keys over SMS codes, which can be intercepted or redirected through SIM swapping; and remember that two-factor authentication does not stop the OAuth consent phishing described above, because the victim signs in legitimately, second factor included, before granting the malicious app its permissions.

3.  Email protection

Email is one of the primary ways an attacker delivers risky links, attachments, and other "lures" for end-users to click on to compromise their client, steal credentials, abuse OAuth, and introduce ransomware.  A strong email security solution that filters spam, phishing, and malicious attachments is a must.  No email security solution catches 100% of what comes through, but in conjunction with end-user cybersecurity training it dramatically reduces the chance of compromise through email.

4.  Third-party apps protection

Using a solution that protects your environment from malicious or risky third-party applications integrating with your cloud SaaS environment is crucial.  As mentioned earlier, attackers abuse OAuth permissions with a malicious application that masquerades as a legitimate one.  Once the end-user accepts its permissions request, the app can do whatever the granted scopes allow under that user's identity, including reading, changing, and deleting the business-critical data the user is entitled to.

Defining which third-party apps are acceptable and which are not is a great way to raise the bar from an OAuth standpoint.  Both Google Workspace and Microsoft 365 let administrators restrict which applications users may consent to, so the decision moves from each individual user to a tenant-level policy.  A cybersecurity solution that maintains an allow or deny list of applications, ideally informed by app reputation, provides an excellent defense for cloud SaaS environments.
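To make the screening concrete for both the consent-phishing lure described in the OAuth section and the allow/deny list recommended here, the following is an added example, not code from the article, from Spin Technology, or from Microsoft or Google.  It parses the authorize URL behind a consent prompt (Microsoft identity platform or Google), extracts the app's client ID, the requested scopes and whether a refresh token is being requested, and evaluates the request against a constructed tenant policy.  The client IDs, redirect hosts and policy are placeholders; the scope names and endpoint paths are real, but the ranking of "write" scopes is this example's own heuristic.

```python
"""Screen an OAuth consent request against a tenant allow/deny policy.
Added example, not code from the article or from any product. The authorize URLs,
client IDs and policy below are constructed; the scope names are real Microsoft
Graph and Google API scopes, but the risk ranking is this example's own heuristic.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Scopes that let an app change or delete data under the user's identity. Combined
# with a refresh token (offline_access on Microsoft, access_type=offline on Google)
# the app keeps that access after the browser closes, until the grant is revoked.
WRITE_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "Contacts.ReadWrite", "MailboxSettings.ReadWrite",
    "https://mail.google.com/", "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
}


@dataclass
class ConsentRequest:
    authority: str      # host serving the consent screen
    client_id: str
    scopes: set
    redirect_uri: str
    offline: bool       # will a refresh token be issued?


@dataclass
class Decision:
    verdict: str        # "allow", "review" or "block"
    reasons: list = field(default_factory=list)


def parse_consent_url(url):
    """Pull the fields that matter out of an authorize URL (Microsoft identity platform or Google)."""
    q = parse_qs(urlparse(url).query)   # decodes '+' and %20 in the space-separated scope list

    def first(key):
        return q.get(key, [""])[0]

    scopes = set(" ".join(q.get("scope", [])).split())
    offline = "offline_access" in scopes or first("access_type") == "offline"
    return ConsentRequest(urlparse(url).netloc, first("client_id"), scopes, first("redirect_uri"), offline)


def evaluate(req, approved, denied):
    """approved: {client_id: set of scopes an admin reviewed}; denied: set of client_ids."""
    if req.client_id in denied:
        return Decision("block", ["app is on the deny list"])
    if req.client_id in approved:
        extra = sorted(req.scopes - approved[req.client_id])
        if extra:   # a known app suddenly asking for more than it was approved for
            return Decision("review", [f"approved app requests unapproved scopes: {extra}"])
        return Decision("allow", ["app and scopes match the allow list"])
    reasons = ["app is not on the allow list"]
    writes = sorted(req.scopes & WRITE_SCOPES)
    if writes:
        reasons.append(f"requests write access to user data: {writes}")
    if req.offline:
        reasons.append("requests a refresh token, so access outlives the session")
    # Unknown app + write access + persistence is exactly the Ransomcloud shape.
    return Decision("block" if writes and req.offline else "review", reasons)


# --- Constructed tenant policy and sample requests (placeholder client IDs) ---
CALENDAR_APP = "aaaaaaaa-0000-0000-0000-000000000001"
APPROVED = {CALENDAR_APP: {"openid", "profile", "User.Read", "Calendars.Read"}}
DENIED = {"bbbbbbbb-0000-0000-0000-000000000002"}

LURE_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=cccccccc-0000-0000-0000-000000000003&response_type=code"
            "&redirect_uri=https%3A%2F%2Fsecurity-update.example%2Fcallback"
            "&scope=openid+profile+offline_access+Mail.ReadWrite+Mail.Send")
CALENDAR_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                f"?client_id={CALENDAR_APP}&response_type=code"
                "&redirect_uri=https%3A%2F%2Fcalendar-app.example%2Fcb"
                "&scope=openid+profile+User.Read+Calendars.Read")
CALENDAR_CREEP_URL = CALENDAR_URL + "+Calendars.ReadWrite"   # same app, one extra scope
DRIVE_URL = ("https://accounts.google.com/o/oauth2/v2/auth"
             "?client_id=123456789012-abc.apps.googleusercontent.com&response_type=code"
             "&redirect_uri=https%3A%2F%2Fdrive-tool.example%2Fcb&access_type=offline"
             "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive+openid")


def screen(url):
    return evaluate(parse_consent_url(url), APPROVED, DENIED)


if __name__ == "__main__":
    for name, url in [("lure", LURE_URL), ("calendar", CALENDAR_URL),
                      ("calendar creep", CALENDAR_CREEP_URL), ("drive tool", DRIVE_URL)]:
        d = screen(url)
        print(f"{name:15} -> {d.verdict.upper():6} {'; '.join(d.reasons)}")
```

An unknown app asking for write scopes plus persistence (the Ransomcloud shape) is blocked outright, whether it arrives through the Microsoft or the Google consent flow; an unknown app with modest scopes goes to review; and an approved app is allowed only for the scopes it was approved with, so scope creep in a later update is caught rather than rubber-stamped.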

5.  Backups

Making sure your cloud SaaS data is protected by enterprise-grade backups plays a vital role in keeping business-critical data safe from ransomware.  There is no substitute for proper backups, and under the shared responsibility model of cloud SaaS environments, organizations remain ultimately responsible for their data.

With ransomware there are, in practice, two ways to get data back: restore it from a backup, or pay the ransom.  Relying on the latter is not an acceptable plan, and payment does not even guarantee a working decryptor.  Cloud SaaS providers like Google and Microsoft do not provide a full point-in-time backup and restore as part of the standard service; version history and recycle bins help, but their retention is limited.  That makes it critical for companies to use a reliable, fully featured third-party backup solution for cloud SaaS data.

6.  Proactive ransomware protection

Proactive ransomware protection using artificial intelligence (AI) and machine learning (ML) can be potent in the fight against ransomware.  Signature-based malware detection alone is no longer sufficient against modern malware, including ransomware that changes form faster than signatures can be published.  With AI and ML, companies can detect malicious behaviors, such as a sudden burst of file rewrites, rather than waiting for a known sample.

With the tremendous amount of end-user activities, logs, file changes, and other activities in cloud environments, effective cybersecurity must leverage machine intelligence in the war against current and future cybersecurity threats.  Using AI and ML technologies, ransomware protection can be proactive instead of reactive.

SpinOne Cloud SaaS Ransomware Protection

For robust cloud SaaS ransomware protection for remote workers and others, businesses need to take a proactive approach that combines enterprise backups with next-generation cybersecurity.  SpinOne is a modern solution from Spin Technology that brings both together, balancing data protection and data security.

It provides the features organizations using cloud SaaS environments for productivity and collaboration need.  SpinOne's approach is that backups and cybersecurity are both required to be effective against today's threats.  Its proactive ransomware protection detects ransomware activity, stops it, and restores the affected data, a real answer to the all-important question: how do you protect against ransomware?

Features included with the SpinOne solution include:

  • Automatic, incremental backups
  • Insider threat protection
  • Third-party apps control
  • Alerting and Reporting
  • Ransomware Protection

Beyond the automatic backups, insider threat protection, and third-party apps control that filters unwanted apps, SpinOne provides machine intelligence that watches, guards, and protects your environment 24x7x365.

The ransomware protection module provides an automated five-step response including:

  1. 24x7x365 cybersecurity scanner detects ransomware activity automatically
  2. SpinOne automatically blocks the ransomware process
  3. It identifies any files that were affected
  4. Files are automatically recovered from the last good backup taken by SpinOne
  5. SpinOne notifies the cloud SaaS administrator about the ransomware attack

Learn more about how SpinOne can protect your environment here.
