ENSPIRING.ai: Cloud Security Risks - Exploring the latest Threat Landscape Report
The video discusses the evolving threat landscape in the cloud computing industry, projected to reach $600 billion in 2024. As more data moves to the cloud, IBM's X-Force Research Group is evaluating the risks associated with this transition. The group leverages threat intelligence reports, penetration tests, incident response planning, and insights from the dark web to assess vulnerabilities.
Key vulnerabilities identified in the report include cross-site scripting and stolen credentials, with cross-site scripting accounting for a significant percentage of discovered vulnerabilities. The report highlights how these vulnerabilities occur and affect online security, as well as methods like multifactor authentication and passkeys that can mitigate these issues.
Key Vocabulary and Common Phrases:
1. attack surface [əˈtæk ˈsɜrfɪs] - (noun) - The sum of the different points where an unauthorized user can try to enter data to or extract data from an environment. - Synonyms: (vulnerable points, access points, entry points)
And what that means is an expanded attack surface.
2. penetration tests [ˌpɛnɪˈtreɪʃən tɛsts] - (noun) - Simulated cyber attacks against a computer system to check for exploitable vulnerabilities. - Synonyms: (security testing, vulnerability scanning, ethical hacking)
IBM's X-Force team is called in to do penetration tests.
3. incident response [ˈɪnsɪdənt rɪˈspɒns] - (noun) - A formal, coordinated approach to addressing and managing the aftermath of a security breach or cyberattack. - Synonyms: (crisis management, emergency response, breach handling)
We also do incident response planning and the emergency response services that go along with that.
4. Common Vulnerabilities and Exposures (CVE) [ˈkɒmən ˌvʌlnərəˈbɪlɪtiz ənd ɛkˈspəʊʒəz] - (noun) - A list of publicly disclosed computer security flaws or weaknesses. - Synonyms: (security flaws, security threats, system weaknesses)
But it came in at 27% of the newly discovered common vulnerabilities and exposures.
5. cross-site scripting [krɔːs-saɪt ˈskrɪptɪŋ] - (noun) - A security vulnerability that allows an attacker to introduce malicious scripts into web pages viewed by other users. - Synonyms: (XSS, script injection, code injection)
It's something called cross-site scripting.
6. session tokens [ˈsɛʃən ˈtəʊkənz] - (noun) - Small pieces of data that a server sends to clients to identify an active session, often used in web applications to remember the state of a user's session. - Synonyms: (session identifiers, authentication tokens, session cookies)
For instance, one of the things it can do is hijack his session by allowing the bad guy to take his session tokens.
7. phishing [ˈfɪʃɪŋ] - (noun) - A cyber attack that uses disguised email as a weapon to trick individuals into disclosing personal information. - Synonyms: (email scam, spoofing, email deception)
Phishing and business email compromise.
8. business email compromise [ˈbɪznɪs ˈiːmeɪl ˈkɒmprəmaɪz] - (noun) - A type of scam targeting companies that conduct wire transfers and have suppliers abroad. - Synonyms: (email fraud, email scam, business impersonation)
Business email compromise, 39%.
9. impersonation attack [ɪmˌpɜːrsəˈneɪʃən əˈtæk] - (noun) - A type of cybersecurity attack where the attacker pretends to be another user or a system in the network. - Synonyms: (identity spoofing, masquerade attack, deception)
In these situations, I'm dealing more with impersonation, impersonation attacks.
10. multifactor authentication [ˌmʌltiˈfæktər ɔˌθentiˈkeɪʃən] - (noun) - A method of confirming a user's identity by requiring multiple credentials. - Synonyms: (two-factor authentication, dual-step verification, security verification)
One way that I could drive it in that direction is multifactor authentication.
Cloud Security Risks - Exploring the latest Threat Landscape Report
The cloud computing industry is expected to hit $600 billion in 2024. That's a lot. And what that means is a lot of your data that currently is in house or on-prem is going to be moving to the cloud. And what that means is an expanded attack surface. So that's why we're taking a look, specifically IBM's X-Force research group, at what is the cloud threat landscape. What are some of the things that we're using to determine that? Well, this is our fifth year of doing this report, so we've got a lot of experience with this, and some of the areas that we're using to draw our conclusions are threat intelligence reports. We have a lot of access to information about what's going on on the global Internet, and we use that information in this report. Some other things: IBM's X-Force team is called in to do penetration tests. So we learn things from those penetration tests, where there are particular weaknesses. We also do incident response planning and the emergency response services that go along with that, when the companies call up and say, hey, our hair is on fire, where's the fire extinguisher? So we try to help figure out those kinds of things. And those incidents also inform this.
And then also we look at a thing called the dark web, which is essentially a part of the web that most people never see. And it's an area where a lot of hackers hang out and they discuss things, and we like to sit in and listen on what they're discussing. Okay, let's take a look at what some of the key takeaways and recommendations were from that report. Well, number one on the list is actually not a new one. It's been around for a good long time, but it came in at 27% of the newly discovered common vulnerabilities and exposures. And it's something called cross-site scripting. Cross-site scripting, like I said, is not new. It's been around for a couple of decades, but it's still hurting us. How does that work? Well, here's the short version. If you've got a website and a bad guy is able to insert, let's say, in the comments section, he's able to put in a link, and that link contains some additional code, maybe some JavaScript. That's the insertion that's happening here, and he's putting that into the website. Another guy comes along and reads that and clicks on the link. Once he clicks on the link, now this content is running on him. It wasn't content supplied by the website, it was content supplied by the bad guy.
And what can that do? Well, a number of bad things. For instance, one of the things it can do is hijack his session by allowing the bad guy to take his session tokens and then control the session from that point forward. Another thing that can happen is he can be redirected off to some other sketchy website and not realize that, in fact, he's even left this one. It could do a lot of other things, like making this site even look different to him than what it should be. It could implant malware on his system. A lot of different things that could happen. Really bad stuff. And we're seeing this continue. There are a lot of things that we can do, and I'll talk about at the end of the video that will help prevent that.
All right. Our number two takeaway from the report also was the second most impactful in terms of it being seen in terms of vulnerabilities, and that is stolen credentials. Compromised credentials: basically, think passwords. And it turns out this was 20% of the incidents that we found. So that's a lot. And what we saw in particular that was concerning in this trend is when our X-Force researchers looked on the dark web, which is sort of considered a marketplace where a lot of bad guys are hanging out and they are buying and selling credentials and all sorts of things like that. And we observed that the cost of credentials, the average cost of these, went down 13% in the last two years. Well, that means if it's cheaper to buy passwords, then it's going to be easier for the bad guys to buy more of them. It's going to be easier for them to log in than it is to hack in. And that is, in fact, what we've seen.
Now, another way to look at this is as the cost of those credentials goes down, if we move over here to this side, then the threat level, in fact, is going up. So that's what we've seen so far. What we want to see, though, is a turn in this. Maybe I can't go make the cost of these credentials more expensive, but what I could do is do the opposite: make them worthless, drive them to zero. Then, in fact, I could make the threat go down. If these were, in fact, worthless, how could I do that? Well, one way that I could drive it in that direction is multifactor authentication. That means a password alone will not get you into this system. So therefore having a password is not really as valuable as it used to be. So that's going to cause the value of passwords to go down.
Another thing that would really help here is the use of passkeys. And I've got a video, two videos where I talk about these passkeys. They basically eliminate passwords and therefore make their value absolutely zero. So people that want to buy and sell these things would be selling useless commodities. That is a potential way for us to go to counteract this particular threat.
So let's dissect that last one that I just talked about. I said it's stolen credentials that are creating a lot of problems for us. How are people actually stealing those credentials? What are the main ways that they're doing it? Well, it turns out there are two main classes of attacks that are accounting for a large number of these: phishing and business email compromise. Let's talk a little bit about what those are.
In fact, phishing accounted for 33% of the incidents where we were dealing with this, and business email compromise, 39%. Now, hopefully you're familiar with this. You may not be as familiar with this, so let's talk a little bit about what the differences in these are. In a phishing attack, generally speaking, we're trying to target a whole lot of people, so it's not just a single person, although there are spear phishing attacks where we try to target a narrow subset of people, but it's still usually not just going after one person.
However, in the case of business email compromise, these tend to be going after just one person. And in most cases it's someone in the C suite, someone who's like a CEO, a CIO, a CFO, someone who's really in a position where if I were able to get their account, I'd be able to do a lot of damage. And it's a case where I send them an email, it's very highly tailored to their specific information, so it becomes very, very believable. So that's one of the big differences between these two.
In both of these, there's an element of deception. Obviously, with phishing, we're dealing with fake, typically fake websites, where I send you a link and then you're going to go to a site that looks like what the real one is but isn't, and then I'm going to collect your credentials when you try to log in. That's one way to do it. Or I send you an attachment of some sort, and then you open the attachment, maybe it puts malware on your system. And then from that, the next time you go to log in, with a keystroke logger I'm able to get your information. That's called an info stealer, so I can get whatever it is you type in. In these situations, I'm dealing more with impersonation. Impersonation attacks now are going to do something where I'm going to say, let's say I am the CFO and I'm sending an email to the CEO. So the chief financial officer sending an email to the CEO or one of the first lieutenants, one of the people that works for the CEO. And I'm saying, hey, this is me, your employee, trusted here. I need the following information. I need you to log in and approve this particular thing.
Something along those lines. So it's a very specific targeted impersonation attack. In both of these cases there's an element of social engineering, so that's what we have to look at. This is how the bad guys are getting in. Now you've seen what the problems are.
What can we do about it? What are the recommendations? Well, the first relates to cross-site scripting, and the first couple of things I'm going to refer to are really for website developers, and that is looking at something that nobody likes to do. And it's the hard work of validating all the inputs. That is, I've got to look at everything that comes into an input field and make sure that it doesn't, for instance, include a script, because that's where people should be, say, typing in comments, typing in their name, their email address. I don't expect executable code there, but if I don't check explicitly for it, then someone could put that in and then someone else comes along later and it does damage.
Another thing I want to do is encode outputs. And this one is more for web developers to understand what the HTML encodings are for special characters. I'm going to go over these things in more detail in another video on cross-site scripting. So look for that. But these are things that developers can do.
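The two developer-side recommendations above (validate inputs, encode outputs), together with the session-token theft the speaker describes earlier, as an added Node.js example that is not from the video or the X-Force report. The name rule, the cookie name `sid` and the sample comment are assumptions constructed for the example.

```javascript
// Added example (not from the video or report): output encoding, allowlist
// input validation, and a session cookie that injected script cannot read.

// 1. Encode outputs: map the five HTML-significant characters to entities so
//    untrusted text is rendered as text and never parsed as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Validate inputs with an allowlist (hypothetical rule for this form):
//    a display name is letters, spaces, hyphens and apostrophes, 1-64 chars.
const NAME_RE = /^[\p{L} '-]{1,64}$/u;

function isValidName(name) {
  return typeof name === 'string' && NAME_RE.test(name);
}

// Render one comment as an HTML fragment. Validation and encoding are separate
// layers: a name that passes the allowlist is still encoded on output, and the
// free-text body (which cannot be allowlisted) relies on encoding alone.
function renderComment({ name, body }) {
  if (!isValidName(name)) {
    throw new Error('invalid display name');
  }
  return `<li><b>${escapeHtml(name)}</b>: ${escapeHtml(body)}</li>`;
}

// 3. Session tokens: HttpOnly keeps the cookie out of document.cookie, so even a
//    successful script injection cannot read it; Secure and SameSite limit where
//    the browser sends it. The cookie name "sid" is an assumption.
function sessionCookie(token, maxAgeSeconds = 3600) {
  return `sid=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample: a comment whose body carries the classic XSS test string.
const sampleComment = { name: "O'Brien", body: 'Nice post! <script>alert("xss")</script>' };

console.log(renderComment(sampleComment));
// <li><b>O&#39;Brien</b>: Nice post! &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</li>
console.log(sessionCookie('constructed-token-123'));
```

Encoding belongs at the point of output into HTML; the same text placed into a JavaScript string, a URL or an attribute needs that context's encoding instead.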
And another thing end users should be careful about is when you see links on websites, especially if the links are in comment sections or in areas where other people might be able to put things in. Don't just click on those links. That could be a bad deal. That could be an injection attack where someone has injected scripting code that is going to take over your system or do other sorts of things that you don't want to have happen. So be careful on that sort of thing.
The other one deals with credentials. As I mentioned, the other big takeaway was about stolen credentials, and I talked a little bit about what some of the things that we can do about this are. It's the usual: it's multifactor authentication, which causes us to not depend so much on passwords, which are things that are not very secure to begin with, because users choose bad ones and they can in fact be shared, bought and stolen and things like that. Passkeys, as I've mentioned, are a good option here as well. Those cannot easily be bought and sold and things like that. They're going to stay on the device. They're cryptographically strong. So that's going to cause us to not be using the same kind of credentials that we've used in the past. And they are, by the way, designed to be generally phishing resistant, which is another bonus for that. And then we need to do a lot better job of training end users. Our job never stops here.
It's not just a once-a-year, here's-your-one-hour-of-security-training thing. We need to keep reinforcing these messages so that it becomes part of the DNA for every user in the system. They don't have to understand the details of what these things are, but they need to understand we don't do this kind of stuff, and we take advantage of these things when we have them. So, if you want to see more, and there's a lot more detail in this report, please go take a look at the report, download that and learn what you can to protect yourself as you move into the cloud environment.