AWS an increasingly important tool for web app attackers

amazon web services logoIt should come as no surprise that the web application layer is one of the most vulnerable and highly targeted in any IT organisation. The latest report from Imperva I’ve just covered for Infosecurity Magazine, bears that out, and adds some interesting new insights.

Did you know, for example, that public cloud platforms like Amazon Web Services are increasingly being used by cyber criminals to launch such attacks?

According to Imperva, 20% of all known vulnerability exploitation attempts aimed at its customers came from AMS servers – that’s a pretty sizeable chunk.

Director of security research at the Israeli firm, Itsik Mantin, told me part of the reason:

“The ability of the attackers to utilize cloud services to mount their attack, makes it easier for them to carry out longer campaigns, and thus they can scan for more vulnerabilities in more pages in the target application,” he said.

Another point of note from the report is the continued growth in SQL injection attacks – up 10% since the last report – and the less well known Remote File Inclusion (RFI) attacks, which have increased 24%.

So what’s to blame? Well not necessarily bad coding, according to Mantin.

“Applications have become more complicated, with more pages and more functions, relying on more third-party modules that are hard to control, and thus the size of the attack ‘domain’ grows over time,” he explained.

Mantin also pointed out that the attack incidents analysed in the report included attacks that were detected and prevented.

“Thus the numbers in the research indicate more the attacker’s intention and less the vulnerability of the applications,” he said.


It’s finally time for governments to get all cloudy eyed.

cloudI’ve just finished a piece for a client charting the progress of cloud computing projects in the public sector around the world and I’ve got to say, it makes pretty miserable reading for the UK.

Despite the launch, to great fanfare, of the G-Cloud project a couple of years ago, awareness among public servants seems pretty low still and sales not exactly setting the world alight – G-Cloud vendors brought in £217m in July, rising to just under £250m the month after.

That said, we’re a small country, and things are looking up. The technology is mature enough and use cases are starting to spring up all over the place, which will speed adoption. However, long term outsourcing contracts are still impeding the development of cloud projects, according to Nigel Beighton, international VP of technology at Rackspace – a G-Cloud vendor.

“The public sector’s move to the cloud is still in its infancy, and I applaud what Liam Maxwell and the whole G-Cloud team are trying to do. But it will take time,” he told me via email.

“Over the past few years the cloud has matured and grown, and is now able to do just about everything you need it to do. For public sector agencies that are yet to make the move to the cloud, one of the main benefits is that it offers great flexibility and that they won’t be locked into one provider. There are also many parts of the sector that are hit with large peaks in their service at certain times of the year, and they could really benefit from a pay as you go, or utility, cloud-model.”

Over in China there is no such reticence, mainly because many public sector bodies have no existing legacy contracts/infrastructure to encumber them. I remember EMC’s Greater China boss saying as much a couple of years ago in Hong Kong and it’s still true, according to Frost & Sullivan’s Danni Xu.

She said the central government threw RMB 1.5bn (£150m) at public sector cloud development in the five major Chinese cities in 2011. Then local governments – many with more money than some countries – followed suit: witness Guangzhou Sky Cloud Project, Chongqing Cloud Project, Harbin Cloud Valley Project and Xian Twin Cloud Strategic Cloud Town Project. An ecosystem similar to that which has grown up in the UK, US and elsewhere, has developed around this new investment, she told me.

“The formation of a more complete cloud ecosystem has benefited local enterprises and local government in many ways. With plenty of cloud offerings available in the market, the public sector itself has also emerged as an important spender for cloud services, among the various vertical sectors,” Xu said.

“For instance, the Ningxia municipal government works with AWS on building a large-scale data center in the region. Meanwhile, it will also leverage Amazon’s platform to deliver e-government services in the future.”

Forrester analyst Charlie Dai counselled that most public sector projects in China are still private cloud based, at least when it comes to SoEs.

“The government is also trying to strengthen the control and regulate the market,” he added.

“The China Academy of Telecommunications Research of the Ministry of Industry and Information Technology (MIIT) launched official authorisation on trusted cloud services (TRUCS) for public cloud early this year.”

Quelle Surprise.

What is obvious, in China as in the UK and elsewhere, however, is that we’re only at the beginning of a very long journey. Whether it takes 10 or 50 years, the cloud is ultimately where governments around the world will look to in order to work more productively and deliver public services more efficiently.