DDoS Protection: How to Survive a Distributed Denial of Service Attack

You’re sitting at your desk when the first notification arrives. Uptime monitoring has detected unusually long response times for the servers hosting the business’s primary web app. Soon after, your manager calls to say customer support is getting complaints—many users can’t sign in and the app is slow for those who can.  You try to open the app to see for yourself, but the browser times out. 

With increasing concern, you check the network monitoring dashboard, which shows the app struggling to cope with thousands of connections from hundreds of IP addresses in locations around the world. You are the target of a massive Distributed Denial of Service (DDoS) attack. Ten minutes later, all customer-facing services go offline.

DDoS attacks can devastate a business, and any company that depends on IT infrastructure is vulnerable. There were more than 5.4 million DDoS attacks in the first half of 2021, costing $20,000 to $40,000 per hour. The good news is that DDoS protection services can mitigate the worst consequences, but only if businesses prepare before the attack hits. 

What is a DDoS Attack?

Denial of Service attacks exploit the fact that server and network resources are limited. No service has infinite resources, and, even if that were possible, the cost would be astronomical. Bad actors exploit these limitations with attacks that consume a service’s available resources, leaving it unable to serve legitimate users.

The “Distributed” in Distributed Denial of Service indicates that the attack comes from many directions at once. Attackers also have resource limits, and it’s straightforward to block attacks coming from a single source once it’s identified. In a DDoS attack, the attacker uses thousands of hacked servers known as bots to access massive amounts of bandwidth and computational power. 

DDoS attacks are much more difficult to mitigate because the source is constantly changing. Their distributed nature  also allow attackers to access many times the bandwidth. Last November,  the biggest ever DDoS attack leveraged 10,000 hacked devices to generate 3.7 terabytes per second—a flood of data that threatens even the biggest and most well-resourced online services.  

5 DDoS Mitigation Strategies

Stopping DDoS attacks at the source is beyond the capabilities of most businesses. However, it is possible to implement DDoS protection strategies, also known as DDoS prevention or DDoS mitigation, to help your services to survive a DDoS attack.  

1. Reduce Infrastructure Exposure to DDoS Attacks

The first step is to limit your service’s attack surface area. Attackers will exploit any opportunity. For example, WordPress websites expose an XML-RPC endpoint and a REST API. These are useful, but they can be targeted in DDoS attacks. If they aren’t used, they should be disabled. The same goes for unused network services, ports, protocols, and applications on your servers. 

2. Hide Key Services from the Internet

Businesses can use several strategies to protect origin servers by placing them behind resilient front-line services that take the brunt of a DDoS attack. They include content distribution networks, load balancers, and bastion servers. 

A content distribution network (CDN) is a geographically distributed cache. A service’s assets are cached on many servers worldwide. Users access the assets from their nearest cache and not the server hosting the service. One benefit of using a CDN is that it reduces traffic to the origin server and distributes it to multiple sources that can better cope with excess traffic. 

Load balancers distribute traffic over multiple origin nodes which are not directly connected to the internet. The load balancers can be used to monitor and drop potentially malicious traffic, and the origin servers behind the load balancers can be scaled to handle increasing resource demands. 

Bastion servers perform a similar function for businesses that want to expose potentially vulnerable services without putting origin servers at risk. For example, an SSH bastion server mediates SSH access to servers hosting an application. Only the bastion server is impacted if the SSH service comes under attack. 

3. Deploy Web Application Firewalls

Web applications firewalls (WAFs) monitor web app traffic and block malicious connections. Standard firewalls operate at the network layer. They can, for example, block all incoming connections to a specific port, but blocking all HTTP requests would knock a targeted website offline.

A WAF, in contrast,  blocks malicious HTTP traffic at the application layer. They offer a more flexible approach to DDoS mitigation based on the nature and contents of individual web requests. For example, a WAF could block malicious requests targeting and overloading a log-in page. 

4. Leverage Infrastructure Redundancy and Scaling

Until other DDoS mitigation strategies are implemented, a business’s only option may be to scale resources to absorb the additional traffic. Scaling can be an expensive proposition, but if an online service is essential to your business’s operations, growing server resources and network bandwidth will ensure that users can still access it. 

It’s worth noting that not all hosting providers can scale to support large DDoS attacks. Smaller hosting providers may instead take services offline to protect their network. Larger cloud providers like AWS and Microsoft Azure can scale to absorb large attacks, but even they struggle to accommodate very high bandwidth denial of service attempts. 

5. DDoS Protection Services

Finally, your business can utilize specialist DDoS protection and DDoS mitigation services. These often function much like a CDN. The DDoS mitigation provider’s infrastructure acts as an intermediary layer between your infrastructure and the internet. Their software detects DDoS attacks and drops suspect traffic before it reaches your infrastructure. Some of the best-known DDoS mitigation services include Cloudflare, AWS Shield, Fastly, and Akamai

How KirkpatrickPrice Helps Businesses To Secure Online Services

DDoS attacks are only one of the many security threats companies face in 2022. KirkpatrickPrices helps businesses to maintain security and compliance with services that include:

Contact an information security expert today to begin your journey to more secure online services.

Testing MFA Controls: Learning from the CISA Cybersecurity Advisory

You thought you did everything right. You enabled multi-factor authentication (MFA) on all of your accounts and configured it so that all employees and customers are required to use it. You have automated checks set up to make sure MFA is still required. And yet you still experience a data breach. This is exactly what happened to the non-governmental organization (NGO) described in the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA)’s recently released joint Cybersecurity Advisory (CSA).

In May 2021, a Russian state-sponsored actor took advantage of a misconfigured account with default MFA settings. The actor was able to register a new device for MFA and access the NGO’s network by exploiting a critical Windows Print Spooler vulnerability called “PrintNightmare.” This vulnerability allowed the Russian state-sponsored actor to run arbitrary code with system privileges, ultimately permitting them to gain access to important documents within the company’s cloud and email accounts.

This incident proves why internal audits conducted by a third-party are so important. The purpose of internal audits is to provide your organization with total assurance that your information security program is actually keeping your company’s sensitive data safe. Sometimes people will hang their hat on automated audit results that provide false assurances. An automated check can say that MFA is enabled, but an experienced professional looks at it more thoroughly than that to make sure the configurations are working as they were intended to.

We’ve seen that many of our clients are vulnerable to this same type of incident. During one of our audits, the auditor realized that the company’s developers were completely bypassing the MFA/VPN requirement. The developers were connecting to the production environment using SSH with no MFA. If the auditor had stopped after only the automated tests, the results would have said that the VPN was in place and MFA was enabled. And while those would be true statements, they don’t accurately reflect the security posture of that company’s development practices. The company would still be at risk despite the results of their audit because automation doesn’t understand the context of what the employees’ processes look like. Only a real-life person can verify these processes are working (or not working) like they are intended to, so that a company can have total confidence in their security practices.

A Cybersecurity Checklist Isn’t Enough

If your organization wants total confidence that its security practices are keeping the company safe, it isn’t enough to put a checkmark by “MFA enabled.” Your organization needs to be performing comprehensive tests over the functionality of its configurations. While we believe a cybersecurity checklist will never be enough to fully provide your organization with the assurance it needs, reviewing or testing the following security best practices are a good place for your organization to start:

  • Test the MFA enrollment process
  • Test whether disabled accounts can be used to bypass MFA requirements
  • Review the VPN configuration to ensure 256-bit encryption through modern protocols like OpenVPN or IKEv2
  • Review the VPN configuration to ensure MFA is enforced
  • Identify the method of administrative access in place to segment remote systems from production (i.e., jump server (bastion host), AWS Systems Manager, etc.) is properly segmenting systems and users
  • Review protocols enabled to administrate systems and their source (i.e., SSH or RDP over VPN from jump server only…no direct access from the Internet)
  • Review cloud application or production configuration to ensure they may only be administrated from approved network devices, once authenticated over VPN
  • Allow remote desktop access only over a VPN with MFA (no direct access from the Internet)

Only an Audit with an Experienced Security Professional Can Give You the Assurance Your Organization Needs

While all of the above steps are good practices for your organization’s configuration management processes, conducting a third-party audit with a firm like KirkpatrickPrice is the best way to gain the assurance your company needs. Only an internal audit or continuous penetration testing conducted by an experienced security professional can prove that your organization has implemented the best security controls for the protection of your sensitive data and that those controls are functioning correctly. An automated tool can check that those controls are in place, but they can’t evaluate their functionality. Our experts can find exactly how your configurations are working and provide you the guidance needed to strengthen your organization’s security posture. Because at the end of the day, it isn’t enough to just have MFA enabled. You need to be sure that your MFA configurations are keeping bad actors away from your valuable data.

KirkpatrickPrice Can Give You That Assurance

Let KirkpatrickPrice give you the assurance you need through an audit or penetration test. Contact our experts today to see which services are right for you and make sure you’re secure.

How to Prevent Ransomware

Ransomware is perhaps the most disruptive and infuriating security threat facing businesses in 2022. A ransomware infection is a symptom of an information and infrastructure security failure that may hurt a business’s reputation and pose a compliance risk. Ransomware not only deprives a business of data essential to its operations; it also forces business leaders to decide whether to pay off criminals—an action that has ethical, financial, and legal implications.

Over the last few years, ransomware has become a persistent threat to businesses of all sizes. According to Sophos’s The State of Ransomware 2021, 37% of businesses were hit by ransomware over the last year. The average ransom paid was $170,000, but the total cost of ransomware attacks—taking into account the ransom, downtime, mitigation costs, and staff time—averaged $1.8 million. Most chillingly, the average victim who pays retrieves only 65% of encrypted data—most ransomware victims suffer permanent data loss even when they pay.

Ransomware is likely to become more prevalent in 2022. It remains a high-value revenue generator for cybercriminals. The Treasury Department estimates that criminals made $600 million from ransomware in the first six months of 2021 and expects the year’s total to exceed the combined ransom payments of the previous ten years. The true cost is likely much higher because businesses are motivated to hide successful attacks once they pay a ransom.

What is Ransomware?

Ransomware is malicious software that encrypts files using a key known only to the ransomware operator, who then demands a ransom in exchange for providing the key to decrypt the data. The ransom demand typically asks for payment in an untraceable cryptocurrency. If the victim pays, they usually—although not always— receive the key and can therefore retrieve the lost data.

The most commonly encountered variants in 2021 included REvil/Sodinokibi, Hades, and DoppelPaymer, although one of the most impactful attacks of the year was carried out by the Darkside cybercriminal group, whose attack against Colonial Pipeline disrupted the supply of fuel to the East Coast for a week in May and resulted in a ransom payment of 75 bitcoins, equivalent to $4.4 million at the time the ransom was paid.

What Causes Ransomware?

Ransomware depends on an existing vulnerability to infiltrate a target system. The most common methods of infiltration are phishing attacks, brute force attacks, attacks against insecure RDP services, and the exploitation of software vulnerabilities. For example, the REvil/Sodinokibi ransomware spread through brute force attacks and server exploits, among other vectors. It initially used a vulnerability in Oracle WebLogic to download the code which encrypts the victim’s files, but the method used changes over time because ransomware is constantly evolving as criminals seek to exploit new vulnerabilities.

Can Data Encrypted By Ransomware Be Recovered?

Businesses should assume that once their data is encrypted by ransomware, it cannot be retrieved. Ransomware uses sophisticated cryptographic technology that cannot be reversed without the key. In the past, security experts have managed to reverse the encryption of poorly coded ransomware, but that is unlikely to happen for modern ransomware.

In some cases, including REvil/Sodinokibi, law enforcement agencies were able to identify and infiltrate the ransomware operator’s infrastructure, allowing them to extract the master key and build decryption software. However, it’s rare that this happens on a time-frame acceptable to businesses, and the most likely outcome of a successful ransomware attack is that data is irretrievably lost until the victim pays a ransom and the attacker provides a decryption key—although there is no guarantee the data will be retrieved even if the ransom is paid.

Should Businesses Pay the Ransomware Ransom?

The temptation to pay a ransom is understandable, especially if your business is facing severe disruption because critical data is no longer available to employees or customers. Many businesses choose to pay. But, as we mentioned earlier, businesses that pay get an average of 65% of their data back. Only 8% get all of it back. Even if you do pay, it’s unlikely your business will be made whole.

Furthermore, the attackers may not delete their copy of the data. It is increasingly common for ransomware attackers to sell or otherwise disclose stolen data. In fact, some ransomware attackers don’t encrypt the data at all. They steal it and promise to delete what they stole if paid a ransom. Needless to say, criminals are not always honest.

It is not usually illegal for U.S. businesses to make ransomware payments. However, the U.S. Department of the Treasury’s Office of Foreign Assets Control issued an advisory in 2020 declaring that it is unlawful to facilitate ransom payments to attackers on the Department of Treasury sanctions list. The FBI advises businesses not to pay ransoms for the reasons we’ve discussed. It also encourages businesses to report ransomware attacks to the Internet Crime Complaints Center.

How to Prevent Ransomware: 6 Ransomware Protection Best Practices

Once the sole copy of a business’s data is encrypted by ransomware, its options are limited. Therefore, it is preferable to prevent ransomware infection in the first place and to ensure that important data is copied to a location ransomware cannot reach.

Regularly Update Software to Apply Security Patches

Many ransomware infections start with software vulnerabilities. The attacker exploits the vulnerability to gain access to a network and then uses that access to infiltrate their malware. It is not possible to guarantee a system is free from exploitable vulnerabilities, but updating software regularly ensures that known vulnerabilities are repaired.

To underline the importance of regular software patching: the EternalBlue vulnerability, which was widely exploited by the catastrophic WannaCry ransomware campaign, was fixed by a software patch months before attacks began. Victims were vulnerable because they had not updated the relevant software.

Back-Up Data to a Secure Remote Location

Ransomware is effective because it deprives businesses of the data assets they need. But that can’t happen if the data also exists in a secure offsite location the malware cannot access. Sophisticated ransomware is capable of finding and encrypting local backups on connected systems, so an effective backup must copy data to a system that is not easily reachable over the local network.

If the business has an up-to-date backup, they can simply delete the infected systems and restore or deploy cloud disaster recovery infrastructure with their apps and the backup data.

Implement Least-Privilege Access Policies

Data should be accessible only to users and services who need it. The more people who have access, the greater the likelihood credentials will be leaked or stolen. If an individual no longer needs access, revoke their permissions.

Limit permissions to those that are required. For example, if a user needs to see information but not to change it, ensure they only have read permissions and not write permissions on the database, disk, or cloud storage service that stores the data.

Follow Cloud and Physical Infrastructure Configuration Best Practices

Cloud configuration errors often lead to vulnerabilities a ransomware attacker can exploit. For example, incorrectly configured access permission on AWS S3 buckets may allow ransomware attackers to download, edit, and delete data. Ensure your business follows industry best practices for data security. If your business lacks the expertise to secure its data, hire a professional who can assess your security implementation and provide guidance.

We wrote more about cloud security best practices in 10 Top Tips For Better AWS Security Today

Carry Out Regular Security Risk Assessments

Ransomware attacks often occur because a business misunderstands risks associated with their behavior or their system’s implementation. The BlueEternal example discussed above is a useful illustration; most businesses know that updating software is a good idea, but they choose not to because they don’t apprehend the seriousness and potential cost of living with that risk.

Risk assessments help businesses to understand potential security threats, including threats that may lead to a successful ransomware attack.

Implement Security Awareness Training

Phishing attacks are one of the most widely exploited ransomware vectors. Attackers send an email to employees or managers containing a link. The link takes the target to a site that infects their system with malware or that dupes them into entering authentication credentials.

One way to combat phishing is to ensure that employees recognize the signs. To achieve that you’ll need to train every employee who might pose a risk. Security awareness training is required by several regulatory frameworks and organizations, including FINRA, HIPAA, and AICPA.

Prevent Ransomware with KirkpatrickPrice

Ransomware is a pressing security threat facing businesses in 2022. If you’d like help to identify and mitigate ransomware risks with remote security services, security awareness training, or a compliance audit, contact a KirkpatrickPrice information security specialist today.

6 Steps to Prevent Data Breaches

As we enter a new year, it’s traditional to look back at the successes and failures of the last twelve months. The information security world is no different, and as the year draws to a close, information security writers publish a flurry of articles with titles like The Top Data Breaches of 2021 and The Top 5 Scariest Data Breaches in 2021. They are sobering reading: each listicle entry represents hundreds of millions of people hurt by data breaches that expose their private details to criminals and the wider world.

However, these articles don’t mention the thousands of smaller businesses targeted by cyber-criminals. The headline-grabbing data breaches are the tip of the iceberg. While most of the corporations featured will weather the storm, smaller businesses are less able to bounce back from a catastrophic exposure of sensitive data. Over half of small companies go out of business within six months of a data breach or cyber attack.

Data breaches are avoidable, but any business can significantly reduce the risk that a data breach will hurt its employees and customers, not to mention its reputation, bank balance, and regulatory compliance.

What Causes Data Breaches?

Data breaches occur when bad actors exploit weak security and privacy controls. In a secure system, sensitive data is only accessible to authorized and authenticated users. To build a secure system, businesses should implement controls that allow access to authorized users and deny it to everyone else.

Data breaches are more likely when essential controls are missing or improperly implemented. A weak password is an example of a poorly implemented access control. If a user with administrative privileges on a sensitive system chooses a password such as “123456,” an attacker can easily guess it and gain access.

Weak credentials are among the most common causes of data leaks, but there are many more, including:

  • Stolen credentials: shared or stolen passwords and authentication keys are a leading cause of data breaches.
  • Phishing attacks: attackers use email to trick employees into disclosing credentials or installing malware.
  • Software vulnerabilities: vulnerabilities in network-connected software allow attackers to access sensitive systems.
  • Insider threats: employees or ex-employees work with criminals or steal data for their own purposes.
  • Physical attacks: people who have direct physical access to servers and networks can bypass security controls.
  • Configuration mistakes: incorrectly configuring software or hardware may give an attacker access to sensitive data. This is a common cause of data breaches from cloud platforms, as we discussed in 10 Top Tips For Better AWS Security Today.

What Happens During a Data Breach?

There are many potential techniques an attacker might use to compromise a business’s network and exfiltrate sensitive data. But, at a high level, most data breaches follow a predictable course.

  • Target identification and surveillance: The attacker probes your network and organization for weaknesses. This stage may be automated: many attackers use bots to probe thousands of networks for specific security weaknesses. However, an attacker may manually probe and investigate a high-value target.
  • Social engineering: In addition to probing networks and software, the attacker may contact employees and managers, usually misrepresenting their purpose with a spurious pretext. Their aim may be to learn more about the organization and its systems, steal authentication credentials, or influence an insider to install malware.
  • Compromise: The attacker uses the information they have gathered to gain entry to the network. For example, they may have discovered a misconfigured database, which they now access over the internet. Once the attacker has compromised one network component, they may use that access to “island hop” to more sensitive systems.
  • Exfiltration: The data is copied from the business’s network to servers under the attacker’s control.

Once the attacker has the data, they can release it to the public, sell it to third-party data brokers, use it for identity theft, or extort the businesses.

How to Prevent Data Breaches

We’ve looked at some of the most widely used techniques to compromise business networks and steal data. To prevent data breaches, businesses should focus on implementing processes and controls that render those techniques ineffective.

Regularly Update Software to Apply Security Patches

Older software often contains bugs that create security vulnerabilities. The recent Apache log4J vulnerability is a perfect example. Log4j is a logging tool for the Java programming language ecosystem. It is included in over 35,000 Java packages used by thousands of businesses.

Log4J contained a security vulnerability an attacker could exploit to execute code remotely. Remote code execution vulnerabilities are severe, and the log4J vulnerability could allow an attacker to break into systems, steal data, and upload malware.

Once the vulnerability was discovered, developers quickly fixed it. But, to get the non-vulnerable version, users have to update any software that uses log4J. Although the log4J vulnerability is particularly serious, software vulnerabilities are common, and the best way to fix them is to update all business software regularly.

Encrypt Data and Store Encryption Keys Securely

Businesses should not entirely rely on their ability to keep bad actors out of their networks. It’s always possible that an attacker will find a vulnerability or an employee will make a configuration mistake. It’s best to assume that an attacker will find their way in and implement additional layers of security to deal with that contingency.

If a business ensures that all data is encrypted, an attacker who penetrates network security cannot access the original data. However, a sophisticated attacker may discover encryption keys if they are not also stored securely. The details of secure key storage differ depending on the business’s platforms, but we discussed how to store access securely and encryption keys on Amazon Web Service in How to Keep AWS Access Keys and Other Secrets Safe.

Implement Least-Privilege Access Policies

Employees, contractors, and service providers should have the least access consistent with their role within an organization. They should be able to access only the data they need and have only essential privileges. For example, an employee who needs to download data to generate a report does not need write permissions to edit that data.

Implementing least-privilege access policies limits the risk of leaked or stolen access credentials. It also helps to reduce insider threats by limiting the data assets a malicious insider can access.

Follow Cloud and Physical Infrastructure Configuration Best Practices

Many data breaches are the result of improperly configured software and hardware. To mention just four examples:

  • AWS S3 buckets that are accidentally configured to be publicly accessible.
  • MySQL databases deployed without password authentication.
  • Improperly assigned access permissions that allow users to access information they should not be authorized to see.
  • Inadequate firewall rules or a failure to use a firewall.

Configuration errors have two leading causes. First, the business doesn’t invest the time and resources necessary to secure its infrastructure adequately. Second, the business lacks the knowledge and expertise to configure its infrastructure securely. Both scenarios introduce significant compliance and financial risks.

If a business does not have the knowledge or resources to secure its infrastructure or understand the risks, it should consider employing a third-party information security specialist to assess its security and suggest opportunities for improvement.

Carry Out Regular Security Risk Assessments

A security risk assessment can help your business identify and remediate potential vulnerabilities. A comprehensive risk assessment begins with a survey of your infrastructure before identifying risks, assessing their importance, and creating a risk management plan, which can be implemented to remove identified risks.

A third-party risk assessment by qualified information security auditors may help businesses significantly reduce the risk of a damaging data breach.

Conduct Security Awareness Training

Employees have privileged access to sensitive data, but they may not understand their part in keeping that data safe. Phishing attacks and other forms of social engineering deliberately target non-technical employees who may not understand the security implications of clicking a link in an email or sharing their password with someone who claims to be a manager or executive.

Security awareness training helps employees understand the threats their business faces and what they can do to limit exposure. It can be tailored to the company’s specific needs and relevant security frameworks, including HIPAA and PCI.

Prevent Data Breaches with KirkpatrickPrice

As a licensed CPA firm, KirkpatrickPrice specializes in information security audits and security assessments that can help protect your organization from being vulnerable to data breaches. Contact an information security specialist to learn more about our risk assessment services, security awareness training, and compliance audit services.

How to Build Secure IT Infrastructure for Your Business

The global information technology industry is worth around $5 trillion. To put that in perspective, the global oil and gas market is worth $5.8 trillion. IT is an enormous industry because every business depends on IT infrastructure. That makes infrastructure security a priority for organizations, from sole proprietorships to multinational corporations and governments.

As a business owner or executive, you are responsible for creating and managing a secure infrastructure platform. But how can you build secure IT infrastructure when your business lacks infrastructure security expertise and experience?

Every business is unique, and there is no one-size-fits-all security solution. However, we can explore five strategies that help companies protect their data while complying with security and privacy regulations.

Why IT Infrastructure Security Is Important

We all understand why IT infrastructure security matters. Leaked private data may have catastrophic legal and financial consequences. Ransomware infections force businesses to choose between losing a valuable asset and handing money to criminals. Cybercrime can take down critical systems, disrupting business operations and damaging reputations.

But few are aware of cybercrime’s true scale, prevalence, and cost.

  • The average cost of a data breach in the U.S. is $8.64 million.
  • The global cost of cybercrime is an estimated $6 trillion and is expected to grow to $10 trillion by 2025.
  • There were 304 million ransomware attacks in 2020, double the previous year.
  • The average ransomware payout grew from less than $10,000 in 2018 to more than $233,000 by the end of 2020.
  • In 2020, 300 million people were impacted by data breaches.

Cybercrime is a risk every business faces. Asking whether criminals will attack your IT infrastructure is the wrong question. Your infrastructure will be attacked; it’s just a matter of time. The real question is what you can do to make sure that the attackers fail.

5 Steps to Outstanding IT Infrastructure Security

The specifics of IT infrastructure security depend on your business’s infrastructure needs and regulatory environment. An SME storing customer relationship management records in the cloud has different security and privacy requirements from a healthcare provider storing private healthcare information or a payment processor who must comply with PCI DSS.

However, the following high-level guidelines will help any business to build a more secure IT infrastructure.

Build on Secure Cloud Platforms

Cloud platforms are a more secure option than colocated or managed servers hosted in a data center. The self-managed non-cloud option may be suitable for companies with infrastructure security expertise and resources. But for the average business, cloud platforms offer a superior balance of control, cost,  and security.

Businesses hosting code on infrastructure they own and operate are entirely responsible for securing that infrastructure. That includes the servers, their operating systems and library code, services such as databases and web servers, application code, networks, and more.

In contrast, the cloud vendor takes care of the low-level security details on a cloud platform, including physical security. That doesn’t mean cloud platforms are intrinsically secure. They are not, but they help businesses with limited security resources to achieve better security outcomes than they otherwise could. They provide a solid foundation on which companies can build secure infrastructure.

Building in the cloud doesn’t absolve businesses of security obligations. Cloud security is a shared responsibility. Companies that don’t follow cloud security best practices put their data at risk, which brings us to our next infrastructure security strategy.

Create and Enforce IT Security Policies

IT infrastructure security starts at the top of the org chart. As KirkpatrickPrice Information Security Auditor Shannon Lane points out, “When building a foundation for a culture of compliance, you must start from the top.” The leadership team and senior executives must craft policies and implement organizational structures that support infrastructure security and compliance.

We explored this concept in more detail in How to Design Effective Security Compliance Programs. In essence, businesses who want to improve IT infrastructure security should:

  • Create policies that set minimum security standards for IT infrastructure.
  • Make executives, managers, and team members responsible for implementing those policies.
  • Monitor and audit infrastructure security to ensure that policies are complied with.


The last of these points is particularly important. Without a feedback structure, an organization’s leadership is likely unaware of how security policies are implemented or if they are implemented at all.

Employ Cloud Security Experts to Verify Your Cloud Configurations

As we mentioned in this article’s introduction, cloud platforms like AWS and Microsoft Azure operate a shared responsibility model for security. They provide secure foundations but don’t prevent misconfigurations that may lead to security vulnerabilities.

For example, businesses can store sensitive data securely in AWS S3 buckets if access permissions are correctly configured. However, S3 users often accidentally expose sensitive data with permissive access permissions. We explored several AWS security vulnerabilities caused by human error in Do These 8 Vulnerabilities Affect Your Infrastructure’s AWS Security?

We recommend hiring a third-party cloud expert to verify your cloud configurations. A Remote Cloud Security Assessment reviews AWS, Azure, and Google Cloud configurations to identify potential vulnerabilities and provide actionable guidance to help businesses mitigate cloud infrastructure security risks.

Invest in Security Awareness Training for Employees

A lack of security awareness is often the root cause of cloud security vulnerabilities and data breaches. Managers and employees make mistakes when they are not aware of the risks and how to deploy and configure cloud infrastructure securely.

Security firm Kaspersky Lab recently revealed that most cloud security breaches are a consequence of social engineering, not technology failures. Bad actors use phishing attacks, executive impersonation techniques, and other forms of social engineering to gain access. These attacks target senior executives (whaling) and other employees with access to sensitive data.

Correct cloud security configurations and access controls are of limited help. Bad actors manipulate insiders with legitimate access to bypass security controls. Security awareness training helps employees to understand security risks and comply with security and privacy best practices.

Conduct Regular Cloud Security Audits

A cloud security audit is a comprehensive review of a business’s cloud security controls. Cloud security auditors analyze and report on controls for data, operating systems, networks, and access controls, among other relevant factors. An audit helps businesses to verify that their cloud security policies, configurations, and training are effective.

Audits have two primary benefits:

  • An independent expert verifies cloud infrastructure security and highlights failings that may expose businesses to security and compliance risks.
  • The business can demonstrate to customers and clients that it takes security seriously and complies with recognized industry standards.

Cloud security audits are based on the CIS benchmarks for AWS, Azure, and GCP. Businesses required to comply with other information security frameworks such as PCI DSS, HIPAA, and SOC 2 benefit from audits tailored to those frameworks.

KirkpatrickPrice is a licensed CPA firm that specializes in information security audits for regulatory frameworks and industry standards that include:

To learn more about AWS security, visit our AWS Cybersecurity Services, which offers an extensive library of actionable cloud security guidance.