A third type of cloud-related insider is one who uses cloud services to carry out an attack on his own employer. This type of insider is similar to the previous type who targets systems or data in the cloud. In contrast, the third type of insider uses the cloud as a tool to carry out an attack on systems or data targeted, which are not necessarily associated with cloud-based systems.
Though more uncommon than the previous two examples, this type of attack could present itself in the following scenarios:
- A disgruntled insider uses several relatively cheap, easily configured cloud systems to launch a distributed denial of service attack on his organization, hindering incident investigation and limiting forensic analysis.
- An insider planning to leave the company leverages cloud storage to consolidate and exfiltrate sensitive information to take to a new job with a competitor.
There are very few empirical cases of the first example. However, CERT has cataloged many cases of the second—insiders using cloud-based services to steal information. These attacks are usually instances of theft of intellectual property.
Often the attacks use web-based email (e.g., Gmail, Hotmail) or file-sharing services (e.g., DropBox), which may circumvent controls in place to filter and/or monitor corporate email attachments. More information on this type of crime is presented in the 2011 article A Preliminary Model of Insider Theft of Intellectual Property.
Coming up next: We’ll discuss ways of securing against cloud-related insider threats.