Cloud Threat Landscape: XSS Dominates
Key Points
- The cloud computing market is projected to reach $600 billion in 2024, driving massive migration of on‑premises data to the cloud and thereby expanding the overall attack surface.
- IBM X‑Force’s annual cloud‑threat landscape report draws on four main data sources: global threat‑intelligence feeds, penetration‑testing findings, incident‑response engagements, and monitoring of dark‑web activity.
- Cross‑site scripting (XSS) remains the leading newly discovered vulnerability, accounting for 27 % of reported CVEs, despite being a decades‑old issue.
- XSS attacks allow malicious code injected into web pages (e.g., via comment links) to hijack user sessions, redirect victims to malicious sites, alter page content, or deliver malware, underscoring the need for continued remediation and secure coding practices.
Source: https://www.youtube.com/watch?v=VK0GyUSDwQY
Duration: 00:11:21
Sections
- 00:00:00 (https://www.youtube.com/watch?v=VK0GyUSDwQY&t=0s) IBM X-Force Cloud Threat Analysis: the segment outlines how IBM's X‑Force team evaluates the expanding cloud attack surface, using threat intelligence, penetration testing, incident response data, and dark‑web monitoring, to produce its fifth‑annual cloud security report.
Full Transcript
The cloud computing industry is expected to hit $600 billion in 2024. That's a lot, and what that means is a lot of your data that currently is in-house or on-prem is going to be moving to the cloud, and what that means is an expanded attack surface. So that's why we're taking a look, specifically IBM's X-Force research group, at what is the cloud threat landscape.

What are some of the things that we're using to determine that? Well, this is our fifth year of doing this report, so we've got a lot of experience with this, and some of the areas that we're using to draw our conclusions are threat intelligence reports. We have a lot of access to information about what's going on on the global internet, and we use that information in this report. Some other things: IBM's X-Force team is called in to do penetration tests, so we learn things from those penetration tests, where are particular weaknesses. We also do incident response planning and the emergency response services that go along with that, when the companies call up and say, "Hey, our hair is on fire, where's the fire extinguisher?" So we try to help figure out those kinds of things, and those incidents also inform this. And then also we look at a thing called the dark web, which is essentially a part of the web that most people never see, and it's an area where a lot of hackers hang out and they discuss things, and we like to sit in and listen on what they're discussing.

Okay, let's take a look at what some of the key takeaways and recommendations were from that report. Well, number one on the list is actually not a new one. It's been around for a good long time, but it came in at 27% of the newly discovered common vulnerabilities and exposures, and it's something called cross-site scripting. Cross-site scripting, like I said, is not new; it's been around for a couple of decades, but it's still hurting us. How does that work? Well, here's the version: if you've got a website and a bad guy is able to insert, let's say in the comments section, he's able to put in a link, and that link contains some additional code, maybe some JavaScript. That's the insertion that's happening here, and he's putting that into the website. Another guy comes along and reads that and clicks on the link. Once he clicks on the link, now this content is running on him. It wasn't content supplied by the website; it was content supplied by the bad guy. And what can that do? Well, a number of bad things. For instance, one of the things it can do is hijack his session by allowing the bad guy to take his session tokens and then control the session from that point forward. Another thing that can happen is he can be redirected off to some other sketchy website and not realize that in fact he's even left this one. It could do a lot of other things, like making this site even look different to him than what it should be. It could implant malware on his system. A lot of different things could happen, really bad stuff, and we're seeing this continue. There are a lot of things that we can do, and I'll talk about at the end of the video, that will help prevent that.

All right, our number two takeaway from the report also was the second most impactful in terms of it being seen in terms of vulnerabilities, and that is stolen credentials, compromised credentials. Basically, think passwords. And it turns out this was 20% of the incidents that we found, so that's a lot. And what we saw in particular that was concerning in this trend is, when our X-Force researchers looked on the dark web, which is sort of considered a marketplace where a lot of bad guys are hanging out and they are buying and selling credentials and all sorts of things like that, we observed that the cost of credentials, the average cost of these, went down 133% in the last two years. Well, that means if it's cheaper to buy passwords, then it's going to be easier for the bad guys to buy more of them. It's going to be easier for them to log in than it is to hack in, and that is in fact what we've seen. Now, another way to look at this is, as the cost of those credentials goes down, if we move over here to this side, then the threat level in fact is going up. So that's what we've seen so far. What we want to see, though, is a turn in this. Maybe I can't go make the cost of these credentials more expensive, but what I could do is do the opposite: make them worthless, drive them to zero. Then in fact I could make the threat go down if these were in fact worthless. How could I do that? Well, one way that I could drive it in that direction is multi-factor authentication. That means a password alone will not get you into this system, so therefore having a password is not really as valuable as it used to be, so that's going to cause the value of passwords to go down. Another thing that would really help here is the use of passkeys, and I've got a video, two videos, where I talk about these. These passkeys basically eliminate passwords and therefore make their value absolutely zero, so people that want to buy and sell these things would be selling useless commodities. That is a potential way for us to go to counteract this particular threat.

So let's dissect that last one that I just talked about. I said it's stolen credentials that are creating a lot of problems for us. How are people actually stealing those credentials? What are the main ways that they're doing it? Well, it turns out there are two main classes of attacks that are accounting for a large number of these: phishing and business email compromise. Let's talk a little about what those are. In fact, phishing accounted for 33% of the incidents where we were dealing with this, and business email compromise 39%. Now, hopefully you're familiar with this; you may not be as familiar with this. So let's talk a little bit about what the differences in these are. In a phishing attack, generally speaking, we're trying to target a whole lot of people, so it's not just a single person, although there are spear phishing attacks where we try to target a narrow subset of people, but it's still usually not just going after one person. However, in the case of business email compromise, these tend to be going after just one person, and in most cases it's someone in the C-suite, someone who's like a CEO, a CIO, a CFO, someone who's really in a position where if I were able to get their account I'd be able to do a lot of damage. And it's a case where I send them an email that's very highly tailored to their specific information, so it becomes very, very believable. So that's one of the big differences between these two. In both of these there's an element of deception, obviously. With phishing we're dealing with fake, typically fake websites, where I send you a link and then you're going to go to a site that looks like what the real one is but isn't, and then I'm going to collect your credentials when you try to log in. That's one way to do it. Or I send you an attachment of some sort, and then you open the attachment, maybe it puts malware on your system, and then from that, the next time you go to log in, with a keystroke logger I'm able to get your information. That's called an infostealer, so I can get whatever it is you type in. In these situations I'm dealing more with impersonation. Impersonation attacks now are going to do something where I'm going to say, let's say I am the CFO and I'm sending an email to the CEO, so the Chief Financial Officer sending an email to the CEO, or one of the first lieutenants, one of the people that works for the CEO, and I'm saying, "Hey, this is me, your trusted employee here, I need the following information, I need you to log in and approve this particular thing," something along those lines. So it's a very specific targeted impersonation attack. In both of these cases there's an element of social engineering, so that's what we have to look at. This is how the bad guys are getting in.

Now you've seen what the problems are. What can we do about it? What are the recommendations? Well, the first relates to cross-site scripting, and the first couple of things I'm going to refer to are really for website developers, and that is looking at something that nobody likes to do, and it's the hard work of validating all the inputs. That is, I've got to look at everything that comes into an input field and make sure that it doesn't, for instance, include a script, because that's where people should be, say, typing in comments, typing in their name, their email address. I don't expect executable code there, but if I don't check explicitly for it, then someone could put that in and then someone else comes along later and it does damage. Another thing I want to do is encode outputs, and this one is more for web developers to understand what the HTML encodings are for special characters. I'm going to go over these things in more detail in another video on cross-site scripting, so look for that, but these are things that developers can do. And another thing end users should be careful about is when you see links on websites, especially if the links are in comment sections or in areas where other people might be able to put things in, don't just click on those links. That could be a bad deal; that could be an injection attack where someone has injected scripting code that is going to take over your system or do other sorts of things that you don't want to have happen. So be careful on that sort of thing.

The other one deals with credentials. As I mentioned, the other big takeaway was about stolen credentials, and I talked a little bit about some of the things that we can do about this. It's the usual: it's multi-factor authentication, which causes us to not depend so much on passwords, which are things that are not very secure to begin with, because users choose bad ones and they can in fact be shared, bought, and stolen, and things like that. Passkeys, as I've mentioned, are a good option here as well. Those cannot easily be bought and sold and things like that; they're going to stay on the device; they're cryptographically strong. So that's going to cause us to not be using the same kind of credentials that we've used in the past, and they are, by the way, designed generally phishing resistant, which is another bonus for that. And then we need to do a lot better job of training end users. Our job never stops here. It's not just a once-a-year "here's your one hour of security training." We need to keep reinforcing these messages so that it becomes part of the DNA for every user in the system. They don't have to understand the details of what these things are, but they need to understand we don't do this kind of stuff, and we take advantage of these things when we have them. So if you want to see more, and there's a lot more detail in this report, please go take a look at the report, download that, and learn what you can to protect yourself as you move into the cloud environment.
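The two developer-side controls the speaker recommends against the comment-section XSS he describes, validating inputs and HTML-encoding outputs, as an added example that is not code from the video or the X-Force report; the function names, the comment record shape and the sample comments are constructed for illustration.

```javascript
// Added example, not code from the IBM X-Force video or report: the two
// developer-side XSS controls the speaker recommends, applied to a comment
// section. Function names and sample data are constructed for illustration.

// Output encoding: HTML-encode the characters that can break out of text or
// attribute context, so user-supplied markup is displayed, never interpreted.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Input validation for the link field: accept only absolute http(s) URLs and
// reject anything else (unparseable strings, script schemes, data: URLs).
function safeHref(raw) {
  let url;
  try { url = new URL(String(raw)); } catch { return null; }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// Vulnerable rendering: untrusted fields are concatenated straight into HTML,
// so a comment carrying a script or a script-scheme link runs in the viewer's browser.
function renderCommentUnsafe(c) {
  return `<li><a href="${c.link}">${c.author}</a>: ${c.text}</li>`;
}

// Hardened rendering: each untrusted value is validated or encoded for the
// context it lands in; a rejected link degrades to a plain author name.
function renderComment(c) {
  const href = safeHref(c.link);
  const author = escapeHtml(c.author);
  const name = href ? `<a href="${escapeHtml(href)}">${author}</a>` : author;
  return `<li>${name}: ${escapeHtml(c.text)}</li>`;
}

// Constructed sample comments: one benign, one with markup in the text field,
// one whose link uses a script scheme instead of http(s).
const SAMPLE_COMMENTS = [
  { author: "Ann", link: "https://example.com/", text: "Great report!" },
  { author: "Bob", link: "https://example.com/", text: "<script>/* constructed */</script> hi" },
  { author: "Eve", link: "javascript:void(0)", text: "click my name" },
];

// Render a whole comment list; defaults to the hardened renderer.
function renderAll(comments, render = renderComment) {
  return comments.map(render).join("\n");
}

console.log(renderAll(SAMPLE_COMMENTS));
```

Encoding happens at render time for the context the value lands in, so the same stored comment is safe whether it is shown in a list, an attribute, or an email digest; validating the link on input additionally keeps non-http(s) schemes out of the store.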