The Poodle continues to affect Microsoft cloud: Greyhound Research

A new study by Greyhound Research shows that Poodle attack, which claimed its first victim in October 2014, has managed to cross the cloud barrier, and has penetrated cloud security SSL VPNs. The latest to fall victim to Poodle is the Microsoft cloud. “Post the hue and cry since the launch of poodle attack, Greyhound Research had run a quick Poodle Attack Vulnerability check (on  www.ssllabs.com). We found out Microsoft Office 365 continues to rate weak on SSL3.0 Security Vulnerability.  We ran the Qualys test and found that the vulnerability still affects the Office 365,” Greyhound said. To give some context, the POODLE Attack is a vulnerability that takes advantage of web browser encryptions. It gives attackers the access to the web traffic between a user’s browsers and a HTTP Secure website, which can cause serious repercussions such as decrypting sensitive user information like authentication cookies. According to Greyhound Research, Microsoft Office 365 continues to rate weak on SSL3.0 Security Vulnerability. In October 2014, Microsoft issued an advice on a Secure Sockets Layer (SSL) 3.0 security flaw that was discovered in their Azure and Office 365 exchange servers. Microsoft stated that SSL 3.0 is an aged protocol and now replaced by Transport Layer Security (TLS) protocol, which is devoid of the POODLE flaw, as also validated by US-CERT. However, we ran the Qualys test for few mail servers, only to find that the vulnerability still affects the Office 365, the research firm added. The tests for Office 365 as compared to Google Mail are below. [caption id=“attachment_2126133” align=“alignnone” width=“380”]  Pic Courtesy: Greyhound[/caption] [caption id=“attachment_2126137” align=“alignnone” width=“380”]  Pic Courtesy: Greyhound[/caption] Can such vulnerabilities be better managed? 6 of 10 IT Decision makers Greyhound engage with stated their concern of being vulnerable to cyber-attacks. This number is higher (8 of 10) for Small and Medium Businesses (SMBs) – they often do not have proper security measures in place hence make for easier prey. With players like Google (Apps for Work), Microsoft (Office 365) and IBM (Verse) increasingly catering to organisations with cloud-based productivity suite, this space is only expected to get more complex. Greyhound Research believes that IT Decision makers cannot have an escapist attitude to security while evaluating such cloud-based offerings and need to check for such vulnerabilities to ensure safety for its data (and brand). Basis our on-going conversations with leading decision makers in emerging markets, Greyhound has compiled a list of critical questions that every IT decision maker must address when implementing a cloud security strategy for their organisation. – Are my peers in other organisations adopting, planning or exploring Cloud delivered services? – Is my on-premise infrastructure more secure than cloud? – How different is Cloud security to the previous on-premise and hosted scenarios? – Is Private cloud more secure than Public cloud? – How should I assess my cloud provider? – How can I better manage data privacy for cloud delivered workloads? – What industry certifications should I look out for? – What are the key compliance requirements I need to adhere when using cloud for my org? – Are there any industry bodies certifying cloud providers? – Do I need to re-skill my team to better manage cloud providers and security? – My peers tell me Cloud is both a legal and contractual nightmare. How true is this? Standpoint Greyhound Research believes it’s important for IT leaders to not rubbish cloud services only based on perceptions and spend time understanding security measures implemented by cloud providers. Cloud offers multiple benefits through automation (higher efficiency) and shared resources (economies of scale) and cloud providers like Google, Salesforce.com and others are investing heavily in people and assets to better manage security. However, in instances like Microsoft Office 365, Cloud-based delivery only stands to increase security related concerns for an organisation.