Mindset Necessary to Move to a More Secure Cloud

A recent study found that over 60% of companies consider a move to the cloud a board-level strategic decision. In the same study, over 30% of companies found IT, including security, to be an obstacle in the transition. When it comes to moving to the cloud, we as security experts can take the approach of a leader, an inhibitor or an observer. Specifically, we can lead the effort for a secure cloud strategy, react to and find fault in all the decisions of others, or just get left out of the conversation.

It is easy to look at the cloud as just another item on the list of threats and risks that we have to address. However, moving to the cloud may be a chance to address the important issue: how we protect our data. With the basic responsibilities of managing a system transferred to the cloud service provider, we have more time and resources to focus on the design and acquisition of the controls needed to better protect our information.

Many recommendations across the internet say to not keep your information on the cloud. Fair enough, but it's the same as if you asked, "How not to get my house burned down?" and the answer would be, "Do not have a house." The logic is solid, but a better way to translate such advice is, "avoid storing sensitive information on the cloud." So if you have a choice, your cloud strategy can include keeping your non-crucial information in the virtual world, and critical, sensitive and PII data in designated hosting environments.

Plex Hacker Demands Bitcoin Ransom Or Server Data Will Be Released

No credit card data was leaked and the rest was hashed and salted.

At approximately 1pm PDT on July 1st, video streaming service Plex learned that servers hosting their forums and blogs were compromised. Information including IP addresses, forum private messages, email addresses, and encrypted (hashed and salted) passwords for forum users was exposed. As a precaution, Plex reset user passwords and sent further instructions to users via email.

The hackers asked for 9.5 bitcoins, which is equivalent to about $2,400, but wrote that the ransom would increase to 14.5 bitcoins, which is equivalent to $3,700, if it wasn’t paid in a timely manner. The hackers claimed that the stolen information would be released to the public via torrent networks if the ransom was not paid.

Companies often ignore such extortion attempts, since paying creates incentives for other hackers to try the same thing. Plex said the passwords were salted, which is a security measure that makes it more difficult for hackers to convert the passwords to plain text. Plex said in a security update provided to users on its website on July 6:

After thorough investigation by a team of forensic specialists, we’ve identified the source of the compromise to the forums server. As we had suspected, the attackers gained entry via exploiting bugs in the forums software, some of which may not be well understood or publicly disclosed, or have patches readily available. The investigation did not turn up any other compromised systems...We’re committed to bringing back the forums as soon as humanly possible.