Cavirin Blog

Control Your Cloud

Petya'd?  Cavirin to the Rescue!

On the back of WannaCry, the latest ransomware of the week is GoldenEye, a variant of Petya.  First reported a few days back, it has already caused havoc within some very large organizations.  Maersk, for example, was impacted, and one of our engineers from Bangalore reported that 10 million containers at the port of Mumbai don't know where to go.  No, Docker isn't going to come to the rescue.  And you think an airline reservation system shutdown is bad!  What is disturbing to me is that four of the companies hit - Maersk, Me-Doc, Merck, and Mondelez - all start with 'M', and that it is mostly targeted against critical industries.  Today's ransomware attack is sponsored by the letter M.  Someone refining their attack vectors?

Just to be totally accurate, the Petya variant encrypts, but doesn't have a provision for decryption, so it is more of a 'wiper' than ransomware.  It is also most probably an actual nation-state cyberattack against Ukraine, only pretending to be ransomware, as concluded by Comte's Matthieu Suiche.  So, what could have been done to protect against it?  

First, note that it is limited to Windows. Microsoft has released patches for the basic vulnerabilities, but that doesn't imply that they've been universally applied.  However, Petya also spreads via Office documents, opening up another vector of attack.  In addition, there is no kill-switch that can be used to stop the attack.

A number of security vendors have listed the specific actions that should be taken by any organization:

1.  Apply the Microsoft patch MS17-010.  This dates from March 14, as noted earlier, over 90 days ago.  Our Patches and Vulnerabilities pack would have caught this.

2.  Disable TCP port 445.  Our Network Security Policies pack closes this.

3.  Restrict administrator group level access.   Our CIS Benchmarks assess and remediate across any OS in any environment, on-premise, cloud, or container.

Ultimately, we provide continuous workload protection, whether your company begins with the letter 'A' or the letter 'Z'. 

Control Your Cloud

A few days back, a security researcher came upon what is potentially one of the largest exposures to-date of Personally Identifiable Information (PII), but one that was so easy to prevent using the tools available.  Deep Root, a data analytics firm, had posted almost 200 million voter records to their AWS S3 database. This is the distributed offering leveraged by the majority of businesses and SaaS offerings that use AWS.  Note that this is also the same S3 that experienced a wide-ranging failure earlier in the year.  In this case, Deep Root set permissions on their database that would expose it unencrypted and with no password required to the outside world.  Just think what would have happened under GDPR if this occurred in 2018 within the European Union.

Though just over 1 TB was exposed, out of a total of 25 TB, this was enough to make visible the name, date of birth, home address, phone number, and registration details of almost every registered voter in the US.    We only wonder what the other 24 TB contained.  A case can be made that all of this data was publically available, state-by-state in advance.  True, but when aggregated and analyzed it becomes more valuable, more sensitive.  And this type of data aggregation will only increase in the future.  So how do we maintain cloud security and protect against what was clearly the ‘human element’ in this case, non-malicious but nevertheless devastating? 

The major cloud service providers, AWS included, have published in conjunction with the CIS a set of best-practices, benchmarks that should be adhered to by every organization using their IaaS, PaaS, or SaaS platforms.  These documents align to what we term the ‘shared responsibility model’, where the provider and the customer each have their own responsibilities. In this case, the breach was totally in the domain of the customer.  

Specific areas of guidance within the benchmarks include, and there are others, encryption and separation of duties.  The AWS CIS security benchmark have a check that the S3 buckets have encryption enabled by policy.  A continuous security tool like Cavirin would have caught that both at-rest and in-transit encryption policies were missing.  Here, even if the data was released to the Internet, it would be unreadable.

On the separation of duties front, AWS provides a means of achieving this by creating roles and groups to put users into, and assigning different levels of permissions on an ‘as needed’ basis.  These feed into Identity & Access Management security policy tests, also coded within the benchmarks.  This reduces the complexity of access management, and also minimizes the accidental chances of users receiving and retaining excessive privileges.  In the case of Deep Root, the policies would have at least flagged a potential violation by creating checks and balances.

Though we can’t stop all breaches from occurring, the automation enabled by the Cavirin platform can reduce their frequency, their impact, and act as a backstop to organizations operating at ‘cloud speed’ but lacking the resources to ensure that they are always protecting the integrity of the data they handle.

Control Your Cloud

This is the sixth blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

The third blog, 'Agility in Security', is available here

The fourth blog, 'Work Everywhere with Hybrid Solutions', is available here

The fifth blog, 'Security as you Go', is available here

-------------------

You have often heard about companies budgeting for compliance certifications. Each year, businesses budget for audits and achieving vertical specific compliance certification and authority to operate. These budgets are non-trivial and usually are spent in short-periods of time rather than throughout the year.

There is a confusion over agility and reality.


Businesses demand a rapid pace (agility) but at the same time must deal with compliance (reality).


A typical scenario is that during audits, the budgets are spent in a hurry to ensure that security controls are in place and not to miss the compliance certificate. This approach is potentially flawed. Compliance should be treated as a by-product of security. Good security measures and spending ensure that you have the necessary controls in place and those controls are functioning as intended. Such security measures help you get compliance certificates. Additionally, it ensures a uniform security posture throughout the year and not spikes at audit times to avoid fines and problems.

Your hybrid cloud strategy demands that you pay attention not only to on-premise workloads but also to your extended or shadowed datacenters.


You quickly tend to acquire cloud-specific tools (agility) and then invest in staff to maintain two set of tools (reality).


The applications and tools that you use for on-premise workloads may not deal with the realities of cloud. The flux and dynamicity of the cloud demands tools that can match the realities of hybrid workloads. Today your compute/storage/networking resources are fragmented between cloud and on-premise. This is your new reality. Your legacy as well as modern applications have security requirements and it is pointless to maintain footprint specific tools anymore. You benefit from streamlining your tools that work seamlessly on both the footprints.

You have convinced the management to transform your security tools and processes to match cloud and on-premise needs and you are ready to evaluate your options.

Last week, Mary Meeker and her team at Kleiner Perkins published their yearly internet opus.  For those keeping track, it is now at 355 slides!  Though much of it focuses on the continuing evolution of commerce, media and gaming, as well as China and India, there are some excellent nuggets on the cloud security.  Her analysis plays well into Cavirin’s strategy and product direction.

We live in an increasingly multi-cloud world.  Amazon with AWS got off to an early start, but Microsoft’s Azure, by virtue of its strong enterprise footprint, is gaining ground quickly.  Whereas companies leveraging AWS remained constant at 57% between 2016 and 2017, Azure use grew from 20% to 34%.   And not to be dismissed is the Google Cloud Platform (GCP), growing from 10% to 15% and benefitting from strong enterprise focus as evidenced at this year’s Google Next conference. Beyond this baseline, AWS will experience even greater competition in the future, as only 27% of organizations who don’t currently use AWS are experimenting with or planning to use the platform in the future.   This grows to 33% for Azure and 30% for GCP.   Cavirin natively supports the three major cloud service providers (CSPs), and delivers consistent analysis between these and any on-premise deployments.

 

Control Your Cloud

This is the fifth blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

The third blog, 'Agility in Security', is available here

The fourth blog, 'Work Everywhere with Hybrid Solutions', is available here

-------------------

Extrapolating the cloud mindset, security as you go sounds promising. You could start small, sampling a fraction of your workloads, and then scale to accommodate everything that matters to you. The cloud gives you the flexibility to expand your resources as you need them. Your security tools should follow the same trait.

Automatically scaling your security tools help you to maintain their availability and allows you to scale your security tools as you need them without incurring significant costs. Let us understand this with an example. Security tools typically begin with a set of pre-requisite hardware configuration spec. This hardware specification is usually defined by the vendor at an optimum support level. But, you may not need it all the time. There are certain spikes (CPU, Memory or Network) at some stage of the security workflow in your tool. For example, if you are running an anti-virus tool, the resource requirements are high during a full system scan and low when you are just scanning for deltas. This did not “cost” you money if you kept running your anti-virus appliance in your own data center at the same resource allotment levels. But, in the cloud, if you choose a “bigger” instance size, you pay more whether you use it or not.

Control Your Cloud

As a follow-up to our blog on how Cavirin can help combat WannaCry and other ransomware, this blog provides additional detail on our Network Policy Pack.

As a customer, you have seen several use cases that Cavirin helps you address in your hybrid cloud environment. This ranges from several CIS benchmarks to regulatory requirement such as PCI.

Today, we are pleased to announce the availability of Network Security Policies specifically designed for your AWS environment. These network policies are around the best practice that:


“Ensure no security group allows ingress from 0.0.0.0 or from the world on any port”


This policy pack contains all IANA registered ports and protocols.

Basically, you can use this policy pack to address below security requirements:

  1. Ensure that SSH connections are not open to the world
  2. Ensure that DB ports are not open to the world
  3. Ensure that any other random critical ports are not open to the world

Stopping port scans / blocking access are very important for upkeep of your infrastructure. If you have ports opened for world access, any known vulnerabilities in particular services could potentially be exploited to gain control. Additionally, removing unfettered connectivity to remote console services, such as RDP/SSH, reduces a server's exposure to risk and further reduces the overall attack surface area.

Scanning your security groups is pretty straight forward in Cavirin’s platform. Just select the region(s) that you want to scan and it automatically sweeps through your entire list of security groups.

Currently, by default, the policy pack contains *6221 ports*. These are the ports which are currently allocated by IANA. The only exceptions are port 80 and port 443 to allow web server traffic.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.

 

Address

5201 Great America Pkwy Suite 419  Santa Clara, CA 95054

- 1-408-200-3544

  sales@cavirin.com

  press@cavirin.com

  info@cavirin.com

Cavirin US Location