Cavirin Blog

Control Your Cloud

Petya'd?  Cavirin to the Rescue!

On the back of WannaCry, the latest ransomware of the week is GoldenEye, a variant of Petya.  First reported a few days back, it has already caused havoc within some very large organizations.  Maersk, for example, was impacted, and one of our engineers from Bangalore reported that 10 million containers at the port of Mumbai don't know where to go.  No, Docker isn't going to come to the rescue.  And you think an airline reservation system shutdown is bad!  What is disturbing to me is that four of the companies hit - Maersk, Me-Doc, Merck, and Mondelez - all start with 'M', and that it is mostly targeted against critical industries.  Today's ransomware attack is sponsored by the letter M.  Someone refining their attack vectors?

Just to be totally accurate, the Petya variant encrypts, but doesn't have a provision for decryption, so it is more of a 'wiper' than ransomware.  It is also most probably an actual nation-state cyberattack against Ukraine, only pretending to be ransomware, as concluded by Comae's Matthieu Suiche.  So, what could have been done to protect against it?

First, note that it is limited to Windows. Microsoft has released patches for the basic vulnerabilities, but that doesn't imply that they've been universally applied.  However, Petya also spreads via Office documents, opening up another vector of attack.  In addition, there is no kill-switch that can be used to stop the attack.

A number of security vendors have listed the specific actions that should be taken by any organization:

1.  Apply the Microsoft patch MS17-010.  This dates from March 14, as noted earlier, over 90 days ago.  Our Patches and Vulnerabilities pack would have caught this.

2.  Disable TCP port 445.  Our Network Security Policies pack closes this.

3.  Restrict administrator group level access.  Our CIS Benchmarks assess and remediate across any OS in any environment, on-premise, cloud, or container.

Ultimately, we provide continuous workload protection, whether your company begins with the letter 'A' or the letter 'Z'.


A few days back, a security researcher came upon what is potentially one of the largest exposures to date of Personally Identifiable Information (PII), but one that was so easy to prevent using the tools available.  Deep Root, a data analytics firm, had posted almost 200 million voter records to an AWS S3 bucket.  S3 is the distributed storage offering leveraged by the majority of businesses and SaaS offerings that use AWS.  Note that this is also the same S3 that experienced a wide-ranging failure earlier in the year.  In this case, Deep Root set permissions on the bucket that exposed it to the outside world, unencrypted and with no password required.  Just think what would have happened under GDPR if this had occurred in 2018 within the European Union.

Though just over 1 TB was exposed, out of a total of 25 TB, this was enough to make visible the name, date of birth, home address, phone number, and registration details of almost every registered voter in the US.  We only wonder what the other 24 TB contained.  A case can be made that all of this data was already publicly available, state by state.  True, but when aggregated and analyzed it becomes more valuable, more sensitive.  And this type of data aggregation will only increase in the future.  So how do we maintain cloud security and protect against what was clearly the ‘human element’ in this case, non-malicious but nevertheless devastating?

The major cloud service providers, AWS included, have published in conjunction with the CIS a set of best-practice benchmarks that should be adhered to by every organization using their IaaS, PaaS, or SaaS platforms.  These documents align to what we term the ‘shared responsibility model’, where the provider and the customer each have their own responsibilities.  In this case, the breach was totally in the domain of the customer.

Specific areas of guidance within the benchmarks include encryption and separation of duties, among others.  The AWS CIS security benchmark has a check that S3 buckets have encryption enabled by policy.  A continuous security tool like Cavirin would have caught that both at-rest and in-transit encryption policies were missing.  With those in place, even if the data had been released to the Internet, it would have been unreadable.

On the separation of duties front, AWS provides a means of achieving this by creating roles and groups to put users into, and assigning different levels of permissions on an ‘as needed’ basis.  These feed into Identity & Access Management security policy tests, also coded within the benchmarks.  This reduces the complexity of access management, and also minimizes the chance of users accidentally receiving and retaining excessive privileges.  In the case of Deep Root, the policies would at least have flagged a potential violation by creating checks and balances.
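To make the two benchmark areas above concrete, here is an added example (not Cavirin's code, and not an official CIS check implementation) of the kind of static policy evaluation a continuous compliance scanner performs.  It runs over constructed sample documents: two S3 bucket policies (one enforcing encryption at rest and in transit, one world-readable like the exposure described above) and a small IAM inventory of users, groups and policies.  The bucket name, user and group names, and the inventory layout are assumptions made up for the example; a real tool would obtain the documents from the S3 and IAM APIs rather than from inline constants.

```python
# Added example, not Cavirin's code: static checks in the spirit of the CIS AWS
# controls discussed above, run over constructed sample documents. A real
# scanner would fetch these with get-bucket-policy and the IAM API instead.
SSE_KEY = "s3:x-amz-server-side-encryption"

# Constructed sample: encryption at rest and TLS in transit enforced, no public grant.
GOOD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-voter-data/*",
     "Condition": {"Null": {SSE_KEY: "true"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-voter-data/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
# Constructed sample of the exposure described above: world-readable, nothing
# enforcing encryption. A lone statement may be a bare object rather than a list.
BAD_BUCKET_POLICY = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-voter-data/*"}}

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _statements(policy, effect):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == effect]

def requires_sse_at_rest(policy):
    """True if a Deny blocks s3:PutObject whenever the SSE header is absent or wrong."""
    for s in _statements(policy, "Deny"):
        actions = _as_list(s.get("Action", []))
        cond = s.get("Condition", {})
        if {"s3:PutObject", "s3:*"} & set(actions) and (
                str(cond.get("Null", {}).get(SSE_KEY, "")).lower() == "true"
                or SSE_KEY in cond.get("StringNotEquals", {})):
            return True
    return False

def requires_tls_in_transit(policy):
    """True if a Deny fires when aws:SecureTransport is false (plain HTTP access)."""
    return any(str(s.get("Condition", {}).get("Bool", {})
                   .get("aws:SecureTransport", "")).lower() == "false"
               for s in _statements(policy, "Deny"))

def allows_anonymous_access(policy):
    """True if an Allow statement names the wildcard principal (world-readable)."""
    for s in _statements(policy, "Allow"):
        p = s.get("Principal")
        if p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))):
            return True
    return False

def audit_bucket_policy(policy):
    """Control failures for one bucket policy; an empty list means compliant."""
    findings = []
    if not requires_sse_at_rest(policy):
        findings.append("at-rest encryption not enforced by policy")
    if not requires_tls_in_transit(policy):
        findings.append("in-transit encryption (TLS) not enforced by policy")
    if allows_anonymous_access(policy):
        findings.append("anonymous (public) access allowed")
    return findings

# Separation of duties: constructed IAM inventory (groups -> policies, users -> groups).
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                   "Action": ["s3:GetObject", "s3:ListBucket"]}]}
IAM_INVENTORY = {
    "groups": {"Analysts": [READ_ONLY_POLICY], "CloudAdmins": [ADMIN_POLICY]},
    "users": {"alice": {"groups": ["Analysts"], "inline_policies": []},
              "bob": {"groups": ["Analysts", "CloudAdmins"], "inline_policies": []},
              "carol": {"groups": [], "inline_policies": [ADMIN_POLICY]}},
}

def grants_full_admin(policy):
    """True if any Allow statement grants Action '*' on Resource '*'."""
    return any("*" in _as_list(s.get("Action", [])) and "*" in _as_list(s.get("Resource", []))
               for s in _statements(policy, "Allow"))

def audit_iam(inventory):
    """Flag policies attached directly to users, and users whose effective rights are full admin."""
    findings = []
    for user, rec in inventory["users"].items():
        if rec["inline_policies"]:
            findings.append(f"{user}: policy attached directly to user, not via a group or role")
        effective = rec["inline_policies"] + [p for g in rec["groups"]
                                              for p in inventory["groups"].get(g, [])]
        if any(grants_full_admin(p) for p in effective):
            findings.append(f"{user}: effective permissions include full '*:*' administrative access")
    return findings

if __name__ == "__main__":
    for name, pol in (("good", GOOD_BUCKET_POLICY), ("bad", BAD_BUCKET_POLICY)):
        print(name, audit_bucket_policy(pol) or ["compliant"])
    print(*audit_iam(IAM_INVENTORY), sep="\n")
```

Run as a script it reports the bad bucket as failing all three controls and the good one as compliant, and flags bob (admin via group membership) and carol (a policy attached directly to the user, and full admin).  The checks are deliberately conservative: a policy that only encrypts through a different mechanism, or that uses a condition key the functions do not recognise, is reported as a failure for a human to review rather than silently passed.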

Though we can’t stop all breaches from occurring, the automation enabled by the Cavirin platform can reduce their frequency, their impact, and act as a backstop to organizations operating at ‘cloud speed’ but lacking the resources to ensure that they are always protecting the integrity of the data they handle.

Last week, Mary Meeker and her team at Kleiner Perkins published their yearly internet opus.  For those keeping track, it is now at 355 slides!  Though much of it focuses on the continuing evolution of commerce, media and gaming, as well as China and India, there are some excellent nuggets on cloud security.  Her analysis plays well into Cavirin’s strategy and product direction.

We live in an increasingly multi-cloud world.  Amazon with AWS got off to an early start, but Microsoft’s Azure, by virtue of its strong enterprise footprint, is gaining ground quickly.  Whereas companies leveraging AWS remained constant at 57% between 2016 and 2017, Azure use grew from 20% to 34%.   And not to be dismissed is the Google Cloud Platform (GCP), growing from 10% to 15% and benefitting from strong enterprise focus as evidenced at this year’s Google Next conference. Beyond this baseline, AWS will experience even greater competition in the future, as only 27% of organizations who don’t currently use AWS are experimenting with or planning to use the platform in the future.   This grows to 33% for Azure and 30% for GCP.   Cavirin natively supports the three major cloud service providers (CSPs), and delivers consistent analysis between these and any on-premise deployments.



By now, anyone with any connection to security is aware of the WannaCry ransomware attack, and it says something that the Wikipedia entry already lists it among major incidents alongside Anthem, Sony Pictures, and the US election.  As a quick review, the attack, leveraging the leaked NSA tool EternalBlue, took advantage of vulnerabilities in Microsoft’s SMB implementation.  The company issued a critical security bulletin, MS17-010 (CVE-2017-0144), on March 14, 2017, along with a patch for newer versions of the OS.  Note that this was a 1-day exploit, not a zero-day exploit, since the vulnerability had already been announced and patched.  But the issue is that older versions of the OS were still vulnerable, not every organization is on top of patches, and in some countries the high percentage of bootleg software effectively cut users off from patching.  Nonetheless, Cavirin can play an integral role in helping to identify and remediate these types of vulnerabilities.

First off, Cavirin’s partner SecPod included the notification in its March 16, 2017 SCAP Feed Release.  This was two days after the Microsoft announcement.  This is automatically included in Cavirin’s Patches & Vulnerabilities policy pack, which continually updates the live deployment.  Based on this notification, the customer may quickly scan their environment and identify vulnerable resources.  They may then manually patch their workloads, or may have in place an automated mechanism (e.g., Chef, Ansible) to pull down the Microsoft patch and update their systems.

AWS suffers outage

With increasing reliance on the cloud, and in many cases on a single cloud service provider, the probability of a widespread (though infrequent) outage grows.  On Tuesday, AWS S3 storage experienced a major outage, taking down the back-ends of many sites, including Netflix, Slack, and HubSpot, two of which we use at Cavirin.  Enterprises that were single-threaded on S3 simply had to wait it out, and though the actual outage lasted only 4 hours, it took the remainder of the day for many to recover.  To give you an idea of the magnitude of the impact, AWS S3 supports over 150K sites and upwards of three trillion data elements.  Thousands of tweets questioned whether the Internet had gone down, just like last October with the Mirai outage.  Compounding the problem is that the storage service is shared across multiple AWS zones, and though an enterprise may distribute compute across geographies, for practical or cost reasons it may depend upon a single storage instance.

The CISO is under immense pressure, expected to manage a dozen or more vendors across perimeter, endpoint, network, application, and data security, not to mention having to be an expert on policy and operations.  Hackers in many cases have the upper hand, and the human element is still the weak link.

Because of this, more and more enterprises are realizing that what we offer to automate some of this is no longer a nice-to-have.  It is a must-have!  At the same time, we’re able to clearly show our differentiation from the vulnerability assessment (VA) vendors, and we are more versatile than the cloud-only solutions.  Look at it this way, as best articulated by one of our customers, Cepheid: VA will tell you how many windows and doors you have, and which are open.  We take the next step, and tell you how to close them.  And, if you are so inclined, we’ll do the closing.

The API-first architecture of our new Pulsar platform was also top of discussion, with potential ecosystem partners realizing the need for a unified view of overall security compliance, be it server, endpoint, identity, or vulnerability, and across all clouds and containers.  If you missed it, check out our Pulsar General Availability PR.  In all, a more than successful first day for Cavirin’s first RSA presence, based on both the quantity, and more importantly, the quality of discussions and demos.

(Breaches photo from SS8 shirt at RSA - thanks!)

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.

5201 Great America Pkwy Suite 419  Santa Clara, CA 95054

- 1-408-200-3544