Highlights from the 2017 RSA Security Conference

February 13th, 2017

It seems that every major hardware and software security provider, and every IT security consulting firm in the world had gathered together at the RSA Security Conference held in San Francisco this year. There were lots of great topics that stalwarts gave talks on, and even the keynote sessions were interesting. The talk that we thought was the most helpful was the opening day (Monday, February 13th, 2017) seminar put together by the Cloud Security Alliance entitled “The Treacherous 12 – Cloud Computing Top Threats in 2016”.

For those who didn't attend this conference, here are 12 treacherous threats, ranked in order of severity, and what you can do to prevent them:

Cloud Computing Security Threat #1 – Data Breaches

Several high-profile companies such as antivirus firm BitDefender, health insurance company Anthem, and British telecom provider TalkTalk have had data breaches that exposed the data of millions of customers to hackers. In a data breach, sensitive data such as personally identifiable information (PII), personal health information, financial information, trade secrets, and/or intellectual property is exposed or stolen. Companies can protect against data breaches in the cloud by implementing multifactor authentication and encryption.

Cloud Computing Security Threat #2 – Insufficient Identity, Credential, and Access Management

Source code repository GitHub was mined to find a project in which a WordPress plugin developer had stored their AWS access keys within the code. Within 12 hours of the blunder, perpetrators had used the stolen credentials to kick off hundreds of AWS EC2 instances, leaving the account owner to foot a bill that was 352x their usual monthly amount. Companies can prevent such misuse not only by doing the obvious, i.e. not embedding cryptographic keys and credentials in source code stored in public-facing code repositories, but also by implementing policies to securely manage the Public Key Infrastructure (PKI), and by implementing Identity and Access Management systems that support the de-provisioning of access to IT resources when it is no longer needed. Companies should implement systems that mandate strong passwords, forced rotation periods, and multifactor authentication such as smartcards, one-time passwords (OTP), and/or phone authentication. Companies should also consider federating identities with public cloud providers, and using Security Assertion Markup Language (SAML) assertions to authenticate and authorize data exchanges.
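
A check for the "obvious" control above, written as a scanner a pre-commit hook or CI job could run over files before they reach a public repository. This is an added example, not code from the talk or from the Cloud Security Alliance; the file names and the `scan_files` interface are assumptions, and the key pair in the sample is the placeholder pair used in AWS documentation.

```python
import re

# Access key IDs: 20 characters, prefix AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-style characters with no fixed prefix, so only
# flag one when it is assigned to a name that mentions "secret ... key".
SECRET_KEY = re.compile(
    r"secret(?:_access)?_?key\W{1,6}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)

def redact(value):
    """Keep findings usable without copying the credential into CI logs."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(path, text):
    """Return (path, line number, kind, redacted match) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((path, lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_files(files):
    """files: mapping of path -> contents, e.g. the staged files of a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample input (hypothetical plugin files, AWS documentation keys).
SAMPLE_FILES = {
    "my-plugin/uploader.php": (
        "<?php\n"
        "define('AWS_KEY', 'AKIAIOSFODNN7EXAMPLE');\n"
        "define('AWS_SECRET_KEY', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');\n"
    ),
    "my-plugin/readme.txt": "Set AWS_SECRET_KEY in wp-config.php, not in the plugin.\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for path, lineno, kind, shown in hits:
        print(f"{path}:{lineno}: {kind} {shown}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```

A hit on a key that was ever pushed should be treated as a leaked credential and rotated, since removing it from the latest commit leaves it in the repository history.
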

Cloud Computing Security Threat #3 – Insecure Interfaces and APIs

The Internal Revenue Service (IRS) exposed 300,000 records via a vulnerable API (“Get Transcript”), and realized the importance of Adaptive API Security. When customers use user interfaces (UIs) to log in, and Application Programming Interfaces (APIs) to manage cloud services, they depend on the security of those APIs and their exposed IP addresses. Companies should threat-model applications and systems, including data flows and architecture designs, during the development process, and IT security departments should perform security-specific code reviews and rigorous penetration testing. CISOs should also take an adaptive security approach, using machine learning and statistical models to constantly learn “good behaviors”, which helps distinguish them from “bad behaviors” such as the systematic walk-through of application resource paths by bots.
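
A small illustration of the statistical side of that adaptive approach: learn what a normal client looks like from the traffic itself, then flag the client that walks through resource paths. This is an added example, not part of the talk; it uses a median/MAD baseline rather than machine learning, and the `client method path status` log format, the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def parse(line):
    """Parse a constructed 'client method path status' log line."""
    client, _method, path, status = line.split()
    return client, path, int(status)

def enumeration_suspects(lines, k=5.0, min_miss_ratio=0.5):
    """Flag clients whose distinct-path count is an outlier and mostly misses."""
    paths, total, misses = defaultdict(set), defaultdict(int), defaultdict(int)
    for client, path, status in map(parse, lines):
        paths[client].add(path)
        total[client] += 1
        misses[client] += status == 404
    if not paths:
        return []
    counts = {c: len(p) for c, p in paths.items()}
    # "Good behavior" baseline: median distinct paths per client, with the
    # median absolute deviation (MAD) as a spread that outliers cannot inflate.
    med = median(counts.values())
    mad = median(abs(n - med) for n in counts.values()) or 1.0
    suspects = []
    for client, n in counts.items():
        miss_ratio = misses[client] / total[client]
        if (n - med) / mad > k and miss_ratio >= min_miss_ratio:
            suspects.append((client, n, round(miss_ratio, 2)))
    return sorted(suspects)

# Constructed sample: three ordinary clients and one walking record IDs.
SAMPLE_LOG = [
    "192.0.2.10 GET /login 200",
    "192.0.2.10 GET /account 200",
    "192.0.2.10 GET /transcript 200",
    "192.0.2.11 GET /login 200",
    "192.0.2.11 GET /account 200",
    "192.0.2.12 GET /login 200",
    "192.0.2.12 GET /account 200",
    "192.0.2.12 GET /transcript 200",
    "192.0.2.12 GET /logout 200",
] + [
    f"198.51.100.7 GET /records/{i} {200 if i == 1003 else 404}"
    for i in range(1000, 1012)
]

if __name__ == "__main__":
    for client, n_paths, miss_ratio in enumeration_suspects(SAMPLE_LOG):
        print(f"{client}: {n_paths} distinct paths, {miss_ratio:.0%} not found")
```
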

Cloud Computing Security Threat #4 – System Vulnerabilities

The United States Department of Defense and content delivery network Akamai were attacked by a botnet created by hackers taking advantage of a bug, named “Shellshock”, in the widely popular bash shell used by UNIX-like systems, which was still present on millions of unpatched servers. Bugs, also known as system vulnerabilities, in open source software (OSS) can create risk for companies if left unpatched. Companies can prevent these sorts of issues, which are the source of 75% of all attacks, by putting in place IT processes that patch automatically on a recurring basis, and by designing steps to remediate Common Vulnerabilities and Exposures (CVEs) until a patch is made available by the vendor.

Cloud Computing Security Threat #5 – Account Hijacking

Code Spaces’ Amazon AWS account was hijacked, and all of its assets were destroyed, putting the company out of business. Service/account hijacking attack methods include phishing, fraud, and exploitation of software vulnerabilities, and once the attacker is inside a company’s network, the devastation they can cause is immeasurable. Companies can prevent this by harnessing techniques such as multifactor authentication, and threat monitoring and analysis tools.

Cloud Computing Security Threat #6 – Malicious Insiders

During Christmas time, customers of on-demand video entertainment service Netflix suffered a service outage when a cloud-privileged administrator at Netflix’s service provider, Amazon AWS, made an unwitting error. Threats from malicious insiders can involve a privileged current or former employee, contractor, or business partner with access to a company’s network, systems, or data, who purposefully, or sometimes unintentionally, uses that access to compromise the confidentiality, integrity, and/or availability of information or information systems. While the practice of shared accounts should be terminated, organizations can do more than just rely on the Cloud Service Provider’s (CSP) encryption services. Companies can set up auditable processes, and monitor for ad hoc or unexpected actions using insider threat detection and analysis tools, so as not to face the penalties that Morgan Stanley had to pay the FCC.

Cloud Computing Security Threat #7 – Advanced Persistent Threats

Undisclosed (to avoid embarrassment) banks in Russia, Japan, the United States and Europe had Advanced Persistent Threats (APTs) waged against them, losing $300MM in the process. APTs are attacks wherein insiders unwittingly download malware onto their machines and spread it to others within the organization, eventually allowing the attackers to manipulate data and steal money, oftentimes several months after the initial infection. These attacks start with seemingly innocent drive-by downloads, which happen while the user is doing something else on their computer and doesn’t know that they have been compromised. They can be prevented by flagging suspicious sessions, especially ones that download malware from suspicious sites, and exposing the attackers’ progress before more damage is inflicted.

Cloud Computing Security Threat #8 – Data Loss

An Amazon EC2 crash resulted in customers losing their data. Sony Pictures faced incredible embarrassment when employees’ computers were hijacked and loads of emails were exposed online, jeopardizing business relationships, and even releasing an upcoming movie (their copyrighted intellectual property) before the studio did so itself. Data loss can happen for one of many reasons, e.g. accidental deletion by a cloud service provider (CSP), natural disasters (earthquakes, fires), or, as in Sony’s case, a lack of malware protection that left them susceptible to phishing attacks, combined with a lack of proper network security precautions. End-to-end cloud-based data encryption and regular geo-redundant cloud backups can protect against data loss.

Cloud Computing Security Threat #9 – Insufficient Due Diligence

Netflix didn’t perform thorough-enough due diligence when agreeing to use Amazon’s AWS public cloud to stream content to customers, and thus their US-Eastern Region customers suffered an outage when AWS elastic load balancers were accidentally deleted. IBM and Dell faced challenges when the cloud storage company they were using, Nirvanix, filed for Chapter 11 bankruptcy, leaving them 2 weeks to move their data. This can only be mitigated by performing the due diligence before signing contracts with cloud service providers.

Cloud Computing Security Threat #10 – Abuse and Nefarious Use of Cloud Services

Hackers used Amazon’s EC2 Cloud to launch an attack on Sony’s PlayStation. When malicious actors abuse Cloud Service Providers (CSPs) by using them for DDoS attacks, automated click fraud, email spamming, phishing campaigns, hosting pirated content, and so on, the CSPs have to spend their resources battling the malice, and this saps their ability to respond to legitimate customers’ needs and to provide the service customers are paying for. These sorts of issues can be mitigated if Cloud Providers include controls for customers to monitor their cloud workload.

Cloud Computing Security Threat #11 – Denial of Service

Cloud-based services Evernote, Feedly, and Deezer were knocked offline when their cloud service provider was under a DDoS attack. In a Distributed Denial of Service (DDoS) attack, cloud-based resources are overwhelmed with requests, which can slow the services delivered over the cloud or even make them completely unavailable. To prevent this, tools must be put in place that notify administrators of an ongoing DDoS attack, and administrators should have access to resources that can be used to mitigate the attack.

Cloud Computing Security Threat #12 – Shared Technology Vulnerabilities

It has been proven that a compromised piece of code on a virtual instance in a cloud can affect other VMs on the same physical resource. This can be protected against through Host-based Intrusion Detection Systems (HIDS) and Network-based Intrusion Detection Systems (NIDS).
