Top Threat by Cloud Security Alliance Foreshadows the Capital One Breach
By: Angela Polania and Leon Chirino
With many more organizations moving their IT assets to the Cloud every day, and with three solid players in the Cloud market, Microsoft Azure, AWS and Google Cloud, have you considered the threats that may affect cloud environments? Things have changed: we are no longer talking about the traditional on-premises server room or the co-location datacenter scenarios.
The Cloud Service Providers (CSPs) have revolutionized the IT industry so rapidly that not everything we see now is guaranteed to last. The concepts are changing and evolving so dynamically that it is hard to keep up with new developments and the way they work.
One of the most important topics in IT in general, and in IT security in particular, is risk assessment. To assess risk for an IT system, you need to know the potential threats that may affect that system: environmental, socio-political, criminal organizations, intentional acts, errors and accidents, and so on.
So, we cannot expect now to consider the same threats we have been using for the non-cloud or in-house environments. Some of them would still apply, but it is of utmost importance that we take the time to identify the threats now affecting our cloud systems. For example, during our practice, we have seen with many clients that the physical, environmental and data availability threats are still valid threats, but they do not have the same impact weight as with traditional systems. We know that all three major competitors, MS Azure, AWS and Google Cloud, have built “fortress” data centers with “state of the art” physical and environmental controls, with multiple data centers around the world allowing data replication and backups using their cloud applications.
The Cloud Security Alliance (CSA) has created the Top Threats Working Group to conduct exhaustive research on the risks, threats and vulnerabilities affecting cloud computing, to provide recommendations and to raise awareness, including continuous updates as platforms and environments change.
In the recent “Top Threats to Cloud Computing 2019” report, the CSA Top Threats Working Group highlights 10 Top Threats. Following is an extract of the report, listing the Top 5 reported threats in order of significance:
Number 1. Misconfiguration and Inadequate Change Control
Well, this is at the top of the list, and it is what happened with Capital One, based on the information provided in the FBI statement: “A Firewall misconfiguration permitted commands to reach and be executed by that server, which enables access to folders or buckets of data in Capital One’s storage space at the Cloud Computing Company”.
Misconfiguration occurs when computing assets are set up incorrectly, often leaving them vulnerable to unauthorized actions. Misconfiguration of cloud resources is a leading cause of data breaches and could allow deletion or modification of resources and service interruption. Again, Capital One, the perfect example.
An absence of effective change control is a common cause of misconfiguration in a cloud environment. Cloud environments and cloud computing methodologies differ from traditional IT in ways that make changes more difficult to control. Traditional change processes involved multiple roles and approvals and could take days or weeks to reach production. Cloud computing techniques rely on automation and expansion of roles and access to support rapid change.
In a nutshell, what are the controls?
- Strong Change and Configuration Management Practices
- Proactive monitoring with alerting and someone looking at the alerts!! (not sure where the SOC team at Capital One was on this). There are great tools in place, but without people and knowing what to monitor, it is like a nice car sitting in your garage collecting dust…
- File integrity monitoring
A word on tools, as always: tools are only as good as how they are configured and monitored; thus governance is KEY in Cyber Security.
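The change-control and monitoring controls above can be combined into one automated check. The following is an added example, not part of the original article: it compares the firewall rules currently deployed against an approved baseline and raises a finding for drift, unapproved rules and rules open to any address. The rule format, rule names, ticket ids and the `PUBLIC_PORTS` policy are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data in a hypothetical, provider-neutral rule format.
APPROVED_BASELINE = [
    {"id": "web-https", "port": 443, "source": "0.0.0.0/0", "change_ticket": "CHG-EXAMPLE-1"},
    {"id": "admin-ssh", "port": 22, "source": "10.20.0.0/16", "change_ticket": "CHG-EXAMPLE-2"},
]
CURRENT_RULES = [
    {"id": "web-https", "port": 443, "source": "0.0.0.0/0"},
    {"id": "admin-ssh", "port": 22, "source": "0.0.0.0/0"},    # widened outside change control
    {"id": "tmp-debug", "port": 8080, "source": "0.0.0.0/0"},  # never approved
]
PUBLIC_PORTS = {443}  # assumption: the only port accepted from any address


def is_world_open(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(baseline, current, public_ports=PUBLIC_PORTS):
    """Return sorted (rule_id, finding) tuples for drift and exposure."""
    approved = {r["id"]: r for r in baseline}
    findings = []
    for rule in current:
        base = approved.get(rule["id"])
        if base is None:
            findings.append((rule["id"], "unapproved rule"))
        elif (rule["port"], rule["source"]) != (base["port"], base["source"]):
            findings.append((rule["id"], "drift from approved baseline"))
        # Exposure is checked independently of approval status.
        if is_world_open(rule["source"]) and rule["port"] not in public_ports:
            findings.append((rule["id"], "open to any address"))
    for rule_id in approved.keys() - {r["id"] for r in current}:
        findings.append((rule_id, "approved rule missing"))
    return sorted(findings)


if __name__ == "__main__":
    for rule_id, finding in audit(APPROVED_BASELINE, CURRENT_RULES):
        print(f"ALERT {rule_id}: {finding}")
```

Run on a schedule against an export of the live rules, the output is only useful if it is routed to someone who acts on it.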
Number 2. Lack of Cloud Security Architecture and Strategy
Organizations without a proper security architecture and strategy become increasingly vulnerable to successful cyber-attacks. Implementing security architecture and developing a robust security strategy will give organizations a “home court advantage” and greatly reduce the risk of being compromised.
Organizations around the globe are migrating pieces, if not all, of their IT infrastructure to public clouds. One of the biggest challenges during the transition is a strategy to combat threats and appropriate security architecture to withstand cyber-attacks – security architecture and strategy in the cloud is still a mystery to many organizations.
We see in several clients that some of the basic architecture designs do not seriously consider security as part of the design.
Controls: Hire someone that knows what they are doing, get a second opinion, continuously evaluate your architecture and stay on top of your cloud providers’ improvements and evolving technologies.
Number 3. Insufficient Identity, Credential, Access and Key Management
Identity, credential, and access management comprises the tools, policies and systems that allow organizations to manage, monitor and secure access to valuable resources such as electronic files, computer systems, or physical resources such as server rooms and buildings.
Cloud computing introduces multiple changes to how we have traditionally managed IAM for internal systems. Organizations planning to federate identity with a cloud provider need to understand the security around the cloud provider’s identity solution, including processes, infrastructure, segmentation between customers (in the case of a shared identity solution), and implemented by the cloud provider.
In Capital One, the hacker got access to the credentials to exfiltrate the data… Where was MFA (multi-factor authentication) on this? Again, proactive monitoring? Of course, we do not have all the details, and I have to believe Capital One had these controls; thus something else failed?
Some controls that come to mind:
- Multi-factor authentication on privileged users and really all users if you can
- Use of Key Vaults with Keys not in the same environment.
Number 4. Account Hijacking
Phishing attacks, exploitation of cloud-based systems and credential compromise can and often do lead to account hijacking. This threat is unique in its nature, as well as in its grievous potential impact: a complete annihilation of the cloud environment, with all operations, data and assets lost or otherwise compromised. This stems from the delivery model of cloud services, as well as that of its organization and governance: data and applications reside in cloud services, which reside in a cloud account or subscription. Said subscription is implicitly and by default accessible via the internet to anyone with privilege and credentials.
In addition to the ones mentioned, as there is not one control that solves all your problems:
- Have a strong method of authentication for cloud app users. (e.g. SSH with MFA)
- Make sure all of your data is securely backed up in the event that your data is lost in the cloud.
- Restrict the IP addresses allowed to access cloud applications. Some cloud apps provide tools to specify allowable IP ranges, forcing users to access the application only through corporate networks or VPNs.
- Encrypt sensitive data before it goes to the cloud. Capital One has some data encrypted and tokenized, but why not all? Again, don’t know enough about the case to have these levels of details.
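The authentication and IP-restriction controls in this list also work as a detection rule where the cloud app cannot enforce them itself. The following is an added example, not part of the original article: it reviews sign-in events and flags any that come from outside the allowed corporate or VPN ranges or that completed without MFA. The event format, user names and address ranges (documentation blocks) are constructed for illustration.

```python
import ipaddress

# Assumed corporate/VPN egress ranges (constructed, documentation address blocks).
ALLOWED_RANGES = [ipaddress.ip_network(c)
                  for c in ("198.51.100.0/24", "2001:db8:10::/48")]

# Constructed sign-in events in a hypothetical log format.
EVENTS = [
    {"user": "alice", "ip": "198.51.100.7", "mfa": True},
    {"user": "bob", "ip": "203.0.113.50", "mfa": True},
    {"user": "carol", "ip": "198.51.100.9", "mfa": False},
    {"user": "dave", "ip": "2001:db8:10::1", "mfa": True},
    {"user": "eve", "ip": "not-an-ip", "mfa": False},
]


def ip_allowed(ip_text, ranges=ALLOWED_RANGES):
    """True only if ip_text parses and falls inside an allowed range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # fail closed on malformed or spoofed source fields
    return any(addr.version == net.version and addr in net for net in ranges)


def triage(events, ranges=ALLOWED_RANGES):
    """Return {user: [reasons]} for every sign-in that violates a control."""
    flagged = {}
    for ev in events:
        reasons = []
        if not ip_allowed(ev["ip"], ranges):
            reasons.append("source outside allowed ranges")
        if not ev.get("mfa", False):  # a missing field counts as no MFA
            reasons.append("no MFA")
        if reasons:
            flagged.setdefault(ev["user"], []).extend(reasons)
    return flagged


if __name__ == "__main__":
    for user, reasons in triage(EVENTS).items():
        print(f"REVIEW {user}: {', '.join(reasons)}")
```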
Number 5. Insider Threat
CERT defines an insider threat as “the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization”. Insiders can be current or former employees, contractors, or other trusted business partners. Unlike external threat actors, insiders do not have to penetrate firewalls, VPNs, and other perimeter security defenses. Insiders operate within a company’s security circle of trust where they have direct access to networks, computer systems, and sensitive company data.
So the typical controls apply here, whether cloud or not, for employees and/or people you grant access to your environments: do you know who they are, how long they have access, what kind of access they get, how they access? Do you monitor access? Do you trust but verify?
Stay tuned for the next newsletter, which will cover the remaining threats:
- Number 6: Insecure Interfaces and APIs
- Number 7: Weak Control Plane (System Vulnerabilities)
- Number 8: Metastructure and Applistructure Failures (Data Loss)
- Number 9: Limited Cloud Usage Visibility (Shared technology vulnerabilities)
- Number 10: Abuse and Nefarious Use of Cloud Services
So, as we see here, you cannot leave protecting your data to your cloud provider. Security requires a defense-in-depth approach and knowledge of what you are protecting.
Thank you for reading our blog!!!