Category Archives: Threat Modelling

Key Takeaways – Top Threats to Cloud Computing Report (2020)

I just re-read the “Top Threats to Cloud Computing Egregious Eleven Deep Dive” (2020) by the Cloud Security Alliance. There is a lot of good stuff (or bad stuff, depending on your vantage point). I like this report because it has use cases that illustrate real threats and weaknesses; it is also data-driven, not Elmer F.U.Dd-driven! The report has “Key Takeaways” sections too.


I highly recommend reading it and revising your architecture and processes as needed. I highlighted (in bold) a few key takeaways that are particularly important for you security architects to consider.

Summary

The authors make the following summary statement in the beginning of the report.

Identity and Access Management (IAM) controls were the most relevant mitigation in this year’s report, accounting for 8 of the 9 case studies. Security Incident Management, e-Discovery and Cloud Forensics (SEF), including planning for an attack fallout and executing on the plan was paramount to successfully dealing with all but one of the incidents cited. Both IAM and SEF accounted for 17 controls each.

Key Takeaways

The authors outline the following takeaways:

  1. Data inventory/lifecycle practices for archiving, disposal, and destruction limit data exposure.
  2. Be aware of the cloud service’s metadata that can be exposed with misconfigurations.
  3. Over-privileged cloud apps allow access to too much data when compromised.
  4. Enable Multi-Factor Authentication (MFA) to ensure strong user authentication.
  5. Implement a different set of login credentials for different services on the same platform to ensure compromise of one account does not affect the other services.
  6. Run user awareness campaigns to ensure users follow security best practices, such as using a strong and unique password per account.
  7. Data stored in the cloud should be secured through encryption and the use of IAM facilities.
  8. Third-party security service providers should be vetted to make sure they are trustworthy and follow standard security practices.
  9. The agility of cloud services enables more human error, design flaws and policy violations. More investment into control and correction of existing and planned states is necessary.
  10. Cloud services and assets exhibit a broader external attack surface; its discovery and reduction is key.
  11. Sound architecture and design of cloud systems, networks, accounts and identities, as well as other defense-in-depth considerations, are beneficial even for smaller cloud-using organizations and environments.
  12. Consumers have to be aware of the hidden dangers of installing apps on their mobile devices without understanding the true impact on their privacy.
  13. Always protect sensitive data storage via encryption.
  14. Have a detailed, tested incident response plan at the ready, including arrangements for additional network and filter capacity in an emergency.
  15. Perform appropriate threat modeling.
  16. Lower the attack surface through best-practice network design (ACLs, firewalls, port and protocol blocking, default deny).
  17. Proper threat modelling allows security architects and developers time to evaluate control gaps.
  18. Security protections should be built in, not bolted on.
  19. Service provider agreements should clearly state the security responsibilities of the supplier.
  20. Conduct periodic security assurance audits to verify vendor conformance against organizational policies, procedures and standards.
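Takeaway 3 (over-privileged cloud apps) is the one I see violated most often, and it is cheap to catch before a policy is ever attached to a role. The check below is an example I added to this post; it is not code from the CSA report. The two policy documents are constructed for illustration, the sensitive-action list is an assumed shortlist rather than an exhaustive catalogue, and the function only reads a policy document, so it can run offline in CI against policies exported from your accounts.

```python
"""Static check for over-privileged IAM policies.

Added example (not code from the CSA report or this blog): the policies below
are constructed for illustration, and SENSITIVE_ACTIONS is an assumed
shortlist, not an exhaustive catalogue.
"""
import fnmatch
import json

# Actions that let a compromised app reach far more data or privilege than it
# needs when granted on Resource "*".  Assumption: illustrative shortlist.
SENSITIVE_ACTIONS = {
    "iam:PassRole",
    "iam:CreatePolicyVersion",
    "iam:AttachRolePolicy",
    "sts:AssumeRole",
    "lambda:UpdateFunctionCode",
    "s3:GetObject",
}


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action_pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), action_pattern.lower())


def find_overprivileged(policy):
    """Return [(statement_index, finding), ...] for risky Allow statements.

    `policy` may be a parsed dict or the JSON text of a policy document.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Allow + NotAction grants every action *except* those listed.
        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction grants everything not listed"))

        if "*" in actions:
            findings.append((idx, "Action '*' grants every API call"))
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                findings.append((idx, "service-wide wildcard action: " + ", ".join(service_wide)))

        # Sensitive actions on every resource, with no Condition to narrow them.
        hits = sorted(s for s in SENSITIVE_ACTIONS
                      if any(_matches(a, s) for a in actions))
        if hits and "*" in resources and "Condition" not in stmt:
            findings.append((idx, ", ".join(hits) + " allowed on Resource '*' without a Condition"))
    return findings


# Constructed sample: the kind of policy a "quick" deploy script attaches to an app role.
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:InvokeFunction"], "Resource": "*"},
    ],
}

# Constructed sample: same app, scoped to one bucket prefix and one role (assumed ARNs).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-reports-bucket/reports/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-worker",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("over-privileged", OVERPRIVILEGED_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name)
        for idx, finding in find_overprivileged(pol) or [(None, "no findings")]:
            print(f"  statement {idx}: {finding}")
```

The interesting part is the third check: `s3:*` on `Resource "*"` is flagged twice, once as a service-wide wildcard and once because it expands to `s3:GetObject` on every bucket, which is exactly the "access to too much data when compromised" case the report describes. A `Condition` block suppresses the sensitive-action finding on purpose; review those statements by hand rather than trusting the heuristic.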

What are some lessons from the five biggest breaches of 2017?

I came across this blog posting from Continuity Central. It is a good post because it is succinct.

  1. NHS – Based on knowledge in the public domain, we believe the root cause of the vulnerability relates to an ‘enhanced data sharing’ option. If enabled, that data can be accessed by hundreds of thousands of other users of the same system. This is a common oversight, as organizations tend to focus on their web application testing and security but fail to extend this security to their desktop applications. We regularly find vulnerabilities like this when we’re auditing desktop applications and the communication mechanisms that support them. By extending the same care to both web and desktop applications, these vulnerabilities can be minimised.
  2. Equifax – This breach highlights how critically important it is for all organizations to be on top of their vulnerability management processes, ensuring that critical patches for software and systems are applied as soon as possible. Regular penetration testing and vulnerability scanning feed into a central vulnerability management system within the wider governance, risk and compliance (GRC) processes. They’re fundamental to help mitigate the risk of these kinds of breaches occurring. After all, if you’re not aware of your vulnerabilities and risks, you can’t treat them.
  3. Yahoo – …these types of breaches usually originate from an exploited website vulnerability. Preventing such a hack starts with using controls that identify vulnerabilities. However, it’s also critical that incident response processes are in place to identify attacks in progress.
  4. Uber – …beyond securing vulnerable information, communication is key. Uber tried to brush the breach under the carpet, but making your customers aware of a breach as soon as possible is the best response. This will be critical when the General Data Protection Regulation becomes enforceable. Under the regulation, organizations must notify the relevant supervisory authorities and affected parties of the breach within 72 hours of its discovery, as failure to do so could result in fines of up to €20m or 4 percent of worldwide revenue, whichever is greater.
  5. Alteryx – …a cyber risk researcher revealed that data analytics software company Alteryx had left a 36-gigabyte database exposed in an Amazon Web Services storage bucket. Alteryx’s unsecured database was discovered during a routine search of Amazon Web Services storage buckets, with the breach affecting 123 million households in the USA. Configuration-related vulnerabilities like this are common, and AWS storage buckets that have not been protected correctly with the right controls are frequently discovered. According to The Register, information from Accenture, Verizon, Viacom, and the US military had been inadvertently left online due to incorrect configuration. When storing sensitive information in the public cloud, it’s vital to implement best-practice security measures. All storage buckets must be configured correctly, with procedures, checks and balances in place to make sure that systems can’t go live without being properly audited. Each configuration must be checked against potential vulnerabilities, and it is best practice to ensure that the configuration is peer reviewed before the system goes live.
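The Alteryx item ends with "each configuration must be checked against potential vulnerabilities" but does not say what that check looks like for a storage bucket. Below is an example I added to illustrate it; it is not code from the Continuity Central post, from Alteryx, or from AWS. The inputs are constructed to mirror the JSON shapes that `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return, so the same function can be pointed at real output you have saved to disk (that file handling is assumed, not shown). The bucket name, owner ID and role ARN are placeholders.

```python
"""Check an S3 bucket's ACL, bucket policy and Public Access Block for public exposure.

Added example, not code from the quoted post or from AWS.  The inputs are
constructed to match the shapes returned by `aws s3api get-bucket-acl`,
`get-bucket-policy` and `get-public-access-block`; the identifiers in them
are placeholders.
"""
import json

# Group grantee URIs that make a bucket readable by anyone on the internet
# (AllUsers) or by any AWS account holder (AuthenticatedUsers); the latter is
# effectively public because anyone can create an AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """A Principal of "*" or {"AWS": "*"} means any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def assess_bucket(acl, policy=None, public_access_block=None):
    """Return a list of findings; an empty list means no public exposure was found.

    `policy` may be a parsed dict, the JSON text the CLI returns, or None.
    """
    findings = []

    # 1. Legacy ACL grants to the public groups.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")

    # 2. Bucket policy statements that allow a wildcard principal.  A Condition
    #    (e.g. aws:SourceVpce) may legitimately narrow "*", so those statements
    #    are skipped here and should be reviewed by hand.
    if policy:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
            if (stmt.get("Effect") == "Allow"
                    and _principal_is_public(stmt.get("Principal"))
                    and "Condition" not in stmt):
                findings.append(f"bucket policy statement {idx} allows {stmt.get('Action')} "
                                "to Principal '*' without a Condition")

    # 3. Public Access Block: all four flags should be on unless the bucket is
    #    deliberately public; a missing block is treated as all flags off.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
    if missing:
        findings.append("Public Access Block not fully enabled: " + ", ".join(missing))
    return findings


# Constructed samples: an exposed bucket ...
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-analytics-bucket/*"}],
})
NO_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}

# ... and the same bucket after hardening (access limited to one assumed role ARN).
HARDENED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}],
}
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AnalystRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-analytics-bucket/*"}],
})
FULL_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, NO_PAB)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, FULL_PAB))):
        print(name, assess_bucket(*args) or ["no findings"])
```

Wire a check like this into the peer review the post calls for: run it against every bucket's exported configuration in the pipeline that promotes a system to production, and fail the promotion on any finding. The Public Access Block check is the one that matters most operationally, because with all four flags on, a later mistake in an ACL or bucket policy cannot reopen the bucket.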
What is causing a lack of focus in putting the right defenses in the right places in the right amounts against the right threats?

In my daily reading, the opening line and the entire post entitled “6 reasons you’re failing to focus on your biggest IT security threats” by Roger Grimes got my attention. The entire posting is worth a read. Below are the highlights.

Most companies are not focused on the real security threats they face, leaving them ever more vulnerable. That can change if they trust their data rather than the hype.

Humans are funny creatures who don’t always react in their own best interests, even when faced with good, contrarian data they agree with. For example, most people are far more afraid of flying than of the car ride to the airport, even though the car ride is tens of thousands of times riskier. More people are afraid of getting bitten by a shark at the beach than by their own dog at home, even though being bitten by their dog is hundreds of thousands of times more likely. We just aren’t all that good at reacting appropriately to risks even when we know and believe in the relative likelihood of one versus the other happening.

The same applies to IT security.

Computer defenders often spend time, money, and other resources on computer defenses that don’t stop the biggest threats to their environment. For example, when faced with the fact that a single unpatched program needed to be updated to stop most successful threats, most companies do everything other than patch that program. Or if faced with the fact that many successful threats occurred because of social engineering that better end-user training could have stopped, the companies instead spent millions on everything but better training.

I could give you dozens of other examples, but the fact that most companies can easily be hacked into at will is testament enough to the crisis. Companies simply aren’t doing the simple things they should be doing, even when confronted with the data.

The problem bothered me enough that I wrote a whitepaper, slide deck, and book on the subject. Without having to read all of that, the answer for why so many defenders don’t let the data dictate their defenses is mostly about a lack of focus. A lot of priorities compete for computer defenders’ attention, so much so that the things they could be doing to significantly improve their defense aren’t being done, even when cheaper, faster, and easier to do.

What is causing this lack of focus in putting the right defenses in the right places in the right amounts against the right threats? A bunch of things, including these:

1. The sheer number of security threats is overwhelming
2. Threat hype can distract from more serious threats
3. Bad threat intelligence skews focus
4. Compliance concerns don’t always align with security best practices
5. Too many projects spread resources thin
6. Pet projects usually aren’t the most important ones

… it starts with an avalanche of daily threats and is worsened by many other factors along the project chain. The first step in fixing a problem is admitting you have a problem. If you see your company’s ineffective computer defenses represented above, now is the time to help everyone on your team understand the problem and help them to get better focus.

The Takeaways

  1. Prioritize your projects. Focus on the projects that have the highest return on investment for improving the overall security posture and risk alignment.
  2. Validate that your teams are working on tasks related to the prioritized projects. Prioritized projects should be narrower in scope but completed end to end. For example, instead of deploying a database monitoring solution to all of your critical databases, deploy it to one or two databases. That deployment should be in blocking mode and have all of the operational support documents, procedures, etc. completed.
  3. Leverage DevOps and Agile principles to obtain faster and incremental results as well as alignment with the business.
  4. Ensure the vulnerability management program is adapted and customized to your company so you can identify the threats and vulnerabilities that are truly a priority for your team and not just hype.