Five Steps to Improve your Multi-Cloud Security

/by

In 2021, the COVID-19 pandemic had a dramatic impact on how and where we do business. For many enterprises, the “where” became the cloud – immediately. This rapid adoption of the cloud – in most cases multiple clouds – created a rapid increase in security issues. Suddenly, enterprises had new cloud security requirements they needed to understand and deploy without the benefit of time to learn. The complexity continued to increase, and this triggered new security issues with potentially costly consequences. These included:

  • Data leakage/exfiltration – Unauthorized movement of sensitive data from inside the enterprise to outside can be accidental or deliberate. Often the discovery that data has been leaked occurs days, weeks, or months later, and can result in a damaged brand, lost customer trust, and fines.
  • Ransomware – Enterprises can pay thousands to millions of dollars to access encrypted data and systems in order to restore operations. Additionally they can be extorted to pay for the recovery of stolen sensitive information.  If they refuse to pay,  enterprises can lose days or weeks of revenue trying to recover their systems, and risk having sensitive data posted on the internet.
  • Non-compliance – Enterprises not adhering to mandatory regulations (PCI-DSS, CMMC, HIPAA) or voluntary cybersecurity frameworks (NIST, GDPR) can incur costly penalties and potential shutdowns that limit their ability to conduct business. Customer relationships may be damaged by the perception that security isn’t a priority.
  • Team collaboration/staffing shortages – DevOps is highly distributed across the enterprise and many teams acknowledge the lack of cloud platform security expertise. Cloud security practices should encourage significant collaboration that leverages both internal and external expertise.

To maintain cloud security and reduce–if not totally eliminate–the impact of these serious security issues, enterprises need a proven cybersecurity framework to address these issue directly.

Steps to strengthen your cloud security

Cloud environments are dynamic and constantly evolving. These 5 steps provide a proven framework to improve your enterprise’s cloud security using a technology driven approach, even in a multi-cloud environment.

  1. Visualize/maintain an accurate inventory of compute, storage and network functions
    Security teams often lack visibility across multi-cloud and hybrid environments. Cloud environments are often managed in disparate consoles in tabular forms. Security teams need to understand controls that filter traffic, including cloud native controls (network security groups and NACLs), and third-party infrastructure (SASE, SD-WAN and third-party firewalls). A single solution that provides a detailed visual representation of the multi-cloud environment is critical.
  2. Continuously monitor for exposed resources
    It is important to understand which cloud resources are publicly accessible or Internet-facing. Unintentional exposure of resources to the Internet is a major cause of cloud breaches. This includes any data resources like AWS S3 buckets or AWS EC2 instances. Security teams need to easily identify and report on exposed resources, and then provide remediation options that include changes to security groups or firewall policy.
  3. Continuously validate against industry best practices
    There are many industry best practice frameworks that can be used to validate cloud security. CIS Benchmarks and Cloud Security Alliance are two of these frameworks. Security teams should continuously validate adherence to best practices and quickly remediate findings to eliminate misconfigurations and avoid excessive permissions.
  4. Validate policies – segmentation within/across clouds and corporate mandates
    Many security teams create segmentation policies to minimize attack service and reduce the risk of lateral movement. Examples may be segmenting one Cloud Service Provider from another (AWS cannot talk to Azure) or segmenting access across accounts in the same CSP. Both segmentation and corporate policies should be continuously monitored for violations and provide detailed information that enables rapid remediation.
  5. Conduct comprehensive vulnerability prioritization
    All vulnerability management solutions provide a severity score, but more comprehensive prioritization can occur by identifying which vulnerabilities in the cloud are Internet-facing (including the downstream impact of these vulnerabilities).

Implementing success

While the risks grew for many enterprises this past year as they rapidly moved to the cloud, several have dodged the bullet. RedSeal has helped many successfully adopt a strong security framework and gained actionable insights into their cloud environments. These insights were often an eye-opener.

  • Underestimated VPC[1] inventory in the cloud – A healthcare customer expected “a few VPCs” in their cloud environment. The implementation of RedSeal revealed they had over 200 VPCs. This helped them see their overall cloud footprint and reduced their attack surface.
  • Exposed cloud resources– An enterprise customer incorrectly believed that all of their cloud resources were protected by a third-party firewall. Consequently, many resources were directly exposed to the Internet. RedSeal identified the exposed resources and the misconfigurations before any exploitation occurred.
  • Risky shadow IT – A technology company’s business unit had cloud instances that did not pass the company’s access security mandate. RedSeal identified these resources and helped determine that employees had bypassed process and created unauthorized cloud resources. The company’s shadow IT with respect to cloud security is now under control.
  • Zone-based segmentation as required by PCI-DSS – A payment card provider validated that card holder data was segregated and protected after their cloud migration. They modeled and monitored their segmentation policy, enabling their audit to be completed quickly and confidently.
  • VPC/VNET without subnets or subnets without instances – A healthcare customer discovered 100s of empty VPC/VNET subnets and subnets without instances in their cloud environment. The default configuration: “ANY/ANY” could have been easily exploited by malicious actors and industry best practices indicate they should be deleted or actively monitored.

 

With RedSeal, all these enterprises, and more, have utilized a multi-cloud security methodology that highlights: Visualization/Inventory, Exposure, Industry Best Practices, Policy Validation, and Vulnerability Prioritization. These 5 steps can bring peace of mind to security teams who have had to act quickly and without warning in response to this most unprecedented year.

Learn More

Looking for more details on how 3rd party firewalls may impact your cloud security framework? Download our whitepaper “How Should I Secure My Cloud?

RedSeal’s Cloud Security Solution -Ensure Your Critical Cloud Resources Aren’t Exposed to the Internet

[1] AWS uses the term VPC (Virtual Private Cloud) and Azure uses the term VNet (Virtual Network). Conceptually, they provide the bedrock for provisioning resources and services in the cloud. However, there is variability in implementation.

The Real Reason for Breaches (and How to Avoid Them)

/by

Security is a tough job – we invest so much effort, and yet the breaches keep on happening.  Why?  In a word, complexity. 

The digital world brings so many great efficiencies and innovations – the pressure to move fast and exploit opportunities is irresistible to every organization.  But crossing all these online frontiers brings the unavoidable frontier challenges – lawlessness, chaos, and rapid change.  Security is easiest in mature, well understood, and above all, in simple infrastructures.  Every added bit of complexity and change moves away from security, and towards chaos.  The security professional has a thankless task – we cannot simply demand that our employers be more orderly or cease changing.  Instead, we have to adapt constantly, and try to keep up with all the new territory that is constantly opening up, with new threats and new ways to get it all wrong.

When you analyze any of the major breaches in detail, you find they are always multi-component – there is never just one simple, single cause.  Attackers are stealthy, persistent, and they move from one foothold to another.  This means that when a breach happens, it’s a system-level failure, not just one component that could have been isolated and fixed.  Worse, even if you put all your effort into fixing as many components as possible, you’ll never get to 100% secure and impervious to attack.  The bad guys will search and search for anything you missed, then exploit it, gain a new foothold, and work outwards from there.

Clearly, the road to security doesn’t come from finding and fixing everything – it’s impossible to fix every issue in your network today, and even if you could, there will be new defects tomorrow, because the rate of change is so high.  Instead, we have to learn to thrive in a world with inherent vulnerability, just the way animals and people do in the biological world.  Biological systems are resilient rather than perfectly protected – they can adapt and bounce back from infection, since Mother Nature long ago learned that blocking every pathogen just wasn’t going to work.  Of course, this doesn’t mean you should give up and just accept every possible attack – biological systems still aim to be hard targets, they just actively maintain an immune system so they can detect, isolate, and remove the inevitable successful attacks.

So the way forward is to find what you have, in the cloud and across your physical sites, see how it’s all connected, and understand where you can block incoming attacks, as well as thwart lateral movement for attackers who do make it past your defenses.  The first goal is a complete inventory – in itself, that’s a hard challenge because of the diverse and changing fabric we use to get the work done.  The second goal is to harden any assets that are exposed.  The third goal is based on recognizing that perfect hardening at step two won’t happen, so instead, it’s essential to understand what is connected to what, so that you can stay ahead of attacks and block them before they get a chance to spread.  This is why RedSeal focuses on these three disciplines – gather and map the network in all its hybrid complexity, then harden the individual elements, then help our customers conduct war games where they can think at a system level, and prioritize their defensive efforts to become a resilient hard target.

For further details on how RedSeal tackles cloud security, check out our solution brief: “Redseal Ensures Your Critical Cloud Resources Aren’t Exposed To The Internet”

Experts Warn of Attacks on a Cisco ASA Security Flaw due to a new Proof-of-Concept Exploit

/by

RedSeal Cyber Threat Series            

Researchers at Positive Technologies have created a proof-of-concept (PoC) exploit that leverages a 2020 Cisco ASA vulnerability. A Cisco administrator would have to click on a link that takes the unsuspecting user to a web page where the malware is downloaded and the Cisco ASA must not be patched. Cisco released a patch for a Medium Severity web services vulnerability that affects the Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software CVE-2020-3580. This security flaw can allow an unauthenticated attacker to remotely conduct a cross site scripting (XSS) attack against a user of the web services interface.

Enterprises should patch their Cisco ASA Software and Firepower Software as soon as possible.  A successful attack could allow the attacker to execute code or access sensitive browser information.   

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

Cybersecurity Best Practices 

  • Keep your devices patched and up to date 
  • Ensure you are using TLS v1.2 or above; disable lower versions of TLS and HTTP 
  • Disable WebVPN or AnyConnect if not in use on your device  

References 

https://securityaffairs.co/wordpress/119442/hacking/cisco-asa-under-attack.html 

https://nvd.nist.gov/vuln/detail/CVE-2020-3580 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe   

Zero Trust Is Here to Stay, So How Can I Prepare My Network?

/by

Whether you agree or not with the concept–zero trust architecture is here for the foreseeable future.

Unless your organization is cloud-native, you are going to have to prepare to implement zero trust on your existing enterprise. If you are the one responsible for deploying and maintaining networks for the Federal government, zero trust is most likely at the top of your to-do list.

The President’s latest executive order, dated May 12, 2021, compels Federal agencies to move to zero trust architectures and adoption of cloud services. This is meant to modernize departmental and agency IT infrastructures, and the security technologies that protect them. However, Federal agencies are not cloud-native companies. Most have large on-premise networks that will need to have their networks inventoried, along with all their applications and services identified, prior to implementing zero trust. Like any good implementation strategy, you are going to have to plan.

Zero trust is not a destination, but a continuous journey that is going to require rigorous configuration management and continuous monitoring.  RedSeal is not a magic zero trust platform, but it can help you on your journey to prepare and maintain specific aspects.

One major step of this journey is just understanding what you have (network devices, mobile, desktops, IOT, etc.) and how your data moves through the network, as well as existing segmentation policies to comply with standards and regulations. One of the first steps in this journey will require enumeration of all the possible pathways, from every source to every destination, and you will have the challenge of also having to account for NAT IP address, along with load balancers. That is a daunting task by itself.

This is where the power of RedSeal’s Netmap analysis comes in. RedSeal automatically calculates every possible path through the network accounting for the effect of NATs and load balancing. Then you can ask RedSeal to show you these pathways to determine if they are approved and needed for business and mission success.

A side benefit of this analysis is RedSeal creates an inventory of all your network gear and IP space, as well as your cloud and software defined network (SDN) assets.  You cannot secure it if you do not know about it, and the output of RedSeal gives you a great start on understanding what you have.  Remember, with zero trust you are going to have to identify not only who, but what can, or should have access, so an inventory is an absolute must have.

As you move along this journey, and if your journey takes some, or most of your assets to the cloud, you can test the network segmentation of your cloud configuration in RedSeal before you deploy to the cloud to verify it is configured securely. Finally, RedSeal can continuously monitor your network segmentation and micro segmentation policies to make sure they stay compliant with your zero-trust architecture goals.

If you’d like to learn more about securing both your cloud and on-premise networks, visit our Cloud Security page.

We’ve also partnered with MeriTalk on a new infographic report on “Braving the Cloud Storm” – a look at how agencies are addressing cybersecurity across a multitude of clouds and on-premise environments.

Cloud Security Posture Management and RedSeal

/by

Pilots know that to fly safely means keeping track of the weather. They track storm fronts because that is where the turbulence is. Pilots lose their wings if they fly blindly into the air.

Gaps in your security posture are where the cyber storm fronts are. The cyber storm is both on-prem and in the cloud. To do your job correctly, you need to get an accurate forecast today of the cyber weather.

The rush to move assets into the cloud has created all sorts of new stormy weather to contend with.

Pilots and Weather

A nationally recognized financial institution, a large well-resourced company, did not check the security gaps and was caught off guard when Paige Thompson, former AWS software engineer, exploited a misconfigured web application firewall to access one of their servers. That server contained 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed number of customers’ personal information. Thompson then attempted to share access to the information with others online, per CNN.

Had the organization’s cyber team acted like safety-conscious pilots and checked the weather first, they would have noticed the misconfigurations before someone on the outside did.

So, what is the cyber equivalent of checking the weather?

Cloud Security Posture Management

Cloud security posture management (CSPM) automates the identification and remediation of risks across cloud infrastructures, including Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).

Without CSPM, developers can create any number of instances in the cloud, and deploy them, with little oversight.

According to Threatpost, the team at Imperva created an internal compute instance that was misconfigured and publicly accessible. Worse, it had an AWS API key that enabled attackers to access a database snapshot and exfiltrate customer information.

It was reported that security researchers found MongoDB database, run by a vendor, that was left unprotected on a cloud server and contained 2.8 million CenturyLink data records belonging to several hundred thousand of the tech company’s customers.

Why? Most companies have a lack of central control and value speed over security.

If large companies like these are messing up the necessary security configurations in their cloud services, then medium and small sized firms are unquestionably doing the same thing, given their lack of resources.

How is the RedSeal Approach to CSPM Different?

The thing is, most enterprise networks are hybrid, spanning both public and private cloud environments along with physical network infrastructure. While you may have security tools for each environment, you probably cannot see how your whole network is woven together.

RedSeal’s cloud security solution is the only product that brings complex hybrid multi-cloud networks into one unified model. You’ll be able to understand all your network environments in one dynamic visualization, where your high-value assets are, and all the ways they are vulnerable to attack.

RedSeal shows you all possible network access — across, within and between public cloud, private cloud and physical network environments — whether the access is intended or not.

RedSeal allows SMBs to compete and defend themselves and overcome their lack of experience. The responsibility for security is different on different platforms, and smaller companies automatically assume that it has been taken care of, when it’s not. Moreover, different providers use different terminology for the same services.

You are only milliseconds away from the bad guy.

Pilots are grounded when they fly willy-nilly into a dangerous storm, if they are lucky enough to still be alive. Gaps in your security posture are the cyber storms you have to contend with and plan for. These storms are both on-prem and in the cloud. Today’s accurate forecast of the cyber weather comes from RedSeal.

Happy flying!

For more information, visit our page Understand Your Hybrid Multi-Cloud Network.

Old Fortinet Flaws are being used to breach federal and commercial networks

/by


RedSeal Cyber Threat Series            

The Federal Bureau of investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory warning that 3 Fortinet CVEs (CVE 2018-13379, CVE-2020-12812, and CVE-2019-5591) are being leveraged to gain a foothold in government agency and commercial networks to be exploited in the future. The FBI and CISA observed attackers scanning for ports 4443, 8443, and 10443.

Enterprises should immediately patch their FortiOS software and follow the recommended configuration guidance.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:

https://www.ic3.gov/Media/News/2021/210402.pdf

https://www.fortiguard.com/psirt/FG-IR-19-283

https://www.fortiguard.com/psirt/FG-IR-18-384

https://www.fortiguard.com/psirt/FG-IR-19-037

https://kb.fortinet.com/kb/documentLink.do?externalID=FD49410

 

 

F5 Server iControl REST unauthenticated remote command execution vulnerability

/by

RedSeal Cyber Threat Series

F5 has released patches for several BIG-IP and BIG-IQ critical vulnerabilities. CVE-2021-22986 is the most critical since it allows unauthenticated attackers with network access to use the iControl REST interface, via the BIG-IP management interface and self IP addresses, to execute system commands that could lead to complete system compromise. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane.

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:

https://support.f5.com/csp/article/K03009991

https://www.tenable.com/blog/cve-2021-22986-f5-patches-several-critical-vulnerabilities-in-big-ip-big-iq

 

Microsoft Releases Fixes for 4 Zero Day Exchange Server Vulnerabilities

/by

RedSeal Cyber Threat Series

Multiple news sources, security researchers and security agencies have reported on a new attack against tens, if not hundreds, of thousands of Internet accessible Exchange servers configured for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Outlook Web App (OWA) access. These attacks are being carried out by the China nation/state sponsored hacking group known as Hafnium.

The exploit utilizes 4 Zero Day vulnerabilities in Microsoft Exchange software, three in Exchange and one in Unified Messaging Services.

The four Zero Day Microsoft CVEs are as follows:
• CVE-2021-26855 – allows an attacker to send specific HTTP requests and authenticate to the Exchange Server
• CVE-2021-26857 – insecure deserialization in Unified Messaging allows remote code execution on Exchange sever
• CVE-2021-26858 – post authentication arbitrary file write vulnerability in Exchange
• CVE-2021-27065 – post authentication arbitrary file write vulnerability in Exchange

The result is a persistent web shell that allows attackers to steal data and perform other malicious actions.

RedSeal customers should:

1) Track the Hosts that the vulnerability scanner identifies as Exchange servers (this example was done with Rapid7 data).

2) Report to inventory the existence of hosts with any of the four vulnerabilities required for this exploit

3) Report on the access from subnets indicated as Internet to Exchange servers via TCP 443

4) -optional- Report on the access from ALL subnets to Exchange servers via TCP 443

All of these actions will be performed using the RedSeal Java UI.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

References:
https://cyber.dhs.gov/ed/21-02/

NSA publishes list of top vulnerabilities currently targeted by Chinese hackers

/by

RedSeal Cyber Threat Series

 

The U.S. National Security Agency published a report detailing the top 25 vulnerabilities consistently being scanned, targeted, and exploited by Chinese state-sponsored hacking groups.

All 25 vulnerabilities are known and have patches available from their vendors.

Exploits for many vulnerabilities are available publicly and have been used by various malware and ransomware groups and other nation-state actors.

The first three CVEs of this 25 that should be remediated — especially if open to an untrusted network — are:

  • Citrix Netscaler CVE-2019-19781
  • Windows RDP Exploit (aka Bluekeep) CVE-2019-0708
  • Windows Zerologon CVE-2020-1472)

RedSeal customers should:

 Create and run daily reports until all systems with the 25 vulnerabilities are patched.

 For additional details, contact your RedSeal sales representatives or email info@redseal.net

 References:

https://www.zdnet.com/article/nsa-publishes-list-of-top-25-vulnerabilities-currently-targeted-by-chinese-hackers/

 

Lessons for All of Us From the SolarWinds Orion Compromise

/by

All cybersecurity news events, like the recent disclosure of compromise involving SolarWinds Orion by APT 29, aka “Cozy Bear,” cause CISOs to ask the same initial questions:

  • Do I have this problem?
  • Where?
  • What are the consequences?

In this instance, the attack is extremely sophisticated, and quite alarming – it’s a supply chain attack, involving compromise of a widely used and trusted monitoring product.  This adds a lot of pressure to these questions.  As organizations are scrambling to respond, we wanted to publish some suggestions here, as a resource.  In discussions with our customers, many of whom have been impacted by this compromise, we find there is a common playbook, as follows:

  • Step 1: Do I have SolarWinds Orion?
  • Step 2: Where is it, in the context of my network?
  • Step 3: What is it capable of accessing or controlling?
  • Step 4: Fix Orion, or take it offline (if subject to the CISA Emergency Directive)
  • Step 5: Block unwanted access to or from SolarWinds Orion, to the extent possible
  • Step 6: For all assets SolarWinds could reach, reset them to known good state

This is an arduous journey. RedSeal can be one of your supporting resources. It is especially helpful in the middle stages – steps 2, 3, and 5 in the above playbook.

Specifically, for Step 2, a RedSeal network map can help you locate the hostnames or addresses of your SolarWinds Orion software.  One large customer of ours had well over 100 distinct addresses with this software installed. Your total is likely to be lower, but still may be more than just a single location.  Mapping out where they all are is a starting point, before heading in to the deeper stages.

Note also, in Step 2, that RedSeal’s L2 mapping capability may be helpful, since you can locate the nearest switch port to any given endpoint.  This may be helpful if you need to abruptly terminate network access, or decide to monitor span traffic closely.  (If you have not previously set up L2 mapping, we would not recommend this as a tactical step in your response, because the data gathering setup would take some time, but if you already have the data in place, this is a good time to use it, as an aid to shutting down any inappropriate activity.)

In Step 3, it’s important to know what a compromised instance of the monitoring product could reach.  Sadly, because this is a widely trusted product, whose whole purpose is to give you wide visibility, in most networks this turns out to be a large space.  We have had customer reports of a “blast radius” of endpoints well into 6 figures.  Figuring this out by hand is absurdly difficult – far better to automate the search.  In RedSeal, this involves an Access Query, from your SolarWinds Orion instances, out to the wider network.  Just be prepared – the query may be so large that RedSeal will prompt you to make sure you want that much data in one go.  If it’s not manageable, you may prefer to break the query into regions – “What can Orion reach in New York?”, or “in my Amazon fabric”, and so on.

For step 5, blocking unwanted access from SolarWinds Orion to the Internet, RedSeal’s capability to define Zones and Policies may be helpful.  As a first step, a Zone containing your SolarWinds Orion endpoints, and another Zone of Internet, can be used to investigate what access is already possible.  Unfortunately, this may be quite wide, since you may actively be using Orion to monitor cloud fabric and you may want to permit access for software updates (even though, ironically, this was the method originally used in the compromise – but subsequently addressed).  Still, before you can lock this down just to the access you feel is necessary, it can help to review what the current state is, and see what blanket restrictions might be possible, without removing any access pathways you need to keep open.

Hopefully this overview is of use, as a playbook of the common steps we are seeing.  If we can be of any assistance as you work through the cleanup of this incident, please don’t hesitate to get in touch.

Download: A step-by-step guide for using RedSeal to respond

RedSeal customers: Take advantage of our complimentary Sunburst Exposure Assessment.

Not a customer yet? Contact us at info@redseal.net to explore how we can help.