A recent CSOonline article - http://bit.ly/2T42WwD - identified a dozen security threats in the cloud. The article referred to these threats as the "Treacherous 12," the top security threats organizations face when using cloud services. That piqued my interest, specifically the cloud services angle. What I discovered is that the Treacherous 12 are mostly what the late Ross Perot, founder and CEO of my former employer Perot Systems, would have told his associates 20+ years ago are blocking and tackling: the fundamental areas of securing an enterprise, which need to be executed correctly the first time.
That said, it’s 2019. To execute blocking and tackling against today’s security threats, one must look past the conventional practices that, while great for their time, have grown tired and predictable with age. While these conventional practices may give an organization the base elements of a compliance checklist, they are no longer enough. To build an environment that has a chance of surviving the onslaught of today’s attack vectors, it is time to look towards the unconventional and to design an architecture that takes advantage of that kind of thinking. Your adversaries are not limited to conventional methods and thinking when they attack your network; they exploit the fact that we defend with conventional methods. Why are those of us defending a network not also adopting unconventional methods? A single compromise of an organization’s Operational Technology (OT) environment can start a painful recovery process. The recovery is not just a technology issue; it brings business issues such as SEC reporting (if the organization is large or public), penalties written into client contracts, loss of customers and prospects, loss of company valuation (a falling stock price), and public relations problems. Not to mention there is new precedent of insurance companies refusing payouts when they can show the attack emanated from a nation state rather than a run-of-the-mill evil actor.
This position paper begins a review of the Treacherous 12 article with observations on the choices an organization has to protect itself; this will be accomplished in a 3-part series. This first document addresses:
· Data Breaches
· Insufficient identity, credential, and access management
· Insecure interfaces and application programming interfaces (APIs)
· System vulnerabilities
However, before we start, it should be pointed out that NCoded Communications (NCC) offers a solution to these threats, our Zero Trust Environment (ZTE) Overlay solution http://bit.ly/339gnQI. Where and how it applies will be identified in this paper.
The dirty dozen: 12 top cloud security threats
The author quotes Gartner as stating that public cloud utilization leads to potential risk. Later he states, “Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer.”
Cybersecurity enterprise protection deployment meeting compliance requirements for the organization is imperative, regardless if the solution emanates from a datacenter or the cloud.
NCC agrees that responsibility for managing the risk of a cloud implementation lies with the cloud customer and not the service provider… just as it does when an implementation lives entirely in a datacenter. It is the responsibility of the organization providing the solution, not of the cloud company. Therefore the adage learned from the late Mr. Perot decades ago applies: maintaining any IT solution, in this case the cybersecurity risk profile, requires “blocking and tackling.”
The Dirty Dozen
1. Data breaches
The Dirty Dozen article starts with a very broad overall threat, data breaches, without detailing the specific 2019 threats of operating in a cloud. It does detail the 2012 LinkedIn breach, in which LinkedIn did not implement proper security practices on its database. Database security best practices have been well known for more than 15 years now. These best practices should apply to all databases, cloud and datacenter alike. The location (cloud vs. datacenter) is irrelevant; best security practices should be followed either way.
We agree with the article that “information that was not intended for public release, including personal health information, financial information, personally identifiable information, trade secrets, and intellectual property” should be protected. We believe OTs should protect all of their transactional servers with a Software Defined Perimeter (SDP) that disallows direct external Internet access.
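The paper does not spell out which database practice LinkedIn got wrong; the 2012 dump is widely documented as consisting of unsalted SHA-1 password hashes. The following is an added example, not code from the original paper or from NCC, showing that weak scheme beside the hardened practice it should have been (per-user random salt, a deliberately slow key-derivation function, constant-time comparison), plus the dictionary attack that the weak scheme invites. The iteration count and the storage format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# --- Weak scheme: unsalted SHA-1, what the 2012 LinkedIn dump consisted of ---
def weak_hash(password: str) -> str:
    """Unsalted SHA-1. Identical passwords produce identical hashes, so one
    cracked hash unlocks every account sharing that password, and attackers
    can use precomputed tables instead of hashing per account."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_weak(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack against unsalted hashes: hash each candidate
    word once and look it up against every account at the same time."""
    lookup = {weak_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


# --- Hardened scheme: per-user salt + slow KDF + constant-time compare ---
# Assumption: 600,000 PBKDF2-HMAC-SHA256 iterations (OWASP's 2023 figure); tune
# for your hardware, or use argon2/bcrypt/scrypt where a library is available.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hardened_hash(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return an illustrative 'algo$iterations$salt_hex$dk_hex' record.
    A fresh 16-byte random salt per user means identical passwords no longer
    collide, and the iteration count makes each guess expensive."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so response timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    weak_db = {"alice": weak_hash("password1"), "bob": weak_hash("password1")}
    print("weak scheme cracked:", crack_weak(weak_db, ["123456", "password1", "qwerty"]))
    record = hardened_hash("password1")
    print("hardened record:", record)
    print("verify correct:", verify("password1", record), "wrong:", verify("Password1", record))
```

The point to carry away is the difference in failure mode: with the weak scheme the whole table falls to one pass over a wordlist, while the hardened record forces the attacker to pay the full KDF cost per account per guess.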
2. Insufficient identity, credential, and access management
The Dirty Dozen article next identifies poor and insufficient identity, credential and access/key management. This includes bad actors accessing data in transit, and it extends to applications such as MongoDB (referenced in the article).
When left to conventional methods, OT environments at times end up with poor and insufficient identity, credential and access/key management. Preventing breaches in these areas is complex for an OT environment. Relying on each individual enterprise system or application to manage identity, credential and access management is insufficient by itself; a larger, enterprise-wide solution is required. Looking back at Snowden and what he did in detail… it was not that he cracked encryption, it was that he became a master at obtaining identities and credentials to circumvent selected access management systems and reach the information he leaked. Executing this with conventional methods is tough and leads to an endless 24/7 struggle for OT administrators.
A major element of the NCC ZTE Overlay solution is an enterprise-wide answer to the lack of access management, identification and credentials coming from many diverse sources. We provide an SDP to manage the entire ZTE overlay environment, stopping direct external evil actor threats and simplifying the OT environment so that it can focus on managing internal users. To protect the internal environment from internal attack vectors, a ZTE Overlay can be created internally for each segregated business area, preventing an attack on one internal area from spreading to another. For example, protecting intellectual property areas from operational areas, or protecting legal areas from anyone not in the legal department, and so on. In these cases there may be implementations of internal hardware-based SDP Access Points keeping other parts of the organization out of the business area(s) to be protected.
Finally, the article notes how a single network port left open can allow access without authentication. This is one of the oldest attacks perpetrated and falls within the very definition of blocking and tackling. With NCC’s ZTE Overlay, all communications occur over a single open TCP port. The NCC ZTE effectively closes all other ports to the public network regions it is protecting and runs a multi-layered encrypted tunnel through that one port.
With an NCC ZTE Overlay in place, the “potentially catastrophic damage to organizations or end users” the article highlights is prevented because the open-port threat is eliminated.
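Whether an SDP overlay or conventional firewalling is in front of a host, the check a practitioner wants for the two points above (a MongoDB instance bound to all interfaces, and "only one port open") is an audit of what is actually listening. The following is an added example, not code from the original paper or from NCC: it parses constructed output in the format of `ss -tlnp`, treats anything not bound to loopback as reachable from off the host, and reports every such listener whose port is not on the allow-list. The single permitted port (443) and the process names are assumptions for illustration; the paper does not state which port the NCC overlay uses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample in the layout of `ss -tlnp`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:443          0.0.0.0:*      users:(("sdp-gw",pid=1201,fd=6))
LISTEN  0       128          127.0.0.1:27017        0.0.0.0:*      users:(("mongod",pid=1340,fd=11))
LISTEN  0       4096           0.0.0.0:27017        0.0.0.0:*      users:(("mongod",pid=1340,fd=12))
LISTEN  0       128               [::]:22              [::]:*      users:(("sshd",pid=811,fd=3))
LISTEN  0       128          127.0.0.1:9000         0.0.0.0:*      users:(("php-fpm",pid=1422,fd=7))
"""


@dataclass(frozen=True)
class Listener:
    addr: str      # local bind address as printed by ss, e.g. "0.0.0.0", "[::]", "127.0.0.1"
    port: int
    process: str   # first process name from the users:(("name",pid=...)) column, or "?"


def parse_ss(output: str) -> List[Listener]:
    """Parse LISTEN rows of `ss -tlnp` output. Column order: State, Recv-Q,
    Send-Q, Local Address:Port, Peer Address:Port, Process."""
    listeners: List[Listener] = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        if not port.isdigit():
            continue
        m = re.search(r'\(\("([^"]+)"', fields[5]) if len(fields) > 5 else None
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def externally_reachable(addr: str) -> bool:
    """Loopback binds are only reachable from the host itself; wildcards
    ("0.0.0.0", "*", "[::]") and any specific non-loopback address accept
    connections from the network."""
    bare = addr.strip("[]")
    try:
        return not ipaddress.ip_address(bare).is_loopback
    except ValueError:
        return True  # "*" and other non-address wildcards are externally reachable


def audit_listeners(output: str, allowed_ports: Set[int]) -> List[Listener]:
    """Return every externally reachable listener whose port is not allowed.
    Each one is a hole in the 'single open port' posture described above."""
    return [
        l for l in parse_ss(output)
        if externally_reachable(l.addr) and l.port not in allowed_ports
    ]


def format_findings(findings: List[Listener]) -> List[str]:
    return [f"{f.process} on {f.addr}:{f.port} is reachable from the network and not on the allow-list"
            for f in findings]


if __name__ == "__main__":
    for line in format_findings(audit_listeners(SAMPLE_SS_OUTPUT, {443})):
        print(line)
```

On the constructed sample the audit flags mongod on 0.0.0.0:27017 (the MongoDB exposure the article refers to) and sshd on [::]:22, while the loopback-only mongod and php-fpm listeners pass. Run against real `ss -tlnp` output the same logic gives a quick answer to "is anything other than the overlay port reachable on this host".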
3. Insecure interfaces and application programming interfaces (APIs)
The Dirty Dozen article next identifies insecure interfaces and APIs. The statements in the report are true; however, they are equally true in a datacenter, so this should be part of blocking and tackling for an OT staff. The article goes on to say that interfaces and APIs, whether from 3rd parties or the OT staff, “need to be designed to protect against accidental and malicious attempts to circumvent policy.” That is a large task, and it is what led to the concept and design of Security Operation Centers (SOCs) a decade ago. They are complex and expensive to design, build, maintain and staff 24/7.
The NCoded ZTE overlay effectively cloaks the potential security holes in this area from direct external attack; cloaking makes the holes invisible to external bad actors who have no authorized path into the overlay. This relieves:
· The high overhead of a SOC and its expensive staff
· The reliance on many 3rd parties to produce properly secured APIs under all conditions
· The urgency of emergency patching of APIs against new threats (the vulnerability still has to be fixed, but behind the overlay it is no longer reachable by direct external attack, so the patch can be scheduled and tested)
4. System vulnerabilities
The Dirty Dozen article next identifies system vulnerabilities as “exploitable bugs,” ones that attackers can use to infiltrate a system to steal data, take control of the system or disrupt service operations. This covers operating systems and the configuration of anything in the systems environment, including access to shared memory and resources, each of which creates a new attack surface that may introduce risk.
This area is one source of the countless new attack surfaces that appear unannounced to OTs and end users. Just applying security patches to operating systems is a daunting, endless amount of work. And it is not just applying the patches but also the preparation, including pre-patch testing to ensure a patch will not break or disrupt operational applications or services. This becomes especially problematic with critical patches, where proper planning and testing cannot always be performed. In those situations it becomes a "patch and hope" process, which is never the way an organization wants to apply patches. Organizations are often forced to choose between applying a critical patch untested or leaving the new attack surface exposed to evil actors. And all too often there are already exploits written and in the wild on the Internet or dark web for the new attack surface.
Once again, the NCC ZTE Overlay can assist by cloaking the exposed attack surfaces, allowing the OT staff to address patches in a straightforward and controlled operational fashion, as opposed to the intensity, panic and uncertainty surrounding an emergency patch procedure.
This paper is part one of a three-part series addressing the identified threats of the Dirty Dozen security issues related to cloud computing. NCC identified these as risks not just associated with cloud computing but computing in general. No matter the location of these threats, deploying a ZTE Overlay will enhance the organization’s OT environment increasing the protection of said environment.
Part 2 will address:
Advanced persistent threats (APTs)
For further information please contact:
Peter W Rung
NCoded Communications, Inc.
LinkedIn - linkedin.com/in/peter-rung-a03bb6162
Twitter - @peter_rung