This week over 44,000 people traveled to Las Vegas to attend AWS re:Invent, Amazon’s largest conference of the year. I spoke to a crowd of close to 500 people on Monday about top cloud security threats, along with my co-presenter, Boyan Dimitrov from Sixt, who presented on compliance and security automation. A short overview follows. For more information, watch the video and refer to the detailed articles and blog posts on each topic.
Leaky S3 Buckets. Attackers have been able to steal data from S3 buckets of many companies. Make sure you configure S3 buckets securely. Understand best practices and security controls for each cloud service before using it.
Unprotected Keys and Credentials. A recent example of this breach occurred when a developer published keys to GitHub, which were then used to instantiate over $64,000 worth of unauthorized resources. Another company created an API with a single set of credentials that provided access to all customer data.
Broad Permissions for Engineers. Engineers want permissions to do everything in an AWS account. If malware infects an engineer’s laptop, the malware can do anything credentials stored on that machine can do. Companies should limit access to what is required and consider segregation of duties to limit risk.
Unpatched Software. Companies could have prevented breaches such as WannaCry and Equifax if they had patched their systems instead of running software with known software vulnerabilities. Although patching is hard, the video offers some suggestions for patch management.
Malicious Software Updates. Make sure software is coming from trusted sources and business partners following best security practices. A company in Ukraine inadvertently delivered malware in software updates to customers, causing the spread of NotPetya. Public repositories could be hosting malicious versions of software libraries.
Open Network Ports. Although lack of patching contributed to WannaCry, the attack also required port 445 to be open to the Internet so attackers could reach and infect hosts. Failing to block unneeded ports from receiving Internet traffic is asking for trouble. In a recent incident, a host in a wide-open network on AWS was infected with ransomware and potentially bitcoin miners. Watch my upcoming blog posts for more information.
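As an added example (not code from the original post), here is a small Python audit that flags security-group rules admitting sensitive ports such as 445 from anywhere on the Internet. It works on dicts in the shape boto3's `ec2.describe_security_groups()` returns and handles the "-1" (all traffic) protocol case, where no port range is present; the sample groups below are constructed, not real.

```python
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Ports that should never accept inbound traffic from the whole Internet.
# 445 is the SMB port WannaCry spread over; the rest are common admin/DB ports.
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH", 3306: "MySQL", 5432: "PostgreSQL"}


def _rule_covers_port(rule, port):
    """True if an IpPermissions entry (boto3 describe_security_groups shape)
    admits traffic to `port`. IpProtocol "-1" means every protocol and port;
    FromPort/ToPort are absent in that case, so treat it as matching."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _world_cidrs(rule):
    """Return the CIDRs in this rule that mean 'anyone on the Internet'."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in (ANY_IPV4, ANY_IPV6)]


def find_world_open_ports(security_groups, ports=SENSITIVE_PORTS):
    """Return (group id, port, service, cidr) for each sensitive port open to the world."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            for cidr in _world_cidrs(rule):
                for port, service in ports.items():
                    if _rule_covers_port(rule, port):
                        findings.append((sg["GroupId"], port, service, cidr))
    return sorted(findings)


# Constructed sample data (not real groups): SMB exposed to the IPv4 world, an
# "allow all" rule exposed to the IPv6 world, and one correctly scoped SSH rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 445,
        "ToPort": 445, "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e4f5a6b", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]}]},
    {"GroupId": "sg-0c7d8e9f", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]
```

Against a real account, pass `ec2.describe_security_groups()["SecurityGroups"]` in place of `SAMPLE_GROUPS`; any finding is a rule to tighten to a specific source range or remove.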
Flat Network. When designing a network, never connect databases directly to the Internet. Use network segregation to create layers that attackers must traverse to get to your most valuable assets. Then monitor at each network layer for invalid access attempts. If possible, use a security service between the Internet and your protected assets, such as a WatchGuard Firebox Cloud, AWS WAF, Shield, or custom Lambda functions to validate API requests.
Broad Permissions for Applications. Malware on an instance can do anything the credentials on that host allow. As with developer permissions, limit system permissions to the minimum required. Follow IAM best practices and use IAM roles on EC2 instances.
Unauthorized Resources. If instances have broad permissions, malware on an instance can instantiate unauthorized resources, as an attacker did in the OneLogin breach.
Deleted Assets. Worse still, an attacker on an instance with permissions to delete other resources could delete everything in the account. Code Spaces is the most well-known example. Make sure you limit permissions and have backups!
Data Exfiltration. S3 bucket breaches are the most obvious example of data stolen from an account. Attackers can use much trickier tactics to sneak data out of a network such as embedding extra data in ping packets or using malformed DNS requests and responses. Monitor traffic with tools like WatchGuard Dimension and use security services such as WatchGuard’s Data Loss Prevention service.
The Black Swan. Although a risk model can be used for known threats, unknown threats such as zero-day malware require a different mindset. A previous blog post about the black swan in relation to zero-day malware explains the concept. To protect against the black swan, think like an attacker and try to proactively figure out what they might do to attack your system and how to prevent it. For zero-day malware, consider tools that use more than simple pattern-matching techniques to spot malware.
Companies should use configuration management to help protect them from these cloud security threats. To learn more about these threats, compliance, and security automation, you can watch the full video below. — Teri Radichel (@teriradichel)