Category Archives: Security

Maintaining High Level of Information Security During the COVID-19 Pandemic

As more people are forced to work from home during this pandemic, it is important to maintain a high level of security to safeguard the company’s information assets as well as its employees.  Endpoints such as laptops not connected to corporate network are more vulnerable when used at home.  Stressed out employees are more prone to social-engineering attacks.  They may visit sites that are usually blocked on a corporate firewall. Not surprisingly, this is also the best time for bad actors to take advantage of this opportunity.  

To mitigate these risks, the company’s security office should work with the IT department in implementing the following security measures:

  1. Enhance user security awareness by using creative ways to make the users pay attention to the message, such as using short video instead of just sending email.  Emphasize COVID-19-themed scams and phishing email and websites.  
  2. Identify and monitor high-risk user groups. Some users, such as those working with personally identifiable information (PII) or other confidential data, pose more risk than others, and their activity should be closely monitored. 
  3. Make sure all laptops have the latest security patches.  Critical servers that are accessed remotely should also have the latest security patches.
  4. Critical servers should only be accessed via virtual private network (VPN)
  5. Users connecting to the corporate network via VPN should use multi-factor (MFA) authentication. Corporate applications in the cloud should also use MFA authentication
  6. If your Virtual Desktop Infrastructure (VDI) can handle the load, users should use virtual desktops in accessing corporate applications.
  7. To support the massive users working remotely, IT should add more capacity to the network bandwidth, VDI, VPNs and MFA services.
  8. Validate and adjust incident-response (IR) and business-continuity (BC)/disaster-recovery (DR) plans.
  9. Expand monitoring of data access and end points, since the usual detection mechanism such as IDS/IPS, proxies, etc. will not secure users working from home. 
  10. Clarify incident-response protocols. When a breach occurs, security teams must know how to report and take action on it.

Source: https://www.mckinsey.com/business-functions/risk/our-insights/cybersecurity-tactics-for-the-coronavirus-pandemic?cid=other-eml-alt-mip mck&hlkid=cc61f434b9354af8aaf986862aa59350&hctky=3124098&hdpid=fd48c3f4-6cf9-4203-bfae-3df232c30bb7

Automating Security

One of the most exploited security weaknesses that leads to data breaches is device misconfigurations, Some of these misconfigurations are:

  • Not changing the default passwords
  • Not cleaning up unused user accounts
  • Failing to remove unused / temporary access
  • Inability to cope with changes
  • Overly complex policies
  • Creating incorrect or non compliant policies
  • Changing wrong policies

Compared to security device flaws, misconfigurations can be mitigated by enforcing strict procedures as well as automation. Automating security configuration will eliminate human errors amidst the complex and rapidly changing environment.  For instance, Operating System images can be defined in a template format which have been hardened with the necessary configurations.  Orchestration tools such as Puppet, Ansible, or Chef are then used to deploy and implement automatically.  

How to Permanently Delete Data in the Cloud

In the pre-cloud era, to permanently delete data, the sectors on the physical disk must be overwritten multiple times with zeros and ones to make sure the data is unrecoverable. if the device will not be re-used, it must be degaussed. The Department of Defense standard, DoD 5220.22-M, goes so far as destroying the physical disk through melting, crushing, incineration or shredding to completely get rid of the data.

But these techniques do not work for data in the cloud. First, cloud customers probably will not have access to the provider’s data centers to access the physical disks. Second, cloud customers do not know where they are written, i.e. which specific sectors of the disk, or which physical disks for that matter. In addition, drives may reside on different arrays, located in multiple availability zones, or data might even be replicated in different regions.

The only way to permanently erase data in the cloud is via crypto-shredding. It works by deleting the encryption keys used to encrypt the data. Once the encryption keys are gone, the data cannot be recovered. So it is imperative that even before putting data in the cloud, they should be encrypted. Unencrypted data in the cloud will be impossible to permanently delete. As a cloud customer, it is also important that you own and manage the encryption keys and not the cloud provider.

Cloud Security Best Practices

Two of the most common security issues in AWS are platform misconfigurations and credential mismanagement.  Although AWS offers many security features, if they are not used or not configured correctly, your applications and data will be vulnerable .  However, these common security issues can be easily mitigated using the following best practices:

1.  Use VPCs (virtual private clouds). Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.  You can apply security groups and access control lists to the VPC to secure it.

2. Limit administrative access with AWS Security Groups. A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.  Security groups helps block attackers who may try to probe your AWS environment.

3. Lock down your root, domain, and administrator-level account credentials. For day-to-day operations, use your own account and only use these privileged accounts when absolutely necessary.  Don’t share passwords and only a handful of administrators should have possession of the passwords.

4.  Use IAM Roles. An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM roles can be used to define permission levels for different resources and applications that run on EC2 instances. When you launch an EC2 instance, you can assign an IAM role to it, eliminating the need for your applications to use AWS credentials to make API requests. 

5. Enable Multi Factor Authentication (MFA). MFA is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication response from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.

6. Mitigate distribute denial of service (DDoS) attacks by using elastic load balancing, auto scaling, Amazon Clouldfront, AWS WAF, or AWS Shield. AWS provides flexible infrastructure and services that help customers implement strong DDoS mitigations and create highly available application architectures.

7. Monitor your environment by using AWS tools including CloudTrail, CloudWatch and VPC Flow Logs.  They provide information about how data flows in and out of your AWS environment. They also provide data that you can mine and analyze to check intrusions, security breaches, and data leaks. You can also integrate these tools with third party applications that can perform thorough log analysis and event correlation.

Source: https://docs.aws.amazon.com/

Guiding Principles for Cloud Security

To create a solid security for your servers, data, and applications hosted in the cloud, you must adhere to the following security guiding principles:

Perimeter Security

The first line of defense against attacks is perimeter security.  Creating private networks to restrict visibility into computing environment is one of them.   Micro-segmentation which  isolates applications and data with a hardened configuration is another one. Creating  a strong abstraction layer from hardware and virtualization environment will also strengthen perimeter security.  

Continuous Encryption

There shouldn’t be any more reason why data traversing the network (public or private) and data stored on storage arrays shouldn’t be encrypted.  Even the popular Google Chrome browser started to flag unencrypted websites to alert users.  Leverage cheap computing power, secure key management, and the Public Key Infrastructure to achieve data-in-transit and data-at-rest encryption. 

Effective Incident Response

Attacks to your servers, data, and applications in the cloud will definitely occur.  It’s just a question of “when” will it happen.  An effective incident response program – using automated and manual response – ready to be invoked once an attack occurs will lessen the pain of the breach.

Continuous Monitoring

Continuous and robust monitoring of your data, applications, and security tools and on-time alerting when security breach happens is a must.  In addition, easy integration of third party monitoring capabilities will also help in achieving sound monitoring system.

Resilient Operations

The infrastructure should be capable of withstanding attack.  For instance, you should maintain data and applications availability by mitigating DDoS attacks. The applications should continually function in the presence of ongoing attack.  In addition, there should be minimal degradation of performance as a result of environmental failures. Employing high availability, redundancy, and disaster recovery strategy will help achieve resilient operations.

Highly Granular Access Control

Organizations need to make sure that their employees and customers can access the resources and data they need, at the right time, from wherever they are. Conversely they need to make sure that bad actors are denied access as well.  They should have a strong cryptographic Identity and Access Management (AIM).  They should leverage managed Public Key Infrastructure service to authenticate users, restrict access to confidential information and verify the ownership of sensitive documents.

Secure Applications Development

Integrate security automation into DevOps practices (or DevSecOps), ensuring security is baked in, not bolted on.

Governance, Risk Management, Compliance

Finally, a great cloud security program should be properly governed, for instance, by having visibility of configurations. Risks should be managed by readily identifying gaps or other weakness.  Lastly, your security program should have broad regulatory and compliance certifications.

Cloud Security vs On-Prem Security

One of the big differences between cloud security and on-prem security is that the former is built from the ground up while the latter is bolted in the process. AWS for instance had made their infrastructure secure ever since they first built it. They realized early on that companies will not be putting their data in the cloud if it’s not inherently secure.

However, security is still a shared responsibility between the cloud provider and the consumer. By now, everybody should be aware of the AWS Shared Responsibility Model. Companies who are used to the traditional security model will find that cloud security entails a different mindset. In the cloud, the focus shifts from network, operating systems, and perimeter security to security governance, access control, and secure development. Since the underlying infrastructure of the cloud is secured by the provider, companies utilizing it can now focus on the true information security – the ones that really matters to the company, such as data, users, and workflow security.

Security governance is important in the cloud. Security folks should spend more time planning and less fire fighting. They should be crafting and implementing policies that truly secure the company’s assets – such as data-centric security policies and secure software development. There should be a solid access control. For example, users are only granted access if they really need it.

There are a couple of challenges with cloud security. First is the obvious disconnect between shared security model and traditional security model. Companies used to on-prem security will still want to spend resources on perimeter security. Second is compliance. For instance, how can traditional auditors understand how to audit new technologies in the cloud like Lambda, where there is no server to verify?

Companies using the cloud should realize that security is still their responsibility but they should focus more on data and application security.

Cloud Security Challenges and Opportunities

I recently attended the ISC2 Security Congress held on Oct 8 to 10, 2018 at the Marriott Hotel in New Orleans, Louisiana.  Based on the keynotes, workshops, and sessions at the conference, these are the challenges and opportunities facing cloud security:

  1. Container and serverless (e.g. AWS Lambda) security.  For instance, how will you ensure isolation of various applications?
  2. Internet of Things (IOT) and endpoint security.  As more and more sensors, smart appliances and devices with powerful CPUs and bigger memories are connected to the cloud, more computation will happen on the edge, thus increasing security risks.
  3. Machine learning and artificial intelligence (AI).  How can AI help guard against cyber-attacks, predicts impending security breach, or improve investigation or forensics?
  4. Blockchain technology. Blockchain will be transforming how audits will be performed in the future.
  5. Quantum computing if and when it comes into fruition will break cryptography.  Cryptography is the reason why commerce happens on the Internet.  New encryption algorithm is needed when quantum computing becomes a reality.
  6. How will the implementation of GPDR (General Data Protection Regulation) in the European Union affects data sovereignty (“a concept that information which is stored in digital form is subject to the laws of the country in which it is located”), data privacy, and alignment of privacy and security?
  7. DevSecOps (having a mindset about application and infrastructure security from the start) will continue to gain momentum.

We are likely to be seeing continuing innovations in these areas within the next few years.

Protecting Your Company Against Ransomware Attacks

Ransomware attacks are the latest security breach incidents grabbing the headlines these days. Last month, major companies including Britain’s National Health Services, Spain’s Telefónica, and FedEx were victims of the WannaCry ransomware attacks. Ransomware infects your computer by encrypting your important documents, and the attackers then ask for ransom to decrypt your data in order to become usable again.

Ransomware attack operations have become more sophisticated, in some cases functioning with a full helpdesk support.

While the latest Operating System patches and anti-malware programs can defend these attacks to a point, they are usually reactive and ineffective. For instance, the WannyCry malware relied heavily on social engineering (phishing) to spread, and relying on end users to open malicious email or to click on malicious websites.

The best defense for ransomware attacks is a good data protection strategy in the area of backup and disaster recovery. When ransomware hits, you can simply remove the infected encrypted files, and restore the good copies. It’s surprising to know that a lot of companies and end users do not properly backup their data. There are tons of backup software and services in the cloud to backup data. A periodic disaster recovery test is also necessary to make sure you can restore data when needed.

A sound backup and disaster recovery plan will help mitigate attacks against ransomware.

Securing Your Apps on Amazon AWS

One thing to keep in mind when putting your company’s applications in the cloud, specifically on Amazon AWS, is that you are still largely responsible for securing them. Amazon AWS has solid security in place, but you do not entrust the security aspect to Amazon thinking that your applications are totally secure because they are hosted there. In fact, Amazon AWS has a shared security responsibility model depicted by this diagram:

Source:  Amazon AWS

Amazon AWS is responsible for the physical and infrastructure security, including hypervisor, compute, storage, and network security; and the customer is responsible for application security, data security, Operating System (OS) patching and hardening, network and firewall configuration, identity and access management, and client and server-side data encryption.

However, Amazon AWS provides a slew of security services to make your applications more secure. They provide the AWS IAM for identity and access management, Security Groups to shield EC2 instances (or servers), Network ACLs that act as firewall for your subnets, SSL encryption for data transmission, and user activity logging for auditing. As a customer, you need to understand, design, and configure these security settings to make your applications secure.

In addition, there are advance security services that Amazon AWS provides, so that you don’t have to build them, including the AWS Directory Service for authentication, AWS KMS for Security Key Management, AWS WAF Web Application Firewall for deep packet inspection, and DDOS mitigation.

There is really no perfect security, but securing your infrastructure at every layer tremendously improves the security of your data and applications in the cloud.

Mitigating Insider Threats

With all the news about security breaches, we often hear about external cyber attacks, but internal attacks are widely unreported. Studies show that between 45% to 60% of all attacks were carried out by insiders. In addition, it is harder to detect and prevent insider attacks because access and activities are coming from trusted systems.

Why is this so common and why is this so hard to mitigate? The following reasons have been cited to explain why there are more incidents of internal security breaches:

1. Companies don’t employ data protection, don’t apply patches on time, or don’t enforce any security policies/standards (such as using complex passwords). Some companies wrongly assume that installing a firewall can protect them from inside intruders.

2. Data is outside of the control of IT security such as when the data is in the cloud.

3. The greatest reason for security breach is also the weakest link in the security chain – the people. There are two types of people in this weak security chain:

a. People who are vulnerable such as careless users who use USB, send sensitive data using public email services, or sacrifice security in favor of convenience. Most of the time, users are not aware that their account has already been compromised via malware, phishing attacks, or stolen credentials gleaned from social networks.

b. People who have their own agenda or what we call malicious users. These individuals want to steal and sell competitive data or intellectual properties to gain money, or they probably have personal vendetta against the organization.

There are however proven measures to lessen the gravity of insider threats:

1. Monitor the users, especially those who hold the potential for greatest damage – top executives, contractors, vendors, at-risk employees, and IT administrators.

2. Learn the way they access the data, create a baseline and detect any anomalous behavior.

3. When a divergent behavior is detected such as unauthorized download or server log-ins, perform an action such as block or quarantine user.

It should be noted that when an individual is caught compromising security, more often than not, damage has already been done. The challenge is to be proactive in order for the breach to not happen in the first place.

An article in Harvard Business Review has argued that psychology is the key to detecting internal cyber threats.

In essence, companies should focus on understanding and anticipating human behavior such as analyzing employee language (in their email, chat, and text) continuously and in real time. The author contends that “certain negative emotions, stressors, and conflicts have long been associated with incidents of workplace aggression, employee turnover, absenteeism, accidents, fraud, sabotage, and espionage”

Applying big data analytics and artificial intelligence on employees language in email, chat, voice, text logs and other digital communication may uncover worrisome content, meaning, language pattern, and deviation in behavior, that may make it easier to spot indications that a user is a security risk or may perform malicious activity in the future.