Enterprise Security Weekly #51
Recorded on June 29, 2017 at G-Unit Studios in Rhode Island!
- Microsoft confirms it's buying Israeli cloud-monitoring startup Cloudyn - The Cloudyn solution will be incorporated into Microsoft's product portfolio, offering customers the industry's broadest set of multi-cloud management, security and governance solutions.
- Carbon Black Threat Research Technical Analysis: Petya / NotPetya Ransomware - Carbon Black - On June 27, public announcements were made about a large-scale campaign of ransomware attacks across Europe. The ransomware impacted notable organizations such as Maersk, the world's largest container shipping company. The initial infection vector appears to be the exploitation of a Ukrainian tax software called MEDoc. The sample also spreads on the internal network via exploitation of the EternalBlue SMB vulnerability, PsExec, WMI, and Admin$ shares.
- Press Release: New Research Shows Cybersecurity Battleground Shifting to Linux and Web Servers
  - Linux malware is on the rise, making up 36 percent of the top malware detected in Q1. The increased presence of Linux/Exploit, Linux/Downloader and Linux/Flooder combined to illustrate attackers' increased focus on Linux servers and IoT devices. Users should protect IoT products and Linux servers from the internet with layered defenses.
  - Legacy antivirus (AV) continues to miss new malware, at a higher rate. In fact, AV solutions missed 38 percent of the total threats WatchGuard caught in Q1, compared to 30 percent in Q4 2016. The growing number of new or zero-day malware now evading traditional AV highlights the weaknesses of signature-based detection solutions and the need for services that can detect and deter advanced persistent threats.
  - The cybersecurity battleground is shifting toward web servers. Last quarter, drive-by downloads and browser-based attacks were predominant. In Q1, 82 percent of the top network attacks targeted web servers.
- Office 365 Security Use Case #1 for a CASB: Managing External Sharing - Users can share files via Office 365 in three ways: 1) by inviting a user by the recipient's email, 2) by sending a link, or 3) by configuring the sharing policy to make a document publicly available and searchable. Analyzing the sharing permissions of files in the cloud, Skyhigh has found that 28.3% of files are shared with email domains associated with business partners. However, another 6.2% are shared with personal email domains (e.g. gmail.com, yahoo.com).
- It Only Takes One Compromised Account or Vulnerability to Cause a Data Breach - Even one stolen account can lead to a disaster—ask anyone who’s had their identity stolen. In a corporate setting, it only takes one password, particularly if it belongs to a privileged user, to start an attack sequence that can lead to the capture of thousands or even millions of user accounts and records. With access to just one device, hackers can plant ransomware, keyloggers, botnets, worms, or many other varieties of malicious code.
- Opinion: 4 Reasons Why Organizations Can't Just Patch - If the system isn't under your control, you can't update it. The issue is widespread, especially among organizations below the security poverty line, but it applies just as much to financial trading terminals and banks as it does to the network run by a centralized higher education system. Voiding the warranty and licensing terms by doing your own patching is not an option for most enterprises, even assuming you know how to do it... Organizational constraints, particularly in the public sector. Taxpayers aren't going to pay to update hardware and software that are working just fine... "Built to last" directly conflicts with "update early and often." When you're paying millions of dollars for an MRI machine and suite, you expect it to last for decades, and indeed it was built for that purpose. The idea of changing it by updating the software on a weekly or monthly basis was unthinkable... Any system with external, highly entangled dependencies will take longer to update, even years, as integration testing, certifications, regulatory alignment in multiple countries, and staged deployment must all be carefully scheduled.
Topic: Docker Security In The Enterprise
Love it or hate it, Docker (and containers) are here to stay. Embrace change in this segment where Paul and Apollo discuss using Docker in the enterprise. We cover security considerations, deployment scenarios and much more! Also, check out this great post on the topic as well:
Enterprise Security Considerations for Docker
During this segment we covered the following in great detail:
- While Docker allows developers to be more flexible and platform independent, in a way it makes them a developer plus systems administrator.
- Docker introduces some complexity, but once you overcome that complexity it becomes more manageable. This seems backwards, and the security concern lies in the complexity itself.
- The distributed environment could allow for better security.
- Using public images does not allow for better security.
- Does Docker make it easier to move from development to staging/QA to production?
- Does Docker increase or decrease your attack surface? Or, is it the same attack surface, just more modular?
- Docker allows containers to communicate, how secure is the containerization and communications?
- Can't we just deploy our applications using virtualization?
Tech Segment: Managing AWS Cloud Resources with Apollo Clark
Apollo Clark discusses the tools and techniques your team can use to manage, monitor and tune your enterprise AWS deployment.
How to Manage AWS Cloud Resources
The Triangle of Security Success states: "Every good sales pitch involves triangles facing up or down." - Andy Sutcliffe
- Inventory Management
- Resources State Management
- Default, weak, reused passwords, shared accounts
- Upgrade Old Components
- Log and Metric Monitoring
- Automatic Remediation
1. Managing Resources Correctly
  - inventory management
  - track all states:
    - cloud resources
    - security groups
    - OS version
    - system users
    - installed packages
    - running services
    - service config
    - network connections
    - osquery (https://osquery.io/) for the host-level items
  - ensure consistent state
  - prevent out-of-band changes
2. Current Options
  - AWS web interface (slow, tedious)
  - aws-cli (tedious to maintain Bash scripts)
  - aws-sdk (requires writing a ton of code)
  - Chef, Puppet, Ansible (don't support all resources)
  - ServiceNow (costs a lot of money)
  - CloudFormation (doesn't scale; see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html)
  - Terraform (open source, 3 years old, awesome!)
    - state file
    - offline diffs
    - multiple cloud provider support (https://www.terraform.io/docs/providers/index.html)
    - provisioners: only Chef is supported natively
    - can be used with Ansible and Puppet by calling them from a "local-exec" provisioner
    - multiple backends to store and share state; remote backends (https://github.com/gruntwork-io/terragrunt)
    - Segment Stack, https://github.com/segmentio/stack
4. Building AMIs
  - Terraform cannot directly build EC2 images
  - Packer can build for multiple post-processors
  - Can build AMIs
  - Can reuse existing AWS HVM-optimized AMIs
5. Scaling Up
  - CloudWatch Metrics (http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/viewing_metrics_with_cloudwatch.html)
  - ELK: Logstash has CloudWatch input and output plugins (https://www.elastic.co/guide/en/logstash/current/plugins-inputs-cloudwatch.html and https://www.elastic.co/guide/en/logstash/current/plugins-outputs-cloudwatch.html)
  - CloudWatch custom metrics, published via aws-cli or an HTTP POST (https://aws.amazon.com/blogs/aws/amazon-cloudwatch-user-defined-metrics/ and http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html)
  - CloudWatch Logs metric filters (http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html)
  - CloudTrail events
  - Auto-scaling triggers (metric alarm, log alarm, CloudTrail events) (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html)
  - SNS alerts, email
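The monitoring chain from section 5 (CloudTrail events in CloudWatch Logs, a metric filter, a metric alarm, an SNS email alert) written as Terraform, so it lives in the same managed state that section 1 argues for; the filter catches security group changes, which is exactly the kind of out-of-band change section 1 wants prevented. This is an added example, not code from the show or from Apollo Clark; it assumes Terraform 0.12 or later with a recent AWS provider already configured, and an existing CloudTrail trail that delivers to the CloudWatch Logs group named in `var.cloudtrail_log_group` (the log group name and email address are placeholders).

```hcl
# Added example (not from the show): CloudTrail -> CloudWatch Logs metric filter
# -> metric alarm -> SNS email, all managed as Terraform state.
# Assumes an existing trail already writes to this log group (placeholder names).
variable "cloudtrail_log_group" { default = "CloudTrail/DefaultLogGroup" } # placeholder
variable "alert_email"          { default = "secops@example.com" }         # placeholder

# Count every CloudTrail event that creates, deletes or modifies a security group.
# Any event here that did not come from a Terraform apply is an out-of-band change.
resource "aws_cloudwatch_log_metric_filter" "sg_changes" {
  name           = "SecurityGroupChanges"
  log_group_name = var.cloudtrail_log_group
  pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"

  metric_transformation {
    name      = "SecurityGroupChanges"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

# Topic plus an email subscription; the mailbox has to confirm the subscription once.
resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts"
}

resource "aws_sns_topic_subscription" "security_alerts_email" {
  topic_arn = aws_sns_topic.security_alerts.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

# Alarm as soon as one matching event lands in any 5-minute window.
# notBreaching keeps quiet periods (no events at all) from reading as INSUFFICIENT_DATA.
resource "aws_cloudwatch_metric_alarm" "sg_changes" {
  alarm_name          = "cloudtrail-security-group-changes"
  namespace           = "CloudTrailMetrics"
  metric_name         = "SecurityGroupChanges"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}
```

Terraform's own applies match the filter too, so correlate alarm timestamps with your apply log; anything that does not line up with a planned run is the drift `terraform plan` would otherwise only show you later.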