AWS Cloud: Proactive Security and Forensic Readiness – Part 1

December 11, 2017 | Leave a Comment

By Neha Thethi, Information Security Analyst, BH Consulting

Part 1 – Identity and Access Management in AWS
This is the first in a five-part blog series that provides a checklist for proactive security and forensic readiness in the AWS cloud environment. This post relates to identity and access management in AWS.

In a recent study by Dashlane regarding password strength, AWS was listed as an organization that supports weak password rules. However, AWS has numerous features that enable granular control for access to an account’s resources by means of the Identity and Access Management (IAM) service. IAM provides control over who can use AWS resources (authentication) and how they can use those resources (authorization).

The following list focuses on limiting access to, and use of, root account and user credentials; defining roles and responsibilities of system users; limiting automated access to AWS resources; and protecting access to data stored in storage buckets – including important data stored by services such as CloudTrail.

The checklist provides best practice for the following:

  1. How are you protecting the access to and the use of AWS root account credentials?
  2. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
  3. How are you protecting the access to and the use of user account credentials?
  4. How are you limiting automated access to AWS resources?
  5. How are you protecting your CloudTrail logs stored in S3 and your Billing S3 bucket?

Best-practice checklist

1) How are you protecting the access to and the use of AWS root account credentials?

  • Lock away your AWS account (root) login credentials
  • Use multi-factor authentication (MFA) on root account
  • Make minimal use of root account (or no use of root account at all if possible). Use IAM user instead to manage the account
  • Do not use AWS root account to create API keys.

2) How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?

  • Create individual IAM users
  • Configure a strong password policy for your users
  • Enable MFA for privileged users
  • Segregate defined roles and responsibilities of system users by creating user groups. Use groups to assign permissions to IAM users
  • Clearly define and grant only the minimum privileges to users, groups, and roles that are needed to accomplish business requirements.
  • Use AWS defined policies to assign permissions whenever possible
  • Define and enforce user life-cycle policies
  • Use roles to delegate access to users, applications, or services that don’t normally have access to your AWS resources
  • Use roles for applications that run on Amazon EC2 instances
  • Use access levels (list, read, write and permissions management) to review IAM permissions
  • Use policy conditions for extra security
  • Regularly monitor user activity in your AWS account(s).

3) How are you protecting the access to and the use of user account credentials?

  • Rotate credentials regularly
  • Remove/deactivate unnecessary credentials
  • Protect EC2 key pairs. Password protect the .pem and .ppk file on user machines
  • Delete keys on your instances when someone leaves your organization or no longer requires access
  • Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
  • Delegate access by using roles instead of by sharing credentials
  • Use IAM roles for cross-account access and identity federation
  • Use temporary security instead of long-term access keys.

4) How are you limiting automated access to AWS resources?

  • Use IAM roles for EC2 and an AWS SDK or CLI
  • Store static credentials securely that are used for automated access
  • Use instance profiles or Amazon STS for dynamic authentication
  • For increased security, implement alternative authentication mechanisms (e.g. LDAP or Active Directory)
  • Protect API access using Multi-factor authentication (MFA).

5) How are you protecting your CloudTrail logs stored in S3 and your Billing S3 bucket?

  • Limit access to users and roles on a “need-to-know” basis for data stored in S3
  • Use bucket access permissions and object access permissions for fine-grained control over S3 resources
  • Use bucket policies to grant other AWS accounts or IAM

 

For more details, refer to the following AWS resources:

Next up in the blog series, is Part 2 – Infrastructure Level Protection in AWS – best practice checklist. Stay tuned.

Let us know if we have missed anything in our checklist!

DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only.

 

What Will Software Defined Perimeter Mean for Compliance?

December 8, 2017 | Leave a Comment

By Eitan Bremler, VP Marketing and Product Management, Safe-T Data

Your network isn’t really your network anymore. More specifically, the things you thought of as your network — the boxes with blinking lights, the antennae, the switches, the miles of Cat 5 cable — no longer represent the physical reality of your network in the way that they once did. In addition to physical boxes and cables, your network might run through one or more public clouds, to several branch offices over a VPN, and even through vendor or partner networks if you use a managed services provider. What’s more, most of the routing decisions will be made automatically. In total, these new network connections and infrastructure add up to a massive attack surface.

The software defined perimeter is a response to this new openness. It dictates that just because parts of your infrastructure are connected to one another, that doesn’t mean they should be allowed access. Essentially, the use of SDP lets administrators place a digital fence around parts of their network, no matter where it resides.

Flat Networks Leave Data Vulnerable
Where security is concerned, complicated networks can be a feature, not a bug. For companies above a certain size, who must protect critical data, a degree of complexity in network design is recommended. For example, can everyone in your company access the shared drive where you store your cardholder’s information? This is bad practice — what you need to adopt is a practice known as segmentation, recommended by US-CERT.

Any network in which every terminal can access every part of the network is known as a “flat” network. That is, every user and application can access only those resources which are absolutely critical for them to do their jobs. A flat network operates by the principle of most privilege — everyone gets access to anything. In other words, if a hacker gets into an application, or an employee goes rogue, prepare for serious trouble.

Flat networks are also a characteristic of networks lacking a software defined perimeter.

Create Nested Software Defined Perimeters for Extra Security
Flat networks introduce a high level of risk for flat organizations, but the use of SDP can eliminate this risk. The software-defined approach can create isolated network segments around applications and databases. What’s more, this approach doesn’t rely on either physically rewiring a network or creating virtual LANs, both of which are time-consuming processes.

This approach is already used in public cloud data centers, where thousands of applications that must not communicate with one another must coexist on VMs that are hosted on the same bare-metal servers. The servers themselves are all wired to one another in the manner of a flat network, but SDN keeps their networks or data from overlapping.

Do You Need SDP in Order to Be Compliant?
Software defined perimeters are strongly recommended for security, but it’s actually not necessary for compliance — yet. PCI DSS 3.2 doesn’t require network segmentation — in the main because the technology is still in its relative infancy, and is not yet accessible to every company. Those companies that can segment their networks, however, do receive a bit of a bonus.

If you manage to segment your network appropriately, only the segments of your network that contain cardholder data will be subject to PCI audit. Otherwise, the entirety of a flat network will be subject to scrutiny. Clearly, it’s easier to defend and secure a tiny portion of your network than the entire thing. Those who learn the art of network segmentation will have a massive advantage in terms of compliance.

Look for Software-Defined Perimeter Solutions
Solutions using the SDP method will help organizations set Zero Trust boundaries between different applications and databases. These are effectively more secure than firewalls, because they obviate the necessity of opening ports between any two segmented networks. This additional security feature lets companies reduce the scope of PCI without changing

Your Morning Security Spotlight: Apple, Breaches, and Leaks

December 7, 2017 | Leave a Comment

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

–Apple’s High Sierra has massive vulnerability
–Survey says all firms suffered a mobile cyberattack
–Morrisons liable for ex-employee leaking data
–S3 misconfiguration leaks NCF customer data
–Imgur reports 2014 breach of 1.7 million credentials

Apple’s High Sierra has massive vulnerability
Apple’s latest operating system, High Sierra, was found to have a massive vulnerability. By typing the username “root” and leaving the password blank, devices running the operating system could be accessed, offering a way to steal data and upload malicious software.

Survey says all firms suffered a mobile cyberattack
In Check Point’s survey of 850 businesses around the world, all were found to have experienced a mobile cyberattack. This demonstrates the dangers of enabling unsecured BYOD and mobile data access. Additionally, the report contains surprising statistics on mobile malware, man-in-the-middle attacks, and more.

Morrisons liable for ex-employee leaking data
The supermarket chain Morrisons was recently found liable for a breach caused by an ex-employee in 2014. In 2015, the employee was sentenced to eight years in jail for maliciously leaking the payroll data of 100,000 fellow employees. However, Morrisons will now be held responsible, as well.

S3 misconfiguration leaks NCF customer data
The National Credit Federation (NCF) is reported to have leaked sensitive data belonging to tens of thousands of its customers. The information, which included bank account numbers and scans of Social Security cards, was leaked through an Amazon S3 misconfiguration that allowed complete public access to certain data.

Imgur reports 2014 breach of 1.7 million credentials
Imgur recently discovered that it suffered from a breach in 2014 that led to the compromise of 1.7 million users’ email addresses and passwords. The attack serves as an example of the fact that breaches (and ongoing data theft) can take years to detect.

Clearly, organizations that fail to protect their sensitive information will suffer the consequences. Learn how to achieve comprehensive visibility and control over data by reading the solution brief for the Next-Gen CASB.

Electrify Your Digital Transformation with the Cloud

December 5, 2017 | Leave a Comment

By Tori Ballantine, Product Marketing, Hyland

Taking your organization on a digital transformation journey isn’t just a whimsical idea; or something fun to daydream about; or an initiative that “other” companies probably have time to implement. It’s something that every organization needs to seriously consider. If your business isn’t digital, it needs to be in order to remain competitive.

So if you take it as a given that you need to embrace digital transformation to survive and thrive in the current landscape, the next logical step is to look at how the cloud fits into your strategy. Because sure, it’s possible to digitally transform without availing yourself of the massive benefits of the cloud. But why would you?

Why would you intentionally leave on the table what could be one of the strongest tools in your arsenal? Why would you take a pass on the opportunity to transform – and vastly improve – the processes at the crux of how your business works?

Lightning strikes
In the case of content services, including capabilities like content management, process management and case management, cloud adoption is rising by the day. Companies with existing on-premises solutions are considering the cloud as the hosting location for their critical information, and companies seeking new solutions are looking at cloud deployments to provide them with the functionality they require.

If your company was born in the digital age, it’s likely that you inherently operate digitally. If your company was founded in the time before, perhaps you’re playing catch up.

Both of these types of companies can find major benefits in the cloud. Data is created digitally, natively — but there is still paper that needs to be brought into the digital fold. The digitizing of information is just a small part of digital transformation. To truly take information management to the next level, the cloud offers transformative options that just aren’t available in a premises-bound solution.

People are overwhelmingly using the cloud in their personal lives, according to AIIM’s State of Information Management: Are Businesses Digitally Transforming or Stuck in Neutral? Of those polled, 75 percent use the cloud in their personal life and 68 percent report that they use the cloud for business. That’s nearly three-quarters of respondents!

When we look at the usage of cloud-based solutions in areas like enterprise content management (ECM) and related applications, 35 percent of respondents leverage the cloud as their primary content management solutions; for collaboration and secure file sharing; or for a combination of primary content management and file sharing. These respondents are deploying these solutions either exclusively in the cloud or as part of on-prem/cloud hybrid solutions.

Another 46 percent are migrating all their content to the cloud over time; planning to leverage the cloud but haven’t yet deployed; or are still experimenting with different options. They are in the process of discerning exactly how best to leverage the power of the cloud for their organizations.

And only 11 percent have no plans for the cloud. Eleven percent! Can your business afford to be in that minority?

More and more, the cloud is becoming table stakes in information management. Organizations are growing to understand that a secure cloud solution not only can save them time and money, but also provide them with stronger security features, better functionality and larger storage capacity.

The bright ideas
So, what are some of the ways that leveraging the cloud for your content services can digitally transform your business?

  • Disaster recovery. When your information is stored on-premises and calamity strikes — a fire, a robbery, a flood — you’re out of luck. When your information is in the cloud, it’s up and ready to keep your critical operations running.
  • Remote access. Today’s workforce wants to be mobile, and they need to access their critical information wherever they are. A cloud solution empowers your workers by granting them the ability to securely access critical information from remote locations.
  • Enhanced security. Enterprise-level cloud security has come a long way and offers sophisticated protection that is out of reach for many companies to manage internally.

Here are other highly appealing advantages of cloud-based enterprise solutions, based on a survey conducted by IDG Enterprise:

  • Increased uptime
  • 24/7 data availability
  • Operational cost savings
  • Improved incident response
  • Shared/aggregated security expertise of vendor
  • Access to industry experts on security threats

Whether you’re optimizing your current practices or rethinking them from the ground up, these elements can help you digitally transform your business by looking to the cloud.

Can you afford not to?

AWS Cloud: Proactive Security & Forensic Readiness

December 1, 2017 | Leave a Comment

This post kicks off a series examining proactive security and forensic readiness in the AWS cloud environment. 

By Neha Thethi, Information Security Analyst, BH Consulting

In a time where cyber-attacks are on the rise in magnitude and frequency, being prepared during a security incident is paramount. This is especially crucial for organisations adopting the cloud for storing confidential or sensitive information.

This blog is an introduction to a five-part blog series that provides a checklist for proactive security and forensic readiness in the AWS cloud environment.

Cyber-attack via third party services
A number of noteworthy information security incidents and data breaches have come to light recently that involve major organisations being targeted via third-party services or vendors. Such incidents are facilitated in many ways, such as a weakness or misconfiguration in the third-party service, or more commonly, a failure to implement or enable existing security features.

For example, it has been reported that several data breach incidents in 2017 occurred as a result of an Amazon S3 misconfiguration. Additionally,  the recent data breach incident at Deloitte appears to have been caused by the company’s failure to enable two-factor authentication to protect a critical administrator account in its Azure-hosted email system.

Security responsibility
Many of our own customers at BH Consulting have embraced the use of cloud, particularly Amazon Web Services (AWS). It is estimated that the worldwide cloud IT infrastructure revenue has almost tripled in the last four years. The company remains the dominant market leader, with an end-of-2016 revenue run rate of more than $14 billion.  It owes its popularity to its customer focus, rich set of functionalities, pace of innovation, partner and customer ecosystem as well as implementation of secure and compliant solutions.

AWS provides a wealth of material and various specialist partners to help customers enhance security in their AWS environment. A significant part of these resources is a shared responsibility model for customers, to better understand their security responsibilities based on the service model being used (infrastructure-as-a-service, platform-as-a-service or software-as-a-service).

Figure 1: AWS Shared Responsibility Model

When adopting third-party services, such as AWS, it is important that customers understand their responsibility for protecting data and resources that they are entrusting to these third parties.

Security features
Numerous security measures are provided by AWS, however, awareness of relevant security features and appropriate configuration, are key to taking full advantage of these measures. There may be certain useful and powerful features that a customer may be unaware of.  It is the responsibility of the customer to identify all the potential features so as to determine how best to leverage each one, if at all.

Five-part best practice checklist
The blog series will offer the following five-part best practice checklists, for proactive security and forensic readiness in AWS Cloud.

  1. Identity and Access Management in AWS
  2. Infrastructure Level Protection in AWS
  3. Data Protection in AWS
  4. Detective Controls in AWS
  5. Incident Response in AWS

Stay tuned for further installments.