Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/28/2021
10:00 AM
Or Azarzar
Or Azarzar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Is Your Cloud Raining Sensitive Data?

Learn common Kubernetes vulnerabilities and ways to avoid them.

Kubernetes' market share continues to grow as organizations increase their use of containerized software and adopt cloud architectures. According to a Cloud Native Computing Foundation (CNCF) survey, Kubernetes use rose from 58% in 2018 to 91% in 2020. 

However, along with rapid growth, Kubernetes has already experienced a fair share of cyberattacks, with six major ones last year alone (CVE-2020-14386, CVE-2020-2121CVE-2020-8558CVE-2020-8559CVE-2020-10749, and CVE-2020-8557). This trend will most likely continue or even accelerate. As more Kubernetes clusters are put into production, bad actors will be motivated to find more security holes.

Related Content:

Cloud-Native Apps Make Software Supply Chain Security More Important Than Ever

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

Kubernetes containers often have loose security settings, sometimes by default, that hackers can leverage to execute a cyberattack. Lightspin inspected where our clients use "privilege" mode, which provides almost unrestricted access to resources on the host system; "privilege escalations," where processes are given expanded privileges; and "run as root," which allows unrestricted container management. Three-quarters of the companies surveyed matched one or more of the issues, and the average percentage of pods affected was nearly 25%. These permissions are often used for development purposes but present an unacceptable level of risk when containers are put into production.

Why Kubernetes Is an Easy Target
Some increases in attacks targeting Kubernetes are due to new trends in development environments. With the move to break systems down into smaller functions, many IT teams are developing microservices that each require authentication and access control and thereby open a new attack surface. Microservices tend to be highly volatile, with the ability to move and pop in and out, making it hard to defend all their respective entry points from hackers.

Cloud environments are becoming more complex, consisting of thousands of cloud assets from multiple vendors. Often, there is confusion about the borders of security between internal organizations and cloud vendors. Gartner research indicates that about 95% of cloud security breaches through 2022 will come from customer errors fueled by misconfigurations, myths, and misunderstandings. According to our internal research, it can take 270 days on average for organizations to even notice they have a misconfiguration issue gumming up their security. That gives hackers plenty of time to access systems and files and collect proprietary and confidential data.

Kubernetes ecosystems are often constructed from various third-party open source components, making it difficult to enforce standard implementations that include proper configurations and security authorizations. This lack of control is aggravated by an emphasis on speeding product delivery. DevOps deployments often race ahead of security, introducing new functions or services that are unprotected and increasing the attack surface.

Guidelines to Protect Against Vulnerabilities
Kubernetes comes with security controls that need to be customized for each organization and its risks. Since the programming environment is highly volatile, the process needs to be updated constantly. Here are some general guidelines to consider:

  • As Kubernetes is entirely API-driven, controlling and limiting who can access the cluster and what actions they are allowed to perform is the first line of defense. Make sure you lock down access to the Kubernetes API server by ensuring that the API server is accessible only from trusted subnets that utilize the appropriate firewall rules. The ideal scenario is to expose the server to a virtual private cloud (VPC) network instead of the open Internet. 

  • One of the most difficult challenges security teams face is the lack of full visibility into Kubernetes architectures. Your team needs to identify and nail down all the ports that connect to your hosts, containers, and virtual machines, just like you would do for any physical, on-site data resource. Look out for all the assets with undefined security profiles or loose default settings. Be aware that the Kubernetes default is that every pod can speak to all other pods with no security restrictions. One rule of thumb is to grant the lowest level of operating system privilege necessary while constructing containers. Ensure that anonymous authentication is disabled. 

  • Allow each microservice access to only the resources it needs. This way, a vulnerability in one microservice will not expose the rest of your system to an attacker. Make sure you inspect the authorized users for each storage asset. 

  • Investigate using a tool that will give you a visual map of a Kubernetes cluster that includes role-based access control (RBAC), networking, and configuration layers down to the microservice level. Seeing the relationship between all the components or the context of each vulnerability will put security incidents into perspective to prioritize alerts and take immediate action when needed. 

The best strategy is to focus on the attack paths that threaten the most vulnerable and valuable assets. Security systems that monitor traffic for anomalies can create an excessive number of alerts that take up valuable time. But by focusing on the assets you want to protect and protecting the cloud from the inside out, you can home in on the most urgent threats.

The race to innovate faster in our online digital economy is creating more attack surfaces that introduce a higher risk of data breaches. Having full visibility into all Kubernetes components, minimizing access to assets, and focusing on the attack path can secure environments while making the best use of security personnel. Understanding each threat's context is the best way to assess priorities and take action to protect sensitive data and prevent data breaches.

Or Azarzar is the Co-Founder and CTO of Lightspin, leading the company's development, security research, and engineering operations. As an innovative security product builder, he is a thought leader in the area of defensive and offensive product research and development. ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24368
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.