Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
7/11/2017
12:00 PM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Securing your Cloud Stack from Ransomware

Poor configuration, lack of policies, and permissive behaviors are three factors that can leave your cloud infrastructure vulnerable to ransomware threats.

For enterprises that use the cloud, the key to being protected starts with understanding the layers that make up the components of their cloud stack. These different layers create multiple potential targets, and for the informed, they each represent a piece of the cloud environment that can be secured against potential threats.

Ransomware, for example, doesn't have to be terribly complex stuff. To be effective, it just needs access. By paying attention to the different pieces of the cloud stack, and addressing their unique security needs, your environment can be far more resistant to ransomware threats.

Identity Management
Besides enforcing secure passwords and multifactor authentication (MFA), apply the "least privilege roles" concept: Only give users access to the least amount of accounts and systems that allow them to be productive. This limits the damage that can be done if an accident is made or a bad actor gets access to the account. 

Secure the Cloud Compute Layer
Take steps to secure your compute layer to ensure availability of systems and data, and to keep bad actors from using your compute power to further spread malware across your business and the Internet. The first step here is to enable secure login by issuing SSH keys issued to individuals.

Use a Jump Host
A jump host is placed in a different security zone and provides the only means of accessing other servers or hosts in your system. It is an extra step that will add a layer of security complexity to keep hackers out of your system. As the single administrative entry point, be sure to take steps to protect this server and maintain strict access controls. Also, be sure to turn on logging so you can audit all activity. But, if this one server gets owned, the jump server will allow you to create a new one with the push of a button.

Create Hypervisor Firewall Rules
The most effective way to manage firewalls is at the hypervisor level because you can restrict or set limits on both ingress and egress traffic. Take care to set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data. Many are reluctant to set up outbound rules, but because ransomware often threatens the leaking of your intellectual property, it is important to ensure you have outbound rules that are explicitly declared.

Only Use Trusted Images
Build your images or templates from scratch or get them from very trusted sources like AWS or Microsoft. Don’t use the ones you find on Stackoverflow or on random message boards or communities. The hackers have gotten clever enough to respond to hot topics and embed malware into packages and templates.

Manage Data Access for Cloud Storage
Identity and Access Policies (IAM) policies and Access Control Lists help you centralize the control of permissions to your storage.  Bucket policies allow you to enable or deny permissions by accounts, users, or based on certain conditions like date, IP address, or whether the request was sent with SSL. 

Encrypt, Encrypt, Encrypt
When using public cloud infrastructure, it is imperative that your data is encrypted both in transit and at rest. There are many great encryption tools and services that will help with each. Note that the metadata (the data describing what you’re storing) is often not encrypted, so be sure not to store sensitive information in your cloud storage metadata.

No Delete Rights or MFA for Delete
You can set up roles in your cloud infrastructure that do not allow the user to delete any data. This protects you in case an attacker has gained control of a user’s account. In that case, attackers may be able to access the data, but they can’t delete it, which is usually what is threatened in ransomware attacks. Also, in most cloud storage solutions you can enable a feature that requires the six-digit code and serial number from your MFA token to delete any version of data stored in your storage layer. This means that attackers won’t be able to delete your data if they get access, unless they’ve got your MFA key.

Don’t Allow Services to Call Home to SaaS Systems Like Github
All it takes is for a bad actor to get access to your Git repo, and they can infect and potentially get access to more of your systems the next time one of your systems calls home. A better option is to store your Git or code repositories securely in your own cloud environment.

Our Evident security platform analyzes more than 10 billion events every month, and we see that poor configuration, lack of policies, and permissive behaviors lead to too many openings that are exploitable by ransomware.

For more information on creating an optimal security environment for your cloud environment that will assist in thwarting ransomware through a set of corrective actions and behavioral modifications, click here.

 

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...