Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
7/11/2017
12:00 PM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Securing your Cloud Stack from Ransomware

Poor configuration, lack of policies, and permissive behaviors are three factors that can leave your cloud infrastructure vulnerable to ransomware threats.

For enterprises that use the cloud, the key to being protected starts with understanding the layers that make up the components of their cloud stack. These different layers create multiple potential targets, and for the informed, they each represent a piece of the cloud environment that can be secured against potential threats.

Ransomware, for example, doesn't have to be terribly complex stuff. To be effective, it just needs access. By paying attention to the different pieces of the cloud stack, and addressing their unique security needs, your environment can be far more resistant to ransomware threats.

Image Source: Evident.io
Image Source: Evident.io

Identity Management
Besides enforcing secure passwords and multifactor authentication (MFA), apply the "least privilege roles" concept: Only give users access to the least amount of accounts and systems that allow them to be productive. This limits the damage that can be done if an accident is made or a bad actor gets access to the account. 

Secure the Cloud Compute Layer
Take steps to secure your compute layer to ensure availability of systems and data, and to keep bad actors from using your compute power to further spread malware across your business and the Internet. The first step here is to enable secure login by issuing SSH keys issued to individuals.

Use a Jump Host
A jump host is placed in a different security zone and provides the only means of accessing other servers or hosts in your system. It is an extra step that will add a layer of security complexity to keep hackers out of your system. As the single administrative entry point, be sure to take steps to protect this server and maintain strict access controls. Also, be sure to turn on logging so you can audit all activity. But, if this one server gets owned, the jump server will allow you to create a new one with the push of a button.

Create Hypervisor Firewall Rules
The most effective way to manage firewalls is at the hypervisor level because you can restrict or set limits on both ingress and egress traffic. Take care to set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data. Many are reluctant to set up outbound rules, but because ransomware often threatens the leaking of your intellectual property, it is important to ensure you have outbound rules that are explicitly declared.

Only Use Trusted Images
Build your images or templates from scratch or get them from very trusted sources like AWS or Microsoft. Don’t use the ones you find on Stackoverflow or on random message boards or communities. The hackers have gotten clever enough to respond to hot topics and embed malware into packages and templates.

Manage Data Access for Cloud Storage
Identity and Access Policies (IAM) policies and Access Control Lists help you centralize the control of permissions to your storage.  Bucket policies allow you to enable or deny permissions by accounts, users, or based on certain conditions like date, IP address, or whether the request was sent with SSL. 

Encrypt, Encrypt, Encrypt
When using public cloud infrastructure, it is imperative that your data is encrypted both in transit and at rest. There are many great encryption tools and services that will help with each. Note that the metadata (the data describing what you’re storing) is often not encrypted, so be sure not to store sensitive information in your cloud storage metadata.

No Delete Rights or MFA for Delete
You can set up roles in your cloud infrastructure that do not allow the user to delete any data. This protects you in case an attacker has gained control of a user’s account. In that case, attackers may be able to access the data, but they can’t delete it, which is usually what is threatened in ransomware attacks. Also, in most cloud storage solutions you can enable a feature that requires the six-digit code and serial number from your MFA token to delete any version of data stored in your storage layer. This means that attackers won’t be able to delete your data if they get access, unless they’ve got your MFA key.

Don’t Allow Services to Call Home to SaaS Systems Like Github
All it takes is for a bad actor to get access to your Git repo, and they can infect and potentially get access to more of your systems the next time one of your systems calls home. A better option is to store your Git or code repositories securely in your own cloud environment.

Our Evident security platform analyzes more than 10 billion events every month, and we see that poor configuration, lack of policies, and permissive behaviors lead to too many openings that are exploitable by ransomware.

For more information on creating an optimal security environment for your cloud environment that will assist in thwarting ransomware through a set of corrective actions and behavioral modifications, click here.

 

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28636
PUBLISHED: 2021-03-04
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin() An attacker can provide malicious input to trigger this vulnerability.
CVE-2020-35628
PUBLISHED: 2021-03-04
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide malicious input to trigger this vulnerability.
CVE-2020-35636
PUBLISHED: 2021-03-04
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume(). An attacker can provide malicious input to trigger this vulnerability.
CVE-2020-8298
PUBLISHED: 2021-03-04
fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the `copy`, `copySync`, `remove`, and `removeSync` methods.
CVE-2020-28601
PUBLISHED: 2021-03-04
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability.