DOD’s Forecast Post-JEDI: Multi-Cloud with a Chance of Peril

NexGov | July 20, 2021

The Pentagon’s abandonment of the Joint Enterprise Defense Infrastructure, or JEDI, contract was an anticlimactic demise for the once visionary single-cloud network.

…the protracted legal battle pushed JEDI past viability. While the cloud titans fought for their slice of the pie, other actors within the federal government, most significantly the intelligence community, transitioned to a multi-cloud network. As a result, the decision to retire JEDI is best seen as an inevitable step toward DOD’s multi-vendor destiny.

Five Steps to Improve your Multi-Cloud Security

In 2021, the COVID-19 pandemic had a dramatic impact on how and where we do business. For many enterprises, the “where” became the cloud – immediately. This rapid adoption of the cloud – in most cases multiple clouds – created a rapid increase in security issues. Suddenly, enterprises had new cloud security requirements they needed to understand and deploy without the benefit of time to learn. The complexity continued to increase, and this triggered new security issues with potentially costly consequences. These included:

  • Data leakage/exfiltration – Unauthorized movement of sensitive data from inside the enterprise to outside can be accidental or deliberate. Often the discovery that data has been leaked occurs days, weeks, or months later, and can result in a damaged brand, lost customer trust, and fines.
  • Ransomware – Enterprises can pay thousands to millions of dollars to access encrypted data and systems in order to restore operations. Additionally they can be extorted to pay for the recovery of stolen sensitive information.  If they refuse to pay,  enterprises can lose days or weeks of revenue trying to recover their systems, and risk having sensitive data posted on the internet.
  • Non-compliance – Enterprises not adhering to mandatory regulations (PCI-DSS, CMMC, HIPAA) or voluntary cybersecurity frameworks (NIST, GDPR) can incur costly penalties and potential shutdowns that limit their ability to conduct business. Customer relationships may be damaged by the perception that security isn’t a priority.
  • Team collaboration/staffing shortages – DevOps is highly distributed across the enterprise and many teams acknowledge the lack of cloud platform security expertise. Cloud security practices should encourage significant collaboration that leverages both internal and external expertise.

To maintain cloud security and reduce–if not totally eliminate–the impact of these serious security issues, enterprises need a proven cybersecurity framework to address these issue directly.

Steps to strengthen your cloud security

Cloud environments are dynamic and constantly evolving. These 5 steps provide a proven framework to improve your enterprise’s cloud security using a technology driven approach, even in a multi-cloud environment.

  1. Visualize/maintain an accurate inventory of compute, storage and network functions
    Security teams often lack visibility across multi-cloud and hybrid environments. Cloud environments are often managed in disparate consoles in tabular forms. Security teams need to understand controls that filter traffic, including cloud native controls (network security groups and NACLs), and third-party infrastructure (SASE, SD-WAN and third-party firewalls). A single solution that provides a detailed visual representation of the multi-cloud environment is critical.
  2. Continuously monitor for exposed resources
    It is important to understand which cloud resources are publicly accessible or Internet-facing. Unintentional exposure of resources to the Internet is a major cause of cloud breaches. This includes any data resources like AWS S3 buckets or AWS EC2 instances. Security teams need to easily identify and report on exposed resources, and then provide remediation options that include changes to security groups or firewall policy.
  3. Continuously validate against industry best practices
    There are many industry best practice frameworks that can be used to validate cloud security. CIS Benchmarks and Cloud Security Alliance are two of these frameworks. Security teams should continuously validate adherence to best practices and quickly remediate findings to eliminate misconfigurations and avoid excessive permissions.
  4. Validate policies – segmentation within/across clouds and corporate mandates
    Many security teams create segmentation policies to minimize attack service and reduce the risk of lateral movement. Examples may be segmenting one Cloud Service Provider from another (AWS cannot talk to Azure) or segmenting access across accounts in the same CSP. Both segmentation and corporate policies should be continuously monitored for violations and provide detailed information that enables rapid remediation.
  5. Conduct comprehensive vulnerability prioritization
    All vulnerability management solutions provide a severity score, but more comprehensive prioritization can occur by identifying which vulnerabilities in the cloud are Internet-facing (including the downstream impact of these vulnerabilities).

Implementing success

While the risks grew for many enterprises this past year as they rapidly moved to the cloud, several have dodged the bullet. RedSeal has helped many successfully adopt a strong security framework and gained actionable insights into their cloud environments. These insights were often an eye-opener.

  • Underestimated VPC[1] inventory in the cloud – A healthcare customer expected “a few VPCs” in their cloud environment. The implementation of RedSeal revealed they had over 200 VPCs. This helped them see their overall cloud footprint and reduced their attack surface.
  • Exposed cloud resources– An enterprise customer incorrectly believed that all of their cloud resources were protected by a third-party firewall. Consequently, many resources were directly exposed to the Internet. RedSeal identified the exposed resources and the misconfigurations before any exploitation occurred.
  • Risky shadow IT – A technology company’s business unit had cloud instances that did not pass the company’s access security mandate. RedSeal identified these resources and helped determine that employees had bypassed process and created unauthorized cloud resources. The company’s shadow IT with respect to cloud security is now under control.
  • Zone-based segmentation as required by PCI-DSS – A payment card provider validated that card holder data was segregated and protected after their cloud migration. They modeled and monitored their segmentation policy, enabling their audit to be completed quickly and confidently.
  • VPC/VNET without subnets or subnets without instances – A healthcare customer discovered 100s of empty VPC/VNET subnets and subnets without instances in their cloud environment. The default configuration: “ANY/ANY” could have been easily exploited by malicious actors and industry best practices indicate they should be deleted or actively monitored.

 

With RedSeal, all these enterprises, and more, have utilized a multi-cloud security methodology that highlights: Visualization/Inventory, Exposure, Industry Best Practices, Policy Validation, and Vulnerability Prioritization. These 5 steps can bring peace of mind to security teams who have had to act quickly and without warning in response to this most unprecedented year.

Learn More

Looking for more details on how 3rd party firewalls may impact your cloud security framework? Download our whitepaper “How Should I Secure My Cloud?

RedSeal’s Cloud Security Solution -Ensure Your Critical Cloud Resources Aren’t Exposed to the Internet

[1] AWS uses the term VPC (Virtual Private Cloud) and Azure uses the term VNet (Virtual Network). Conceptually, they provide the bedrock for provisioning resources and services in the cloud. However, there is variability in implementation.

The Real Reason for Breaches (and How to Avoid Them)

Security is a tough job – we invest so much effort, and yet the breaches keep on happening.  Why?  In a word, complexity. 

The digital world brings so many great efficiencies and innovations – the pressure to move fast and exploit opportunities is irresistible to every organization.  But crossing all these online frontiers brings the unavoidable frontier challenges – lawlessness, chaos, and rapid change.  Security is easiest in mature, well understood, and above all, in simple infrastructures.  Every added bit of complexity and change moves away from security, and towards chaos.  The security professional has a thankless task – we cannot simply demand that our employers be more orderly or cease changing.  Instead, we have to adapt constantly, and try to keep up with all the new territory that is constantly opening up, with new threats and new ways to get it all wrong.

When you analyze any of the major breaches in detail, you find they are always multi-component – there is never just one simple, single cause.  Attackers are stealthy, persistent, and they move from one foothold to another.  This means that when a breach happens, it’s a system-level failure, not just one component that could have been isolated and fixed.  Worse, even if you put all your effort into fixing as many components as possible, you’ll never get to 100% secure and impervious to attack.  The bad guys will search and search for anything you missed, then exploit it, gain a new foothold, and work outwards from there.

Clearly, the road to security doesn’t come from finding and fixing everything – it’s impossible to fix every issue in your network today, and even if you could, there will be new defects tomorrow, because the rate of change is so high.  Instead, we have to learn to thrive in a world with inherent vulnerability, just the way animals and people do in the biological world.  Biological systems are resilient rather than perfectly protected – they can adapt and bounce back from infection, since Mother Nature long ago learned that blocking every pathogen just wasn’t going to work.  Of course, this doesn’t mean you should give up and just accept every possible attack – biological systems still aim to be hard targets, they just actively maintain an immune system so they can detect, isolate, and remove the inevitable successful attacks.

So the way forward is to find what you have, in the cloud and across your physical sites, see how it’s all connected, and understand where you can block incoming attacks, as well as thwart lateral movement for attackers who do make it past your defenses.  The first goal is a complete inventory – in itself, that’s a hard challenge because of the diverse and changing fabric we use to get the work done.  The second goal is to harden any assets that are exposed.  The third goal is based on recognizing that perfect hardening at step two won’t happen, so instead, it’s essential to understand what is connected to what, so that you can stay ahead of attacks and block them before they get a chance to spread.  This is why RedSeal focuses on these three disciplines – gather and map the network in all its hybrid complexity, then harden the individual elements, then help our customers conduct war games where they can think at a system level, and prioritize their defensive efforts to become a resilient hard target.

For further details on how RedSeal tackles cloud security, check out our solution brief: “Redseal Ensures Your Critical Cloud Resources Aren’t Exposed To The Internet”

Experts Warn of Attacks on a Cisco ASA Security Flaw due to a new Proof-of-Concept Exploit

RedSeal Cyber Threat Series            

Researchers at Positive Technologies have created a proof-of-concept (PoC) exploit that leverages a 2020 Cisco ASA vulnerability. A Cisco administrator would have to click on a link that takes the unsuspecting user to a web page where the malware is downloaded and the Cisco ASA must not be patched. Cisco released a patch for a Medium Severity web services vulnerability that affects the Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software CVE-2020-3580. This security flaw can allow an unauthenticated attacker to remotely conduct a cross site scripting (XSS) attack against a user of the web services interface.

Enterprises should patch their Cisco ASA Software and Firepower Software as soon as possible.  A successful attack could allow the attacker to execute code or access sensitive browser information.   

RedSeal customers should:

  1. Run a custom best practice check to receive a list of vulnerable devices
  2. Create and run daily reports until all affected systems are patched.

For additional details, contact your RedSeal sales representatives or email info@redseal.net

Cybersecurity Best Practices 

  • Keep your devices patched and up to date 
  • Ensure you are using TLS v1.2 or above; disable lower versions of TLS and HTTP 
  • Disable WebVPN or AnyConnect if not in use on your device  

References 

https://securityaffairs.co/wordpress/119442/hacking/cisco-asa-under-attack.html 

https://nvd.nist.gov/vuln/detail/CVE-2020-3580 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe   

Zero Trust Is Here to Stay, So How Can I Prepare My Network?

Whether you agree or not with the concept–zero trust architecture is here for the foreseeable future.

Unless your organization is cloud-native, you are going to have to prepare to implement zero trust on your existing enterprise. If you are the one responsible for deploying and maintaining networks for the Federal government, zero trust is most likely at the top of your to-do list.

The President’s latest executive order, dated May 12, 2021, compels Federal agencies to move to zero trust architectures and adoption of cloud services. This is meant to modernize departmental and agency IT infrastructures, and the security technologies that protect them. However, Federal agencies are not cloud-native companies. Most have large on-premise networks that will need to have their networks inventoried, along with all their applications and services identified, prior to implementing zero trust. Like any good implementation strategy, you are going to have to plan.

Zero trust is not a destination, but a continuous journey that is going to require rigorous configuration management and continuous monitoring.  RedSeal is not a magic zero trust platform, but it can help you on your journey to prepare and maintain specific aspects.

One major step of this journey is just understanding what you have (network devices, mobile, desktops, IOT, etc.) and how your data moves through the network, as well as existing segmentation policies to comply with standards and regulations. One of the first steps in this journey will require enumeration of all the possible pathways, from every source to every destination, and you will have the challenge of also having to account for NAT IP address, along with load balancers. That is a daunting task by itself.

This is where the power of RedSeal’s Netmap analysis comes in. RedSeal automatically calculates every possible path through the network accounting for the effect of NATs and load balancing. Then you can ask RedSeal to show you these pathways to determine if they are approved and needed for business and mission success.

A side benefit of this analysis is RedSeal creates an inventory of all your network gear and IP space, as well as your cloud and software defined network (SDN) assets.  You cannot secure it if you do not know about it, and the output of RedSeal gives you a great start on understanding what you have.  Remember, with zero trust you are going to have to identify not only who, but what can, or should have access, so an inventory is an absolute must have.

As you move along this journey, and if your journey takes some, or most of your assets to the cloud, you can test the network segmentation of your cloud configuration in RedSeal before you deploy to the cloud to verify it is configured securely. Finally, RedSeal can continuously monitor your network segmentation and micro segmentation policies to make sure they stay compliant with your zero-trust architecture goals.

If you’d like to learn more about securing both your cloud and on-premise networks, visit our Cloud Security page.

We’ve also partnered with MeriTalk on a new infographic report on “Braving the Cloud Storm” – a look at how agencies are addressing cybersecurity across a multitude of clouds and on-premise environments.

Dr. Mike Lloyd Named a Gold Globee Chief Technology Officer of the Year

IT World Awards | June 15, 2021

RedSeal’s Chief Technology Officer Dr. Mike Lloyd was named a Gold Globee winner for Chief Technology Officer of the Year, Security Hybrid in the 16th Annual 2021 IT World Awards honoring achievements and recognitions in the information technology and cyber security industries worldwide.

More than 65 judges from around the world representing a wide spectrum of industry experts participated in the judging process. The IT World Awards are open to all Information Technology and Cyber Security organizations from all over the world and their end-users of products and services.

 

Security Think Tank: Printer risks go deep into IT history

Computer Weekly | June 9, 2021

Though rarely discussed in a cyber context, the prevalence of connected printers and MFPs does pose security risks both technological and physical. What does a print security strategy need to take into account?

…This east-west traffic in local areas is the bane of the security professional. It makes the network harder to manage as it sprawls outwards, often in the uncontrolled IT equivalent of a shanty town. This, in turn, created the ecosystem in which security threats evolved, moving from viruses spread by floppy disks to those that spread directly over the network, and their descendants we see to this day, such as ransomware spreaders that can take over oil pipelines.

RedSeal Named to the JMP Securities Elite 80 for 2021

JMP Securities | June 1, 2021

RedSeal has been named to the JMP Securities Elite 80 report (formerly Super 70) for the fifth year in a row. The list recognizes the most interesting and strategically positioned private companies in the Cybersecurity, Data Management & IT Infrastructure industries.

EO Gives Momentum to Federal Cloud Movement

Communications Daily | May 27, 2021

President Joe Biden’s cybersecurity executive order will boost the federal government’s reliance on cloud services and information sharing, experts told us. The EO directs federal civilian agencies to “accelerate movement to secure cloud services,” including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS).

“That’s really the best way for the government” to secure data, said RedSeal Federal Chief Technology Officer Wayne Lloyd. He expects the EO to drag agencies “kicking and screaming” into the cloud: “It’s something that’s long overdue,” from which the commercial sector has long seen the benefits.

Seven Cybersecurity Lessons the Coronavirus Can Teach the Armed Forces (and Us All)

Cyber Defense Review | May 21, 2021

If we have learned anything from the COVID-19 pandemic, it is that very bad things can happen very quickly, especially if we are not sufficiently prepared. It turns out that everything we have been told about the pandemic is also relevant for cybersecurity; as such, the pandemic is an exceptional learning tool for cyber professionals.

Cyberattacks are like biological viruses in several ways: they can spread incredibly fast, their consequences can wreak huge economic damage, and the destruction they cause can be very difficult from which to recover. Viruses spread through human social networks and cyber-attacks exploit our online networks of trust.