How Baseline Security Practices Could Have Prevented Recent Cloud Attacks
The Russia-based group behind last year's massive SolarWinds cyberattack has targeted hundreds more companies and organizations in its latest wave of attacks on U.S.-based computer systems, Microsoft said in a blog post.
According to Microsoft, the recent attacks were carried out by the Russian nation-state actor Nobelium. This is the same actor that was behind the 2020 attacks on SolarWinds customers, and which the US government and others have identified as part of Russia’s foreign intelligence service, the SVR.
Did Security Practice Failings Contribute to These Attacks?
This time, the blog explained, Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. However, now it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.
The attacks have been part of a larger wave of Nobelium activity since the summer. Between July 1 and October 19 this year, the Redmond, WA-based company informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, Microsoft had notified customers of attacks from all nation-state actors 20,500 times over the previous three years.
Elsewhere, US cybersecurity officials told Reuters that the attack underway was unremarkable, with one unnamed senior administration official calling it an unsophisticated, run-of-the-mill operation that could have been prevented if the cloud service providers had implemented baseline cybersecurity practices. So can we have faith in cloud security?
Cloud Risk Profile
There is a lot to be said about the attack and the fact that it appears to be directed by a nation-state. For enterprises, however, the administration official's comment that it could have been prevented by baseline security practices suggests that, yet again, organizations are failing to secure their own infrastructure.
Jeremy Roberts is analyst and research director of cloud and core infrastructure at Canada-based enterprise IT analyst firm Info-Tech Research Group. He explained how responsibility for cloud security is divided. “You are always accountable for the security of the data entrusted to you,” he said. In the public cloud, the business shares responsibility with a provider. If the business is purchasing services through a partner, it is also sharing responsibility with both the provider and the partner. “If you don’t have baseline security practices in place, it would be dangerous to rely on a provider to do that work for you,” he said.
The risk profile in the cloud is simply different. You can get away with a lot of bad practices if they are confined to your own network; security baselines should still be adhered to, but skipping them has historically been less consequential. When you move to the cloud the attack surface is much larger, and those baselines matter more. If you are a partner managing environments on behalf of multiple clients, expect the target on your back to be larger still, since attackers, correctly it seems, view partners as a backdoor into customer environments. Zero trust is an example: it is a best practice, but on an isolated network skipping it is less likely to become an issue. If a partner with multiple clients is breached and is not properly challenging actors who bounce between resources, the consequences are far more severe.
Cloud Security Considerations
There are a number of considerations IT and cloud managers need to keep in mind:
- Identity Is a Key Frontier in the Cloud: Make sure your identity management practices are well-defined and that you are using techniques like multi-factor authentication and privileged access management to ensure that malicious actors cannot gain access to systems.
- Double-Check the Defaults: Cloud providers sell toolsets with some defaults that might not be suitable for you and your needs. Make sure that you understand your security requirements and make changes where necessary rather than just going with whatever the provider suggests.
- Vet Your Partners: Partners are attractive targets because they have theoretical access to large amounts of client data. Ask them about their data handling practices, how they manage identities, and what they do to ensure security in the cloud. Ask for any relevant certifications. Include contract language around breaches and reporting.
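The three considerations above can be turned into a repeatable audit. The following is an added example, not code from the article, from Info-Tech or from any cloud provider: it runs a set of baseline checks (privileged accounts without MFA, stale accounts, risky provider defaults, and partner access that is standing rather than time-bound) over a constructed snapshot of a tenant's identities and settings. The record fields, the setting names and the 90-day and 180-day thresholds are assumptions chosen for illustration; a real audit would populate the snapshot from the provider's directory and configuration APIs.

```python
"""Baseline identity and configuration audit for a cloud tenant.

Added example, not code from the article or any vendor. Field names and
thresholds are assumptions; the snapshot below is constructed data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Identity:
    name: str
    privileged: bool                  # holds an admin or owner role
    mfa_enforced: bool
    is_partner: bool = False          # belongs to a reseller/MSP relationship
    standing_access: bool = False     # permanent access instead of just-in-time
    last_sign_in: Optional[date] = None


@dataclass
class TenantSettings:
    legacy_auth_allowed: bool         # assumed provider default; bypasses MFA
    anyone_can_invite_guests: bool    # assumed provider default
    audit_log_retention_days: int


STALE_DAYS = 90           # assumption: unused access is reviewed after 90 days
MIN_LOG_RETENTION = 180   # assumption: long enough to reconstruct a slow intrusion

Finding = Tuple[str, str, str]  # (category, subject, message)


def audit(identities: List[Identity], settings: TenantSettings, today: date) -> List[Finding]:
    """Apply the baseline checks and return every finding, one tuple each."""
    findings: List[Finding] = []
    for ident in identities:
        # Identity: every privileged account must have MFA enforced.
        if ident.privileged and not ident.mfa_enforced:
            findings.append(("IDENTITY", ident.name, "privileged account without MFA"))
        # Partners: delegated access must be just-in-time, never standing.
        if ident.is_partner and ident.standing_access:
            findings.append(("PARTNER", ident.name,
                             "standing delegated access; make it just-in-time and time-bound"))
        # Identity: dormant accounts are a quiet way in; review or disable them.
        if ident.last_sign_in is not None and (today - ident.last_sign_in).days > STALE_DAYS:
            findings.append(("IDENTITY", ident.name,
                             f"no sign-in for more than {STALE_DAYS} days; review or disable"))
    # Defaults: settings the provider ships enabled that weaken the tenant.
    if settings.legacy_auth_allowed:
        findings.append(("DEFAULT", "legacy_auth_allowed", "legacy protocols bypass MFA; block them"))
    if settings.anyone_can_invite_guests:
        findings.append(("DEFAULT", "anyone_can_invite_guests", "restrict guest invitations to admins"))
    if settings.audit_log_retention_days < MIN_LOG_RETENTION:
        findings.append(("DEFAULT", "audit_log_retention_days",
                         f"retention below {MIN_LOG_RETENTION} days; intrusions are found late"))
    return findings


# Constructed snapshot (illustrative accounts and settings, not a real tenant)
SNAPSHOT_DATE = date(2021, 10, 19)
IDENTITIES = [
    Identity("alice", privileged=True, mfa_enforced=True, last_sign_in=date(2021, 10, 18)),
    Identity("contractor-admin", privileged=True, mfa_enforced=False, last_sign_in=date(2021, 3, 2)),
    Identity("svc-reporting", privileged=False, mfa_enforced=False, last_sign_in=date(2021, 10, 1)),
    Identity("reseller-admin", privileged=True, mfa_enforced=True, is_partner=True,
             standing_access=True, last_sign_in=date(2021, 6, 30)),
]
SETTINGS = TenantSettings(legacy_auth_allowed=True, anyone_can_invite_guests=True,
                          audit_log_retention_days=30)

if __name__ == "__main__":
    for category, subject, message in audit(IDENTITIES, SETTINGS, SNAPSHOT_DATE):
        print(f"[{category}] {subject}: {message}")
```

Run against the constructed snapshot it reports seven findings: the contractor admin (no MFA, dormant), the reseller account (standing access, dormant) and the three weak defaults, while the non-privileged service account without MFA is deliberately not flagged as an MFA finding because the check targets privileged roles first.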
Increasing Cloud Attack Surfaces
One of the major issues, according to Aron Brand, CTO of New York City-based CTERA, is that organizations face a confluence of rising attacks and increasing attack surfaces as workers become more distributed post-pandemic.
The latest wave of Russian cyberattacks should serve as an impetus for distributed enterprises to protect corporate data from edge to cloud. For baseline security, enterprises should ensure all the data is reliably backed up and physically separated from the main dataset, with backup versions in a read-only repository.
If your data is outside your firewall, in a public cloud for example, it must be encrypted. Keys should be generated and managed internally by trusted individuals, separate from any third-party service to ensure total data privacy.
“With the rise in edge users and devices, understand that user identities can be compromised, and that the communication source is now meaningless from a security standpoint,” he said.
The bottom line is that enterprise managers must adopt a zero-trust policy. Verify any device or user trying to connect to their systems before granting access. “This is the essence of a zero-trust philosophy: systems should never rely on the communication source and should authenticate each access attempt from every endpoint, including devices on the LAN or VPN,” he added.
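To make the "never rely on the communication source" rule concrete, here is an added example that is not code from the article or from CTERA. A short-lived, HMAC-signed token carrying a device-compliance claim is the only evidence the policy consults; the request's source address is recorded but never used in the decision, so a request from the LAN or VPN without a valid token is denied while a request from the internet with one is allowed. The signing key, claim names, five-minute lifetime and the constructed requests are all assumptions for illustration.

```python
"""Zero-trust access decision: the source address plays no part.

Added example, not code from the article or its interviewees. The key,
claim names, TTL and sample requests are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumption: the identity provider's signing key; in practice it never leaves the IdP.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 300  # seconds; a short lifetime limits replay of a stolen token


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data)


def issue_token(user: str, device_id: str, device_compliant: bool,
                now: Optional[float] = None) -> bytes:
    """Mint a signed token after the IdP has authenticated the user and device."""
    now = time.time() if now is None else now
    claims = {"sub": user, "dev": device_id,
              "compliant": device_compliant, "exp": int(now) + TOKEN_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return body + b"." + _b64(sig)


def verify_token(token: bytes, now: float) -> Optional[Dict]:
    """Return the claims if the signature is valid and the token is unexpired."""
    try:
        body, sig = token.split(b".", 1)
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(request: Dict, now: float) -> Tuple[bool, str]:
    """Decide one request. request["src_ip"] is never consulted: LAN, VPN and
    internet callers are all treated identically and judged on the token alone."""
    token = request.get("token")
    if not token:
        return False, "no_token"
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid_or_expired_token"
    if not claims.get("compliant", False):
        return False, "device_not_compliant"
    return True, f"ok:{claims['sub']}@{claims['dev']}"


def run_demo(now: float = 1_700_000_000.0) -> Dict[str, Tuple[bool, str]]:
    """Evaluate five constructed requests (illustrative addresses and devices)."""
    good = issue_token("alice", "laptop-42", True, now=now)
    bad_device = issue_token("bob", "byod-7", False, now=now)
    expired = issue_token("carol", "laptop-9", True, now=now - TOKEN_TTL - 1)
    # Forgery attempt: flip the compliance claim but keep the old signature.
    body, sig = bad_device.split(b".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["compliant"] = True
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + b"." + sig
    requests = {
        "lan_no_token": {"src_ip": "10.0.0.5", "token": None},
        "internet_good": {"src_ip": "203.0.113.7", "token": good},
        "vpn_expired": {"src_ip": "10.8.0.3", "token": expired},
        "lan_noncompliant": {"src_ip": "10.0.0.9", "token": bad_device},
        "lan_forged": {"src_ip": "10.0.0.9", "token": forged},
    }
    return {name: authorize(req, now) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:18s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Only the internet request with a valid token from a compliant device is allowed; the LAN and VPN requests are denied for lack of a token, for an expired token, for a non-compliant device, or for a tampered claim whose signature no longer verifies.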
Strong Security Needs to Be Built Into the Foundations
However, before doing anything, it is important to remember that the problem is not the cloud; it is the implementations. Cloud service providers like AWS and Azure offer a wealth of security features, and there is a massive universe of security technologies providing all manner of protection and alerting for attacks, said Andrew Plato, CEO of Beaverton, OR-based Zenaciti. “The problem is, and always has been, how companies implement, manage, monitor, and maintain their workloads in the cloud,” he said. “If you start with a weak infrastructure or lack of controls, and keep nursing that along for years, it is inevitable you will be attacked.”
The real problem with cloud security is that it is not the same as on-premises security. Many companies (and vendors) keep promoting the idea that you can simply take what you have running in a data center and move it to the cloud. That does not work. Cloud environments are fundamentally different and require a fundamentally different approach to security, which is why there is such a strong push for zero-trust environments. Moreover, many of these companies lack basic monitoring capabilities.
As a result, when an attack happens it can be weeks or months before they are even aware of it. “Cloud service providers offer a large collection of tools. If a company uses those tools to build an insecure application, it is not the tool that is the problem. It is the person holding the tool,” he added.