MAPGENESYS Inc. https://mapgenesys.com/ Delivering Transformation Innovatively Wed, 15 Feb 2023 15:13:12 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.5 https://mapgenesys.com/wp-content/uploads/2022/07/mapgenesys-favicon.png MAPGENESYS Inc. https://mapgenesys.com/ 32 32 Protecting Your Business: Expert Tips for Creating a Comprehensive Cybersecurity Strategy https://mapgenesys.com/expert-tips-for-comprehensive-cybersecurity-strategy/ Wed, 15 Feb 2023 14:45:35 +0000 https://mapgenesys.com/?p=4814

Protecting Your Business: Expert Tips for Creating a Comprehensive Cybersecurity Strategy

In the digital age, cybersecurity threats are becoming increasingly sophisticated and widespread. Cybercriminals are constantly finding new ways to exploit vulnerabilities in business networks and steal sensitive data. According to a recent report by Cybersecurity Ventures, cybercrime is expected to cost the world $10.5 trillion annually by 2025. With these figures in mind, it's clear that creating a comprehensive cybersecurity strategy is no longer optional - it's essential for the survival of any business.

Conducting a Thorough Threat Assessment

The first step in creating a comprehensive cybersecurity strategy is to conduct a thorough threat assessment. This involves identifying the specific types of cyber threats that your business is most vulnerable to. According to a survey by Cybersecurity Insiders, the top three cybersecurity threats faced by businesses in 2021 are phishing attacks (66%), ransomware (54%), and malware (53%). By understanding these threats, you can develop a plan to address them and minimize your risk.

Developing a Risk Management Plan

Once you've identified your specific cyber threats, the next step is to develop a risk management plan. This plan should outline the steps you'll take to mitigate each type of threat, as well as the measures you'll take to prevent them from occurring in the first place. According to a survey by Deloitte, the most common cybersecurity measures implemented by businesses in 2021 include firewalls (86%), antivirus software (85%), and access controls (82%).

Securing Your Network and Data

Another key aspect of a comprehensive cybersecurity strategy is network and data security. This includes securing your company's IT infrastructure, such as servers, routers, and switches. According to a report by Statista, the global cybersecurity market is expected to reach $248.26 billion by 2023. This indicates the growing need for businesses to invest in network and data security measures such as encryption, access controls, and incident response plans.

Educating Your Employees

Employee training is another important part of a comprehensive cybersecurity strategy. Many cyber-attacks are the result of human error, such as clicking on a phishing email or using a weak password. According to a survey by KnowBe4, 96% of cybersecurity breaches are caused by human error. By training your employees on best practices for cybersecurity, you can reduce the likelihood of these types of incidents. Some training topics might include password management, email security, and social engineering awareness.

Ensuring Compliance with Regulations and Standards

Compliance is another important consideration when developing a cybersecurity strategy. Depending on your industry and the types of data you handle, you may be subject to certain regulations and standards, such as HIPAA or PCI DSS. Ensuring that you are in compliance with these requirements is an essential part of protecting your business from legal and financial consequences.

Managing Vulnerabilities

Finally, vulnerability management is an ongoing process that is essential for maintaining the security of your business. This involves regularly scanning your network for vulnerabilities and weaknesses, and taking steps to address any issues that are identified. According to a survey by Ponemon Institute, the average time to identify a data breach is 228 days, and the average time to contain it is 83 days. By actively managing your vulnerabilities, you can reduce the impact of any potential breaches.

The cost of a cyber-attack can be devastating for a business, not only in terms of financial losses but also damage to reputation and customer trust. By investing in a comprehensive cybersecurity strategy, you can protect your business and give yourself and your customers peace of mind.

With cybercrime on the rise, it's more important than ever for businesses to prioritize cybersecurity. According to a report by Varonis, there were 5,258 data breaches in 2020, resulting in the exposure of 8.4 billion records. The total cost of cybercrime is expected to reach $6 trillion by 2025. These statistics show that cybersecurity is a critical issue for businesses of all sizes and in all industries.

In addition to the financial and reputational costs of a cyber-attack, businesses can also face legal consequences for failing to protect sensitive data. For example, under GDPR regulations, businesses can face fines of up to 4% of their global annual revenue for non-compliance with data protection rules. This highlights the importance of ensuring compliance with relevant regulations and standards when developing a cybersecurity strategy.

In conclusion, cybersecurity is a critical issue that every business must take seriously. By conducting a thorough threat assessment, developing a risk management plan, securing your network and data, educating your employees, ensuring compliance with regulations and standards, and managing vulnerabilities, you can reduce your risk of cyber-attacks and minimize the impact of any incidents that do occur. With cybercrime on the rise, investing in a comprehensive cybersecurity strategy is no longer optional - it's essential for the survival of your business.

]]> Third-Party Risk Management https://mapgenesys.com/third-party-risk-management/ Fri, 07 Oct 2022 13:45:49 +0000 https://mapgenesys.com/?p=4402

Contents

What is Third-Party Risk Management?

Third-Party Risk Management (TPRM) is the process of identifying, analyzing, and reducing the risks associated with the third-party vendors/suppliers

Every organization engages third-party to deliver products and services. These vendors can range from few to hundreds to thousands depending on the size of the organization and nature of products and services they offer. Their services and products are needed for day-to-day operations that helps these organizations to deliver back to their clients to manage their markets.

Every vendor carries a potential risk profile while delivering such products and services. Management in most organizations would assume a higher level of security that comes with it. However, no vendor can escape from being a victim of Cyber Attacks, Data Exploits, and other Breaches, Unless the vendor truly understands the security within.

Most organizations are struggling with their TPRM/VRM/SRM Program, as they do not fulfil the activities critical to operations in the areas of vendor risk profiles, compliance, and quality benchmarking (Assessments). The products/solutions as provided by Vendor/Supplier/Third party has some form of weakness which remains underestimated.

How can We Help You?

mapgenesys can help corporates and SMB to overcome risks that’s not addressed completely, even if you’re managing risks internally. mapgenesys solutions would help you to gain more insight and have a centralized visibility into risks that concerns more. mapgenesys Accelerates a Unified Third-Party Risk Program which integrates with GRC functions and IT Assurance services.

mapgenesys’s Supplier/Third-party risk management program has been designed to an organization of all fit (size and ecosystem). We help our clients to build an efficient and effective Third-party relationship so that your leadership can trust and benefit from the exchange of services/products without any business interruptions, without any risks and minimizing the scope of any potential breach.

mapgenesys help clients resolving critical challenges around Supplier/Third-party risk in the areas of Regulatory Compliance, Governance, Operations, Legal and Financial and Technology risks. mapgenesys Solutions help bridge GAP between the Supplier/Third party and our clients. mapgenesys Provides RAAS (Risk Assurance as Service), where we assess and understand your existing vendor risk portfolios and Risk landscape and help you design a process to manage all vendors centrally, then in a distributed environment with automation as and where needed.
mapgenesys has designed effective TPRM/SRM solutions that help our clients benefit from less risky supplier/Third-Party partnership. We provide a unified solution that’s tied with the centralized management process that are robust, repeatable, and flexible enough to grow with your business.

Third-Party Risk Services

  • We are the interface between our clients and their Vendors
  • We assess and evaluate our client’s security objectives, compliance & Internal controls, and Risk appetite (the assessment is mapped back to the vendor assessment to understand if the vendor meets the client’s security requirements)
  • We identify the scope and requirement of the product/service and initiate the vendor security assessment process (Pre and Post assessment process; based on the vendor profile)
  • We complete the due diligence process (Risk Information: SOC II report, Pen Test Reports, Security Questionnaire, Disclosures, etc.) and provide a detailed analysis and recommendations
  • All Risks as identified will be monitored and tracked for risk remediation measures with process enhancements as needed
  • We provide vendor risk profile summary at a high level to better engage vendors based on Business/strategy changes
  • We integrate and unify various Industry standard and regulatory frameworks to keep our client’s business compliant and safe from cyber incidents (attacks, exploits, breaches, etc.)

Benefits of Third-Party Risk Management

  • Management has visibility in their vendor’s risk profile which results in better informed decisions that relate to new and emerging technologies
  • Manage time and save cost on resources and infrastructure
  • Avoid/Minimize Operation, Legal threats, Regulation actions, Reputation/Brand issues, Data and Security compromises, financial losses, etc.
  • Always stay compliant with various regulations and standards

Our array of Services

Importance of TPRM as a Service

Most Organizations, Markets and Governments always face the heat of growing Cybersecurity Malicious activities and incidents. We all know the worst cyber-attacks of 2021 that were experienced by SolarWind, Microsoft Exchange, REvil, Colonial Pipeline, Kaseya, Microsoft's (Print)Nightmare and Log4.

We don’t know who would be next, but we can help you to avoid such unforeseen and unfortunate situations.

Third-Party risks should be a point of great concern. Most organizations do not have the capacity to fulfil the Due-Diligence process on their Vendors. One risk will breach the foundation of the organization that attracts loss of Brand reputation, penalties and more. Third-Party risks can be accounted based on the evaluation areas of Regulatory Compliance, Operational, Legal, Strategic, Financial Risks and Cyber Security events.

Governance Risk and Compliance (GRC) Program

mapgenesys will bring value to your business with the array of GRC and IT Assurance services.

GRC – IT Assurance Services

mapgenesys’s Unified Governance, Risk and Compliance Services (GRC) program offers a complete range of IT Audit, Risk and Compliance Assurance Solutions that are tailormade for different industry verticals across small, medium, and large organizations/Enterprises.

We provide these solutions based on the organization’s size, culture, business, sector, geographical presence and spread and relevant regulatory requirements as applied.

mapgenesys Can overcome the challenges an Organizations/Enterprise faces:

  • Overcome the need to optimize ROI arising from the IT Assurance program
  • Overcome Resource/skill shortage as needed to deliver IT Assurance Program
  • Overcome Distributed domain specialist support. (Support Audit reviews and IT Controls for Internal and Vendor/Third Party Risks)
  • Overcome Compliance with specific regulation/Legislation/standards with reference to IT Controls
  • Overcome Risk and Compliance risks from Emerging Technology and Infrastructure changes
  • Overcome IT Assurance program with Acquire/Merged Organizations

GRC – Enterprise Risk Management

mapgenesys’s Unified Risk Management establishes an effective risk framework across enterprise-wide with standards and methods for risk identification, assessment, management, and reporting while supporting the risk program to meet the critical and unique needs of our clients.

mapgenesys Accelerates a unified risk program, validating current security posture and risk landscape to understand so that we can build and provide secure and reliable solutions that not only saves cost, but time and effort.

mapgenesys has also been delivering Cybersecurity and TPRM Advisory services over a decade now. Our team of consultants can quickly Assess and build unified control library while doing Internal risk assessments and Audit assurance services/projects.

GRC – Risk-Audit Assurance Services

mapgenesys’s has developed interrelated and unified approach which revolves around Risk-Audit, Compliance, Controls and Assurance Services. We bring in solutions that protect and strengthen every business from people process and technology.

mapgenesys help clients with the design and implementation of IT risk, Vendor Risk and IT Controls to safeguard businesses involving complex and emerging technologies risk landscape. We help you overcome your challenges and risks as underestimated and undefined in the areas of shadow IT processes.

mapgenesys is prepared and equipped to resolve risks revolving around “Digital Solutions”. Every business prefers automation so that all processes can be aligned without a margin of error. However, if the automation does not meet the logic and the purpose, it would deviate and would result in creating risks that may go un-noticed.

FAQ

Third-Party risk management primary goals is to manage the overall risk associated with conducting business with Client suppliers/vendors by utilizing the following methods:

  1. Identify, Categorize and Prioritize Third Party/Suppliers/Vendors
  2. Perform TPRA using Central questionnaire database as available
  3. Monitor and track identified risks (including periodic re-assessments as needed). This is a part of due diligence process
  4. Communicate findings to Business owners and Third Party/Supplier/Vendor
  5. Project Dashboard reporting to the Management
  6. Reduce Risks to Client and their Customers
  1. Vendor/Supplier who handle PII or generally Sensitive Data (ex; Intellectual Property (IP), Financial data, HR application/support vendors, etc.).Vendor/Supplier that develop custom software or hardware for Client/Third-party manufacturing companies
  2. Vendor/Supplier with access to our network/systems
  3. Vendor/Supplier performing work at third-party/offshore locations
  4. Cloud service providers
  5. Contingent Workforce Suppliers (CWS) and consulting companies
  1. Minimize exposure and losses for both Client and our customers
  2. Ensure our compliance with various regulations and standards such as PCI, GDPR, ISO2700X, NIST, etc.
  3. Enable the business to make informed decisions
  4. Tracking and monitoring third-party/suppliers/Vendors, helps mitigate and manage Information Security – privacy related risks. This is important due to risk factors such as:
    • Recent increased threat from hackers, ransomware/malware, and global threat actors
    • The proliferation of the use of new, cutting-edge technologies (ex: Cloud)
    • New regional laws and regulations based around cybersecurity and data privacy

TPRM framework consists of:

  1. Due-diligence process by providing vendor questionnaires
  2. Reviewing security responses and mapping to security controls
  3. Review controls concerning policy, procedure, and standards
  4. Assessing vendors based on security ratings and external disclosures

Advancement of emerging technologies to meet future demands and scalability has left organizations with challenges on how to address third party risks who acts a key spoke in their technology delivery. Underrated risks arising from Vendors (Third Party) exposes revenue loss.

  1. Risks over data security and integrity for vendors/Third party’s having remote access within or beyond geographical boundaries
  2. Risks over vulnerabilities and threat landscape in vendor’s environment and map any dependencies with their sub-contracting parties
  3. Non-Compliance against Regulatory Audits and compliance attestation and Certification through inadequate assessments and activities performed
  4. Process not aligned/mapped with different control frameworks. Lack of skilled resource to manage and monitor the risks on vendors/Third Party’s
  5. Lack of awareness and training in a multi network vendor activity and not limited to scope of policies, process people and technology
]]> An escalation of Conti ransomware attacks 2021 – Double Extortion Ransomware https://mapgenesys.com/double-extortion-ransomware/ Fri, 13 May 2022 11:02:30 +0000 https://mapgenesys.com/?p=1920

CISA, the FBI, and the NSA have issued a warning to US organizations around increased attacks from the Conti Ransomware.

With the disappearance of REvil earlier this year, many affiliates shifted strains, with Conti being one of the popular variants adopted by these criminals, explaining this rapid increase in attack attempts, with the FBI confirming that they have witnessed at least 400 individual attacks against domestic and foreign institutions. Conti ransomware uses the MITRE ATT&CK techniques, and in typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.

This year Conti successfully disseminated a huge attack against Ireland’s Health Service Executive (HSE) and Department of Health (DoH), one which demanded $20 million, and Irelands Health Service is still recovering from this. The FBI has confirmed that healthcare continues to be one of the most targeted sectors amongst Conti’s attack efforts.

Here we have yet another sophisticated and successful ransomware-as-a-service (RaaS) strain operating out of Russia. Conti is a strain known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors, to maintain persistence on victim networks. Legitimate tools such as Sysinternals and Mimikatz are then utilized on the victim’s network to obtain credentials and escalate privileges, before moving laterally across the network and deploying the Conti malware.

Ransomware places customer call centers on hold. A Conti ransomware attack on GSS, the Spanish and Latin America division of Covisian, leading European customer care and call center provider, has locked up its IT systems and disrupted call center operations of companies like Vodafone Spain, Madrid’s water supplier, and television stations. Details are few, but the Record by Recorded Future notes that GSS described the incident as “inevitable/unavoidable.”

What happens with the attack?

Ransomware gangs actively look for and prey on victims who are using legacy cybersecurity products. These solutions typically have a difficult time keeping up with modern sophisticated attacks due to their model of requiring a sample of the malware before being able to create signatures that guard against it.
Like many other ransomware gangs, Conti completely removes the volume of shadow copy files on a system – making simple restoration impossible.
In May, the Federal Bureau of Investigation (FBI) revealed that the Conti ransomware gang has hit at least 16 healthcare and first responder organizations.
In August, an affiliate of the Conti RaaS has leaked the training material provided by the group to the customers of its RaaS, he also published the info about one of the operators.
The Conti Ransomware operators offer their services to their affiliates and maintain 20-30% of each ransom payment.
The affiliate leaked the IP addresses for Cobalt Strike C2 servers and an archive of 113 MB that includes training material and tools shared by the Conti operators with its network to conduct ransomware attacks.

More Technical Details

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. Conti developers likely pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receive a share of the proceeds from a successful attack.

Conti actors often gain initial access [TA0001] to networks through:

  • Spearphishing campaigns using tailored emails that contain malicious attachments [T1566.001] or malicious links [T1566.002];
  • Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
  • Stolen or weak Remote Desktop Protocol (RDP) credentials [T1078].
  • Phone calls;
  • Fake software promoted via search engine optimization;
  • Other malware distribution networks (e.g., ZLoader); and
  • Common vulnerabilities in external assets.

Conti actors often use the open-source Rclone command-line program for data exfiltration [TA0010]. After the actors steal and encrypt the victim's sensitive data [T1486], they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with the public release of the data if the ransom is not paid.

Ref: https://us-cert.cisa.gov/

The advisory published by various US agencies and to secure our client’s environment mapgenesys suggest you with the following mitigations:

  • Use multi-factor authentication to remotely access networks from external sources.
  • Implement network segmentation and filter traffic. Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
  • Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites.
  • Scan for vulnerabilities and keep software updated. Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures.
  • Upgrade software and operating systems, applications, and firmware on network assets promptly. Consider using a centralized patch management system.
  • Remove unnecessary applications and apply controls. Conti threat actors leverage legitimate applications—such as remote monitoring and management software and remote desktop software applications—to aid in the malicious exploitation of an organization’s enterprise.
  • Implement endpoint and detection response tools. Endpoint and detection response tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
  • Limit access to resources over the network, especially by restricting RDP.
  • Secure user accounts. Regularly audit logs to ensure new accounts are legitimate users.
  • Use the Ransomware Response Checklist in case of infection.

If you’re battling this or a similar threat, you’ve come to the right place. The mapgenesys Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

Based on different techniques used by the attackers, we have different processes to help our customers secure their organizations mapgenesys's endpoint security includes data security, network security, advanced threat prevention, forensics, endpoint detection, and response (EDR), and remote access VPN solutions.

We have a global consulting team standing by to assist you in providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://mapgenesys.com/contact-us/

]]> Exploiting recent patches: Zero-Day Vulnerability in MSHTML (CVE-2021-40444) https://mapgenesys.com/exploiting-recent-patches-zero-day-vulnerability-in-mshtml-cve-2021-40444/ Fri, 13 May 2022 09:32:29 +0000 https://mapgenesys.com/?p=1908

Microsoft released an advisory on a zero-day (CVE-2021-40444) vulnerability in Microsoft MSHTML that adversaries are actively exploiting through Microsoft Office documents. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. In an attempt to exploit this vulnerability, attackers create a document with a specially crafted object. If a user opens the document, MS Office will download and execute a malicious script.

Is Protected View Defended the attacks?

Even though Microsoft stated that Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack, the RTF attack vector is still open for exploitation. Adversaries can use several other bypasses for Protected View. Regardless, administrators should ensure they have Protected View enabled. Microsoft has provided workarounds as temporary mitigation until they release a patch.

The same attacks are still happening all over the world. We are currently seeing attempts to exploit the CVE-2021-40444 vulnerability targeting companies in various sectors includes the research and development sector, the energy sector, large industrial sectors, banking, medical technology development sectors, telecommunications, and the IT sector.

Microsoft has stated that both Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect malicious files as long as the definitions are up-to-date. Organizations using only Microsoft Defender for Endpoint should ensure that they have placed their EDR in block mode.

Ref: https://securityaffairs.co/

Technical details

The remote code execution vulnerability CVE-2021-40444 was found in MSHTML, the Internet Explorer browser engine which is a component of modern Windows systems, both user and server. Moreover, the engine is often used by other programs to work with web content (e.g. MS Word or MS PowerPoint).
In order to exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing an URL for a malicious script. If a victim opens the document, Microsoft Office will download the malicious script from the URL and run it using the MSHTML engine. Then the script can use ActiveX controls to perform malicious actions on the victim’s computer. For example, the original zero-day exploit which was used in targeted attacks at the time of detection used ActiveX controls to download and execute a Cobalt Strike payload. We are currently seeing various types of malware, mostly backdoors, which are delivered by exploiting the CVE-2021-40444 vulnerability.

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Possible exploitation of CVE-2021-40444 (requires Defender Antivirus as the Active AV) The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
  • Suspicious Behavior By Office Application (detects the anomalous process launches that happen in exploitation of this CVE, and other malicious behavior)
  • Suspicious use of Control Panel item

Mitigations

  • Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.
  • Use the latest Threat Intelligence information to keep up to date with TTPs used by threat actors.
  • Businesses should use a security solution that provides vulnerability, patch management, and exploit prevention components, such as the Automatic Exploit Prevention component in Kaspersky Endpoint Security for Business. The component monitors suspicious actions in applications and blocks malicious file execution.
  • Use solutions like mapgenesys MDR-as-a-service and our Built to Suit Services service, which helps identify and stop an attack at an early stage before the attackers achieve their final goal.
  • mapgenesys Solutioning teams help you with pre-implementation discovery, planning, design activities, and execution in the “Outcome-based - Built to Suit Services” model.

Preventing Exploit with mapgenesys’s EndPoint Security

  • Based on different techniques used by the attackers, we have different processes to help our customers secure their organizations mapgenesys's endpoint security includes data security, network security, advanced threat prevention, forensics, endpoint detection, and response (EDR), and remote access VPN solutions.
  • In addition to Incident response, vulnerability management, and various other security services, we provide threat hunting that exposes the Advanced Persistent Threats (APTs) and potential risks along with Machine-learning classification to detect zero-day threats in near real-time.
  • Centralized endpoint management platform for greater visibility and simplify operations

We advise administrators to perform an enterprise-wide IoC sweep to check if their organizations have been targeted. mapgenesys is aware of targeted attacks using CVE-2021-40444, and our products protect against attacks leveraging the vulnerability. On September 7, 2021, Microsoft shared a partial workaround for the flaw, and only in 24 hours, they observed a rise in exploitation attempts within. Since no patch is yet available and bypasses are available for the mitigations, enterprise defenders must remain vigilant and proactively hunt for threats in their network.

]]> OWASP Top 10 2021 release shakes up Web App Threat Categories https://mapgenesys.com/owasp-shakes-up-web-app-threat-categories-with-release-of-draft-top-10/ Thu, 12 May 2022 12:30:55 +0000 https://mapgenesys.com/?p=1864

The latest installment of The OWASP Top 10 2021- a list of the most dangerous web vulnerabilities, has been updated after four years, and, after more than a decade, there is a new vulnerability at the top of the ranking.

Created in the mid-2000s, the list is curated by the Open Web Application Security Project, a nonprofit foundation that’s made up of security experts from around the world to evaluate the importance and severity of vulnerabilities in web-based apps.

For example, bug bounty platforms use the OWASP Top 10 list to classify bugs that need to be patched right away or deserve higher monetary rewards.

Because the web programming landscape and its applications are constantly evolving as new programming languages and techniques are incorporated, OWASP experts usually get together once every three-four years to update the Top 10 ranking, moving entries in or out and up and down the list to reflect the current web app ecosystem.

The ranking was updated the last time in November 2017.

But last week, the OWASP team released its upcoming list, one that comes with a complete shake-up and even a new leader.

Ref: https://owasp.org/Top10/

OWASP Top 10: The full list

2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.

2021-Cryptographic Failures shift up one position to #2, previously known as Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography which often leads to sensitive data exposure or system compromise.

2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.

2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.

2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.

2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the industry survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any CVEs mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.

2021-Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now include CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.

2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from CVE/CVSS data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.

2021-Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.

2021-Server-Side Request Forgery is added from the industry survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the industry professionals are telling us this is important, even though it’s not illustrated in the data at this time.

2021

Broken Access Control

Cryptographic Failures

Injection

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server-Side Request Forgery

2017

Injection

Broken Authentication

Sensitive Data Exposure

XML External Entities (XXE)

Broken Access Control

Security Misconfiguration

Cross-Site Scripting (XSS)

Insecure Deserialization

Using Components with Known Vulnerabilities

Insufficient Logging & Monitoring

2013

Injection

Broken Authentication and Session Management

Cross-Site Scripting (XSS)

Insecure Direct Object References

Security Misconfiguration

Sensitive Data Exposure

Missing Function Level Access Control

Cross-Site Request Forgery (CSRF)

Using Components with Known Vulnerabilities

Unvalidated Redirects and Forwards

2010

Unvalidated Redirects and Forwards

Cross-Site Scripting (XSS)

Broken Authentication and Session Management

Insecure Direct Object References

Cross-Site Request Forgery (CSRF)

Security Misconfiguration

Insecure Cryptographic Storage

Failure to Restrict URL Access

Insufficient Transport Layer Protection

Unvalidated Redirects and Forwards

2007

Cross-Site Scripting (XSS)

Injection Flaws

Malicious File Execution

Insecure Direct Object Reference

Cross-Site Request Forgery (CSRF)

Information Leakage and Improper Error Handling

Broken Authentication and Session Management

Insecure Cryptographic Storage

Insecure Communications

Failure to Restrict URL Access

2004

Unvalidated Input

Broken Access Control

Broken Authentication and Session Management

Cross Site Scripting

Buffer Overflow

Injection Flaws

Improper Error Handling

Insecure Storage

Application Denial of Service

Insecure Configuration Management

Analysis: OWASP shifts left

The 2021 ranking is also the first time since 2007 that the “Injection” vulnerability category has not been at the top of the ranking. Instead of old risks going away, OWASP has consolidated existing risks into several categories and new risks have been added, reflecting the increased threats facing web applications. For the 2021 list, OWASP added three new categories: ‘Insecure Design’,

The reason for this is because web apps are getting more and more complex, and oftentimes, they are just a collection of APIs, with their own set of configuration options that, when combined, leave the door open for misconfigurations, unprotected endpoints, or unforeseen interactions.

Many of these risks are not new, so why do organizations fail to find these problems before releasing code to production, or fail to protect these vulnerabilities against attack in production? (Considering the newly added category: ‘Insecure Design’).

The impact of broken access control

  • Hidden Exposure for Sensitive Data, Elevation of privilege usage of the custom API attack tool, CORS misconfiguration allowing unauthorized API access, forced browsing, and Depending on the specific vulnerability, the consequences can be devastating. The worst-case scenario is when an unauthorized user has access to a privileged function. This can give them the ability to modify or delete content on the website, or even worse, gain full control over the web application.
  • Remediating of access control vulnerabilities will typically involve changes to the functionality of application code. These changes often include implementing server-side checks to ensure that the users attempting to access or modify data have rights to do so and changing the default behavior to deny access/modification unless access is explicitly granted.
  • Organizations should investigate and implement a Systems Development Life Cycle (SDLC) policy that adopts secure coding practices while ensuring penetration testing is performed in the final stages of development to identify access control issues not identified during development.

What mapgenesys can do as your Security Specialist

  • Our Cybersecurity Practitioners, Professional Services (PS), and Security Specialists, and DevOps teams can improve monitoring, compliance, and response with centralized control of all cloud workloads and IaaS, PaaS, container, and virtual environment. Our team conducts penetration testing as part of our security testing services.
  • Our advanced endpoint security solution includes several technologies and capabilities like zero-day threats by using machine-learning, behavioral analysis, Security Analytics, Real-time threat intelligence, and Endpoint detection and response (EDR).
  • Fully managed end-to-end vulnerability management program development and administration.
  • The protection of systems and devices has become more important and we pledge to ease out the difficulty in managing your security services.

Added Benefits with mapgenesys

  • Auditing and reporting for visibility into the usage of systems and its information
  • Deliver smarter authentication, secure authorization, and high scalability
  • Enforcement of user access rights to certain systems and information
  • Govern and protect your business, data, users and assess

mapgenesys Managed AppSec services allow you to offload your application security program – from Application scanning and vulnerability validation to pen testing – onto our experts, guaranteeing a consistent application assessment process to help you to minimize your workload, maximize your productivity, and free you up for other tasks. 

mapgenesys Application security services consist of 3 categories:

]]> Human-Led Threat Hunting Methodology with mapgenesys for Seamless Security https://mapgenesys.com/old-threats-new-faces-threat-hunting-made-easy-with-mapgenesys/ Thu, 12 May 2022 11:47:27 +0000 https://mapgenesys.com/?p=1859

According to data from CrowdStrike, 68% of detections from the last three months were not malware-based - identifying more than 65,000 potential intrusions, or approximately 1 potential intrusion every 8 minutes — 24 hours a day, 365 days a year.

  • The time an adversary takes to move laterally, from an initially compromised host to another host within the victim environment - from July 1, 2020, to June 30, 2021, the average was just 1 hour 32 minutes. Moreover, it was found that in 36% of those intrusions, the adversary was able to move laterally to additional hosts in less than 30 minutes.
  • Most ransomware operators engaged in big game hunting (BGH) activity have now adopted the threat of data leaks alongside data encryption to extract payment from victims. Many adversaries have also established dedicated leak sites (DLSs) as a forum to publicize victim details and release the stolen data. INDRIK SPIDER is an exception to this trend toward the use of data extortion.
  • A year-over-year comparison of the total number of attempts that were observed is that attacks targeting the telecommunications and retail industries more than doubled. The professional services industry saw a more than 90% increase in numbers, while the government and academic sectors both saw attacks increase by more than 80%.
  • Common initial access techniques observed in use against the telecommunications industry include spearphishing, vulnerability exploitation, use of legitimate credentials, and supply chain compromise. Once access has been gained, adversaries often exploit services or use system-native tools, such as Windows Management Instrumentation (WMI) and various command and script interpreters, to stage the rest of their operation.
  • China-nexus adversary WICKED PANDA often uses a variety of remote access tools including Cobalt Strike and their custom software such as Winnti, ShadowPad, or RouterGod to progress their intrusions. The LightBasin cluster has a diverse toolset that includes a tool referred to as sun4me, which has been deployed as an encrypted payload using a key derived from the victim's environment and is decrypted by a tool referred to as STEELCORGI. sun4me's wide-ranging features include:
  • Tools to enumerate the network via SNMP, UDP and different traceroute mechanisms
  • WHOIS and DNS query tools
  • Exploits for HeartBeat, Java over Remote Method Invocation (RMI), Apache Struts,
  • Weblogic, Veritas Veritas NetBackup, and others
  • Administration interface for MikroTik routers
  • Tools to remotely extract the configuration from Cisco routers
  • Tools to decrypt passwords from Cisco configuration, vncpasswd, and cvspass files
  • Tools to monitor activity on the infected host
  • Tools to enumerate remote users and brute force their credentials via SSH
  • Utility tools such as grep, hexdump, shred, compress and uncompress, and various versions of netcat

mapgenesys Human-led Threat Hunting Methodology

Threat hunting is the adoption of simple and unique methods, standards, and practices, it is a unique ability to see and stop the most sophisticated threats. With top-level proactive threat hunting, anomaly detection, statistical & behavioral analysis, our threat hunters have helped our clients achieve a secure environment.

Our Human-led Threat Hunting Methodology finds a needle in a haystack — described below, to systematically detect threats at scale:

  • Search for indicators of compromise: Using Indicators of Attack (IOAs) and tactics, techniques, and procedures (TTPs) proactively hunt for and validate potential threats and incidents- Rather than sit back and wait for threats to strike.
  • Hypothesis-driven investigation: Our cyber threat hunters gather events from millions of endpoints and formulate a hypothesis that aligns with MITRE and is based on knowing the behaviors of threat actors and validate those hypotheses through active searches in the environment.
  • Initiate actions to remotely disrupt, contain, and neutralize threats: We hunt and detect threats faster, 24x7, and respond more adaptively to contain and remediate. We protect our clients from countless new vulnerability points and highly sophisticated attacks.

With each new threat, mapgenesys extracts new insights to drive continuous advancements in automated detections and human threat hunting.

Outcome-Focused Security

Our experts look at the behaviors and activities associated with malicious screen capture activity, including the writing of image files to disk, the deployment and execution of file compression and archival utilities, and anomalous traffic to unknown external hosts that may indicate potential exfiltration activity. Our Threat hunters proactively investigate lateral movement activity, enriched by contextual system events.

Our mission is to expose advanced interactive threats and deliver actionable contextual threat intelligence through our shared factory operations. mapgenesys supports fully and co-managed security teams around the globe by delivering alerts in Real-time. These alerts enable security responders to act quickly and decisively against live threats in their environment. But finding the threat is only half the battle — it is crucial that defenders contain and remediate the threat quickly before any damage can be done.

Difficulty in Finding threats? known adversaries or insider threats or outside attackers? Our Team is constantly monitoring the threat landscape to detect new types of attacks, critical vulnerabilities, and the behavior of cybercriminals and other adversaries.

Recommendations for Seamless Security

  • Organizations must employ strict patch management and enforce robust user and password controls, coupled with robust privileged access management practices while ensuring an appropriate level of scrutiny and caution is applied for all externally accessible services.
  • Be vigilant and ready to act. Adversaries are continuing to find new ways to breach organizations and can move laterally in just minutes. Defenders must hunt around the clock and must be ready to act within minutes.
  • Pay close attention to remote access. The use of legitimate, non-native remote access tools such as TeamViewer, AnyDesk, or VNC (and its variants) by eCrime actors is common. Defenders should restrict and audit the use of such tools in their environment, even for authorized use cases.
]]> LockBit Resurfaces with Version 2.0 Ransomware https://mapgenesys.com/lockbit-2-ransomware/ Thu, 12 May 2022 11:35:14 +0000 https://mapgenesys.com/?p=1852

Like other ransomware-as-a-service (RaaS) operations, LockBit 2.0 looks for affiliates to perform the intrusion and exfiltration on targets.

The gang went on a hiring spree in the wake of DarkSide and REvil both shutting down operations, putting up wallpaper on compromised systems that includes text inviting insiders to help compromise systems, and promising payouts of millions of dollars.

LockBit 2.0 shows influences of and similarities to Ryuk and Egregor, particularly certain notable behaviors.

Ransomware Threat Landscape:

  • Recently, Bangkok Airways has revealed it was the victim of a cyberattack from ransomware group LockBit, resulting in the publishing of stolen data. LockBit mostly targets organizations like enterprises and governments that will be disrupted enough by ransomware that paying up is the easy way out.
  • Earlier this month the gang hit outsourcing and accounting firm Accenture. The company reported revenues of $44.33 billion in 2020 and had 569,000 employees across 50 countries. Rumors swirled that the cybercrimes demanded $50 million in cryptocurrency from the consulting MNC. The deadline was continually moved forward until Accenture concluded the stolen data was not significant.
  • Another LockBit target was UK train operator Merseyrail, which fell victim in April 2021. Trains continued to run on time, but the criminals got bragging rights after reportedly pwning a company director's Office 365 account and using it to email employees and journalists about their achievement.

Indicators of Compromise

File Hashes

Sha256 – 0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049

URLs

hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion
hxxp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did[.]onion
hxxp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid[.]onion

TTPs

T1562.001: Impair defenses: disable or modify tools
T1070.001: Indicator removal on host: clear Windows Event Logs
T1041: Exfiltration Over C2 Channel
T1486: Data encrypted for impact
T1489: Service stop
T1490: Inhibit System Recovery

Details of the Operations:

On August 23, 2021, a Russian-speaking tech blog YouTube channel “Russian OSINT” published an interview with the representatives of LockBit uncovering details of their operations

The LockBit 2.0 representative claims their ransomware to have the most advanced technical features allowing it to stand up among its competitors. Stated features include:

  • 1) the fastest encryption speed and data exfiltration
  • 2) automated process of distribution and encryption.
  • 3) Immediate data exfiltration

They do not attack healthcare and educational institutions, as well as social services and charities. Anything that contributes to the development of human beings and their safety remains untouched.

mapgenesys's Recommendations and Best practices:

Being aware of LockBit 2.0 capabilities, further developments, and how it is currently recruiting affiliates and insiders, it is advised to be prepared for upgrades and a lot more. Below are a few of mapgenesys’s recommendations that can help organizations prevent and mitigate the impact of attacks.

  • LockBit 2.0 is known for actively exploiting public-facing applications. Therefore monitoring endpoints should be the first mitigation strategy. The group specifically prefers the following infrastructural endpoints:
  • Corporate VPN - especially Citrix/FortiNET
  • Externally exposed RDPs
  • As a top-tier ransomware group, LockBit likely investigates recent CVEs including ProxyLogon and Microsoft Exchange exposure. Monitoring exposed endpoints and application of CVE-addressing patches is required.
  • Perform periodic vulnerability assessments, and conduct regular patching or virtual patching for operating systems and applications. Ensure that all installed software and applications are updated to their latest versions.
  • Perform security skills assessment and training for all personnel regularly, and conduct red-team exercises and penetration tests.
  • LockBit prioritizes network investigation which enables them to steal sensitive data. Therefore, disrupting network movements via creating segregated segments of network, clear access hierarchy, and additional security for active directory, domain admin, and local domains can significantly complicate their operations.
  • Multifactor authentication is required to protect employees’ accounts from obtaining account credentials by actors that might be used to escalate privileges and move laterally within the network.
  • It is suggested to perform daily backups and keep them offline to avoid data loss.
  • Audit and monitor all logs of events and incidents to identify unusual patterns and behaviors.
]]> Microsoft IIS Web server is the new attack vehicle for Several Malware families https://mapgenesys.com/microsoft-iis-web-server/ Thu, 12 May 2022 11:20:51 +0000 https://mapgenesys.com/?p=1841

#ESETresearch reveals #IIStealer, a malicious IIS web server extension targeting credit card information from e-commerce transactions. IIStealer is implemented as a native module for Internet Information Services, Microsoft’s web server software.

It handles the server’s BeginRequest post-event notification, which means its code is called every time the IIS server starts processing a new HTTP request.

IIStealer intercepts all the server traffic and logs payment information from e-commerce transactions, targeting POST requests made to payment URIs. The attacker then exfiltrates the logs by sending a special request to the compromised IIS server with an embedded password.

The malware affects e-commerce websites that don’t use third-party payment gateways.

Even with SSL/TLS and encrypted communication channels, IIStealer can access all data handled by the server, including credit card information being processed in its unencrypted state.

Eset has published all the IOCs at the following location: click here

Read Eset’s full guide into analyzing malicious native IIS modules at: click here

mapgenesys's Recommendations and best practices

The best way to harden an IIS server is to:

  • Analyze dependencies and uninstall unneeded IIS modules after upgrading
  • Properly configure web server user/group accounts - Use dedicated accounts with strong, unique passwords for the administration of the IIS server
  • Regularly patch your OS, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation
  • Configure HTTP Request Filtering Options
  • Dynamic IP address restrictions use a requestor’s IP addresses and domain name to determine whether or not to restrict access
  • Only install native IIS modules from trusted sources
  • Consider using a web application firewall, and/or endpoint security solution on your IIS server.
  • Do not send the password itself to the server (not even over SSL/TLS); use a protocol such as Secure Remote Password (SRP) to authenticate users without the need for the unencrypted password to be transmitted to the server, nor data that could be used to reauthenticate. IIS infostealers are a good example of why server-side hashing is not good enough.
  • Avoid unnecessarily sending sensitive information from the web application; use payment gateways.

mapgenesys’s Cybersecurity Practitioners, Professional Services (PS), and Security Specialists are available to help determine the next steps beyond the guidance/guidelines. We provide you with proactive, contextual and effective Hardening and Standardization w.r.t IIS Webserver STIG click here, OWASP guide to hardening IIS. click here, Center for Internet Security IIS 10 Benchmark. Benchmarks and click here for pdf.

As a part of our Managed Security Services, we collect Web site activity data in the W3C log file format from Microsoft IIS servers, along with these logs, we also ingest W3C-compliant log files generated by standard logging as well as advanced logging in IIS. This will be relevant to comply with technical, regulatory, and compliance reports such as PCI DSS, HIPAA, OWASP Top 10, and many others.

mapgenesys is also capable of performing a full-fledged security assessment of a website or web application and discovers server misconfigurations and vulnerabilities

]]> AWS Cloud Security Issues: What You Need to Know https://mapgenesys.com/aws-cloud-security/ Thu, 12 May 2022 10:56:42 +0000 https://mapgenesys.com/?p=1816

You can’t secure what you can’t see! With unique cloud opportunities and benefits, some challenges come with having AWS as your cloud platform.

While the concerns and issues vary widely from company to company and industry to industry, are we prioritizing a Security Strategy ahead of controls and tools?

As the ecosystem and cloud environment gets larger so do the security risks. Misconfiguration, insecure interfaces, and unauthorized access topped the list.

The over whelming digital transformation and consumerization of IT has created an explosion of data and applications in the cloud. But this rapid proliferation of applications, services and moving workloads to the cloud comes with the risk of unmonitored access, security loopholes and data leaks.

Poor visibility into an organization’s cloud usage is a major security challenge prompting many enterprises to reassess and adjust their security posture to suit the dynamic nature of cloud environments. It has been found that an average enterprise invests in 32 different cloud security tools at high cost.

But that is not all, finding qualified cybersecurity expertise is another top challenge for companies battling the shortage of cloud security skills

Each business must be able to answer the following key questions:

  • Who has access to which applications and when?
  • How can we monitor for key file changes?
  • Will we be notified promptly when something anomalous occurs?
  • Do we have strong password policies and authentication practices?
  • What are the Compliance Controls?

AWS SECURITY RISKS:

A recent global Cloud Security Report released by Check Point and Cybersecurity Insiders shows that the top cloud security threats are unauthorized cloud access (42%), insecure interfaces (42%), misconfiguration of the cloud platform (40%), and account hijacking (39%).

AWS security is not fail-safe and operates on a Shared Security Responsibility model. This means that Amazon secures its infrastructure while you have your own security controls in place for the data and applications you deploy and store in the cloud.

According to RedLock’s research, the average lifespan of a cloud resource is two hours and seven minutes. With multiple cloud accounts and regions, it is highly difficult to detect risks with decentralized visibility. 85% of resources associated with security groups don’t restrict outbound traffic at all.

Administrators often forget to disable root API access. The exposed applications structure requires you to strengthen existing security controls. This includes continuously updating your security configurations with sufficient patching, strong firewall configurations, and proper network security implementations.

AWS S3 buckets are now exposed via additional channels and APIs, which create new security blind spots that hackers are waiting to exploit.

Issues with AWS infrastructure configuration based on the research done by ScienceSoft:

  • AWS Firewall Manager.
  • Identity and access management (IAM) controls.
  • Logging and monitoring tools (Amazon GuardDuty, CloudWatch, and CloudTrail used to implement an efficient SIEM solution as part of a comprehensive AWS monitoring approach).

These AWS infrastructure components may have the following typical misconfigurations:

  • Disabled multi-factor authentication for AWS services.
  • Amazon CloudTrail is not configured to log the API call history of key AWS services.
  • Wide-range permissions for S3 buckets, public cloud storage resources.
  • IAM accounts are set up as a single point of access to multiple resources.
  • Broad access ranges for AWS Security Groups.
  • Startup and configuration scripts containing authorization info.
  • Public AWS AMIs (Amazon Machine Image) containing proprietary or sensitive data.
  • Machine state snapshots placed in public storage.

mapgenesys's layered, and in-depth Cloud Security Services offer 24x7 real-time monitoring of applications, devices and servers in the cloud, in short, complete visibility of all security events to minimize vulnerabilities in your cloud infrastructure.

Our Cybersecurity Practitioners, Professional Services (PS), and Security Specialists, and DevOps teams can improve monitoring, compliance, and response with centralized control of all cloud workloads and IaaS, PaaS, container, and virtual environment. Our team conducts penetration testing as part of our security testing services.

mapgenesys's Recommendations and best practices for AWS security:

  • Think of security at every layer. Make sure that every activity is traceable and that you manage privileges meticulously
  • Be sure to encrypt every piece of sensitive data that you store in or transmit over your AWS environment.
  • Unified, comprehensive security across public, hybrid, and multi-cloud environments give you control over cloud configurations, application and API security management, and access controls, as well as monitoring data in transit, in use, and at rest.
  • Establish the proper identity and access management by setting up appropriate permissions.
  • Effectively locate security vulnerabilities using cloud security assessments
  • Monitor and Audit Server access logs and Cloud watch metrics
  • Harden AWS setup using CIS and DISA-STIG benchmarks

As a part of our Managed Cloud Security services, we leverage AWS native tools like Security Hub, Trusted advisor, Route53, WAF, Kinesis, GuardDuty, CloudTrail, CloudWatch, Macie, MFA, Inspector, DDOS mitigation, IAM, Data Encryption and Infra security to provide holistic AWS cloud security.

Our cloud security experts are constantly available to discuss your company’s needs and goals for seamless security.

]]> Kubernetes Security: Deployment Cyber Risks and mapgenesys’s Recommendations https://mapgenesys.com/security-is-one-of-the-hardest-challenges-of-running-kubernetes/ Thu, 12 May 2022 10:03:19 +0000 https://mapgenesys.com/?p=1807

Kubernetes can be a valuable target for data and/or compute power theft. While data theft is traditionally the primary motivation, cyber actors seeking computational power (often for cryptocurrency mining) are also drawn to Kubernetes to harness the underlying infrastructure.

In addition to resource theft, cyber actors may also target Kubernetes to cause a denial of service.

Pods are the smallest deployable Kubernetes unit and consist of one or more containers. Pods are often a cyber actor’s initial execution environment upon exploiting a container. For this reason, Pods should be hardened to make exploitation more difficult and to limit the impact of a successful compromise.

Three common sources of compromise in Kubernetes are supply chain risks, malicious threat actors, and insider threats.

Supply chain risks are often challenging to mitigate and can arise in the container build cycle or infrastructure acquisition.

Malicious threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications. Insider threats can be administrators, users, or cloud service providers.

Insider threats can be administrators, users, or cloud service providers. Insiders with special access to an organization’s Kubernetes infrastructure may be able to abuse these privileges.

Here are the recommended hardening measures and mitigations suggested by CISA and NSA:

  • Scan containers and Pods for vulnerabilities or misconfigurations.
  • Run containers and Pods with the least privileges possible.
  • Use network separation to control the amount of damage a compromise can cause.
  • Use firewalls to limit unneeded network connectivity and encryption to protect confidentiality.
  • Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
  • Use log auditing so that administrators can monitor activity and be alerted to potential malicious activity.
  • Periodically review all Kubernetes settings and use vulnerability scans to help ensure risks are appropriately accounted for and security patches are applied.

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance” – click here

mapgenesys's Recommendations For Seamless Security:

On the Control Plane:

  • TLS Everywhere
  • Enable RBAC with Least Privilege, Disable ABAC, and Monitor Logs
  • Use Third Party Auth for API Server
  • Separate and Firewall your etcd Cluster
  • Rotate Encryption Keys

On Workloads:

  • Use Linux Security Features and PodSecurity Policies
  • Statically Analyse YAML
  • Run Containers as a Non-Root User
  • Use Network Policies
  • Scan Images and Run IDS
  • Run a Service Mesh
]]>