Articles

Cyber threats have become more sophisticated. Hence, it is a good idea to utilize the expertise of public cloud providers to better manage assets against security threats. Cloud security is a collection of proactive measures to protect your cloud assets from internal and external threats. In this Refcard, we will walk through common cloud security challenges, continuous security for cloud infrastructure, and advanced strategies for securing cloud workloads.
Article source: DZONE

The network model for security fails in the cloud. While the old on-prem model made sense in the earlier days of computing, the rapidly expanding suite of cloud providers, along with their infinite combinations of settings and services, now places an extraordinary burden on security teams to become cloud-centric. An enterprise that doesn’t fully understand its role in securing its data in the public cloud is taking unnecessary risks with its outdated security strategies.

In the traditional data center, the network provided a secure boundary for the organization. The network was carved up into zones and trusts were established within and between zones. Security architectures were established and tools deployed based on this strategy, which largely involved monitoring the traffic flows and enforcing controls where the zones met. But in the cloud, this approach is no longer relevant. Time and again, in breach after breach, headline after headline, the modern attack cycle, particularly in the cloud, starts with identity. Attackers seek access to the identity, then pivot between resources, discovering credentials and other identities that give them more and more access to get what they want.

Article source: DZONE


Background

The Common Vulnerabilities and Exposures (CVE) tells us the whole story just by its name — these are exposures and vulnerabilities that are common. But what happens when uncommon issues are discovered and exploited by attackers? What if attackers just want us to think they’d only exploit common issues and vulnerabilities?

Securing CVEs sounds like it should be the right place to start from. Exploring common vulnerabilities and exposure is where script kiddies start from, that’s what bots are exploiting, and none of us want to end up in the security hall of shame, set aside for organizations that were exploited and affected by ransomware, thanks to an unpatched CVE from months ago.

Article source: DZONE

Cybersecurity researchers at Check Point today disclosed details of two recently patched potentially dangerous vulnerabilities in Microsoft Azure services that, if exploited, could have allowed hackers to target several businesses that run their web and mobile apps on Azure. Azure App Service is a fully-managed integrated service that enables users to create web and mobile apps for any
Article source: The Hacker News

The practice of creating a threat model can help teams proactively understand and develop a strategy for managing the possible vulnerabilities their organization faces, instead of waiting until after an incident occurs. OWASP defines threat modeling as “a procedure for optimizing security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.”

SecOps teams can benefit from creating a threat model for cloud infrastructure and defining an approach to operationalizing, hardening, and automating security throughout the software development lifecycle. While it’s best to build security into the design of your systems at the outset, remember the motto:

Article source: DZONE

According to a 2014 study, 69 percent of businesses had at least an application or a part of their infrastructure on the cloud.

With the significant number of businesses depending on the cloud, its security should be given a serious amount of thought!

Article source: DZONE

Aqua Security has been actively participating in the open source community around Kubernetes security, including contributing significantly to the kube-bench project. We have followed that up with the release of the kube-hunter project, named for its ability to hunt for security weaknesses in Kubernetes clusters. Kube-hunter enables Kubernetes administrators, operators and security teams to identify weaknesses in their deployments and address those issues before attackers can exploit them.  

Kube-hunter augments the CIS validation for K8s deployments provided by kube-bench with discovery and penetration testing capabilities. In that respect it works much like an automated penetration testing tool — you give it the IP or DNS name of your Kubernetes cluster, and it will probe for security issues and alert you, for example, if your dashboard is open or your kubelets are accessible. Use kube-hunter to find Kubernetes installations in your environments, assess them for potential security risks, and receive suggestions on remediation for a wide range of vulnerabilities.

Article source: DZONE

The principle of least privilege is key when it comes to securing your infrastructure on AWS. For example, an engineer should only be able to control EC2 instances that are in scope for their day-to-day work. But how do you make sure an engineer is only allowed to …

  • Start, stop, and terminate a specific instance?
  • Create, attach, and delete specific volumes?
  • Create, restore, and delete specific snapshots?

As illustrated in the following figure you can restrict access to EC2 instances, EBS volumes, and EBS snapshots by making use of …

Article source: DZONE