Cloud misconfigurations are becoming another risk for corporations. At RSA 2020, Steve Grobman, senior vice president and chief technology officer at McAfee, explained how easy it is to take advantage of cloud misconfigurations, an expensive security problem for corporations. He compared cyber security to infectious disease control: an imperfect science.
“We know that the answer to the flu is the flu shot,” he said. “If it were that easy, we would simply inoculate everyone and call it a day.”
Grobman said he picked the theme of his keynote speech in November, well before the coronavirus became an international problem. His timely scenario was a group of researchers sequencing the genome of a virus to illustrate how sharing data through the cloud can lead to a security vulnerability.
Grobman described a hypothetical case of researchers who wanted to share data that was only accessible through a virtual private cloud, not through the Internet.
The researchers used a reverse proxy server to pull data that is not directly exposed, a solution that is fast but not safe, Grobman said.
“These are epidemiologists, not security experts,” he said.
A reverse proxy server retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they came from the proxy server itself.
This reverse proxy server set up for sharing research data can access both data that the researchers wanted to share and data they didn’t.
Grobman then walked through the process a hacker would take to find this vulnerability.
The first step is to see if there is access to anything by default. The next step is to check connectivity to the reverse proxy server.
As he spoke, the code needed to check for these vulnerabilities scrolled up on the screen behind him.
“Next we find out that we can access the URL where the instance metadata is stored,” he said.
Instance metadata is information about a cloud instance that is used to configure or manage the instance, including, host name, events, and security groups.
The final step is to check for access privileges. In this case, a hacker had full Simple Storage Service (S3) access.
“This is the holy grail that the attacker is looking for,” Grubman said.
With access to this information, attackers can change the contents of data buckets as well as access to them and control over them. In this made-for-RSA story, the data files included important information that the researchers wanted to keep private.
“We have now stolen the top secret data with that simple of an attack, and this is just one of 43 cloud-specific techniques on Mitre’s ATT&CK matrix,” he said.
SEE: How to prevent the top 11 threats in cloud computing (free PDF) (TechRepublic)
Securing data now for the future
In addition to making sure cloud configurations are secure, security teams have to address tomorrow’s security risks today, Grobman said.
Advances in quantum computing will be a double-edged sword with the downside being the threat to existing encryption systems.
“Nation-states will use quantum computing to break our public key encryption systems,” he said. “Our adversaries are getting the data today and counting on quantum to unlock in tomorrow.”
Grubman said that companies need to think about how long data will need to be protected.
“Even in 2020, there are documents in the National Archives in relation to the Kennedy assignation that still have redacted information due to national security concerns of today,” he said.
Grubman wants NIST to move faster to find solutions for the post-quantum ecosystem.
“We need quantum-resistant algorithms as soon as possible,” he said. “I am confident we can do these things as long as we don’t remain blind to the threats that target the platform.”