With most enterprises leveraging at least one type of cloud deployment today, the question arises: is the cloud more or less secure than on-premise solutions? The reality is that for on-prem or even private cloud environments, the approach to security largely relies on a perimeter defense. Once an organization is compromised inside that perimeter, it can become open season for malicious actors, as we have seen in marquee incidents such as the Target data breach, the 2014 Home Depot hack, or the recent Uber breach, which exploited an unpatched security vulnerability.

Taking a step back, cloud vulnerabilities fall into three main categories: cloud misconfigurations, application exploits, and security patch management.

Cloud configurations that are not aligned with security best practices commonly lead to exploits, as we saw in the 2019 Capital One data breach. In that breach, the bad actor took advantage of an AWS misconfiguration to bypass authentication requirements and enter the network. According to Gartner, misconfigurations and other customer missteps will account for 99 percent of cloud security incidents by 2023. There are exceptions in how bad actors take advantage of cloud misconfigurations, such as last year's attack exposing flaws in Microsoft Azure's Cosmos DB, which left thousands of customers exposed to malicious actors. While significant, these scenarios are rarer. Thankfully, when it comes to shared responsibility, vendors generally do a good job of holding up their end of the bargain.

The shared responsibility model also applies to patch management. We continue to see customers compromised through unpatched vulnerabilities, which often stem from not applying patches quickly enough or at all. Cloud vendors such as AWS provide transparency around their security events and maintain updated records of security bulletins, similar to Microsoft's Patch Tuesday updates.
However, security patches are only useful if they are applied in a timely manner. This was reiterated in the latest revision of the U.S. National Institute of Standards and Technology (NIST) guidance for enterprise patch management, which encourages enterprises to implement strategies for streamlining patch management. There are also ways to reduce the element of human error in patch management: patch management tools that use artificial intelligence (AI) to automate the patching process can help security teams establish standardized patching policies.

While not the most recent, the 2013 Target data breach remains a hallmark cyber event warning of the dangers of application exploits. In the Target breach, hackers gained access through a third-party HVAC vendor, which enabled them to reach additional systems on the network and amplify their exploits. This highlights the false sense of security some organizations take from the tools used to protect their networks, and it shows why it is equally important to apply best practices to third-party applications. Some tools, like intrusion detection and prevention (IDP) devices, can help identify attackers moving laterally through a compromised network to exploit applications. While some organizations view these tools as a last line of defense, they should be considered an important part of cloud security best practices.

Windows File Explorer finally has tabs, and you can also right-click on the taskbar to jump into Task Manager. Both features arrive in a new Windows 11 update. Here are details about how these features work and when you can expect to get them.

For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update automatically adds new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The technique, known as BYOVD (short for "bring your own vulnerable driver"), makes it easy for an attacker who already has administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities, then exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows. It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.

Drivers typically allow computers to work with printers, cameras, or other peripheral devices, or to do other things such as provide analytics about the functioning of computer hardware. For many drivers to work, they need a direct pipeline into the kernel, the core of an operating system where the most sensitive code resides. For this reason, Microsoft heavily fortifies the kernel and requires all drivers to be digitally signed with a certificate that verifies they have been inspected and come from a trusted source. Even then, legitimate drivers sometimes contain memory corruption vulnerabilities or other serious flaws that, when exploited, let attackers funnel their malicious code directly into the kernel. Even after a developer patches the vulnerability, the old, buggy drivers remain excellent candidates for BYOVD attacks because they are already signed. By adding such a driver to the execution flow of a malware attack, attackers can save weeks of development and testing time. BYOVD has been a fact of life for at least a decade.
Malware dubbed "Slingshot" has employed BYOVD since at least 2012, and other early entrants to the BYOVD scene included LoJax, InvisiMole, and RobbinHood. Over the past couple of years, there has been a rash of new BYOVD attacks. One such attack late last year was carried out by the North Korean government-backed Lazarus group. It used a decommissioned Dell driver with a high-severity vulnerability to target an employee of an aerospace company in the Netherlands and a political journalist in Belgium. In a separate BYOVD attack a few months ago, cybercriminals installed the BlackByte ransomware by installing and then exploiting a buggy driver for Micro-Star's MSI AfterBurner 4.6.2.15658, a widely used graphics card overclocking utility.

Microsoft has touted these protections since at least March 2020, when the company published a post promoting "Secured Core" PCs, which have HVCI enabled right out of the box. Microsoft presented Secured Core PCs (and HVCI in general) as a panacea for in-the-wild BYOVD attacks, stemming either from buggy drivers or from "wormhole" drivers (those that are vulnerable by design). The post went on to say that "Microsoft threat research teams continuously monitor the threat ecosystem and update the list of drivers that [are] in the Microsoft-supplied blocklist. This blocklist is pushed down to devices via Windows update." A few months later, Microsoft Senior VP of Enterprise and OS Security David Weston tweeted that by turning on these protections, Windows users were safe from an ongoing BYOVD attack that had recently made the rounds.
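Since the article's point is that the mitigations (HVCI and the driver blocklist) were not actually in effect on many machines, a defender's first question is whether they are active on a given host. The following PowerShell check is an added example, not code from the article or from Microsoft; it reads the Device Guard WMI class for HVCI status and a registry value for the blocklist. The value name VulnerableDriverBlocklistEnable is assumed from Microsoft's published blocklist documentation and should be confirmed against the current docs for your Windows build.

```powershell
# Added example: report whether HVCI (Memory Integrity) is running and whether
# the Microsoft vulnerable driver blocklist is enabled. Run in an elevated
# PowerShell session. Read-only: nothing on the machine is changed.

function Get-ByovdMitigationStatus {
    # Win32_DeviceGuard exposes the state of virtualization-based security (VBS).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # SecurityServicesRunning / Configured: 1 = Credential Guard, 2 = HVCI.
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Assumed value name (from Microsoft's blocklist documentation); 1 = enforced.
    $ciPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $ciConfig = Get-ItemProperty -Path $ciPath -ErrorAction SilentlyContinue
    $blocklistOn = ($ciConfig.VulnerableDriverBlocklistEnable -eq 1)

    [pscustomobject]@{
        VbsRunning                  = $vbsRunning
        HvciConfigured              = $hvciConfigured
        HvciRunning                 = $hvciRunning
        VulnerableDriverBlocklistOn = $blocklistOn
        # Neither layer active means a signed-but-vulnerable driver will load unhindered.
        Exposed                     = -not ($hvciRunning -or $blocklistOn)
    }
}

$status = Get-ByovdMitigationStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'Neither HVCI nor the vulnerable driver blocklist is active on this host.'
}
```

A configured-but-not-running HVCI (HvciConfigured true, HvciRunning false) usually points at a hardware or firmware prerequisite such as virtualization extensions being disabled, which is worth chasing before assuming the blocklist alone is protecting the machine.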