Today’s breaking news uncovered by threat researchers at TrapX Security involves compromised firmware in handheld scanners being used to compromise corporate networks. The attack appears to have used sophisticated malware embedded in the mobile scanner firmware that subsequently targeted servers inside the enterprise. According to the Dark Reading article, “A Chinese manufacturer that sells the popular devices for scanning items shipped or transported apparently has been implanting the malware in its products”.
This new report of a supply chain attack is something that the US Department of Defense (DOD) Defense Science Board warned about. What I find interesting in this particular attack is 1) the supply chain approach and 2) the sophistication (malware in the handheld scanners that then launched against servers).
This attack is in a similar vein to the NSA’s Tailored Access Operations (TAO) catalog of exploits. It is a matter of time before bad guys profit using techniques pioneered by sophisticated state actors (if they are not doing so already).
It is a small step for the attack technique using handheld scanners to be applied against servers. For example, a compromised NIC from China gets slotted into a server and exposes an organization’s sensitive data.
While today’s news involved handheld scanners, tomorrows news could involve other IT supply chain elements. Enterprises need to consider validating the integrity of the components coming through their IT supply chain. What can a savvy IT security person do to avoid these sorts of threats going against server infrastructure? As Gartner analyst Joerg Fritsch and Mario DeBoer highlighted in recent research, you need to validate server integrity to bootstrap trust as well as consider runtime security controls.
Gartner analyst Joerg Fritsch published a new report last week titled “Enabling High-Risk Services in the Public Cloud With IaaS Encryption”. It provides juicy insights into the ins and outs of Infrastructure-as-a-Service (IaaS) encryption, trade-offs between data confidentiality and reliability, and provides a nice comparison table of vendor options. And I am delighted that the research includes a PrivateCore vCage mention! PrivateCore is the only significant new defensive technology mentioned alongside traditional technologies from legacy vendors.
A point that Joerg highlights in a blog post announcing the report is, “Parts of the confidential data must always be in cleartext in RAM, – even the necessary encryption keys!” Even if an enterprise uses encryption in the IaaS cloud where they control the keys, at the end of the day those keys need to be in clear text in memory for processing. A bad guy (outside hacker, malicious insider, etc.) can grab the memory and parse the contents to get encryption keys and decrypt data. Also, your favorite government agency (FBI, etc) that can provide a national security letter requesting the encrypted data and a memory snapshot, parse the memory to get the encryption keys, and decrypt the encrypted data-at-rest. This is where PrivateCore can help by encrypting memory.
The public cloud has some compelling advantages in speed and deployment, but enterprises need to grapple with the resulting data security issues explained in the Gartner research. If you want to use the cloud with some comfort that the CSP insiders, hackers, or lawful outsiders cannot grab your memory to view cleartext, it is time for your to consider vCage Host.
Gartner’s analysts Joerg Fritsch and Mario de Boer published a comprehensive report covering server security on 31 March 2014 titled “The Feasibility of Host-Based Controls and the Evolution of Server Security”. This report (G00260437) is a tour de force on all aspects of physical and virtual server security – if you are in the business of securing enterprise server infrastructure, you should get ahold of it and spend some quality time digesting it. This report is a great example of the value of a Gartner IT Pro service subscription.
The report is holistic and touches on all aspects of server security, including anti-malware (AV), host-based intrusion prevention (IDS/IPS), application whitelisting, file integrity monitoring (FIM), privileged account monitoring and server integrity.
Something that we are proud of is the recognition given to PrivateCore vCage Manager as a leading solution for bootstrapping trust in private and public clouds. As Gartner states in the report, “…bootstrapped trust comes in with a very moderate price tag, or it could even be a feature of products that are already deployed in the local data center, such as the HyTrust appliance, PrivateCore vCage Manager or OpenStack.”
Reading between the lines, I suspect the recent news regarding NSA’s Tailored Access Operations (TAO) unit is motivating more focus on system integrity. As Oded pointed out in his January blog post, bad guys will eventually learn from the NSA TAO techniques for illicit gain. The Gartner Server Security report lays out best practices in securing such systems. As you look to implement such best practices described by Gartner, have a chat with us about maintaining Linux/OpenStack system integrity with PrivateCore vCage.
Firmware compromises are starting to make their way into the mainstream news media and are expected to proliferate in the wild. Oded (PrivateCore’s CEO) prognosticated in an post in early January that cybercriminals would learn from the very skilled NSA ANT technologists to manipulate firmware in their effort to make illicit profits. Others now share that view.
In reading yesterday’s New York Times, I came across an article based on CrowdStrike threat research that included the quote, “As security software becomes more prolific, hackers continue to make their way down the food chain to computer hardware where it is much more difficult to identify and remove.”
The details behind security breaches take time to make their way into the news. I expect that we will eventually read about firmware compromises in the future, but it will take some time before such breach details make their way into the media.
While compromised hardware and firmware might be difficult to identify, that is the hard problem that PrivateCore has focused on since our founding in 2011. New threats require new countermeasures. Hardware and firmware attacks call for a new layer of defense, and PrivateCore provides that layer of defense. If you are an enterprise IT security concerned about trusted computing for your servers, you should take PrivateCore vCage software for a spin.
As 2013 comes to a close, news from Germany’s Spiegel Online that the NSA Tailored Access Operations (TAO) unit created a toolbox of exploits to compromise systems caught my attention. Todd’s prediction: this news is a harbinger of infosecurity risks making headlines in 2014 as bad guys learn from the extremely talented NSA.
The news generated by Mr. Snowden’s disclosures has brought data privacy headlines. What was different about the Der Spiegel article highlighting the TAO was not only the breadth of exploits, but also the depth and sophistication.
The sophisticated exploits highlighted in the Spiegel piece were designed for persistence. These are advanced persistent threats (APTs) – once you are in, can you stay in. As the article highlights, “the [NSA] ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.”
Modifying the BIOS bypasses traditional security layers such as antivirus software. Mitigating against threats using such attack vectors requires an additional layer of security to attest the validity of the host system, harden systems against compromise, and secure the underlying data-in-use (as well as data-at-rest and data-in-transit). This is bad news for enterprises and service providers who need to consider protecting their server infrastructure, but the good news is that there are solutions to shut down this attack vector, notably PrivateCore vCage (my shameless product plug for this post).
The Spiegel news dovetails with a cybersecurity prognostication for 2014 from IT risk and governance auditor Coalfire:“There will be a significant security breach at a cloud service provider that causes a major outage.” Reading the Spiegel Online article, the “security breach” part might have already happened. Buckle your seatbelts and enjoy 2014.
Sharing is usually considered to be a positive attribute – parents teach children to share and we are moving into a “sharing economy” with services like Zipcar and Airbnb. For most businesses and the security of their sensitive data, sharing is a threat. In fact, numerous laws have been created to curb or manage sharing including copyright provisions designed to protect music, books, software and more. Cloud security is no exception. For businesses, sharing responsibility for the security of their data with a cloud service provider can lead to unpleasant consequences and finger-pointing. For years, standards bodies like the PCI Council and leading cloud providers like Amazon Web Services and Microsoft Azure have fostered the perception that shared responsibility for security in the cloud with infrastructure as a service (IaaS) providers is the best approach. Times have changed, this is no longer the case.
What is the downside of shared responsibility in the cloud? The enterprise has ultimate accountability for security of its data, yet must share the responsibility for data security with the Cloud Service Provider (CSP). Put another way, shared responsibility means shared access to your sensitive data. You share responsibility for security of the overall environment, but implicit in that relationship is that your CSP can access your data. You might not like it, but the shared responsibility model forces you to trust the CSP and face the consequences when the CSP falls short. Amplifying these consequences for the enterprise are CSP terms of service that are typically one-sided and hand the aftermath of breached data to the enterprise customer. Consequences can include fines, reputational risk, and lost competitive advantage – items that would not be covered by a CSP refunding your payment. The shared responsibility model also requires elaborate and time-consuming legal contracts so the obligations of the CSP and the enterprise are understood. While shared responsibility can be mitigated in a Software-as-a-Service (SaaS) where the SaaS vendor is fully accountable for data loss, it does not make sense in the Infrastructure-as-a-Service (IaaS) world where IaaS vendors significantly (Amazon EC2, etc.) limit their responsibility for security.
While the CSP needs to provide their service with sufficient security to satisfy customers, the CSP is usually not the one holding the bag when something goes wrong. Interest in cloud encryption has grown as enterprises wrestle with securing their data at the CSP. Enterprises understand the need to secure their data while at rest and while in transit by holding the encryption keys themselves. However, the shared responsibility model circumvents at-rest and in-transit encryption; the cloud service provider can access enterprise data-in-use while the cloud server runs in the CSP datacenter. Data-in-use, or memory, contains secrets including encryption keys, digital certificates, and sensitive information such as intellectual property. Accessing data-in-use leaves the door open to lawful or unlawful interception of data of any data on the server. Sensitive data can be encrypted at rest or in motion, but it is “in the clear” and available to the CSP while in use.
What if a new technology allowed you to have control and visibility into the security of cloud servers without ever having to set foot in a cloud data center? PrivateCore does just that, allowing the enterprise to take complete ownership of data security rather than relying on the CSP. This approach also permits the CSP to focus on their core competencies and reduce liabilities. PrivateCore vCage provides a secure foundation, ensuring that nobody at the CSP can access or manipulate your data without your consent. Deploying vCage as a foundation of trust for your IaaS security enables you to avoid lengthy security negotiations because you control the security of your server and its data.
PrivateCore vCage secures server data-in-use with full memory encryption. Data-in-use can contain valuable information such as encryption keys for data-at-rest, certificates, intellectual property, and personally identifiable information. Accessing data-in-use provides a pathway to decrypt data-at-rest and data-in-motion. Compromising data-in-use, be it through a malicious insider or lawful request, leaves a system open and available.
While security measures such as data-at-rest and data-in-motion encryption are necessary, they are insufficient if the foundation has a crack that allows information to be siphoned off. PrivateCore vCage changes the game, obviating the need for “shared responsibility” by providing a foundation of trust in the cloud so you can take control of the security of your data in the cloud.
As the news around NSA information collection and Edward Snowden continues to dribble out, something that is grabbing the attention of enterprises around the world the topic of “lawful interception”. The lawful intercept topic has cruised under the radar for a number of years (I was surprised to see the variety of vendor products enabling interception when I googled “lawful interception”), but Mr. Snowden brought it to the fore. Companies around the globe are rethinking security of their data in light of security and data sovereignty issues raised by the NSA Prism program.
What is lawful interception? While it sounds like a term used in American football, it is a serious issue of concern to most enterprises. National governments can request service providers (think Google, Yahoo, Amazon, etc) to provide customer information for analysis or investigation in the name of national security. There are various legal vehicles – The US has various laws including the Foreign Intelligence Surveillance Act (think of National Security Letters), the UK has its Regulation of Investigatory Powers Act, etc. The basic concept is the same – your friendly national government can knock on the service provider’s door and request information relevant to a national security issue. The service provider holding your information could be compelled in the name of national security to hand it over to the authorities.
Service providers are legally compelled to respond while not informing customers that their information is being provided to the government. If you are an enterprise with your information in the public cloud, the service provider could hand over your information to the authorities pursuant of an investigation without your knowledge. Enterprises typically want to know if their information is being handed over by their service providers so they can prepare themselves.
How does encryption play in this? You would think that if your cloud data is encrypted, is is safe from prying eyes. Not necessarily. This is a tricky issue that hinges on a few variables:
Who holds the encryption keys?
Where is the encrypted data stored?
Who controls the server hardware?
With those variables in mind, below are a few potential scenarios to consider:
Infrastructure-as-a-Service with IaaS encryption/keys- Enterprises with sensitive data in the cloud can secure their data with encryption, but that data is open to lawful interception if the service provider holds the encryption keys. One example of this is Amazon S3 encryption – Amazon holds the keys and could be compelled to hand the data and keys to the authorities.
IaaS with enterprise-controlled keys – an enterprise could deploy their own encryption and keys to the cloud, while keeping those keys stored in their enterprise office. However, this provides a false sense of security. Authorities could still request encrypted data and a snapshot of memory from the Cloud Service Provider and parse that memory to get the encryption keys for the data at rest. Unless you are securing not only the data-at-rest, but also the data-in-use (memory), the authorities could access your data unbeknownst to you.
Gateway Encryption for Software-as-a-Service – For SaaS environments, the enterprise typically needs to rely on their SaaS provider to secure data. However, gateway encryption solutions can encrypt or tokenize SaaS data at the enterprise edge so that the SaaS provider is only dealing with ciphertext and not clear text. If the authorities come knocking, they have to knock on the enterprise door to access the data.
What are questions you should be asking internally or of your service provider when it comes to lawful interception?
Is my cloud data encrypted? Encrypting sensitive data in the cloud is a best practice. If it is not encrypted, then accept that a lawful intercept request could occur and your information could be provided to the authorities without your knowledge. If your cloud SaaS data is encrypted at the enterprise gateway, the authorities have to knock on your door to access it. If the cloud IaaS data is encrypted, then you need to ask the next question.
Where are the encryption keys? Do I hold them or does the cloud service provider hold them? If the CSP holds the keys, your data can be compromised without your knowledge. The CSP could be compelled to deliver the data plus keys to decrypt the data. If the enterprise holds the keys, the authorities will have to knock on the enterprise door and say “Give me the keys” and unlock the cloud data. the data is more secure but could still be compromised; the authorities would need to jump through some hoops to do so (decrypting data using keys parsed from memory).
Is my server memory secure? If the memory is not secure, the authorities can ask for the encrypted data-at-rest as well as a snapshot of the data-in-use (memory) and parse that memory for the encryption keys.
Lawful intercepts are the flip side of unlawful intercepts. You might want to know if the authorities are sniffing at your data so you are fully informed, but you also will want to know if some malicious insider within the CSP might be compromising your data. Considering the lawful intercept issue also addresses the rogue insider problem.