Get the Latest News and Press Releases

Is Cybersecurity an Essential Work-from-Home Tool?

Is cyber security an essential work-from-home tool? This is one of the areas that was not considered in most remote working arrangements!
If remote work is a new practice for a company, set standards, expectations and processes for your staff. The most basic areas to address are whether employees will be using company-provided or personal devices and a VPN or a remote desktop, and whether work-from-home systems can be tested. Some workers may want to use unsecured public Wi-Fi. That’s always inadvisable for work devices, and employers should discourage it. Many workers will be logging in to their personal Wi-Fi network and should make sure it is set up securely with a strong password.

Experts recommend that organizations require employees who are working remotely to use VPNs to help maintain end-to-end data encryption.
Contact us today for a free assessment of your work-from-home policies!



From infiltrations of infrastructure and data breaches to spear phishing and brute force, online threats are varied, and they don’t discriminate between organizations and individuals when looking for a target.

You’ve likely heard the term “cyber threat” thrown around in the media. But what exactly are these cyber threats?

A cyber or cyber-security threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber attacks include threats like computer viruses, data breaches, and Denial of Service (DoS) attacks. However, to truly understand this concept, let’s go a bit further into the background of cyber-security.


What are cyber threats?
Types of cyber-security threats
Sources of cyber-security threats
Best practices for cyber defense and protection



Cyber threats, sadly, are becoming more and more of a threat in today’s smart world. But what exactly is a cyber threat?

A cyber threat is an act or possible act which intends to steal data (personal or otherwise), harm data, or cause some sort of digital harm. 

Today, the term is almost exclusively used to describe information security matters. Because it’s hard to visualize how digital signals traveling across a wire can represent an attack, we’ve taken to visualizing the digital phenomenon as a physical one.

A cyber attack is an attack that is mounted against us (meaning our digital devices) by means of cyberspace. Cyberspace, a virtual space that doesn’t exist, has become the metaphor to help us understand digital weaponry that intends to harm us.

What is real, however, is the intent of the attacker as well as the potential impact. While many cyber attacks are merely nuisances, some are quite serious, even potentially threatening human lives.


Cyber threats are a big deal. Cyber attacks can cause electrical blackouts, failure of military equipment and breaches of national security secrets. They can result in the theft of valuable, sensitive data like medical records. They can disrupt phone and computer networks or paralyze systems, making data unavailable. It’s not an exaggeration to say that cyber threats may affect the functioning of life as we know it.

The threats are growing more serious, too. Gartner explains, “Cybersecurity risks pervade every organization and aren’t always under IT’s direct control. Business leaders are forging ahead with their digital business initiatives, and those leaders are making technology-related risk choices every day. Increased cyber risk is real — but so are the data security solutions.”

The US government is taking cyber threats seriously but appears to be moving too slowly to mitigate them. The White House’s Office of Management and Budget revealed that, of 96 federal agencies it assessed, 74 percent were either “At Risk” or “High Risk” for cyber attacks. They needed immediate security improvements.

The US government has experienced numerous crippling data breaches in the last few years. Examples include the massive breach of the Federal Office of Personnel Management and the theft of secret US Naval codes. Both attacks have been attributed to Chinese state intelligence agencies.


Cybersecurity threats come in three broad categories of intent. Attackers are after:

  1. Financial gain
  2. Disruption
  3. Espionage (including corporate espionage, such as the theft of patents, and state espionage)

Virtually every cyber threat falls into one of these three modes. In terms of attack techniques, malicious actors have an abundance of options.


  1. Malware. Software that performs a malicious task on a target device or network, e.g. corrupting data or taking over a system.
  2. Phishing. An email-borne attack that involves tricking the email recipient into disclosing confidential information or downloading malware by clicking on a hyperlink in the message.
  3. Spear Phishing. A more sophisticated form of phishing where the attacker learns about the victim and impersonates someone he or she knows and trusts.
  4. “Man in the Middle” (MitM) attack. Where an attacker establishes a position between the sender and recipient of electronic messages and intercepts them, perhaps changing them in transit. The sender and recipient believe they are communicating directly with one another. A MitM attack might be used in the military to confuse an enemy.
  5. Trojans. Named after the Trojan Horse of ancient Greek history, the Trojan is a type of malware that enters a target system looking like one thing, e.g. a standard piece of software, but then lets out the malicious code once inside the host system.
  6. Ransomware. An attack that involves encrypting data on the target system and demanding a ransom in exchange for letting the user have access to the data again. These attacks range from low-level nuisances to serious incidents like the locking down of the entire city of Atlanta’s municipal government data in 2018.
  7. Denial of Service attack or Distributed Denial of Service Attack (DDoS). Where an attacker takes over many (perhaps thousands) of devices and uses them to invoke the functions of a target system, e.g. a website, causing it to crash from an overload of demand.
  8. Attacks on IoT Devices. IoT devices like industrial sensors are vulnerable to multiple types of cyber threats. These include hackers taking over the device to make it part of a DDoS attack and unauthorized access to data being collected by the device. Given their numbers, geographic distribution and frequently out-of-date operating systems, IoT devices are a prime target for malicious actors.
  9. Data Breaches. A data breach is a theft of data by a malicious actor. Motives for data breaches include crime (e.g. identity theft), a desire to embarrass an institution (e.g. Edward Snowden or the DNC hack) and espionage.
  10. Malware on Mobile Apps. Mobile devices are vulnerable to malware attacks just like other computing hardware. Attackers may embed malware in app downloads, mobile websites or phishing emails and text messages. Once compromised, a mobile device can give the malicious actor access to personal information, location data, financial accounts and more.


Cyber threats are never static. There are millions being created every year. Most threats follow the standard structures described above. However, they are becoming more and more potent.

For example, there is a new generation of “zero-day” threats that are able to surprise defenses because they carry no detectable digital signatures.

Another worrisome trend is the continuing “improvement” of what experts call “Advanced Persistent Threats” (APTs). As Business Insider describes APTs, “It’s the best way to define the hackers who burrow into networks and maintain ‘persistence’ — a connection that can’t be stopped simply by software updates or rebooting a computer.”

The notorious Sony Pictures hack is an example of an APT, where a nation-state actor lurked inside the company’s network for months, evading detection while exfiltrating enormous amounts of data.


Cyber threats come from a variety of places, people and contexts. Malicious actors include:

  • Individuals that create attack vectors using their own software tools
  • Criminal organizations that are run like corporations, with large numbers of employees developing attack vectors and executing attacks
  • Nation states
  • Terrorists
  • Industrial spies
  • Organized crime groups
  • Unhappy insiders
  • Hackers
  • Business competitors

Nation states are the sources of many of the most serious attacks. There are several different versions of nation-state cyber threats. Some are basic espionage, trying to learn another country’s national secrets. Others are aimed at disruption.

For example, Chris Painter of the U.S. Department of State commented in a Brookings Institution article that China and North Korea “have frequently exercised their cyber power to achieve their strategic goals around the globe.”

He noted, though, “Their motivations and objectives differ: While North Korea primarily aims to develop capabilities for revenue generation and destructive capabilities for potential conflicts outside North Korea, China mainly utilizes its cyber means for espionage and intellectual property theft. ‘Naming and shaming’ has been an effective tool against China because of its government’s concerns on the potential blowback on its soft power.”

The disruption-oriented threats are the so-called “cyber weapons” that might be used to shut off electricity in enemy territory during a war. In some countries, the boundaries between criminal organizations and national intelligence are blurred, with the criminals doing the actual work of cyber espionage.

Many cyber threats are bought and sold on the “dark web,” a disorganized but widespread criminal segment of the Internet. In this online bazaar, aspiring hackers can buy ransomware, malware, credentials for breached systems and more. The dark web serves as a multiplier for threats, with one hacker being able to sell his or her creation over and over.


It’s easy to get frustrated over the severity of the threat environment. However, it is possible to protect your business from cyber threats. Consumers can also defend themselves.


Enterprise best practices for defense against cyber threats include basic but extremely important countermeasures like patching systems. When a tech vendor discovers (or is informed of) a security flaw in their product, they typically write code that fixes or “patches” the problem.

For example, if Microsoft finds that a hacker can gain root access to Windows Server through a code exploit, the company will issue a patch and distribute it to all owners of Windows Server licenses. They, among many others, do this at least once a month. Many attacks would fail if IT departments applied all security patches on a timely basis.

A host of new technologies and services are coming onto the market that make it easier to mount a robust defense against cyber threats. These include:

  • Outsourced security services
  • Systems that enable collaboration between security team members
  • Continual attack simulation tools
  • Point solutions for anti-phishing and secure browsing


For individuals, the best practices are simple. The good news is that in most cases, some pretty big security organizations stand between the consumer and the hacker, e.g. the SecOps team at Verizon or AT&T. There are still preventative measures you should take to help ensure your information’s safety:

  1. Password hygiene. Big security organizations cannot protect consumers against phishing or hackers who can guess passwords like “1234.” Common sense and password hygiene can go a long way to protect consumers from cyber threats.
  2. Anti-virus software. Subscribe to anti-virus software and keep your system up to date with automated, scheduled scans.
  3. Caution against phishing attacks. Be careful about opening file attachments. Phishing and spear-phishing emails are ones that look real but are not, and you can often spot them if you pay attention. For instance, if you get an email that says “past due invoice” with a PDF attachment, don’t open it unless you are 100% sure you know who sent it. If you double check, you’ll probably see it comes from an unusual email address, like this one, from anny234526426@gmail.com:

Figure: A phishing email in action


It can be a scary time for businesses and consumers who are worried about cyber threats. The threats certainly exist, and they’re getting increasingly potent and frequent. The attackers are varied, with many worrisome imbalances between attackers and their targets.


Even if a company is targeted by a powerful nation-state, it is still possible to protect critical digital assets. It takes planning and commitment of resources, but a good security operations team or a proactive individual can stay on top of most of the most serious cyber threats.

COVID-19 Exploited by Malicious Cyber Actors


This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.

Both CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.

APT groups and cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails. This alert provides an overview of COVID-19-related malicious cyber activity and offers practical advice that individuals and organizations can follow to reduce the risk of being impacted. The IOCs provided within the accompanying .csv and .stix files of this alert are based on analysis from CISA, NCSC, and industry.

Note: this is a fast-moving situation and this alert does not seek to catalogue all COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.

Technical Details

Summary of Attacks

APT groups are using the COVID-19 pandemic as part of their cyber operations. These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and “hack-and-leak” operations.

Cybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.

Both APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Threats observed include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure,
  • Malware distribution, using coronavirus- or COVID-19-themed lures,
  • Registration of new domain names containing wording related to coronavirus or COVID-19, and
  • Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.

Malicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:

  • Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware.
    • For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install “CovidLock” ransomware on their device.[1]
  • Open a file (such as an email attachment) that contains malware.
    • For example, email subject lines contain COVID-19-related phrases such as “Coronavirus Update” or “2019-nCov: Coronavirus outbreak in your city (Emergency)”

To create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with “Dr.” in their title. In several examples, actors send phishing emails that contain links to a fake email login page. Other emails purport to be from an organization’s human resources (HR) department and advise the employee to open the attachment.

Malicious file attachments containing malware payloads may be named with coronavirus- or COVID-19-related themes, such as “President discusses budget savings due to coronavirus with Cabinet.rtf.”

Note: a non-exhaustive list of IOCs related to this activity is provided within the accompanying .csv and .stix files of this alert.


CISA and NCSC have both observed a large volume of phishing campaigns that use the social engineering techniques described above.

Examples of phishing email subject lines include:

  • 2020 Coronavirus Updates,
  • Coronavirus Updates,
  • 2019-nCov: New confirmed cases in your City, and
  • 2019-nCov: Coronavirus outbreak in your city (Emergency).

These emails contain a call to action, encouraging the victim to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.

SMS Phishing

Most phishing attempts come by email but NCSC has observed some attempts to carry out phishing by other means, including text messages (SMS).

Historically, SMS phishing has often used financial incentives—including government payments and rebates (such as a tax rebate)—as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments’ employment and financial support packages. For example, a series of SMS messages uses a UK government-themed lure to harvest email, address, name, and banking information. These SMS messages—purporting to be from “COVID” and “UKGOV” (see figure 1)—include a link directly to the phishing site (see figure 2).

Figure 1: UK government-themed SMS phishing

Figure 2: UK government-themed phishing page

As this example demonstrates, malicious messages can arrive by methods other than email. In addition to SMS, possible channels include WhatsApp and other messaging services. Malicious cyber actors are likely to continue using financial themes in their phishing campaigns. Specifically, it is likely that they will use new government aid packages responding to COVID-19 as themes in phishing campaigns.

Phishing for credential theft

A number of actors have used COVID-19-related phishing to steal user credentials. These emails include previously mentioned COVID-19 social engineering techniques, sometimes complemented with urgent language to enhance the lure.

If the user clicks on the hyperlink, a spoofed login webpage appears that includes a password entry form. These spoofed login pages may relate to a wide array of online services including—but not limited to—email services provided by Google or Microsoft, or services accessed via government websites.

To further entice the recipient, the websites will often contain COVID-19-related wording within the URL (e.g., “corona-virus-business-update,” “covid19-advisory,” or “cov19esupport”). These spoofed pages are designed to look legitimate or accurately impersonate well-known websites. Often the only way to notice malicious intent is through examining the website URL. In some circumstances, malicious cyber actors specifically customize these spoofed login webpages for the intended victim.
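The alert’s advice that “often the only way to notice malicious intent is through examining the website URL” can be turned into a repeatable check. The Python below is an added example written for this page, not code from the CISA/NCSC alert: it parses a link and reports the signals described above (COVID-19 wording in the host or path, a well-known brand name inside a host that is not actually under that brand’s domain, a bare IP address instead of a hostname, and a login-looking path served over plain HTTP). The brand-to-domain table, the token list and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit
import ipaddress

# Brands the alert names as commonly impersonated on spoofed login pages.
# The legitimate apex domains listed here are an assumption for this example;
# a real deployment would maintain this list from its own inventory.
KNOWN_GOOD = {
    "google": ("google.com",),
    "microsoft": ("microsoft.com", "live.com", "office.com"),
    "outlook": ("outlook.com", "live.com"),
}

# Wording the alert reports inside phishing URLs
# ("corona-virus-business-update", "covid19-advisory", "cov19esupport", "2019-nCov")
COVID_TOKENS = ("corona", "covid", "cov19", "ncov")


def under_domain(host: str, apex: str) -> bool:
    """True only if host is the apex domain itself or a subdomain of it,
    so "microsoft.com.evil.example" does not count as Microsoft."""
    return host == apex or host.endswith("." + apex)


def triage_url(url: str) -> dict:
    """Return the host plus a list of suspicious signals found in the URL."""
    if "://" not in url:
        url = "http://" + url          # allow bare "host/path" strings
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = (parts.path + "?" + parts.query).lower()
    flags = []

    # 1. A literal IP address where a hostname would be expected
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass

    # 2. COVID-19 wording used as a lure, in the host or in the path
    if any(tok in host for tok in COVID_TOKENS):
        flags.append("covid-lure-in-host")
    elif any(tok in path for tok in COVID_TOKENS):
        flags.append("covid-lure-in-path")

    # 3. Brand name present, but the host is not under the brand's real domain
    for brand, apexes in KNOWN_GOOD.items():
        if brand in host and not any(under_domain(host, a) for a in apexes):
            flags.append("lookalike:" + brand)

    # 4. A credential-entry path served without TLS
    if parts.scheme == "http" and ("login" in path or "signin" in path):
        flags.append("plain-http-login")

    return {"host": host, "flags": flags, "suspicious": bool(flags)}


if __name__ == "__main__":
    # Constructed sample links; the hostnames use the reserved .example TLD
    for link in ("https://accounts.google.com/signin",
                 "http://login.microsoft.com.covid19-advisory.example/",
                 "http://203.0.113.7/corona-virus-business-update/login"):
        print(link, "->", triage_url(link)["flags"])
```

The suffix test in `under_domain` is the important detail: a substring match on “microsoft” would accept `login.microsoft.com.covid19-advisory.example`, which is exactly the kind of host the alert describes. Note that the example does not fetch anything, so it can run safely over links extracted from quarantined mail.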

If the victim enters their password on the spoofed page, the attackers will be able to access the victim’s online accounts, such as their email inbox. This access can then be used to acquire personal or sensitive information, or to further disseminate phishing emails, using the victim’s address book.

Phishing for malware deployment

A number of threat actors have used COVID-19-related lures to deploy malware. In most cases, actors craft an email that persuades the victim to open an attachment or download a malicious file from a linked website. When the victim opens the attachment, the malware is executed, compromising the victim’s device.

For example, NCSC has observed various email messages that deploy the “Agent Tesla” keylogger malware. The email appears to be sent from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO. This email campaign began on Thursday, March 19, 2020. Another similar campaign offers thermometers and face masks to fight the epidemic. The email purports to attach images of these medical products but instead contains a loader for Agent Tesla.

In other campaigns, emails include a Microsoft Excel attachment (e.g., “8651 8-14-18.xls”) or contain URLs linking to a landing page that contains a button that—if clicked—redirects to download an Excel spreadsheet, such as “EMR Letter.xls”. In both cases, the Excel file contains macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the “Get2 loader” malware. Get2 loader has been observed loading the “GraceWire” Trojan.

The “TrickBot” malware has been used in a variety of COVID-19-related campaigns. In one example, emails target Italian users with a document purporting to be information related to COVID-19 (see figure 3). The document contains a malicious macro that downloads a batch file (BAT), which launches JavaScript, which—in turn—pulls down the TrickBot binary, executing it on the system.

Figure 3: Email containing malicious macro targeting Italian users[2]

In many cases, Trojans—such as Trickbot or GraceWire—will download further malicious files, such as Remote Access Trojans (RATs), desktop-sharing clients, and ransomware. In order to maximize the likelihood of payment, cybercriminals will often deploy ransomware at a time when organizations are under increased pressure. Hospitals and health organizations in the United States,[3] Spain,[4] and across Europe[5] have all been recently affected by ransomware incidents.

As always, individuals and organizations should be on the lookout for new and evolving lures. Both CISA[6],[7] and NCSC[8] provide guidance on mitigating malware and ransomware attacks.

Exploitation of new teleworking infrastructure

Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking.

Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix. Citrix vulnerability, CVE-2019-19781, and its exploitation have been widely reported since early January 2020. Both CISA[9] and NCSC[10] provide guidance on CVE-2019-19781 and continue to investigate multiple instances of this vulnerability’s exploitation.

Similarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited. CISA provides guidance on the Pulse Secure vulnerability[11] and NCSC provides guidance on the vulnerabilities in Pulse Secure, Fortinet, and Palo Alto.[12]

Malicious cyber actors are also seeking to exploit the increased use of popular communications platforms—such as Zoom or Microsoft Teams—by sending phishing emails that include malicious files with names such as “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” (# representing various digits that have been reported online).[13] CISA and NCSC have also observed phishing websites for popular communications platforms. In addition, attackers have been able to hijack teleconferences and online classrooms that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.[14]
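Both the macro-bearing Excel attachments described under “Phishing for malware deployment” and the fake Zoom/Teams installer names above can be screened before a user ever sees them. The Python below is an added example, not code from the alert or from any vendor: it checks an attachment’s name against the installer patterns quoted above (each “#” is taken to be one digit, an assumption), flags executable and double extensions, compares the file’s leading bytes with what its extension claims, and looks for the VBA project stream that macro-enabled Office files carry. The sample attachments are a few constructed header bytes each, and the macro check is a cheap indicator rather than a full OLE or zip parser.

```python
import re

# Container signatures (magic bytes) for the file types the alert mentions
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls / .doc compound file
ZIP_MAGIC = b"PK\x03\x04"                          # .xlsx / .xlsm / .docm (OOXML)
PE_MAGIC = b"MZ"                                   # Windows executable

EXECUTABLE_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}
MACRO_CAPABLE_EXT = {".xls", ".doc", ".xlsm", ".docm"}

# File-name shapes reported in the alert for fake Zoom / Teams installers;
# each "#" in the alert's pattern is taken here to be one digit (assumption).
LURE_NAME_PATTERNS = [
    re.compile(r"^zoom-us-zoom_\d+\.exe$", re.I),
    re.compile(r"^microsoft-teams_V\dmu\dD_\d+\.exe$", re.I),
]


def has_vba_project(data: bytes) -> bool:
    """Cheap macro indicator, not a full parser: OLE files store stream names
    as UTF-16LE, OOXML files list the part path in the zip directory as ASCII."""
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    if data.startswith(ZIP_MAGIC):
        return b"vbaProject.bin" in data
    return False


def triage_attachment(name: str, data: bytes) -> list:
    """Return the list of warning signs for one attachment (empty = nothing seen)."""
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    flags = []
    if any(p.match(lower) for p in LURE_NAME_PATTERNS):
        flags.append("known-lure-filename")
    if ext in EXECUTABLE_EXT:
        flags.append("executable-extension")
    if re.search(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", lower):   # e.g. invoice.pdf.exe
        flags.append("double-extension")
    if ext in MACRO_CAPABLE_EXT and has_vba_project(data):
        flags.append("office-macro")
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXT:
        flags.append("pe-with-document-extension")
    if ext in MACRO_CAPABLE_EXT and not data.startswith((OLE_MAGIC, ZIP_MAGIC)):
        flags.append("office-extension-wrong-container")
    return flags


def triage_all(samples: dict) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


# Constructed sample attachments (a few header bytes each, not real files).
SAMPLES = {
    # OLE header followed by the UTF-16LE name of the VBA stream: macro-bearing .xls
    "8651 8-14-18.xls": OLE_MAGIC + b"\x00" * 16 + "_VBA_PROJECT_CUR".encode("utf-16-le"),
    # OLE header with no VBA stream name: plain legacy workbook
    "quarterly.xls": OLE_MAGIC + b"\x00" * 32,
    # PE executable named like the fake Zoom installer
    "zoom-us-zoom_1234567890.exe": PE_MAGIC + b"\x00" * 30,
    # PE executable wearing a spreadsheet name
    "EMR Letter.xls": PE_MAGIC + b"\x00" * 30,
}

if __name__ == "__main__":
    for name, flags in triage_all(SAMPLES).items():
        print(f"{name!r:32} {flags or 'clean'}")
```

The extension-versus-container comparison is what catches the cases a name-only filter misses: a PE file renamed to `.xls` still starts with `MZ`. For production use, replace `has_vba_project` with a real OLE/OOXML parser; the byte search here will miss a VBA stream that sits in a later sector and can be fooled by padding, which is why the example labels it an indicator only.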

The surge in teleworking has also led to an increase in the use of Microsoft’s Remote Desktop Protocol (RDP). Attacks on unsecured RDP endpoints (i.e., exposed to the internet) are widely reported online,[15] and recent analysis[16] has identified a 127% increase in exposed RDP endpoints. The increase in RDP use could potentially make IT systems—without the right security measures in place—more vulnerable to attack.[17]
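The practical check behind that statistic is knowing whether any of your own inbound rules publish 3389 to the internet. The Python below is an added example (not from the alert or from any cloud vendor): it walks a list of inbound rules in a simplified, vendor-neutral shape loosely modelled on cloud security groups and reports every rule that lets the whole internet (0.0.0.0/0 or ::/0) reach RDP or the other common remote-administration ports, including rules that do so indirectly through a wide port range or an all-protocols rule. The rule shape, its field names, the port table and the sample rules are all assumptions constructed for the example.

```python
import ipaddress

# Remote-administration services that should never be published to the
# whole internet; RDP is the one the alert singles out.
ADMIN_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}

# Constructed inbound rules in a simplified, vendor-neutral shape (assumption);
# proto "-1" follows the common convention for "any protocol, any port".
RULES = [
    {"name": "web",        "proto": "tcp", "from_port": 443,  "to_port": 443,   "source": "0.0.0.0/0"},
    {"name": "rdp-any",    "proto": "tcp", "from_port": 3389, "to_port": 3389,  "source": "0.0.0.0/0"},
    {"name": "rdp-vpn",    "proto": "tcp", "from_port": 3389, "to_port": 3389,  "source": "10.8.0.0/16"},
    {"name": "all-tcp-v6", "proto": "tcp", "from_port": 0,    "to_port": 65535, "source": "::/0"},
    {"name": "any-proto",  "proto": "-1",  "from_port": 0,    "to_port": 0,     "source": "203.0.113.0/24"},
]


def is_world_open(source: str) -> bool:
    """A /0 prefix in either address family means 'everyone'."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def rule_covers_port(rule: dict, port: int) -> bool:
    if rule["proto"] == "-1":          # any protocol, any port
        return True
    if rule["proto"] != "tcp":         # RDP, SSH and VNC are TCP services
        return False
    return rule["from_port"] <= port <= rule["to_port"]


def find_exposed_admin_ports(rules: list) -> list:
    """(rule name, service, port) for every admin port reachable from anywhere."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue
        for port, service in ADMIN_PORTS.items():
            if rule_covers_port(rule, port):
                findings.append((rule["name"], service, port))
    return findings


if __name__ == "__main__":
    for name, service, port in find_exposed_admin_ports(RULES):
        print(f"rule {name!r} exposes {service} (tcp/{port}) to the internet")
    # "rdp-vpn" is the intended shape: RDP reachable only from the VPN range.
```

The two findings worth noticing are the ones a quick eyeball of the rule names would miss: `all-tcp-v6` never mentions RDP but exposes it through a full port range on the IPv6 side, and the same logic flags any “-1” (all protocols) rule that is world-open. Feed the function the rule export from your own firewall or cloud console, translated into this shape, and treat every result as something to move behind the VPN or a gateway.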

Indicators of compromise

CISA and NCSC are working with law enforcement and industry partners to disrupt or prevent these malicious cyber activities and have published a non-exhaustive list of COVID-19-related IOCs via the following links:

In addition, there are a number of useful publicly available resources that provide details of COVID-19-related malicious cyber activity:


Malicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious cyber actors are using the high appetite for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant. For information regarding the COVID-19 pandemic, use trusted resources, such as the Centers for Disease Control and Prevention (CDC)’s COVID-19 Situation Summary.

Following the CISA and NCSC advice set out below will help mitigate the risk to individuals and organizations from malicious cyber activity related to both COVID-19 and other themes:

Phishing guidance for individuals

The NCSC’s suspicious email guidance explains what to do if you’ve already clicked on a potentially malicious email, attachment, or link. It provides advice on who to contact if your account or device has been compromised and some of the mitigation steps you can take, such as changing your passwords. It also offers NCSC’s top tips for spotting a phishing email:

  • Authority – Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.
  • Urgency – Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
  • Emotion – Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
  • Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
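These four cues, together with the spoofed-sender themes (WHO, “Dr.”, HR), the subject lines and the SMS financial lure quoted earlier in the alert, can be encoded as a first-pass triage score for a mail gateway or a help-desk tool. The Python below is an added example for this page, not NCSC’s or CISA’s code: one regular expression per cue, a check for a display name that claims an authority while the address sits on a consumer mail domain, a Reply-To domain that differs from the sender’s, and the presence of a call to action (a link or an attachment). The cue word lists, the free-mail domain list, the score threshold and the three sample messages are assumptions constructed for the example (the first two mimic lures described in the alert with made-up addresses; the third is benign).

```python
import re
from email.utils import parseaddr

# One regular expression per NCSC cue, plus the COVID-19 lure itself.
# The word lists are an assumption for this example, seeded from the subject
# lines and sender themes quoted in the alert; "WHO" is matched case-sensitively
# so that the ordinary word "who" does not count as an authority claim.
CUES = {
    "authority": r"\bWHO\b|(?i:world health organization|\bdr\.|human resources|\bhr department|ukgov|\bbank\b|government)",
    "urgency":   r"(?i:immediately|urgent|emergency|within 24 hours|past due|action required)",
    "emotion":   r"(?i:outbreak|confirmed cases|in your city|infected|panic)",
    "scarcity":  r"(?i:\bcure\b|limited|last chance|\bmasks?\b|thermometers?|rebate|payment|grant)",
    "covid-lure": r"(?i:coronavirus|covid|ncov)",
}

# Consumer mail domains; an institution writing from one of these is a mismatch.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def sender_mismatch(display: str, addr: str) -> bool:
    """Display name claims an authority, but the address is a free-mail account."""
    return re.search(CUES["authority"], display) is not None and domain_of(addr) in FREEMAIL


def triage_message(msg: dict) -> dict:
    display, addr = parseaddr(msg["from"])
    text = " ".join((display, msg.get("subject", ""), msg.get("body", "")))
    hits = [cue for cue, pattern in CUES.items() if re.search(pattern, text)]
    if sender_mismatch(display, addr):
        hits.append("sender-mismatch")
    reply_to = parseaddr(msg.get("reply_to", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        hits.append("reply-to-mismatch")
    # The alert notes every lure carries a call to action: a link or an attachment
    if re.search(r"https?://", msg.get("body", "")) or msg.get("attachment"):
        hits.append("call-to-action")
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= 3}


def triage_all(messages: list) -> list:
    return [triage_message(m) for m in messages]


# Constructed messages: the first two mimic lures described in the alert
# (addresses and links are made up or use reserved names), the third is benign.
SAMPLES = [
    {"from": "Dr. Tedros Adhanom Ghebreyesus <who.alerts2020@gmail.com>",
     "subject": "2019-nCov: Coronavirus outbreak in your city (Emergency)",
     "body": "Please review the attached safety measures immediately.",
     "attachment": "Coronavirus safety measures.xls"},
    {"from": "UKGOV <noreply@ukgov-covid-support.example>",
     "reply_to": "claims-desk@mail.example",
     "subject": "COVID-19 relief payment",
     "body": "You are eligible for a rebate. Claim within 24 hours at http://ukgov-covid-support.example/claim"},
    {"from": "Alice Example <alice@example.com>",
     "subject": "Lunch on Thursday?",
     "body": "Shall we try the new place by the office?"},
]

if __name__ == "__main__":
    for msg, result in zip(SAMPLES, triage_all(SAMPLES)):
        print(f"{msg['subject']!r}: score {result['score']} {result['hits']}")
```

A score like this is a triage aid, not a verdict: the alert itself says the four cues are how a person should read a message, and the header checks (sender and Reply-To domains) are the part that does not depend on wording and therefore survives when attackers change their lures. Tune the word lists from your own quarantine, and keep the threshold low enough that a message with a sender mismatch and a call to action is always reviewed.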

Phishing guidance for organizations and cybersecurity professionals

Organizational defenses against phishing often rely exclusively on users being able to spot phishing emails. However, organizations that widen their defenses to include more technical measures can improve resilience against phishing attacks.

In addition to educating users on defending against these attacks, organizations should consider NCSC’s guidance that splits mitigations into four layers, on which to build defenses:

  1. Make it difficult for attackers to reach your users.
  2. Help users identify and report suspected phishing emails (see CISA Tips, Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams).
  3. Protect your organization from the effects of undetected phishing emails.
  4. Respond quickly to incidents.

CISA and NCSC also recommend organizations plan for a percentage of phishing attacks to be successful. Planning for these incidents will help minimize the damage caused.

Communications platforms guidance for individuals and organizations

Due to COVID-19, an increasing number of individuals and organizations are turning to communications platforms—such as Zoom and Microsoft Teams— for online meetings. In turn, malicious cyber actors are hijacking online meetings that are not secured with passwords or that use unpatched software.

Tips for defending against online meeting hijacking (Source: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic, FBI press release, March 30, 2020):

  • Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. Change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications.
  • Ensure telework policies address requirements for physical and information security.


This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.


[1] CovidLock ransomware exploits coronavirus with malicious Android app. TechR…
[2] TrickBot Malware Targets Italy in Fake WHO Coronavirus Emails. Bleeping Com…
[3] Maze Ransomware Continues to Hit Healthcare Units amid Coronavirus (COVID-1…
[4] Spanish hospitals targeted with coronavirus-themed phishing lures in Netwal…
[5] COVID-19 Testing Center Hit By Cyberattack. Bleeping Computer. March 14, 20…
[6] CISA Tip: Protecting Against Malicious Code
[7] CISA Ransomware webpage
[8] NCSC Guidance: Mitigating malware and ransomware attacks
[9] CISA Alert: Detecting Citrix CVE-2019-19781
[10] NCSC Alert: Actors exploiting Citrix products vulnerability
[11] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability
[12] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide
[13] COVID-19 Impact: Cyber Criminals Target Zoom Domains. Check Point blog. Ma…
[14] FBI Press Release: FBI Warns of Teleconferencing and Online Classroom Hija…
[15] Microsoft Security blog: Human-operated ransomware attacks: A preventable …
[16] Reposify blog: 127% increase in exposed RDPs due to surge in remote work. …
[17] CISA Tip: Securing Network Infrastructure Devices


NSA Ranks Cloud Security Risks — Is Your Company Safe?

source: https://www.sdxcentral.com/articles/news/nsa-ranks-cloud-security-risks-is-your-company-safe/2020/01/

Moving to the cloud can improve a company’s security posture — but cloud services aren’t without risks, and organizations should both understand and address these risks before buying these services and deploying workloads in the cloud. To that end, the National Security Agency (NSA) published new guidance titled “Mitigating Cloud Vulnerabilities.”

The report targets companies’ leadership and technical staff. It highlights the basic components of cloud architecture and threat actors. And then it also ranks four different types of cloud security risks — misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities — that, according to the NSA, account for the vast majority of known security flaws.

While each cloud service provider's architecture will be slightly different, most clouds have four components in common: identity and access management (the controls customers use to protect access to their resources, together with the controls the provider uses to protect back-end cloud resources), compute, networking, and storage.

Shared Responsibility

The NSA report also discusses the concept of shared responsibility. This is important because security vendors and cloud service providers alike say many of their customers still don’t have a strong grasp on this model and how it works. Cloud providers like Amazon Web Services (AWS) and Microsoft Azure are responsible for protecting their public cloud infrastructure and implementing logical controls to separate customer data. The customer, however, is responsible for configuring application-level security controls, and for protecting its workloads running on cloud servers. In other words, both the cloud provider and the customer have a shared responsibility when it comes to cloud security.

“Shared-responsibility model is a tough one,” said James Christiansen, VP of cloud security transformation at Netskope. Part of the difficulty comes from “a mindset that when you outsource something, you wash your hands of it.”

In other words, when companies move from their on-premises infrastructure and into the public cloud, often they just assume that AWS or Azure is responsible for all the security measures needed to protect the resources running in the cloud. However, this is not the case.

Also, Christiansen says he’s not a fan of the term “shared responsibility.” Instead, “I would just go with a responsibility matrix: these are your responsibilities, and these are ours,” he added. “There are very distinct responsibilities, and when you see those failures, it’s often the failure of not understanding the part that they are responsible for.”

NSA’s Top 4 Cloud Vulnerabilities

The NSA categorizes cloud vulnerabilities and mitigations into four groups. It also says how prevalent each one is, and what level of sophistication it requires for an attacker to pull it off.

Misconfiguration, a widespread threat that requires a low level of sophistication, tops the list. According to the NSA, misconfiguration of cloud resources remains the most prevalent cloud vulnerability. "Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise," the report says. "The rapid pace of [cloud service providers'] innovation creates new functionality but also adds complexity to securely configuring an organization's cloud resources."

The report says least privilege and defense in depth are two of the security principles that organizations should apply from the planning phase. A least-privilege model restricts access for accounts to only the resources required to perform routine, legitimate activities. Defense in depth involves placing multiple layers of security controls throughout an IT system.
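The least-privilege point is easiest to see on an actual policy document. The following is an added example for this article, not code from the NSA report or from sdxcentral: a small checker that reads AWS IAM policy JSON and flags the statements that typically come out of a "just make it work" configuration. Both policy documents, the bucket name, the account ID and the log group are constructed for illustration; it only inspects Allow statements with explicit Action/Resource keys and does not evaluate NotAction, Condition blocks, or resource-level wildcards inside ARNs.

```python
"""Flag over-privileged statements in AWS IAM policy documents.

Added example for this page, not code from the NSA report or sdxcentral.
The policy documents, bucket, account ID and log group are constructed."""
import json

# Constructed example: a wildcard policy of the kind that is written while
# troubleshooting and never tightened afterwards.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
    ],
})

# Constructed example: the same workload scoped to what it actually does
# (read objects from one bucket, write to one CloudWatch log group).
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-data/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/example:*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overprivileged_statements(policy_json):
    """Return a list of (statement_index, reason) findings.

    Three patterns that usually mean nobody scoped the statement:
      - Action "*"            : every API call in every service
      - a service-wide "svc:*" : every API call in one service
      - Resource "*" combined with a non-read (mutating) action
    Only Allow statements are examined; Deny statements can only narrow access.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append((idx, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((idx, f"service-wide wildcard action {action}"))
        # Treat Get*/List*/Describe* as read-only; everything else can change state.
        mutating = [a for a in actions
                    if not a.split(":")[-1].startswith(("Get", "List", "Describe"))]
        if "*" in resources and mutating:
            findings.append((idx, f"Resource '*' with mutating actions {mutating}"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(name, find_overprivileged_statements(doc))
```

Run against the two constructed documents, the broad policy yields three findings (the global wildcard, the wildcard resource paired with it, and the s3:* service wildcard) and the scoped policy yields none; the same function can be pointed at exported policy documents from an account to get a first-pass list of what to tighten.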

The No. 2 vulnerability — poor access control — arises when companies gate access to cloud resources with weak authentication, or when those resources have flaws that let attackers bypass authentication altogether. The NSA deems this vulnerability widespread and says exploiting it requires a moderate level of sophistication.

Organizations can mitigate poor access control by enforcing strong authentication, such as multi-factor authentication, and by using automated tools to audit access logs.
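What "audit access logs" looks like in practice, as an added example for this article (not code from the NSA report or sdxcentral): a checker that walks CloudTrail-style events and reports the weak-authentication signals a reviewer would look for first. The events below are constructed for illustration (the field names eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin and sourceIPAddress follow the CloudTrail record layout), and the trusted network range is an assumption standing in for a company's known egress addresses.

```python
"""Audit CloudTrail-style events for weak-authentication signals.

Added example for this page, not code from the NSA report or sdxcentral.
All events and the trusted network below are constructed."""
import ipaddress
import json

# Constructed sample: three console sign-ins and one API call.
SAMPLE_EVENTS = [
    json.dumps({"eventName": "ConsoleLogin", "eventTime": "2020-01-22T08:01:00Z",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "additionalEventData": {"MFAUsed": "Yes"},
                "responseElements": {"ConsoleLogin": "Success"},
                "sourceIPAddress": "198.51.100.10"}),
    json.dumps({"eventName": "ConsoleLogin", "eventTime": "2020-01-22T08:05:00Z",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "additionalEventData": {"MFAUsed": "No"},
                "responseElements": {"ConsoleLogin": "Success"},
                "sourceIPAddress": "203.0.113.7"}),
    json.dumps({"eventName": "ConsoleLogin", "eventTime": "2020-01-22T23:40:00Z",
                "userIdentity": {"type": "Root"},
                "additionalEventData": {"MFAUsed": "No"},
                "responseElements": {"ConsoleLogin": "Success"},
                "sourceIPAddress": "203.0.113.99"}),
    json.dumps({"eventName": "CreateUser", "eventTime": "2020-01-22T23:41:00Z",
                "userIdentity": {"type": "Root"},
                "sourceIPAddress": "203.0.113.99"}),
]

# Assumption: the company's known egress range (constructed, documentation prefix).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def audit_events(raw_events, trusted_networks=TRUSTED_NETWORKS):
    """Return one finding dict per suspicious event.

    Signals checked:
      - successful console login without MFA
      - any use of the root account (break-glass only; everyone else gets IAM users/roles)
      - console login from an address outside the trusted networks
    Events with no signal are skipped, so the result is a short review list.
    """
    findings = []
    for raw in raw_events:
        ev = json.loads(raw)
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type")
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root account used")
        if ev.get("eventName") == "ConsoleLogin":
            success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if success and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                reasons.append("console login without MFA")
            src = ipaddress.ip_address(ev["sourceIPAddress"])
            if not any(src in net for net in trusted_networks):
                reasons.append(f"login from untrusted address {src}")
        if reasons:
            findings.append({"time": ev.get("eventTime"), "who": who,
                             "event": ev.get("eventName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS):
        print(f["time"], f["who"], f["event"], "; ".join(f["reasons"]))
```

On the constructed sample the first login (alice, MFA, trusted address) is clean; bob's login is flagged for missing MFA and an untrusted address; the root login collects all three signals, and the root CreateUser call is flagged on its own. The same checks translate directly into alert rules in whatever log pipeline the account feeds.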

No. 3, shared tenancy vulnerabilities, remain rare, according to the report, and require a high level of sophistication. But these types of vulnerabilities in cloud hypervisors or container platforms can be especially severe.

To mitigate these, the NSA advises enforcing encryption of data at rest and in transit. And for especially sensitive workloads, companies should use dedicated or bare-metal cloud instances.

If companies don’t use a dedicated instance, Christiansen suggests requiring that the cloud provider perform a forensic analysis of the logs, separating your logs from those of the other tenants. Organizations should write this into the contract when they initially buy cloud services, he said.

Supply Chain Security

Finally, the NSA says the No. 4 vulnerability — supply chain security flaws — remain rare, and require highly sophisticated attackers. But many threat hunters and security vendors agree supply chain security risks are becoming more common and they expect to see these types of attacks increase this year.

Supply chain vulnerabilities include inside attackers, intentional flaws and backdoors in hardware and software, and partners and suppliers whose security may not be up to par, which lets attackers reach a target's cloud resources through its suppliers' networks.

Christiansen agrees that attackers need to be pretty sophisticated to pull off a supply chain attack, but says he was surprised to see it rated rare.

“You think about the big corporations and they have done a really good job of fortifying their security,” he said. “But then when they go to a third party, the third party doesn’t have the same level of security, and that’s when you are seeing the weakest-link problem. We’ve seen this as far back as the Target breach. It’s a very big attack surface, and I believe that third parties are absolutely a target for state-sponsored attacks and organized attacks.”

While cloud service providers “mitigate the risk of inside attackers through controls such as role separation, two-person integrity for especially sensitive operations, and alerting on suspicious administrator activities,” enterprises can improve their security posture against supply chain compromise, the report says. This includes encrypting data at rest and in transit, and also selecting cloud offerings that have had critical components evaluated against National Information Assurance Partnership (NIAP) Protection Profiles (PPs).

You Can’t Secure What You Can’t See

Christiansen suggests the NSA report could have included a couple additional pieces of cloud security guidance.

“The real salient parts are the right ones, and those are the things companies should be looking at when they evaluate their security strategy,” he said. “But where it’s less obvious” is in companies’ multi- and hybrid-cloud environment, where organizations may run some workloads on AWS, others on Azure, and still others in a private cloud. “How do we bring all these multi-cloud threat detection tools and be able to monitor these different environments? That point got a little lost. You have to look at not just one cloud provider, but all the cloud providers, and bring those all together in a single pane of glass.”

He also suggests putting controls in place to ensure that the security and IT teams know when a business unit uses a company credit card to purchase a new cloud instance or even software-as-a-service. "A business unit could do this, load confidential information on it, and it would be completely insecure because we didn't even know about it," Christiansen said. "You can't do all those things in the [NSA] guidance if you don't know about it."

Meet with the procurement and financial groups to review credit card statements and look for cloud purchases, he said. And then, implement a policy that says “thou shalt not do this, enforce that policy, and educate your staff.”


