Q&A: 5 vectors of cybersecurity vulnerabilities your agency shouldn’t overlook

FEDTECH: What is the second most overlooked vector of security?

Sabaj: The second major overlooked security vector is cloud security. As part of the federal government, FedRAMP Certification goes beyond the security cloud providers already offer, which is great. But once you’re in the cloud environment, there’s the whole shared security model. Cloud providers are responsible for the security of cloud platforms, but once you have your own infrastructure within one of the cloud service providers, you are responsible for the security of everything you put into that infrastructure. Many people are still unaware of this fact.

FEDTECH: How does zero trust work in a multicloud environment, where information can be stored in any number of places?

Sabaj: When you enter a multicloud and hybrid cloud environment, you may have data in Amazon Web Services, you can have it in Microsoft Azure, you can have it in Google Cloud Platform. You may be using cloud services such as Dropbox or Box. You might have a hybrid cloud where you do virtualization in your own environment. You need a system that can understand all of this and provide consistent security controls across a hybrid, multi-cloud environment, not just rely on information provided by individual cloud providers. Not that they don’t provide great information, but AWS isn’t going to monitor Azure for you, and vice versa.


From a cloud security perspective, the most important thing people can do is implement some type of security posture management tool. Simply understanding and knowing your cloud footprint is the first step to securing your cloud, and you need to have a posture management tool to do that.

We have a cloud solution we call CloudGuard Security Posture Management. It is a multi-cloud, hybrid cloud solution that allows you to gain visibility and perform security monitoring and automatic remediation of your entire cloud environment. It will go in and analyze the cloud environment and perform asset discovery, check security best practices, and continuously monitor that cloud environment for security issues. It also tells you how your cloud environment is interconnected and can show you blind spots where you have no visibility.

FEDTECH: So what is number 3?

Sabaj: The next overlooked vector of security is the combination of open source, supply chain, and DevOps security. We are no longer content to develop applications, test them, put them into production, maintain them and then update them regularly. It’s all continuous integration and continuous development, shift left, DevSecOps, DevOps, whatever industry terms you want to use. This introduces the concept of infrastructure as code: applications and entire environments are launched in seconds using CloudFormation scripts or templates that can also bring in third-party libraries and applications. This opens up several different security vulnerabilities: malicious code insertion or supply chain attacks, and non-malicious, poorly written code that may contain security vulnerabilities. Through automation and continuous development, insecure code can be automatically deployed in tens or even thousands of places.

From an open source/DevSecOps/supply chain perspective, you need to introduce security into your shift-left or DevSecOps process. This comes in the form of infrastructure-as-code scanning. Most cloud environments are scripted and come from CloudFormation templates or Ansible scripts or whatever tools you use that pull information from different sources and automatically create your cloud environment. It is very easy to introduce security issues into these templates and then automatically create an insecure environment in the blink of an eye.

You need security that continuously monitors your code development for bad practices such as including vulnerable third-party libraries in your code or embedding encryption keys or authentication credentials; once that code is exposed, people can compromise authentication and throw your zero-trust principles out the window. Just like the security posture management tool, these are continuous tools that run constantly. You can detect these vulnerabilities as they occur, and it also makes your developers more security aware. It creates that same constant user awareness where, in this case, the user is a developer, not just an average end user.
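As an added illustration of the infrastructure-as-code scanning described in the answer above (example code written for this page, not Check Point's CloudGuard or any product's logic), the following Python checks a constructed CloudFormation-style JSON template for two of the issues mentioned: a security group that exposes an administrative port to the whole internet, and a credential embedded as a literal instead of being referenced from a parameter. The template, resource names and rule names are all constructed for the example.

```python
import json
import re

# Constructed template with two deliberate findings: a world-open SSH rule
# and a database password embedded as a literal string.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUsername": "admin",
            "MasterUserPassword": "literal-placeholder-not-a-real-secret"}},
        # Acceptable pattern: the password comes from a parameter, not a literal.
        "Safe": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": {"Ref": "DbPasswordParam"}}},
    }
})

SECRET_KEYS = re.compile(r"password|secret|apikey|privatekey|token", re.I)
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def _walk(node, path=()):
    """Yield (path, key, value) for every key/value pair in a nested template."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield path + (k,), k, v
            yield from _walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + (str(i),))

def scan_template(text):
    """Return sorted (resource, rule) findings for a JSON template string."""
    findings = set()
    for name, res in json.loads(text).get("Resources", {}).items():
        props = res.get("Properties", {})
        for rule in props.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0" and any(
                    rule.get("FromPort", 0) <= p <= rule.get("ToPort", 0) for p in ADMIN_PORTS):
                findings.add((name, "admin-port-open-to-world"))
        for _, key, value in _walk(props):
            # A literal string under a secret-looking key is an embedded credential;
            # a Ref or dynamic reference (a dict) is the acceptable pattern.
            if SECRET_KEYS.search(key) and isinstance(value, str):
                findings.add((name, "embedded-secret"))
    return sorted(findings)
```

Running `scan_template(SAMPLE_TEMPLATE)` flags `Db` for the embedded secret and `WebSg` for the world-open port 22 rule, while the HTTPS rule and the parameter-referenced password pass; the same check can run in a pipeline step before the template is ever applied.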


FEDTECH: I was surprised by the number of commercial IT products that relied on Log4j. Was this a generally known fact before the vulnerability was discovered?

Sabaj: Log4j has been used in literally millions of applications out there. Really, any Java application that did logging used Log4j. It wasn’t malicious; it was a library that was started many years ago and was maintained by a few people who did it in their spare time, without pay. This raises the question of who is ultimately responsible for open source security.

You had many commercial applications using Log4j. Many security vendors used it. Check Point was using it, but we were using a different version than the vulnerable one. It’s not that we saw a specific problem with this version of Log4j, but we thought a different version was more secure, and we were right. Again, this raises the question of who is ultimately responsible for the security of all these commercial applications using open source. I would like to think that commercial operators should do their due diligence and not rely on some really nice guys who have maintained this code for free for many, many years.

We have an application security product called CloudGuard AppSec. It is an AI-based application security platform that primarily runs in the cloud, but can also run in a hybrid cloud. It was really the only solution we know of that could detect Log4j even before it was known. Now, we didn’t detect it as Log4j, we detected it as a possible cross-site scripting attack, which it basically did, but we detected Log4j before it was even known with this AI-powered solution.
