DBO595

HB1PMS > TECH     04.02.20 10:35l 101 Lines 5082 Bytes #999 (0) @ WW
BID : 926HB1PMS
Read: GAST
Subj: NSA Releases Guidelines to Improve Cloud Security
Path: DBO595<DBX320<FRB024<BBS645<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200203/1526Z 6857@HB1BBS.ZL.NLD.EU BPQ6.0.19

Van: HB1PMS@HB1BBS.ZL.NLD.EU

NSA Releases Guidelines to Improve Cloud Security

January 29, 2020 | Strategy and Planning 

nsa,national,security,agency,snowden,edward,logo,surveillance,secret,usa,ser
vice,coat,american,politics,adler,america,amerikanisch,armes,berlin,deutschl
and,eagle,electronic,emblem,embleme,geheimdienst,german,germany,icon,interne
t,of,politik,sign,signage,wappen
The guidelines include mitigation techniques for cloud vulnerabilities other 
than the identification of cloud security components, threat actors and 
more.
NSA hopes that organizations can gain perspective on cloud security 
principles while addressing cloud security considerations to assist with 
cloud service procurement.
The National Security Agency (NSA) has released new guidelines to help 
organizations improve the security of data stored on the cloud. The 
guidelines include mitigation techniques for cloud vulnerabilities other 
than the identification of cloud security components, threat actors and 
more.

With the release of the guideline, NSA hopes that organizations can gain 
perspective on cloud security principles while addressing cloud security 
considerations to assist with cloud service procurement. The guide is 
designed both for the organizational leadership team and technical staff.

What are the major flaws?

According to the guide, cloud vulnerabilities can be divided into four 
categories: misconfiguration, poor access control, shared tenancy flaws, and 
supply chain vulnerabilities.

Misconfiguration: Termed as the most prevalent cloud vulnerability, a 
misconfiguration can enable attackers to access cloud data and services. In 
May 2017, this kind of security flaw had caused a large defense contractor 
to expose sensitive NGA data and authentication credentials to the public. 
Likewise, in September 2017, a security researcher had discovered CENTCOM 
data accessible to all public cloud users and in September 2019, sensitive 
travel details of Department of Defense (DoD) personnel were exposed due to 
the same security flaw. And there are countless examples of the same flaw 
impacting private companies as well.

Poor access control: This occurs when cloud services use weak authentication 
methods or include vulnerabilities that bypass these vulnerabilities. 
Weaknesses in access control mechanisms can allow an attacker to elevate 
privileges, resulting in the compromise of cloud resources. The cyberattacks 
in October 2019 by the Phosporous group on Microsoft customers and the 
attacks in March 2018 by the Iranian Mabna Institute where email accounts 
were compromised by bypassing multi-factor authentication, are examples of 
how this flaw can be exploited by threat actors.

Shared tenancy vulnerabilities: Cloud platforms consist of multiple software 
and hardware components. Adversaries who are able to determine the software 
of hardware used in a cloud architecture can take advantage of 
vulnerabilities to elevate privileges in the cloud. The occurrence of such 
attacks is estimated to be rare as the sophistication level is ‘high’.

Hardware vulnerabilities in processors can also have a large impact on cloud 
security. One such case is the flaws in chip design that can result in the 
compromise of tenant information in the cloud through side-channel attacks.

Supply chain vulnerabilities: Supply chain vulnerabilities in the cloud 
include the presence of insider threats and intentional backdoors in 
hardware and software. In addition to this, third-party software cloud 
components may contain vulnerabilities intentionally inserted by rogue 
developers to compromise the application. Inserting an agent into the cloud 
supply chain, as a supplier, administrator or developer, could be an 
effective means for nation-state attackers to compromise cloud environments.

Conclusion

Managing risks in the cloud is a responsibility on the shoulders of cloud 
service providers (CSPs). Thus, CSPs should deploy the right countermeasures 
to help customers harden their cloud resources. Security in the cloud is a 
constant process and customers should also continually monitor their cloud 
resources and work to improve their security posture.

73 Henk.

======================================================================
  _    _ ____  __ ____  ____   _____ 
 | |  | |  _ \/_ |  _ \|  _ \ / ____|  SYS: Henk (hb1nos@hb1bbs.com)
 | |__| | |_) || | |_) | |_) | (___    QTH: Ouwerkerk - JO11XO
 |  __  |  _ < | |  _ <|  _ < \___ \   BBS: HB1BBS.ZLD.NLD.EU
 | |  | | |_) || | |_) | |_) |____) |  QRV: 27.235 MHz (FM 1200bps)
 |_|  |_|____/ |_|____/|____/|_____/   WEB: www.hb1bbs.com

======================================================================

** Host of BPQ Netrom/Node NLDHUB::NL9HUB 85.214.163.10 UDP 93  

======================================================================
** This message is generated with Sally 7.2.033
----------------------------------------------------------------------
** Timed maandag 03 februari 2020  16:24 West-Europa (standaardtijd)
** BBS HB1PMS@HB1BBS.ZL.NLD.EU





Lese vorherige Mail | Lese naechste Mail