How Do I Urgently Harden Cloud Services?
This week the White House released a statement warning of potential cyber attacks. The statement was accompanied by a fact sheet outlining specific steps companies should take “with urgency” to “harden cyber defenses immediately.”
ScaleSec builds modern security programs with cloud customers. We offer this review of the White House Cybersecurity Statement to equip those who need answers and guidance immediately.
Many of our clients are already addressing the security steps outlined below. But many more start-ups and small-to-medium sized businesses are facing these challenges with staff stretched thin, in conditions where hiring is as difficult as it has ever been, and when technology is evolving faster and faster.
Major cloud providers include native security services and features that security administrators can use right away. Our team has pulled together a concise list of links to accelerate planning and implementation. We hope this encourages teams to further secure their cloud environments, and allows companies to stay as focused as possible on their businesses.
Part 1: For All Companies
We urge companies to execute the following steps with urgency:
Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
Google Cloud Identity and Google Workspace (G Suite) Enforce uniform MFA to company-owned resources | Cloud Identity
For a multifactor authentication device, we recommend use of hardware keys which have been shown to greatly reduce phishing.
Deploy modern security tools on your computers and devices to continuously look for and mitigate threats
Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities
and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
A password manager is useful here. Here are some:
Back up your data and ensure you have offline backups beyond the reach of malicious actors;
Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
Understand the role your provider plays:
Note: The AWS Security Incident Response Guide includes notes about simulations Simulate - AWS Security Incident Response Guide
Note: CISA provides materials for tabletop exercises CTEP Package Documents | CISA
Review your support plans and make sure the support and SLAs meet your business needs.
Encrypt your data so it cannot be used if it is stolen;
Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
- Training options https://www.google.com/search?q=employee+security+training
Anomaly detection in cloud:
Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.
Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.
Part 2: For "Technology and Software Companies"
We encourage technology and software companies to:
Build security into your products from the ground up — "bake it in, don't bolt it on" — to protect both your intellectual property and your customers' privacy.
Start from the ground up by securing your cloud platform. Look for issues reported in the security dashboard for your cloud:
Develop software only on a system that is highly secure and accessible only to those actually working on a particular project. This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.
Manage access control and other policies centrally with these cloud services:
Azure Overview of Azure Policy
Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.
Code security scanning services:
Microsoft About GitHub Advanced Security
OWASP maintains a list here: Vulnerability Scanning Tools | OWASP Foundation
In-line web security services:
Operating system vulnerability management:
Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, much of which is open source. Make sure developers know the provenance (i.e., origin) of components they are using and have a "software bill of materials" in case one of those components is later found to have a vulnerability so you can rapidly correct it.
Microsoft Features · Security · GitHub
Get started with SBOM:
Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity.
We wrote about this EO here: Executive order | ScaleSec
The information presented in this article is accurate as of 3/23/2022. Follow the ScaleSec blog for new articles and updates.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.