2018-07-24
The same technology that drives faster collaboration and data transfer also lets cybercriminals spread ransomware rapidly.
An industry professional says: "The most important thing you can do is secure the cloud compute layer. It is easy to automate, and startups and large enterprises alike can do it easily."
Securing the compute layer ensures the availability of systems and data, and prevents threat actors from using your computing power to spread malware across the whole organization. He also holds that the first thing an organization should do is enable secure login by issuing SSH keys to individuals.
Experts recommend knowing where your formal and informal assets are located, a very important but frequently overlooked step when planning a response to a ransomware attack.
For example, many developers run quick tests on servers in the cloud without fully understanding the security and compliance implications of doing so. Sometimes they expose full copies of production databases, a mistake that adds a confidentiality problem on top of the ransomware and availability problems.
As for storage, the expert advises using cheap cloud storage to keep snapshots, files, folders, and anything else needed to rebuild your operations. Keep them in cold storage in a separate account protected by MFA (multi-factor authentication).
"This is a disaster recovery problem, not just an intrusion in which PII (personally identifiable information) was stolen while the network and data were otherwise left intact."
Others also recommend separating data storage, especially offline backups, so that the backups are protected if an attack occurs.
"We are all using real-time cloud storage, which is great," he says, "but fast auto-syncing means every copy gets infected too, so we need to take the extra step of scheduling regular backups."
Industry professionals say that, now that the architecture is suitable, businesses should take the opportunity to segment their networks. This limits and contains the spread of a ransomware attack.
He uses the Target breach as an example: "If I'm living in a non-segmented network, my whole network is exposed locally." The attackers only needed to compromise an HVAC system to carry out a disastrous attack.
In the cloud, security teams can use the architecture to put "gates" between critical activities. If an attack occurs, walls and containment zones around components can protect them.
Experts consider identity management the second most important measure after securing the cloud compute layer.
He says: "Without strong identity management, you don't know who is doing what outside your critical security layers. Once you have your core security layers in place, you can understand people's characteristics and normal behavior patterns, which helps you make smarter business decisions."
As more and more people use the cloud to work from anywhere at any time, identity management becomes ever more important. A distributed workforce makes monitoring activity and looking for anomalous behavior "very important." "Identity management also extends beyond the corporate walls."
In addition to using complex, secure passwords and multi-factor authentication, businesses should limit employees' access to sensitive information. Employees should only be able to access the accounts and systems they need for their work. This limits the scale of attack an attacker can carry out once they gain access to an account.
Identity and Access Management (IAM) policies and access control lists help businesses organize and control permissions on cloud storage. Bucket policies let businesses grant or deny permissions based on accounts, users, or conditions such as IP address or date.
Industry experts also stress the importance of monitoring user activity and account permissions. Ransomware attackers aim to obtain higher access privileges on target accounts. If they obtain those privileges, they can create accounts on the system that should not exist.
On the management side, protecting privileged accounts is relatively simple. "I may not be able to cover thousands of user accounts, but I can cover 200 administrative accounts," he says.
A jump host sits in a different security zone and provides the only way to access the other servers or hosts in the system. Some consider it "a one-stop inbound access method from a management perspective," noting that it has been around for a while but has not yet been widely adopted.
The host is the single administrative entry point. It is configured with a standard DNS name and IP address, and only allows logins from corporate IPs before granting broader access.
Because the jump host is a single entry point, it simplifies the process of protecting the server and maintaining strict access controls. If this server is compromised, it is easy to create a new one.
"A jump host is not immune to attack either, but it can reduce the attack surface to a very small access point." Securing one server is easier than securing thousands, especially during an emerging attack.
Industry experts point out that one of the most important issues is that it is getting harder and harder to determine which endpoints are vulnerable to ransomware, let alone install security software to protect them.
He advises businesses to implement a cloud-based security-as-a-service solution that shares a common threat intelligence repository and can block ransomware downloads. While he does not describe a specific solution, he notes that Secure Web Gateway and CASB-type functionality is needed.
Managing firewalls at the hypervisor level lets security leaders set clear rules about who can send, receive, and access inbound and outbound data, which data can be sent, and how much.
Many experts are hesitant to set outbound rules, but they are important because ransomware can lead to the exposure of intellectual property. If you can write real-time monitoring and enforcement actions on the firewall, you have a better chance of maintaining consistency across the whole environment.
Another expert adds that leaders should perform ingress and egress filtering. "Monitor for C&C activity, and only allow compliant traffic out."
Experts warn against letting services communicate with SaaS services such as Github. Once a threat actor has access to your Git repository, they can infect and access more corporate systems the next time a service communicates with Github.
He advises businesses to store their Git or code repositories in their own cloud environment, but notes that this practice may take time to adopt.
"This is hard for people to adopt," he admits. "As services get better and there are more self-hosting options, companies can have better control over data leaving their environment."
9 Ways to Protect Your Cloud Environment from Ransomware
6/27/2017 08:00 AM
The same technology driving faster collaboration and data transfer also enables cybercriminals to quickly spread ransomware.
"The most critical thing you can do, out the gate, is go and secure the cloud computer layer," says Tim Prendergast, founder and CEO at Evident.io. "It's easy to automate, easy to approach for startups and big enterprises alike."
Securing the compute layer will ensure the availability of both systems and data, and prevent threat actors from leveraging your computing power to drive the spread of malware throughout your organization. To start, he says, enable secure login by issuing SSH keys to individuals.
Shpantzer advises knowing where your formal and informal assets are located -- a common oversight but important step in planning for and addressing a ransomware attack.
He explains how, for example, many developers are spinning up servers in the cloud for quick testing, but aren't fully aware of the security and compliance implications of doing so. Sometimes they expose full copies of production databases, a mistake that adds confidentiality issues in addition to the ransomware and availability issue.
"Know what's on your formal assets and understand shadow IT and how to mitigate it," Shpantzer says.
For restoration, he advises using cheap cloud storage to grab snapshots, files, folders, and anything you need to reconstitute your operations. Store them in cold storage on a separate MFA-protected account.
"This is about disaster recovery, not just an intrusion incident where someone merely copied PII and left your network and data otherwise intact."
Reavis also recommends separate data storage, specifically offline backups, to stay safe in the event of an attack.
"We are all using real-time cloud storage, which is great," he says. "But the fast autosyncing means that all your copies are infected as well, so it isn't a replacement for the extra effort to schedule backups regularly."
Pironti says businesses should take advantage of the opportunity to segment their networks, now that the architecture is available for them to do it. This can limit and contain the spread of a propagating ransomware attack.
"If I'm living in a non-segmented network, my whole network becomes exposed locally," he explains, using the Target breach as an example. Attackers needed only to compromise an HVAC system to conduct a disastrous incident.
In the cloud, Pironti continues, security teams can use architecture that enables them to put "gates" between critical activities. Walls and containment areas around components can protect them if they're in trouble.
Prendergast puts identity management next to securing the cloud compute layer as the second-most critical step in protecting the cloud against ransomware.
"Without strong identity management, you don't have an idea of who's doing what outside your critical security layers," he explains. "Once you have your core security layers in place, knowing people by uniqueness and their normal behavioral patterns, it helps you make smarter business decisions."
He says this is increasingly important as more people use the cloud to work from wherever they want. The distributed workforce is making a "huge difference" in the importance of monitoring activity and finding anomalies.
"Identity management extends outside the corporate walls as well," Prendergast notes.
In addition to enforcing complex, secure passwords and multi-factor authentication, businesses should also limit employees' access to sensitive information. People should only be able to access the accounts and systems they need to be productive. This limits the damage an attacker can do if they access an account.
Identity and Access Management (IAM) policies and Access Control Lists can help organize and control permissions to cloud-based storage. Bucket policies let you set or deny permissions by accounts, users, or conditions like IP address or date.
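As an added example (not code from the article or any of the people quoted), the following builds the kind of bucket policy just described for an MFA-protected cold-storage backup bucket, denying requests from outside corporate IP ranges and denying deletes made without MFA, and includes a small evaluator so the Deny conditions can be exercised offline. The bucket name and CIDR ranges are assumed placeholders, and only the explicit-Deny side of policy evaluation is modelled.

```python
import ipaddress

# Added example (not the article's code). Bucket name and CIDRs are placeholders.
def backup_bucket_policy(bucket, corporate_cidrs):
    """S3-style bucket policy (dict): deny every request from outside the corporate
    IP ranges, and deny object deletion unless the caller authenticated with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideCorporateIPs",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(corporate_cidrs)}},
            },
            {
                "Sid": "DenyDeleteWithoutMFA",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # BoolIfExists: a missing MFA key evaluates as true, so the Deny applies
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }

def _applies(stmt, action, ctx):
    """Does the statement match this request (action plus its conditions)?"""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in actions):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, value in pairs.items():
            if operator == "NotIpAddress":
                src = ipaddress.ip_address(ctx[key])
                if any(src in ipaddress.ip_network(c) for c in value):
                    return False  # request came from an allowed range
            elif operator == "BoolIfExists":
                if key in ctx and str(ctx[key]).lower() != value:
                    return False  # key present and not "false": MFA was used
    return True

def denied(policy, action, ctx):
    """True if an explicit Deny matches; ctx holds request keys such as aws:SourceIp.
    Only the Deny side of AWS evaluation is modelled: an explicit Deny always wins."""
    return any(s["Effect"] == "Deny" and _applies(s, action, ctx) for s in policy["Statement"])
```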
Pironti also emphasizes the importance of monitoring user activity and account permissions. Ransomware attackers aim to reach higher levels of privilege on target accounts. If they have the privilege, they can create accounts on the system that should not be there.
Securing privileged accounts, at least, is a more tractable problem for security pros struggling with the scale of account management. "I may not be able to cover thousands of user accounts, but I can cover 200 administrative accounts," he says.
A jump host sits in a different security zone and provides the only means of accessing other servers or hosts in the system. "It's a one-stop methodology for inbound access from a management perspective," says Prendergast, noting it has been around for a little while but has not been widely adopted.
The host is a single administrative entry point into the business. It is configured with a standard DNS name and IP address, and only accepts logins from corporate IPs before giving them broader access to the environment.
Because the jump host is a single entry point, it simplifies the process for protecting this server and maintaining strict access controls. If the single server gets jumped, it's easy to create a new one.
"It's not unhackable," says Prendergast of the jump host. "But you're reducing the attack surface to a very small access point." It's easier to secure one server than secure thousands, especially in an emerging attack.
One of the most important considerations, says Reavis, is to realize it's getting harder and harder to know which endpoints are vulnerable to ransomware -- let alone try to install security software to protect them.
He advises businesses implement a cloud-based security-as-a-service solution, which shares a common threat intelligence repository and can block ransomware downloads. While he doesn't mention specific solutions, he says Secure Web Gateway and CASB-type functionality are needed.
Managing firewalls at the hypervisor level enables security leaders to set definitive rules about who can send, receive, and access inbound and outbound data, which data can be sent, and how much.
Many pros are hesitant to set outbound rules, but they are important because ransomware threatens exposure of intellectual property. "If you can write realtime monitoring and enforcement actions on the firewall, there is a better chance of maintaining consistency across the environment," says Prendergast.
Pironti adds that leaders should be doing ingress and egress filtering. "Monitor for command-and-control activity," he says. "Only traffic that should leave the environment leaves the environment."
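As an added example of the egress monitoring described above (not code from the article or its interviewees), the following checks constructed flow records against an egress allowlist and flags internal hosts that contact unapproved destinations at regular intervals, the shape that command-and-control beaconing typically has. The internal network, the allowlist, and the sample flow lines are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example (not the article's code). Constructed flow records in the form
# "<epoch> <src_ip> <dst_ip> <dst_port> <bytes>"; networks and allowlist are assumed.
SAMPLE_FLOWS = """\
1500000000 10.0.1.15 203.0.113.20 443 5120
1500000060 10.0.1.15 198.51.100.9 8443 312
1500000120 10.0.1.15 198.51.100.9 8443 310
1500000180 10.0.1.15 198.51.100.9 8443 315
1500000200 10.0.1.22 203.0.113.20 443 9100
1500000240 10.0.1.15 198.51.100.9 8443 309
1500000300 10.0.1.22 10.0.2.5 5432 2048
"""
INTERNAL = ip_network("10.0.0.0/8")
# Destinations that traffic is allowed to leave for (e.g. an approved SaaS range)
EGRESS_ALLOWLIST = [(ip_network("203.0.113.0/24"), 443)]

def parse_flows(text):
    """Parse flow lines into (ts, src, dst, port, nbytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), ip_address(src), ip_address(dst), int(port), int(nbytes)))
    return flows

def unapproved_egress(flows):
    """Flows leaving INTERNAL whose destination/port is not on the egress allowlist."""
    return [f for f in flows
            if f[1] in INTERNAL and f[2] not in INTERNAL
            and not any(f[2] in net and f[3] == port for net, port in EGRESS_ALLOWLIST)]

def beacon_candidates(flows, min_hits=3, max_jitter=5):
    """(src, dst, port) keys with regular-interval unapproved connections, a common
    C2 beaconing shape; returns {key: median_interval_seconds}."""
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in unapproved_egress(flows):
        by_key[(str(src), str(dst), port)].append(ts)
    found = {}
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_hits:
            continue
        gaps.sort()
        median = gaps[len(gaps) // 2]
        if max(abs(g - median) for g in gaps) <= max_jitter:
            found[key] = median
    return found
```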
Prendergast cautions against allowing services to call home to SaaS services like Github. Once a threat actor gets access to your Git repo, they can infect and potentially gain access to more corporate systems the next time one of those systems calls home.
He advises businesses to store their Git or code repositories in their own cloud environments but acknowledges this practice may take time to adopt.
"This is one that's extremely hard for people to not do," he admits. "As services get better and there are more self-hosting options, companies can have better control over data leaving their environment."
Attachments:
9 Ways to Protect Your Cloud Environment from Ransomware -- original.pdf
9 Ways to Protect Your Cloud Environment from Ransomware -- translation.pdf