RSA Warns: Cloud Providers Install Middleware Without Telling Their Customers

At the RSA security conference, held a few days ago in San Francisco, many cybersecurity findings came to light, both on-premises and in the cloud, according to The Register. Among them is the confirmation by Wiz researchers that virtually all cloud providers install middleware and similar tools on customer machines without the knowledge or consent of those customers. That is, software deployed between the provider’s application layer and the operating system and network layers.

These researchers, who not long ago announced the discovery of four serious security flaws in the Azure Open Management Infrastructure (OMI) agent, which they named OMIGOD, were the ones who confirmed that practically all cloud service providers have this type of agent installed, in many cases without the customers who contract their services knowing it.

Both Nir Ohfeld and Shir Tamari, the Wiz researchers, pointed out at RSA that the agents installed in this way are middleware, acting as a bridge between the customers’ virtual machines and the rest of the provider’s managed services. These agents are admittedly necessary to deliver advanced virtual machine services such as log collection, automatic updates and configuration synchronization. The downside is that they also add attack surface: since customers don’t know the agents exist, they cannot defend against attacks on them.

In the case of OMIGOD, the security issues included a bug with a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10, meaning that an attacker could remotely gain root and execute code on the machine. Microsoft patched the vulnerabilities, but most of the patches had to be applied by hand.

Wiz has published a page on GitHub listing a dozen silently installed agents such as OMI in Azure, AWS and Google Cloud, and has already hinted that the list is probably not complete.
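The practical consequence of the Wiz finding is that an operator cannot rely on their own deployment records to know what is listening on a cloud VM. The script below is an added example, not from the article or from Wiz: it parses the output of `ss -ltnp` on a Linux VM and reports every listening service that is not in the operator's own baseline, which is how a provider-installed agent would surface. The sample `ss` output, the baseline and the process names and ports in it are constructed for illustration.

```python
"""Report listening services on a Linux VM that are not in the operator's baseline.

Added example (not part of the article or the Wiz research). Run `ss -ltnp`
on the VM and feed its output to unexpected_listeners(); anything it returns
is a service the operator did not knowingly deploy.
"""
import re
from dataclasses import dataclass

# Constructed sample shaped like `ss -ltnp` output; the agent name and ports
# are illustrative, not a claim about any particular provider's VM image.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5985       0.0.0.0:*          users:(("omiserver",pid=1402,fd=7))
LISTEN  0       4096    0.0.0.0:5986         0.0.0.0:*          users:(("omiserver",pid=1402,fd=8))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=990,fd=6))
"""

# Constructed baseline: (process name, port) pairs the operator deployed on purpose.
BASELINE = {("sshd", 22), ("nginx", 443)}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# One LISTEN row: state, queues, local addr:port, peer addr:port, users:(("name",pid=N,...
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Listener:
    process: str
    pid: int
    address: str
    port: int
    exposed: bool  # True when bound to something other than loopback


def parse_ss(ss_text: str) -> list[Listener]:
    """Parse `ss -ltnp` lines into Listener records; non-matching lines are skipped."""
    listeners = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        address, port = m.group("local").rsplit(":", 1)
        listeners.append(Listener(
            process=m.group("proc"),
            pid=int(m.group("pid")),
            address=address,
            port=int(port),
            exposed=address not in LOOPBACK,
        ))
    return listeners


def unexpected_listeners(ss_text: str, baseline: set[tuple[str, int]]) -> list[Listener]:
    """Return listeners whose (process, port) pair is not in the operator's baseline."""
    return [l for l in parse_ss(ss_text) if (l.process, l.port) not in baseline]


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_SS_OUTPUT, BASELINE):
        where = "network-exposed" if l.exposed else "loopback only"
        print(f"not in baseline: {l.process} (pid {l.pid}) on {l.address}:{l.port} [{where}]")
```

Listeners bound to a non-loopback address deserve the first look, since those are the ones reachable from outside the VM if the network security group allows it; a loopback-only agent still matters for patching, but it is not remotely reachable on its own.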

Also at the RSA conference, Trend Micro released the results of a survey indicating that most companies and organizations do not understand what their attack surfaces are. Overall, 73% of the 6,297 enterprise IT and technology decision makers surveyed said they were concerned about the growth of their attack surface, and only 51% could fully define it. Around a third said their security infrastructure was complex and constantly evolving, while 43% admitted their attack surface was “rapidly getting out of control.”

Cloud environments are considered the most opaque, and given that most providers, as we have just seen, silently install middleware in them, that conclusion is easy to reach. The study also offers several reasons why visibility has not improved: opaque supply chains, shadow IT services, remote employees and constant technical changes in suppliers’ products, among other causes.

Request for more public-private collaboration

In another vein, a coalition of online advocacy groups and private companies in the sector is calling for “more public-private collaboration to improve the nation’s cybersecurity readiness”. The petitioners acknowledge that the Biden Administration has taken steps to strengthen public-private cooperation, but say it has not done enough in this regard.

The signatories of the petition also say that they “actively seek to engage U.S. government partners in ideas and initiatives to strengthen national cyber resilience”. To that end they have made five proposals. The first is to broaden the scope of the Joint Cyber Defense Collaborative (JCDC), which the petitioners say they will achieve by working with the JCDC and with the Cybersecurity and Infrastructure Security Agency (CISA).

The second is to develop a shared understanding of threats by supporting the “tools, technology, incentives, business processes and legal frameworks” needed to do so. The third is to improve contingency planning by identifying the five most significant contingencies that could pose a risk to national security and developing proactive response plans for them.

The fourth is to improve legal frameworks by identifying laws and regulations that impede progress. Finally, the fifth is to improve teamwork by creating opportunities for long-term exchanges between government and private sector cybersecurity professionals. The signatories seem to be in luck: leaders of CISA and the NSA, as well as National Cyber Director Chris Inglis in his presentation at the RSA conference, mentioned the collaboration between both sectors on online security.

New multi-factor and multi-layer authentication system

Meanwhile, the single sign-on provider Xage announced at the RSA conference a new multi-layer, multi-factor authentication (MFA) system, which is also distributed and designed to withstand MFA prompt bombing such as the attack that allowed the Lapsus$ group to access Okta earlier this year.

MFA bombing is not a sophisticated hacking technique: it aims to overcome a site’s defences by repeatedly trying to sign in to an account that has multi-factor authentication enabled. While the victim receives a barrage of verification requests, the attacker calmly waits for the victim to accidentally tap the button or option that approves the sign-in. With just such a simple mistake, the attacker is free to do whatever they want with everything the victim’s account can access.

Xage’s solution is, for all intents and purposes, a hybrid of MFA and network segmentation. In its words, “users reconfirm their identity, and are then granted access to each layer of privilege, allowing independent user verification at the level of an entire operation, website, or even a single asset”.

The drawback is that although requiring a different type of MFA at each control, as this new system does, adds a layer of security, it is not known whether users will adapt to the worse user experience of performing a different form of MFA for each granular access request.
