Sekhar Sarukkai – McAfee Blogs (https://www.mcafee.com/blogs)

Source Code Leak – What We Learned and How You Can Protect Your IP
https://www.mcafee.com/blogs/enterprise/cloud-security/source-code-leak-what-we-learned-and-how-you-can-protect-your-ip/
Fri, 31 Jul 2020 16:05:48 +0000

This week we learned about a leak of source code from 50 prominent companies, posted by a Swiss IT consultant. This comes after another recent leak of source code from Nintendo, prompting us to comment on the issue of IP protection and secure development pipelines.

The latest leak appears to stem primarily from a misconfiguration of SonarQube, an open-source tool for static code analysis, which allows developers to audit their code for bugs and vulnerabilities prior to deployment.  

Our own assessment found that SonarQube communicates on port 9000; at the breached companies this port was likely misconfigured to be open to the internet, allowing researchers to gain access and discover the data now exposed in the leak.

A search for SonarQube on the popular IoT search engine Shodan allows anyone to discover ports used by common software such as this. With this information so easily available, ports unintentionally left open can introduce a wide swath of intrusion attempts.  

Several of the source code repositories also contained hard-coded credentials, which open the door to accessing other resources and expansion of the breach. It is a best practice to never commit code with hard-coded/plaintext credentials to your repositories.   

How You Can Protect Your IP  

Mistakes like misconfiguration and accidental credential exposure will happen in the development process, which is where InfoSec teams need to step in. Auditing infrastructure code both prior to deployment and continuously in production is essential for companies practicing DevOps and CI/CD.  

Our solution to this problem is MVISION Cloud, the multi-cloud security platform for enterprises to protect their data, prevent threats, and maintain secure deployments for their cloud-native apps.  

Audit Cloud Accounts for Misconfiguration 

With MVISION Cloud InfoSec teams can monitor their company’s public cloud accounts, like AWS, Azure, or GCP, for configuration mistakes that may expose sensitive data. In the example below, MVISION Cloud discovered that a resource in AWS EC2 was configured with Unrestricted Access to ports other than 80/443, opening up potential breach scenarios like we saw with the source code leak.  

Scan Application Code for Vulnerabilities  

Companies with active container deployments should take this one step further, auditing not only for misconfigurations but also CVEs in their container images. In the example below, MVISION Cloud discovered that one container image contained 219 code vulnerabilities, many of which could be exploited in an attack.  

Scan Repositories for Hard-Coded Credentials and Secret Keys 

To mitigate the risk of credential or secret key exposure, within MVISION Cloud you can easily scan your repositories for specific data types and take multiple levels of action. Below we’ve set up a policy to scan Bitbucket and GitHub with our Data Loss Prevention (DLP) data identifiers for AWS Keys and Passwords. With Passwords, we are using keyword validation, meaning we will only trigger an incident if a keyword like pwd, p, or password is nearby. We’ve chosen the least disruptive action here – notifying the end user to remediate themselves; the option to delete the data is also available.
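As an added illustration (not MVISION Cloud's own logic and not code from the original post), here is a minimal repository scanner that applies the same two DLP identifiers described above: an AWS access key pattern, and a password check that only becomes a finding when a keyword such as pwd or password appears just before the literal. The sample file, the keyword list, the regexes and the redact step are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a file that might be committed to a repository;
# the key is AWS's documented example placeholder, not a real credential.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "Tr0ub4dor&3"
session_token = "abc123def456"
"""

# AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Any quoted literal of 8+ characters is a password candidate; on its own this
# is far too noisy, so it only becomes a finding with a keyword nearby.
QUOTED_LITERAL_RE = re.compile(r"""["']([^"']{8,})["']""")
PASSWORD_KEYWORDS = ("pwd", "passwd", "password")  # assumed keyword list

@dataclass
class Finding:
    line_no: int
    kind: str      # "aws_key" or "password"
    secret: str

def scan_source(text, keyword_window=40):
    """Return findings for AWS keys and keyword-validated passwords."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_key", m.group(0)))
        for m in QUOTED_LITERAL_RE.finditer(line):
            # Keyword validation: only the text just before the literal counts
            context = line[max(0, m.start() - keyword_window):m.start()].lower()
            if any(k in context for k in PASSWORD_KEYWORDS):
                findings.append(Finding(line_no, "password", m.group(1)))
    return findings

def redact(text, findings):
    """The 'delete the data' remediation: replace each secret in place."""
    for f in findings:
        text = text.replace(f.secret, "<REDACTED>")
    return text

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} -> {f.secret}")
```

The unkeyworded `session_token` literal is deliberately not reported, which is the trade-off keyword validation makes: fewer false positives at the cost of missing secrets stored under unusual names.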

The speed of DevOps is allowing companies to innovate quickly, but without security audits built into the pipeline, misconfigurations and vulnerable code can go unnoticed and expose data in a breach. We strongly encourage the movement from DevOps to DevSecOps, building this audit process into the standard practice of application development. 

For more on how MVISION Cloud can enable you to implement a DevSecOps practice, get in touch with us today.  

The post Source Code Leak – What We Learned and How You Can Protect Your IP appeared first on McAfee Blogs.

Working from Home in 2020: Threat Actors Target the Cloud
https://www.mcafee.com/blogs/enterprise/cloud-security/working-from-home-in-2020-threat-actors-target-the-cloud/
Mon, 22 Jun 2020 15:00:19 +0000

Like any enterprise, cybercrime focuses its resources where it can derive value, which is data. In the case of ransomware, data is held hostage for a direct monetary exchange, whereas many other data breaches seek to steal data and monetize it on dark web markets. These two methods are even starting to merge, with some cybercrime organizations now offering Data-Leaking-as-a-Service. For most of the history of cybercrime, resources and infrastructure used to steal data targeted endpoint devices and network stores, using malware to land an attack, find data, and exfiltrate. That’s where the data was.   

Now, we have a dramatic shift of data moving to cloud service providers, held not within the confines of a customer’s managed network but instead a third party. The shift to working from home in early 2020 accelerated cloud use, just as it accelerated other trends like food delivery and telehealth. Read more about the increase in cloud use in our first post on this topic, here.  

With the acceleration of cloud adoption comes more data in the cloud and, in lockstep, threat actors shifting their attack resources to the cloud. Through the first months of 2020, as this shift occurred, we monitored attack attempts from external threat actors on our customers’ cloud accounts, which increased 630%:


In this chart, we’ve plotted all threats across 30 million cloud end users, along with the two primary categories of external threat events targeted at cloud accounts. They are: 

  • Excessive Usage from Anomalous Location. This begins with a login from a location that has not been previously detected and is anomalous to the user’s organization. The threat actor then initiates high-volume data access and/or privileged access activity.  
  • Suspicious Superhuman. This is a login attempt from more than one geographically distant location, impossible to travel to within a given period of time. We track this across multiple cloud services, for example, if a user attempts to log into Microsoft 365 in Singapore, then logs into Slack in California five minutes later.  
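
The Suspicious Superhuman check described in the second bullet, as an added example that is not McAfee's detection logic and not code from the original post: it orders one user's logins across services by time, computes the great-circle distance between consecutive locations, and alerts when the implied travel speed exceeds a threshold. The events, coordinates and the 1000 km/h threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Login:
    user: str
    service: str
    city: str
    lat: float
    lon: float
    at: datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_superhuman_logins(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous, current, implied_kmh) for each consecutive login pair
    of the same user, across all services, that implies impossible travel."""
    alerts = []
    last_seen = {}  # user -> most recent login, regardless of service
    for login in sorted(logins, key=lambda l: l.at):
        prev = last_seen.get(login.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = (login.at - prev.at).total_seconds() / 3600
            # Zero elapsed time with a real distance is treated as infinite speed
            kmh = float("inf") if hours == 0 and km > 0 else (km / hours if hours else 0.0)
            if kmh > max_kmh:
                alerts.append((prev, login, round(kmh)))
        last_seen[login.user] = login
    return alerts

T0 = datetime(2020, 3, 2, 9, 0)
SAMPLE_LOGINS = [  # constructed events, not real telemetry
    Login("alice", "Microsoft 365", "Singapore", 1.3521, 103.8198, T0),
    Login("alice", "Slack", "San Francisco", 37.7749, -122.4194, T0 + timedelta(minutes=5)),
    Login("bob", "Microsoft 365", "London", 51.5074, -0.1278, T0),
    Login("bob", "Slack", "Paris", 48.8566, 2.3522, T0 + timedelta(hours=3)),
]
```

Only alice's Singapore-to-California pair is flagged; bob's London-to-Paris pair three hours apart implies roughly 115 km/h and passes.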

The increase in threat events impacted some verticals more than others, with companies in Transportation/Logistics, Education, and Government agencies hit the hardest:  


Head over to the report below for more analysis on how specific verticals were targeted, where these attacks came from, and recommendations for how to protect your organization.  


The post Working from Home in 2020: Threat Actors Target the Cloud appeared first on McAfee Blogs.
