
Cloud Security Part II

Security in the Cloud is a three-part series about how to better protect your organization’s digital assets in the cloud. This is a continuation from part one of the series.

    Malware Defenses in the Cloud

    Malware defense is still an important consideration in cloud environments. Systems can still become infected with malware or be leveraged to spread malware. This is especially important if you are utilizing systems in the cloud as remote workstations.

    Your anti-malware should be centrally managed to enable ease of administration. This also gives you consolidated monitoring of the logs and alerts from the anti-malware application.

    Make sure that periodic updates and malware scans are enabled. Without regular updates or scanning, you will more than likely miss detecting current strains of malware and ransomware. If the anti-malware solution includes anti-exploit or CPU-level inspection, be sure to enable this as well.

    DNS logging is another important aspect of malware detection and prevention. By monitoring and filtering DNS traffic you can detect or prevent malicious activity associated with certain malware variants.

    You also want to enable command-line or PowerShell logging. When an attacker gains access to a system, one of the first things they interact with is the command line, or they start utilizing PowerShell. You’ll see activity like “ipconfig”, “netstat”, and other network discovery commands. Another good resource for understanding what commands an attacker might run is the LOLBAS site (Living Off The Land Binaries and Scripts (and also Libraries)) at: https://lolbas-project.github.io/.

    Limiting Network Protocol Ports and Services

    One of the best things you can do to secure a network or system is to limit network traffic to only what’s needed. This can be done by utilizing host-based firewalls or firewall appliances. Some anti-malware solutions also provide the capability to configure host-based firewalls.

    For example, if you have a web server, you might lock it down to ports 80 and 443. It’s not just the incoming port filtering that’s important, though; you also need to consider blocking outbound ports. Limiting outbound ports narrows the monitoring area you need to pay attention to and can make it a little more difficult for an attacker if they gain access to that system.

    Once you have your network protocols and ports locked down, you should run periodic scans to monitor for changes in ports and protocols and investigate any deviations from baseline.
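    The baseline comparison described above, as an added example that is not part of the original post: it parses `ss -tlnp` output (the sample here is constructed) from a hypothetical web server whose baseline allows only nginx on TCP 80 and 443, and reports every deviation an analyst should investigate.

```python
import re

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*          users:(("python3",pid=3120,fd=3))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=955,fd=20))
"""

# Hypothetical baseline for a web server: port -> process expected to own it.
BASELINE = {80: "nginx", 443: "nginx"}

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

def parse_listeners(ss_output):
    """Return a list of (local_addr, port, process) for each LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m["addr"], int(m["port"]), m["proc"]))
    return found

def find_deviations(listeners, baseline):
    """Compare listeners to the baseline and bucket every difference.
    unexpected:    listening port the baseline does not allow
    wrong_process: allowed port bound by a process other than the expected one
    missing:       allowed port with nothing listening (service down or firewalled)
    """
    report = {"unexpected": [], "wrong_process": [], "missing": []}
    seen_ports = set()
    for addr, port, proc in listeners:
        seen_ports.add(port)
        if port not in baseline:
            report["unexpected"].append((addr, port, proc))
        elif baseline[port] != proc:
            report["wrong_process"].append((addr, port, proc, baseline[port]))
    for port in sorted(set(baseline) - seen_ports):
        report["missing"].append(port)
    return report

if __name__ == "__main__":
    result = find_deviations(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
```

    Run it on a schedule with the real `ss -tlnp` output piped in and alert on any non-empty bucket; the loopback-only 3306 listener is still reported so the analyst decides whether it belongs in the baseline.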

    Geolocation blocking is another activity we recommend. A lot of next-generation firewalls have the ability to block countries based on location. If your systems only interact with clients in North America, limiting network traffic to North America only cuts out a lot of the noise and potential malicious activity from other parts of the world.

    Cloud Security Data Recovery Capabilities

    Backups are one of the activities we most often see overlooked when organizations move to the cloud. Moving to the cloud does not mean that your data is automatically being backed up or will be free from other threats.

    Backup considerations in the cloud include:

    • Ensure your data is backed up on a regular basis
    • Test your backups on a regular basis
    • Protect your backups by keeping them encrypted and offline when not in use

    Some cloud providers offer backup capability at an additional cost. This can be a good approach and aids recovery speed. Having the backups offline prevents an attacker from deleting the backups or encrypting them during a ransomware attack.

    Cloud Security Configurations

    When provisioning a new system or device in the cloud, the default configuration may not include all the security you need in your environment.

    Maintaining the appropriate policies, procedures, guidelines, and baselines helps ensure your organization correctly hardens and configures these new devices.

    Cloud providers offer secure images in some cases, but those might be too restrictive for your use case and require a custom configuration. This creates the potential for security misconfigurations, which opens the door for an attacker.

    Some considerations to keep in mind are:

    • Document all system and device configurations
    • Utilize multifactor authentication
    • Limit network and administrative access to connections from a secure network
    • Encrypt all network traffic
    • Keep operating systems and software applications updated

    Check back next week for part 3 of this three-part series.