Discovering the unknown unknowns
Why testing your cloud estate can help protect your business.
As security specialists, one of the things we fear is unknown unknowns. The risks we aren’t aware of, so can’t mitigate against.
But helping multinational organisations discover those risks is my job.
Digital transformation is something many organisations are undertaking. Not every transformation goes perfectly – defining cloud policies and architecture is hard, estates are complicated and murky, and resistance is common. How do you know if your transformation is on track?
Exploration and discovery
My team of ethical hackers use exploration, policy review, and testing to help global organisations understand what the bad guys might be able to see.
For example, recently we were asked to do a bit of asset discovery and cloud exploration. Lifting systems and services into the cloud is complicated and the customer was worried that a policy misconfiguration might bleed private data onto the open internet. Using reconnaissance and information gathering – effectively the first stage of an attack – we investigated what we could find on the open internet.
The customer had shared a list of what they expected us to find – the assets and information they knew about. But within a few hours we discovered enough public information to be able to successfully phish or otherwise manipulate people into giving us access, effectively establishing a foothold, and raise privacy complaints due to private information bleed. From private contracts in a publicly viewable folder visible to anyone searching Google, to private notes and correspondence in internal document repositories that had been misconfigured.
And when we started looking at the new applications and testing the policies, we found application and service version numbers, names of key people involved in the project, and private folder systems accessible to anyone on the internet.
Honesty is the best policy
Ethical hacking is emotionally challenging for customers. Testing your own homework is hard, so we often need bring empathy to the table to have an honest and sensitive conversation with customers. In this example, they’d assumed the transformation was going well because policies were documented and in place and people were genuinely hard working and smart. Yet a few minor one button mistakes could have led to catastrophic problems.
Why you should regularly review your estate
Digital transformation and moving to the cloud can be difficult for customers but exciting for hackers. The major providers – Amazon and Microsoft for example – have a vested interest in maintaining security. Yet the complexities of enterprise requirements means the amount of configuration and policy creation is vast and difficult. It also changes fairly often as the providers enhance their capability, and each provider is different.
To ensure changes or policies don’t have undesired consequences, you need to continuously review your estate. Understand the assumptions your policies and architecture are making and then test those assumptions.
My team does that with customers, and then helps them put mitigation plans in place. Find out how secure your organisation is.