Q&A: 5 Cybersecurity Vulnerability Vectors Your Agency Shouldn’t Overlook

FEDTECH: What’s the second most overlooked security vector?

Sabaj: The second major overlooked security vector is cloud security. In the context of the federal government, FedRAMP certification goes above and beyond the security that the cloud providers are already providing, which is great. But once you’re in the cloud environment, there’s the whole shared security model. The cloud providers are responsible for the security of the cloud platforms, but once you have your own infrastructure within any of the cloud service providers, you’re responsible for the security of anything that you put in the cloud infrastructure. A lot of people still overlook that fact.

FEDTECH: How does zero trust work in a multicloud environment, where information could be stored in any number of places?

Sabaj: When you get into a multicloud and hybrid cloud environment, you may have data in Amazon Web Services, you may have it in Microsoft Azure, you may have it in Google Cloud Platform. You may be utilizing cloud services like Dropbox or Box. You could have a hybrid cloud where you’re doing virtualization in your own environment. You need a system that’s able to understand all of that and provide consistent security controls across a hybrid and multicloud environment, and not just rely on the information that the individual cloud providers are providing. Not that they don’t provide great information, but AWS isn’t going to monitor Azure for you, and vice versa.

DISCOVER: What security issues must be considered in a zero-trust environment?

From a cloud security perspective, the biggest thing that people can do is implement some type of security posture management tool. Just understanding and knowing your cloud footprint is the first step to securing your cloud, and you need to have a posture management tool to do that.

We have a cloud solution that we call CloudGuard Security Posture Management. It’s a multicloud, hybrid cloud solution that allows you to gain visibility and do security monitoring and automatic remediation of your entire cloud environment. It will go in and scan the cloud environment and do asset discovery, security best practices and continuous monitoring of that cloud environment for security concerns. It also tells you how your cloud environment is interconnected and it can show you blind spots that you have no visibility into.

FEDTECH: So, what’s No. 3?

Sabaj: The next overlooked security vector is the combination of open-source, supply chain and DevOps security. We’re no longer just developing applications, testing them, putting them into production, maintaining them and then updating them on a regular basis. Everything is continuous integration and continuous development, shift left, DevSecOps, DevOps, whatever industry terms you want to use. This introduces the Infrastructure as Code concept, entire applications and environments are spun up in seconds using formation scripts or templates that may be also bringing in third-party libraries and applications. That opens several different security vulnerabilities: insertion of malicious code or supply chain attacks and nonmalicious, poorly written code that may contains security vulnerabilities. Through automation and continuous development, insecure code can be automatically deployed in dozens to thousands of places.

From an open source/DevSecOps/supply chain issue perspective, you need to introduce security into your shift left or DevSecOps process. This comes in the form of Infrastructure as Code scanning. Most cloud environments are scripted and come from formation templates or Ansible scripts or whatever tools you’re using that are pulling information in from different sources and building your cloud environment automatically. It’s very easy to introduce security issues into those templates and then automatically spin up an insecure environment at the drop of a [hat].

You need security that is constantly monitoring your code development for best practices for including vulnerable third-party libraries into your code, for doing things like embedding encryption keys or authentication keys; once that code’s exposed, people can compromise authentication and throw your zero-trust tenets out the window. Just like the security posture management tool, these are continuous tools that are constantly running. You can catch these vulnerabilities as they happen, and it also makes your developers more security aware. It creates that same constant user awareness where, in this case, the user is a developer, not just an average end user.

LEARN MORE: Keep an eye on patched Log4j software for future vulnerabilities.

FEDTECH: I was taken aback by how many commercial IT products relied on Log4j. Was that a generally known fact before the vulnerability was discovered?

Sabaj: Log4j was used in literally millions of applications out there. Really, any Java application that was doing logging used Log4j. It wasn’t malicious; it was a library that was created many years ago that was maintained by a few individuals who did this in their spare time, unpaid. It brings up the issue of who’s ultimately responsible for the security of open source.

You had lots of commercial applications using Log4j. Many security vendors were using it. Check Point was using it, but we were using a different version than the vulnerable one. It wasn’t that we saw a specific issue with that version of Log4j, but we thought a different version was more secure and we were right. Again, it brings up the question of who's responsible at the end of the day for the security of all these commercial applications using open source. I would like to think the commercial operators should be doing their due diligence and not relying on a couple of really nice guys that maintained this code for free for many, many years.

We have an application security product called CloudGuard AppSec. It’s an artificial intelligence-based application security platform that mainly runs in the cloud but can also run in hybrid cloud. It was really the only solution that we know of that was able to detect Log4j before it was even known. Now, we didn’t detect it as Log4j, we detected it as a possible cross-site scripting attack, which essentially it was, but we were detecting Log4j before it was even known with this AI-powered solution.

FEDTECH: How about No. 4?

Sabaj: The fourth one is the Internet of Things, which is a huge issue. Most agencies have no idea what IoT devices are in their environment. IoT can range from things that power smart buildings to industrial controls and medical IoT, even simple things like printers and fax machines and digital assistants. Most people don’t know what those devices should be communicating with or what vulnerabilities may exist in those devices; they’re almost impossible to update and patch. You need to be able to virtually patch those IoT devices because they are prime targets for bot networks.

You need tools that will help you discover your IoT landscape and then use those tools to create basic access control policies. A human being isn’t going to be able to create a zero-trust policy around IoT devices. You need to be able to automate that. Check Point provides this functionality with our IoT Protect solution, both natively and through partnerships with IoT discovery providers. The identification of IoT is critical because you can’t create a zero-trust policy around things you don’t know.

FEDTECH: What is the final overlooked security vector?

Sabaj: The combination of advanced email phishing and social engineering is the last overlooked vector. Signature-based email security is still needed because it is the easiest way to catch known issues. With phishing campaigns lasting only a matter of hours or minutes, signature-based phishing protection is less effective. You really need a system that looks at the heuristics and uses artificial intelligence and machine learning to identify these types of attacks as they are happening. Then there is also the social engineering aspect of email. People are still the weakest link in any organization. It’s a lot easier to fool a person than it is to hack a computer system. You need to constantly train your employees through security awareness and interactive self-teaching security controls. Check Point Harmony Email & Collaboration can provide both best-in-industry security controls and security awareness training.

EXPLORE: How you can modernize your cyber resilience with today’s tape innovations.

FEDTECH: A lot of these are issues that people don’t even know that they need to think about; Log4j was just uncovered at the end of last year. How do you uncover unknowns?

Sabaj: Implementing zero trust obviously does not reduce the number of vulnerabilities that exist in the world, but it protects you against the impact of some of those vulnerabilities that you may not even know about yet. You’ll never be able to stop every single cyber incident on the planet, but a zero-trust architecture or zero-trust philosophy will minimize the impact when you do eventually have an issue.

The second biggest thing is knowing your environment. Whether it is in the cloud or whether it is your physical network, know what types of devices, applications and users are connecting into your environment. You cannot secure something that you do not know exists.

Then, it comes down to security awareness. Your end users are by far the weakest link in your organization. Unless you are a security or IT professional, you are more vulnerable to social engineering and being tricked into clicking on something malicious. It doesn’t mean the end users are unintelligent. It just means that they’re people who are far better at other things than cybersecurity.

Brought to you by: