DevOps people are the worst offenders
A new report has identified how supply chain security oversights compromise telco clouds and stop others adopting them. As cloud security specialist Lacework launched a new security efficacy testing tool, it revealed that multi-vendor supply chains are ‘scaling up’ the number of vulnerabilities in a telco network. To make matters worse, just as mobile operators are leaving more doors open, the cloud gives hackers better tools for finding and opening them.
The findings of the Lacework security study are that attackers are automating discovery software to find the minutest chinks in the armour of a telco’s cloud. Mistakes are then efficiently exploited: first they are instantly turned into misconfigurations that attackers use to compromise cloud identity, and that ‘door’ into the compromised cloud will be held ajar for ever unless it is discovered, according to James Condon, Director of Threat Research at Lacework. Rogue accounts are set up with ruthless efficiency and used by the parasites for reconnaissance and probing of S3 buckets (cloud object storage), as well as cryptojacking (hijacking compute to mine digital currency) and steganography (hiding messages inside other data).
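The attack chain Condon describes (a compromised identity, a freshly created rogue account, then S3 reconnaissance) leaves a recognisable trail in cloud audit logs. The following is an added detection example written for this article; it is not code from the Lacework report or its Cloud Hunter tool. It runs over a handful of constructed CloudTrail-style events (the user names, bucket name and timestamps are invented) and flags any IAM user that begins enumerating S3 buckets within a short window of being created.

```python
"""Detect a newly created IAM user that starts probing S3 shortly after creation.

Added example, not from the Lacework report. Events are constructed and only
loosely shaped like AWS CloudTrail records (eventTime, eventName,
userIdentity.userName, requestParameters).
"""
from datetime import datetime, timedelta

# Constructed sample events: a CI principal creates a new user and a key for it,
# the new user immediately lists buckets and reads a bucket ACL, and an
# unrelated long-standing user lists buckets an hour later.
SAMPLE_EVENTS = [
    {"eventTime": "2023-01-10T10:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2023-01-10T10:00:30Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2023-01-10T10:04:00Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "svc-backup"},
     "requestParameters": None},
    {"eventTime": "2023-01-10T10:05:00Z", "eventName": "GetBucketAcl",
     "userIdentity": {"userName": "svc-backup"},
     "requestParameters": {"bucketName": "telco-billing-exports"}},
    {"eventTime": "2023-01-10T11:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "alice"},
     "requestParameters": None},
]

# S3 API calls that characterise reconnaissance rather than normal data access.
RECON_CALLS = {"ListBuckets", "GetBucketAcl", "GetBucketPolicy",
               "ListObjects", "ListObjectsV2"}


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_rogue_recon(events, window: timedelta = timedelta(hours=24)):
    """Return findings for users created by some principal and then seen
    making S3 reconnaissance calls within `window` of their creation.

    Each finding records who created the account, the new account's name,
    the reconnaissance call, the bucket touched (if any) and the delay
    between creation and the call, so an analyst can pivot on the creator.
    """
    created = {}   # new user name -> (creator principal, creation time)
    findings = []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        when = parse_time(event["eventTime"])
        actor = event["userIdentity"].get("userName")
        name = event["eventName"]
        params = event.get("requestParameters") or {}

        if name == "CreateUser" and "userName" in params:
            created[params["userName"]] = (actor, when)
        elif name in RECON_CALLS and actor in created:
            creator, created_at = created[actor]
            if when - created_at <= window:
                findings.append({
                    "new_user": actor,
                    "created_by": creator,
                    "call": name,
                    "bucket": params.get("bucketName"),
                    "seconds_after_creation": (when - created_at).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for finding in find_rogue_recon(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on the creator as well as the new user: a legitimate CI principal that suddenly mints identities which go straight to bucket enumeration is the stronger signal, and it is the creator's credentials that most likely need rotating. In a real deployment the same logic would read from a CloudTrail export rather than the embedded list, and the window and call set would be tuned to the estate.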
Lacework aims to help telcos address this with its new open-source Cloud Hunter tool, which helps teams shut the stable doors quicker. By then it is too late for many. Lacework automates cloud security by analysing all the disparate data from a company’s AWS, Azure, GCP and Kubernetes systems and spotting the important security events. “Our research shows an increasingly more sophisticated attack landscape,” said Condon.
Eilon Elhadad, Senior Director of Supply Chain Security at Aqua Security, said supply chain security problems will block the broader adoption of telco clouds by creating compliance or risk issues. “Developing a security programme and a bridge between security teams, DevOps and developers and staying agile at the same time is not an easy task,” said Elhadad. Aqua Security launched its own ‘end-to-end’ software supply chain security offering in September. The system promises to protect across the entire software development lifecycle and helps organisations nip supply chain attacks on cloud native applications in the bud.
Companies should minimise the complexity of the process, choose as few security vendors as possible and build adoption programmes that will support it, said Elhadad. “We fully support the UK Government’s [recent] guidance to help organisations gain confidence and assurance that mitigations are in place for the many vulnerabilities associated with working with suppliers.”