Well How CAN I Harden My Cloud Server?
Last week I wrote about how long it takes hackers to find “secrets” that are left accidentally (hopefully) exposed in the cloud. The answer was scarily short – as little as two minutes.
This prompted one reader to ask, “Well, how should I harden my cloud server?” Here are some tips.
Most of the time you are not up against the NSA or the KGB, just some hacker breaking into servers hoping to find something interesting.
So what happens if they find a way in? Maybe they compromised Joe’s login because he thought Passw0rd was a good password and multi-factor authentication was a hassle. So, they start looking around. Many times there are config files with credentials or SSH keys just lying around because, after all, we are not that important a target. Many times it is as simple as that.
Here are some hardening tips:
- Everyone has to use multi-factor authentication. It is not optional and not just for admins. Also, strong passwords. Passw0rd does not cut it.
- Create security groups to restrict access. That config file I was talking about should be protected by access control rules.
- Don’t leave “secrets” like keys and passwords stored in plain text.
- Do not leave admin portals exposed to the Internet. See CISA’s Binding Operational Directive 23-02.
- Of course, keep all of your patches up to date, including application updates. Remember that hackers can weaponize patches in as little as a few hours.
- Encrypt data at rest as well as in motion. That way, if a hacker steals data they may not be able to read it.
- Implement intrusion detection solutions. They generate an alert if they see suspicious activities inside a system, even if it is by an authorized person.
- Implement regular backups. Make sure the backups are not accessible if the system is hacked. Also implement a disaster recovery program. And test it.
- Implement event logging and generate alerts when unexpected events occur.
- Perform regular vulnerability assessments and mitigate the issues found.
- Implement employee security training.
- Attempt to phish employees. Better they fall for your tests than the real thing.
- Implement the principle of “least privilege”. Give users the fewest permissions that still allow them to do what they need to do.
- Implement secure software development practices.
- Conduct regular security assessments.
- Leverage the security features available from your cloud service providers like Microsoft and Amazon.
- Consider using containers with their security features.
- Conduct security assessments of third-party providers. Third parties are often the source of breaches.
- Test your disaster recovery plan. Regularly.
- Create and test your cyber incident response program. Again, do this regularly.
- Finally, stay informed about what is going on with the hackers. Read this blog regularly, for example.
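As an added example (not from the post), here is a small Python audit for the situation described above: plaintext secrets in config files and keys that are not protected by access control rules. It uses Unix file permissions as the stand-in for access control; the secret patterns and the sample directory tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Illustrative (constructed) patterns for secrets that should never sit in plain text.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)(password|passwd|secret)\s*[=:]\s*\S+"),
}

def file_is_exposed(path):
    """True when the group or other users can read the file (no access control)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def scan_file(path):
    """Return the names of the secret patterns found in one file."""
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]

def find_plaintext_secrets(root):
    """Walk root; return sorted (relative path, pattern, exposed) triples. exposed=True
    is the post's problem case: a plaintext secret not protected by access control."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            for pattern in scan_file(path):
                findings.append((os.path.relpath(path, root), pattern, file_is_exposed(path)))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree: an exposed config file, a properly locked-down
    SSH key, and a harmless file. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="harden_demo_")
    samples = {
        "app.conf": ("db_password = Passw0rd\n", 0o644),
        ".ssh/id_rsa": ("-----BEGIN OPENSSH PRIVATE KEY-----\nAAAAB3NzaC1example\n", 0o600),
        "README": ("No credentials here.\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root
```

Run `find_plaintext_secrets("/etc")` or against an application directory to list which secret-bearing files are readable by users other than the owner; the exposed ones are the first to move into a secrets manager or lock down.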
These are just some ideas. If you need help implementing some of these items – or just don’t understand what they mean, please contact us.