Security Diaries #2
How are organisations supposed to monitor and secure their ever-increasing cloud environments? Zip files can be used to destroy data in a completely different directory than the one they were extracted into!? What is the purpose of digital signatures?
These are all statements or questions that you may have asked yourself, or that, having just read them, you now want answered. This week, I'll be answering them, and more!
Securing Cloud Environments
To those unaware, the cloud can be thought of as a pay-as-you-go datacentre that you rent and use for all your needs. There are no big commitments and no wasted money on massive GPUs you'll never use. You rent exactly what you want, when you want it, and configure it (almost) however you like.
As more and more companies move to the cloud to take advantage of low costs, high availability, and improved security, the systems they put there naturally still need protecting.
One of the most common categories of tool used to protect these environments is the CNAPP, AKA Cloud Native Application Protection Platform. It's quite a complex name for an all-inclusive set of tools that help you defend your cloud environments. There are two key components to a CNAPP, so let me explain each one briefly.
- Cloud Workload Protection Platform (CWPP) - These are scanners that inspect your compute resources such as Virtual Machines (VMs), containers, serverless workloads, etc. This has typically been done with a mixture of agent-based (installing an application inside your environment) and agentless (scanning the system from an outside perspective) scanners.
- Cloud Security Posture Management (CSPM) - With CWPP you can scan the specific compute resources running your code base, but you still need a way of monitoring your entire cloud account, as there are ample opportunities for misconfigurations to be exploited and your security posture undermined. Introducing CSPM, a tool that scans your cloud accounts for misconfigurations to ensure no vulnerabilities are present. Whilst CWPP takes an in-depth view of your compute workloads, CSPM takes a more holistic view of your cloud account.
Many tools also offer extra features alongside these two, including:
- Cloud Infrastructure Entitlement Management (CIEM) - A tool that helps manage access and permissions across cloud services.
- Infrastructure as Code (IaC) scanning - Scanning your IaC for misconfigurations and potential attack vectors.
- Pipeline scanning - Scanning pipelines that are being used to build and deploy applications for any vulnerabilities.
- Data Security Posture Management (DSPM) - Securing sensitive data in cloud environments by continuously monitoring and managing risks across structured and unstructured data sources.
- Kubernetes Security Posture Management (KSPM) - Specialised tool dedicated to handling security for Kubernetes clusters.
The list goes on and on as more and more CNAPP products compete against each other.
Some CNAPPs to look into include:
- Orca -> Uses a really interesting patented technology to do CWPP with mostly agentless scanning, using agent-based scanning only to carry out runtime checks.
- Wiz -> One of the most popular and arguably the best CNAPP products out there, recently acquired by Google; their incredibly clean UI and advanced functionality set them apart from other competitors.
If you're interested in learning more about CNAPPs, I would highly recommend Wiz's CNAPP 101 article, which includes plenty of detail on what CNAPPs are and how they work, with video explanations for each piece of functionality a CNAPP provides. It even includes a 12-minute demo of their product, which I would also recommend watching.

Don't trust Zip Files by default!
Something I came across at work was an interestingly named attack called Zip Slip. At first, I thought it didn't have much to it, but then I started thinking about what it could actually do.
Simply put, Zip Slip attacks use zip files whose entry names contain directory traversal sequences (such as ../) to amend a file on a target's system. When the archive is extracted, instead of the file landing in the intended location, it is written to a directory predetermined by the attacker. If a file already exists at that location, the original is overwritten and replaced with the newly extracted content.
At first, I thought this was kind of useless. Unless you firstly know that a file exists on a user's system, and secondly simply want to delete their information, this seemed more of an inconvenience to the user than anything.
But then I thought, what if the Zip Slip targeted a popular application that a user uses on a day-to-day basis? Maybe Outlook. Then it could amend one of the files executed by Outlook when it is opened, keeping the same functionality but adding some extra functionality that opens a backdoor for the attacker.
Suddenly this attack that seemed a bit useless turns into an incredibly useful tool.
Below is a really useful video on what Zip Slip is, and examples of it being used.
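A defender-side check for the extraction step described above, written as an added Go example (not code from the post): it builds a constructed archive in memory with traversal and absolute entry names, and lists which entries a safe extractor must refuse before writing anything to disk. It assumes Go 1.20 or newer for filepath.IsLocal and zip.ErrInsecurePath.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
)

// SafePath resolves an archive entry name under dest, refusing absolute names and
// names that climb out of dest with "..". A naive extractor skips this check and
// writes straight to filepath.Join(dest, name), which is exactly what Zip Slip abuses.
func SafePath(dest, name string) (string, error) {
	if !filepath.IsLocal(name) {
		return "", fmt.Errorf("zip slip: entry %q escapes %q", name, dest)
	}
	return filepath.Join(dest, name), nil
}

// EscapingEntries lists every entry an extractor must refuse, before anything touches
// the filesystem. Go can flag such names itself (zip.ErrInsecurePath when
// GODEBUG=zipinsecurepath=0); that error is ignored here in favour of our own check.
func EscapingEntries(archive []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := SafePath(dest, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// BuildArchive builds an in-memory zip from constructed sample entry names;
// the writer stores names verbatim, so "../" components survive into the archive.
func BuildArchive(names []string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		fw, _ := w.Create(n)
		fw.Write([]byte("sample content for " + n))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	bad, err := EscapingEntries(BuildArchive([]string{"docs/readme.txt", "../../outside.txt", "/abs/file.txt"}), "/tmp/extract")
	fmt.Println(bad, err) // [../../outside.txt /abs/file.txt] <nil>
}
```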
What are Digital Signatures?
Have you ever signed a contract using DocuSign? Have you wondered how they can verify that you are the one who signed it? Well, thanks to digital signatures, this is all possible.
Firstly, it's important to highlight a few key properties of digital signatures:
- Integrity - Digital signatures verify that the message originally sent has not been altered.
- Authentication - Ensures that the message you received really came from the user it claims to come from.
- Non-repudiation - The signer cannot later deny having signed, because only the holder of the private key could have produced the signature.
All of this is possible thanks to Asymmetric Encryption.
Let me break down the process:
- Let's imagine we have Alice and Bob communicating with each other, and that Alice is going to send Bob a message. In the background, this is what happens when the digital signature is created.
- A hashing algorithm is used to turn the message into a hash digest.
- The hash digest is then encrypted using Alice's private key. This makes up the Digital Signature.
- The message and Digital Signature are sent together.
- Bob receives the message and digital signature.
- Bob can use Alice's public key to decrypt the digital signature and retrieve the hash digest.
- Bob can then run the message Alice sent through the same hash function; if both hashes are the same, this proves integrity, authentication, and non-repudiation.
There's a really good video on this made by Professor Messer for the CompTIA Security+ Course.
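The Alice-and-Bob flow above, as an added Go example that is not from the post or from Professor Messer's material: Alice hashes the message with SHA-256 and signs the digest with her RSA private key, and Bob verifies with her public key. It also shows the two failure cases a verifier relies on, a tampered message and a signature made with someone else's key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message and signs the digest with the sender's private key
// (the "encrypt the hash digest with Alice's private key" step in the post).
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest over the received message and checks it against the
// signature using the sender's public key. It returns true only if the message is
// unaltered and the signature was produced by the matching private key.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	// Alice generates a key pair; Bob holds only the public half.
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("Transfer 100 to Bob") // constructed sample message
	sig, err := Sign(alice, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(&alice.PublicKey, msg, sig)) // true

	// Tampering in transit changes the digest, so the signature no longer matches.
	tampered := []byte("Transfer 999 to Bob")
	fmt.Println("tampered verifies:", Verify(&alice.PublicKey, tampered, sig)) // false

	// A signature from a different key fails too: Bob can tell it was not Alice.
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig2, _ := Sign(mallory, msg)
	fmt.Println("other key verifies:", Verify(&alice.PublicKey, msg, sig2)) // false
}
```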
Final Thoughts
If you've read through this entire article, thank you. Let me know if there is anything you want me to look at and explain, especially if you think it would help others out too.
Thanks for reading this edition of Security Diaries. My goal is to document the progress I make learning more about technology and cybersecurity, with the hope of inspiring others, informing others, and showing that I know what I claim to know.
Other resources:
- Trust Equation (Thanks Robin Friend)
