Let’s face it: nobody’s production environment is completely pristine and secure. Ideally, we try to embrace security as a cultural component or state of mind, and we create processes to cover our asse(t)s and hope that we don’t hobble our productivity in the process. Security Automation (SA) and Software-Defined Security (SDSec) are the new hotness, but what do those buzzwords mean to the people who have to translate a broad concept into a process that makes them more effective? To help us illustrate the practical application of these broad and somewhat abstract terms we’ll draw parallels with older and more established concepts. Within the IT and infrastructure management disciplines there exists the concept of Network Access Control, or NAC. One of NAC’s purposes is to validate that the connecting host complies with the company’s security policy before being admitted to the network. Translating that concept to the cloud, we’ll introduce the concept of Application Membership Control with CloudPassage Halo by automating the admission of workloads into a tightly-controlled application environment, but only if they’re compliant with your configuration policies.
We’re not going to rehash the minute details of CVE-2014-3566, otherwise known as POODLE. If you’ve found your way here, you’re likely looking for a method to reliably detect and remediate.
Background: POODLE affects the Secure Sockets Layer (SSL) protocol version 3. The danger is that an attacker who can manipulate network traffic and intercept packets from an SSLv3-encrypted datastream can potentially determine the repeated contents of the datastream (like a session key in a cookie).
As of Friday, Red Hat, Ubuntu, Amazon and other vendors have released updates to address the CVE-2014-6271 vulnerability, also known as “Shellshock”. This vulnerability allows remote attackers to execute arbitrary code on servers from a variety of vectors and affects a substantial number of servers running on the Internet. As of Friday, Sept 26th at 11:30am PDT, all CloudPassage production systems have been patched and are no longer susceptible to Shellshock.
A serious vulnerability, CVE-2014-6271, being variably referred to as Shellshock or Shellshocked, was just reported in the Bourne-Again Shell (bash) that affects most *NIX-based systems. Because the bash shell is so prevalent on *NIX systems, the vulnerability can be leveraged in many different ways to allow unauthorized access and modification of computers remotely. See the NIST vulnerability summary to learn more about this vulnerability and the systems it affects.
If you are a Halo user, you can quickly find out which of your servers have this vulnerability present using the newly-released Reports page in your Halo portal, or using the Halo API.
Using the Halo UI to find vulnerable servers
First, since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the snapshot page. Select all of your servers and click “Launch scan” from the Actions menu. Your scan should be completed within a few minutes.
Once you have run your scans, navigate to the Reports page.
Search by CVE Reference Number - From the Search Criteria selector on the top right, enter CVE-2014-6271, and click submit. You’ll get a list of servers that found that vulnerability on their latest software scan.
You can export these results as a PDF report or to a CSV file using the buttons on the top right of the search results. For more information about how to use the Reports page, please see our documentation.
Using the Halo API to find vulnerable servers
Again, since this is a recently-released vulnerability, you’ll want to run a fresh scan on your servers from the snapshot page, or run the script to launch new scans across all servers posted on GitHub.
Once your scans have completed, make this simple call:
Note: This call will only return active servers by default – to get servers in a different state like “deactivated”, specify the state (/v1/servers?state=deactivated&cve=CVE-2014-6271)
Your list of servers will be returned in JSON format. If you’d prefer the list of servers in CSV format, simply append .csv to “servers”:
For more information about what filters are available for the servers endpoint, please see our API Documentation. If you have used the script on GitHub to find vulnerable CVEs on your servers, you can still use that as well.
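The API lookup described above, as an added example that is not part of the original post or CloudPassage’s own tooling. It builds the `/v1/servers` query with the `cve` and `state` filters and the `.csv` variant the post mentions, and parses the JSON result; the base URL, Bearer-token authentication and the `{"servers": [{"hostname": ...}]}` response shape are assumptions, and the sample response is constructed so the parsing runs offline.

```python
import json
import os
import urllib.request
from urllib.parse import urlencode

# Assumed: Halo API base URL and a pre-obtained bearer token supplied by the
# operator; the post does not show the token flow, so this is an assumption.
HALO_API_BASE = os.environ.get("HALO_API_BASE", "https://api.cloudpassage.com")
SHELLSHOCK_CVE = "CVE-2014-6271"


def build_servers_query(cve, state=None, as_csv=False):
    """Build the /v1/servers path the post describes: filter by CVE, optionally
    by server state, and optionally ask for CSV by appending .csv to 'servers'."""
    path = "/v1/servers.csv" if as_csv else "/v1/servers"
    params = {}
    if state:
        params["state"] = state  # e.g. "deactivated"; active is the default
    params["cve"] = cve
    return path + "?" + urlencode(params)


def vulnerable_hostnames(payload):
    """Extract hostnames from the JSON body. Response shape assumed:
    {"servers": [{"hostname": ..., "state": ...}, ...]}; entries lacking a hostname are skipped."""
    try:
        data = json.loads(payload)
    except ValueError as exc:
        raise ValueError("Halo API returned a non-JSON body") from exc
    servers = data.get("servers", [])
    return sorted(s["hostname"] for s in servers if "hostname" in s)


def fetch_vulnerable_servers(token, cve=SHELLSHOCK_CVE, state=None):
    """Call the API (Bearer auth assumed) and return the affected hostnames."""
    url = HALO_API_BASE + build_servers_query(cve, state)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return vulnerable_hostnames(resp.read().decode("utf-8"))


# Constructed sample response so the parsing can be exercised offline.
SAMPLE_RESPONSE = json.dumps({"count": 3, "servers": [
    {"id": "srv-2", "hostname": "web-02.example.test", "state": "active"},
    {"id": "srv-1", "hostname": "web-01.example.test", "state": "active"},
    {"id": "srv-3", "state": "active"},
]})
```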
Today’s public cloud infrastructure is built on elasticity as a core value proposition, which brings the incredible benefit of being dynamic. However, failure is inevitable, occurs regularly, and often in unpredictable ways. To use a clichéd saying, the computing forecast for tomorrow is “cloudy with a chance of failure.”
In the face of such inevitable and unpredictable failure, how can you write a reliable program that provides the high level of availability your users want?
The good news is that the cloud service providers have done a very good job at providing a framework that enables us to design around such failures and create highly available and resilient applications in the cloud.
Obviously, we still have to design and write our programs to make use of it all.
In this blog, we will look at two things: how we made our Halo event connector highly available, and the techniques we have used to achieve the high throughput that lets the connector handle the volumes of events generated by large customer deployments.
Unlike traditional servers, cloud servers are pretty susceptible to outside attack if the right preparations are not made. The art of Feng Shui looks at ways to harmonize existence with the surrounding environment. In many ways this ancient art can be applied to cloud servers, harmonizing the workloads for their cloud environment through secure configurations.
Starting a cloud server workload without proper configuration is like putting out a beacon alerting hackers to an easy mark. In fact, a CloudPassage study called The Gauntlet showed that even a novice hacker can compromise a poorly configured cloud server in a matter of hours.
There are five important considerations in providing the common guidance for configuration of cloud servers.
What a month with basketball, baseball, hockey and now the soccer world-cup. Through all of these exciting games we are shown that team responsibility is a shared effort toward a singular goal. Teams come in all shapes and sizes. Whether you have a team great enough to make the play-offs or a team that is still under development, working together and balancing responsibilities is key for success. Everyone has an important role on a team. With the advent of cloud services, IT now gets to join Team Cloud! Like other teams, they have shared responsibilities, especially when it comes to security.
In the big leagues, Amazon Web Services has been able to highly operationalize computing and provide many IaaS options for business. In my opinion, very few businesses could honestly say that they could provide these services better. In professional sports, team players can be egotistical, unpredictable, and downright humanly frustrating. On Team Cloud, partnering with leading IaaS providers is a lot less challenging and stressful. For some companies, adopting cloud services is actually more secure than continuing to provide these operations themselves. In fact, according to a recent survey conducted by Microsoft, 94% of businesses reported that they saw an improvement in security after switching to cloud computing.
Businesses face a massive amount of pressure to stay competitive in their markets. Stakeholders, both internal policy-makers and external consumers demand speed, reliability, and convenience. Will SaaS save the day?
Consumers have become accustomed to personalized real-time engagements with businesses. Competitors are looking at ways to provide better availability, cost savings, innovations, greater efficiencies and an ability to scale as they grow. What are the biggest factors fueling this agility? Cloud adoption and SaaS offerings. In today’s market, operating without considering the cloud carries significant disadvantages.
As businesses adapt to the changing landscape, they find themselves looking for ways to transform their products and services to fit their consumers’ and end-users’ expectations. Consumers embody a certain type of stubbornness, demanding to have it ‘their way,’ which pushes businesses away from traditional infrastructures and premises-based applications and security. They are moving quickly into the cloud and developing or utilizing more SaaS applications so that they can adapt and create the end-user experience in a timely manner that will work for the demands of their individualized business.
Do you like perusing around on eBay while listening to your playlist on Spotify? Both services were recently compromised and are requesting users to change passwords and update mobile applications. It seems like these announcements are popping up more frequently than ever. It does remind me of a digital version of whack-a-mole, where the last defense against the pesky re-appearing varmints is to reset passwords and applications for consumers. But how can organizations reduce the unforeseen or unprotected paths to compromise, especially when cloud services are involved and are scaling daily to adjust to the consumer demand?
We’re thrilled to announce that CloudPassage Halo, our security solution purpose-built for cloud environments, took home the 2014 Software & Information Industry Association (SIIA) CODiE Award for Best Security Solution!
This award recognizes CloudPassage Halo as the leading force in cloud security software. For that, we want to thank everyone — from the CODiE judges to our customers — for helping to make CloudPassage Halo what it is today.
The SIIA is the principal trade association of the software and digital content industries. Its annual CODiE Awards represent the consensus of industry experts, and are the only peer-recognized program in the content, education and software industries.