Firms Push for CVE-Like Cloud Bug System

Researchers propose fresh approaches to cloud-security bugs and mitigating exposure, impact and risk.

The 22-year-old Common Vulnerabilities and Exposures (CVE) system has big gaps: it does not address dangerous flaws in the cloud services that drive millions of apps and backend services. Too often, cloud providers needlessly expose customers to risk by not sharing the details of bugs discovered on their platforms. A CVE-like approach to cloud bug management is needed to help customers weigh exposure and impact and mitigate risk.

That is the opinion of a growing number of security firms pushing for better cloud vulnerability and risk management. They argue that the current model is broken because of the CVE identification rules, which assign CVE tracking numbers only to vulnerabilities that end users and network admins can directly manage.

MITRE, the non-profit organization behind the CVE system, does not designate CVE IDs for security issues deemed to be the responsibility of cloud providers. The assumption is that cloud providers own the problem, and that assigning CVEs to issues that are not customer-controlled or patched by admins falls outside the CVE system's purview.

[Editor’s Note: This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story]

“[It is a false] assumption that all issues can be resolved by the cloud provider and therefore do not need a tracking number,” wrote Scott Piper, a cloud-security researcher with Summit Route, in a recent blog. “This view is sometimes incorrect, and even when the issue can be resolved by the cloud provider, I still believe it warrants having a record.”

Piper’s critiques are part of his introduction to a curated list of dozens of documented instances of cloud-service provider mistakes that he says prove the point.

Over the past year, for example, Amazon Web Services snuffed out a host of cross-account vulnerabilities. As well, Microsoft recently patched two nasty Azure bugs (ChaosDB and OMIGOD). And, last year, Alphabet’s Google Cloud Platform tackled a number of bugs, including a policy-bypass flaw.

“As we uncover new types of vulnerabilities, we discover more and more issues that do not fit the current [MITRE CVE reporting] model,” wrote cloud researchers Alon Schindel and Shir Tamari with the cloud security firm Wiz, in a post. “Security industry call to action: we need a [centralized] cloud vulnerability database.”

The researchers acknowledged that cloud service providers do respond quickly to cloud bugs and work fast to mitigate issues. However, the process of identifying, tracking and helping those affected to assess risk needs streamlining.


An example: When researchers found a series of cross-account AWS vulnerabilities in August, Amazon moved quickly to mitigate the problem by changing AWS defaults and updating the user set-up guides. Next, AWS emailed affected customers and urged them to update any vulnerable configurations.

“The problem here is that [many] users weren’t aware of the vulnerable configuration and the response actions they should take. Either the email never made it to the right person, or it got lost in a sea of other issues,” Schindel and Tamari wrote.

In the context of cloud, affected users should be able to easily track a vulnerability and whether it has already been addressed in their organizations, as well as what cloud resources have already been scoped and fixed, the researchers said.

The CVE approach to cloud bugs also has the support of the Cloud Security Alliance (CSA), which counts Google, Microsoft and Oracle as executive members.

Cloud Bug CVE Approach: Shared Industry Goals

The efforts share many of the same goals, including:

  • Standardized notification channels to be used by all cloud service providers
  • Standardized bug or issue tracking
  • Severity scoring to help prioritize mitigation efforts
  • Transparency into the vulnerabilities and their detection
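To make the tracking gap concrete, here is an added example (not code from the article or from any of the firms it quotes) of what a minimal record in a CVE-like cloud vulnerability database could carry, and how an affected organization could use it. The `CLOUD-<year>-<sequence>` identifier scheme, the record fields, the sample entries and their dates and scores are all constructed for illustration; the records are deliberately generic and do not describe any real disclosed flaw. The point it shows is the one the Wiz researchers make: a record is useful even when the provider has already fixed its side, because the customer still needs to know whether any action remains on theirs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CloudVulnRecord:
    """One entry in a hypothetical CVE-like cloud vulnerability database (assumed schema)."""
    record_id: str                  # assumed scheme: CLOUD-<year>-<4-digit sequence>
    provider: str                   # e.g. "aws", "azure", "gcp"
    service: str                    # provider service the flaw affects
    summary: str                    # constructed, generic description
    severity: float                 # CVSS-style 0.0-10.0 base score (assumed)
    disclosed: date                 # constructed date
    provider_fixed: bool            # provider-side mitigation complete?
    customer_action: Optional[str]  # what customers must still do, or None


def next_record_id(existing: Iterable[str], year: int) -> str:
    """Assign the next sequential identifier for a year (fast to assign, no central lookup)."""
    prefix = f"CLOUD-{year}-"
    highest = 0
    for rid in existing:
        if rid.startswith(prefix):
            highest = max(highest, int(rid[len(prefix):]))
    return f"{prefix}{highest + 1:04d}"


# Constructed sample records; none corresponds to a real disclosed vulnerability.
SAMPLE_RECORDS: List[CloudVulnRecord] = [
    CloudVulnRecord("CLOUD-2021-0001", "aws", "iam",
                    "Default setting allowed broader cross-account access than intended; "
                    "provider changed the default for new resources.",
                    7.5, date(2021, 8, 1), True,
                    "Review resources created before the default change and tighten them."),
    CloudVulnRecord("CLOUD-2021-0002", "azure", "database",
                    "Provider-side flaw in a managed database control plane, fully remediated by the provider.",
                    9.8, date(2021, 8, 15), True, None),
    CloudVulnRecord("CLOUD-2021-0003", "aws", "storage",
                    "Misleading setup guidance led customers to grant third parties overly broad access.",
                    8.5, date(2021, 9, 1), True,
                    "Audit third-party access policies and remove unneeded grants."),
]


def needs_customer_action(records: Iterable[CloudVulnRecord],
                          inventory: Set[Tuple[str, str]]) -> List[CloudVulnRecord]:
    """Records that touch a (provider, service) the organization uses AND still
    require customer-side work, highest severity first. This is the triage list
    an affected user should be able to derive from a public tracking system."""
    hits = [r for r in records
            if (r.provider, r.service) in inventory and r.customer_action is not None]
    return sorted(hits, key=lambda r: r.severity, reverse=True)


def provider_only(records: Iterable[CloudVulnRecord]) -> List[str]:
    """Identifiers of records fully resolved by the provider with no customer step.
    They still merit a record so customers can confirm exposure and close the ticket."""
    return [r.record_id for r in records if r.provider_fixed and r.customer_action is None]


if __name__ == "__main__":
    my_inventory = {("aws", "iam"), ("aws", "storage"), ("azure", "database")}
    for r in needs_customer_action(SAMPLE_RECORDS, my_inventory):
        print(f"{r.record_id} [{r.severity}] {r.provider}/{r.service}: {r.customer_action}")
    print("provider-only:", provider_only(SAMPLE_RECORDS))
    print("next id:", next_record_id([r.record_id for r in SAMPLE_RECORDS], 2021))
```

The `inventory` set stands in for whatever asset inventory the organization keeps; matching on (provider, service) is what makes the list actionable, which is exactly what a mass e-mail from the provider cannot do.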

In August, Brian Martin, on his blog Curmudgeonly Ways, pointed out that MITRE’s history covering cloud vulnerabilities is mixed.

“At times, some of the CVE (editorial) Board has advocated for CVEs to expand to cover cloud vulnerabilities, while others argue against it. At least one who advocated for CVE coverage said they should get CVE IDs, [with] others that supported and disagreed with the idea saying that if cloud was covered, [those bugs] should get their own ID scheme,” he wrote.

Martin also pointed out that even if a CVE-like system were created, the question remains: Who will run it?

“The only thing worse than such a project not getting off the ground is one that does, becomes an essential part of security programs, and then goes away,” he said.

In July, under the auspices of CSA, the Global Security Database Working Group was chartered to go one step further than the idea of expanding CVE tracking. Its goal is to offer an alternative to CVEs and what the group called a one-size-fits-all approach to vulnerability identification. The working group believes the “on-demand” nature and continued growth of IT infrastructures brought on by cloud migration necessitate a corresponding maturity in cybersecurity.

“What we see is a need to figure out how to create identifiers for vulnerabilities in software, services and other IT infrastructure that is proportional to the amount of technology in existence,” said Jim Reavis, cofounder and chief executive officer of CSA, when introducing the working group. “The common design goal is for vulnerability identifiers to be easily discovered, fast to assign, updatable and publicly available” – not just in the cloud, but across IT infrastructure.

