Data Manipulation: The Next Level of Cyberattacks
…properly configured.
In 2017, Twistlock released a joint study with Docker that found 60 percent of registries were not properly configured and enabled anonymous write access.
“In such cases, an attacker can manipulate the image in the registry so that once it is deployed it gives the attacker access to the server itself and other internal resources as well,” explained Dima Stopel, founder and vice president of research and development at Twistlock. “Protection from such scenarios requires a two-step approach. First registries should be properly configured to disable anonymous access. This is a compliance issue. Second image integrity should be validated between the point where the image was just created (CI) and the point it is deployed in production environment.”
Look to NIST for specific guidance. “U.S. National Institute of Standards and Technology (NIST) Special Publication 800-53 includes the following controls that address integrity and may be directly reflected within software implementations,” says Jonathan Cran, head of research at Kenna Security.
- Tamper resistance and detection (SA-18)
- Transmission confidentiality and integrity (SC-8)
- Protection of information at rest (SC-28)
- Software, firmware and information integrity (SI-7)
- Information input validation (SI-10)
- Memory protection (SI-16)
Use tools in tight combinations. “From a tooling perspective, there are tools available to facilitate the creation of threat models,” says Tim Mackey, senior technical evangelist at Black Duck by Synopsys. “Static code analysis and fuzzing tools are readily available to validate threat vectors like SQL injection. Interactive analysis tools facilitate identification of privilege escalation scenarios, and log analysis services can detect malicious traffic patterns. When coupled with network protection tools like stateful web application firewalls and intrusion detection systems, visibility into the overall security of the application can be gained, monitored and managed.”
Use hashing. “Hashing is the main mechanism to ensure data has not changed,” says Alan Rynarzewski Jr, MIS, a faculty member at Purdue University Global and course lead for IT and cybersecurity. “We currently use hashing when downloading files form the internet. You can download the file and run the hashing algorithm against it. The hexadecimal value you get should match the value of where you downloaded it from. The data has been altered if the values do not match.”
“We can take that same technology and implement it on our files. Encrypt your file and hash it. The hash should not change. If it does, then someone has modified the file.”