All Those Cybersecurity Controls are Important
I’m a long-time cybersecurity professional, deeply familiar with the requirements of many cybersecurity frameworks and the risks of ignoring them. Even still, I find myself disregarding some security controls just because… well, being lazy I guess.
I find myself spinning up compute instances in any number of cloud service provider architectures. Yes, I do apply a number of security controls right away, including firewall settings and service lockdowns. I have scripts for these purposes, and they do a good job.
When doing a vulnerability assessment against many of these, I tend to ignore the ‘mount’ findings for Linux instances. You know, /var should be on its own partition, so should /tmp, and if /tmp is on its own partition, mount it so that files on it cannot be executed (noexec), etc. Yes, this is where it starts to get interesting…
I was engaged by a client to resolve some issues relating to their self-hosted WordPress instance in a cloud service provider. Yes, they’d been compromised through unverified/unreliable plugins that were causing havoc and chaos. Their WordPress instance had been set up, some time in the past, by someone else. No, no security controls had been applied, nor was it patched and/or updated.
So, after scrubbing the WordPress files and plugins, it looked like everything should be back to working right. But there was a process that kept starting and consuming all available processing cycles. After tracking it down, guess where it was? Yes, right there in /tmp, being dropped remotely and executing. It ended up being a Trojan launching a miner. Some more cleaning and installation of a reputable WordPress security plugin took care of the issue.
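The two checks this story turns on, whether /tmp and /var are separate filesystems mounted with noexec/nosuid/nodev, and whether anything is currently executing out of /tmp, are easy to script. The following is an added example, not one of the author's own scripts. It audits mount tables in /proc/mounts format (the three sample tables are constructed for the demonstration) and, when run with `--live`, audits the real /proc/mounts and lists running processes whose executable resolves under /tmp:

```shell
#!/bin/sh
# Added example (not the post author's code): audit the /tmp and /var mount
# controls described in the post and look for processes executing from /tmp.

# Constructed sample mount tables in /proc/mounts format:
#   device mountpoint fstype options dump pass
MOUNTS_FLAT='/dev/sda1 / ext4 rw,relatime 0 0'

MOUNTS_PARTIAL='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

MOUNTS_HARDENED='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts MOUNTS MOUNTPOINT -> prints the option field for MOUNTPOINT;
# exits 1 if MOUNTPOINT is not a mount point of its own.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_opt MOUNTS MOUNTPOINT OPTION -> exit 0 if OPTION is set on that mount.
has_opt() {
    ho_opts=$(mount_opts "$1" "$2") || return 1
    printf '%s\n' "$ho_opts" | tr ',' '\n' | grep -qx "$3"
}

# audit_mounts MOUNTS -> prints one FAIL line per missing control;
# exits 0 only when every control is present.
audit_mounts() {
    am_findings=0
    for am_mp in /tmp /var; do
        if ! mount_opts "$1" "$am_mp" >/dev/null; then
            echo "FAIL: $am_mp is not a separate filesystem"
            am_findings=$((am_findings + 1))
        fi
    done
    # The execution ban only makes sense once /tmp is its own mount.
    if mount_opts "$1" /tmp >/dev/null; then
        for am_opt in noexec nosuid nodev; do
            if ! has_opt "$1" /tmp "$am_opt"; then
                echo "FAIL: /tmp lacks $am_opt"
                am_findings=$((am_findings + 1))
            fi
        done
    fi
    [ "$am_findings" -eq 0 ]
}

# exe_under PATH DIR -> exit 0 if PATH is DIR or lies beneath it.
exe_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_procs -> WARN line for every live process whose binary resolves
# under /tmp (the pattern the post's miner followed). Needs /proc.
scan_procs() {
    for sp_exe in /proc/[0-9]*/exe; do
        sp_target=$(readlink "$sp_exe" 2>/dev/null) || continue
        # A deleted-on-disk binary still shows its original path with a suffix.
        if exe_under "${sp_target% (deleted)}" /tmp; then
            sp_pid=${sp_exe#/proc/}
            echo "WARN: pid ${sp_pid%/exe} is running $sp_target"
        fi
    done
}

# Usage: sh audit_tmp.sh --live   (audits the running host)
if [ "${1:-}" = "--live" ]; then
    audit_mounts "$(cat /proc/mounts)"
    scan_procs
fi
```

On the constructed tables, the flat layout fails both separation checks, the partial one passes separation but is flagged for the missing noexec on /tmp, and the hardened one passes cleanly. The process scan reads the `exe` symlink rather than the command line, since a miner dropped into /tmp can name itself anything it likes.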
This really hit home. While I knew, intellectually, that this was possible, I’d never really given such a thing its due credit. Yes, there are many security controls that, together, decrease the chance of compromise and minimize impacts. But neglect one, and that might be the door an adversary walks through. Yes, adding separate partitions to physical and virtual servers does take some extra time. That extra time, however, may mean the difference.