Cloud Security

You've probably seen the news: Oracle Cloud got popped, exposing 6 million records from over 140,000 tenants. The breach came to light after user "rose87168" dropped the loot on Breach Forums. The alleged attacker disclosed to Bleeping Computer that they used a known vulnerability to hit Oracle Cloud's SSO endpoint at login.<region>.oracle.com. Chances are, it was either CVE-2021-35587 or CVE-2022-21445. Both issues were discovered and reported by our very own Đức Nguyễn, together with Jang Nguyen, who's also joined our red team on many fun adventures. Duc found the bugs before he even joined the team. As Duc explained in his blog (link in comments), these are monster bugs, affecting a wide swath of Oracle products and companies. During their research, Jang and Duc even managed to pwn multiple systems under oracle.com, including the SSO endpoint at login.oracle.com (see the picture below). In 2023, we used the same vuln to compromise an Oracle BI instance buried deep inside a bank during a beautiful money heist simulation. Oracle products are notoriously complex, and Oracle is not exactly famous for fast patching. It took them more than six months to fix CVE-2021-35587 and CVE-2022-21445. Some deprecated product lines never got patches at all. As a result, many Oracle systems are left outdated and vulnerable. At this point, if you're running Oracle, it's probably safer to assume you're already breached, and plan your defense accordingly.

AI is not failing because of bad ideas; it’s "failing" at enterprise scale because of two big gaps: 👉 Workforce Preparation 👉 Data Security for AI While I speak globally on both topics in depth, today I want to educate us on what it takes to secure data for AI—because 70–82% of AI projects pause or get cancelled at POC/MVP stage (source: #Gartner, #MIT). Why? One of the biggest reasons is a lack of readiness at the data layer. So let’s make it simple - there are 7 phases to securing data for AI—and each phase has direct business risk if ignored. 🔹 Phase 1: Data Sourcing Security - Validating the origin, ownership, and licensing rights of all ingested data. Why It Matters: You can’t build scalable AI with data you don’t own or can’t trace. 🔹 Phase 2: Data Infrastructure Security - Ensuring data warehouses, lakes, and pipelines that support your AI models are hardened and access-controlled. Why It Matters: Unsecured data environments are easy targets for bad actors making you exposed to data breaches, IP theft, and model poisoning. 🔹 Phase 3: Data In-Transit Security - Protecting data as it moves across internal or external systems, especially between cloud, APIs, and vendors. Why It Matters: Intercepted training data = compromised models. Think of it as shipping cash across town in an armored truck—or on a bicycle—your choice. 🔹 Phase 4: API Security for Foundational Models - Safeguarding the APIs you use to connect with LLMs and third-party GenAI platforms (OpenAI, Anthropic, etc.). Why It Matters: Unmonitored API calls can leak sensitive data into public models or expose internal IP. This isn’t just tech debt. It’s reputational and regulatory risk. 🔹 Phase 5: Foundational Model Protection - Defending your proprietary models and fine-tunes from external inference, theft, or malicious querying. Why It Matters: Prompt injection attacks are real. And your enterprise-trained model? It’s a business asset. You lock your office at night—do the same with your models. 🔹 Phase 6: Incident Response for AI Data Breaches - Having predefined protocols for breaches, hallucinations, or AI-generated harm—who’s notified, who investigates, how damage is mitigated. Why It Matters: AI-related incidents are happening. Legal needs response plans. Cyber needs escalation tiers. 🔹 Phase 7: CI/CD for Models (with Security Hooks) - Continuous integration and delivery pipelines for models, embedded with testing, governance, and version-control protocols. Why It Matter: Shipping models like software means risk comes faster—and so must detection. Governance must be baked into every deployment sprint. Want your AI strategy to succeed past MVP? Focus and lock down the data. #AI #DataSecurity #AILeadership #Cybersecurity #FutureOfWork #ResponsibleAI #SolRashidi #Data #Leadership

Using unverified container images, over-permissioning service accounts, postponing network policy implementation, skipping regular image scans and running everything on default namespaces…. What do all these have in common ? Bad cybersecurity practices! It’s best to always do this instead; 1. Only use verified images, and scan them for vulnerabilities before deploying them in a Kubernetes cluster. 2. Assign the least amount of privilege required. Use tools like Open Policy Agent (OPA) and Kubernetes' native RBAC policies to define and enforce strict access controls. Avoid using the cluster-admin role unless absolutely necessary. 3. Network Policies should be implemented from the start to limit which pods can communicate with one another. This can prevent unauthorized access and reduce the impact of a potential breach. 4. Automate regular image scanning using tools integrated into the CI/CD pipeline to ensure that images are always up-to-date and free of known vulnerabilities before being deployed. 5. Always organize workloads into namespaces based on their function, environment (e.g., dev, staging, production), or team ownership. This helps in managing resources, applying security policies, and isolating workloads effectively. PS: If necessary, you can ask me in the comment section specific questions on why these bad practices are a problem. #cybersecurity #informationsecurity #softwareengineering

🚨NSA Releases Guidance on Hybrid and Multi-Cloud Environments🚨 The National Security Agency (NSA) recently published an important Cybersecurity Information Sheet (CSI): "Account for Complexities Introduced by Hybrid Cloud and Multi-Cloud Environments." As organizations increasingly adopt hybrid and multi-cloud strategies to enhance flexibility and scalability, understanding the complexities of these environments is crucial for securing digital assets. This CSI provides a comprehensive overview of the unique challenges presented by hybrid and multi-cloud setups. Key Insights Include: 🛠️ Operational Complexities: Addressing the knowledge and skill gaps that arise from managing diverse cloud environments and the potential for security gaps due to operational siloes. 🔗 Network Protections: Implementing Zero Trust principles to minimize data flows and secure communications across cloud environments. 🔑 Identity and Access Management (IAM): Ensuring robust identity management and access control across cloud platforms, adhering to the principle of least privilege. 📊 Logging and Monitoring: Centralizing log management for improved visibility and threat detection across hybrid and multi-cloud infrastructures. 🚑 Disaster Recovery: Utilizing multi-cloud strategies to ensure redundancy and resilience, facilitating rapid recovery from outages or cyber incidents. 📜 Compliance: Applying policy as code to ensure uniform security and compliance practices across all cloud environments. The guide also emphasizes the strategic use of Infrastructure as Code (IaC) to streamline cloud deployments and the importance of continuous education to keep pace with evolving cloud technologies. As organizations navigate the complexities of hybrid and multi-cloud strategies, this CSI provides valuable insights into securing cloud infrastructures against the backdrop of increasing cyber threats. Embracing these practices not only fortifies defenses but also ensures a scalable, compliant, and efficient cloud ecosystem. Read NSA's full guidance here: https://lnkd.in/eFfCSq5R #cybersecurity #innovation #ZeroTrust #cloudcomputing #programming #future #bigdata #softwareengineering

Microservice architecture has become a cornerstone of modern, cloud-native application development. Let's dive into the key components and considerations for implementing a robust microservice ecosystem: 1. Containerization:    - Essential for packaging and isolating services    - Docker dominates, but alternatives like Podman and LXC are gaining traction    2. Container Orchestration:    - Crucial for managing containerized services at scale    - Kubernetes leads the market, offering powerful features for scaling, self-healing, and rolling updates    - Alternatives include Docker Swarm, HashiCorp Nomad, and OpenShift 3. Service Communication:    - REST APIs remain popular, but gRPC is growing for high-performance, low-latency communication    - Message brokers like Kafka and RabbitMQ enable asynchronous communication and event-driven architectures 4. API Gateway:    - Acts as a single entry point for client requests    - Handles cross-cutting concerns like authentication, rate limiting, and request routing    - Popular options include Kong, Ambassador, and Netflix Zuul 5. Service Discovery and Registration:    - Critical for dynamic environments where service instances come and go    - Tools like Consul, Eureka, and etcd help services locate and communicate with each other 6. Databases:    - Polyglot persistence is common, using the right database for each service's needs    - SQL options: PostgreSQL, MySQL, Oracle    - NoSQL options: MongoDB, Cassandra, DynamoDB    7. Caching:    - Improves performance and reduces database load    - Distributed caches like Redis and Memcached are widely used 8. Security:    - Implement robust authentication and authorization (OAuth2, JWT)    - Use TLS for all service-to-service communication    - Consider service meshes like Istio or Linkerd for advanced security features 9. Monitoring and Observability:    - Critical for understanding system behavior and troubleshooting    - Use tools like Prometheus for metrics, ELK stack for logging, and Jaeger or Zipkin for distributed tracing    10. CI/CD:    - Automate builds, tests, and deployments for each service    - Tools like Jenkins, GitLab CI, and GitHub Actions enable rapid, reliable releases    - Implement blue-green or canary deployments for reduced risk 11. Infrastructure as Code:    - Use tools like Terraform or CloudFormation to define and version infrastructure    - Enables consistent, repeatable deployments across environments Challenges to Consider: - Increased operational complexity - Data consistency across services - Testing distributed systems - Monitoring and debugging across services - Managing multiple codebases and tech stacks Best Practices: - Design services around business capabilities - Embrace DevOps culture and practices - Implement robust logging and monitoring from the start - Use circuit breakers and bulkheads for fault tolerance - Automate everything possible in the deployment pipeline

I've published a GitHub repository containing all the KQL threat-hunting queries I've developed so far based on real-world use cases across Microsoft Sentinel and Defender. This collection includes: - Threat-hunting queries for cloud and endpoint telemetry - Behavioral detection logic mapped to MITRE ATT&CK - Patterns for detection engineering and alert tuning - Practical KQL use cases from live environments If you're working in security operations, detection engineering, or cloud threat defense, feel free to explore, adapt, and contribute. Thank you, Rod Trent, for your article on common mistakes in KQL. It helped me a lot in some areas. GitHub repository: https://lnkd.in/gv5JE2C6 Website: https://lnkd.in/gGdJqJFf

2024 State of Cloud Security Study Key Insights A great morning read from Datadog ‘analyzed security posture data from a sample of thousands of organizations that use AWS, Azure, or Google Cloud.’ ↗️ Long-lived credentials -> remain a security risk, with 60% of AWS IAM users having access keys older than one year. Unused credentials are widespread, increasing attack surfaces across all cloud providers (AWS, Azure, GCP). Recommendation -> Shift to temporary, time-bound credentials & centralized identity management solutions. ↗️ Public access blocks on cloud storage increasing AWS S3 & Azure Blob Storage are increasingly using public access blocks, with S3 seeing 79% of buckets proactively secured. Recommendation -> Enable account-level public access blocks to minimize risks of accidental data exposure. ↗️ IMDSv2 adoption growing AWS EC2 instances enforcing IMDSv2 have grown from 25% to 47%, yet many instances remain vulnerable. Recommendation -> Enforce IMDSv2 across all EC2 instances & use regional settings for secure defaults. ↗️ Managed Kubernetes clusters Many clusters (almost 50% on AWS) expose APIs publicly, with insecure default configurations risking attacks. Recommendation -> Use private networks, enforce audit logs, & limit permissions on Kubernetes worker nodes. ↗️ 3rd-Party integrations pose supply chain risk 10% of third-party IAM roles are overprivileged, creating risks of AWS account takeover. Recommendation ->Limit permissions, enforce External IDs, & remove unused third-party roles. ↗️ Most cloud incidents caused by compromised cloud credentials Cloud incidents are often triggered by compromised credentials, particularly in AWS, Azure, & Entra ID environments. Patterns of Attack + Compromised identities + Escalation via GetFederationToken + Service enumeration + Reselling access + Persistence techniques Microsoft 365 -> Credential stuffing, bypassing MFA, & malicious OAuth apps for email exfiltration. Google Cloud -> Attackers leverage VPNs & proxies for crypto mining and follow common attack patterns. Recommendations -> Implement strong identity controls & monitor API changes that attackers may exploit. ↗️ Many cloud workloads are excessively privileged or run in risky configurations Overprivileged cloud workloads expose organizations to significant risks, including full account compromise & data breaches. Recommendation ->Enforce least privilege principles on all workloads. Use non-default service accounts with tailored permissions in Google Cloud. Avoid running production workloads in AWS Organization management accounts. The study shows improved adoption of secure cloud configurations -> better awareness + enforcement of secure defaults. However, risky credentials & common misconfigurations in cloud infrastructure remain significant entry points for attackers. P.s. use the info to strengthen your org cloud security posture. Full study report in the comment ⬇️ #cloudsecurity #cloudsec #cybersecurity

The Silent Breach Vector: Misconfigured Firewalls In cybersecurity, it's not always the absence of controls that opens the door to attackers it’s their misconfiguration. Firewalls are supposed to be your first line of defense. But a single misconfigured rule can be the equivalent of handing out the keys to your network. Open ports left exposed, overly permissive access policies, or outdated rule sets quietly create a backdoor that attackers love. And here’s the kicker: these missteps rarely get caught during traditional compliance audits. They're operational issues, not just checkboxes. Real Talk: “Allow any/any” rules? That’s not flexibility. That’s a threat. Exposed management interfaces? That’s not convenience. That’s negligence. No rule cleanup process? That’s not legacy. That’s liability. At Careful Security, we’ve seen breach simulations where firewall misconfigs were exploited in minutes not hours. And yet, teams often discover them only after an incident. Don’t wait for a pentest report to tell you what you could fix today. • Regularly audit your firewall rules • Implement least privilege policies • Automate configuration checks • Tie firewall reviews to change management

Cloud security can cause so many problems at any startup. After looking at 100s of AWS accounts, here's what we usually see overlooked: 1. Access Management (Who exactly can log into your cloud accounts? Too many startups give everyone admin access because it's easier.) 2. Multi-tenancy Risks (Your data is sitting on the same servers as other companies. Make sure you understand how it's being isolated.) 3. API Security (All those convenient APIs connecting your systems are great but...they're also a potential door for someone to walk through.) 4. Shared Responsibility Model (AWS isn't responsible for securing your applications - just their infrastructure. The rest is on you) 5. Credential Management (Those AWS access keys you copied to your local machine? They're probably still there, and that's a problem.) 6. Cross-Cloud Security (AWS, GCP, and Azure each have different security models, and they don't automatically talk to each other!) 7. Compliance Foundation (If you're planning to sell to banks or healthcare, you need to build with compliance in mind from day one) It's not all "someone hacked my EC2 instance and started mining bitcoin" - some of these are simple best practices that go out the window when it's a team of 5. Understandable, and solvable. None of these are impossible problems, but each can get ugly fast. What did I miss?