Security Scene: April 2021 Edition

Subscribe for more like this



Estimated reading time: 3 minutes

By Adair Thaxton, Internet2 Cyberinfrastructure Security Engineer

Security Scene illustration with lock

Spring is upon us, and I think it’s one of my favorite times of the year. I did floral design in college, and spring flowers are just the best. Ranunculus, daffodils, and dahlias? Yes, please. I guess I should try to relate this back to security in some way, huh?  Floral design has a “rule of threes,” at least three of each type of flower for best visual effect. Security has the three legs of the CIA triad (confidentiality, integrity, availability), three HIPAA components (administrative, physical, technical), and of course the informal rule about having three copies of important data. Boom, analogy!

This month in cloud security, research shows a Grand Canyon-sized gap between security teams’ confidence in their cloud security, and actual security practices. Despite roughly 90% confidence in their ability to protect the organization’s cloud resources, 55% of respondents had only middling visibility into their SaaS usage. Really, my favorite statistic was that almost 50% of respondents thought it was their job as customer to secure the cloud provider’s physical datacenter and its network.

Dark Reading brings us 7 Security Strategies as Employees Return to the Office.

I’m likely not the only person who thinks that articles focused on “traditional office environment” security are amusingly simplistic in higher education environments, but this one has some good points that apply to us as well. Particularly, “treat all returning endpoints as high risk” – you may plan for this to happen with student machines in August and January, but it’s not only student machines that have been off-campus for long periods of time. 

Are you protecting your staff and faculty endpoints the same way? Similarly, “watch out for intrusions with long dwell times.” If you couldn’t detect the initial intrusion while the employee was at home, how confident are you that you can detect the exploit activity months or weeks after the user returns to campus?

Many NetDevOps groups use the “netmask” package, which discovered a new vulnerability.

The first octet of an IP address can be passed in octal format – the “netmask” package would strip the leading 0 and treat the IP address literally, rather than parsing it into decimal value before evaluation. The big scary part for me was that 0254.17.0.1 would evaluate to, which should look awfully familiar to those of you running Docker! If you were using “netmask” to restrict traffic to your internal networks, using octal in the first octet would bypass that. If you’re using “netmask,” update it!

CISA’s Sparrow tool, which was released to detect threats following the SolarWinds compromise, now has a Splunk dashboard called Aviary, which can help detect compromised accounts and applications in Azure, Office365, and Microsoft365. The GitHub description explains that “the tool is intended for use by incident responders and focuses on the narrow scope of user and application activity endemic to identity and authentication-based attacks seen recently in multiple sectors.” Sparrow uses PowerShell on the scanning server to run its checks, and its output can be parsed by Aviary to make analysis easier.

Have a great spring!

Read previous Security Scene blog posts