#LockTheDoor already
You would think by now that nothing about security would surprise me.
Maybe it’s not that I’m surprised, but rather I’m disappointed.
Disappointed in the failure to adhere to even the most basic of security principles. You know, like lock the door.
A recent report from Lacework highlighted the need to reiterate one of the common core security rules:
THOU SHALT NOT LEAVE ADMIN CONSOLES OPEN
The report, which scanned the Internet, discovered “more than 21,000 container orchestration and API management systems” accessible.
That, in itself, is not concerning given that 95% of those were running in AWS. If you’re going to deploy containers and API gateways in the public cloud, you need to be able to manage them. That’s most frequently going to be accomplished via some sort of operational console.
What is concerning is that more than 300 of those dashboards were found to require absolutely no credentials to access.
I want to note that it isn’t just the Lacework report that notes this existential risk. Back in May 2017, the RedLock Cloud Security Report published its finding of hundreds of Kubernetes administrative consoles accessible over the Internet without requiring credentials.
So this not a new thing, but it is a thing we need to try to get ahead of before widespread adoption ramps up further. Because one of the things attackers do with these open consoles is fire up their own containers to conduct a variety of nefarious activities such as bitcoin mining and bot execution. They aren’t necessarily after your data, they want free compute and a fresh set of IP addresses that aren’t currently blocked on denylists across the Internet.
And they want the unfettered outbound access they all too often find in these environments. The most recent RedLock report found “85% of resources associated with security groups do not restrict outbound traffic at all. This reflects an increase from one year ago when that statistic was 80%.” With no restriction on outbound traffic, it’s no surprise the RedLock team also found about 39% of Amazon-deployed hosts it monitors “exhibiting activity patterns associated with instance compromise or reconnaissance by attackers.”
It should go without saying that if you’re running a web- or API-based console of any kind you need to lock it down. At a bare minimum you need to require credentials.
I know organizations have a zillion security rules and checklists that can seem overwhelming. But almost all of them can be generalized to fit these three core security rules:
1. Thou shalt not trust user input. Ever.
2. Thou shalt not hard code credentials. Ever.
3. Thou shalt not leave admin consoles open.
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...