It is in essential fitness of things that a robust cyber hygiene culture should be encouraged throughout the organization. This can be done by training employees and establishing a cybersecurity policy that all employees must follow, detailing not only what solutions should be used but also best practices like creating smart passwords and spotting phishing emails, says Kartik Shahani, Country Manager, Tenable India.
Kartik Shahani, in an interaction with CIO Axis, discusses the challenges posed by the complexity of Active Directory management, and the evolution of cybersecurity processes to be implemented by organizations utilizing DevOps and Infrastructure as Coded processes.
CIO AXIS: How dangerous is the Apache Log4J vulnerability?
Kartik Shahani: Log4Shell has been compared to Heartbleed and Shellshock, two major vulnerabilities that were disclosed over the last decade. The comparison is apt, but it would also be fair to say that Log4j is more devastating than the two because of a greater impact and ease of exploitation.
Many organizations in India and all over the world use Log4j in their own source code, it’s also used in many of the products these organizations acquire from third parties. Log4j is a library, or what coders call a code module and serves one purpose — keeping a log of what happens on a server. Attacks leveraging Log4j are not looking to target a specific organization but use it to install malware on entire servers. This means that attackers can take control of millions of servers, shut them down, install malware and send out ransom demands to multiple organizations at a time. That’s what makes Apache Log4J more dangerous than any other critical vulnerability discovered over the last decade.
CIO AXIS: What Is cyber hygiene and why is it important?
Kartik Shahani: Cyber hygiene is a set of practices organizations take to understand where they’re vulnerable and protect their networks and from cyberattacks and breaches. It starts with having a complete and continuous understanding of the attack surface, from on-premises to cloud infrastructure, from a remote or hybrid workforce to all users connected to the corporate network, especially in a perimeter-less world. Cyber hygiene fundamentals include identifying systems that could potentially compromise the environment, figuring out who has access to these systems and their roles in the organization. It’s also important to encourage better cyber hygiene throughout the organization by training employees and establishing a cybersecurity policy that all employees must follow, detailing not only what solutions should be used but also best practices like creating smart passwords and spotting phishing emails.
CIO AXIS: What are the ways cybercriminals exploit Active Directory causing drastic interruptions in business continuity?
Kartik Shahani: Active Directory is critical for organizations as it holds information as to where the keys to the proverbial kingdom are for every company and provides a map for how to find them. All it takes it for attackers to compromise one machine in a network to get access to AD and form there, an attacker can move laterally to any device, gain control of privileged accounts, leave backdoors, add new machines to the network, deploy ransomware, compromise sensitive systems and steal sensitive data. Attacks like DCShadow, DCSync or Golden Ticket attacks effectively hand over control of an organization’s entire IT infrastructure to bad actors.
CIO AXIS: Please delineate Tenable’s strategy to protect the Active Directory.
Kartik Shahani: Despite its criticality, managing and securing Active Directory is incredibly complex. It’s almost impossible to manage Active Directory securely at scale in an enterprise without a tremendous amount of expertise and constant attention. This is why we introduced Tenable.ad, to help organizations secure Active Directory environments and disrupt one of the most common attack paths in both advanced persistent threats and common hacks. Tenable.ad allows security and IT professionals to find and fix weaknesses in Active Directory before attackers can exploit them. And it allows incident responders to detect and respond to attacks as they’re happening.
At its core, Tenable.ad does an incredibly thorough job of auditing and assessing every configuration setting and every entry and relationship within Active Directory. Then, it simplifies these findings and creates prioritized recommendations for IT and security teams to address based on criticality, the relative ease of making configuration changes and the relative ease of implementing recommendations.
CIO AXIS: Why is DevSecOps becoming so important for cybersecurity professionals?
Kartik Shahani: Traditional modes of securing software are not enough to detect and prevent a breach, because software development and delivery have inherently changed with the move to the cloud and codification of cloud governance. Because by the time software reaches runtime, it’s already too late. The detection of cloud misconfigurations needs to move from reactive to proactive so that security teams don’t have to wait for infrastructure to be created in order for them to discover and mitigate vulnerabilities in code. This also means that security teams need visibility into the entire line of operations.
CIO AXIS: Tell us about Infrastructure as Code (IaC). How is it evolving?
Kartik Shahani: Infrastructure as a Code (IaC) is an IT practice that codifies and manages underlying IT infrastructure. IaC involves using software tools to automate specific tasks through a version control system. This means that an organization’s infrastructure can be written and described in code, and this code can be executed to make changes to the IT infrastructure. IaC allows organizations to build products that efficiently meet their customers’ needs in a timely manner. But the speed at which development teams are rapidly pushing out new products and features is outpacing security.
Enabling cloud-native security requires a fundamentally new approach that applies continuous assessment and automated remediation throughout the development lifecycle. To do this, organizations need developer-first security solutions that are compatible with their workflows to increase independence and deliver easily consumable code fixes rather than just identifying problems.