Controlling Risks with CyberOne’s End-to-End GRC SAAS Platform
Author: Steven (Ryan) Corbin, Software Engineer at Virescit Tactical Systems
“Ransomware” and “data breach” have quickly become common terms throughout the realm of cyber security, and data is becoming the currency of the 21st century. Companies’ data stores are constantly under attack by bad actors looking to turn vulnerabilities into profit. Recently we have seen attacks that have resulted in losses of data and intellectual property through misconfigured databases and Virtual Private Networks (VPNs). Kraken group, a cyber-crime threat actor, has been selling a script to exploit misconfigured databases [1].
On July 1, 2020, Zero Day reported that 23,000 misconfigured MongoDB databases, exposed to the internet, were victims of ransomware. The attackers deleted the database contents and left a ransom note. The ransom note demanded payment in bitcoin within 48 hours, or else the data would be lost and the company’s local General Data Protection Regulation (GDPR) enforcement authority would be contacted. Previous uses of this attack have shown that payment did not result in the database being restored. The July attack represents 47% of all MongoDB databases currently exposed online [2], revealing a concerning practice of companies not securing databases properly.
GDPR is a regulation governing data protection and privacy in the European Union [3]. The U.S. in recent years has had its own debates and Congressional inquiries regarding data and privacy. Although the U.S. has not established policy similar to GDPR, the EU policy extends to companies worldwide that process data of E.U. citizens [3]. Congressional inquiry, public sentiment, and international trade pressure suggest that the U.S. may soon adopt similar privacy regulations.
While the MongoDB attack reported by Zero Day focuses on databases that do not have basic authentication enabled, this is by no means the only vulnerability being exploited. Ransomware has driven an increase in data redundancy, but the evolution of ransomware into the realm of extortion and easy-to-use scripts makes this a continued and growing threat to companies that deal with data.
Ransomware and the new extortion threat shine a light on the importance of auditing security practices and policies in every organization. Databases are often exposed online through web services and REST APIs to store, query, and provide information to client applications, and some are exposed for maintenance purposes. The database’s security configuration is the main barrier preventing criminals from accessing this data. Unfortunately, many databases are configured from poor tutorials with only the bare minimum needed to get the database operational, or have been modified to implement a specific feature in a way that leaves the entire database vulnerable. MongoDB has modified its default settings to make the database secure on install, but the problem persists.
This is where the CyberOne Platform can assist security-conscious companies. CyberOne helps clients strategically and proactively manage enterprise risk. The CyberOne Integrated Risk Management Software Suite provides a unified view of operational and cyber security priorities and controls, as well as the evidence that enables you to understand enterprise risks while leveraging existing work across programs [4]. CyberOne is designed to assist with a large set of cybersecurity management tasks, and includes both a power-user portal and a lite-user portal.
The CyberOne Platform comes preloaded with several Obligations from governing bodies. This includes an Obligation related to GDPR. On the power-user portal, navigate to the “Obligations” tab under the “Policy Management” module. Here you will find the preloaded obligations, as well as an option to create a new obligation. You can select the GDPR obligation to view its details. MongoDB provides a security checklist for securing a MongoDB database.
To create a new obligation based on the MongoDB Security Checklist, select the “New Obligation” button above the column headings. Name, Version, and Description are required fields for creating a new obligation. The version number is user defined, and for the MongoDB Security Checklist the “Last Updated” date found in the MongoDB Manual is used. This allows the power-user to easily identify when the obligation needs to be updated.
Inside the new obligation, we can create obligation sections. Obligation sections can be used to create controls that are mapped to policies, assessments, and findings. An obligation section is a requirement defined in the referenced material. In the case of the MongoDB Security Checklist, obligation sections correspond to checklist items. To add a new obligation section, select “New Obligation Section” under the “Obligations Sections” area in the Obligation record. Obligation and Section name are required fields for this form. The description field can be used to define tasks associated with the obligation section. A content source can be defined to create a group that contains all forms associated with the obligation. The content source can then be used in the search function to bring up all records associated with the obligation, or when creating custom views.
In CyberOne, policies are the company guidance concerning compliance with an obligation. A new policy can be created by selecting “New Policy” under the “Policies” tab of the “Policy Management” module. The first step in creating a policy is to select the policy record type. CyberOne provides a list of definitions for the provided types, but custom types can be added by contacting CyberOne. The policy regarding MongoDB Security is a Level 2 record, because it may be of interest to regulators but is not explicitly required. The record type allows power users to identify which policies are most important regarding regulations, scope, and responsibility.
The policy can be written in the portal or uploaded from an external source. Uploading a policy from an external source does not currently auto-parse into the form, so the information will have to be copied over manually. A name and description of the policy are required for creation, as well as an author and a reviewer. The CyberOne platform allows multiple users to collaborate on a policy although only one individual will be assigned as the author. The reviewer will suggest edits and ultimately approve the policy for publication.
Collaborating on a policy is accomplished by adding “Policy Contacts” to the policy. Power users listed as contacts can view and edit the policy in the power user portal. Lite users will only receive notifications when events occur, such as submission, approval, or rejection. Signed copies of the policy can be uploaded to the system under the “Policy Documents” Section of the policy.
The policy author will submit the policy to the reviewer for publication. To submit the policy for review select “Submit for Approval” from the buttons at the top of the policy record form. Once submitted, only the reviewer will be able to unlock the record for edits. The reviewer will then Reassign, Reject, or Approve the policy for publication.
Once a policy has been published, it should no longer be edited. To update a published policy, a power user should select “Clone with Child” on the original policy record and go through the publication process again. Once the updated policy has been published, the previous version’s status will automatically change to “Archived”.
Internal controls can be added to a policy during creation or after publication. Internal controls are requirements that should be checked periodically for compliance. To create a new internal control, select “New Internal Control” under the Internal Control section of the policy. You can copy policy statements into the control description and provide a name to easily identify the control. Provide a control frequency to require actions and send notifications when the control needs to be checked. A predefined security category can be selected for use in custom views and searches. Additional guidance related to the control can be added to the record to provide tactics, tips, and procedures for complying with the control.
Once the policy has been established, compliance should be monitored to ensure that security safeguards established in the policy remain in place. Policy compliance begins on the CyberOne platform by defining “Control Activities” and mapping them to the previously established controls. For the purposes of this section, we will focus on the “Configuring Role Based Access Control” section of the “MongoDB Security Checklist”. This section is included in the previously created policy and internal control.
MongoDB allows inherited privileges, which lets a newly created role inherit the privileges of other roles. According to the Security Manual [5], “A privilege consists of a specified resource and the actions permitted on the resource.” Inherited privilege also allows roles created in the admin database to inherit roles from any database. This feature can easily create weaknesses as inherited privileges are compounded, so privileges should be checked periodically to ensure users and admins only have the privileges they need.
To easily implement these checks on the CyberOne platform, select the “Control Activities” tab under the “Compliance Management” module. This tab tracks all control activities that have been created on the platform. To create a new activity, select the button labeled “New Control Activity”. This will open a form to create a new activity. For this example, a control is implemented to maintain a list of employees who have accounts with the “userAdmin” role. This is a powerful role with a specific warning inside the MongoDB Manual:
It is important to understand the security implications of granting the userAdmin role: a user with this role for a database can assign themselves any privilege on that database. Granting the userAdmin role on the admin database has further security implications as this indirectly provides superuser access to a cluster. With admin scope a user with the userAdmin role can grant cluster-wide roles or privileges including userAdminAnyDatabase.
The “Primary Control Owner” is the security manager who is evaluating the control. The “Target” is the asset being tested. Creating targets is not unique to a MongoDB database, and will not be covered in this article. A key control must be fully implemented and should be identified based on policy guidance. The “Test Procedure” should provide guidance on how evidence should be collected and reported; for this example it reads: remove any employee who no longer requires access, and change the password if the list changes. Once the new activity is created, it should be mapped back to the internal control for MongoDB.
The CyberOne platform will automate the collection of evidence to assist in testing compliance. To begin the automation process, an Evidence Checklist item must be created by going to the “Evidence Checklist” tab and selecting “New Evidence Checklist”. The assessor then fills out the form and creates a new checklist item. This item is then added to the control activity under “Evidence” as a “New Test Plan Evidence”. Once applied, go into the evidence item and select “Add New Document Request with Automation”. This will start the automation process and send the primary contact a request according to the defined frequency. The platform will also send reminders and escalate to the contact’s manager if the request is not answered. Setting rules for reminders and escalation is outside the scope of this article.
Once the document submissions are received, the assessor can begin identifying issues. In the example above, the assessor would compare the list of employees with userAdmin accounts against a list of employees and job titles for the applicable department. If an employee has left the company or changed roles and no longer needs the same level of access, the assessor can create a finding.
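The check behind this control activity, written out as an added example (it is not CyberOne’s or MongoDB’s own code): resolve inherited MongoDB roles transitively, list every account that effectively holds userAdmin, userAdminAnyDatabase or root, and compare that list with the roster the control owner has approved. The record shapes mirror what `db.getUsers()` and `db.getRoles()` return in the mongo shell, but every user, role and roster entry below is constructed for illustration, and the inclusion of `root` as a tracked role is an assumption beyond the two roles the article names.

```javascript
// Added example (not CyberOne's or MongoDB's own code): resolve inherited
// MongoDB roles and list the accounts that effectively hold userAdmin
// privileges, then compare that list with the approved roster the control
// activity maintains. Record shapes mirror `db.getUsers()` / `db.getRoles()`
// output; all records below are constructed sample data.

// Roles whose holders the control tracks. userAdmin and userAdminAnyDatabase
// are the roles the MongoDB manual warns about; root is added here as an
// assumption because it implies every privilege.
const SENSITIVE_ROLES = new Set(["userAdmin", "userAdminAnyDatabase", "root"]);

// Constructed custom roles on the admin database, as `db.getRoles()` reports them.
const customRoles = [
  { role: "appOps", db: "admin", roles: [{ role: "readWrite", db: "orders" }] },
  // Innocuous name, but it grants userAdmin on admin.
  { role: "helpdesk", db: "admin", roles: [{ role: "appOps", db: "admin" }, { role: "userAdmin", db: "admin" }] },
  // Two hops away from userAdmin: the compounding the article describes.
  { role: "tier1", db: "admin", roles: [{ role: "helpdesk", db: "admin" }] },
];

// Constructed user records, as `db.getUsers()` reports them.
const users = [
  { user: "alice", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "bob", db: "admin", roles: [{ role: "tier1", db: "admin" }] },
  { user: "svc_orders", db: "orders", roles: [{ role: "readWrite", db: "orders" }] },
];

// "db.role" uniquely identifies a role (database names cannot contain ".").
const roleKey = (r) => `${r.db}.${r.role}`;

// Transitive closure over the role graph. Built-in roles (readWrite,
// userAdmin, ...) have no entry in roleDefs and are treated as leaves.
function effectiveRoles(directRoles, roleDefs) {
  const byKey = new Map(roleDefs.map((r) => [roleKey(r), r]));
  const seen = new Set();
  const stack = [...directRoles];
  while (stack.length > 0) {
    const r = stack.pop();
    const key = roleKey(r);
    if (seen.has(key)) continue; // also terminates on cyclic definitions
    seen.add(key);
    const def = byKey.get(key);
    if (def) stack.push(...(def.roles || []));
  }
  return seen;
}

// Every account that ends up with a sensitive role, and which role(s) it gets.
function findUserAdmins(userDocs, roleDefs) {
  const hits = [];
  for (const u of userDocs) {
    const eff = effectiveRoles(u.roles, roleDefs);
    const via = [...eff].filter((k) => SENSITIVE_ROLES.has(k.slice(k.indexOf(".") + 1))).sort();
    if (via.length > 0) hits.push({ user: `${u.db}.${u.user}`, via });
  }
  return hits;
}

// Accounts the control owner has approved for userAdmin (constructed roster).
const approvedUserAdmins = new Set(["admin.alice"]);

// Anything holding a sensitive role without approval becomes a finding.
function findings(userDocs, roleDefs, approved) {
  return findUserAdmins(userDocs, roleDefs)
    .filter((h) => !approved.has(h.user))
    .map((h) => ({ user: h.user, issue: `holds ${h.via.join(", ")} without approval` }));
}

console.log(findings(users, customRoles, approvedUserAdmins));
```

On a live deployment the server computes the same closure for you: `db.getRole(name, { showPrivileges: true })` returns an `inheritedRoles` array, and the script above is the logic an assessor applies to that evidence once it has been exported, so that a role named “tier1” is judged by what it inherits rather than by its name.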
Findings can be created through manual review of evidence, control tests, assessments, or incidents. A finding will contain a description of the issue, a recommendation for correcting the issue, and risk ratings that reflect the level before and after the recommendations are implemented. The primary contact will be notified of the finding and can take steps to mitigate the risk. Findings can be used to analyze the overall risk of a system through the CyberOne Platform.
CyberOne delivers multiple methods of varying complexity for continuously tracking the risk associated with misconfigured databases. Risk assessments are created using assessment questions and are periodically sent to users to complete. These assessments can auto-generate findings based on users’ responses and the assessment’s configuration.
A simple check of MongoDB authentication settings could have saved the victims of the MongoDB hijacking script millions of dollars. The typical cost to recover from a ransomware attack is (US)$84,000 [7]; assuming only 10% of the databases were production databases, the cost of the attack would be (US)$192,360,000. Configuration settings do not change often, and this can cause complacency when it comes to securing systems and databases. People often assume that the person before them, or the files they download from the internet, already addressed all obvious security concerns.
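The “simple check of MongoDB authentication settings” mentioned here, and the bare-minimum configurations described earlier in the article, as an added example that is not CyberOne’s or MongoDB’s own code: a small audit function run over two constructed mongod configurations, the weak one beside its hardened counterpart. The objects mirror the YAML keys of `mongod.conf` (`security.authorization`, `net.bindIp`, `net.bindIpAll`); the addresses and paths in them are made up for illustration.

```javascript
// Added example (not CyberOne's or MongoDB's own code): check the two mongod
// settings behind the exposed, unauthenticated databases in the ransom
// campaign. Objects mirror mongod.conf YAML keys; both configurations are
// constructed for illustration.

// The "bare minimum to get it running" configuration: no authorization and
// mongod bound to every interface.
const weakConfig = {
  net: { port: 27017, bindIp: "0.0.0.0" },
  storage: { dbPath: "/var/lib/mongodb" },
};

// The hardened counterpart: role-based access control enforced, and the
// listener restricted to loopback plus the address the application tier uses.
const hardenedConfig = {
  net: { port: 27017, bindIp: "127.0.0.1,10.0.0.5" },
  security: { authorization: "enabled" },
  storage: { dbPath: "/var/lib/mongodb" },
};

// Returns a list of human-readable issues; an empty list means the checked
// settings are in order. Absent keys are evaluated as mongod's defaults
// (authorization off, bindIp localhost).
function auditMongodConfig(cfg) {
  const issues = [];
  const authorization = cfg.security ? cfg.security.authorization : undefined;
  if (authorization !== "enabled") {
    issues.push("security.authorization is not 'enabled': any client that reaches the port has full access");
  }
  const net = cfg.net || {};
  const addrs = String(net.bindIp || "127.0.0.1").split(",").map((s) => s.trim());
  const allInterfaces = net.bindIpAll === true || addrs.includes("0.0.0.0") || addrs.includes("::");
  if (allInterfaces) {
    issues.push("mongod listens on all interfaces (net.bindIp/net.bindIpAll): restrict it to the addresses clients actually use");
  }
  if (authorization !== "enabled" && allInterfaces) {
    issues.push("combined: the database is reachable from any network without credentials, the condition exploited in the July 2020 ransom campaign");
  }
  return issues;
}

console.log("weak:", auditMongodConfig(weakConfig));
console.log("hardened:", auditMongodConfig(hardenedConfig));
```

The localhost default for `bindIp` is the change to MongoDB’s install-time settings the article alludes to, so an empty configuration now fails only the authorization check; a database copied from an older tutorial, with `bindIp: 0.0.0.0` and no `security` section, fails all three. This is the kind of evidence a recurring control activity can request and an assessor can compare against the policy.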
While writing this article, Twitter suffered a huge security event in which many verified accounts were used to conduct a crypto scam. According to a ZDNet.com article, a hacker gained access to a Twitter Slack channel where he discovered credentials for an internal Twitter tool [6]. There is no further information on why the credentials were saved there, but it appears that Twitter employees were sharing usernames and passwords. Even though the tool was protected by 2-factor authentication, the hackers were still able to get through that security measure to access the tool [6]. This shows that some risk will always exist, and that basic, low-tech cyber security practices are vital to protecting systems and data.
CyberOne provides tools for periodically assessing security vulnerabilities to avoid these incidents. The techniques described in this article extend easily to other products and processes companies use. Implementing and evaluating controls is a key component of risk management. Cyber attacks are constant and evolve quickly; cyber-security safeguards that cannot keep up will eventually crumble.
- Cyber Security should go beyond Government Regulation.
- Many companies are not following sound security principles.
- CyberOne offers a platform for managing regulation compliance and implementation of general cyber security principles and safeguards.
The CyberOne SaaS Platform is productivity software for managing enterprise risk and compliance. The CyberOne Integrated Risk Management Software Suite provides a unified dashboard view of operational gap analysis, priorities, and control posture for global regulations and frameworks. Contact us for a demo.
1. Cimpanu, C., 2020. Kraken Group Puts MongoDB Hijacking Script Up For Sale. [online] BleepingComputer. Available at: <https://www.bleepingcomputer.com/news/security/kraken-group-puts-mongodb-hijacking-script-up-for-sale/> [Accessed 9 July 2020].
2. Cimpanu, C., 2020. Hacker Ransoms 23K MongoDB Databases And Threatens To Contact GDPR Authorities. [online] ZDNet. Available at: <https://www.zdnet.com/article/hacker-ransoms-23k-mongodb-databases-and-threatens-to-contact-gdpr-authorities/> [Accessed 9 July 2020].
3. General Data Protection Regulation (GDPR). 2020. General Data Protection Regulation (GDPR) — Official Legal Text. [online] Available at: <https://gdpr-info.eu/> [Accessed 9 July 2020].
4. Train.cyberonerisk.com. 2020. Log In ‹ C1train — WordPress. [online] Available at: <https://train.cyberonerisk.com/> [Accessed 22 July 2020].
5. Docs.mongodb.com. 2020. Security Reference — MongoDB Manual. [online] Available at: <https://docs.mongodb.com/manual/reference/security/> [Accessed 3 August 2020].
6. Cimpanu, C., 2020. How The FBI Tracked Down The Twitter Hackers. [online] ZDNet. Available at: <https://www.zdnet.com/article/how-the-fbi-tracked-down-the-twitter-hackers/> [Accessed 3 August 2020].
7. Mathews, L., 2020. Average Cost To Recover From Ransomware Skyrockets To Over $84,000. [online] Forbes. Available at: <https://www.forbes.com/sites/leemathews/2020/01/26/average-cost-to-recover-from-ransomware-skyrockets-to-over-84000/#3d8c5b8d13a2> [Accessed 3 August 2020].