fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

NSA and CISA share Kubernetes security recommendations

NSA and CISA share Kubernetes security recommendations

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published comprehensive recommendations for strengthening the security of an organization’s Kubernetes system.

Kubernetes is a popular open-source solution for deploying, scaling, and managing containerized apps in the cloud, making it an attractive target for cyber attacks.

Kubernetes architecture

Also Read: Don’t Be Baited! 5 Signs of Phishing in Email

Hackers are constantly hitting Kubernetes environments, their motivation varying from stealing data, to cryptocurrency mining, to denial-of-service (DoS) that could act as a diversion for other operations.https://www.ad-sandbox.com/static/html/sandbox.html

To help companies make their Kubernetes environment more difficult to compromise, the NSA and CISA released a 52-page cybersecurity technical report that offers guidance for admins to manage Kubernetes securely.

The NSA says that the main three causes for a compromised Kubernetes environment are supply-chain attacks, malicious actors, and insider threats.

While administrators can’t prevent all three risks, they can harden the security of a Kubernetes cluster by avoiding common misconfigurations and applying mitigations to minimize security risks.

The agency notes that supply-chain attacks “are often challenging to mitigate,” adding that a malicious threat actor’s way in is typically exploiting a vulnerability or leveraging misconfigurations.

“Insider threats can be administrators, users, or cloud service providers. Insiders with special access to an organization’s Kubernetes infrastructure may be able to abuse these privileges” – the National Security Agency

In broad strokes, the defensive actions against this these threats is to scan containers and Pods for bugs and misconfigurations; use the least privileges to run run Pods and containers (unless higher permissions are needed), and use network separation, strong authentication, properly configured firewalls, and audit logs.

Kubernetes cluster components

Admins should also review all Kubernetes settings regularly and ensure that the system benefits from the latest updates, patches, and available upgrades.

Titled “Kubernetes Hardening Guidance,” the document goes through each of the following security recommendations, with examples:

Kubernetes Pod security:

Use containers built to run applications as non-root users 

  • Where possible, run containers with immutable file systems 
  • Scan container images for possible vulnerabilities or misconfigurations 
  • Use a Pod Security Policy to enforce a minimum level of security including:

– Preventing privileged containers
– Denying container features frequently exploited to breakout, such as hostPID, hostIPC, hostNetwork, allowedHostPath 
– Rejecting containers that execute as the root user or allow elevation to root 
– Hardening applications against exploitation using security services such as SELinux, AppArmor, and seccomp

Network separation and hardening:

  • Lock down access to control plane nodes using a firewall and role-based access control (RBAC)
  • Further limit access to the Kubernetes etcd server
  • Configure control plane components to use authenticated, encrypted communications using Transport Layer Security (TLS) certificates
  • Set up network policies to isolate resources. Pods and services in different namespaces can still communicate with each other unless additional separation is enforced, such as network policies
  • Place all credentials and sensitive information in Kubernetes Secrets rather than in configuration files. Encrypt Secrets using a strong encryption method

Authentication and authorization:

  • Disable anonymous login (enabled by default)
  • Use strong user authentication
  • Create RBAC policies to limit administrator, user, and service account activity

 Log auditing:

  • Enable audit logging (disabled by default)
  • Persist logs to ensure availability in the case of node, Pod, or container level failure
  • Configure a metrics logger

Upgrading and application security practices:

  • Immediately apply security patches and updates
  • Perform periodic vulnerability scans and penetration tests
  • Remove components from the environment when they are no longer needed

Read the full Kubernetes Hardening Guidance document [PDF] from the NSA and CISA.

Also Read: Data Protection Policy: 8 GDPR Compliance Tips

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us