Tag Archives: security

Amazon AWS Inspector Review

I was quite excited by the prospect of using AWS Inspector, as it is supposed to replace some of the expensive tools like Nessus, Nexpose, Qualys etc. for getting a holistic view of your infrastructure from a security perspective. Usually, it is a challenge to scan the servers/assets in the cloud. The complexities of instant provisioning, Virtual Private Clouds (VPCs), multiple regions and different availability zones compound the license restrictions of the tools. If you are using any of the tools listed above, you can use only one scanning engine and must pay up for additional scanners. There are certain workarounds for these situations, but the results are not optimal.

Using a native tool like AWS Inspector would not only help in overcoming the technical challenges but would also be sensible from a commercial standpoint. Although AWS Inspector does not advertise itself as a full-fledged Vulnerability Assessment scanner, it does claim to help one understand the risk posture of their servers, be they public facing or privately hosted.

In their own words:

“Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.”

Setting up AWS Inspector needed reasonable effort, as it required agent installation, asset tagging and defining of roles. The instructions provided by AWS were easy to follow.

However, I felt the reporting was below average and needed considerable improvement.

Installation & Running the Assessments:

To get started, one needs to install the software agent on all the servers (EC2 instances) and initiate the scan from the AWS Web Console. The agent can be installed via the command line and is available for Linux as well as Windows flavors. Amazon Inspector requires read-only access to resources in the account.

Following are the supported Operating Systems:

Linux OS:

  • Amazon Linux (2015.03, 2016.03, 2016.09)
  • Ubuntu (14.04 LTS, 16.04 LTS)
  • Red Hat Enterprise Linux (7.2)
  • CentOS (7.2)

Windows OS:

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Supported AWS regions:

  • US West (Oregon)
  • US East (N. Virginia)
  • EU (Ireland)
  • Asia Pacific (Incheon)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Sydney)

Scanning features

The assets are scanned based on what are called rules packages. A rules package is basically a set of rules based on templates, similar to PCI, CIS benchmarks etc. Following are the ones available at AWS currently:

  • Common Vulnerabilities and Exposures
  • Center for Internet Security (CIS) Benchmarks
  • Security Best Practices
  • Runtime Behavior Analysis

While the first two in the list are pretty much straightforward, Security Best Practices lists out deficiencies based on the following categories:

Runtime Behavior Analysis provides insight on the following parameters:

NOTE: Currently, AWS does not allow custom or self-configured rules packages.

Depth of scan:

Unlike the different scan templates available in Vulnerability Assessment tools (Advanced Network Scan, Configuration Audits, PCI Scans etc.), AWS classifies its scanning depth based on time! A point to note is that the longer the duration, the more comprehensive the scan and, consequently, its findings.

You can set your duration to any of the following available values:

  • 15 minutes
  • 1 hour (recommended)
  • 8 hours
  • 12 hours
  • 24 hours

Scoring

Vulnerabilities determined from the scans are classified as follows:

  • HIGH
  • MEDIUM
  • LOW
  • INFORMATIONAL

Pricing

Amazon Inspector is free for up to 250 agents for the first 90 days. The pricing differs after 90 days; more information on pricing here.

Here is my analysis:

Limitations:

The maximum number of hosts that can be scanned in a single run is 50; however, you can install Inspector on up to 500 instances. AWS calls these running agents, and this is a hard limit without any provision to request a raise. If you compare this with tools like Nessus or Nexpose, it is a big limitation, as those tools allow up to 1024 IP addresses depending on the license.

Report formats:

This is where I felt badly let down by AWS. The reports are neither readily consumable nor readily actionable. With AWS Inspector:

You can either view the results online or download them in CSV format. Only in the web console can you sort by parameters like HIGH, MEDIUM, LOW, INFORMATIONAL etc., and you cannot use these to present an executive summary as in other tools.

The exported CSV file does not include the host name or IP address. Instead, you will have to figure out the host based on the agent ID. Also, you will need to save it as a spreadsheet (.xls, .ods etc.) to preserve any custom changes.

I had to play around with the pivot functionality to identify the host with the maximum number of vulnerabilities or to identify the CVEs that are prevalent across all the hosts.

Report includes the following information:

  • Severity
  • Date
  • Finding
  • Target
  • Template
  • Rules Package
  • ARN
  • Rule
  • AWS agent ID
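Since the CSV export carries only the agent ID and no host name, the two questions the review raises (which host has the most vulnerabilities, and which CVE is present on the most hosts) are easy to answer with a short script instead of spreadsheet pivots. The following is an added example written for this review, not code from the original post or from AWS; the CSV rows, agent IDs, ARNs, CVE numbers and the agent-ID-to-hostname map are all constructed placeholders, and the severity weights are an assumed ranking, not an Inspector feature.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an Inspector CSV export, using the column names the
# review lists. Agent IDs, ARNs and CVE numbers are made-up placeholders.
SAMPLE_CSV = """Severity,Date,Finding,Target,Template,Rules Package,ARN,Rule,AWS agent ID
High,2017-03-01,CVE-0000-0001,web-tier,weekly,Common Vulnerabilities and Exposures,arn:aws:inspector:PLACEHOLDER/finding/1,CVE-0000-0001,agent-aaa
Medium,2017-03-01,CVE-0000-0002,web-tier,weekly,Common Vulnerabilities and Exposures,arn:aws:inspector:PLACEHOLDER/finding/2,CVE-0000-0002,agent-aaa
High,2017-03-01,CVE-0000-0001,web-tier,weekly,Common Vulnerabilities and Exposures,arn:aws:inspector:PLACEHOLDER/finding/3,CVE-0000-0001,agent-bbb
Low,2017-03-01,Password policy not enforced,web-tier,weekly,Security Best Practices,arn:aws:inspector:PLACEHOLDER/finding/4,SBP-1,agent-bbb
High,2017-03-01,CVE-0000-0001,web-tier,weekly,Common Vulnerabilities and Exposures,arn:aws:inspector:PLACEHOLDER/finding/5,CVE-0000-0001,agent-ccc
Informational,2017-03-01,Root login permitted,web-tier,weekly,Security Best Practices,arn:aws:inspector:PLACEHOLDER/finding/6,SBP-2,agent-ccc
"""

# Constructed agent-ID -> hostname map. The export itself has no host names,
# so in practice this would be built from your own instance inventory.
AGENT_HOSTS = {
    "agent-aaa": "web-01.example.internal",
    "agent-bbb": "web-02.example.internal",
    "agent-ccc": "db-01.example.internal",
}

# Assumed weights for ranking hosts; Inspector only supplies the labels.
SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def parse_findings(csv_text):
    """Return the export as a list of dicts keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def findings_per_host(rows, agent_hosts):
    """Count findings per host by severity, translating agent IDs to hostnames."""
    per_host = defaultdict(Counter)
    for row in rows:
        # Fall back to the raw agent ID if the inventory does not know it.
        host = agent_hosts.get(row["AWS agent ID"], row["AWS agent ID"])
        per_host[host][row["Severity"]] += 1
    return per_host


def hosts_by_risk(rows, agent_hosts):
    """Rank hosts by weighted severity so the worst machine comes first."""
    per_host = findings_per_host(rows, agent_hosts)
    scored = {
        host: sum(SEVERITY_WEIGHT.get(sev, 0) * n for sev, n in counts.items())
        for host, counts in per_host.items()
    }
    return sorted(scored.items(), key=lambda item: (-item[1], item[0]))


def prevalent_findings(rows, rules_package="Common Vulnerabilities and Exposures"):
    """Count how many distinct hosts each finding (e.g. a CVE) appears on."""
    hosts_per_finding = defaultdict(set)
    for row in rows:
        if row["Rules Package"] == rules_package:
            hosts_per_finding[row["Finding"]].add(row["AWS agent ID"])
    return sorted(
        ((finding, len(hosts)) for finding, hosts in hosts_per_finding.items()),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    rows = parse_findings(SAMPLE_CSV)
    print("Hosts ranked by weighted risk:")
    for host, score in hosts_by_risk(rows, AGENT_HOSTS):
        print(f"  {host}: {score}")
    print("CVEs ranked by number of affected hosts:")
    for finding, n_hosts in prevalent_findings(rows):
        print(f"  {finding}: {n_hosts} host(s)")
```

Counting distinct agent IDs per finding, rather than rows, matters because a single host can report the same CVE through several rules package entries; the per-host table keeps the severity breakdown so an executive summary can be built from it without a second pass over the export.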

AWS already provides many features and tools centered around various aspects of securely managing AWS instances and services, like AWS Config, EC2 Systems Manager, CloudWatch, CloudTrail, Trusted Advisor etc.

I think AWS should consider improving the reporting functionality (executive summary, detailed summary, host IPs/names, top 10 machines with vulnerabilities, options to export the report to PDF, xls, ods etc.) if AWS Inspector is to provide meaningful and impactful input to the people using it. It has good potential to eat into the markets currently controlled by the likes of Nessus, Nexpose and Qualys.

#aws #awsinspector #vulnerabilityassessment #infosec #security

SEBI & MCA are causing a massive Personally Identifiable Information Leak

NOTE: I had published this article first here on Medium

I think when it comes to Privacy for Indian Citizens, the old adage “choosing between the Devil and the Deep Blue Sea” seems to hold true.

On one hand our Government is stripping privacy of citizens part by part by linking Biometrics with everything ranging from Airport to Stadium entry.

On the other hand, we have to deal with the sheer incompetence shown by the same Government agencies that are supposed to keep the above data secure, but are instead leaking it left, right and centre!

Here is what happened: SEBI and MCA, in their eagerness to solve the fraud surrounding unclaimed/unpaid dividends relating to stocks and mutual funds, mandated that investor details be put on the websites of all listed companies and mutual fund houses.

There are about 5800 publicly traded companies on the BSE, and almost every one of them has put a spreadsheet or PDF document containing the following data where it is accessible to the public without any authentication or checks of any sort:

  • Name of the investor
  • Address
  • Name of mutual funds
  • Amount
  • Demat numbers
  • Folio numbers

Full name and address together constitute Personally Identifiable Information (PII). Some companies have also listed Demat account numbers in addition to this PII. As these include financial information, it could be further classified as Sensitive PII. If you have ever traded stocks or invested in mutual funds but have not received the dividends, chances are your PII may be on a website for everyone on the internet to see. Caveat: the above data is for those investors whose bank details are not updated with the fund houses/publicly traded companies, so the money cannot be transferred to them.

In my estimate, there are more than a million records of PII out there in public.

One of the files I downloaded had about 25,000 entries. Yes, Personally Identifiable Information (PII) of 25,000 investors spread across not just India but different parts of the globe. This file was for just 2015–16; all the publicly listed companies host this data going back to 2009! Another file from a different publicly traded company was an 1,100-page PDF with rows of addresses, folio numbers and Demat account numbers alongside names!! Here are some samples:

http://www.sonata-software.com/sites/default/files/Details%20of%20Unpaid%20Interim%20Dividend%202016-17.pdf

https://www.nmdc.co.in/Docs/Investors/Dividends/NMD_DIV23.pdf

http://3i-infotech.com/content/investors-2/details-of-unclaimedunpaid-dividend-with-the-company/

Background: The first of the notifications was made by the Ministry of Corporate Affairs (MCA) in the Gazette of India, G.S.R. 352(E) dated May 10, 2012, notifying the “Investor Education and Protection Fund (Uploading of information regarding unpaid and unclaimed amounts lying with Companies) Rules, 2012”. As per this rule, companies have to identify and upload details of unclaimed dividends on their website.

SEBI notified a similar one in 2016 via SEBI/HO/IMD/DF3/CIR/P/2016/84, which makes it mandatory for all publicly traded companies / mutual fund houses to publish the following details on their website:

“AMFI shall also provide on its website, the consolidated list of investors across Mutual Fund industry, in whose folios there are unclaimed amounts. The information provided herein shall contain name of investor, address of investor and name of Mutual Fund/s with whom unclaimed amount lies.”

I sent out emails to many of these publicly traded companies. Except for one, nobody bothered to respond. Even when they did respond, they mentioned that they are complying with the MCA diktat.

But the most callous response was from CERT-In. CERT-In manages the Cyber Swachhta Kendra, which our minister launched with much fanfare and a media blitz. Their response is above, and you can form your own opinion on how secure India’s infrastructure is going to be.

Probable Mitigation:

Instead of publicly listing the addresses, Demat IDs etc. of people, these companies could send notifications directly to the investors. While researching this topic I came to realise that there have been cases of intermediaries transferring the unclaimed/unpaid dividends to themselves, and it is scary to say the least. The sophistication and the amount of fraud are of unthinkable proportions. Some of the fund management companies transferred the amount to their friends and relatives, while others showed it in their P&L results!!

The public disclosure of addresses without the consent of the end users is a violation of their privacy.

Every individual, from top-ranked bureaucrat to minister, needs to learn a lesson or two on privacy. What is appalling is that none of the 5800-odd listed companies seem to have opposed this stupid directive. Every one of them has complied by putting the PII of its investors out there in public. I don’t know how their overseas clients are going to judge them on this.

#dividendleak #privacy #india #unclaimeddividends #millionrecords