The US Department of Homeland Security (DHS) has announced that its Cyber Safety Review Board (CSRB) will conduct a review on the cloud security practices following the recent hack of Microsoft Exchange Online by Chinese hackers. The hack, which was reported in July 2023, compromised the email accounts of several US government officials and other organizations.
What is the CSRB and what is its mission?
The CSRB is a public-private initiative that was established by President Joe Biden in 2021 through an executive order. Its purpose is to investigate significant cybersecurity incidents and issue recommendations to prevent future attacks. The board consists of 15 members from the government and the private sector, who have expertise in cybersecurity, technology, law, and national security.
The CSRB has already conducted two reviews on the Log4j vulnerabilities discovered in 2021 and the activities of Lapsus$, a global extortion-focused hacker group. The board released its second report on August 10, 2023, outlining 10 actionable recommendations for how government, companies, and civil society can better protect against Lapsus$ and similar groups.
What is the scope of the CSRB’s review on cloud security?
The CSRB’s third review will focus on the malicious targeting of cloud computing environments, which are increasingly used by organizations of all kinds to deliver services to the public. The review will examine the approaches that government, industry, and cloud service providers (CSPs) should employ to strengthen identity management and authentication in the cloud.
The CSRB will also assess the recent Microsoft Exchange Online intrusion, which allowed Chinese hackers to access the email accounts of US Commerce Secretary Gina Raimondo, several officials at the US State Department, and other entities not yet publicly named. The hackers exploited a flaw in Microsoft’s cloud-based identity and authentication infrastructure, which Microsoft has since patched. The hackers also stole a key that enabled them to forge authentication tokens and access the email accounts as if they were the owners.
The DHS said that it began considering whether this incident would be an appropriate subject of the board’s next review immediately upon learning of it in July. The board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves. Once concluded, the report will be transmitted to President Biden through Secretary of Homeland Security Alejandro Mayorkas and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.
Why is cloud security important and what are the challenges?
Cloud security is the backbone of some of the most critical systems, from e-commerce platforms to communication tools to critical infrastructure. Cloud computing offers many benefits such as scalability, efficiency, cost-effectiveness, and innovation. However, it also poses many challenges such as data protection, privacy, compliance, governance, and resilience.
Cloud security requires a shared responsibility model between CSPs and their customers. CSPs are responsible for securing the cloud infrastructure and services they provide, while customers are responsible for securing their data and applications they use on the cloud. However, there may be gaps or misunderstandings in this model, leading to vulnerabilities or misconfigurations that can be exploited by malicious actors.
Cloud security also requires a holistic approach that covers not only technical aspects but also human and organizational factors. For example, cloud security depends on strong identity management and authentication mechanisms that ensure only authorized users can access cloud resources. However, these mechanisms can be compromised by phishing attacks, credential theft, or insider threats. Therefore, cloud security requires continuous monitoring, auditing, training, and awareness.
How did the US government and Microsoft respond to the hack?
The US government and Microsoft have taken several steps to respond to the hack and mitigate its impact. The State Department detected the breach in June 2023 and notified Microsoft. Microsoft then notified its affected customers and issued a patch to fix the flaw. Microsoft also said it would provide free access to logs for all its cloud customers from September 2023.
The US government also launched an investigation into the hack and its implications for national security. The FBI issued an alert warning about the threat actors behind the hack and their tactics. The CISA issued guidance for federal agencies and private sector organizations on how to detect and respond to the hack. The DHS activated its Cybersecurity Emergency Response Team (CERT) to assist affected entities.
The US government also condemned China for its role in the hack and other malicious cyber activities. The White House issued a statement accusing China of using “contract hackers” to conduct cyber operations around the world for its own benefit. The US also joined its allies in imposing sanctions on Chinese officials and entities involved in cyberattacks.
What are some best practices for cloud security?
While the CSRB’s review is expected to provide more specific recommendations for cloud security, there are some general best practices that organizations can follow to enhance their cloud security posture. Some of these best practices are:
- Conduct a risk assessment before moving data or applications to the cloud. Identify what data or applications are sensitive or critical, what are the regulatory or compliance requirements, what are the potential threats and vulnerabilities, and what are the mitigation strategies.
- Choose a reputable and trustworthy CSP that meets your security and business needs. Review the CSP’s security policies, procedures, certifications, and service level agreements. Understand the CSP’s shared responsibility model and what security controls they provide and what you need to implement.
- Implement strong identity and access management (IAM) policies and tools. Use multi-factor authentication, password management, role-based access control, and identity federation. Monitor and audit user activities and access rights. Educate users on how to avoid phishing and other social engineering attacks.
- Encrypt data at rest and in transit. Use encryption keys that you control and store them securely. Use secure protocols such as HTTPS, SSL, or TLS for data transmission. Use data loss prevention (DLP) tools to prevent unauthorized data leakage or exposure.
- Backup and restore data regularly. Have a backup strategy that covers what data to backup, how often to backup, where to store backups, and how to restore backups. Test your backup and restore processes periodically. Have a disaster recovery plan that outlines how to resume operations in case of a major incident.
- Monitor and update your cloud environment continuously. Use security tools such as firewalls, antivirus, intrusion detection and prevention systems, vulnerability scanners, and log analyzers. Patch your cloud applications and systems regularly. Respond to security alerts and incidents promptly.
