Rackspace Cybersecurity Challenge I
Introduction
For this challenge, in my role as a Client Cyber Security Engineer at Rackspace, I was tasked with assisting Cymbal Bank in identifying and remediating security threats within their cloud infrastructure. This involved collaborating closely with my team to ensure that all security measures were effectively implemented. Below, I outline the structured approach I took to address the critical findings, including strategically placed screenshots to clarify the process and results.
Screenshot 1: The Google Security Command Center dashboard.
Challenge Overview
Misconfigured storage bucket: Sensitive customer documents were at risk of unauthorized access due to a misconfiguration.
Anomalous Activity Detection: Chronicle SIEM flagged an external email access issue where an external email account (cymbal.analyst.demo@gmail.com) was granted excessive privileges.
Step 1: Check for Threats and Review Security Compliance Status
First, I accessed the Threats dashboard within the Security Command Center (SCC). This dashboard is vital for monitoring potential security issues and compliance status.
I opened the SCC dashboard and selected the Threats section. I then ran a real-time scan to detect any ongoing threats. Next, I checked the security compliance status against the ISO/IEC 27001:2013 standards to ensure all necessary measures were in place.
Step 2: Remediate a Vulnerable Cloud Storage Bucket Finding
Next, I addressed the misconfiguration of a Cloud Storage bucket containing sensitive customer documents.
Remove Public Access
I accessed the Cloud Storage settings and removed public access to the bucket as it posed a significant security risk.
Switch to Uniform Access Control
I changed the access control to uniform and applied this as a policy constraint to limit interaction to authorized users only.
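The following is an added example (not part of the original write-up or the lab) showing the two checks behind Step 2 on the bucket IAM policy JSON that `gsutil iam get gs://BUCKET` returns: finding bindings that grant access to the public principals `allUsers` or `allAuthenticatedUsers`, stripping them without disturbing legitimate members, and producing the metadata patch and organization policy that switch the bucket to uniform bucket-level access. The bucket policy, project id and member names are constructed for illustration; nothing here talks to Google Cloud.

```python
"""Detect and remove public access from a Cloud Storage bucket IAM policy.

Added example, not code from the original write-up. Works on the JSON shape
that `gsutil iam get` emits (a dict with "bindings", each holding "role" and
"members"); applying the hardened policy to a real bucket would be
`gsutil iam set policy.json gs://BUCKET`, which is intentionally not done here.
"""
import copy
import json

# Principals that make a binding world-readable.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: a public objectViewer grant mixed in with legitimate
# bindings, which is what a misconfigured bucket policy typically looks like.
# Project id and member addresses are assumed values.
SAMPLE_BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:cymbal-demo-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "user:analyst.internal@cymbalbank.example"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "CAE=",
    "version": 1,
}


def find_public_bindings(policy):
    """Return (role, member) pairs that grant access to a public principal."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits


def remove_public_access(policy):
    """Return a copy of the policy with every public principal removed.

    Bindings left with no members are dropped, because a binding with an
    empty member list is rejected when the policy is set. Non-public members
    keep exactly the access they had.
    """
    hardened = copy.deepcopy(policy)
    kept = []
    for binding in hardened.get("bindings", []):
        binding["members"] = [m for m in binding["members"]
                              if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    hardened["bindings"] = kept
    return hardened


def uniform_access_patch():
    """Bucket metadata patch that enables uniform bucket-level access.

    This is the "iamConfiguration" field of the Cloud Storage JSON API bucket
    resource; enabling it disables per-object ACLs so IAM is the only
    access-control path (the 'uniform' setting from Step 2).
    """
    return {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}}


def uniform_access_constraint():
    """Organization policy enforcing uniform bucket-level access on new buckets.

    Shape accepted by `gcloud resource-manager org-policies set-policy`; this
    is the policy-constraint half of Step 2, so the fix cannot regress.
    """
    return {
        "constraint": "constraints/storage.uniformBucketLevelAccess",
        "booleanPolicy": {"enforced": True},
    }


if __name__ == "__main__":
    print("public bindings:", find_public_bindings(SAMPLE_BUCKET_POLICY))
    print(json.dumps(remove_public_access(SAMPLE_BUCKET_POLICY), indent=2))
    print(json.dumps(uniform_access_patch()))
    print(json.dumps(uniform_access_constraint()))
```

Running `find_public_bindings` again on the hardened policy returning an empty list is the verification step; the original policy object is left untouched so the before and after can be diffed or kept as evidence.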
Step 3: Create a Custom Role to Address the IAM Anomalous Grant Threat
In response to the IAM anomalous grant identified earlier, I created a custom IAM role to provide the necessary permissions for the data analyst contractor.
Create Custom Role
I defined the role titled "Cymbal Analyst-Read Only" with a description that clarified its purpose.
Step 4: Revoke Existing Permissions and Assign the Custom Role
To further secure the environment, I revoked any excessive permissions from the data analyst's account.
Revoke Permissions
I assigned specific permissions to the role, focusing on read-only access. I then accessed the IAM settings and removed the Editor role assigned to the external user.
Assign the Custom Role
I then assigned the newly created "Cymbal Analyst-Read Only" role to ensure that the analyst had the appropriate access without excessive privileges.
Step 5: Analyze the Changes to the IAM Roles Policy
Finally, I used the Google Cloud Policy Analyzer to confirm that the IAM role changes were effective.
The query shown below reviews the current permissions of the external data analyst's account. It confirms that the external email account previously associated with the excessive privileges has been remediated and now holds the custom role defined earlier, which limits its access.
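As an added example that is not part of the original write-up, the block below models Steps 3 to 5 together on the project IAM policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns: a custom role definition in the file format `gcloud iam roles create --file` accepts, a check that the role really is read-only, the swap of the Editor binding for the custom role on the external account, and a binding lookup that answers the same question as the Policy Analyzer query in Step 5. The project id, custom role id, permission list and sample policy are assumed; the external address `cymbal.analyst.demo@gmail.com` is the one named in the finding above.

```python
"""Replace an over-privileged IAM grant with a custom read-only role.

Added example, not code from the original write-up. Applying the result for
real would be `gcloud iam roles create` followed by
`gcloud projects set-iam-policy`; this block only transforms and checks JSON.
"""
import copy
import re

PROJECT_ID = "cymbal-demo-project"                    # assumed
CUSTOM_ROLE_ID = "cymbalAnalystReadOnly"               # assumed role id
CUSTOM_ROLE_NAME = f"projects/{PROJECT_ID}/roles/{CUSTOM_ROLE_ID}"
EXTERNAL_MEMBER = "user:cymbal.analyst.demo@gmail.com"  # account from the finding

# Role definition in the shape accepted by `gcloud iam roles create --file`.
# The permission list is an assumption: enough to read data, nothing to change it.
CUSTOM_ROLE = {
    "title": "Cymbal Analyst-Read Only",
    "description": "Read-only data access for the external analyst contractor",
    "stage": "GA",
    "includedPermissions": [
        "storage.buckets.get",
        "storage.objects.get",
        "storage.objects.list",
        "bigquery.datasets.get",
        "bigquery.tables.get",
        "bigquery.tables.getData",
    ],
}

# Constructed project policy: the anomalous grant is the Editor binding on the
# external Gmail account, alongside legitimate principals that must survive.
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@cymbalbank.example"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:app@cymbal-demo-project.iam.gserviceaccount.com",
                     EXTERNAL_MEMBER]},
    ],
    "etag": "BwXYZ=",
    "version": 1,
}

# Permission verbs that imply write or policy-changing capability.
WRITE_VERB = re.compile(r"\.(create|delete|update|patch|setIamPolicy)$")


def non_read_only_permissions(role):
    """Return permissions in a custom role definition that are not read-only."""
    return [p for p in role["includedPermissions"] if WRITE_VERB.search(p)]


def roles_for_member(policy, member):
    """Roles bound directly to a member: the Step 5 Policy Analyzer question."""
    return [b["role"] for b in policy["bindings"] if member in b["members"]]


def replace_grant(policy, member, revoke_role, grant_role):
    """Copy the policy, removing `member` from `revoke_role` and adding it to `grant_role`.

    Other members of the revoked role are untouched; an emptied binding is
    dropped; the grant binding is created if it does not exist yet. The
    function is idempotent, so re-running it on a remediated policy is a no-op.
    """
    updated = copy.deepcopy(policy)
    bindings = []
    for b in updated["bindings"]:
        if b["role"] == revoke_role:
            b["members"] = [m for m in b["members"] if m != member]
        if b["members"]:
            bindings.append(b)
    target = next((b for b in bindings if b["role"] == grant_role), None)
    if target is None:
        target = {"role": grant_role, "members": []}
        bindings.append(target)
    if member not in target["members"]:
        target["members"].append(member)
    updated["bindings"] = bindings
    return updated


def remediate(policy):
    """Steps 4 and 5 in one call: revoke Editor, grant the custom role."""
    return replace_grant(policy, EXTERNAL_MEMBER, "roles/editor", CUSTOM_ROLE_NAME)


if __name__ == "__main__":
    assert not non_read_only_permissions(CUSTOM_ROLE), "role grants write access"
    print("before:", roles_for_member(SAMPLE_PROJECT_POLICY, EXTERNAL_MEMBER))
    fixed = remediate(SAMPLE_PROJECT_POLICY)
    print("after: ", roles_for_member(fixed, EXTERNAL_MEMBER))
```

The `etag` is deliberately carried through unchanged: `gcloud projects set-iam-policy` uses it for optimistic concurrency, so a policy edited from a stale read is rejected rather than silently overwriting a grant someone else made in between.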
Conclusion
In this lab, I demonstrated proficiency in applying ISO/IEC 27001:2013 standards and best practices to a real-world cloud security scenario. I successfully detected an IAM anomalous grant threat reported by Google Cloud SCC's Event Threat Detection service, implemented corrective measures for a Cloud Storage bucket misconfiguration, and verified the effectiveness of my solutions. These skills are crucial for any organization aiming to reduce cybersecurity risk and align with industry-leading security practices.
By following a structured approach and utilizing the appropriate tools, I was able to effectively mitigate potential threats, ensuring the security and integrity of Cymbal Bank's sensitive data.