Understanding and Preparing for Container security threats

Threat landscape

The rapid growth of vulnerabilities in cloud containers can be a significant security risk for organizations worldwide. Cloud containers initially gained adoption because they are lightweight and facilitates the deployment of an application as a collection of microservices. Its speed and simplicity successfully led to the replacement of traditional VMs in many cloud computing deployments. However, experts suggest that such ease of deployment and basic misconfiguration practices can also lead to frequent security lapses in modern containers.

For example, known vulnerabilities from old container images may quickly get replicated and deployed throughout a public, private, or hybrid cloud infrastructure during deployment.

According to a study by Skybox Security, vulnerabilities in container software have increased by 46% in the first half of 2019 as compared to the same period in 2018, and by 240% compared to the two years ago figures.

Attacks and other critical findings

The adoption of cloud computing has skyrocketed in the past few years among DevOps users due to its ease to deliver code fast to virtual environments. The wide user-base has managed to pull the attention of cybercriminals. Some of the recent hack incidents for containers are as follows:

• Docker Hub confirmed a hack in April that exposed sensitive data from approximately 190,000 accounts.
• Also, in January this year, researchers could hack the Docker test platform ‘Play-with-Docker’ which provided them with access to data and ability to manipulate any test Docker containers running on the host system.
• Last year, 17 malicious docker images were found available on Docker Hub that allowed hackers to earn $90,000 in cryptojacking profits.

In June this year, Palo Alto Networks’ Unit 42 threat intelligence research team identified more than 40,000 unique container hosting devices with default container configurations. Further research by Unit 42 revealed sites exposing database instances and exposing personal information to the public.

Docker security best practices

It's vital that security operation teams implement management tools to automate the security of containers and networks, or they may face massive security breaches in record time. Below are some

• Docker host protection: If an attacker could compromise the host, all your containers are at risk. Along with securing the containers, the host machines also require some level of security; use secure, up to date OS and kernel versions.
• Use only trusted Docker images: not all Docker images are created equal, and a malicious user could create an image that includes backdoors and malware to compromise your network.
• Avoid running Docker containers using –privileged: The –privileged flag gives full capabilities to containers, including access to kernel capabilities that could be dangerous.
• Save data in Docker Volumes: This enhances data security and ensures data persists even if the container is removed. Docker volumes enable secure data sharing between containers. Also, contents in volumes can be encrypted for secure storage at 3rd party locations.
• Establish basic authentication requirements for Docker and Kubernetes containers.

Other valuable recommendations include avoiding misconfigurations such as using default container names and leaving default service ports exposed to the public, and limiting the system resources consumed by containers; it will limit the impact if a web server is compromised.