Stephane Larue

Tips on Container Security

 

This week I had a long discussion on container security with one of our clients. I decided to put some of the base ideas in the post below. I hope this set of security tips helps readers improve container and golden image security.

 

Tip 1 – Select wisely your Base Image

  • Use Minimal Base Images: Start with a minimal base image to reduce the attack surface. Avoid base images downloaded directly from untrusted vendors.

  • Trusted Sources: Always use base images from trusted sources and verify their integrity. Build a process to vet your image providers.

Tip 2 – Use hardening baseline and security standard Benchmarks

  • Hardening of golden image: Follow the Center for Internet Security (CIS) Benchmarks as a hardening guideline, or create your own standard hardening baseline. These baselines provide detailed recommendations for securing container images. Some vulnerability management tools on the market can scan golden images against a specific hardening baseline. Look for those on the market or contact us for more information on possible tools.

  • Compliance Standards: Ensure compliance with relevant standards such as PCI DSS, NIST, and DISA STIG when possible.

Tip 3 – Clean and Manage your image

  • Remove Unnecessary Packages: Only include necessary packages and dependencies to minimize vulnerabilities.

  • Regular Updates: Keep all packages and dependencies up to date with the latest security patches in your image.

  • Immutable containers: Ensure all your containers are immutable and use a regular release process when you rebuild containers.

Tip 4 – Do not forget to tune permissions

  • Non-Root User: Avoid running containers with root user or privileged users. Create and use a non-root user with limited permissions.

  • File Permissions: Set appropriate file permissions to restrict access to sensitive files.

Tip 5 – Look at Network Security

  • Limit Network Exposure: Configure network settings to limit exposure. Use network policies to control traffic between containers.

  • Disable Unused Ports: Close any unnecessary ports to reduce potential entry points for attackers.

  • Isolation: Use container isolation features like namespaces and cgroups to limit the impact of a compromised container. Also make sure the container management infrastructure itself is correctly isolated.

 

Tip 6 – Monitor your container infra

  • Enable Logging: Ensure that logging is enabled for monitoring container activities. If you have a SOC or security provider supporting you, ensure specific use cases related to containers are available. If not, create these use cases with your security experts.

  • Centralized Monitoring: Use centralized monitoring tools to collect and analyze logs for suspicious activities.

  • Security Policies: Implement runtime security policies to detect and prevent malicious activities.

Tip 7 - Ensure Vulnerability Scanning of your images

  • Regular Scans: Perform regular vulnerability scans using tools like Trivy or Clair to identify and remediate vulnerabilities. Also scan your images against your hardening baseline.

  • Automated Scanning: Integrate automated scanning into your CI/CD pipeline to catch vulnerabilities early.

Tip 8 - Manage the Configuration of your containers

  • Immutable Infrastructure: Treat your container images as immutable. Avoid making changes to running containers; instead, rebuild and redeploy.

  • Configuration Files: Secure configuration files and avoid hardcoding sensitive information.
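As an added example (not code from the original post), the following PowerShell script audits a Dockerfile against Tips 1, 4 and 8: it flags a base image that is not pinned to a tag or digest (or uses :latest), a missing or root USER directive, and ENV/ARG names that look like secrets. The two Dockerfiles, the placeholder digest and the variable names are constructed for illustration; on a real build you would feed it `Get-Content -Raw ./Dockerfile`.

```powershell
# Added example: lightweight Dockerfile audit for Tips 1, 4 and 8.
# Both Dockerfiles below are constructed samples, not a real project.
$weakDockerfile = @'
FROM node:latest
ENV DB_PASSWORD=SuperSecret123
COPY . /app
RUN npm install
EXPOSE 3000
CMD ["node", "/app/server.js"]
'@

# The sha256 digest is a placeholder; pin to the real digest of the vetted image.
$hardenedDockerfile = @'
FROM node:20.11-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN addgroup -S app && adduser -S -G app app
WORKDIR /app
COPY --chown=app:app package*.json ./
RUN npm ci --omit=dev
COPY --chown=app:app . .
USER app
EXPOSE 3000
CMD ["node", "server.js"]
'@

function Test-Dockerfile {
    param([Parameter(Mandatory)][string]$Content)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Drop blank lines and comments before inspecting directives
    $lines = $Content -split "`r?`n" | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
    $lastUser = $null
    foreach ($line in $lines) {
        # Tip 1: an unpinned or :latest base image cannot be vetted or rebuilt reproducibly
        if ($line -match '^\s*FROM\s+(\S+)') {
            $image = $Matches[1]
            if ($image -match ':latest$' -or $image -notmatch '[:@]') {
                $findings.Add("Tip 1: base image '$image' is not pinned to a tag or digest")
            }
        }
        # Tip 4: the last USER directive decides the identity the container starts with
        if ($line -match '^\s*USER\s+(\S+)') { $lastUser = $Matches[1] }
        # Tip 8: secrets set via ENV/ARG are stored in the image layers and history
        if ($line -match '^\s*(ENV|ARG)\s+\S*(PASSWORD|SECRET|TOKEN|API_KEY)') {
            $findings.Add("Tip 8: possible hardcoded secret in '$($line.Trim())'")
        }
    }
    if (-not $lastUser -or $lastUser -in @('root', '0')) {
        $findings.Add('Tip 4: no non-root USER directive; the container will run as root')
    }
    return $findings
}

Write-Host '--- weak Dockerfile ---'
@(Test-Dockerfile -Content $weakDockerfile) | ForEach-Object { Write-Host $_ }

Write-Host '--- hardened Dockerfile ---'
$hardened = @(Test-Dockerfile -Content $hardenedDockerfile)
if ($hardened.Count -eq 0) { Write-Host 'no findings' } else { $hardened | ForEach-Object { Write-Host $_ } }
```

The weak sample produces three findings (unpinned base image, hardcoded DB_PASSWORD, no USER), the hardened one none. A check like this belongs in the CI step of Tip 7 next to the vulnerability scanner, so an image that violates the baseline never reaches the registry.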

 

Further reading:

CIS Hardening: CIS Hardened Images 

Build CIS hardened golden images: Building CIS Hardened Golden Images

Stephane Larue

How to Fix the Microsoft CVE-2013-3900 Vulnerability

In December 2024, a critical vulnerability known as CVE-2013-3900 was identified in Microsoft systems. This vulnerability affects the WinVerifyTrust function, which is responsible for signature validation. To mitigate this issue, you need to modify the Windows registry to enable certificate padding checks. Below is a step-by-step guide to help you resolve this vulnerability.

Step-by-Step Procedure

1. Open Registry Editor

To begin, you need to access the Registry Editor:

  • Press Win + R, type regedit, and press Enter.

2. Navigate to the Appropriate Path

Depending on your system architecture, navigate to one of the following paths:

  • For 64-bit systems: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config

  • For 32-bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config

3. Create the Necessary Keys

If the Config key does not exist, you need to create it:

  • Right-click on Wintrust (or Wow6432Node\Wintrust for 32-bit systems) and select New > Key.

  • Name the new key Config.

4. Add the Registry Value

Next, add the required registry value:

  • Right-click on the Config key, select New > DWORD (32-bit) Value, and name it EnableCertPaddingCheck.

  • Set the value of EnableCertPaddingCheck to 1.

5. Restart Your Computer

To ensure the changes take effect, restart your computer.

Automating the Process with a .reg File

Alternatively, you can automate this process by creating a .reg file:

  1. Create a new text file and paste the following content:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
    "EnableCertPaddingCheck"=dword:00000001
    
  2. Save the file with a .reg extension (e.g., EnableCertPaddingCheck.reg).

  3. Double-click the .reg file and confirm the prompts to add the entries to the registry.

  4. Restart your computer.
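As an added example (not part of the original article), the same change can be applied and verified from an elevated PowerShell session, which is easier to roll out across many machines than a .reg file. The script uses only the two registry paths given in the article; the Wow6432Node path is the registry view seen by 32-bit processes on a 64-bit Windows installation and does not exist on a 32-bit OS, so it is only written there. The function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: applies the
# EnableCertPaddingCheck mitigation for CVE-2013-3900 and verifies the result.
# Run from an elevated PowerShell session; a reboot is still required afterwards.

$paths = @('HKLM:\Software\Microsoft\Cryptography\Wintrust\Config')
# Wow6432Node holds the 32-bit view on a 64-bit OS; it is absent on 32-bit Windows.
if ([Environment]::Is64BitOperatingSystem) {
    $paths += 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Set-CertPaddingCheck {
    param([Parameter(Mandatory)][string]$Path)
    # -Force creates the Config key (and any missing parent keys) when absent
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force overwrites an existing value, so the script is safe to re-run
    New-ItemProperty -Path $Path -Name 'EnableCertPaddingCheck' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-CertPaddingCheck {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $true only when the key exists and the DWORD is exactly 1
    if (-not (Test-Path -Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name 'EnableCertPaddingCheck' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.EnableCertPaddingCheck -eq 1)
}

foreach ($p in $paths) {
    Set-CertPaddingCheck -Path $p
    $state = if (Test-CertPaddingCheck -Path $p) { 'OK' } else { 'NOT SET' }
    Write-Host ("{0,-8} {1}" -f $state, $p)
}
Write-Host 'Restart the computer for WinVerifyTrust to pick up the change.'
```

Test-CertPaddingCheck can also be run on its own, without Set-CertPaddingCheck, to audit whether a machine already has the mitigation in place before you decide to push it through GPO.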

Conclusion

By following these steps, you can effectively mitigate the CVE-2013-3900 vulnerability in your Microsoft system. Ensuring your system is protected against such vulnerabilities is crucial for maintaining security and integrity.

For more detailed information, you can refer to the following resources:

  • CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability

  • Resolving Microsoft WinTrust Verify Vulnerability Through GPO

  • CVE-2013-3900: Authenticode Signature Verification - Certificate Padding

Stephane Larue

4 Security Ideas for 2025

Find below four ideas to improve your IT security in 2025.

Move to Zero Trust Architecture:

Zero trust eliminates the assumption of trust within a network. Every access request is verified, regardless of its origin. This model uses principles like least privilege and micro-segmentation to enhance security. Continuous monitoring and validation of user identities and devices are key. Implementing zero trust can significantly reduce the attack surface. Zero trust also involves strong authentication methods, such as multi-factor authentication (MFA), and the use of advanced analytics to detect and respond to threats in real-time. This approach ensures that even if an attacker gains access to one part of the network, they cannot move laterally to other parts.

Extend your antimalware solution with advanced detection and response (XDR):

XDR integrates multiple security tools into a unified system. It provides comprehensive threat detection across endpoints, networks, and cloud environments. By correlating data from various sources, XDR enhances threat visibility and response. Automated responses and advanced analytics improve incident management. XDR helps in quickly identifying and mitigating sophisticated attacks. It also offers a holistic view of the security landscape, enabling faster and more accurate threat detection and response. XDR platforms often include AI and machine learning capabilities to predict and prevent potential threats before they can cause harm.

Analyse your Identity and Access Management (IAM) maturity:

IAM ensures that only authorized users have access to critical systems and data. It involves implementing strong authentication methods like multi-factor authentication (MFA). Role-based access control (RBAC) helps in managing permissions effectively. Regular reviews and updates of access rights are necessary. IAM reduces the risk of unauthorized access and data breaches. Additionally, IAM systems can integrate with other security tools to provide a comprehensive security solution. They also support compliance with regulatory requirements by ensuring that access controls are properly managed and documented.

Offer Security Awareness Training to your workforce:

Continuous training programs educate employees about cyber threats. They help in recognizing phishing attempts, social engineering, and other common attacks. Interactive and engaging training sessions improve retention and effectiveness. Regular updates keep employees informed about the latest threats. A security-conscious culture is essential for overall organizational security. Effective training programs often include simulated phishing attacks and other practical exercises to reinforce learning. They also provide metrics to track progress and identify areas for improvement.

Check our managed service offering for XDR and Zero Trust and do not hesitate to contact us for a view on our IAM Maturity Assessment offering and our Security Awareness training offering.

info@srity.be

Stephane Larue

New CISA guideline on personal VPN

The US Cybersecurity & Infrastructure Security Agency (CISA) recently issued advice to "highly targeted" individuals, such as senior officials, to avoid using personal VPNs following the "Salt Typhoon" hacks by Chinese state-sponsored attackers. They recommend assuming all mobile communications are at risk of interception and suggest using end-to-end encrypted messaging apps like Signal. Upgrading multi-factor authentication (MFA) to phishing-resistant methods, such as hardware security keys, is advised, along with avoiding text-message MFA and securing wireless accounts with a secondary PIN. CISA highlights the questionable security and privacy policies of many VPN providers and endorses using password managers, promptly installing software updates, and opting for newer smartphones with advanced security features. They explain that personal VPNs shift risk from ISPs to potentially insecure VPN providers, urging the adoption of more secure practices and tools to protect sensitive information.

At Srity we complement this advice by proposing a migration from traditional VPN to Zero Trust Network Access solutions.

Do not hesitate to contact us for details about replacing your traditional VPN with a Zero Trust solution.

https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf
