Meanwhile in Security

Jesse Trucks

Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans. read less

Our Editor's Take

The importance of cloud security has grown as the world becomes more dependent on technology and cloud-based services. The Meanwhile in Security podcast brings listeners the latest news in the field.

Like the tech it complements, cloud security is evolving all the time. There is never a shortage of industry updates. And such developments are pertinent to both businesses and consumers. Cloud security impacts everyone who owns a mobile phone or a computer, whether they realize it or not. So most folks have something meaningful to gain by tuning in to this show.

Indeed, Meanwhile in Security makes complex cloud-centric conversation and makes it relatable. Its audience can expect pro tips on how to craft the right cybersecurity strategy. They can also listen to wisdom from experts that ranges from basic to advanced. It's both a crash course for beginners and a chance to review for those with experience. The show takes care to retain its broad appeal by using applications anyone can follow.

Episodes of Meanwhile in Security clock in at under 15 minutes, so it's an easy listen to fit into a busy schedule. No matter one's lifestyle or occupation, there's a lot to learn about modern-day technology from this podcast. The vast majority of the information is easy to apply to daily life. And yet businesses can still learn plenty to strengthen their data security systems.

With proper cloud security, everyone wins. Meanwhile in Security aims to deliver such a victory to its entire listenership.

read less
TechnologyTechnology
NewsNews
Tech NewsTech News

Episodes

Standing in the Rain Isn't Diving in the Sea
Sep 2 2021
Standing in the Rain Isn't Diving in the Sea
Links:Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases: https://www.darkreading.com/cloud/microsoft-azure-cloud-vulnerability-exposed-thousands-of-databasesGoogle, Amazon, Microsoft Share New Security Efforts After White House Summit: https://www.darkreading.com/operations/google-amazon-microsoft-share-new-security-efforts-post-white-house-summitNew Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations: https://www.darkreading.com/cloud/new-data-driven-study-reveals-40-of-saas-data-access-is-unmanaged-creating-significant-insider-and-external-threats-to-global-organizationsResearchers Share Common Tactics of ShinyHunters Threat Group: https://www.darkreading.com/attacks-breaches/researchers-share-common-tactics-of-shinyhunters-threat-groupHow to automate forensic disk collection in AWS: https://aws.amazon.com/blogs/security/Confidential computing: an AWS perspective: https://aws.amazon.com/blogs/security/New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost: https://aws.amazon.com/blogs/security/amazon-security-awareness-training-and-aws-multi-factor-authentication-tokens-to-be-made-available-at-no-cost/Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail: https://aws.amazon.com/blogs/security/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.Jesse: Disaster befell much of the middle south of the US when Ida slammed into the coast and plowed its way up north through the land. What does a hurricane have to do with security? Business continuity. Business continuity is the discipline of maintaining business operations, even in the face of disasters of any kind, such as a hurricane-driven storm surge running over the levees and flooding whole towns. If you have all your computing systems in the cloud in multiple regions, then such a disaster won’t fully halt your business operations.However, you still might have connectivity issues and possibly either temporary or permanent loss of non-cloud systems. Be sure your non-cloud systems have appropriate backups off-site to another geographically disparate location. Better yet, push backups into your cloud infrastructure and consider ways to utilize that data with your cloud systems during a crisis. Hmm, perhaps you’ll like it so much you will push everything else up to the cloud that isn’t a laptop, tablet, or phone.Meanwhile in the news, Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases. Security for cloud providers can potentially have catastrophic and large scale repercussions. Keep an eye out for any problems that come up that might affect your operations and your data. Do keep in mind your platform has a direct impact on your own risk profile.Google, Amazon, Microsoft Share New Security Efforts After White House Summit. The National Institute of Standards and Technology—or NIST—is building a technology supply chain framework with the big tech companies, including Apple, Amazon, Google, IBM, and Microsoft, and this is a big deal. I’m sure the fighting amongst those companies will make this initiative die on the vine, but I hope I’m wrong.New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations. Back to basics: secure your data; lock down those buckets; don’t be stupid. Also, when we’re talking cloud apps and services, there should be no assumption that anyone accessing the application via an obfuscated link or permissions too broad to effectively secure the data therein.Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, teleport is...
Can You Hear Me, Can You See My Screen?
Aug 26 2021
Can You Hear Me, Can You See My Screen?
Links:How to Make Your Next Third-Party Risk Conversation Less Awkward: https://www.darkreading.com/vulnerabilities-threats/how-to-make-your-next-third-party-risk-conversation-less-awkward5 Vexing Cloud Security Issues: https://www.itprotoday.com/hybrid-cloud/5-vexing-cloud-security-issuesAttackers Increasingly Target Linux in the Cloud: https://www.darkreading.com/threat-intelligence/attackers-increasingly-target-linux-in-the-cloudTop 5 Best Practices for Cloud Security: https://www.infosecurity-magazine.com/magazine-features/top-5-best-practices-for-cloud/Zix Releases 2021 Mid-Year Global Threat Report: https://www.darkreading.com/cloud/zix-releases-2021-mid-year-global-threat-reportThe big three innovations transforming cloud security: https://siliconangle.com/2021/08/21/big-three-innovations-transforming-cloud-security/The Benefits of a Cloud Security Posture Assessment: https://fedtechmagazine.com/article/2021/08/benefits-cloud-security-posture-assessmentHow to Maintain Accountability in a Hybrid Environment: https://www.darkreading.com/cloud/how-to-maintain-accountability-in-a-hybrid-environment6 Cloud Security Must-Haves–with Help from CSPM, CWPP or CNAPP: https://www.eweek.com/security/6-cloud-security-must-haves-with-help-from-cspm-cwpp-or-cnapp/The hybrid-cloud security road map: https://www.techradar.com/news/the-hybrid-cloud-security-road-mapHow Biden’s Cloud Security Executive Order Stacks Up to Industry Expectations: https://securityintelligence.com/articles/biden-executive-order-industry-expectations/Cloud Security: Adopting a Structured Approach: https://customerthink.com/cloud-security-adopting-a-structured-approach/The Overlooked Security Risks of the Cloud: https://threatpost.com/security-risks-cloud/168754/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.Jesse: It is 2021. Conference calls and remote meetings have the same decade-old problems. Connection drops, asking if anyone can hear us, asking if anyone can see our screen, even though we can clearly see the platform is in sharing mode with our window front and center. Why is this so hard? We live in the golden age of the cloud.Shouldn’t we be easily connecting and sharing like we’re in the same room rather than across the planet? Yes we should. Sure, there have been improvements, and now we can do high-quality video, connect dozens or hundreds of people from everywhere on a webinar, and usually most of us can manage a video meeting with some screen sharing. I don’t understand how we can have Amazon Chime, WebEx, Teams, Zoom, Google Meet—or whatever it’s called this month—GoToMeeting, Adobe Connect, FaceTime, and other options, and still not have a decent way for multiple people to see and hear one another and share a document, or an application, or screen without routine problems. All of these are cloud-based solutions.Why do they all suck? When I have to use some of these platforms, I dread the coming meeting. The worst I’ve seen is Amazon Chime—yes, that’s you, Amazon—Microsoft Teams—as always—and Adobe Connect. Oof. The rest are largely similar with more or less the same features and quality, except FaceTime, which is still only a personal use platform and not so great for conferences for work. I just want one of these to not suck so much.Meanwhile in the news. How to Make Your Next Third-Party Risk Conversation Less Awkward. You know that moment. Someone asks a question at the networking event. The deafening silence while you stare at the floor trying to find a way to get out of embarrassing yourself. Do your future self a favor and do some work before this happens again. You’ll feel better and you’ll have better visibility while improving your security posture.5 Vexing Cloud Security Issues. Unlike the tips and best practices list, this one is a ‘don’t be stupid’ type list. Some of these are foundational basic security steps. Watch out for the zombies.
Attacks, Tools, and Ails
Aug 19 2021
Attacks, Tools, and Ails
Links:AWS Cancels re:Inforce Security Conference in Houston Due to COVID-19: https://www.crn.com/news/cloud/aws-cancels-re-inforce-security-conference-in-houston-due-to-covid-19Cloud-native security benefits and use cases: https://searchcloudsecurity.techtarget.com/tip/cloud-native-security-benefits-and-use-casesThe state of cloud security: IaC becomes priority one: https://techbeacon.com/security/state-cloud-security-iac-becomes-priority-oneTakeaways from Gartner’s 2021 Hype Cycle for Cloud Security report: https://venturebeat.com/2021/08/12/takeaways-from-gartners-2021-hype-cycle-for-cloud-security-report/IBM upgrades its Big Iron OS for better cloud, security, and AI support: https://www.networkworld.com/article/3626486/ibm-upgrades-its-big-iron-os-for-better-cloud-security-and-ai-support.htmlSecuring cloud environments is more important than ever: https://federalnewsnetwork.com/commentary/2021/08/securing-cloud-environments-is-more-important-than-ever/The Misunderstood Security Risks of Behavior Analytics, AI & ML: https://www.darkreading.com/risk/the-misunderstood-security-risks-of-behavior-analytics-ai-mlAccenture Says it ‘Detected Irregular Activity,’ Restored Systems from Backup: https://www.darkreading.com/attacks-breaches/accenture-detected-irregular-activity-Google Releases Tool to Help Developers Enforce Security: https://www.darkreading.com/application-security/google-releases-tool-to-help-developers-enforce-securityHow to Make Your Next Third-Party Risk Conversation Less Awkward: https://www.darkreading.com/vulnerabilities-threats/how-to-make-your-next-third-party-risk-conversation-less-awkwardCost of Cyberattacks Significantly Higher for Smaller Healthcare Organizations: https://www.darkreading.com/threat-intelligence/healthcare-sees-more-attacks-with-costs-higher-for-smaller-groupsTranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.Jesse: There are many types of attacks that result in security breaches. To understand how many of them work, you need to understand how software languages function and how the hardware operations work in memory and in the CPU. However, you can learn a lot about security without having to learn those things. You can look at some of the attack vectors and gain a high-level understanding of what is happening. For example, man in the middle, or MITM, attacks are when someone inserts malicious code into the communication of two entities. That MITM service will capture communications, make a copy, then send it along like normal.A buffer overflow happens when the allocated memory space for some type of input–whether its contents of a file or dialog boxes and the like—is less than the amount of input. In simpler terms, there is a bucket available for input. The attacker pours more water into the bucket than the bucket can handle. The result is that code in memory could be overwritten and become executable. So, you can learn about security flaws without digging under the surface to see what is actually happening. However, I strongly urge anyone doing security-related things to learn more about these attack types, and the others.Meanwhile in the News. AWS Cancels re:Inforce Security Conference in Houston Due to COVID-19. The closings have begun. Dust off those creator lights, and prep that mic on your desk. In the wake of last year’s lockdowns and sudden remote working, there was a huge spike in phishing and other scams. Don’t be caught in this round.Cloud-native security benefits and use cases. If you have a multi-cloud or a hybrid SaaS and self-managed systems in cloud providers or in data centers, it’s possible you need different security tools. Don’t go all cloud-native just because you have an initiative to do so. Slow down and ensure your security meets the needs of all your technology and services, not just the new and shiny ones.The state of cloud security: IaC becomes priority one...
The Castle is Lost
Aug 12 2021
The Castle is Lost
Links:Cloud Security Basics CIOs and CTOs Should Know: https://www.informationweek.com/cloud/cloud-security-basics-cios-and-ctos-should-know/a/d-id/1341578?Spring 2021 PCI DSS report now available with nine services added in scope: https://aws.amazon.com/blogs/security/spring-2021-pci-dss-report-now-available-with-nine-services-added-in-scope/Top 5 Benefits of Cloud Infrastructure Security: https://www.kratikal.com/blog/top-5-benefits-of-cloud-infrastructure-security/The three most important AWS WAF rate-based rules: https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/Researchers Call for ‘CVE’ Approach for Cloud Vulnerabilities: https://www.darkreading.com/cloud/researchers-call-for-cve-approach-for-cloud-vulnerabilitiesManaged Private Cloud: It’s all About Simplification: https://www.computerworld.com/article/3623118/managed-private-cloud-its-all-about-simplification.html100 percent of companies experience public cloud security incidents: https://betanews.com/2021/08/04/100-percent-public-cloud-security-incidents/Why cloud security is the key to unlocking value from hybrid working: https://www.welivesecurity.com/2021/08/05/why-cloud-security-key-unlocking-value-hybrid-working/Organizations Still Struggle to Hire & Retain Infosec Employees: Report: https://www.darkreading.com/careers-and-people/organizations-still-struggle-to-hire-retain-infosec-employees-reportNSA, CISA release Kubernetes Hardening Guidance: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/HTTP/2 Implementation Errors Exposing Websites to Serious Risks: https://www.darkreading.com/application-security/http-2-implementation-errors-exposing-websites-to-serious-risksRansomware Gangs and the Name Game Distraction: https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/Using versioning in S3 buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.htmlTranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It’s an awesome approach. I’ve used something similar for years. Check them out. But wait, there’s more. They also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It’s awesome. If you don’t do something like this, you’re likely to find out that you’ve gotten breached, the hard way. Take a look at this. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That’s canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I’m a big fan of this. More from them in the coming weeks.Jesse: The general theme in security news and trends show us that perimeter defense has a whole new meaning. There is no large perimeter anymore. Nearly every device is on a public or otherwise hostile network, from servers to phones to laptops. Every device needs scanning, protecting, monitoring, and analyzing. None of these devices can be viewed in a vacuum, as separate entities without the context of behavior of systems and services accessed from across a network.This is why zero trust and cloud native applications and services go so well in these hard times. If you can’t trust anything without checking on current events, then you have to authenticate and analyze in real-time to determine if something is safe to allow. In the ancient days of yore, everything was default allow and you stopped things you knew were bad. Then along came default deny, where you allowed only those things you white listed. But that was a full-time allowance of bad things to happen when an account was compromised.Ditch the white list and just implement real-time contextual security. If you do this, does it really matter if someone gets a hostile device on your network? Nope. If you treat everything, including owned and managed assets, as hostile, some new unmanaged device or service doesn’t change your operations or exposure much if at all.Meanwhile in the news. Cloud Security Basics CIOs and CTOs Should Know. Some of the critical things non-cybersecurity execs ought to know: moving to the cloud isn’t a security easy button, cybersecurity insurance generally sucks, and moving to the cloud takes a lot more work than people think to get operationally secure.Spring 2021 PCI DSS report now available with nine services added in scope. When you do compliance and use cloud infrastructures and SaaS services, you need to prove your services support compliance requirements. This AWS report can help. Also, review the new services added to see if you can improve your service delivery and applicatio...
Security Summer Camp
Aug 5 2021
Security Summer Camp
Links:4 Factors that Should Be Part of Your Cybersecurity Strategy: https://www.csoonline.com/article/3625254/4-factors-that-should-be-part-of-your-cybersecurity-strategy.htmlSoftware Bill of Materials’—not just good for security, good for business: https://thehill.com/opinion/cybersecurity/564787-software-bill-of-materials-not-just-good-for-security-good-for-businessThird Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant: https://www.cpomagazine.com/cyber-security/third-party-security-failure-caused-1-tb-data-breach-at-saudi-aramco-hackers-play-puzzle-games-with-oil-giant/amp/Federal Tech Leaders Outline Future of FedRAMP: https://governmentciomedia.com/federal-tech-leaders-outline-future-fedramp‘Holy moly!’: Inside Texas’ fight against a ransomware hack: https://apnews.com/article/technology-government-and-politics-business-texas-hacking-47e23be2d9d90d67383c1bd6cee5aef7Firefox 90 Drops Support for FTP Protocol: https://www.securityweek.com/firefox-90-drops-support-ftp-protocolLower-Level Employees Become Top Spear-Phishing Targets: https://www.darkreading.com/attacks-breaches/lower-level-employees-become-top-spearphishing-targetsU.S. Government unlikely to ban ransomware payments: https://U.S. Government unlikely to ban ransomware paymentsThe Power of Comedy for Cybersecurity Awareness Training: https://www.darkreading.com/careers-and-people/the-power-of-comedy-for-cybersecurity-awareness-trainingInside the Famed Black Hat NOC: https://www.darkreading.com/edge-articles/inside-the-famed-black-hat-nocCloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling: https://cloudsecurityalliance.org/press-releases/2021/07/29/cloud-security-alliance-releases-guide-to-facilitate-cloud-threat-modeling/5 Benefits of Disaster Recovery in the Cloud: https://securityboulevard.com/2021/08/5-benefits-of-disaster-recovery-in-the-cloud/Black Hat USA 2021 and DEF CON 29: What to expect from the security events: https://www.techrepublic.com/article/black-hat-usa-2021-and-def-con-29-what-to-expect-from-the-security-events/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It’s an awesome approach. I’ve used something similar for years. Check them out. But wait, there’s more. They also have an enterprise option that you should be very much aware of canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It’s awesome. If you don’t do something like this, you’re likely to find out that you’ve gotten breached, the hard way. Take a look at this. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That’s canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I’m a big fan of this. More from them in the coming weeks.Jesse: As more services are delivered by cloud-native microservices with dynamic scaling, compliance management and monitoring becomes terrifyingly complex and difficult. The way around this is to implement processes and tools that can continuously monitor and manage compliance-related configurations using automated analysis and reporting of your cloud-native services. This collection of processes and tools is called Cloud Security Posture Management, or CSPM. CSPM generally involves a fair amount of automation to ensure secure practices are used and compliance requirements are continuously met. Implementing CSPM alongside DevSecOps and an organizational focus on shifting left in services development rounds out a tripod to support your cloud initiatives.Meanwhile, in the news. 4 Factors that Should Be Part of Your Cybersecurity Strategy. Our security perimeters are no longer controlled by our organizations. With so many people working remote, every device on their network has become part of the threat landscape, from connected fridges to game consoles.‘Software Bill of Materials’—not just good for security, good for business. SBOMs, as they’re called, are coming. Even if there is never a law forcing SBOMs like food ingredients labels, there could be an ever-increasing requirement for vendors to supply them. It might be a good idea to start building these, even if they’re only supplied when legally or contractually required.Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant. This case study is like slowing down to see the aftermath of a crash and trying to piece together what happened. Given the breach came from a vendor, it’s a sideways attack on Aramco. Are you sure your vendo...
All Roads Lead to Cloud
Jul 29 2021
All Roads Lead to Cloud
Links:What does it Take to Secure Containers?: https://www.darkreading.com/cloud/what-does-it-take-to-secure-containers-Critical ICS vulnerabilities can be exploited through leading cloud-management platforms: https://threatpost.com/industrial-networks-exposed-cloud-operational-tech/168024/Kaseya Obtains Universal Decryptor for REvil Ransomware: https://threatpost.com/kaseya-universal-decryptor-revil-ransomware/168070/Kubernetes Cloud Clusters Face Cyberattacks via Argo Workflows: https://threatpost.com/kubernetes-cyberattacks-argo-workflows/167997/Cloud security is like an ‘all-you-can-eat buffet’: https://statescoop.com/cloud-security-is-like-an-all-you-can-eat-buffet/Cloud security in 2021: A business guide to essential tools and best practices: https://www.zdnet.com/article/cloud-security-in-2021-a-business-guide-to-essential-tools-and-best-practices/GitHub boosts supply chain security for Go modules: https://www.zdnet.com/article/github-boosts-supply-chain-security-for-go-modules/Cloud (in)security: Avoiding common cloud misconfigurations: inhttps://www.ironnet.com/blog/cloud-insecurity-avoiding-common-cloud-misconfigurationsAkamai Edge DNS outage knocks out multiple major websites: https://siliconangle.com/2021/07/22/multiple-major-websites-taken-offline-widespread-internet-outage/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: Building new things in the cloud is often a fun and exciting process, however moving a legacy application or infrastructure is usually a difficult and stressful process. There are several ways to implement a migration of something to run in the cloud. Which cloud migration strategy you choose largely depends on timeline and available resources. Some ways to accomplish an application migration are: one, rehost, aka lift-and-shift; two, refactor; three, rebuild; and four, replace. Rehosting, or lifting and shifting, simply means replicating your current legacy infrastructure on systems in the cloud, then cutting over from production. You spin up cloud systems in something like AWS EC2, install the OS and supporting middleware, add your application and data on top, then cut to prod.Refactoring means rewriting your application to run in at least partially cloud-native services, but you can shortcut some of this by using container or middleware services, such as cloud-native databases offered from your cloud provider. Doing this means you largely use your codebase unchanged, but the underlying infrastructure is more scalable and is at least partially like a cloud-native product.Rebuilding means writing a cloud-native app to be truly cloud-native. This is much like writing a new application as cloud-native, but you have an existing codebase—and possibly compatibility issues to contend with—from which to pull.Replacing simply means implementing a SaaS tool that meets the same business requirements as the legacy application without migrating any of the old code. For example, moving to use Salesforce instead of a legacy CRM product or custom-built sales process tracking systems.You can, of course, do some of these in stages as iterative steps. To do this, you could lift-and-shift your existing systems, then slowly work out replacing individual pieces with cloud-native solutions over time. Then you eventually get to a place where you can do very little work to yank out your final EC2 or container systems. At that point, you have a fully cloud-native application. If you don’t have much, or any, cloud application experience in your organization, follow the path of stepping through these processes as you grow your organization’s cloud skill-base and experience. Your people will migrate with your applications.Meanwhile in the news. What does it Take to Secure Containers? Using containers isn’t instant security. They’re easier to lock down in terms of services and such, but it isn’t a silver bullet. The vampires are still going to storm the house if you invite them in.Critical ICS vulnerabilities can be exploited through leading cloud-management platforms. Industrial control systems, or ICS, are notoriously insecure by default and often difficult to secure at all. Modern paradigms of locking down access to these infrastructures and tunneling all access through management and monitoring platforms is great. However, that platform is now the keys to the whole kingdom, so secure your cloud management apps and dial up the monitoring.Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.Kaseya Obtains Universal Decryptor for REvil Ransomware. This is amazing that Kaseya got their hands on the bits to unlock REvil things. If you are their customer, go get this right away. This doesn’t get you off the hook, though. There are likely time bombs...
Compliance, Ransomware and Privacy, Oh My!
Jul 22 2021
Compliance, Ransomware and Privacy, Oh My!
Links:How to Bridge On-Premises and Cloud Identity: https://www.darkreading.com/vulnerabilities—threats/how-to-bridge-on-premises-and-cloud-identity-/a/d-id/1341512How AWS is helping EU customers navigate the new normal for data protection: https://aws.amazon.com/blogs/security/how-aws-is-helping-eu-customers-navigate-the-new-normal-for-data-protection/Cloud security should never be a developer issue: https://www.securitymagazine.com/articles/95641-cloud-security-should-never-be-a-developer-issueTool Sprawl & False Positives Hold Security Teams Back: https://www.darkreading.com/application-security/tool-sprawl-and-false-positives-hold-security-teams-back/d/d-id/1341517The what and Why of Cloud-Native Security: https://containerjournal.com/editorial-calendar/cloud-native-security/the-what-and-why-of-cloud-native-security/OSPAR 2021 report now available with 127 services in scope: https://aws.amazon.com/blogs/security/ospar-2021-report-now-available-with-127-services-in-scope/Researchers Create New Approach to Detect Brand Impersonation: https://www.darkreading.com/endpoint/researchers-create-new-approach-to-detect-brand-impersonation/d/d-id/1341549Privacy Law Update: Colorado Privacy Bill Becomes Law: How does it Stack Up Against California and Virginia?: https://www.adlawaccess.com/2021/07/articles/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia/CISA Launches New Website to Aid Ransomware Defenders: https://www.darkreading.com/threat-intelligence/cisa-launches-new-website-to-aid-ransomware-defenders/d/d-id/1341539stopransomware.gov: https://stopransomware.govTranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: There are several larger topics within the realm of cybersecurity that come up constantly. Subscribers of MiS are likely seeing these emerge from topics I cover. Some of the most common themes lately are compliance, privacy, ransomware, and DevSecOps. So, we are all working from common definitions, let’s elaborate a bit on each.Compliance is the process of meeting some list or lists of requirements, usually have an outside agency of some sort. Most people think about this in terms of laws like GDPR, SOC, HIPAA, FERPA, and others. These are great examples, but compliance includes meeting certification requirements like SOC 2, various ISO certifications, or PCI.Privacy gets broad in terms of implementation, but at its core, it means the protection of information related to a person or organization. Basically, don’t collect or disclose things you don’t absolutely need to, and always ensure you have permission before any collection or disclosure of information.Ransomware is the software that will destroy or disclose—or both—your data if you don’t pay someone. DevSecOps is the methodology of writing software with secure practices and systems in mind from the start. It’s that whole shift-left thing.Meanwhile in the news. How to Bridge On-Premises and Cloud Identity. Identity and access management, or IAM, is difficult without introducing wholly different environments. We have to pick an IAM solution, so we choose what works across all our environments and services. Of course, ultimately, this means implementing Single Sign-On, SSO, of some sort as well.Sophisticated Malware is Being Used to Spy on Journalists, Politicians and Human Rights Activists. Not all horrible software sneaking into our devices and systems are from hidden criminal or enterprises or nation-state sponsored groups. Some of it sadly comes from for-profit companies. Just like a hammer can be used for horrible things, so can some security software.A Complex Kind of Spiderweb: New Research Group Focuses on Overlooked API Security. APIs run our whole cloudy world. They’re the glue and crossovers communication mechanisms rolled into one conceptual framework. However, while we may introduce security flaws in our use of the billion APIs we have to use, the APIs themselves might have security vulnerabilities as well. I’m interested in the output from this practical research group to see if this bolsters API use and implementation in general.How AWS is helping EU customers navigate the new normal for data protection. Managing regulatory compliance is a circus act on a good day. On a bad day, it’s a complex web of sometimes conflicting and sometimes complementary solutions. Many organizations worldwide need to meet EU regulations, so be sure to know if you must as well.Cloud security should never be a developer issue. I first thought this was the counterargument to the shift-left and DevSecOp movements, but this piece support...
Who's Fooling Who?
Jul 15 2021
Who's Fooling Who?
Links:Fake Amazon cloud service AWS InfiniDash quickly goes viral: https://siliconangle.com/2021/07/05/fake-amazon-cloud-service-aws-infinidash-quickly-goes-viral/7 Unconventional Pieces of Password Wisdom: https://www.darkreading.com/application-security/7-unconventional-pieces-of-password-wisdom/d/d-id/1341400Pentagon Cancels Disputed JEDI Cloud Contract With Microsoft: https://www.usnews.com/news/business/articles/2021-07-06/pentagon-cancels-disputed-jedi-cloud-contract-with-microsoftSolarWinds Discloses Zero-Day Under Active Attack: https://beta.darkreading.com/threat-intelligence/solarwinds-discloses-zero-day-under-active-attack98% of Infosec Pros Say Multi-Cloud Environments Create Additional Security Challenges, Reveals Survey: https://securityboulevard.com/2021/07/98-of-infosec-pros-say-multi-cloud-environments-create-additional-security-challenges-reveals-survey/Autonomous Security is Essential if the Edge is to Scale Properly: https://www.darkreading.com/endpoint/autonomous-security-is-essential-if-the-edge-is-to-scale-properly/a/d-id/1341391Digital Habits During Pandemic Have Lasting Impact: https://securityboulevard.com/2021/07/digital-habits-during-pandemic-have-lasting-impact/Are Security Attestations a Necessity for SaaS Businesses?: https://www.darkreading.com/risk/are-security-attestations-a-necessity-for-saas-businesses/a/d-id/1341426How to Improve Cybersecurity for Your Business?: https://www.ccsinet.com/blog/how-to-improve-cybersecurity-for-your-business/CISA Analysis Reveals Successful Attack Techniques of FY 2020: https://beta.darkreading.com/threat-intelligence/cisa-analysis-reveals-successful-attack-techniques-of-fy2020How Predictive AI will Change Cybersecurity in 2021: https://insidebigdata.com/2021/07/09/how-predictive-ai-will-change-cybersecurity-in-2021/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: Last April, I went to a secret training camp. We studied the entire AWS functional objection orientation language services—or FOOLS—suite of tools and APIs. The first public rollout of AWS FOOLS-supported products is already an amazing success. AWS Infinidash took the internet by storm. This product is such an amazing way to quickly dash into production all your FOOLS-coded projects.I’m looking forward to the UDB service, AWS Infinitdiscus, where you toss your data to the cloud, the automated problem-solving tool, AWS Infinihurdle, where you leap over virtual objects, and the non-ephemeral cloud-native microservice, AWS Infinimarathon, where you can run microservices for long-running batch jobs. Sadly, I suspect the all-in-one API product AWS Infinitriathlon won’t see the light of day because the project participants keep dropping out before it’s finished. I hope they finish someday. I feel like it’s a new day dawning with AWS FOOLS. This is a watershed moment as momentous as the day we discovered Agile over waterfall.Meanwhile, in the news. Fake Amazon cloud service AWS InfiniDash quickly goes viral. [laugh]. This turned into a fantastic and fun internet meme that won’t be going away anytime soon. Also, everything I said above about AWS FOOLS is a joke. This is not real. I’m sure there will be reports about AWS FOOLS soon enough, now.7 Unconventional Pieces of Password Wisdom. Passwords suck. We all know they suck. We all hate them. However, we will always need to memorize a few passwords. Set passwords you can remember but are hard to guess and make them as long as the site or application will allow. Passphrases are far superior, of course.Pentagon Cancels Disputed JEDI Cloud Contract With Microsoft. If you wonder what happens when a trillion-dollar company takes you to court, just recall how AWS managed to kill this massive contract with Microsoft. Don’t tangle with AWS, Google, or Microsoft unless you know what you’re doing.SolarWinds Discloses Zero-Day Under Active Attack. Okay, let’s be honest. If I gave you every urgent patch announcement, this whole publication would be a boring list of stuff to install. Be sure to watch your vendors for patches and everything else.98% of Infosec Pros Say Multi-Cloud Environments Create Additional Security Challenges, Reveals Survey. Using more than one public or private cloud combined into one infrastructure or service delivery platform is difficult for IT, of course. For security, the tools used in one cloud stack are different than another cloud stack. This makes it hard to do a single comprehensive solution that works seamlessly between them all. Shift farther left on these things.Autonomous...
Use a Vault Before Ransomware Does It For You
Jul 8 2021
Use a Vault Before Ransomware Does It For You
Links:Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers: https://www.zdnet.com/article/ransomware-has-become-an-existential-threat-that-means-cyber-insurance-is-about-to-change/House lawmakers introduce bill to increase American awareness of cyber threats: https://thehill.com/policy/cybersecurity/560077-house-lawmakers-introduce-bill-to-increase-american-awareness-of-cyber5 Mistakes that Impact a Security Team’s Success: https://www.darkreading.com/edge/theedge/5-mistakes-that-impact-a-security-teams-success/b/d-id/1341470Google Working on Patching GCP Vulnerability that Allows VM Takeover: https://www.itsecuritynews.info/google-working-on-patching-gcp-vulnerability-that-allows-vm-takeover/NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs: https://www.darkreading.com/attacks-breaches/nsa-and-cisa-issue-warning-about-russian-gru-brute-force-cyberattacks-against-us-global-orgs/d/d-id/1341458$70 Million Demanded as REvil Ransomware Attackers Claim 1 Million Systems Hit: https://www.forbes.com/sites/daveywinder/2021/07/05/70-million-demanded-as-revil-ransomware-attackers-claim-1-million-systems-hit/?sh=7517b8f957c0How to monitor and track failed logins for your AWS Managed Microsoft AD: https://aws.amazon.com/blogs/security/how-to-monitor-and-track-failed-logins-for-your-aws-managed-microsoft-ad/Six ways businesses can reduce their cyber security risk as incidents rise: https://www.newshub.co.nz/home/money/2021/06/six-ways-businesses-can-reduce-their-cyber-security-risk-as-incidents-rise.htmlHow to get a lucrative job in cybersecurity: https://www.bbc.com/news/business-57663096Why MTTR is Bad for SecOps: https://threatpost.com/mttr-bad-secops/167440/What is the dark web? How to access it and what you’ll find: https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.htmlTranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: What? Your backups are really just diversified pools of production data across multiple cloud provider regions, or stores with no space wasted on offline or non production data? That’s awesome. You are a beautiful target for ransomware. Best practices from a production infrastructure view don’t always match up to best practices for security.However, there are ways to provide data protection and redundancy as ransomware impact mitigation while still providing dynamic operational systems. Once again, this solution is to shift left and design security into every single interaction and layer of your systems and infrastructure.Meanwhile, in the news. Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers. I know of organizations that have purposefully reduced spending on their cybersecurity programs in favor of hefty cyber breach insurance. It seems at first like a great balance sheet move, but in the long run it doesn’t pay. Just build adequate security programs, please.House lawmakers introduce bill to increase American awareness of cyber threats. Wow, so now the whole nation will be subjected to useless clickthrough CBT experiences that don’t change their behavior? Excellent. I’m sure the APTs of the world are shaking in their VR headsets already.5 Mistakes that Impact a Security Team’s Success. Call them fiefdoms, silos, or something else, whatever name you use, operating in any way but cooperatively is horrible and unprofessional. If you are frustrated by other people doing this to you, think about the ways you can bridge the divide and draw them into a shared success model where everyone wins by working together.Google Working on Patching GCP Vulnerability that Allows VM Takeover, AWS users rejoice. Finally a cloud security problem you can ignore. GCP users, it’s your turn to panic and question your choices. Now, you know what it feels like to be everyone else using cloud services. Being in the cloud doesn’t reduce your risks inherently; it merely shifts the focus of some of your risks.NSA & CISA Issue Warning About Russian GRU Brute-Force Cyberattacks Against US, Global Orgs. Cyber attacks are becoming more frequent and more automated. Even the human-driven APT attacks are using scalable cloud technologies to do their dirty work. Monitor your cloud and service or system usage for anomalous behavior, as well as known attack profiles.
Thesauruses are fun: Adaptable Durable Flexible
Jul 1 2021
Thesauruses are fun: Adaptable Durable Flexible
Links:Cybersecurity industry reacts as antivirus pioneer John McAfee found dead: https://www.csoonline.com/article/3623188/cybersecurity-industry-reacts-as-antivirus-pioneer-john-mcafee-found-dead.htmlStorms & Silver Linings: Avoiding the Dangers of Cloud Migration: https://beta.darkreading.com/cloud/storms-silver-linings-avoiding-the-dangers-of-cloud-migration7 ways technical debt increases security risk: https://www.csoonline.com/article/3621754/7-ways-technical-debt-increases-security-risk.htmlNew DNS Name Server Hijack Attack Exposes Businesses, Government Agencies: https://www.darkreading.com/vulnerabilities—threats/new-dns-name-server-hijack-attack-exposes-businesses-government-agencies/d/d-id/1341377CISO Jason Lee on Zoom’s response to its pandemic security challenges: https://www.csoonline.com/article/3622671/ciso-jason-lee-on-zooms-response-to-its-pandemic-security-challenges.htmlSoftware-Container Supply Chain Sees Spike in Attacks: https://beta.darkreading.com/cloud/software-container-supply-chain-sees-spike-in-attacksFour states propose laws to ban ransomware payments: https://www.csoonline.com/article/3622888/four-states-propose-laws-to-ban-ransomware-payments.htmlSenators propose bill to help tackle cybersecurity workforce shortage: https://thehill.com/policy/cybersecurity/560318-senators-propose-bill-to-help-tackle-cybersecurity-workforce-shortageExpecting the Unexpected: Tips for Effectively Mitigating Ransomware Attacks in 2021: https://beta.darkreading.com/vulnerabilities-threats/expecting-the-unexpected-tips-for-effectively-mitigating-ransomware-attacks-in-2021What Lies Ahead for K-12 Cybersecurity?: https://securityboulevard.com/2021/06/what-lies-ahead-for-k-12-cybersecurity/How to Protect Healthcare Data from Ransomware Attacks: https://www.ccsinet.com/blog/data-from-ransomware-attacks/System Resilience: What Exactly Is It?: https://insights.sei.cmu.edu/blog/system-resilience-what-exactly-is-it/Resilience Engineering: An Introduction: https://www.bmc.com/blogs/resilience-engineering/Charting a path to software resiliency: https://medium.com/walmartglobaltech/charting-a-path-to-software-resiliency-38148d956f4a7 Best Practices to Build and Maintain Resilient Applications and Infrastructure: https://thenewstack.io/7-best-practices-to-build-and-maintain-resilient-applications-and-infrastructure/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: I’ve heard the term ‘fail gracefully’ hundreds of times. What the heck does that really mean? Most people don’t think too hard on how their system should gracefully bow out rather than the old school method of complete failures and horrible restarts. Resilient software engineering is the discipline of making software and systems fail in ways that minimize and isolate failures while continuing to deliver service and availability. Basically, it means if you have a failure from hardware or dependencies, like a database, your service continues to work correctly and the broken parts just get shut down and replaced.Cloud-native software using microservices or even dynamically deployed containers or systems is the perfect way to implement resiliency in your operations. Look toward the next development cycle of your software and systems to begin implementing this immediately if you don’t already have this in place. None of this really makes sense until you see an example, so think of it this way: you have a web-based service for customers to see their account profile and order history. It’s built to scale with containers using AWS Elastic Kubernetes service—or EKS—and it is designed so when a system throws errors of any kind, that container is closed down. Then the Aws Elastic Load Balancer—or ELP—service points all subsequent requests to a different container instance in EKS.In that scenario, if a container is breached in a security event, or if something simply fails due to a software bug or data corruption, the service recovers by tossing a new system while yanking out the old system. This is security by designing self-healing IT systems. You get both security and stability for the same effort. This is DevSecOps in practice and shows how a shift-left mindset for your organization is the best possible approach for your business or mission.Jesse: Meanwhile, in the news. Cybersecurity industry reacts as antivirus pioneer John McAfee found dead. Sure John McAfee was clearly in his own blend of strange and eccentric, but he launched an entire industry vertical 34 years ago. The computer age has been around long enough now that the founders of the early megacorps are all fading away. Don’t forget our history, and if you ever asked yourself, “What would John McAfee do?” Please go do the opposite unless you plan on launching a successful business.
Real Risk vs Movie Risk
Jun 24 2021
Real Risk vs Movie Risk
TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: Don’t be stupid. Focus on your real risks, not hacker movie risks. It is easy to get caught up in a type of advance for persistent threats and the latest in obscure attack methodologies to the point where you spend all of your energy and time hunting for these in your systems. This stuff is right out of the latest bad hacking movie. It’s a colossal waste of time for most of us. Spend your time on learning and monitoring things based on your real risk, not your overblown sense of self-importance that the latest international crime ring of nation-state-backed hackers wants to breach your defenses. News flash: APTs probably don’t care about you. If you make it fairly easy to get your data and use your resources, of course you’ll get popped. That’s like leaving your wallet on a bench in the park; of course someone will take it. Raise the barrier to entry for obtaining your resources and you reduce opportunistic crime, just like locking your car at night protects from casual pilfering through your things.Meanwhile, in the news. Amazon Sidewalk Mesh Network Raises Security, Privacy Concerns. Tangential to cloud security, these types of networks worry me for privacy and physical security concerns more than cybersecurity for the device and users. As this article says, privacy and security are separate issues. Conflating the two can compromise one or the other or both. Don’t confuse privacy and security as being one and the same.This Week in Database Leaks: Cognyte, CVS, Wegmans. I routinely hammer on securing your cloud storage and other ways to minimize self-exposure of sensitive data for a reason. You should be scared of the implications of these exposures in terms of business risk, reputation loss, and regulatory violations and fines. In other words, don’t be stupid.Data is Wealth: Data Security is Wealth Protection. Ignore the schilling of services as usual and take in the message: protecting your data is your prime directive. Ask yourself every morning, “How will I protect my data today?” Doing anything else is doing it wrong.Google Workspace Adds Client-Side Encryption. This means you can store encrypted data in your Google accounts without Google having access to the contents of your data. This is a big deal. Take advantage of this if you use Google for document creation and storage.Corey: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial.Jesse: Cybersecurity Tips for Business Travelers: Best Practices for 2021. I plan to avoid a return to routine business travel, but if you want to, or don’t have a choice not to get back on the road, do it safely. If you don’t want the US Customs and Border Patrol agents searching your devices, wipe your phone before reaching customs. You can set your device to wipe on too many failed passcode entries then backup your phone right before boarding or departing the plane and wipe it on the way to the customs by tapping one number over and over as you walk off the plane.2021 Verizon Data Breach Incident Report insights. The annual Verizon data breach incident report—known as DBIR—has incredible and useful insights for all tech workers, not just security practitioners. Once again, humans are the weak link. I know spending more time educating your people than hunting for ABTs is boring sauce, but you’ll be better off.One in Five Manufacturing Firms Targeted by Cyberattacks. If you create real-world goods, you are a prize target. Don’t be fooled into thinking you’re safer because it’s harder to steal things in meatspace than in cyberspace.Confidential Computing: The Future of Cloud Computing Security. Using hardware-level security is still possible in the cloud. Most of us don’t need to encrypt everything on a system or everything running in memory, but some of us do need to be that paranoid. However, don’t do this unless you really truly have a business case for it, and to implement checkout services like AWS CloudHSM for encryption of in-use memory and data.Many Mobile Apps Intentionally Using Insecure Connections for Sending Data. Don’t use insecure transport in your apps. Encrypt your data in transit. Eventually, consumers will have ways to disable all apps that don’t use basic security measures like proper authentication without stored credentials or using unencrypted channels. Don’t be stupid. Are you sensing a theme of the week?The Art and Strategy of Becoming More Cyber Resilient. Resiliency in IT architectures and applications is becoming the only way to survive the modern distributed world, especially in cybersecurity. You need to change your whole paradigm to be risk and recovery-based, not just the old-school defender attitude of building lots of walls.Cyber is the New Cold War & AI is the Arms Race. The whole AI marketing trope gets old. Ugh. But the message is accurate. There is too m...
You Down with ATP? Yeah, You Know Me
Jun 17 2021
You Down with ATP? Yeah, You Know Me
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.Show Notes:Links:ABT1 Report: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdfSecuring Your Cloud Transformation Journey: https://onwireco.com/2021/06/08/securing-your-cloud-transformation-journey/TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements: https://securityboulevard.com/2021/06/teamtnt-strikes-again-a-wake-up-call-to-start-securing-cloud-entitlements/Secure Access Trade-offs for DevSecOps Teams: https://beta.darkreading.com/vulnerabilities-threats/secure-access-trade-offs-for-devsecops-teams?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simpleCyber Gangs: Who are they in 2021 and what do they Want?: https://securityintelligence.com/articles/cyber-crime-gangs-who-are-they-today/Required MFA is not Sufficient for Strong Security: A Report: https://www.darkreading.com/cloud/required-mfa-is-not-sufficient-for-strong-security-report/d/d-id/1341263With Cloud, CDO and CISO Concerns are Equally Important: https://www.itsecuritynews.info/with-cloud-cdo-and-ciso-concerns-are-equally-important/Colonial Pipeline CEO: Ransomware Attack Started via Pilfered ‘Legacy’ VPN Account: https://beta.darkreading.com/attacks-breaches/colonial-pipeline-ceo-ransomware-attack-started-via-pilfered-legacy-vpn-accountCloud Security: Why Being Intentional in Encryption Matters: https://securityintelligence.com/articles/cloud-security-intentional-encryption/CSPM explained: Filling the gaps in cloud security: https://www.csoonline.com/article/3620049/cspm-explained-filling-the-gaps-in-cloud-security.htmlFive worthy reads: Confidential computing–the way forward in cloud security: https://securityboulevard.com/2021/06/five-worthy-reads-confidential-computing-the-way-forward-in-cloud-security/Data Protection in the K-12 Cloud: https://securityboulevard.com/2021/06/data-protection-in-the-k-12-cloud/Cybersecurity Executive Order 2021: What it Means for Cloud and SaaS Security: https://thehackernews.com/2021/06/cybersecurity-executive-order-2021-what.htmlHackers Can Exploit Samsung Pre-Installed Apps to Spy On Users: https://thehackernews.com/2021/06/hackers-can-exploit-samsung-pre.htmlTop 10 security items to improve in your AWS account: https://aws.amazon.com/blogs/security/top-10-security-items-to-improve-in-your-aws-account/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor authentication, list and see all SSH servers, Kubernetes clusters, or databases available to you, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport doesn’t get in the way. Download Teleport at goteleport.com. That’s goteleport.com.Jesse: Us security people and the general news media like talking about APT this and APT that however, like most things with cybersecurity, the term isn’t even explained. The term is Advanced Persistent Threat—or APT—and it came from Kevin Mandia, founder of Mandiant, a security company, in the famous ABT1 Report as it’s called, released in early 2013, is a fascinating read. Well, maybe some of us love reading these things.There’s a lot of hype around APTs and what it all means. An APT is essentially a well-funded hacking group, usually with nation-state backing. This means some government is funding and/or training and otherwise supporting the efforts of what amounts to a criminal enterprise attacking assets. Most of us shouldn’t care much about APTs though, as long as we secure our cloud accounts and use properly configured multi-factor authentication, or MFA.Meanwhile, in the news. Securing Your Cloud Transformation Journey. Plan, build, run, repeat. Plan, build, run, repeat. It’s so simple, however, the details are complex and varied at every one of these stages to reduce the possibility of something catastrophic happening.TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements. If you don’t secure your IAM credentials for cloud services, the keys to your kingdom will be shared about by nefarious actors. I’ve recently pointed out that this ABT group, the TeamTNT, was harvesting easy-to-obtain credentials. I love a chance to hammer on basic protocols a...
Pirates and Castles
Jun 10 2021
Pirates and Castles
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.Links:Blog entry: https://swagitda.com/blog/posts/on-yolosec-and-fomosec/Why the Worst Cloud Security Predictions Might not Come True: https://securityintelligence.com/articles/worst-cloud-security-predictions-not-true/First Known Malware Surfaces Targeting Windows Containers: https://www.darkreading.com/vulnerabilities—threats/first-known-malware-surfaces-targeting-windows-containers/d/d-id/1341230Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang: https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/TeamTNT attacks IAM credentials of AWS and Google Cloud: https://www.scmagazine.com/home/security-news/cloud-security/teamtnt-attacks-iam-credentials-of-aws-and-google-cloud/School Cybersecurity: How Awareness Training Removes Attackers’ Options: https://securityintelligence.com/articles/how-awareness-training-improves-school-cybersecurity/Only 17% of organizations encrypt at least half of their sensitive cloud data: https://www.scmagazine.com/home/security-news/only-17-of-organizations-encrypt-at-least-half-of-their-sensitive-cloud-data/Return to Basics: Email Security in the Post-COVID Workplace: https://beta.darkreading.com/vulnerabilities-threats/return-to-basics-email-security-in-the-post-covid-workplaceZero Trust or Bust: What it is and Why it Matters to Data Security: https://securityintelligence.com/posts/zero-trust-why-it-matters-data-security/What the FedEx Logo Taught Me About Cybersecurity: https://www.darkreading.com/vulnerabilities—threats/what-the-fedex-logo-taught-me-about-cybersecurity/a/d-id/1341118How the Rise of the Remote SOC Changed the Industry: https://securityintelligence.com/articles/work-from-home-remote-soc/Organizations Shift Further Left in App Development: https://www.darkreading.com/application-security/organizations-shift-further-left-in-app-development/d/d-id/1341219Kate Turchin Wang YouTube: https://www.youtube.com/c/KeynoteSingerThe Misaligned Incentives for Cloud Security: https://securityboulevard.com/2021/05/the-misaligned-incentives-for-cloud-security/Kelly Shortridge Twitter: https://twitter.com/swagitda_TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: Every week, I read dozens of articles, hundreds of social media posts on several platforms, and thousands of private messages about cybersecurity. There is one single most pervasive theme from all of them: security messaging is binary; there are generally only two mindsets about security. Both of these are wrong.First, there’s the sensationalists who dream of being Case, the antihero in Gibson’s novel, Neuromancer, which is, by the way, the greatest dystopian cyberpunk novel ever written. I will fight you on that. These jokers want the world to think they are the first and final defense against the alien invasion of sophisticated and powerful hackers. Really, most of these folks are trying to chase a non-existent adrenaline rush doing defensive security. Don’t get me wrong, I love being a defender. It’s just not strapping a saddle onto a missile and riding into the sunset.Second, there’s the cyber-doomers who spread fear, uncertainty, and doubt—we call it FUD—about how cyberspace has already collapsed and we’re all on life support while the hackers outside [unintelligible 00:02:06] run amok in pure cyber-anarchy. These purveyors of apocalyptic doomscapes assure us all that culture of no is the only answer to keeping sanity and safety within our control. They live on and trade in fear, but all this does is cost more money and hinder the mission in business. Kelly Shortridge calls this YOLOsec and FOMOsec and does a much better job at this than I can. Go read her blog entry.Meanwhile, in the news. Why the Worst Cloud Security Predictions Might not Come True. We security people are usually gloom and doomers. It’s our stock and trade.However, the migration to cloud is moving the exposed attack surfaces. This may not mean an increase in risk for many organizations. This could simply be a shift in risk categories.
Caution with Automation
Jun 3 2021
Caution with Automation
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.Links:Autonomous drone attacked soldiers in Libya all on its own: https://www.cnet.com/news/autonomous-drone-attacked-soldiers-in-libya-all-on-its-own/3 SASE—or ‘sas-ee’-Misconceptions to Consider: https://www.darkreading.com/cloud/3-sase-misconceptions-to-consider-/a/d-id/1341088Chinese APT Groups Continue to Pound Away on Pulse Secure VPNs: https://www.darkreading.com/attacks-breaches/chinese-apt-groups-continue-to-pound-away-on-pulse-secure-vpns/d/d-id/1341174Cybersecurity M&A Roundup: 36 Deals Announced in May 2021: https://www.securityweek.com/cybersecurity-ma-roundup-36-deals-announced-may-2021The VC View: Identity = Zero Trust for Everything: https://www.securityweek.com/vc-view-identity-zero-trust-everythingThree Things Holding Back Cloud Security: https://securityboulevard.com/2021/05/three-things-holding-back-cloud-security/What does the Future Hold for Cloud Security: https://hackernoon.com/what-does-the-future-hold-for-cloud-security-i82e35mdReport: Cloud Security Breaches Surpass On-Prem Ones for the First Time: https://www.mariakorolov.com/2021/report-cloud-security-breaches-surpass-on-prem-ones-for-the-first-time/What is DevSecOps, and how Can it Improve Your Security: https://biztechmagazine.com/article/2021/05/what-devsecops-and-how-can-it-improve-your-security-perfconState of Security Research Zeroes in on Data Strategies: https://www.splunk.com/en_us/blog/leadership/state-of-security-research-zeroes-in-on-data-strategies.htmlTranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: Automation of processes is crucial for speed and reliable repeatability. However, automating tasks and procedures should be done with a certain amount of caution. Start by automating discrete tasks, then group or chain those tasks after thorough testing for safety. As you build experience and confidence in these groups of tasks, you can automate larger collections of operations. This is where security orchestration, automation, and response—or SOAR platforms—are critical to maintain automated operations in a cost-effective manner with minimal overhead.In large-scale dynamic cloud deployments, whether using full-system stacks, containers, or cloud-native microservices, automating security operations is a requirement for functional response. This necessitates a high level of trust in your automation. Likely you’ll migrate into more machine learning and fuzzy-logic-based decision criteria that could have unintended consequences if you don’t put the right guardrails in place. Unfettered machine-based decision-making is how Skynet [laugh] is born. Please do be careful on your testing and implementation and production.Meanwhile, in the news. Autonomous drone attacked soldiers in Libya all on its own. This is Skynet straight out of a Terminator movie. Remember this story when you are implementing automation in your environment. Unchecked and unmonitored automation can cause serious problems where there were none.3 SASE—or ‘sas-ee’—Misconceptions to Consider. If you thought this was about self-addressed stamped envelopes, you are at least as old as I am. It’s pronounced ‘sas-ee’, which is all wrong phonetically. SASE, like my dog named Sassy, is a very valuable member of the family, but it won’t cure all your woes.Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That’s extrahop.com/trial.Jesse: Chinese APT Groups Continue to Pound Away on Pulse Secure VPNs. I hope you’ve patched your Pulse Secure VPN because if you haven’t, a nation-state will own you soon. Go patch it and turn up monitoring if you haven’t already.Cybersecurity M&A Roundup: 36 Deals Announced in May 2021. None of us should wonder why the cybersecurity vendor market is so confusing after seeing the list of mergers that happen routinely. Just like with other tech markets, the big companies are slowly eat...
Stop Using Passwords, No Really, Stop
May 27 2021
Stop Using Passwords, No Really, Stop
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.Links:Password strength XKCD: https://xkcd.com/936/Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM: https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/Misconfiguration of third party cloud services exposed data of over 100 million users: https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-cloud-services-exposed-data-of-over-100-million-users/Cost Savings, Better Security Drive Adoption of Emerging Technologies: https://www.darkreading.com/risk/cost-savings-better-security-drive-adoption-of-emerging-technologies/d/d-id/1341081Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime and APT Groups: https://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073Attackers Took 5 Minutes to Start Scanning for Exchange Server Flaws: https://beta.darkreading.com/threat-intelligence/attackers-took-5-minutes-to-start-scanning-for-exchange-server-flawsCredential Stuffing Reaches 193 Billion Login Attempts Annually: https://www.darkreading.com/cloud/credential-stuffing-reaches-193-billion-login-attempts-annually/d/d-id/1341064How Ransomware Encourages Opportunists to Become Criminals: https://www.darkreading.com/attacks-breaches/how-ransomware-encourages-opportunists-to-become-criminals/a/d-id/1340953American insurance giant CNA reportedly pays $40m to ransomware crooks: https://www.theregister.com/2021/05/22/in_brief_security/79% of observed Microsoft Exchange Server exposures occurred in the cloud: https://www.scmagazine.com/home/security-news/cybercrime/udpos-malware-spotted-exfiltrating-credit-card-data-via-dns-server/Google Cloud CISO: Usability must be baked into design of security tools: https://www.scmagazine.com/home/2021-rsa-conference/google-cloud-ciso-usability-must-be-baked-into-design-of-security-tools/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: Stop using passwords. No really, stop using passwords; use a password vault. Although, when you have to memorize a password to access something that you can’t use the vault to look up, such as to get into your phone or computer to access your vault, use a passphrase. A passphrase is a group of words or a full sentence. See the famous password strength XKCD comic for how to understand, passphrase is better.Pro-tip: do not use easy-to-guess phrases. Don’t use your dog’s name, kid’s name, and your favorite sports team. A good one is ‘dolphinstrollthroughmountains.’ [unintelligible 00:01:38] the period in the end. A bad one is ‘SpotKarengiants.’ I want everyone to know that neither of these have ever been nor ever will be a passphrase used by me, you shouldn’t use them either. At least a few of you will, but you’ve been warned.Also, my dogs aren’t named Spot. I don’t have a family member named Karen—that I know of—and I don’t really know anything about the Giants except that I think they’re a football team. A password vault is software that stores your passwords in an easily accessible manner. There are several cloud-based services with client software and/or browser plugins, and all of these have family, team, and business or enterprise service levels that allow easily sharing password entries or creating shared vaults for storing accounts. Password vaults are generally between only $4 and $10 per user, per month, even at the family and at the business level, which is a trivial cost even for small businesses. Even my tiny nonprofits use a cloud password vault service, it’s worth every single penny. This will change your life and transform your business, especially in a remote world.Meanwhile, in the news. Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM. I talk all the time about the value zero trust architecture—ZTA—and the importance of shifting left to make your applications and services more secure. Building cloud-native software with ZTA integrated at the API call layer is the best way to secure your operations.Misconfiguration of third party cloud services exposed data of over 100 million users. On cue, there is yet more research showing that cloud apps and services are exposing access credentials or keys to user or service data. If these app developers shift left and integrate better authentication and authorization mechanisms, they could use this for ...
A Jump To The Left Not A Step To The Right
May 20 2021
A Jump To The Left Not A Step To The Right
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.Show Notes:Links:Report finds old misconfiguration woes continue to hammer corporate clouds: https://www.scmagazine.com/home/security-news/cloud-security/report-finds-old-misconfiguration-woes-continue-to-hammer-corporate-clouds/Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight: https://www.wsj.com/articles/pentagon-weighs-ending-jedi-cloud-project-amid-amazon-court-fight-11620639001Netflix Exec Explains Where Infosec Pros are Going Wrong: https://www.infosecurity-magazine.com/news/netflix-exec-infosec-pros-going/Firms Struggle to Secure Multicloud Misconfigurations: https://www.darkreading.com/cloud/firms-struggle-to-secure-multicloud-misconfigurations/d/d-id/1341008Researchers Create Covert Channel Over Apple AirTag Network: https://nmap.online/news/2021/researchers-create-covert-channel-over-apple-airtag-networkRansomware is Getting Ugly: https://www.schneier.com/blog/archives/2021/05/ransomware-is-getting-ugly.htmlTry this One Weird Trick Russian Hackers Hate: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/Attorneys share worst practices for data breach response: https://searchsecurity.techtarget.com/news/252501054/Attorneys-share-worst-practices-for-data-breach-responseRansomware Guidance and Resources: https://www.cisa.gov/ransomwareHow to Get Employees to Care About Security: https://www.darkreading.com/theedge/how-to-get-employees-to-care-about-security-/b/d-id/1341058Corey Quinn’s Twitter: https://twitter.com/QuinnyPigTranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: All the rage is DevOps, for good reasons: it works. You can’t do good cloud work without a flexible and functional DevOps operation. Similarly, you can’t do good security in the cloud without DevSecOps. However, [laugh] security people love their cryptic and geeky terms, so you hear, “You should shift left.” This is derived from the left shift bitwise operators that do binary math that moves values to the left. I told you it’s geeky.This moving left translates to moving security integration into a project farther left in the development process when you start on the left and move to production on the right. Ultimately, this means you bring security into the very beginning of your conceptual designs, and write your first lines of code with security processes and methods in mind from the very start. Use more security tools, authentication and authorization hooks, and more granular encryption methods in your underlying services structures through your more complex processing. More work on literally coding security in at the start could save you several orders of magnitude of direct and indirect costs in the future. Don’t get owned, don’t get ransomed.Meanwhile, in the news, Report finds old misconfiguration woes continue to hammer corporate clouds. If you haven’t heard me and countless others rant about going back to basics of cloud security, you haven’t been listening. This article should scare you into finally checking your basic permissions on things like storage and services so you don’t get pwned by being stupid.Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight. When a nearly $2 trillion company drags anyone into court, things will change. The largest move to cloud services by the US Department of Defense might not happen because Amazon got pissed and sent lawyers. Watch how this unfolds to learn both how Amazon the company operates and how the market moves toward or away from cloud in general and either Azure or AWS specifically as a result of this legal challenge.Netflix Exec Explains Where Infosec Pros are Going Wrong. Most of us who work in cybersecurity will read this piece and have one of two strong reactions. People like me and everyone who isn’t a security professional will nod and smile and agree that times are changing and security needs to get with the times. Everyone else in security will scowl, and pout, and get mad.Firms Struggle to Secure Multicloud Misconfigurations. We all struggle to secure all the things, but this report shows that most of us struggle to secure any of the things. Back to basics; I keep hammering on this because things like shutting down or securing ports and services and locking up cloud storage objects get you the biggest improvement in security posture out of almost anything else you do.<...
The Grid Has Fallen and It Can't Get Up
May 13 2021
The Grid Has Fallen and It Can't Get Up
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.Show Notes:Links:Here’s the hacking group responsible for the Colonial Pipeline shutdown: https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsible-for-colonial-pipeline-shutdown.htmlBiden says ‘no evidence’ Russia involved in US pipeline hack but Putin should act: https://www.theguardian.com/us-news/2021/may/10/colonial-pipeline-shutdown-us-darkside-messageColonial Pipeline CEO warns of possible fuel shortages following cyberattack: https://www.foxbusiness.com/technology/colonial-pipeline-ceo-warns-of-fuel-shortages-following-cyberattackColonial Pipeline hackers apologize, promise to ransom less controversial targets in future: https://www.theverge.com/2021/5/10/22428996/colonial-pipeline-ransomware-attack-apology-investigationOver 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys: https://thehackernews.com/2021/05/over-40-apps-with-more-than-100-million.htmlRed Hat bakes cloud security into the heart of Red Hat OpenShift: https://siliconangle.com/2021/04/27/red-hat-bakes-cloud-security-heart-openshift/Amazon debuts CloudFront Functions for running lightweight code at the edge: https://siliconangle.com/2021/05/03/amazon-debuts-cloudfront-functions-running-lightweight-code-edgeCritical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack: https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.htmlNew Amazon FinSpace Simplifies Data Management and Analytics for Financial Services: https://aws.amazon.com/blogs/aws/amazon-finspace-simplifies-data-management-and-analytics-for-financial-services/Spectre Strikes Back: New Hacking Vulnerability Affecting Billions of Computers Worldwide: https://scitechdaily.com/spectre-strikes-back-new-hacking-vulnerability-affecting-billions-of-computers-worldwideAmerica Hacks Itself. Waiting for the Cyber-Apocalypse: https://tomdispatch.com/waiting-for-the-cyber-apocalypse/Wanted: The (Elusive) Cybersecurity ‘all-Star’: https://www.darkreading.com/operations/wanted-the-(elusive)-cybersecurity-all-star/d/d-id/1340929How to Solve the Cybersecurity Skills Gap: https://securityboulevard.com/2021/05/how-to-solve-the-cybersecurity-skills-gap/Most Organizations Feel More Vulnerable to Breaches Amid Pandemic: https://www.darkreading.com/risk/most-organizations-feel-more-vulnerable-to-breaches-amid-pandemic/d/d-id/1340954How the COVID-19 Pandemic is Impacting Cyber Security Worldwide: https://innovationatwork.ieee.org/how-the-covid-19-pandemic-is-impacting-cyber-security-worldwide/Impact of COVID-19 on Cybersecurity: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.htmlBiden on cyber security after 100 days: A good start, but now comes the hard part: https://securityboulevard.com/2021/05/biden-on-cyber-security-after-100-days-a-good-start-but-now-comes-the-hard-part/Why Software Supply Chain Attacks are Inevitable and what you Must do to Protect Your Applications: https://securityboulevard.com/2021/05/why-software-supply-chain-attacks-are-inevitable-and-what-you-must-do-to-protect-your-applications/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.Jesse: Infrastructure security, including both critical physical systems that make our modern human lives possible, and supply chain on critical software systems is the theme of the week—maybe month, or a year—and we need to sit up and pay attention. Our electrical grids, telco systems, fuel pipelines, water supplies, and more, are delicate flowers ready to be stomped by anything with brute force, or eaten away by a swarm of tiny insects. These systems lurk online in the background where most of us don’t see them. However, all these are managed by computerized systems and they aren’t as air-gapped as we would hope they are. Internet of Things—or IoT—operational technology—or OT—and industrial control systems—or ICS—aren’t new security problems to solve. These have been highly vulnerable forever, but now we’re seeing how IoT, OT, ISS security lags far behind mainstream cybersecurity. This is a rapidly changing trend, but we should be worried over the ne...
All Changes Are Permanent Until Replaced
May 6 2021
All Changes Are Permanent Until Replaced
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.My recent experience prepping a commercial space for a state fire marshal office inspection and approval has me thinking about compliance and security and ever-present ‘temporary’ fix for things. How many times have we said, “Oh, I’ll just do this quick fix to get us by,” and that quick fix becomes the de facto supported production implementation? Repeat after me: all changes are permanent until replaced. All changes are permanent until replaced.Anything we alter at all, whether it in computing or in real life, is a permanent alteration until it is replaced by a new alteration, or by a natural corrective or evolutionary process, like decay. We cut our hair and it grows back. We weed our gardens and the weeds return. If you don’t want temporary changes happening in your environment, then implement hard controls that will correct any aberrations that come up. Cloud-native architectures give us the tools to force this by making it seamless to close down and erased from existence anything that veers from your ideal. Take advantage of this now.Meanwhile, in the news. Password reset code brute force vulnerability in AWS Cognito. If you use this AWS service, you should read this one. Although it is now patched, it’s good to understand how AWS Cognito works more closely, which is true for any other security service you rely upon that is hosted by your cloud provider or other vendor.Task force seeks to disrupt a ransomware payment. This is tangentially related to cloud security because both Amazon and Microsoft has joined up on this one, but I’m personally fascinated by strange frenemy combinations who work together on these things. I’m watching for either interesting things to happen with their recommendations that could have an impact on disclosure of ransomware incidents, or for it all to fizzle out to do nothing.Is your cloud raining sensitive data? Kubernetes generally needs securing like any other service. Time to stop ignoring your newest infrastructure and lock Kubernetes down. However, if you want real security for your Kubernetes clusters, you should look at a robust solution like Fairwinds Insights. I’m a big fan of outsourcing tool development to experts.Enterprise lift and shift to the public cloud requires a newer type of API and cloud security program to prevent data breaches. Ignoring some glaring editing mistakes, which is rather difficult for me to do, I’d like this easy-to-read case study of a traditional on-prem infrastructure going through a lift-and-shift cloud migration. This piece specifically addresses some of the serious security implications of doing this, and how your attack surface changes dramatically in the process.NOAA shifts some key environmental data processing to the cloud. This one is important to me personally. Years ago, when I was a security engineer for the United States Department of Energy Oak Ridge National Laboratory High-Performance Computing Group—boy, that’s a mouthful—I helped ensure security for one of the National Oceanic and Atmospheric Administration—or NOAA—supercomputers doing climate research. NOAA moving any of its compute systems supporting global research is a very big deal, and this is a great example of why AWS GovCloud is helping the US federal government modernize and move to the cloud. Also, mixing an acronym-heavy industry with government work turns into a pile of TLS so fast. Also, as another aside, this was back when I met The Duckbill Group CEO, Mike Julian, in Knoxville, Tennessee.Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That’s extrahop.com/trial.ClearDATA expands flagship solution to facilitate health care’s adoption of containers and serverless tech. Speaking of outsourcing to experts, there are lots of compliance reporting options out there, and like my favorite, Qmulos. Full disclosure, remember I do work for Splunk. But there are less options for actively managing compliance in your cloud environment. Does anyone have experience with ClearDATA’s Comply offering? Email me, I want to know more.Expanding security, visibility, and automation across AWS environments. I’m most interested in the AWS Graviton to ARM-based security in the asset discovery for AWS environments announcements in this piece. First, I love me some chip geekery, especially when security-related, and second, the thing most of us suck at is tracking your assets. Any help managing an asset list for our security tools is gravy.As Microsoft nears a $2 trillion market cap, Amazon is most likely to reach that level next. I’m always looking at economics and how that drives both behavior and technology. Also, looking at how markets move and companies grow and die tells us more about trends in technology decisions and spend than many other indicators. Stop and think about the implications of this: four of the world’s five largest companies by market capitalization are us tech giants. Three of these are the parent companies of the three cloud giants: Microsoft, Amazon, and Alphabet or Google. It’s a cloudy forecast for sure.Seven modern-day cybersecurity realities. None of these are earth-shattering news, but at least some of these will make you cringe when you consider your own environment. Feeling uncomfortable thinking about any of these is a good thing if you act on that feeling. Go forth and fix things.The challenge of securing non-people ident...
Hooked on Compliance
Apr 29 2021
Hooked on Compliance
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.Show Notes:Links:Information Security Compliance: Which regulations relate to me: https://www.tcdi.com/information-security-compliance-which-regulations/TranscriptJesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: Low effort, high visibility, and detection. To learn more, visit lacework.com.Jesse: Compliance requirements are everywhere. I’ve been on both sides of the table for dozens of audits, and I’ve even worked on commercial building fire code compliance for data centers and even a school. Whatever your industry, there are compliance requirements lurking somewhere in your buildings, your data center, and your clouds. You should know what legal compliance mandates you must meet as well as industry standards or certifications you should meet. You don’t have to learn all the intricate details of any of these compliance laws or frameworks, however, you should at least know what the requirements you have and what frameworks you should use.You need to understand more than what your organization does at a high level. You also should know what general activities your organization performs, such as selling things, providing services to a public, or quasi-public entity, or government agencies, or schools, or managing investments or banking. Then go find out your compliance needs. An article called Information Security Compliance: Which regulations relate to me? By TCDI—which appears to be a consulting firm that I neither endorse nor know anything about at all—is a short primer on some common compliance programs that really should prove useful to you.Meanwhile, in the news, SANS cloud security curriculum gaining altitude. Become a SANS cloud ace. SANS and GIAC have the best security training and certifications, and now they’ve expanded their cloud courses, including some more foundational options non-security people should find valuable. The training is detailed, challenging, and rewarding, and will teach you far more than most other programs including hands-on exercises that are key to learning tech.Introduction to the NIST cybersecurity framework. I like the cybersecurity guidelines and frameworks NIST creates because they are useful and understandable tools for non-security and security people I like. I like this introductory primer to better understand structured security frameworks and to start learning how auditors think. Essentials to consider when choosing a cloud security posture management solution; whether your primary job is security or not, I always advocate for a centralized, simplified automation and standardization of security controls wherever possible. For multi-cloud environments, you can outsource to a cloud security posture management—or CSPM—provider, and this quick read has tips I like on some basics to consider for how to choose your solution.SOC 2 attestation tips for SaaS companies. Everyone should understand the basics of service organization control type two, more commonly known as SOC 2, as it is fundamental to doing business in the cloud. SOC 2 is especially important for SaaS providers because it shows there are certain safeguards for data confidentiality, integrity, and availability, among other things.Enterprises need to change passwords following ClickStudios’ Passwordstate attack. Tangentially related to cloud, password managers are great tools as long as they are secure, but if you use this one you need to know two things. First, you have to change all your passwords, and second, you need to search for indicators of compromise—or IOCs—for possible nasty things in your environment.Five objectives for establishing an API-first security strategy. With cloud-native services APIs become an easy target, so you need to know how to design their use securely. I would use these tips in designing a SaaS offering, so you should too. Hackers are exploiting a Pulse Secure Zero-Day to breach orgs around the world. You need to trust your zero trust solution, and if you use Pulse Secure, you need to know what to do about this right now. If you don’t use Pulse Secure, you should still understand what happened so you can be prepared for when this happens to you.Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That’s extrahop.com/trial.Jesse: Man charged with planning to blow up Amazon Web Services data center in Virginia. You should always have your critical services and all of your data in multiple availability zones, and as much as possible spread across multiple regions. Someday, one of these nutters will succeed in disrupting AWS just enough to give you a bad day. Also, it’s easy to forget that most people don’t know how ‘the cloud’ and ‘the internet’ actually work. Heck, we barely know how these things work and we’re supposed to know this stuff.SalusCare, a health services provider, sues AWS over security response. Sure, anyone can sue anyone for anything, but you need to be careful with your data and even more careful with your customers’ data. Does your service agreement and licensing protect and indemnify you from things like this? Even a nuisance lawsuit is costly, so be informed.Risk, the misunderstood discipline. Security and finance people talk about risk constantly and some of us evaluate risk in our daily lives. Yep, I do every day at work and home. You need to understand some fundamentals of risk to know ...