Meanwhile in Security

Natural events certainly have their effect on security, and this week Jesse tells us how in the aftermath of Hurricane Ida. The two most pressing components that natural events effect? Connectivity and business continuity. Jesse breaks down the importance of the two in regards to your security needs.

In the news: Microsoft Azure Cloud’s security soft spot exposed, Shinyhunter Treat Group on the prowl, some new AWS security training coming in the fall, and more! Tune in for the rest!

Show Notes

Links:

Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.


Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.


Jesse: Disaster befell much of the middle south of the US when Ida slammed into the coast and plowed its way up north through the land. What does a hurricane have to do with security? Business continuity. Business continuity is the discipline of maintaining business operations, even in the face of disasters of any kind, such as a hurricane-driven storm surge running over the levees and flooding whole towns. If you have all your computing systems in the cloud in multiple regions, then such a disaster won’t fully halt your business operations.


However, you still might have connectivity issues and possibly either temporary or permanent loss of non-cloud systems. Be sure your non-cloud systems have appropriate backups off-site to another geographically disparate location. Better yet, push backups into your cloud infrastructure and consider ways to utilize that data with your cloud systems during a crisis. Hmm, perhaps you’ll like it so much you will push everything else up to the cloud that isn’t a laptop, tablet, or phone.


Meanwhile in the news, Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases. Security for cloud providers can potentially have catastrophic and large scale repercussions. Keep an eye out for any problems that come up that might affect your operations and your data. Do keep in mind your platform has a direct impact on your own risk profile.


Google, Amazon, Microsoft Share New Security Efforts After White House Summit. The National Institute of Standards and Technology—or NIST—is building a technology supply chain framework with the big tech companies, including Apple, Amazon, Google, IBM, and Microsoft, and this is a big deal. I’m sure the fighting amongst those companies will make this initiative die on the vine, but I hope I’m wrong.


New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations. Back to basics: secure your data; lock down those buckets; don’t be stupid. Also, when we’re talking cloud apps and services, there should be no assumption that anyone accessing the application via an obfuscated link or permissions too broad to 
effectively secure the data therein.


Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, teleport is open-source and a pleasure to use. Download teleport at goteleport.com. That’s goteleport.com.


Researchers Share Common Tactics of ShinyHunters Threat Group. Put Indicators of Compromise—or IOC—data for the latest APT group or malware into your monitoring tool or tools. It’s possible, depending on the vendor, that there are already detections you can add to your production monitoring. Save some time and look for those pre-made searches, configurations, and scripts before you make your own.


How to automate forensic disk collection in AWS. Automating forensic data gathering is incredibly valuable. This not only has obvious value in security incident response, but it has value in teaching us how these parts in AWS work. This is worth a close read—several times if you need to—to understand how EBS, S3, automating EC2 actions, CloudWatch logging—among other services—operate. There are other pieces to the glue here to learn, as well.


Confidential computing: an AWS perspective. If you use EC2, you need to understand the AWS Nitro System. Their hardware-based approach to their hypervisor for virtualization combined with hardware-based security and encryption is quite well made. Everyone worried about security at all while using EC2—which I argue should be all of you—should know the concepts of how Nitro works.


New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost. Now, this has value. Free basic security training for average users on fundamental computer security, including things like phishing and social engineering, is an amazing gift. Also, how many times have I wanted to point someone into an easy-to-understand multi-factor authentication tutorial? Oh, not often; only every single day.


Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail. Creating solid IAM access policies is hard because you have to know all things an account needs to touch to perform an operation or deliver a service. The IAM Access Analyzer is a total game-changer.


You can review the activity to ensure you don’t see anything nefarious happening, then apply the config generated. Now, you have a working app that has the bare minimum permissions required to function, but blocking all operations outside those things. This prevents many malware from sneakily doing other things.


And now for the tip of the week. Know your compliance requirements; are you a school, preschool, K-12, college? FERPA; are you a medical facility? HIPAA; are you a US government entity? FISMA; are you conducting credit card transactions? PCI; are you storing data on an EU citizen? GDPR. The list goes on, and on, and on.


You need to know every single one of the compliance requirements your systems and people touch. Most of these compliance rules and laws cover a fair amount of the same ground, so compliance with several of them isn’t an order of magnitude more work than compliance with one or two of them. However, it is critical that you have clear documentation for each one on how you are compliant and what processes, or data, or report proves compliance. If you build these processes into your IT or security operations monitoring or reporting system, your life will be far better off than doing it by hand every single time someone asks—or demands—proof of compliance. And that it for the week, folks. Securely yours, Jesse Trucks.


Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.


Announcer: This has been a HumblePod production. Stay humble.

What is Meanwhile in Security?

Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans.

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.

Jesse: Disaster befell much of the middle south of the US when Ida slammed into the coast and plowed its way up north through the land. What does a hurricane have to do with security? Business continuity. Business continuity is the discipline of maintaining business operations, even in the face of disasters of any kind, such as a hurricane-driven storm surge running over the levees and flooding whole towns. If you have all your computing systems in the cloud in multiple regions, then such a disaster won’t fully halt your business operations.

However, you still might have connectivity issues and possibly either temporary or permanent loss of non-cloud systems. Be sure your non-cloud systems have appropriate backups off-site to another geographically disparate location. Better yet, push backups into your cloud infrastructure and consider ways to utilize that data with your cloud systems during a crisis. Hmm, perhaps you’ll like it so much you will push everything else up to the cloud that isn’t a laptop, tablet, or phone.

Meanwhile in the news, Microsoft Azure Cloud Vulnerability Exposed Thousands of Databases. Security for cloud providers can potentially have catastrophic and large scale repercussions. Keep an eye out for any problems that come up that might affect your operations and your data. Do keep in mind your platform has a direct impact on your own risk profile.

Google, Amazon, Microsoft Share New Security Efforts After White House Summit. The National Institute of Standards and Technology—or NIST—is building a technology supply chain framework with the big tech companies, including Apple, Amazon, Google, IBM, and Microsoft, and this is a big deal. I’m sure the fighting amongst those companies will make this initiative die on the vine, but I hope I’m wrong.

New Data-Driven Study Reveals 40% of SaaS Data Access is Unmanaged, Creating Significant Insider and External Threats to Global Organizations. Back to basics: secure your data; lock down those buckets; don’t be stupid. Also, when we’re talking cloud apps and services, there should be no assumption that anyone accessing the application via an obfuscated link or permissions too broad to
effectively secure the data therein.

Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, teleport is open-source and a pleasure to use. Download teleport at goteleport.com. That’s goteleport.com.

Researchers Share Common Tactics of ShinyHunters Threat Group. Put Indicators of Compromise—or IOC—data for the latest APT group or malware into your monitoring tool or tools. It’s possible, depending on the vendor, that there are already detections you can add to your production monitoring. Save some time and look for those pre-made searches, configurations, and scripts before you make your own.

How to automate forensic disk collection in AWS. Automating forensic data gathering is incredibly valuable. This not only has obvious value in security incident response, but it has value in teaching us how these parts in AWS work. This is worth a close read—several times if you need to—to understand how EBS, S3, automating EC2 actions, CloudWatch logging—among other services—operate. There are other pieces to the glue here to learn, as well.

Confidential computing: an AWS perspective. If you use EC2, you need to understand the AWS Nitro System. Their hardware-based approach to their hypervisor for virtualization combined with hardware-based security and encryption is quite well made. Everyone worried about security at all while using EC2—which I argue should be all of you—should know the concepts of how Nitro works.

New in October: AWS Security Awareness Training and AWS Multi-factor Authentication available at no cost. Now, this has value. Free basic security training for average users on fundamental computer security, including things like phishing and social engineering, is an amazing gift. Also, how many times have I wanted to point someone into an easy-to-understand multi-factor authentication tutorial? Oh, not often; only every single day.

Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail. Creating solid IAM access policies is hard because you have to know all things an account needs to touch to perform an operation or deliver a service. The IAM Access Analyzer is a total game-changer.

You can review the activity to ensure you don’t see anything nefarious happening, then apply the config generated. Now, you have a working app that has the bare minimum permissions required to function, but blocking all operations outside those things. This prevents many malware from sneakily doing other things.

And now for the tip of the week. Know your compliance requirements; are you a school, preschool, K-12, college? FERPA; are you a medical facility? HIPAA; are you a US government entity? FISMA; are you conducting credit card transactions? PCI; are you storing data on an EU citizen? GDPR. The list goes on, and on, and on.

You need to know every single one of the compliance requirements your systems and people touch. Most of these compliance rules and laws cover a fair amount of the same ground, so compliance with several of them isn’t an order of magnitude more work than compliance with one or two of them. However, it is critical that you have clear documentation for each one on how you are compliant and what processes, or data, or report proves compliance. If you build these processes into your IT or security operations monitoring or reporting system, your life will be far better off than doing it by hand every single time someone asks—or demands—proof of compliance. And that it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.