Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: Last April, I went to a secret training camp. We studied the entire AWS functional objection orientation language services—or FOOLS—suite of tools and APIs. The first public rollout of AWS FOOLS-supported products is already an amazing success. AWS Infinidash took the internet by storm. This product is such an amazing way to quickly dash into production all your FOOLS-coded projects.
I’m looking forward to the UDB service, AWS Infinitdiscus, where you toss your data to the cloud, the automated problem-solving tool, AWS Infinihurdle, where you leap over virtual objects, and the non-ephemeral cloud-native microservice, AWS Infinimarathon, where you can run microservices for long-running batch jobs. Sadly, I suspect the all-in-one API product AWS Infinitriathlon won’t see the light of day because the project participants keep dropping out before it’s finished. I hope they finish someday. I feel like it’s a new day dawning with AWS FOOLS. This is a watershed moment as momentous as the day we discovered Agile over waterfall.
Meanwhile, in the news.
Fake Amazon cloud service AWS InfiniDash quickly goes viral. [laugh]. This turned into a fantastic and fun internet meme that won’t be going away anytime soon. Also, everything I said above about AWS FOOLS is a joke. This is not real. I’m sure there will be reports about AWS FOOLS soon enough, now.
7 Unconventional Pieces of Password Wisdom. Passwords suck. We all know they suck. We all hate them. However, we will always need to memorize a few passwords. Set passwords you can remember but are hard to guess and make them as long as the site or application will allow. Passphrases are far superior, of course.
SolarWinds Discloses Zero-Day Under Active Attack. Okay, let’s be honest. If I gave you every urgent patch announcement, this whole publication would be a boring list of stuff to install. Be sure to watch your vendors for patches and everything else.
Autonomous Security is Essential if the Edge is to Scale Properly. Mobile edge computing—or MEC—and other edge service delivery models are becoming more critical as we move to more cloud-native applications with low latency needs. These applications operate at speeds humans can’t ever track, so automated responses are the only way to keep them monitored or secure.
Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: Digital Habits During Pandemic Have Lasting Impact. The gin isn’t merely out of the bottle. The bottle is shattered, melted down, and reformed into artwork to remind us of the distant past. People changed how they use their computers and personal devices, and their online behavior is now forever altered. Don’t expect a return to historical behaviors to come with a return to offices.
Are Security Attestations a Necessity for SaaS Businesses? There’s a fair amount of debate as to whether security attestations of compliance to things like SOC 2 levels or ISO 27001 have any value. My general approach is to indicate they are necessary when it makes an impact on your business or mission; otherwise, it doesn’t really matter much.
How to Improve Cybersecurity for Your Business? We security people never get tired of reminding everyone how some basic concepts implemented into business practices and production systems make for far better security than the world’s most crazy and new SIEM, or honeypot, or red team. I figure if I keep reminding everyone of this in different ways, someone out there might just follow the advice. Also, I’m sure most of you won’t, or your organizations won’t let you.
CISA Analysis Reveals Successful Attack Techniques of FY 2020. Imagine my not surprise when phishing links are at the top, followed by application exploits, and then phishing attachments. Knowing the popular attack methods helps you guide your defenses and your security with more effectiveness and efficiency.
How Predictive AI will Change Cybersecurity in 2021. AI is an overused marketing buzzword, but doing tons of math can make sense of the world. The volume and complexity of security operations today make doing cybersecurity impossible without lots of math.
And now for the tip of the week. Taking a lesson from the whole AWS Infinidash meme, don’t use a cloud service, software, systems, or even a coding library unless you really need to use it. Less is more here, as in, fewer things to secure is more security without having to work as hard. Everything that happens to the computerized ecosystem must be secured in some fashion. This means controlling accounts, authentication, and access authorization.
This includes ensuring data integrity at every step of data being written or read. This encompasses every single bit of code that runs every time something executes within the ecosystem, on behalf of the ecosystem, or for outside services, and touches the data in and related to the ecosystem. This means every single thing you use that you don’t need is added risk and additional ways someone can attack and breach your systems and get at your resources and data. If you don’t need it, don’t use it. If you no longer need something, turn it off and stop using it. What’s better than turning off services you don’t need? Never turning them on in the first place. And that’s it for the week, folks. Securely yours, Jesse Trucks.
Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.
Announcer: This has been a HumblePod production. Stay humble.