Meanwhile in Security

In an age of fail-themed YouTube compilations and memes, do we even fail gracefully anymore? If we do, or ever did, what does it mean to do so? Join Jesse this week as he ponders pontifically on the possibilities of how to do just that. Jesse asks why we let the old systems crash and burn instead of taking a gentle bow as they leave the stage. Tune in to a success compilation on the hows and whys of doing so.

Following up with the latest in security news: how the world of cyber security is reacting to John McAfee’s death, avoiding the dangers of cloud migration, Zoom’s onslaught of security challenges in the wake of the pandemic, and much more.

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.


Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.


Jesse: I’ve heard the term ‘fail gracefully’ hundreds of times. What the heck does that really mean? Most people don’t think too hard on how their system should gracefully bow out rather than the old school method of complete failures and horrible restarts. Resilient software engineering is the discipline of making software and systems fail in ways that minimize and isolate failures while continuing to deliver service and availability. Basically, it means if you have a failure from hardware or dependencies, like a database, your service continues to work correctly and the broken parts just get shut down and replaced.


Cloud-native software using microservices or even dynamically deployed containers or systems is the perfect way to implement resiliency in your operations. Look toward the next development cycle of your software and systems to begin implementing this immediately if you don’t already have this in place. None of this really makes sense until you see an example, so think of it this way: you have a web-based service for customers to see their account profile and order history. It’s built to scale with containers using AWS Elastic Kubernetes Service—or EKS—and it is designed so that when a system throws errors of any kind, that container is closed down. Then the AWS Elastic Load Balancer—or ELB—service points all subsequent requests to a different container instance in EKS.


In that scenario, if a container is breached in a security event, or if something simply fails due to a software bug or data corruption, the service recovers by tossing a new system while yanking out the old system. This is security by designing self-healing IT systems. You get both security and stability for the same effort. This is DevSecOps in practice and shows how a shift-left mindset for your organization is the best possible approach for your business or mission.


Jesse: Meanwhile, in the news. Cybersecurity industry reacts as antivirus pioneer John McAfee found dead. Sure, John McAfee was clearly in his own blend of strange and eccentric, but he launched an entire industry vertical 34 years ago. The computer age has been around long enough now that the founders of the early megacorps are all fading away. Don’t forget our history, and if you ever ask yourself, “What would John McAfee do?” please go do the opposite, unless you plan on launching a successful business.


Storms & Silver Linings: Avoiding the Dangers of Cloud Migration. This reminds me of the weeping and gnashing that happened every time some new wiki went up at various jobs and projects. I learned to hate wikis because they were always horribly organized and always out of date. Heed the advice here: if it’s out of date, archive it somewhere else and don’t migrate to your shiny new cloud.


7 ways technical debt increases security risk. Fixing old software in a fast-moving world is like the scope creep of how much stuff we acquire between moving houses or offices. You can either take advantage of touching everything to purge and organize, or you can blindly shove it all in a box and move it. We all think we’ll get around to fixing it later. Nope. We don’t. We increase our risk in ways we can’t see. Go fix your stuff.


New DNS Name Server Hijack Attack Exposes Businesses, Government Agencies. There is so much information someone can gather about your organization by collecting information that was supposed to go to you. AWS closed this hole, but not all DNS services have. DNS is a resilient service, but it was never designed with modern attacks in mind. I love DNS and I hate DNS. You should too.


CISO Jason Lee on Zoom’s response to its pandemic security challenges. Explosive growth is scary; 30X growth in months is terrifying. Zoom did it. Can you? Very few companies can stay functioning, let alone secure in those situations.


Software-Container Supply Chain Sees Spike in Attacks. I don’t think I’ve beaten the drum of supply-chain attacks enough. These are on the rise now that there is a great example of how effective they are. I sure hope you’ve secured your supply chain. I’m sure you haven’t, but we can always hope.


Four states propose laws to ban ransomware payments. This is a bit like making it illegal to pay kidnappers or terrorists. I know many companies will get owned and pay anyway, and regulations to stop money flowing to criminals are nothing new. There will be loopholes found and exploited, like in all things. Keep up with what laws affect your organization and how you perform security. To stop ransomware pandemic, start with the basics. We security people repeat ourselves constantly because implementing the basic security defenses mitigates most risk for most organizations. Please go do at least the CIS top five if you can’t do all of them.


Senators propose bill to help tackle cybersecurity workforce shortage. The US federal government is pushing hard on cybersecurity now that they were owned in front of the whole world by the SolarWinds and MS Exchange debacles. As at most companies, cybersecurity seems to be an afterthought in budgets and priorities, until the media gets to pummel them for weeks on end in the news.


Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.


Jesse: Expecting the Unexpected: Tips for Effectively Mitigating Ransomware Attacks in 2021. Much of the advice I see for mitigating any horrific attack is a huge amount of labor, but all the work is necessary. Ransomware can wipe out whole backups, destroy codebases that aren’t recoverable, and steal or, even worse, publicly disclose your secrets. Don’t think you are ready for a large ransomware attack. These things are driven by people who have studied your systems and might have been in them for weeks.


What Lies Ahead for K-12 Cybersecurity? As the president and principal of a small elementary school and a technologist, I’ve implemented mostly cloud services to support the school operations and classroom work. Many of us in tech who work with large organizations in state, local, and higher ed—called SLED—national or federal governments, and large corporations forget that there are small and mid-sized businesses—or SMBs—and K through 12 schools that also have the same concerns we do. After all, we all run Windows, macOS, Unix, and Linux, middleware, and cloud services.


How to Protect Healthcare Data from Ransomware Attacks. If all of us protected our data like we ought to for protected or personal health information—or PHI—and personally identifiable information—or PII—then we’d have far fewer breaches and even less exfiltration and disclosure of our private information.


And now for the tip of the week. Introducing software resiliency is far from trivial, so let’s look at how to get started understanding this. First, to understand what this all means, read some primers like System Resilience: What Exactly Is It? from the Carnegie Mellon University Software Engineering Institute and Resilience Engineering: An Introduction from BMC’s DevOps blog. Then look at how to implement this: Charting a path to software resiliency is a Medium piece written for the Walmart Global Tech blog, and 7 Best Practices to Build and Maintain Resilient Applications and Infrastructure is a piece on The New Stack by Kris Beevers of NS1. There are hundreds of quality resources out there on these subjects, but this should get you started on your new path to a brighter, cloudier future. And that’s it for the week, folks. Securely yours, Jesse Trucks.


Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.


Announcer: This has been a HumblePod production. Stay humble.

What is Meanwhile in Security?

Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans.