Meanwhile in Security

for a chance to form those foundational security memories! Jesse keeps us up to date on your summer security needs as cloud-native micro services become even more complex. The key, Cloud Security Posture Management or CSPM.

In the news: four factors you certainly should include in your cybersecurity strategy, 1 TB data breach cuases leaks in the world of oil, the future of FedRAMP, and more!

Show Notes

Links:
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.


Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It’s an awesome approach. I’ve used something similar for years. Check them out. But wait, there’s more. They also have an enterprise option that you should be very much aware of canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It’s awesome. If you don’t do something like this, you’re likely to find out that you’ve gotten breached, the hard way. Take a look at this. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That’s canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I’m a big fan of this. More from them in the coming weeks.


Jesse: As more services are delivered by cloud-native microservices with dynamic scaling, compliance management and monitoring becomes terrifyingly complex and difficult. The way around this is to implement processes and tools that can continuously monitor and manage compliance-related configurations using automated analysis and reporting of your cloud-native services. This collection of processes and tools is called Cloud Security Posture Management, or CSPM. CSPM generally involves a fair amount of automation to ensure secure practices are used and compliance requirements are continuously met. Implementing CSPM alongside DevSecOps and an organizational focus on shifting left in services development rounds out a tripod to support your cloud initiatives.


Meanwhile, in the news. 4 Factors that Should Be Part of Your Cybersecurity Strategy. Our security perimeters are no longer controlled by our organizations. With so many people working remote, every device on their network has become part of the threat landscape, from connected fridges to game consoles.


‘Software Bill of Materials’—not just good for security, good for business. SBOMs, as they’re called, are coming. Even if there is never a law forcing SBOMs like food ingredients labels, there could be an ever-increasing requirement for vendors to supply them. It might be a good idea 
to start building these, even if they’re only supplied when legally or contractually required.


Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant. This case study is like slowing down to see the aftermath of a crash and trying to piece together what happened. Given the breach came from a vendor, it’s a sideways attack on Aramco. Are you sure your vendors are secure? Thoroughly analyze all your third-party tools and services to ensure they aren’t the weaker link.


Federal Tech Leaders Outline Future of FedRAMP. Changes to FedRAMP are a big deal if they open up options for US federal agencies, or if the FedRAMP process—or its replacement—speed up certification. Many FedRAMP SaaS services lag their commercial counterparts because it takes so long to jump through the FedRAMP approval process. This hurts the market and the federal agencies.


‘Holy moly!’: Inside Texas’ fight against a ransomware hack. Learn from the plight of others before others learn from your plight. Reading case studies of disclosed incidents gives us insight into how doomed we are if we don’t get our act together.


Firefox 90 Drops Support for FTP Protocol. [sigh]. This is the end of an era of wide-open access and abuse. But I’m a little sad and nostalgic for my early computing days. I remember using FTP to get things to my internet-connected host account where I could then use Zmodem or Kermit to download things to my local machine. I remember when using HTML sites were new, but you could still get everything from FTP sites. Ugh, the bad old days.


Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.


Jesse: Lower-Level Employees Become Top Spear-Phishing Targets. We always protect the big fish but the better target for phishing are the people not being closely monitored. If you can trick a system into lateral movement or privilege escalations, you can start with any non-admin user and infiltrate silently. This is why good SIM tools and behavior analysis mechanisms are critical to modern security.


U.S. Government unlikely to ban ransomware payments. Now, this is a relief. This is like making it illegal to pay a kidnapper, even when the kidnapper is not within the U.S. Please try to solve your ransomware problems without paying, but if you must, you must.


The Power of Comedy for Cybersecurity Awareness Training. The Duckbill Group’s own Corey Quinn is the living embodiment of teaching through humor. When we laugh, we remember. Also, there’s a lot of hilarity in security if you lean back and see it all at once. Aren’t we just a series of bad sitcom reruns where all the same tropes are trotted out every season, and you can’t even tell a rerun from a first-run? It’s the same attacks and mostly the same old tired defenses, day in and day out.


Inside the Famed Black Hat NOC. I was inside the DEFCON SOC once and the concentration of security skill and experience in the room was amazing. They were friendly and collegial and great to work with. If a couple dozen people can build a world-class SOC or NOC for an event that lasts only a few days, we can all make some great improvements with the limited resources at home.


Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling. When shifting left and doing DevSecOps, there has to be methods for assessing security issues faced by the systems you build. If you don’t have at least a flashlight, you won’t notably improve security.


5 Benefits of Disaster Recovery in the Cloud. When I first worked with disaster recovery and business continuity, we would ship tapes to a vendor who sets up hardware we were using for recovery from backups exercise on bare-metal systems. Whoo. Wow, have times changed. DR in the cloud could be more about distributed active sites split across regions, and other such fun things instead of slow hardware solutions.


Black Hat USA 2021 and DEF CON 29: What to expect from the security events. The last week of July and/or the first week of August each year is ‘Security Summer Camp’ in Las Vegas, Nevada, in the United States of America. We’ve called this week that for years because in the 
same week in the same city, there is Black Hat, one of the largest security conferences in the world, DEF CON the largest hacker conference in the world, and besides—although this year it’s virtual again—as well as a variety of other events.


And now for the tip of the week. Use Kubernetes. If you want to decouple your services delivery from the underlying systems and infrastructure, look to Kubernetes. If you are building a multi-cloud hybrid strategy, using Kubernetes is likely a great option to reduce your complexity and overhead. And that’s it for the week. Securely yours, Jesse Trucks.


Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.


Announcer: This has been a HumblePod production. Stay humble.

What is Meanwhile in Security?

Cloud security is a minefield of news that assumes the word "Security" is lurking somewhere in your job description. It doesn't have to be this way. Weekly cloud security news for people with other jobs to do. Cloud Security For Humans.