Attacks, Tools, and Ails

How do you understand attacks? This week Jesse tells us. The function of software languages, and how hardware memory works are places to start. Join Jesse as he takes a look at the attacks that often result in security breaches and offers some advice on how to alleviate them. In the news: re:Inforce canceled in Houston, cue Marty Robbin’s for IBM’s Big Iron, how small healthcare is under threat from cyberattacks, and more!
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.


Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary weeks ahead.


Jesse: There are many types of attacks that result in security breaches. To understand how many of them work, you need to understand how software languages function and how the hardware operations work in memory and in the CPU. However, you can learn a lot about security without having to learn those things. You can look at some of the attack vectors and gain a high-level understanding of what is happening. For example, man in the middle, or MITM, attacks are when someone inserts malicious code into the communication of two entities. That MITM service will capture communications, make a copy, then send it along like normal.


A buffer overflow happens when the allocated memory space for some type of input—whether it's the contents of a file or dialog boxes and the like—is less than the amount of input. In simpler terms, there is a bucket available for input. The attacker pours more water into the bucket than the bucket can handle. The result is that code in memory could be overwritten and become executable. So, you can learn about security flaws without digging under the surface to see what is actually happening. However, I strongly urge anyone doing security-related things to learn more about these attack types, and the others.


Meanwhile in the News. AWS Cancels re:Inforce Security Conference in Houston Due to COVID-19. The closings have begun. Dust off those creator lights, and prep that mic on your desk. In the wake of last year’s lockdowns and sudden remote working, there was a huge spike in phishing and other scams. Don’t be caught in this round.


Cloud-native security benefits and use cases. If you have a multi-cloud or a hybrid SaaS and self-managed systems in cloud providers or in data centers, it's possible you need different security tools. Don't go all cloud-native just because you have an initiative to do so. Slow down and ensure your security meets the needs of all your technology and services, not just the new and shiny ones.


The state of cloud security: IaC becomes priority one. Cloud-native services are far too complex to do traditional cybersecurity. Truly cloud-native services need cloud-native monitoring systems. Consider Infrastructure as Code, or IaC, as part of a comprehensive solution in your process.


Takeaways from Gartner's 2021 Hype Cycle for Cloud Security report. If you only read this one because the headline is awesome, I think that's okay. Gartner's evaluations are often seen as deep truths into impenetrable markets. Don't forget though, Gartner simply looks at all the parameters that are quantifiable and makes a judgement of comparison between products. They are valuable reports, yes, but they should never be the only deciding factor in making decisions on products to use.


IBM upgrades its Big Iron OS for better cloud, security, and AI support. Don’t worry if you aren’t running z/OS. Most people aren’t. However, if you are using z/OS, this looks to be a solid upgrade, assuming your systems meet the requirements et cetera, et cetera, et cetera.


Securing cloud environments is more important than ever. I post a lot of foundational articles that talk about different—and sometimes the same—aspects of cybersecurity. I do this because there are so many of you who haven't implemented even one of my suggestions yet. Please read this one if you've ignored my earlier warnings.


Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.


The Misunderstood Security Risks of Behavior Analytics, AI & ML. Finally, someone with a realistic view of artificial intelligence—or AI—and machine learning—or ML. First, there is zero AI in generally available security software. None. They are not autonomous machines with the ability to think for themselves and make nuanced judgements. ML implies a feedback loop for self-tuning, based on the calculated confidence interval of the results. This is a lot to do on the fly with security data feeds, but some products do implement some ML, or at least make it available. The upshot is this: AI and ML are marketing terms. Grill your vendor on what the math is doing.


Accenture Says it ‘Detected Irregular Activity,’ Restored Systems from Backup. Oops. Don’t forget, we all get popped someday. Please remember, we’ll all get embarrassingly owned someday. How you recover, how fast you detect, and how fast you identify root causes are far more important than a tiny news article talking about how you got popped.


Google Releases Tool to Help Developers Enforce Security. Yay, automated code analysis and testing. This is great. If you are running Google products and services, this helps your transition to shift left and introducing true DevSecOps.


How to Make Your Next Third-Party Risk Conversation Less Awkward. Talking to vendors or open-source project teams about security issues in their code or services can be tough. You don’t want to come off as completely suspicious and untrusting, however, you shouldn’t come across as not caring or implying security isn’t important, either.


Cost of Cyberattacks Significantly Higher for Smaller Healthcare Organizations. Take heed, you smaller healthcare organizations. Ransomware tends to target critical infrastructure and hospitals because there is a higher probability of getting paid than there is for different verticals.


And now for the tip of the week. You should have a network scanner that performs routine scans all the time. This is true of cloud-hosted systems, as well. Don’t scan at the exact same time or in the same order in a day. Splay the times so it’s a bit less predictable.


Bring the scan data results into your SIEM and use it to help baselines, produce alerts, and generally to improve visibility of the current risk levels and overall security posture. Active scanning like this is valuable in several ways, such as enumerating what devices are answering on your network or networks. This can be input into your configuration management database, or asset list as well. Also, either the SIEM or the scanner will likely provide a way to map findings to the known security flaws in your systems. And that’s it for the week, folks. Securely yours, Jesse Trucks.


Jesse: Thanks for listening. Please subscribe and rate us on Apple Podcasts, Google Podcasts, Spotify, or wherever you listen to podcasts.


Announcer: This has been a HumblePod production. Stay humble.

Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.

© The Duckbill Group, 2021