Pirates and Castles

Join Jesse as he talks about the two types of security mindsets and why both are wrong, why you should embrace the principle of least privilege, why you’re going to get owned sooner or later if you don’t secure your credentials, why we should teach kids about cybersecurity so they don’t make dumb decisions when they’re adults, how only 17 percent of organizations are encrypting at least half of their data in the cloud, why zero trust is a horrible name for the concept of dynamic contextual authorization, and more.
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.


Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.

Jesse: Every week, I read dozens of articles, hundreds of social media posts on several platforms, and thousands of private messages about cybersecurity. There is one single most pervasive theme from all of them: security messaging is binary; there are generally only two mindsets about security. Both of these are wrong.

First, there’s the sensationalists who dream of being Case, the antihero in Gibson’s novel, Neuromancer, which is, by the way, the greatest dystopian cyberpunk novel ever written. I will fight you on that. These jokers want the world to think they are the first and final defense against the alien invasion of sophisticated and powerful hackers. Really, most of these folks are trying to chase a non-existent adrenaline rush doing defensive security. Don’t get me wrong, I love being a defender. It’s just not strapping a saddle onto a missile and riding into the sunset.

Second, there’s the cyber-doomers who spread fear, uncertainty, and doubt—we call it FUD—about how cyberspace has already collapsed and we’re all on life support while the hackers outside [unintelligible 00:02:06] run amok in pure cyber-anarchy. These purveyors of apocalyptic doomscapes assure us all that culture of no is the only answer to keeping sanity and safety within our control. They live on and trade in fear, but all this does is cost more money and hinder the mission in business. Kelly Shortridge calls this YOLOsec and FOMOsec and does a much better job at this than I can. Go read her blog entry.

Meanwhile, in the news. Why the Worst Cloud Security Predictions Might not Come True. We security people are usually gloom and doomers. It’s our stock and trade.

However, the migration to cloud is moving the exposed attack surfaces. This may not mean an increase in risk for many organizations. This could simply be a shift in risk categories.

First Known Malware Surfaces Targeting Windows Containers. If you run Windows systems in Kubernetes clusters, you may get popped by this one. Once again, following the basic best practices of running everything—yes, I do mean everything—using the minimal amount of permissions possible in your environment, managing your cloud resources is likely your protection. This is called the principle of least privilege.

Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang. This one just feels good. Recovering a few million dollars from ransomware groups is barely a rounding error, but it’s like getting your five pennies back from that bully who stole $25 in 
lunch money from you and your friends.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That’s extrahop.com/trial.

Jesse: TeamTNT attacks IAM credentials of AWS and Google Cloud haven’t I been on message about securing your credentials? I don’t ever believe someone deserves to be attacked and breached, but if you don’t secure your accounts and use the principle of least privilege, you’re likely to get owned sooner rather than later. Stopping the low-hanging fruit.

School Cybersecurity: How Awareness Training Removes Attackers’ Options. The only path to long-term change for things like getting people to stop using links in phishing emails is to teach children not to do these stupid things when they are young. More people won’t do 
stupid security things as adults if they spend their childhood learning how to be smarter about their computer use.

Only 17% of organizations encrypt at least half of their sensitive cloud data. Really people? This is a combination of laziness and not shifting left with security in your development and deployment processes. If your data is encrypted and the inevitable—or pervasive, depending on how bad your security practices are—access misconfiguration exposing your data won’t be catastrophic.

Return to Basics: Email Security in the Post-COVID Workplace. One thing almost every security person agrees on—and data supports—is that there are a handful of basic best practices that mitigate almost all risks. Email is the scourge of modern life—God I hate it—and is full of nasty phishing junk. Get your people to not be stupid about email.

Zero Trust or Bust: What it is and Why it Matters to Data Security. You know I can’t pass up an opportunity to hammer on zero trust. As a co-panelist with me at a conference said to me yesterday, zero trust is a horrible name for the concept of dynamic contextual authorization, but it’s the name that stuck. Whether you’ve heard my soapbox rants on zero trust or not, your homework is to read another pushy article about implementing zero trust.

What the FedEx Logo Taught Me About Cybersecurity. Do you see the arrow? I’ve done some detours through design and logo development, and I’ve seen the FedEx arrow forever now. Go look at the logo they have. Whitespace in visual design being overlooked by most people is a great analogy to explain newer algorithmic security analyses.

How the Rise of the Remote SOC Changed the Industry. This is a cool peek behind the curtain of cybersecurity profession and the dangers. This article brings up ethics, which is something most articles ignore, but most of us in security think about the ethical ramifications of our work every single day.

Organizations Shift Further Left in App Development. This is another topic I like beating on. It’s like I’m building a one-person band of security methodologies. Actually, I’m quite musically inept, so if you really want to have [laugh] some musical fun in cloud security, go listen to Kate Turchin Wang, the cloud security singer on YouTube. She’s awesome.

The Misaligned Incentives for Cloud Security. I often say economics drives behavior. There’s a whole field of study on this called behavioral economics. This article is dry and dense, but it lays out how cloud providers aren’t given reasons to work that hard on security. If you want to follow the rabbit down the hole about behavioral economics and cybersecurity, follow Kelly Shortridge on Twitter, she’s @swagita_. She is both amazing and entertaining.

And now for the tip of the week. This one is easy. Well, maybe not for some of us. Work with me here. Put down your tools. Set aside your technical mission for the moment. Go ask your organizational leaders what they care about in your business or mission. Really talk to them. Send them an email. Be curious and be genuine. You will learn vast amounts more about what your security focus should be and should not be by learning the business.

That’s it for the week, folks, securely yours Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

Join the newsletter

Cloud Security For Humans

checkmark Got it. You're on the list!

Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.

© The Duckbill Group, 2021