Pirates and Castles
Join Jesse as he talks about the two types of security mindsets and why both are wrong, why you should embrace the principle of least privilege, why you’re going to get owned sooner or later if you don’t secure your credentials, why we should teach kids about cybersecurity so they don’t make dumb decisions when they’re adults, how only 17 percent of organizations are encrypting at least half of their data in the cloud, why zero trust is a horrible name for the concept of dynamic contextual authorization, and more.
- Blog entry: https://swagitda.com/blog/posts/on-yolosec-and-fomosec/
- Why the Worst Cloud Security Predictions Might not Come True: https://securityintelligence.com/articles/worst-cloud-security-predictions-not-true/
- First Known Malware Surfaces Targeting Windows Containers: https://www.darkreading.com/vulnerabilities—threats/first-known-malware-surfaces-targeting-windows-containers/d/d-id/1341230
- Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang: https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/
- TeamTNT attacks IAM credentials of AWS and Google Cloud: https://www.scmagazine.com/home/security-news/cloud-security/teamtnt-attacks-iam-credentials-of-aws-and-google-cloud/
- School Cybersecurity: How Awareness Training Removes Attackers’ Options: https://securityintelligence.com/articles/how-awareness-training-improves-school-cybersecurity/
- Only 17% of organizations encrypt at least half of their sensitive cloud data: https://www.scmagazine.com/home/security-news/only-17-of-organizations-encrypt-at-least-half-of-their-sensitive-cloud-data/
- Return to Basics: Email Security in the Post-COVID Workplace: https://beta.darkreading.com/vulnerabilities-threats/return-to-basics-email-security-in-the-post-covid-workplace
- Zero Trust or Bust: What it is and Why it Matters to Data Security: https://securityintelligence.com/posts/zero-trust-why-it-matters-data-security/
- What the FedEx Logo Taught Me About Cybersecurity: https://www.darkreading.com/vulnerabilities—threats/what-the-fedex-logo-taught-me-about-cybersecurity/a/d-id/1341118
- How the Rise of the Remote SOC Changed the Industry: https://securityintelligence.com/articles/work-from-home-remote-soc/
- Organizations Shift Further Left in App Development: https://www.darkreading.com/application-security/organizations-shift-further-left-in-app-development/d/d-id/1341219
- Kate Turchin Wang YouTube: https://www.youtube.com/c/KeynoteSinger
- The Misaligned Incentives for Cloud Security: https://securityboulevard.com/2021/05/the-misaligned-incentives-for-cloud-security/
- Kelly Shortridge Twitter: https://twitter.com/swagitda_
First, there’s the sensationalists who dream of being Case, the antihero in Gibson’s novel, Neuromancer, which is, by the way, the greatest dystopian cyberpunk novel ever written. I will fight you on that. These jokers want the world to think they are the first and final defense against the alien invasion of sophisticated and powerful hackers. Really, most of these folks are trying to chase a non-existent adrenaline rush doing defensive security. Don’t get me wrong, I love being a defender. It’s just not strapping a saddle onto a missile and riding into the sunset.
lunch money from you and your friends.
stupid security things as adults if they spend their childhood learning how to be smarter about their computer use.
Only 17% of organizations encrypt at least half of their sensitive cloud data. Really people? This is a combination of laziness and not shifting left with security in your development and deployment processes. If your data is encrypted and the inevitable—or pervasive, depending on how bad your security practices are—access misconfiguration exposing your data won’t be catastrophic.
Return to Basics: Email Security in the Post-COVID Workplace. One thing almost every security person agrees on—and data supports—is that there are a handful of basic best practices that mitigate almost all risks. Email is the scourge of modern life—God I hate it—and is full of nasty phishing junk. Get your people to not be stupid about email.
And now for the tip of the week. This one is easy. Well, maybe not for some of us. Work with me here. Put down your tools. Set aside your technical mission for the moment. Go ask your organizational leaders what they care about in your business or mission. Really talk to them. Send them an email. Be curious and be genuine. You will learn vast amounts more about what your security focus should be and should not be by learning the business.
That’s it for the week, folks, securely yours Jesse Trucks.
Join the newsletter
Cloud Security For Humans
Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.© The Duckbill Group, 2021