Stop Using Passwords, No Really, Stop
Join Jesse as he explains why you should stop using passwords and use a password vault instead, why you should use passphrases when you have to memorize one and what those passphrases should look like, how password vaults are life-changing in remote environments, yet another reason why security teams should shift left, how cybersecurity is an arms race and why teams should implement algorithmic analysis of environments to find suspicious behavior, how there are 193 billion credential stuffing attempts each year, why you should encrypt all data in transit, and more.
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
- Password strength XKCD: https://xkcd.com/936/
- Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM: https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/
- Misconfiguration of third party cloud services exposed data of over 100 million users: https://blog.checkpoint.com/2021/05/20/misconfiguration-of-third-party-cloud-services-exposed-data-of-over-100-million-users/
- Cost Savings, Better Security Drive Adoption of Emerging Technologies: https://www.darkreading.com/risk/cost-savings-better-security-drive-adoption-of-emerging-technologies/d/d-id/1341081
- Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime and APT Groups: https://www.darkreading.com/attacks-breaches/cobalt-strike-becomes-a-preferred-hacking-tool-by-cybercrime-apt-groups/d/d-id/1341073
- Attackers Took 5 Minutes to Start Scanning for Exchange Server Flaws: https://beta.darkreading.com/threat-intelligence/attackers-took-5-minutes-to-start-scanning-for-exchange-server-flaws
- Credential Stuffing Reaches 193 Billion Login Attempts Annually: https://www.darkreading.com/cloud/credential-stuffing-reaches-193-billion-login-attempts-annually/d/d-id/1341064
- How Ransomware Encourages Opportunists to Become Criminals: https://www.darkreading.com/attacks-breaches/how-ransomware-encourages-opportunists-to-become-criminals/a/d-id/1340953
- American insurance giant CNA reportedly pays $40m to ransomware crooks: https://www.theregister.com/2021/05/22/in_brief_security/
- 79% of observed Microsoft Exchange Server exposures occurred in the cloud: https://www.scmagazine.com/home/security-news/cybercrime/udpos-malware-spotted-exfiltrating-credit-card-data-via-dns-server/
- Google Cloud CISO: Usability must be baked into design of security tools: https://www.scmagazine.com/home/2021-rsa-conference/google-cloud-ciso-usability-must-be-baked-into-design-of-security-tools/
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: Stop using passwords. No really, stop using passwords; use a password vault. Although, when you have to memorize a password to access something that you can’t use the vault to look up, such as to get into your phone or computer to access your vault, use a passphrase. A passphrase is a group of words or a full sentence. See the famous password strength XKCD comic to understand why a passphrase is better.
Pro-tip: do not use easy-to-guess phrases. Don’t use your dog’s name, kid’s name, and your favorite sports team. A good one is ‘dolphinstrollthroughmountains.’ [unintelligible 00:01:38] the period in the end. A bad one is ‘SpotKarengiants.’ I want everyone to know that neither of these has ever been nor ever will be a passphrase used by me; you shouldn’t use them either. At least a few of you will, but you’ve been warned.
Also, my dogs aren’t named Spot. I don’t have a family member named Karen—that I know of—and I don’t really know anything about the Giants except that I think they’re a football team. A password vault is software that stores your passwords in an easily accessible manner. There are several cloud-based services with client software and/or browser plugins, and all of these have family, team, and business or enterprise service levels that allow easily sharing password entries or creating shared vaults for storing accounts. Password vaults are generally between only $4 and $10 per user, per month, even at the family and at the business level, which is a trivial cost even for small businesses. Even my tiny nonprofits use a cloud password vault service; it’s worth every single penny. This will change your life and transform your business, especially in a remote world.
Meanwhile, in the news. Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM. I talk all the time about the value of zero trust architecture—ZTA—and the importance of shifting left to make your applications and services more secure. Building cloud-native software with ZTA integrated at the API call layer is the best way to secure your operations.
Misconfiguration of third party cloud services exposed data of over 100 million users. On cue, there is yet more research showing that cloud apps and services are exposing access credentials or keys to user or service data. If these app developers shift left and integrate better authentication and authorization mechanisms, they could use this for marketing, and gain users and customers.
Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That’s extrahop.com/trial.
Jesse: Cost Savings, Better Security Drive Adoption of Emerging Technologies. I love surveys like this because it gets me a peek into what other people think. This particular one is worth logging into ISACA to download because it shows the importance of organizations and their staff getting proficient with cloud technologies as something to adopt to future-proof your apps and services.
Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime and APT Groups. PowerShell is amazing, but it’s a security nightmare. Attackers use it regularly to set up shop inside your network to own all the things. You should learn about the tactics, techniques and procedures—or TTP—and tools they like to use without having to dive into weedy details.
Attackers Took 5 Minutes to Start Scanning for Exchange Server Flaws. Cybersecurity is an arms race. We’re losing the war, you know. Attackers develop new tools faster than we can develop detections and protections. For this reason, we should all be implementing algorithmic analysis of activity in our environments to find suspicious behavior, even when it isn’t tied to a known attack.
Credential Stuffing Reaches 193 Billion Login Attempts Annually. If you need some more incentive to shift left and implement ZTA, let the number one hundred ninety-three billion password attempts sink in. One hundred ninety-three billion. Also, if you aren’t using a password vault, you might as well just use your hamster’s name with some numbers after it that you keep on a public website, so you can find it easily for all of your passwords.
How Ransomware Encourages Opportunists to Become Criminals. We have cloud this and cloud that, and we call it ‘X as a Service.’ But the bad actors have SaaS offerings, too. Like cloud has revolutionized our businesses and missions, it has done the same for them. Ransomware as a Service? That terrifies me more than almost anything else that has come from the dark underbelly of the interwebs for a very, very long time.
American insurance giant CNA reportedly pays $40m to ransomware crooks. See, it’s the old extortion play, done online. Even if you aren’t a juicy target, are your customers? Long ago, I lost count of the number of very secure enterprises that were breached through a vendor connection of some sort. Treat all things as hostile. Yes, this is another way for me to beat the ZTA drum.
79% of observed Microsoft Exchange Server exposures occurred in the cloud. We all need to stop treating systems run in cloud environments like they’re sitting in our data centers or under our desks. Yes, I used to have a production system under my desk. Oh, the bad old days. You need to do those basic system security steps we’ve talked about for decades when something is out there exposed to the world. Lock down your EC2 or equivalent systems, please.
Google Cloud CISO: Usability must be baked into design of security tools. Some of us few in cybersecurity have been screaming to the chiller fans for decades that most security tools are hard to understand and use. For example, the technology for widespread sending of encrypted emails has been around for over 20 years. I’ve used it. However, the tools are so hard to use for the average computer user, nobody does use them. Our security monitoring and control systems need to be easy to use, or no amount of shifting left will improve your security because nobody will climb the cliff to figure
And now for the tip of the week. Encrypt all data in transit. Period. It’s trivial to implement transport encryption. That just means any data that enters or leaves by the network—thus being transported—is encrypted. Recall the shared responsibility model that separates what you and your cloud provider must secure and manage.
This means you must secure your data at rest and in transit. And you have zero control over what route your data takes between even your own cloud systems or services, which is different than in our own data centers, quite often. So, if you send something, encrypt it. Use TLS, or SSH, or VPN tunnels—which usually use things like TLS and SSH—or any other standardized encryption methods in your systems, available to your APIs, and in your coding libraries. If an app or service doesn’t do this now, go slap in an encrypted tunnel and get that fixed immediately.
And that’s a wrap for the week. Securely yours, Jesse Trucks.
Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.
Announcer: This has been a HumblePod production. Stay humble.
Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.
© The Duckbill Group, 2021