The Grid Has Fallen and It Can't Get Up
Join Jesse as he examines the importance of infrastructure security and touches upon why it’ll take months or years before it catches up to mainstream cybersecurity, why you should never put keys or passwords into your apps in ways that expose your sensitive data, why your team should be practicing DevSecOps if you aren’t already, why you should always assume your systems are flawed and breakable, the future of nation-state hacking and cracking, how there’s a talent shortage in the security space, why it’s important to understand the way government thinks about cybersecurity and tech, and more.
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.
Show Notes:
Links:
- Here’s the hacking group responsible for the Colonial Pipeline shutdown: https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsible-for-colonial-pipeline-shutdown.html
- Biden says ‘no evidence’ Russia involved in US pipeline hack but Putin should act: https://www.theguardian.com/us-news/2021/may/10/colonial-pipeline-shutdown-us-darkside-message
- Colonial Pipeline CEO warns of possible fuel shortages following cyberattack: https://www.foxbusiness.com/technology/colonial-pipeline-ceo-warns-of-fuel-shortages-following-cyberattack
- Colonial Pipeline hackers apologize, promise to ransom less controversial targets in future: https://www.theverge.com/2021/5/10/22428996/colonial-pipeline-ransomware-attack-apology-investigation
- Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys: https://thehackernews.com/2021/05/over-40-apps-with-more-than-100-million.html
- Red Hat bakes cloud security into the heart of Red Hat OpenShift: https://siliconangle.com/2021/04/27/red-hat-bakes-cloud-security-heart-openshift/
- Amazon debuts CloudFront Functions for running lightweight code at the edge: https://siliconangle.com/2021/05/03/amazon-debuts-cloudfront-functions-running-lightweight-code-edge
- Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack: https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html
- New Amazon FinSpace Simplifies Data Management and Analytics for Financial Services: https://aws.amazon.com/blogs/aws/amazon-finspace-simplifies-data-management-and-analytics-for-financial-services/
- Spectre Strikes Back: New Hacking Vulnerability Affecting Billions of Computers Worldwide: https://scitechdaily.com/spectre-strikes-back-new-hacking-vulnerability-affecting-billions-of-computers-worldwide
- America Hacks Itself. Waiting for the Cyber-Apocalypse: https://tomdispatch.com/waiting-for-the-cyber-apocalypse/
- Wanted: The (Elusive) Cybersecurity ‘all-Star’: https://www.darkreading.com/operations/wanted-the-(elusive)-cybersecurity-all-star/d/d-id/1340929
- How to Solve the Cybersecurity Skills Gap: https://securityboulevard.com/2021/05/how-to-solve-the-cybersecurity-skills-gap/
- Most Organizations Feel More Vulnerable to Breaches Amid Pandemic: https://www.darkreading.com/risk/most-organizations-feel-more-vulnerable-to-breaches-amid-pandemic/d/d-id/1340954
- How the COVID-19 Pandemic is Impacting Cyber Security Worldwide: https://innovationatwork.ieee.org/how-the-covid-19-pandemic-is-impacting-cyber-security-worldwide/
- Impact of COVID-19 on Cybersecurity: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
- Biden on cyber security after 100 days: A good start, but now comes the hard part: https://securityboulevard.com/2021/05/biden-on-cyber-security-after-100-days-a-good-start-but-now-comes-the-hard-part/
- Why Software Supply Chain Attacks are Inevitable and what you Must do to Protect Your Applications: https://securityboulevard.com/2021/05/why-software-supply-chain-attacks-are-inevitable-and-what-you-must-do-to-protect-your-applications/
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.
Jesse: Infrastructure security, including both critical physical systems that make our modern human lives possible, and supply chain on critical software systems is the theme of the week—maybe month, or a year—and we need to sit up and pay attention. Our electrical grids, telco systems, fuel pipelines, water supplies, and more, are delicate flowers ready to be stomped by anything with brute force, or eaten away by a swarm of tiny insects. These systems lurk online in the background where most of us don’t see them. However, all these are managed by computerized systems and they aren’t as air-gapped as we would hope they are. Internet of Things—or IoT—operational technology—or OT—and industrial control systems—or ICS—aren’t new security problems to solve. These have been highly vulnerable forever, but now we’re seeing how IoT, OT, ISS security lags far behind mainstream cybersecurity. This is a rapidly changing trend, but we should be worried over the next few months and years, as the security for these things catch up to the rest of the world.
Meanwhile, in the news, “Here’s the hacking group responsible for the Colonial Pipeline shutdown.” And, “Biden says ‘no evidence’ Russia involved in US pipeline hack but Putin should act.” And, “Colonial Pipeline CEO warns of possible fuel shortages following cyberattack,” and, “Colonial Pipeline hackers apologize, promise to ransom less controversial targets in future.” I could list hundreds of more articles on the Colonial Pipeline breach. These are some choice ones you should read to understand the impact of this event. And also hacker groups with sort of a conscience? Hmm.
“Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys.” Wow, just wow. This is the modern equivalent of hard-coding a password in plain text into an app anyone can read. Please don’t be stupid. Don’t put keys or passwords into your apps in ways that expose your whole internal structure and customer or user data to the world.
“Red Hat bakes cloud security into the heart of Red Hat OpenShift.” DevSecOps is like DevOps, but integrating security into the entire process. If you aren’t doing DevSecOps already, you need to start. I like that Red Hat has an offering that makes it easier to adopt for organizations that need a managed service.
“Amazon debuts CloudFront Functions for running lightweight code at the edge.” Using a DevSecOps model is critical when you run code that calls someone else’s functions. CloudFront functions look useful programmatically to deliver a smooth and fast user experience, but be careful about your inputs and outputs and test your code well.
“Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack.” Finally, a patch to install if you use pulse secure. You need to know what’s happening and you need to install the patch. It’s still a good read even if you don’t use the product.
“New Amazon FinSpace Simplifies Data Management and Analytics for Financial Services.” Like many of us, I’m an armchair economist who likes to geeking out over market and economy analysis and trends. AWS FinSpace looks like a combination of a fantastic way to open opportunities for new players in the financial services industry—or FSI—but at the same time, this moves the trust of data integrity and availability into someone else’s hands. When I worked with supercomputers used by chemists, the accuracy and availability of computational results were the most important aspect of the work, so outsourcing some of the fundamental maths makes me fret.
Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That’s extrahop.com/trial.
Jesse: “Spectre Strikes Back: New Hacking Vulnerability Affecting Billions of Computers Worldwide.” Hardware flaws are both esoteric and terrifying. This shows that anything can be compromised given enough willpower and science. Always assume your systems are flawed and breakable and have multiple checks and balances to ensure the efficacy of operations and the integrity of your data.
“America Hacks Itself. Waiting for the Cyber-Apocalypse.” I’m a Cold War spy novel aficionado, and I can’t go a week without reading a story or novel about a dystopian nightmare. You know, like today’s news. Most of the former teaches us about the origins of the latter, and we are living in one of those nightmares now. If you want to understand more about nation-state hacking and cracking, this one is for you.
“Wanted: The (Elusive) Cybersecurity ‘all-Star’,” and, “How to Solve the Cybersecurity Skills Gap.” The whole point of Meanwhile in Security is to help people who don’t do security full time, and this piece expresses my thoughts on the cybersecurity labor market quite well. There are not enough experienced security people on the planet to meet the demands, so everyone has to learn more about security just to get through the day. Repeat this mantra when it gets you down. “I can do it. Security isn’t as hard as security people claim. Remember, I can do it. I can do it. I think I can. I think again.”
Cloud-native businesses struggle with security, you aren’t alone. As more things move to cloud services, security gets more complex and difficult for everyone. These are solvable problems, but it will take an industry shift for it to become easy. It looks worse now than it will be in the near-term future over the next couple of years. We’ll catch up to the bad guys’ methods and mindsets soon enough.
“Most Organizations Feel More Vulnerable to Breaches Amid Pandemic,” and, “How The COVID-19 Pandemic is Impacting Cyber Security Worldwide,” and, “Impact of COVID-19 on Cybersecurity.” There are tons of articles, and surveys, and studies out talking about how cybersecurity has become a larger problem during the global pandemic. It isn’t only SARS-CoV-2 rampaging through our human world. I find it important to understand trends in cybersecurity in any sector or vertical because it helps me understand how to gauge my own risk.
“Biden on cyber security after 100 days: A good start, but now comes the hard part.” It is important to understand how government policies and politics affects the tech industry, and cybersecurity is not any different. The speed of innovation in attacks and defenses usually leaves governments way behind. We should understand how government thinks about these things.
“Why Software Supply Chain Attacks are Inevitable and what you Must do to Protect Your Applications.” I wrote about supply chain attacks recently because it is a scary problem that has shown up in the news with catastrophic results. Everyone managing any type of infrastructure or service needs to understand the nature of the attacks and the associated risks.
And now the tip of the week. Remember the article about exposing AWS access keys? Yeah, don’t do those things. Even AWS tells you not to. Any app or service should be protected using the most limited IAM role you can possibly use, and keys allowing access to those roles should not be embedded directly into code.
Build a process to pull the access credentials when an app launches or connects to your service to initiate the access Instead of putting these things directly into the client systems. You should always be thinking of the ‘least privilege paradigm.’ This means you give a service or user the smallest possible set of access rights to do the job needed. For example, AWS allows you to use AWS Config to track what a service touches. So, in testing, use AWS Config to see what your service needs and limit access to only those minimal things it needs.
And that’s a wrap for the week, folks. Securely yours Jesse Trucks.
Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.
Announcer: This has been a HumblePod production. Stay humble.
Join the newsletter
Cloud Security For Humans
Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.
© The Duckbill Group, 2021