Episode Summary
This week in security news: some serious money gets thrown into security, NSA and CISA drop some guidelines, some crucial security questions for your Salesforce application, and more!
Episode Show Notes & Transcript
Links
- $1.3 billion in funding: https://www.reuters.com/technology/cloud-security-startup-lacework-valued-83-bln-after-mammoth-funding-round-2021-11-18/
- NSA and CISA: https://www.csoonline.com/article/3640576/6-key-points-of-the-new-cisansa-5g-cloud-security-guidance.html
- Fined by Singapore’s regulatory authority: https://www.theregister.com/2021/11/18/redoorz_fined_for_massive_data_leak/
- 4 Security Questions to Ask About Your Salesforce Application: https://www.toolbox.com/it-security/security-vulnerabilities/guest-article/security-questions-to-ask-about-salesforce-application/
- Managing temporary elevated access to your AWS environment: https://aws.amazon.com/blogs/security/managing-temporary-elevated-access-to-your-aws-environment/
- Everything you wanted to know about trusts with AWS Managed Microsoft AD: https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/
- Trailscraper: https://github.com/flosell/trailscraper
Transcript
Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.
Corey: Writing ad copy to fit into a 30-second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days, or weeks. Visit Qtorque.io today, and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.
Corey: Happy Thanksgiving. Lacework raised an eye-popping $1.3 billion in funding last week. I joke about it being a result of them sponsoring this podcast, for which I thank them, but that’s not the entire story. “Why would someone pay for Lacework when AWS offers a bunch of security services?” Is a reasonable question. The answer is that AWS offers a bunch of security services, doesn’t articulate how they all fit together super well, and the cost of running them all on a busy account likely exceeds the cost of a data breach. Security has to be simple to understand. An architecture diagram that looks busier than a London Tube map is absolutely not that. Cloud services are complex, but inside of that complexity lies a lot of room for misconfiguration. Being condescendingly told after the fact about AWS’s Shared Responsibility Model is cold comfort. Vendors who can simplify that story and deliver on that promise stand to win massively here.
Now, let’s see what happened last week. The NSA and CISA have a new set of security guidelines for 5G networks. I’m sorry, but what about this is specific to 5G networks? It’s all about zero trust, assuming that any given node inside the perimeter might be compromised, and the like. None of this is particularly germane to 5G, so I’ve got to ask, what am I missing?
A company called RedDoorz—spelled with a Z, because of course it is—was fined by Singapore’s regulatory authority for leaking 5.9 million records. That’s good. The fine was $54,456 USD, which seems significantly less good? I mean, that’s “Cost of doing business” territory when you’re talking about data breaches. In an ideal world it would hurt a smidgen more as a goad to inspire companies to do better than they are? Am I just a dreamer here?
I found a list of 4 Security Questions to Ask About Your Salesforce Application, and it is great, and I don’t give a toss about the Salesforce aspect of it. They are, one, who are the users with excessive privileges? Two, what would happen if a legitimate user started acting in a suspicious way? Three, what would happen if a threat actor gained access to sensitive data through a poor third-party integration? And, four, what would happen if your incident log is not properly configured? These are important questions to ask about basically every application in your environment. I promise, you probably won’t like the answers—but attackers ask them constantly. You should, too.
Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills, and building a good community that is rich and full of IT and engineering professionals. You wouldn’t think those things go together, but sometimes they do. It’s both useful for individuals and large enterprises, but here’s what makes this something new—I don’t use that term lightly—Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks, you’ll have a chance to prove yourself. Compete in four unique lab challenges where they’ll be awarding more than $2,000 in cash and prizes. I’m not kidding: first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey—C-O-R-E-Y. That’s cloudacademy.com/corey. We’re going to have some fun with this one.
Corey: Now, from the mouth of AWS horse, there was an interesting article there. Managing temporary elevated access to your AWS environment. Now, this post is complicated, but yes, ideally users shouldn’t be using accounts with permissions to destroy production in day-to-day use; more restricted permissions should be used for daily work, and then people elevate to greater permissions only long enough to perform a task that requires them. That’s the Linux ‘sudo’ model. Unfortunately, implementing this is hard and ‘sudo zsh’ is often the only command people ever run from their non-admin accounts.
And one more. Everything you wanted to know about trusts with AWS Managed Microsoft AD. Look, I don’t touch these things myself basically ever. I haven’t done anything with Active Directory since the mid-naughts, and I don’t want to know anything about them. That said, I do accept that others will care about it and that’s why I mention it. I’m here for you.
And lastly, as far as tools go, have you ever tried to work with CloudTrail logs yourself? Yeah, you might have noticed the experience was complete crap. This is why I talk about trailscraper, which I discovered last week. It makes it way easier to look for specific patterns in your logs, or even just grab the logs in non-compressed format to work with more easily. And that’s what happened last week in the world of AWS security. Next week is re:Invent, and Lord alone knows what nonsense we’re going to uncover then. Strap in, it’s going to be an experience. Thanks for listening.
Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.
Announcer: This has been a HumblePod production. Stay humble.