July 31, 2017
Many companies have been performing DevOps successfully for roughly a decade. The issue has been how to integrate security within the DevOps process. Most companies that I have seen struggle with this, since so many silos have built up that teams do not talk to one another. The developers build this beautiful thing that takes code seamlessly from conception through an automated deployment process and finally to the web for consumer consumption. Most of the time the only part missing is the Security Team.
Over the years the Security Team has done a rather fine job of isolating themselves and not participating in the development process. They only seem to exist to make sure nothing really bad happens. They do their normal vulnerability patching and scanning. However, we need to take them out of this silo and integrate them with the development team. This is where we will see the most bang for the buck, especially in the DevOps culture.
With an integrated Security Team, we can have security tools integrated within the deployment pipeline to ensure the code is secure. We can have discussions with developers regarding planned code changes and redirect issues (if found) prior to code getting developed or deployed.
Let's get rid of those silos and integrate teams.
This article was inspired by DARKReading.
July 31, 2017
The 3 biggest mistakes companies make with container security:
View the original article at HELPNETSECURITY.
July 26, 2017
Even though it is reported that nearly 60% of companies don't encrypt corporate emails, it feels like the process to enable this technology might be in place but not used. From what I have seen within companies that have this feature enabled, most users either don't know it's enabled or don't know how to use it. I would guess that 60% is a little low.
While encrypting email in flight provides confidentiality, integrity, and verification of the sender, most people still find it cumbersome to figure out. PGP and S/MIME are the two cryptographic ways to encrypt native email communication, but either one also has to be set up on the receiving party's end, and I have found that this isn't normally the case.
Some companies try to overcome this by creating secure email portals to exchange information. This is where parties have to log in to an account on the Internet over an SSL-encrypted tunnel to view and send email (only within this protected system). There are many security companies that offer this service, and other companies have built them in-house. Are they secure? Probably as secure as the next application.
I truly believe that the most secure way to send sensitive data is by using PGP or S/MIME based encryption.
The original article, and the idea for this post, appeared on TechRepublic.
July 25, 2017
Adobe has finally set a date at which they are going to kill Flash. While Flash was known as the animation king when it first came out, hackers have been using it as an avenue of attack for many years. Today, we can replace Flash with HTML5 and still have wonderfully rich websites with minimal security risks to the users.
I personally can't wait for Flash to be gone, and I think a date of 2020 is just too long to wait.
July 25, 2017
There are many cloud applications out there that folks like to use for both personal and business purposes. The one thing that we must remember is that almost all cloud applications have very good security built right into them. However, the default configurations for these security features may not be what you desire. Last week I was reading about AWS S3 buckets that by default allow anyone with an AWS account to have read access. Today, in the news there is a leak due to Google Groups not having the appropriate permissions set. Go through your cloud applications, read the documentation, and set the security to the needs of your business.
Let me know if you need any assistance as I would be more than happy to help.
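One way to catch the S3 case described above is to audit each bucket's ACL for grants to the two global groups (anonymous users, and any authenticated AWS account). The example below is added here and is not from the original post; it assumes the ACL dict shape returned by boto3's `get_bucket_acl()` and runs offline on a constructed sample ACL.

```python
"""Flag S3 bucket ACL grants that expose a bucket to everyone or to any AWS account.

Added example, not from the original post. It assumes the dict shape that
boto3's S3.Client.get_bucket_acl() returns, so a live ACL can be fed in unchanged.
"""
from typing import Dict, List

# Pre-defined S3 global groups. A grant to AuthenticatedUsers means *any* AWS
# account in the world, not just your own; a grant to AllUsers means anonymous access.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
RISKY_GROUPS = {ALL_USERS: "everyone (anonymous)", AUTHENTICATED_USERS: "any AWS account"}


def find_risky_grants(acl: Dict) -> List[str]:
    """Return one finding per grant that targets a global group, naming its permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants are scoped to one specific account
        uri = grantee.get("URI", "")
        if uri in RISKY_GROUPS:
            findings.append(f"{grant.get('Permission')} granted to {RISKY_GROUPS[uri]}")
    return findings


# Constructed sample ACL in the get_bucket_acl() shape: the owner holds FULL_CONTROL,
# but a second grant hands READ to the AuthenticatedUsers group (the misconfiguration).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    # To audit a real bucket, replace SAMPLE_ACL with
    # boto3.client("s3").get_bucket_acl(Bucket="<bucket-name>") for each bucket you own.
    for finding in find_risky_grants(SAMPLE_ACL):
        print("RISK:", finding)
```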
July 24, 2017
"Hackers have lifted not only the social security numbers and personal information of half a million job seekers in Kansas – but also records on more than five million people from nine other US states," according to The Register.
The sad part about it is the server wasn't taken offline for two days after they noticed the breach. Additionally, since Kansas has no official data breach notification laws, and they also claim not to have enough information to contact every individual, they have only sent out 260,000 emails to victims.
The compromised database belonged to the Kansas Department of Commerce and was set up as a job search database. This is where people could upload their information and potential employers could peruse it for their next employee. The service also served other states, including: Arkansas, Arizona, Delaware, Idaho, Kansas, Maine, Oklahoma, Vermont, Alabama, and Illinois.
July 24, 2017
The fact that most people feel vulnerable to data threats isn't surprising with the increase in attacks against retail and the ever-increasing threat of ransomware. This is according to the Thales 2017 Data Threat Report. One item of interest was that spending on IT Security was expected to increase. We need to look at the trends of malware and spend wisely. It's time to adapt our security protection landscape to combat the current and evolving threats and not just upgrade the security appliances of the past.
July 24, 2017
Looks like back in 2015 Sweden had a huge data leak due to inappropriately handling data. Instead of performing a proper cleanup, they just told the recipients to delete what they had received and sent the correct data.
The leak potentially exposes sensitive information about every car owner in Sweden. This includes "police and military registrations, plus details of individuals on witness protection programs. Individuals in the database include members of the military, including members of special forces units whose identity and photographs are supposed to be secret". This is according to The Register.
July 23, 2017
This tricky trojan makes it very hard to spot that anything malicious is happening. The coder of the malware is very creative, using special JavaScript injection in order to perform a man-in-the-middle attack and steal banking credentials. On a positive note, variants of the malware have been around since mid-2016, so antivirus protection should be good. However, as we've seen in the past, authors usually change the malware to get past antivirus. So, 100% protection isn't guaranteed.
User training is key. Don't click on links in email from your bank. Instead, type the URL for your bank into the address bar.
July 21, 2017
How many companies can answer yes to all of these questions? The article that I'm linking to has to do with small- to medium-sized businesses. However, I have worked in many different sizes of companies and I don't think that any one of them could say, "yes, we do all of this." I think it's a great list and something that we should all strive for.
Here is the list:
I encourage you to read the full article at darkreading.