Including Security In DevOps

July 31, 2017

Many companies have been performing DevOps successfully for roughly a decade. The issue has been how to integrate security into the DevOps process. Most companies that I have seen struggle with this because so many silos have been built up over the years, and the teams inside them do not talk to one another. The developers build a beautiful thing that takes code seamlessly from conception, through an automated build and deployment process, and finally to the web for consumers. Most of the time the only part missing is the Security Team.

Over the years the Security Team has done a rather fine job of isolating itself from the development process. It seems to exist only to make sure nothing really bad happens, and its day-to-day work is vulnerability scanning and patching. We need to take it out of that silo and integrate it with the development team. This is where we will see the most bang for the buck, especially in a DevOps culture.

With an integrated Security Team, security tooling (static analysis, dependency and container-image scanning, secret detection) runs as stages of the deployment pipeline, and a build whose findings exceed the agreed risk threshold fails before it is deployed. The team can also discuss planned code changes with developers and redirect design issues, if any are found, before the code is written or deployed, which is far cheaper than fixing them in production.
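
As an added example (not from the article or from Dark Reading), here is the kind of gate a pipeline stage can run over a scanner's findings: anything at or above the policy severity blocks the build unless it has a risk acceptance that has not yet expired. The finding layout, the acceptance file with its expiry dates, and the identifiers VULN-0001 to VULN-0003 are all assumptions made for the example; real scanners emit their own JSON, so `load_findings()` is where a team would adapt it to its tool:

```python
"""Pipeline gate that fails a build on vulnerability-scanner findings.

Added example for this post, not code from the article. The finding layout
and the acceptance format are assumptions: real scanners emit their own JSON,
so load_findings() is where a team would adapt it to its tool.
"""
import datetime as dt
import json
import sys

# Rank severities so a threshold such as "HIGH" can be compared numerically.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample findings in the assumed layout (not any real tool's output).
SAMPLE_FINDINGS = [
    {"id": "VULN-0001", "package": "libssl", "severity": "CRITICAL", "fix_available": True},
    {"id": "VULN-0002", "package": "zlib", "severity": "MEDIUM", "fix_available": True},
    {"id": "VULN-0003", "package": "bash", "severity": "HIGH", "fix_available": False},
]

# Risk acceptances agreed between security and the developers. Each one has an
# expiry so a temporary exception cannot quietly become permanent.
SAMPLE_ACCEPTANCES = {
    "VULN-0003": {"reason": "no vendor fix yet; container runs with a read-only root fs",
                  "expires": "2017-09-30"},
}


def evaluate_findings(findings, acceptances, min_fail_severity="HIGH", today_iso=None):
    """Return (passed, blocking_ids, accepted_ids).

    A finding blocks the build when its severity is at or above
    min_fail_severity and it has no acceptance that is still valid on
    today_iso (an ISO date string; defaults to the current date).
    """
    today = dt.date.fromisoformat(today_iso) if today_iso else dt.date.today()
    threshold = SEVERITY_RANK[min_fail_severity.upper()]
    blocking, accepted = [], []
    for finding in findings:
        rank = SEVERITY_RANK.get(finding["severity"].upper(), 0)
        if rank < threshold:
            continue  # below the policy threshold: report it, but do not block
        acceptance = acceptances.get(finding["id"])
        if acceptance and dt.date.fromisoformat(acceptance["expires"]) >= today:
            accepted.append(finding["id"])
        else:
            blocking.append(finding["id"])
    return (not blocking, blocking, accepted)


def load_findings(path):
    """Load findings from a JSON file (assumed layout: a list of finding dicts)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python gate.py [findings.json]; with no argument the sample is used.
    findings = load_findings(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FINDINGS
    passed, blocking, accepted = evaluate_findings(findings, SAMPLE_ACCEPTANCES)
    for vid in accepted:
        print(f"accepted  {vid}: {SAMPLE_ACCEPTANCES[vid]['reason']}")
    for vid in blocking:
        print(f"BLOCKING  {vid}")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

The exit code is what the pipeline acts on; the expiry check is the part worth keeping, because an acceptance that never expires is the silo reappearing in a different form.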

Let's get rid of those silos and integrate teams.

This article was inspired by DARKReading.


Tips on Container Security

July 31, 2017

The three biggest mistakes companies make with container security:

  • Not tracking known vulnerabilities in the base images and packages the containers are built from
  • Allowing containers to run privileged (or as root with added capabilities, which is nearly the same thing)
  • Failing to integrate containers into a continuous security loop: image provenance, patching, security scanning and policy-based monitoring
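
As an added example (not code from the article or from Help Net Security), the script below checks the output of `docker inspect` for the mistakes above: privileged mode, dangerous added capabilities, running as root, host namespaces, sensitive bind mounts, and images referenced by a mutable tag instead of a digest (the provenance part of the loop). The field names are Docker's real ones; the two container records and the registry name `registry.example.internal` are constructed for the example:

```python
"""Audit `docker inspect` output for the container mistakes listed above.

Added example for this post, not code from the article. It reads the JSON
array that `docker inspect <container>...` prints (the field names are
Docker's own); the two records below are constructed so it runs offline, and
the registry name in them is hypothetical.
"""
import json
import sys

# Added capabilities that hand the container host-level control even when
# --privileged is not set.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

# Host paths that should never be bind mounted into a workload container.
SENSITIVE_MOUNTS = {"/", "/var/run/docker.sock", "/run/docker.sock", "/etc", "/proc", "/sys"}

SAMPLE_INSPECT = [
    {   # constructed: a container started with `docker run --privileged ...`
        "Name": "/web",
        "Config": {"User": "", "Image": "nginx:latest"},
        "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                       "PidMode": "", "NetworkMode": "bridge",
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
    },
    {   # constructed: a hardened container pinned to an image digest
        "Name": "/api",
        "Config": {"User": "10001:10001",
                   "Image": "registry.example.internal/api@sha256:" + "0" * 64},
        "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                       "PidMode": "", "NetworkMode": "bridge", "Binds": None},
    },
]


def _norm_cap(cap):
    """Docker accepts both SYS_ADMIN and CAP_SYS_ADMIN; compare on one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(record):
    """Return a list of (code, detail) findings for one inspect record."""
    findings = []
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}

    if host.get("Privileged"):
        findings.append(("privileged", "runs with --privileged: all capabilities and host devices"))

    bad_caps = sorted({_norm_cap(c) for c in (host.get("CapAdd") or [])} & DANGEROUS_CAPS)
    if bad_caps:
        findings.append(("dangerous-caps", "adds " + ", ".join(bad_caps)))

    user = (cfg.get("User") or "").strip()
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append(("runs-as-root", "no non-root User set; processes run as uid 0"))

    if host.get("PidMode") == "host":
        findings.append(("host-pid", "shares the host PID namespace"))
    if host.get("NetworkMode") == "host":
        findings.append(("host-network", "shares the host network namespace"))

    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in SENSITIVE_MOUNTS:
            findings.append(("sensitive-mount", f"bind mounts {src} from the host"))

    image = cfg.get("Image") or ""
    if "@sha256:" not in image:
        findings.append(("unpinned-image", f"image {image!r} is a mutable tag, not a digest"))
    return findings


def audit_all(records):
    """Map container name -> list of finding codes for a whole inspect array."""
    return {(r.get("Name") or "?").lstrip("/"): [code for code, _ in audit_container(r)]
            for r in records}


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) > inspect.json; python audit.py inspect.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            records = json.load(fh)
    else:
        records = SAMPLE_INSPECT
    for rec in records:
        name = (rec.get("Name") or "?").lstrip("/")
        for code, detail in audit_container(rec) or [("ok", "no findings")]:
            print(f"{name:<12} {code:<16} {detail}")
```

A `dangerous-caps` finding without `privileged` is the case that slips past a simple grep for `--privileged`; CAP_SYS_ADMIN alone is enough to mount filesystems and escape most default confinement.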

View the original article at HELPNETSECURITY.


Nearly 60% of companies don't encrypt corporate emails

July 26, 2017

Even though it is reported that nearly 60% of companies don't encrypt corporate email, it feels like the capability is often in place but not used. From what I have seen in companies that have the feature enabled, most users either don't know it is enabled or don't know how to use it. I would guess that 60% is a low number.

PGP and S/MIME encrypt the message itself, end to end, so it stays protected both in transit and at rest on every mail server along the way (transport encryption such as TLS between servers only covers that hop). Encryption gives confidentiality; a signature additionally gives integrity and verification of the sender. Both schemes have to be set up on the receiving end as well, because the sender needs the recipient's public key or certificate before anything can be encrypted, and I have found that this is normally not the case. That is also why most people still find them cumbersome.

Some companies try to overcome this with secure email portals. Parties log in to an account on the Internet over a TLS-encrypted connection to view and send messages, only within that protected system. Many security vendors offer this as a service, and other companies have built portals in-house. Are they secure? Probably as secure as the next web application: the portal operator can read the messages it stores, so confidentiality rests on that application's access controls rather than on a key only the recipient holds.

I truly believe that the most secure way to send sensitive data is with PGP or S/MIME based encryption.
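
Because the gap described above is between "enabled" and "used", a useful check is whether messages leaving (or arriving at) the organisation are actually encrypted end to end. The script below, added here and not part of the original post, classifies a raw message as PGP/MIME, S/MIME enveloped, inline PGP, signed-only or plaintext using only the standard library. The media types it keys on are the standard ones (RFC 3156 for PGP/MIME, RFC 8551 for S/MIME); the five sample messages, their addresses and their placeholder ciphertext are constructed:

```python
"""Check whether mail is actually encrypted end to end (PGP or S/MIME).

Added example for this post, not code from the article. The media types it
keys on are the standard ones for PGP/MIME (RFC 3156) and S/MIME (RFC 8551);
the messages below are constructed, with placeholder ciphertext, so the
script runs offline.
"""
from email import message_from_string

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

# Constructed sample messages (addresses, subjects and ciphertext are placeholders).
PGP_MIME_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDERCIPHERTEXT=
-----END PGP MESSAGE-----
--b1--
"""

SMIME_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEPLACEHOLDER=
"""

INLINE_PGP_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 numbers
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDERCIPHERTEXT=
-----END PGP MESSAGE-----
"""

SIGNED_ONLY_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="b2"

--b2
Content-Type: text/plain

Attached are the Q3 numbers.
--b2
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

iQEzPLACEHOLDER=
-----END PGP SIGNATURE-----
--b2--
"""

PLAINTEXT_MSG = """\
From: alice@example.org
To: bob@example.org
Subject: Q3 numbers (CONFIDENTIAL)
Content-Type: text/plain

Attached are the Q3 numbers.
"""


def classify_message(raw):
    """Return one of: pgp-mime, smime-encrypted, pgp-inline, signed-only, plaintext."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp-mime"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # enveloped-data is encryption; signed-data in pkcs7-mime is an opaque signature only
        smime_type = (msg.get_param("smime-type") or "").lower()
        return "smime-encrypted" if smime_type == "enveloped-data" else "signed-only"
    if ctype == "multipart/signed":
        return "signed-only"  # integrity and sender verification, but readable by anyone in the path
    for part in msg.walk():
        # Inline (non-MIME) PGP: ASCII armor pasted into a text body
        if part.get_content_maintype() == "text":
            if PGP_ARMOR in (part.get_payload(decode=True) or b""):
                return "pgp-inline"
    return "plaintext"


def encrypted_share(raw_messages):
    """Fraction of messages whose body is actually encrypted end to end."""
    encrypted = {"pgp-mime", "smime-encrypted", "pgp-inline"}
    if not raw_messages:
        return 0.0
    return sum(classify_message(m) in encrypted for m in raw_messages) / len(raw_messages)
```

Signed-only messages are deliberately counted as not encrypted: a signature proves who sent the message and that it was not altered, but every server on the path can still read it.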

The original article, and the idea for this post, appeared on TechRepublic.


Flash to be killed by 2020

July 25, 2017

Adobe has finally set a date for the end of Flash. While Flash was the animation king when it first came out, attackers have used it as an avenue of attack for many years, and exploit kits have routinely shipped Flash exploits. Today we can replace Flash with HTML5, CSS and JavaScript and still have wonderfully rich websites, with the browser's own sandboxed engine as the attack surface instead of a separate plugin.

I personally can't wait for Flash to be gone, and I think a date of 2020 is just too long to wait.


Ensure your G-Suite is Secure

July 25, 2017

There are many cloud applications that people like to use, for both personal and business purposes. The one thing we must remember is that almost all of them have good security controls built in, but the default configuration of those controls may not be what you want, and some settings are easy to misread. Last week I was reading about AWS S3 buckets that leaked data because their ACLs granted read access to the "Authenticated Users" group, which means anyone with any AWS account, not just your own organisation (a new bucket is private by default; someone has to add that grant). Today, in the news, there is a leak because Google Groups had their sharing permissions set more openly than intended. Go through your cloud applications, read the documentation, and set the security controls to the needs of your business.
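
As an added example for the S3 case above (not code from the original post), this script flags the ACL grants that open a bucket to every AWS account or to the world, which is exactly the misreading of "Authenticated Users" behind those leaks, and also any grant to a canonical user other than the owner. It works on the JSON that `aws s3api get-bucket-acl --bucket NAME` returns; the group URIs are AWS's real ones, while the bucket names, canonical IDs and ACLs are constructed:

```python
"""Flag S3 bucket ACL grants that open a bucket beyond the owning account.

Added example for this post, not code from the article. It checks the JSON
shape returned by `aws s3api get-bucket-acl --bucket NAME` (real field names
and group URIs); the bucket names, canonical IDs and ACLs below are constructed.
"""
import json
import sys

# Predefined S3 groups. AllUsers is the public internet; AuthenticatedUsers is
# every AWS account in existence, which is the grant people mistake for "my company".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

SAMPLE_ACLS = {
    "backups-2017": {   # constructed: read granted to "Authenticated Users"
        "Owner": {"ID": "owner-canonical-id"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        ],
    },
    "public-site": {    # constructed: deliberately public, plus a cross-account grant
        "Owner": {"ID": "owner-canonical-id"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
            {"Grantee": {"Type": "CanonicalUser", "ID": "partner-canonical-id"}, "Permission": "WRITE"},
        ],
    },
    "internal-only": {  # constructed: the default state of a new bucket, owner only
        "Owner": {"ID": "owner-canonical-id"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        ],
    },
}


def risky_grants(acl):
    """Return (who, permission) for every grant that reaches beyond the owning account."""
    owner = (acl.get("Owner") or {}).get("ID")
    out = []
    for grant in acl.get("Grants") or []:
        grantee = grant.get("Grantee") or {}
        perm = grant.get("Permission")
        if grantee.get("Type") == "Group":
            uri = grantee.get("URI")
            if uri == ALL_USERS:
                out.append(("anyone on the internet", perm))
            elif uri == AUTHENTICATED_USERS:
                out.append(("any AWS account", perm))
            # LOG_DELIVERY is the S3 access-log writer; not a disclosure risk by itself
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner:
            out.append((f"other account {grantee.get('ID')}", perm))
    return out


def audit_buckets(acls_by_bucket):
    """Map bucket name -> risky grants, listing only buckets that have some."""
    result = {}
    for name, acl in acls_by_bucket.items():
        found = risky_grants(acl)
        if found:
            result[name] = found
    return result


if __name__ == "__main__":
    # Usage: aws s3api get-bucket-acl --bucket NAME > acl.json; python s3acl.py NAME acl.json
    if len(sys.argv) == 3:
        with open(sys.argv[2], encoding="utf-8") as fh:
            acls = {sys.argv[1]: json.load(fh)}
    else:
        acls = SAMPLE_ACLS
    for bucket, grants in audit_buckets(acls).items():
        for who, perm in grants:
            print(f"{bucket}: {perm} granted to {who}")
```

Bucket ACLs are only one way in; a bucket policy can grant public access just as easily, so `aws s3api get-bucket-policy --bucket NAME` deserves the same review.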

Let me know if you need any assistance as I would be more than happy to help.


Hackers snatch 5.5 million social security numbers

July 24, 2017

"Hackers have lifted not only the social security numbers and personal information of half a million job seekers in Kansas – but also records on more than five million people from nine other US states." According to The Register.

The sad part is that the server wasn't taken offline until two days after the breach was noticed. Additionally, since Kansas has no official data breach notification law, and the department claims not to have enough information to contact every individual, it has only sent out 260,000 emails to victims.

The compromised database belonged to the Kansas Department of Commerce and was set up as a job search database, where people could upload their information and potential employers could peruse it for their next hire. The service covered ten states: Arkansas, Arizona, Delaware, Idaho, Kansas, Maine, Oklahoma, Vermont, Alabama, and Illinois.


88% feel vulnerable to data threats

July 24, 2017

The fact that most people feel vulnerable to data threats isn't surprising, given the rise in attacks against retailers and the ever-increasing threat of ransomware. This is according to the Thales 2017 Data Threat Report. One item of interest is that spending on IT security is expected to increase. We need to look at the trends in malware and spend wisely: adapt the protection landscape to the current and evolving threats rather than just upgrading the security appliances of the past.


Sweden leaked every car owners' details last year, then tried to hush it up

July 24, 2017

It looks like back in 2015 Sweden had a huge data leak due to inappropriate handling of data. Instead of performing a proper cleanup, the agency just told the recipients to delete what they had received and then sent the corrected data.

The leak potentially exposes sensitive information about every car owner in Sweden, including "police and military registrations, plus details of individuals on witness protection programs. Individuals in the database include members of the military, including members of special forces units whose identity and photographs are supposed to be secret". This is according to The Register.


Trickbot Targeting US Banks

July 23, 2017

This tricky trojan makes it very hard to spot that anything malicious is happening. The malware author is very creative: it injects JavaScript into the bank's pages inside the victim's browser (a man-in-the-browser attack), so the page the user sees is modified on the fly and the banking credentials are stolen from a site whose URL and certificate look legitimate. On a positive note, variants of the malware have been around since mid-2016, so antivirus products should have signatures for it. However, as we've seen in the past, authors repackage the malware to get past antivirus, so 100% protection isn't guaranteed.

User training is key. Don't click on links in email from your bank; instead, type your bank's URL into the address bar or use a bookmark. That defeats the phishing lure, not an already infected machine: once the trojan is running, the injection happens inside the legitimate page, so the rest of the defence is keeping the endpoint clean and using out-of-band confirmation that shows the actual transaction details on a separate device.


20 Questions for Improving SMB Security

July 21, 2017

How many companies can answer yes to all of these questions? The article I'm linking to is aimed at small and medium-sized businesses. However, I have worked in companies of many different sizes and I don't think any one of them could say "yes, we do all of this". I think it's a great list and something we should all strive for.

Here is the list:

  1. Do we have the relationship we need with our executives and board, and are we regularly in communication with them?
  2. Do we understand the risks and threats that most concern our executives and board?
  3. Do we understand the specific risks and threats targeting our industry and/or geography?
  4. Do we understand what our customers, partners, and other stakeholders are concerned about and what could cause us to lose their trust?
  5. Do we understand which data under our custodianship is the most sensitive and where it resides?
  6. Do we understand the different vulnerabilities that exist within our environment and how those vulnerabilities introduce new or exacerbate existing risks and threats?
  7. If we do understand the risks and threats facing us from these different perspectives, have we taken time to prioritize them?
  8. Have we broken those risks and threats down into goals and priorities and developed a strategic plan to address them?
  9. Do we understand how to assess our current security posture and identify gaps that may keep us from meeting our goals and priorities?
  10. Do we understand how to benchmark ourselves against our peers or others within our industry, geography, or with similar security budgets to understand how we compare?
  11. Do we understand how to leverage the information gained from the benchmarking and assessment process to help us fill gaps and work towards our goals and priorities?
  12. Have we formulated meaningful metrics to help us assess our progress towards our goals and priorities?
  13. Do we have the budget we need to improve our security posture in accordance with our strategic plan?
  14. Do we understand how to show the board the value we currently provide, and how increasing budget will directly translate to mitigating additional risks and threats that the board is concerned about?
  15. Do we know how and where to invest our security budget to achieve the optimal results?
  16. Do we have the people we need to rise to the occasion to combat new and evolving threats?
  17. Do we know what policies and procedures we need to put in place to manage our environment properly?
  18. Are we working with the right partners and vendors to achieve our desired results?
  19. After the initial assessment, strategic planning, and plan implementation, do we have a plan to run security operations on a continual basis to ensure that the environment is monitored and protected at all times?
  20. Are we prepared in the event of a serious incident, and do we know what we would do and how we would handle it?

I encourage you to read the full article at darkreading.