How can you help improve a relationship?

Here are some of the responses to the prompt “how can you help improve a relationship.” The responses are by various people from the community who literally “post-it” their answers on a wall at an LDS visitor center. What is your response?

Please note that the prompt focuses on a single relationship, not several relationships. Is it a family member? Co-worker? Boss? Friend? Neighbor?

How to engage cybersecurity customers

Andrew Townley strikes again with a good piece of advice for engaging with cyber security customers.

1) the conversation isn’t about us, and
2) we need to dial down the jarg-o-meter and industry-speak distortion effects 3x lower than we probably think is necessary.

Speak in terms of outcomes and objectives – what they want and what things do – rather than what things are, how they work, or using “insider” kool kidz terms that keep your seat at the lunch table with your security colleagues and friends.

Side note – the above is from Andrew’s daily email from https://archistry.com/ (09/28/2021, “When it shouldn’t be dialed up to 11.”)

Architecture – A Definition by Andrew Townley

Listen up architecture fans! I came across a great definition of architecture from Andrew Townley. I received this definition via email. I subscribe to receive emails from him. Enjoy!

The truth – and the problem – actually lies in the power of the thing the word “architecture” itself represents. The simplest version of the definition that is always guaranteed to be true is this one:

“The structure of something.”

Many definitions – including mine – add the words “complex” or “carefully designed” to that definition, but they’re not necessary.

Because everything has an architecture.

Everything.

The question is the degree to which it

  1. exhibits complexity, and
  2. has been designed—carefully or otherwise.

Organizations have an architecture, but it isn’t the wires, cables and computers inside it. It’s the collection of governance structures that defines what it is and which work together to deliver the value it creates for its customers. Once you understand this critical point, getting what you want becomes a whole lot easier—

Including security, compliance and true governance.

Key Takeaways – Top Threats to Cloud Computing Report (2020)

I just re-read the “Top Threats to Cloud Computing Egregious Eleven Deep Dive” (2020) by the Cloud Security Alliance. There is a lot of good stuff (or bad stuff, depending on your vantage point). I like this report because it has use cases that illustrate real threats and weaknesses; it is also data-driven, not Elmer F.U.Dd-driven! The report has “Key Takeaways” sections too.


I highly recommend reading it and revising your architecture and processes as needed. I highlighted (in bold) a few key takeaways that are particularly important for you security architects to consider.

Summary

The authors make the following summary statement in the beginning of the report.

Identity and Access Management (IAM) controls were the most relevant mitigation in this year’s report, accounting for 8 of the 9 case studies. Security Incident Management, e-Discovery and Cloud Forensics (SEF), including planning for an attack fallout and executing on the plan was paramount to successfully dealing with all but one of the incidents cited. Both IAM and SEF accounted for 17 controls each.

Key Takeaways

The authors outline the following takeaways:

  1. Data inventory/lifecycle practices for archiving, disposal, and destruction limit data exposure.
  2. Be aware of the cloud service’s metadata that can be exposed with misconfigurations.
  3. Over-privileged cloud apps allow access to too much data when compromised.
  4. Enable Multi-Factor Authentication (MFA) to ensure strong user authentication.
  5. Implement a different set of login credentials for different services on the same platform to ensure compromise of one account does not affect the other services.
  6. User awareness campaigns to ensure users follow security best practices such as the use of a strong and unique password per account.
  7. Data stored in the cloud should be secured through encryption and the use of IAM facilities.
  8. Third-party security service providers should be vetted to make sure they are trustworthy and follow standard security practices.
  9. The agility of cloud services enables more human error, design flaws and policy violations. More investment in control and correction of existing and planned states is necessary.
  10. Cloud services and assets exhibit a broader external attack surface; its discovery and reduction is key.
  11. Sound architecture and design of cloud systems, networks, accounts and identities, as well as other defense-in-depth considerations, are beneficial even for smaller cloud-using organizations and environments.
  12. Consumers have to be aware of the hidden dangers of installing apps on their mobile devices without understanding the true impact on their privacy.
  13. Always protect sensitive data storage via encryption.
  14. Have a detailed, tested incident response plan at the ready, including arrangements for additional network and filter capacity in an emergency.
  15. Perform appropriate threat modeling.
  16. Lower the attack surface through best-practice network design (ACLs, firewalls, port and protocol blocking, deny).
  17. Proper threat modelling allows security architects and developers time to evaluate control gaps.
  18. Security protections built in, not bolted on.
  19. Service provider agreements should clearly state the security responsibilities of the supplier.
  20. Conduct periodic security assurance audits to verify vendor conformance against organizational policies, procedures and standards.

Krebs on Ransomware – Test Your Backups

Like most people in the cybersecurity field, I follow Brian Krebs’ work. Brian posted an article on ransomware on July 19, 2021. Below are the excerpts that I found most interesting. As you reflect on your backup, recovery and testing plans for your personal information (or for your parents, 2nd cousin twice removed or kids) or the critical information for your business or employer, are you making an action plan to revise anything based on these insights (side note: make sure you backup and test the recovery of this new action plan!)?

  1. “the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups is that nobody at the victim organization bothered to test in advance how long this data restoration process might take”
  2. “…victims that have off-site, encrypted backups of their data but discover that the digital key needed to decrypt their backups was stored on the same local file-sharing network that got encrypted by the ransomware.”
  3. “…third most-common impediment to victim organizations being able to rely on their backups is that the ransomware purveyors manage to corrupt the backups as well.”
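The three failure modes quoted above map neatly onto checks a restore drill can automate: time the restore, make sure the decryption key does not live on the share being protected, and verify every restored file against a manifest kept off that share. The script below is an added example, not code from Krebs’ article or this post; the directory layout, file contents and the one-hour recovery time objective are constructed for the demo.

```python
# Added example, not from Krebs or the post: a restore drill for the three failure modes above.
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

def create_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src; return {relative path: sha256} to keep off the share."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            manifest[rel] = hashlib.sha256(f.read_bytes()).hexdigest()
            tar.add(f, arcname=rel)
    return manifest

def key_on_share(key_path: Path, protected_root: Path) -> bool:
    """Failure mode 2: the decryption key sits on the same share the backup protects."""
    try:
        key_path.resolve().relative_to(protected_root.resolve())
        return True
    except ValueError:
        return False

def restore_drill(archive: Path, manifest: dict, key_path: Path,
                  protected_root: Path, rto_seconds: float = 3600.0) -> dict:
    """Restore to a scratch dir, verify each file against the manifest, and time it."""
    findings = {"corrupted": [], "missing": [], "key_on_share": key_on_share(key_path, protected_root)}
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar.getmembers():  # extract only plain files with safe relative names
                    if m.isfile() and not m.name.startswith("/") and ".." not in m.name.split("/"):
                        tar.extract(m, scratch)
        except (tarfile.TarError, OSError):  # failure mode 3: the backup itself is damaged
            findings["corrupted"].append(str(archive))
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                findings["missing"].append(rel)
            elif hashlib.sha256(restored.read_bytes()).hexdigest() != digest:
                findings["corrupted"].append(rel)
    findings["restore_seconds"] = time.monotonic() - start  # failure mode 1: nobody timed the restore
    findings["within_rto"] = findings["restore_seconds"] <= rto_seconds
    findings["ok"] = (findings["within_rto"] and not findings["key_on_share"]
                      and not findings["corrupted"] and not findings["missing"])
    return findings
```

In a real drill the manifest and the key would come from storage the file share cannot write to, and the measured restore time would be compared against the recovery time objective agreed with the business.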

Side note – Check out this “old” ransomware “scenario” from Cisco Talos group. This sounds like a good script to base a purple pen test on.

Krebs, quoting Fabian Wosar from Emsisoft, writes that all “organizations need to both test their backups and develop a plan for prioritizing the restoration of critical systems needed to rebuild their network.” Of course, this is basic blocking and tackling. Some people may consider this blocking and tackling boring when compared to the pen testing of, let’s say, a Tesla, or the forensic analysis of a drone. Let’s be honest (with some sarcasm, but not too much): backup and recovery isn’t as glamorous or exciting when compared to security architecture. Let’s give a shout out to business requirements gathering, threat modelling, security design assessments, or architecture design documentation. Oh yeah!

But let’s be clear: no team ever wins or makes it to the Super Bowl or the “neighborhood championship” unless they get the basic blocking and tackling techniques down! And you can’t get the basic blocking and tackling down unless you make it a priority and practice it. Let’s repeat:

Prioritize it. Practice it.

Prioritize it. Practice it.

And as the saying goes, practice makes perfect (or almost perfect, since after all backups, recovery and test plans are still run by humans, at least until Skynet comes online).

Security Architecture and Reference Architectures – Key Attributes

I recently wrote about a definition and the key attributes of reference architectures. Interestingly, I read an email on July 6, 2021 by Andrew Townley (go to https://archistry.com to subscribe and receive daily updates) on the same topic. Below is an excerpt from the email. It lists other key attributes of a security architecture / reference architecture…enjoy and use it.

In short, a security architecture should not be a “documentation showpiece” like a Ferrari, but a workhorse like a Ford F150…The security architecture (and reference architectures in general)…

gets dirty.
And…most importantly…
It gets used.
It doesn’t sit on some shelf, forgotten and covered in dust.
It doesn’t sit behind glass, on display for all to see how much work was done to create it.
It’s dog-eared, scribbled over and pasted to the walls above everyone’s desk.
Because that’s where they need it.
And they need it because it helps them make the decisions they need to make to do their job every day of keeping the organization safe and serving its customers.