And then a not-a-miracle occurs…
It’s a perfect fall Sunday morning here in Phoenix. After a brutally hot summer the air is cool, the sky is clear, and the fresh air is drifting into the hotel ballroom while I wait for my daughter to take the stage in the Irish dance regionals competition. The schedule is a little behind, so I’m sitting here on my iPad catching up on the security newsletters and posts that usually pile up during the week when I’m more focused on my own deliverables. During the week I tend to do a decent job of keeping up with the latest cloud security feature releases, but I tend to fall behind on the breach and vulnerability reports. There are… a lot of breach and vulnerability reports. One of the wild things about having started early in cloud security is that I’ve witnessed the progression from a nascent technology that neither attackers nor defenders really had a good handle on, to our current high-stakes eternal cat and mouse game. As a defender I consider it absolutely essential to read every teardown of every breach I can get my hands on (usually published by incident response service companies), while also keeping up on the latest vulnerability research. Which brings me back to the ballroom. As I close the last browser tab, the accordion and keyboardist playing an Irish reel (or maybe a jig, I really am bad at music), I realized I was instinctively mentally sorting these reports into three buckets: Yada yada “exposed credentials” yada yada a complex series of steps yada yada. Yada yada “excessive privileges” yada yada a complex series of steps yada yada. Yada yada “public facing with a known vulnerability” yada yada a complex series of steps yada yada. Of the dozen reports I’ve sorted through today, a mix of breach walkthroughs and novel attack patterns from vulnerability researchers, every single one fit into these three buckets. Like they do every week. Look, learning about more advanced attack patterns is important. Knowing how to trace and contain an incident once it progresses past the initial access is an increasingly rare and valuable skill set. And finding and fixing all the drops of misconfigurations and exposures in my buckets, at scale, ain’t easy. But it’s all too easy to get lost in the complexity, especially when you haven’t been doing this cloud security stuff for a while. Just remember, this isn’t rocket science. Stamp out static credentials, turn on MFA, and stop putting vulnerable crap on the Internet. That should keep you busy for a while. Maybe someday Chris and I will need to re-prioritize the Universal Cloud Threat Model. But today I’ll watch a little dance, enjoy a little sun, and maybe catch up on some comic books during the breaks. Share: