Amazon Web Services (AWS) Security 101

Cloud computing. Or as I like to call it, “computing.”

Who are we fooling, folks? It doesn’t matter if it’s sitting in our data center, in someone else’s data center, or under a desk in our basement: a computer is a computer is a computer. Whether or not the data on that computer is secure, however… that depends pretty heavily on whose job it is to secure it.

Amazon Web Services (AWS) has established themselves as a leader in the “computer in someone else’s data center” market. Despite a few high profile outages every now and then, the fact remains that companies aren’t shying away from moving business critical apps to Amazon’s cloud.

But who’s responsible for securing that infrastructure?

If you answered, “Amazon, of course. Isn’t that what we’re paying them for?” then you’d only be partially correct. Scratch that. You’d be wrong. Just plain wrong.

While cloud security is “job zero” at AWS (their words, not mine), the truth of the matter is that “AWS and its partners offer hundreds of tools and features to help you meet your security objectives around visibility, auditability, controllability and agility,” (again, their words, not mine).

Hundreds. Let that sink in for a sec.

It’s easy to get distracted by all those bright, shiny tools, so easy that you might overlook the fact that someone has to spend time CONFIGURING those tools properly.

That someone, dear reader, is you.

To be fair, some (most?) of the tools come with some basic security features enabled out of the gate. Still, anyone with sec ops experience can tell you that properly configuring, tuning, and maintaining one security tool can take considerable effort.

So how much effort would it take to manage hundreds of security tools?

My best estimate to date is one metric $#!%-ton, but your mileage may vary.

If you have any… ANY business critical processes that rely on AWS, then it would be in your best interest (and your customers’… and your shareholders’…) if you were to familiarize yourself with some basic AWS security do’s and don’ts.

The good news is that Amazon has gone out of their way to make sure you have the info you need.

First and foremost, I strongly recommend that you register for and attend Amazon’s AWS Security Fundamentals online course. Three hours of training, straight from the source, split into five modules:

  • Introduction to Cloud Computing and AWS Security
  • Access Control and Management
  • AWS Security – Governance, Logging, and Encryption
  • Compliance and Risk Management
  • Auditing Your AWS Security Architecture

Did I mention that this particular training is free? Because it is. That’s a tough deal to beat.

If you want to go all in, there’s also the three day Security Operations on AWS course. This one is not free (sorry), but holy criminy, it covers EVERYTHING. If you’ve got a significant investment in your AWS cloud infrastructure, then you should seriously consider setting aside some training dollars for this course.

If you’d rather do a little light reading, AWS has plenty of whitepapers on the topic. The three that I recommend you bump to the top of your list:


If conferences are more your thing, you could always hit up the Amazon Web Services YouTube channel. There, you can watch the 29 videos in their Security & Compliance | AWS re:Invent 2015 playlist. Pick your poison, plug in your headphones, and absorb some critical security knowledge at your leisure in one-hour snippets.

Amazon has a considerable amount of additional training materials available, including self-paced labs and professional certifications, but these options are pay-to-play. Make sure you’re being honest with yourself about the ROI.

Finally, I recommend that you spend a little time on the AWS Security Services page, reading up on those hundreds of tools that Amazon touts (both free and paid). Start with these seven tools:

  • Amazon Virtual Private Cloud (VPC) – Enables you to build and restrict access to your own private cloud (hence the incredibly appropriate name).
  • AWS Trusted Advisor – Includes 40 checks to make sure your AWS deployment is properly configured, focusing on cost optimization, security, fault tolerance, and performance improvement.
  • Amazon Inspector – A more in-depth AWS security controls assessment tool (still in preview, as of February 2016).
  • Scout2 – Okay, so I lied. This isn’t one of Amazon’s tools, but while their Inspector tool is still in preview, you might find this alternative pretty handy.
  • S2N – An AWS implementation of SSL/TLS. Encrypt all the things!
  • AWS Key Management Services (KMS) – Their encryption key management solution. Again, encrypt all the things!
  • Security Monkey – Another lie. You caught me. This one’s a Netflix tool, but given Netflix’s investment in AWS, it should come as no surprise that they roll their own tools.

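Here is the kind of configuration check that VPC security groups, Trusted Advisor’s security category, and Scout2 all revolve around, written out as an added example (my own illustration, not code from the original post and not an AWS tool). It reads the JSON shape that `aws ec2 describe-security-groups --output json` prints and flags any inbound rule that opens an administrative or database port (or every port) to 0.0.0.0/0 or ::/0. The list of sensitive ports and the three sample security groups are constructed for this example.

```python
"""Flag security-group rules that expose sensitive ports to the whole Internet.

Added example, not part of the original post and not an AWS tool. Input is the
JSON shape returned by `aws ec2 describe-security-groups`; the sample groups
below are constructed for this example.
"""
import json
import sys

# Ports that should never be reachable from the whole Internet (assumption for this example).
SENSITIVE_PORTS = {22: "SSH", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 27017: "MongoDB"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0example2", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0example3", "GroupName": "legacy", "IpPermissions": [
            # IpProtocol "-1" means all protocols and all ports; no FromPort/ToPort.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
    ]
})


def rule_is_world_open(rule):
    """True if any IPv4 or IPv6 range on the rule covers the whole Internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_sensitive_ports(rule):
    """Return the sensitive ports (sorted) that fall inside a rule's port range."""
    if rule.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return []  # ICMP and friends carry no port numbers worth checking here
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def audit_security_groups(describe_json):
    """Return (group_id, group_name, port, service) for every world-open sensitive port."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            if not rule_is_world_open(rule):
                continue
            for port in exposed_sensitive_ports(rule):
                findings.append((group["GroupId"], group["GroupName"], port, SENSITIVE_PORTS[port]))
    return findings


if __name__ == "__main__":
    # Real use: aws ec2 describe-security-groups --output json | python sg_audit.py
    data = SAMPLE_DESCRIBE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for gid, name, port, svc in audit_security_groups(data):
        print(f"{gid} ({name}): {svc} port {port} is open to the whole Internet")
```

Run against the constructed sample it reports SSH on the "web" group and all six sensitive ports on the "legacy" group, while the database group (restricted to an internal /16) is silent. The point of the exercise is the one the post makes: the tool exists, but someone still has to decide which ports matter and actually run the check.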

If your budget won’t allow for the hands-on labs, you could always sign up for the AWS Free Tier and create your own labs. The free tier will give you twelve months of access at no cost (hence the name), and it includes access to KMS and Trusted Advisor.

I know I’ve just scratched the surface here, but I’m gonna go ahead and wrap it up before your brain explodes.

AWS security can be big and scary and ridiculously complicated, but it doesn’t have to be. Break it down into bite-sized chunks, start eating that elephant one bite at a time, and… voila: you’re on your way to a secure AWS implementation.

Good luck!

What You Don’t Know About OSINT Can Hurt You

First things first: Open Source INTelligence

It’s okay if you didn’t already know the acronym. InfoSec folks love our TLA’s (Three Letter Acronyms), or in this case, FLA’s. We need to speak faster! No time for love, Dr. Jones!

Sorry. Back on topic…

Any penetration tester worth his/her salt absolutely loves OSINT. Why? Because OSINT activity doesn’t show up in the target’s logs. (Well, hardly ever, but I’ll get to that in a minute.)

When an authorized attacker (i.e., pen tester) or an unauthorized attacker (i.e., criminal) turns to OSINT, that attacker scours publicly available information for tasty little tidbits that can be used to stage an attack that’s likely to be both quick and effective.

How, exactly, do they do this? I’m glad you asked.

For starters, they profile the company by developing an understanding of how the company makes money. They turn to resources like Google Finance, Hoovers, and EDGAR to begin painting that picture.

After profiling the company’s financials, it’s time to start profiling the employees. LinkedIn is an absolute treasure trove of employee info, including names, titles, history with the company, and in the case of many IT employee profiles, a list of the technologies in play on the company’s internal network.

While LinkedIn provides insights into the employees’ lives at work, their lives at home are all over Facebook, Twitter, Pinterest, Tumblr, and Instagram. Info like birthdays, phone numbers, schools attended, family members… in other words, the answers to all their secret questions, are there for the taking.

How well has the company defended themselves against breaches in the past? If the breach has been publicly disclosed, chances are that a summary has been published to the Privacy Rights Clearinghouse. If the company doesn’t know that they’ve been breached yet, then maybe, just maybe, some of the stolen info (i.e., user credentials) has been posted to Pastebin.

Mobile apps? Search iTunes and Google Play. You’d be amazed at what an attacker can learn by pulling down a copy of your Android app and combing through the source code. (Just ask Lenovo…)

Want to know whether or not they do a decent job of protecting encrypted data in transit? Qualys SSL Labs will answer that question for you.

What about web app vulnerabilities? PunkSPIDER will hook you up with the details.

Is their DNS server leaking internal network information? UltraTools Zone File Dump will tell you.

And let’s not forget the mother of all online OSINT tools… SHODAN!!! Details on all the systems the company has connected to the Internet (including open ports), there for you to peruse at your pleasure.

Even if the only thing an attacker knows is your company’s primary Internet domain, that attacker can spend a little time with Netcraft, whois, ARIN, Robtex, and the Hurricane Electric BGP Toolkit, and develop a pretty comprehensive picture of your company’s Internet footprint.

The scariest part? Attackers can gather all of this information… ALL OF IT… without ever touching your network.

So how do we defend against this? The answer is rock simple, folks.

You don’t need to buy anything to gather the exact same OSINT on your own company. Keep in mind you have a key advantage over the attackers: your inside knowledge. Combining that knowledge with your OSINT findings will enable you to close these gaps before an attacker can take advantage of them.

Unauthorized ports open on Shodan? Close them.

Web app vulnerabilities on PunkSPIDER? Fix them.

Zone transfers were successful? Disable them.

Passwords on Pastebin? Change them.

Users oversharing on social media? Train them.

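The “Zone transfers were successful? Disable them.” item is the one on this list you can verify yourself in a few lines, so here is an added example (my own code, not from the original post and not the UltraTools tool). Using only the standard library, it sends one AXFR request over TCP to a name server and classifies the reply from the DNS header: REFUSED or NOTAUTH means transfers are locked down, while NOERROR with answer records means anyone on the Internet can pull your whole zone. The two response messages at the bottom are constructed so the classifier can be checked offline; `try_zone_transfer` is the part you point at your own authoritative servers.

```python
"""Check whether your own authoritative name servers allow zone transfers (AXFR).

Added example, not part of the original post. Run it against name servers for
zones you are responsible for; the fix on BIND is `allow-transfer { none; };`
(or a list of your secondaries). Only the DNS header of the reply is inspected.
"""
import socket
import struct
import sys

AXFR, IN = 252, 1  # QTYPE for a full zone transfer, class IN
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def build_axfr_query(zone, txid=0x1234):
    """Return a DNS query message asking for an AXFR of `zone` (no TCP length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QR=0, RD=0, one question
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in zone.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", AXFR, IN)


def classify_axfr_response(message):
    """Classify a raw DNS reply (no TCP length prefix) from its header alone.

    Returns 'transfer-allowed', 'transfer-denied' or 'error:<RCODE>'."""
    if len(message) < 12:
        return "error:TRUNCATED"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "NOERROR" and ancount > 0:
        return "transfer-allowed"  # the server started streaming the zone
    if rcode in ("REFUSED", "NOTAUTH") or (rcode == "NOERROR" and ancount == 0):
        return "transfer-denied"
    return "error:" + rcode


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or raise if the server hangs up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("name server closed the connection early")
        buf += chunk
    return buf


def try_zone_transfer(nameserver, zone, timeout=5.0):
    """Send the AXFR query to `nameserver` over TCP/53 and classify the first reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)  # DNS over TCP: 2-byte length prefix
        length = struct.unpack("!H", recv_exact(sock, 2))[0]
        return classify_axfr_response(recv_exact(sock, length))


# Constructed replies for offline testing: header plus the echoed question only.
# A real successful reply would also carry the SOA and every record in the zone.
QUESTION = build_axfr_query("example.com")[12:]
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION  # QR=1, RCODE=5
SAMPLE_ALLOWED = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 3, 0, 0) + QUESTION  # QR=1, 3 answers


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: axfr_check.py <nameserver-ip> <zone>")
    print(sys.argv[2], "@", sys.argv[1], "->", try_zone_transfer(sys.argv[1], sys.argv[2]))
```

A secondary name server that you have deliberately authorized will, of course, report “transfer-allowed” when it asks the primary; what you are looking for is that same answer coming from an address that is not on your secondaries list.
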
We’re not talking rocket science here, folks. We’re talking InfoSec 101.

And don’t tell me you don’t have enough time to do this. I’m not buying it, not when you can use Maltego and recon-ng to automate the process.

Side note: If you want to include some activity that will show up in the logs, toss in a little metadata analysis with FOCA and some Google Hacking, and you’re all set. (It’s still going to look like benign web traffic, but at least it’s a start.)

Another side note: What I’ve outlined here is a brief intro to OSINT, what I consider to be the fundamentals. If you’re hungry for more, head on over to Online Strategies and check out a list of OSINT resources long enough to make your eyes water.

Take a few minutes, try a few links, and get a feel for what your company looks like from an OSINT perspective. You might be surprised at what you find.

Want to Fail at Security? COMPLY!

Take a deep, cleansing breath, and say it with me: “Compliance is not security.”

Good. One more time. “Compliance is not security.”

It’s okay. We’re all friends here. No need for false pretenses. We all know how much truth is contained in those four simple words.

Information Security is a tricky business, due largely in part to the fact that both the good guys and the bad guys are an innovative, creative, and (sometimes) devious bunch.

A compliant organization can demonstrate that they have implemented the bare minimum in information security controls. That, or they can sweet talk an auditor into believing that the “compensating controls” are strong enough to meet the intent of the compliance requirement.

Not that it matters, though, since compliance is not security.

You protect your servers with a locked door. I bypass the lock with a lock pick (or a modified hotel keycard, or a coat hanger, or… you get the point). So what do you do? You replace the pin and tumbler lock with something stronger.

Well, shucks. I guess I’m out of luck. Time to throw in the towel (said no determined criminal EVER).

You install a stronger lock, I adapt with a stronger (more devious) attack. Motion and heat sensors? No problem. I’ll just use a Mylar balloon, a warm washcloth, and a little bit of helium (props to Chris Nickerson).

Let’s shift gears and talk about more technical controls. You patch your operating systems? Fine. I’ll target the desktop applications. You keep those patched, too? Well, smell you! Sounds like your web apps might be my best bet, except that your security-minded developers test both their code and their deployed apps for vulnerabilities.

Fine. It looks like you’ve decided to give me a run for my money. I guess I’ll have to resort to (gasp) SOCIAL ENGINEERING.

If I want in… if I really want to deface the website / steal the data / encrypt all the things and then extort payment… then compliance isn’t going to stop me.

Security, though… that’s another matter.

It is absolutely possible (even probable) that a security-minded organization, one that chooses to go above and beyond compliance, will know when they’re being attacked and be able to prevent, detect, and respond to the attack in a manner that minimizes the damage.

So how do we get from here to there? The answer has been right in front of us the entire time: assessments.

Notice I said assessments (plural).

Attackers are going to look at your business, your customers, your employees, your locations, and your infrastructure from multiple perspectives. They’ll keep at it until they find the chink in your armor.

In order to effectively (and proactively) defend against those attacks, you should be doing the following:

  • Compliance Assessment(s). Wait a minute. I JUST said that compliance is not security. I also said that compliance is the bare minimum. Love ’em or hate ’em, compliance requirements like PCI, HIPAA, and NERC/CIP are based on leading information security practices. If you want a good baseline for how prepared you are to defend against attackers who want your data, start with a compliance assessment.
  • Security Controls Assessment. The next assessment you should perform is a security controls assessment based on the security framework that your organization aligns with. NIST (FISMA) is popular among companies who do business with the U.S. Federal Government, while the ISO 27000 series works well for organizations with an international footprint. The CIS Critical Security Controls are another fan favorite, although smaller organizations may find the Common Sense Security Framework a little easier to tackle.
  • Risk Assessment. These assessments are a little trickier. The goal of a risk assessment is to identify potential threats to your organization, to determine how likely it is that those attackers could do damage, and how bad would it be if they were successful. Risk assessments can cover everything from the physical safety of your employees to the mobile apps you have in iTunes and Google Play.
  • Vulnerability Assessments / Penetration Tests. This is where the rubber meets the road. By the time you get to these assessments, you should have a decent understanding of where you’re most exposed (and where an attacker could do the most damage). Vulnerability Assessments help you validate that all your technical controls are working as intended (e.g., your patch management solution is really patching your Internet-facing servers). Penetration Tests allow authorized (ethical) attackers to test your defenses and identify gaps that have gone unnoticed by your security team (and, hopefully, by your attackers).

If you’re doing all of these assessments on a regular basis, then the bad guys are going to have a HELLUVA time getting what they’re after. If you’re skipping any of these assessments, then you have a blind spot, one that criminals won’t hesitate to exploit.

Depending on your organization’s business model, a Privacy Assessment might also be on the table, but that’s an article for another day.

Once you find an assessment process and schedule that works for your organization, turn your attention to automation. There’s no reason to exhaust your people (and your budget) with manual processes that can be replaced by a very small shell script.

Don’t automate everything, though, ESPECIALLY the pen test. If you think automated pen tests are sufficient, then it’s only a matter of time before your organization ends up on a list of publicly disclosed data breaches.

The short version: assess all the things! Your employees, your customers, and your shareholders will thank you for it.

The Curse of the Information Security Professional

Time magazine recently published an article summarizing CareerCast’s research on the most/least stressful jobs.

At the top of the Most Stressful list: Enlisted Military Personnel. That makes PERFECT sense. High physical and travel demands, ridiculously low salary, and life-threatening situations that leave many physically and mentally scarred for the rest of their lives.

What caught my eye, though, was the profession topping the list of least stressful jobs. Drumroll please…

Information Security Analyst.

… what?

I did a little digging into CareerCast’s methodology, and in that context, it actually makes sense. InfoSec pros don’t put their lives on the line day in and day out. We’re paid well, and there’s such a RIDICULOUS shortage of qualified information security professionals that the job market is, well, pretty damned spectacular.

There’s one important factor that I wish CareerCast had included in their methodology, though: Appreciation.

Had CareerCast found a way to measure that variable, I think the end results of their survey would have been a little different.

Let me offer a bit of perspective.

I went to school to be a music teacher. I’ve studied multiple instruments over the course of my life, including piano, trumpet, guitar, bass guitar, and voice, and I love both teaching and making music. When a musician delivers a performance, that musician leaves something with the audience: a memory, an emotion, a connection.

Other artists produce more tangible artifacts. Our society has preserved sculptures, statues, and paintings for literally thousands of years. Filmmakers and recording artists have produced visual and audio creations that we repeatedly enjoy, whether in a movie theater surrounded by hundreds of other moviegoers or in our favorite solo spot with nothing but our headphones for company.

Artists produce artifacts.

But what about folks who work in other industries? What do they produce?

Quite a bit, actually.

If you work in manufacturing, that’s a gimme. Medical? You produce life-altering, often life-saving, medications and procedures. Utilities? The power that keeps the zombie apocalypse at bay is kind of important.

Even if you work in a back office or shared services role, it’s likely that you produce something.

HR? I’d argue that you produce jobs. You help people get hired. Finance? You produce budgets that pay for all the things. Payroll? You produce paychecks. ‘nuff said. IT? As unappreciated as you are, the fact remains that you produce systems and applications that end users rely on.

But what do information security professionals produce?

Wait, wait, wait… Calm down. Unclench your fists and bear with me for a sec.

When we’re on our game, it’s business as usual. Nothing bad happens.

On a good day, the bad guys don’t circumvent application vulnerabilities or system misconfigurations and steal the keys to the kingdom. Websites don’t go down due to denial of service attacks or hardware failures. Malicious employees don’t abuse their access to change data, and overly-trusting employees don’t click on malicious links in unsolicited emails, no matter how desperately they want that $100 Amazon gift card.

Nothing. Bad. Happens.

In other words, information security professionals come in early, stay late, work through lunch, work crazy on-call hours, attend professional meetings, attend conferences, attend training classes, chase certifications, read blogs, and practice hacking virtual machines in their home labs (Yeah, we have home labs. Big whoop. Wanna fight about it?), all with one goal in mind:

To make sure that nothing bad happens.

And at the end of another day when nothing bad happened, when we don’t have anything tangible to show for our efforts, that desire for appreciation (both from others and from ourselves) is often left wanting.

That, folks, is the curse of the information security professional. The fortunate few get decent paychecks and recognition from the powers that be, but all of us… ALL OF US… put in the blood, sweat, and tears necessary to keep the lights on, to keep the websites up, to keep the personal data safe, regardless of whether or not that recognition ever materializes.

We put in the extra hours, driven by a passion to do the right thing, and we both acknowledge and embrace the stress and burnout that comes with the gig. We support each other both online and in person (no easy task for a bunch of socially awkward introverts), and we keep at it day in and day out to ensure that… You guessed it:

Nothing. Bad. Happens.

Personally, I think a career in information security is time well-spent. It’s a stressful gig in an important industry, and I’m grateful to be a part of it. Even more importantly, I encourage folks who want to help out to learn more about working in InfoSec and then apply for one of the hundreds of thousands of open jobs that we’re trying to fill.

And to all my fellow InfoSec pros out there, know this: I appreciate what you do. So do the folks who depend on you, even if they can’t always find the words to express that appreciation.

That said, I hope you can find some small comfort in reciting the successful InfoSec pro’s mantra.

“Do you remember that awful, horrible, expensive incident that NEVER happened? You’re welcome.”

How to Kickstart a Career in Application Security

OWASP NYC (Photo credit: dailylifeofmojo)

A friend and fellow geek recently reached out for some career advice. He’s currently working as an app developer, and he was wondering what steps he could take to steer his career more toward application security.

Since I’m a geek with a degree in music education now working as an information security consultant who also teaches infosec classes all over the world, he thought I might have a tip or two I could share.

Turns out, he was right. 😉

I’ll tell you the first thing I told him: Check out my blog post on how to land a job in information security. While the post isn’t specific to app developers, it does contain some foundational knowledge for anyone debating a move. (Considering how starved the industry is for full-time infosec professionals, I’d appreciate it if you could share that post with anyone you might know who might be interested.)

The next thing I told him was that he should start attending the local OWASP chapter meeting. If you want a career in application security, you need to talk to other security-minded developers, find out what they’re doing in their day-to-day work. Side note: if your city doesn’t have a local OWASP chapter, start one.

I also told him to download some free appsec tools like Burp Suite or Samurai WTF and just start playing around. Another tool I use frequently is OWASP Mantra, a tricked-out version of Firefox that gives you an incredible amount of control over (and ability to interact with) web applications and the infrastructure they reside on.

There are also a TON of hackable practice apps available for you to practice on, including:

If you’re interested in the appsec tool space, NIST’s SAMATE site has an extensive list of tools, broken down by a taxonomy designed to help you find the right tool(s) for your organization. I dig this list because it includes source code security analysis tools as well as web application vulnerability scanners.

Running tools is one thing, but developers who are familiar with the OWASP Testing Guide can dive so much deeper than those who react to only the vulnerabilities that an automated scanner identifies. If you want to test your application security skills, pick a site (that you’ve been authorized to test) and walk through the entire testing guide. Eye-opening…

I also sent him a copy of a presentation I’ve been working on for integrating application security into the software development lifecycle (SDLC). As of this writing, I haven’t posted the presentation to my SlideShare account, but feel free to drop me a line if you want a copy.

If you’re hungry for more application security knowledge, you can also hit up your local library for a few excellent books, including:

Finally, I told him he should ultimately apply that book and lab knowledge toward some real world work. Growing security companies (like the one I work for) are always on the lookout for security talent, and the sooner he (and you) can join in the fight to help these companies secure their web apps, the better.

Your planet needs you. Would you like to know more?

How Much Does an Infosec Pro Make, Anyway?

Money (Photo credit: 401(K) 2013)

First things first: if the only reason you’re considering a career in infosec is the money, maybe infosec isn’t the right career choice for you.

Information security professionals are a passionate lot. If you don’t believe me, attend any infosec convention (Black Hat, DEFCON, ShmooCon, GrrCON, CanSecWest, DerbyCon… the list goes on and on) and attend a talk from someone who’s worked in the trenches for a few years. Better yet, strike up a hallway conversation with another con attendee. You’ll find out exactly how passionate infosec pros are about their jobs in no time.

Information security is a challenging, sometimes frustrating, often times thankless job. However, information security plays a critical role in the global economy, protecting the systems and networks that form the foundation of the Internet, not to mention the systems inside each organization’s network perimeter. The need for information security professionals continues to rise, with a projected 10-year job growth of 23%. This increase has resulted in a dramatically low unemployment rate for information security professionals.

In a field where the demand for qualified professionals is greater than the supply, salaries tend to be very competitive.

According to, here are the median annual salaries (U.S. National Averages) for a few different information security job roles:

  • Data Security Analyst: $74,334 (up to $95,220)
  • Data Security Analyst Senior: $92,317 (up to $113,790)
  • Data Security Manager: $108,982 (up to $136,758)
  • Information Security Director: $143,107 (up to $177,126)
  • Chief Information Security Officer: $168,545 (up to $238,099)

These are attractive salaries, to be sure, but don’t fool yourself into thinking they’ll come easy. These salaries come with experience, dedication, and hard work. Once you decide that you’re ready to pursue a career in information security, the next step is to learn the tools of the trade, and ultimately submit your infosec job application.

Happy job hunting!

How to Land a Job in Information Security

Information Security Wordle: FFIEC IT Examiner’s Handbook (Photo credit: purpleslog)

In July of 2011, the unemployment rate reported by information security analysts was a striking 0%. Not only were information security analysts reporting steady employment, they even reported an increase of 6,000 jobs between the first and second quarter of the same year. Two and a half years later, the Pentagon announced that it planned to add thousands of new cybersecurity jobs.

Sounds like a great time to be employed in the field of information security, doesn’t it?

Understand this: a career as an information security professional isn’t easy. Aspiring infosec professionals struggle to break into the industry, unsure of what skills they need or how to attain those skills. The lucky few who do break into the industry find themselves in a fast-paced, constantly changing industry, where the quest for knowledge is constant, as is the need to sharpen your skills.

It’s a busy, active, frequently stressful career, and most information security professionals wouldn’t change it for the world.

But how does someone outside of the field land a job in information security?

First and foremost, aspiring information security professionals need to understand and be able to explain the foundational concepts of information security. When you find yourself in a job interview with a security manager, you’ll need to be able to explain the CIA triad, the concept of defense-in-depth, and the step-by-step process that you would follow if you were tasked with securing a system or application.

Once you have a solid grasp of basic information security concepts, you need to know which information security job is right for you. Infosec professionals aren’t all cut from the same cloth. Some want to be heads down technicians, hacking away at target systems and finding ways around existing controls. Others want to spend their time writing policies and procedures, ensuring that the security of their organization is sustained through consistent, repeatable procedures. Other information security professionals want to interact with people on the business side of the organization, identifying security requirements and making the case for information security controls when the value of those controls isn’t readily apparent to non-security employees.

A job applicant with a basic understanding of information security frameworks and standards will send a clear message to the hiring manager that he or she understands what external compliance requirements will impact a retail organization versus a home healthcare provider. That same hiring manager is likely to be impressed by a job applicant who comes to the interview already speaking the organization’s internal security language.

For the more technically-oriented positions, job applicants will be expected to demonstrate a hands-on understanding of some of the more common information security tools. If a hiring manager asks you about Nmap, Wireshark, or BackTrack Linux, and you respond with a blank stare, that hiring manager is going to wonder how serious you are about the job.

Finally, an aspiring information security professional who already has one or more industry certifications will have a much easier time getting through the HR screening process and making it to the interview with the hiring manager. While a certification doesn’t automatically make you a security professional, it does send a message that you’ve studied the material and that you’ve retained an understanding of what you studied. More importantly, when you want to make the move to a senior level information security role, the right certifications speak volumes.

When you feel you’re ready to begin applying for information security jobs, visit the job board to see what jobs are currently available in each state. Narrow down your search to positions that fit your interests and your personality, and then submit your application.

Good luck!