Amazon Web Services (AWS) Security 101

Cloud computing. Or as I like to call it, “computing.”

Who are we fooling, folks? It doesn’t matter if it’s sitting in our data center, in someone else’s data center, or under a desk in our basement: a computer is a computer is a computer. Whether or not the data on that computer is secure, however… that depends pretty heavily on whose job it is to secure it.

Amazon Web Services (AWS) has established themselves as a leader in the “computer in someone else’s data center” market. Despite a few high profile outages every now and then, the fact remains that companies aren’t shying away from moving business critical apps to Amazon’s cloud.

But who’s responsible for securing that infrastructure?

If you answered, “Amazon, of course. Isn’t that what we’re paying them for?” then you’d only be partially correct. Scratch that. You’d be wrong. Just plain wrong.

While cloud security is “job zero” at AWS (their words, not mine), the truth of the matter is that “AWS and its partners offer hundreds of tools and features to help you meet your security objectives around visibility, auditability, controllability and agility,” (again, their words, not mine).

Hundreds. Let that sink in for a sec.

It’s easy to get distracted by all those bright, shiny tools, so easy that you might overlook the fact that someone has to spend time CONFIGURING those tools properly.

That someone, dear reader, is you.

To be fair, some (most?) of the tools come with some basic security features enabled out of the gate. Still, anyone with sec ops experience can tell you that properly configuring, tuning, and maintaining one security tool can take considerable effort.

So how much effort would it take to manage hundreds of security tools?

My best estimate to date is one metric $#!%-ton, but your mileage may vary.

If you have any… ANY business critical processes that rely on AWS, then it would be in your best interest (and your customers’… and your shareholders’…) if you were to familiarize yourself with some basic AWS security do’s and don’ts.

The good news is that Amazon has gone out of their way to make sure you have the info you need.

First and foremost, I strongly recommend that you register for and attend Amazon’s AWS Security Fundamentals online course. Three hours of training, straight from the source, split into five modules:

  • Introduction to Cloud Computing and AWS Security
  • Access Control and Management
  • AWS Security – Governance, Logging, and Encryption
  • Compliance and Risk Management
  • Auditing Your AWS Security Architecture


Did I mention that this particular training is free? Because it is. That’s a tough deal to beat.

If you want to go all in, there’s also the three day Security Operations on AWS course. This one is not free (sorry), but holy criminy, it covers EVERYTHING. If you’ve got a significant investment in your AWS cloud infrastructure, then you should seriously consider setting aside some training dollars for this course.

If you’d rather do a little light reading, AWS has plenty of whitepapers on the topic. The three that I recommend you bump to the top of your list:


If conferences are more your thing, you could always hit up the Amazon Web Services YouTube channel. There, you can watch the 29 videos in their Security & Compliance | AWS re:Invent 2015 playlist. Pick your poison, plug in your headphones, and absorb some critical security knowledge at your leisure in one-hour snippets.

Amazon has a considerable amount of additional training materials available, including self-paced labs and professional certifications, but these options are pay-to-play. Make sure you’re being honest with yourself about the ROI.

Finally, I recommend that you spend a little time on the AWS Security Services page, reading up on those hundreds of tools that Amazon touts (both free and paid). Start with these seven tools:

  • Amazon Virtual Private Cloud (VPC) – Enables you to build and restrict access to your own private cloud (hence the incredibly appropriate name).
  • AWS Trusted Advisor – Includes 40 checks to make sure your AWS deployment is properly configured, focusing on cost optimization, security, fault tolerance, and performance improvement.
  • Amazon Inspector – An agent-based assessment service that checks your EC2 instances for known vulnerabilities and deviations from security best practices (still in preview, as of February 2016).
  • Scout2 – Okay, so I lied. This isn’t one of Amazon’s tools, but while their Inspector tool is still in preview, you might find this alternative pretty handy.
  • s2n – Amazon’s open source TLS implementation. It’s a library you build into your own software, not a service you switch on in the console. Encrypt all the things!
  • AWS Key Management Services (KMS) – Their encryption key management solution. Again, encrypt all the things!
  • Security Monkey – Another lie. You caught me. This one’s a Netflix tool that watches your AWS accounts for policy changes and alerts on insecure configurations, but given Netflix’s investment in AWS, it should come as no surprise that they roll their own tools.
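
Here is the kind of check that Trusted Advisor, Scout2 and Security Monkey all run for you, written out by hand so you can see what “properly configured” actually means. This is an added example, not code from the original post or from any of those tools. It walks the structure that `aws ec2 describe-security-groups` returns and flags every rule that exposes a sensitive port to the whole Internet. The security group data is constructed for the example, and the list of “sensitive” ports is an assumption you should tune to your own environment.

```python
import ipaddress

# Constructed sample shaped like the "SecurityGroups" list that
# `aws ec2 describe-security-groups` (or boto3's describe_security_groups)
# returns. Only the fields this check reads are included; the group IDs
# and names are made up.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",
        "GroupName": "web-public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0e9f8a7b",
        "GroupName": "db-internal",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0c0ffee1",
        "GroupName": "wide-open",
        "IpPermissions": [
            # IpProtocol "-1" means every protocol and every port.
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Ports that should never be reachable from the whole Internet. This list
# is an assumption for the example; extend it to match your environment.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_sensitive_ports(permission):
    """Return the (port, service) pairs from SENSITIVE_PORTS that one
    IpPermission entry covers."""
    proto = permission.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS.items())
    if proto not in ("tcp", "udp"):
        return []
    low, high = permission.get("FromPort"), permission.get("ToPort")
    if low is None or high is None:
        return []
    return [(p, s) for p, s in sorted(SENSITIVE_PORTS.items()) if low <= p <= high]


def find_world_open_sensitive(security_groups):
    """Flag every security group rule that exposes a sensitive port to
    the whole Internet (IPv4 or IPv6)."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [s for s in sources if is_world_open(s)]
            if not world:
                continue
            for port, service in exposed_sensitive_ports(perm):
                findings.append({
                    "GroupId": group["GroupId"],
                    "GroupName": group["GroupName"],
                    "Port": port,
                    "Service": service,
                    "Source": ", ".join(world),
                })
    return findings


if __name__ == "__main__":
    # Against a live account you would feed in
    # boto3.client("ec2").describe_security_groups()["SecurityGroups"].
    for f in find_world_open_sensitive(SAMPLE_SECURITY_GROUPS):
        print("{GroupId} ({GroupName}): {Service}/{Port} open to {Source}".format(**f))
```

Run against the sample it flags SSH on the web group and all seven sensitive ports on the “wide-open” group; 443 to the world and MySQL restricted to 10.0.0.0/16 are left alone, which is exactly the judgement call the tools make for you and that you still have to review.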


If your budget won’t allow for the hands-on labs, you could always sign up for the AWS Free Tier and create your own labs. The free tier will give you twelve months of access at no cost (hence the name), and it includes access to KMS and Trusted Advisor.

I know I’ve just scratched the surface here, but I’m gonna go ahead and wrap it up before your brain explodes.

AWS security can be big and scary and ridiculously complicated, but it doesn’t have to be. Break it down into bite-sized chunks, start eating that elephant one bite at a time, and… voila: you’re on your way to a secure AWS implementation.

Good luck!

What You Don’t Know About OSINT Can Hurt You

First things first: Open Source INTelligence

It’s okay if you didn’t already know the acronym. InfoSec folks love our TLAs (Three Letter Acronyms), or in this case, FLAs. We need to speak faster! No time for love, Dr. Jones!

Sorry. Back on topic…

Any penetration tester worth his/her salt absolutely loves OSINT. Why? Because OSINT never touches the target’s systems, so OSINT activity doesn’t show up in the target’s logs. (Well, hardly ever, but I’ll get to that in a minute.)

When an authorized attacker (i.e., pen tester) or an unauthorized attacker (i.e., criminal) turns to OSINT, that attacker scours publicly available information for tasty little tidbits that can be used to stage an attack that’s likely to be both quick and effective.

How, exactly, do they do this? I’m glad you asked.

For starters, they profile the company by developing an understanding of how the company makes money. They turn to resources like Google Finance, Hoovers, and EDGAR to begin painting that picture.

After profiling the company’s financials, it’s time to start profiling the employees. LinkedIn is an absolute treasure trove of employee info, including names, titles, history with the company, and in the case of many IT employee profiles, a list of the technologies in play on the company’s internal network.

While LinkedIn provides insights into the employees’ lives at work, their lives at home are all over Facebook, Twitter, Pinterest, Tumblr, and Instagram. Info like birthdays, phone numbers, schools attended, family members… in other words, the answers to all their secret questions, are there for the taking.

How well has the company defended themselves against breaches in the past? If the breach has been publicly disclosed, chances are that a summary has been published to the Privacy Rights Clearinghouse. If the company doesn’t know that they’ve been breached yet, then maybe, just maybe, some of the stolen info (i.e., user credentials) has been posted to Pastebin.

Mobile apps? Search iTunes and Google Play. You’d be amazed at what an attacker can learn by pulling down a copy of your Android app and combing through the source code. (Just ask Lenovo…)

Want to know whether or not they do a decent job of protecting data in transit? Qualys SSL Labs will grade their TLS configuration (protocol versions, cipher suites, certificate chain) and answer that question for you.

What about web app vulnerabilities? PunkSPIDER will hook you up with the details.

Is their DNS server leaking internal network information? UltraTools Zone File Dump will tell you.
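
What does “leaking internal network information” look like once you have the dump in hand? The following is an added example, not part of the original post and not a tool from UltraTools. It parses a zone dump in the format a successful AXFR hands back (you can pull one yourself with `dig axfr example.com @ns1.example.com`) and flags records that point into RFC 1918 space or whose host names advertise infrastructure you probably didn’t mean to advertise. The zone contents, the domain and the list of suggestive name fragments are all constructed for the example; 203.0.113.0/24 is a documentation range standing in for the company’s real public addresses.

```python
import ipaddress

# Constructed zone dump in the format a successful AXFR (or a zone file dump
# tool) hands back. The domain and addresses are made up.
SAMPLE_ZONE = """\
example.com.              3600 IN SOA   ns1.example.com. hostmaster.example.com. 2016021001 7200 900 1209600 300
example.com.              3600 IN NS    ns1.example.com.
example.com.              3600 IN MX    10 mail.example.com.
ns1.example.com.          3600 IN A     203.0.113.2
www.example.com.          300  IN A     203.0.113.10
mail.example.com.         300  IN A     203.0.113.25
vpn.example.com.          300  IN A     203.0.113.40
intranet.example.com.     300  IN A     10.10.5.20
dev-jenkins.example.com.  300  IN A     192.168.40.12
printer-3f.example.com.   300  IN A     172.16.9.31
db01.example.com.         300  IN CNAME intranet.example.com.
"""

# RFC 1918 space plus IPv6 unique local addresses. None of this belongs in a
# zone the public can read.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Host name fragments that tend to mark infrastructure you did not mean to
# advertise. This list is an assumption for the example; grow it over time.
SUGGESTIVE = ("vpn", "intranet", "dev", "jenkins", "printer", "staging",
              "test", "admin", "git", "jira", "wiki", "db")


def parse_zone(text):
    """Parse 'name [ttl] IN type rdata...' lines into (name, type, rdata) tuples.
    Comments and lines that are not IN-class records are skipped."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";"):
            continue
        # Drop the optional TTL so the class keyword is always at index 1.
        if len(tokens) > 2 and tokens[1].isdigit():
            del tokens[1]
        if len(tokens) < 4 or tokens[1].upper() != "IN":
            continue
        records.append((tokens[0].rstrip(".").lower(), tokens[2].upper(), tokens[3:]))
    return records


def is_internal(addr):
    """True when the address falls inside RFC 1918 or IPv6 ULA space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_leaks(records):
    """Flag records that point at internal address space or whose host name
    suggests internal infrastructure. Each finding carries its reasons."""
    findings = []
    for name, rtype, rdata in records:
        reasons = []
        if rtype in ("A", "AAAA") and is_internal(rdata[0]):
            reasons.append("internal address " + rdata[0])
        label = name.split(".")[0]
        hits = [k for k in SUGGESTIVE if k in label]
        if hits:
            reasons.append("suggestive name (" + ", ".join(hits) + ")")
        if reasons:
            findings.append({"name": name, "type": rtype, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_leaks(parse_zone(SAMPLE_ZONE)):
        print("%-26s %-5s %s" % (finding["name"], finding["type"],
                                 "; ".join(finding["reasons"])))
```

Three of the five findings in the sample are private addresses sitting in a public zone, which is a map of the internal network handed out for free. The other two (the VPN concentrator and a database alias) are public-facing, but their names tell an attacker where to aim.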

And let’s not forget the mother of all online OSINT tools… SHODAN!!! Details on all the systems the company has connected to the Internet (including open ports and service banners), there for you to peruse at your pleasure. The results come from Shodan’s own scanners, so they’re a snapshot rather than a live scan, but that also means the target never sees you looking.

Even if the only thing an attacker knows is your company’s primary Internet domain, that attacker can spend a little time with Netcraft, whois, ARIN, Robtex, and the Hurricane Electric BGP Toolkit, and develop a pretty comprehensive picture of your company’s Internet footprint.

The scariest part? Attackers can gather all of this information… ALL OF IT… without ever touching your network.


So how do we defend against this? The answer is rock simple, folks.


You don’t need to buy anything to gather the exact same OSINT on your own company. Keep in mind you have a key advantage over the attackers: your inside knowledge. Combining that knowledge with your OSINT findings will enable you to close these gaps before an attacker can take advantage of them.

Unauthorized ports open on Shodan? Close them.

Web app vulnerabilities on PunkSPIDER? Fix them.

Zone transfers were successful? Disable them.

Passwords on Pastebin? Change them.

Users oversharing on social media? Train them.

We’re not talking rocket science here, folks. We’re talking InfoSec 101.

And don’t tell me you don’t have enough time to do this. I’m not buying it, not when you can use Maltego and recon-ng to automate the process.

Side note: If you want to include some activity that will show up in the logs, toss in a little metadata analysis with FOCA and some Google Hacking, and you’re all set. (FOCA fetches the documents straight from the target’s web servers, so those requests land in their web logs. It’s still going to look like benign web traffic, but at least it’s a start.)
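
To show what the metadata step actually turns up, here is an added example (not code from the original post, and not FOCA) that pulls the identity-revealing properties out of an Office document. Every .docx, .xlsx and .pptx is a zip archive carrying docProps/core.xml and docProps/app.xml, which is where author names, DOMAIN\user strings, company names and software versions live. The document below is constructed in memory and contains only those two parts (a real file also carries the body and [Content_Types].xml); the user, domain and company names in it are made up.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# XML namespaces used by the two property parts inside every .docx/.xlsx/.pptx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")
APP_FIELDS = ("Application", "AppVersion", "Company", "Template")


def extract_office_metadata(data):
    """Pull the identity-revealing properties out of an Office Open XML file
    given as bytes. Returns a dict keyed by property name."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        parts = set(archive.namelist())
        if "docProps/core.xml" in parts:
            root = ET.fromstring(archive.read("docProps/core.xml"))
            for field in CORE_FIELDS:
                element = root.find(field, NS)
                if element is not None and element.text:
                    found[field.split(":")[1]] = element.text.strip()
        if "docProps/app.xml" in parts:
            root = ET.fromstring(archive.read("docProps/app.xml"))
            for field in APP_FIELDS:
                element = root.find("ep:" + field, NS)
                if element is not None and element.text:
                    found[field] = element.text.strip()
    return found


def account_hints(metadata):
    """Split DOMAIN\\user style values into what an attacker actually wants:
    the Windows domain name and the user naming convention."""
    hints = set()
    for key in ("creator", "lastModifiedBy"):
        value = metadata.get(key, "")
        if "\\" in value:
            domain, user = value.split("\\", 1)
            hints.add((domain, user))
        elif value:
            hints.add((None, value))
    return sorted(hints, key=lambda h: (h[0] or "", h[1]))


# Constructed stand-in for a document pulled off the target's web site: a zip
# containing only the two property parts the extractor reads. Names are made up.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>jsmith</dc:creator>
 <cp:lastModifiedBy>ACME\\jsmith</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2015-11-03T14:22:00Z</dcterms:created>
</cp:coreProperties>"""

APP_XML = """<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <AppVersion>14.0000</AppVersion>
 <Company>Acme Corp</Company>
 <Template>Normal.dotm</Template>
</Properties>"""


def build_sample_docx():
    """Assemble the constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docProps/core.xml", CORE_XML)
        archive.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_office_metadata(build_sample_docx())
    for key, value in sorted(meta.items()):
        print("%-16s %s" % (key, value))
    print("accounts:", account_hints(meta))
```

One document gives up a username, the Windows domain it belongs to, the naming convention (first initial plus surname), the company’s Office version and the date the file was created. Multiply that by every PDF, DOCX and XLSX on the public web site and you have a user list for password spraying without ever touching the network. The fix is on your side of the fence too: strip document properties before publishing.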

Another side note: What I’ve outlined here is a brief intro to OSINT, what I consider to be the fundamentals. If you’re hungry for more, head on over to Online Strategies and check out a list of OSINT resources long enough to make your eyes water.

Take a few minutes, try a few links, and get a feel for what your company looks like from an OSINT perspective. You might be surprised at what you find.

How to Land a Job in Information Security

[Image: Information Security Wordle: FFIEC IT Examiner’s Handbook (photo credit: purpleslog)]

In July of 2011, the unemployment rate reported for information security analysts was a striking 0%. Not only were information security analysts reporting steady employment, they even reported an increase of 6,000 jobs between the first and second quarter of the same year. Two and a half years later, the Pentagon announced that it planned to add thousands of new cybersecurity jobs.

Sounds like a great time to be employed in the field of information security, doesn’t it?

Understand this: a career as an information security professional isn’t easy. Aspiring infosec professionals struggle to break into the industry, unsure of what skills they need or how to attain those skills. The lucky few who do break in find themselves in a fast-paced, constantly changing industry, where the quest for knowledge is constant, as is the need to sharpen your skills.

It’s a busy, active, frequently stressful career, and most information security professionals wouldn’t change it for the world.

But how does someone outside of the field land a job in information security?

First and foremost, aspiring information security professionals need to understand and be able to explain the foundational concepts of information security. When you find yourself in a job interview with a security manager, you’ll need to be able to explain the CIA triad, the concept of defense-in-depth, and the step-by-step process that you would follow if you were tasked with securing a system or application.

Once you have a solid grasp of basic information security concepts, you need to know which information security job is right for you. Infosec professionals aren’t all cut from the same cloth. Some want to be heads down technicians, hacking away at target systems and finding ways around existing controls. Others want to spend their time writing policies and procedures, ensuring that the security of their organization is sustained through consistent, repeatable procedures. Other information security professionals want to interact with people on the business side of the organization, identifying security requirements and making the case for information security controls when the value of those controls isn’t readily apparent to non-security employees.

A job applicant with a basic understanding of information security frameworks and standards will send a clear message to the hiring manager that he or she understands which external compliance requirements will impact a retail organization (PCI DSS) versus a home healthcare provider (HIPAA). That same hiring manager is likely to be impressed by a job applicant who comes to the interview already speaking the organization’s internal security language.

For the more technically-oriented positions, job applicants will be expected to demonstrate a hands-on understanding of some of the more common information security tools. If a hiring manager asks you about Nmap, Wireshark, or BackTrack Linux (now Kali Linux), and you respond with a blank stare, that hiring manager is going to wonder how serious you are about the job.

Finally, an aspiring information security professional who already has one or more industry certifications will have a much easier time getting through the HR screening process and making it to the interview with the hiring manager. While a certification doesn’t automatically make you a security professional, it does send a message that you’ve studied the material and that you’ve retained an understanding of what you studied. More importantly, when you want to make the move to a senior level information security role, the right certifications speak volumes.

When you feel you’re ready to begin applying for information security jobs, visit the job board to see what jobs are currently available in each state. Narrow down your search to positions that fit your interests and your personality, and then submit your application.

Good luck!
