Profile picture
Dino A. Dai Zovi
@dinodaizovi
, 3 tweets, 1 min read Read on Twitter
Let’s talk about security measures that didn’t seem to be in place, based on my reading of the CapitalOne case.

1) Lots of PII, SSNs, etc not individually encrypted or tokenized. At-rest encryption of these is necessary, but not sufficient.
2) Use of IAM role creds from *outside* the cloud env was not detected.

3) Access of what appear to be logging S3 buckets, also from outside the cloud env, was not detected.

CloudTrail event monitoring is your friend and should be your #1 priority for AWS security.
4) AWS Macie would have identified massive amounts of PII and other sensitive info in the S3 buckets.

5) AWS GuardDuty would have alerted on some of this too (e.g. S3 access by Tor exit node).

Turn these on, send alerts to your security team *and* team that owns the AWS asset.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Dino A. Dai Zovi
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @dinodaizovi see all

Profile picture
Dino A. Dai Zovi
@dinodaizovi
Tweeting an IRL rant from the last week, the biggest reason that many orgs are having trouble keeping up with cybersecurity IMHO is that attack surface scales with software, but their security orgs try to secure it by scaling with human toil. That's the opposite of leverage.
Until we treat securing the org as a problem that we build and maintain custom in-house software to manage, we'll fail to keep up. That means treating security experts as product owners for cross-functional agile software engineering teams that own security management systems.
The problem with toil is that it's addictive. You feel like you are making progress because you are busy fighting fires. But it doesn't scale and when you take a few steps back, you can see that you aren't keeping up. You have to measure and cap toil time to be able to engineer.
Read 4 tweets
Profile picture
Dino A. Dai Zovi
@dinodaizovi
Doug McIlroy on the Unix Philosophy:

"(i) Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new features."
"(ii) Expect the output of every program to become the input to another, as yet unknown, program. Don't clutter output with extraneous information. Avoid stringently columnar or binary input formats. Don't insist on interactive input."
"(iii) Design and build software, even operating systems, to be tried early, ideally within weeks. Don't hesitate to throw away the clumsy parts and rebuild them."
Read 5 tweets

Related threads

Profile picture
Jake Williams
@MalwareJake
Takeaways from #CapitalOne:
1. Having a disclosure program may have saved them. I'm FAR less likely to report to an org that lacks a disclosure policy.
press.capitalone.com/phoenix.zhtml?…
Read 7 tweets
Profile picture
17thCenturyShytePost
@17cShyteposter
George Kennan wrote this in 1986
I'm going to turn this into a Kennan thread, because I'm going to need it.

This is about the Sacco and Vanzetti murder case, back when the nation cared about law and order. Listen closely, and you can hear the echoes of the left regarding the border crisis going on right now!
Kennan, the 26-year-old incel in 1931, lamenting tfw no gf, but also unwilling to avail himself of the degeneracies of his fellow international diplomats.

...but have hope, lads! That very year, Kennan met a 20-year-old Norwegian girl. Their marriage lasted 73 years.
Read 30 tweets
Profile picture
Blogger Me
@BloggerMe3
"Understanding #encryption & the #aabil" for #dumbbastards like me
.#Encryption & #privacy are strongly & deeply connected.
"Privacy", as understood in AU, is an individual's #humanright to #privacy, as enshrined in legislation, created in the @Parliament's, both federal & states, to guarantee individuals their #HumanRight as detailed by the @UN & interpreted by our legislators & the courts
Read 27 tweets
Profile picture
Darren T💈
@drnten_
How I raised £225,000 7 days before my company @Trimit_app was about to die. Now we are in a new office and @LdnNafe cried in front of his parents and an audience of 50+, when he deeped how far we’ve come. 

- A THREAD -
Here’s one thing I need to make clear before I start:

Glory be to god; I prayed a simple prayer, “God reveal yourself in a way that is undoubtable you.”
For those that don’t know, @Trimit_app , is the UK first app powered mobile barbershop. Through our app you can book a barbershop to come to you. Currently based in London.
Read 24 tweets
Profile picture
Bruno Brunelli
@Bruno_Brunelli
Automotive blockchain platform opens new opportunities for connected vehicles

#blockchain #vehicles #connectedvehicles #IoT #BlockletTVA

smart2zero.com/news/automotiv…
IBM, Seagate partner on blockchain anti-counterfeiting project

#blockchain #security #technology #harddrive

smart2zero.com/news/ibm-seaga…
SpaceChain blockchain-based satellite network a step closer to reality

#blockchain #satellite #networks #opensource

smart2zero.com/news/blockchai…
Read 5 tweets
Profile picture
Mike Amundsen
@mamund
well, ok, @devcorpio and @mathiasverraes by request: thread coming.
heads up for anyone interested in @fielding, #REST, #GraphQL, #CRUD, #SOAP, #Reactive 1/10
per @fielding's disseration, in order to achieve his desired architectural properties (chap02) and meet the WWW's domain requirements (chap04), he wanted to establish a set of required constraints (chap05). most ppl just focus on chap05 and i recommend focusing on chap02. 2/10
there @fielding makes a case that arch properties are induced by the set of contraints you select. thus, he creates his set of contraints for inducing his desired properties and names that #REST. 3/10
Read 10 tweets

Trending hashtags

#problem #Terrorism #RukbanSuffers #Euphrates #EBS #Hamadaniyah #Naour_Shatha #DrlytleNG #security #FOSS #Lebanese #whitel #American #harassment #apprentice #AVs #cultism #ISIL #EuropeanUnion #DemDebate2 #Hasakeh #SafetyOverSpeed #serviceproviders #connectedvehicles #Americans
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!