Middle of the night alert from my @Synology. "Security risk found!"

The risk in question: I haven't bound SSH to a non-standard port.
Security myth: binding SSH to a non-standard port is somehow safer.

In practice, use keypair auth only; then the only benefit of a non-standard port is that your logs don't fill up with brute force attempts.
Security myth: rotate your @awscloud IAM credentials frequently so your console doesn't yell at you.

In practice, compromised keys are exploited in less time than it takes to microwave a burrito. Use role assumption if you can, but rotating keys is busywork.
Security myth: everything should be encrypted at rest.

In practice, if you can bust into an AWS datacenter, grab all of the drives needed to reconstitute my data, and escape alive? You've earned it.

But it's easier to enable it than to win the auditor argument.
Security myth: your greatest threat comes from state actors and advanced threats.

In practice, your CEO's password is `Kitty!` and is written in sharpie on their laptop being used mid-airport.
Security myth: NAT isn't a security measure.

In practice, sure it is!
Security myth: firewalls aren't relevant in 2020.

In practice, firewalls aren't relevant in 2020 but good luck getting your @RSAConference talk accepted without the word "firewall" in the title.
Security myth: cloud virtualization isn't sufficient, so you should only use dedicated instances for sensitive data.

In practice, if someone has a working EC2 hypervisor escape they'd be complete idiots to waste it on YOU.
Security myth: you should have different security levels in different AWS accounts.

In practice, of course you should but good freaking luck migrating 8 petabytes dating back to 2008, so now you're stuck with building internal-to-the-account access controls.
Security myth: password managers work because they make it easy to not reuse passwords.

In practice, password managers work because they won't fill in a site's password into a phishing site.
Security myth: passwords display as asterisks on your screen to prevent "shoulder surfing."

In practice, your computer is swearing at you.
Security myth: you lose a lot of performance when Intel's speculative execution patches are applied.

In practice, you don't get to install Norton Antivirus and then whine about hardware performance.
Security myth: training prevents security breaches.

In practice half of your staff would tell me their passwords for $8 and a candy bar.
Security myth: certifications means that your infosec staff is up to speed on the latest security trends.

In practice,
Security myth: a breach is the death knell of your company.

In practice, tell that to Equifax, Target, Heartland, Marriot or--hah, can you believe I almost said "Yahoo?"
Security myth: A CISO's job is to guide the company's security posture.

In practice the CISO's role is to be publicly fired after a breach.
Security myth: you must have a physical security token for your @awscloud root account that you store in a safe.

In practice, you won't remember where you put the safe when you need to log into the AWS root account.
Security myth: you can migrate your whole stack to IPv6 to avoid portscanning and brute force attempts.

In practice, don't you have real work to do?
Security myth: enable all of the appliance's rules so you catch everything.

In practice,
Security myth: after 5 failed login attempts, lock user accounts and require a manual unlock by the helpdesk.

In practice, this policy gets overturned damned quick after you intentionally lock out the CEO's email a few dozen times in an afternoon.
Security myth: security isn't something you can buy.

In practice, there sure are an awful lot of companies who would like to sell it to you.
Security myth: "Security by obscurity" is a trash methodology.

In practice, nobody ever exploits SNMP.
Security myth: Security is very important to you.

In practice, you only tell me that directly after you've suffered a security breach because security wasn't very important to you.
Security myth: people who leave open S3 buckets are idiots.

In practice, go grant access to an S3 bucket in your account to a user in my account. I'll wait until you give up and open the bucket so we can get our work done.
Security myth: something like fail2ban that parses your ssh logs and blocks brute force attempts is a good plan.

In practice there have been CVEs around this because "code that parses arbitrary strings from logs" is its own form of exploit.
Security myth: drug testing your staff leads to a better company.

In practice, drug testing your board of directors would lead to a better company.
Security myth: your corporate controls are iron clad.

In practice, email a few fake invoices to Google and Facebook and they'll apparently just go ahead and wire you $100 million.

independent.co.uk/news/world/ame…
Security myth: You shouldn't use your pet's name as a password.

In practice, be sure to change your pet's name every 60 days.
Security myth: @awscloud's Shared Responsibility Model is deeply complex and takes an hour and seven slides to explain.

In practice, it's that way because telling a customer who just got breached that it was their fault needs way more of a song and dance than... well, this:

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with HydroxyCoreyQuinn

HydroxyCoreyQuinn Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @QuinnyPig

22 Oct
It's time again for a "Cooking with Corey" tweet thread, since I still have to eat while out on parental leave.

I'm no @darth, but today's episode focuses on potato chips. Let's begin.
We start with the noble potato. Scrub it thoroughly; it's been in the dirt for way longer than five seconds. Image
Next it's time for the Deadly Mandoline. Wear hand protection unless you don't want to have that hand intact anymore. Image
Read 10 tweets
22 Oct
In which @monkchips tries to convince us that Giraffes (along with their query language) are real. Image
The search for a multi-cloud success story continues. Image
My computer grows scared of what @monkchips might say next. Image
Read 14 tweets
25 Sep
Anomaly Detection for @awscloud bills is stupidly hard to get right. I’m optimistic about what they’ve built—now let’s see how it works in the wild! aws.amazon.com/blogs/aws-cost…
Me: “How hard could it possibly be?!”
@mike_julian, monitoring wizard: “Oh my sweet summer child.”
...there might be some @awscloud UX teething issues. ImageImage
Read 11 tweets
24 Sep
I'm about to make fun of everything sacred when I commandeer a @ChaosSearch webinar. chaossearch.io/data-lakes-2.0…
Judging by the pictures, one of us enjoys this. The other enjoys this not at all. Image
The platypus in the corner is the only image on this slide that has any spirit whatsoever. Image
Read 5 tweets
23 Sep
Roses stay red
Whether expert or beginner
People like shitposts
Read 11 tweets
22 Sep
Azure: "You write code in Code that lives in GitHub and deploys with Actions seamlessly to Azure. See, notice how easy it is?"

AWS: "We offer seven services starting with 'Code', an IDE that isn't one of them, and a bunch of prescriptive blueprints for how to do it all."
Any complaint you have about @Azure is going to look pretty silly in five years. This is a long term play that's going to yield dividends.
Here's a five year prediction for you:

$7.5 billion to acquire @GitHub was an absolute bargain.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!