SecPro Community Wisdom#10: S3 Buckets, Programming Blunders, and the First Steps for CISOs
Here is another issue, filled to the brim with wisdom from people who have been working in cybersecurity and related industries for a long time. Thank you to everyone who responded – we will be selecting winners from the pool of respondents tomorrow and sending out emails to the winners of our competition.
As always, if you have any extra comments that you would like to share, send them to me and I will try to work them into our newsletter. We are grateful for all the replies we receive and want to make sure that our community sees its voice represented in everything we put out.
Top Questions This Week
1. What are the security recommendations for public S3 buckets?
Configuration — basic security configurations based on your business needs.
Encryption — encrypt data at rest.
Role-based access — restrict access through least privilege role-based access.
Multiple Layers — utilize multiple layers of security and multi-factor authentication.
Logging and Auditing — be able to detect and follow up when attacked.
1) If exposing a public bucket, ensure the contents are reviewed for sensitive information.
2) Ensure buckets are encrypted at rest and during transit.
3) Enable the CloudTrail service to record bucket events.
4) CloudWatch should also be utilised for monitoring and alerting purposes.
5) Run AWS automated security testing tools on a periodic basis to catch any potential vulnerabilities.
The most important security configuration of an S3 bucket is the bucket policy. It defines which AWS accounts, IAM users, IAM roles and AWS services will have access to the files in the bucket (including anonymous access) and under which conditions. Pro tip: you should remove public access from all your S3 buckets unless it’s necessary.
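The responses above converge on a few checkable controls: no anonymous Allow in the bucket policy, Block Public Access switched on, TLS enforced for every request, and uploads refused unless they ask for server-side encryption. The following is an added example, not code from the newsletter or from any respondent: a small audit function that takes a bucket policy document (the JSON that `aws s3api get-bucket-policy` returns) together with the bucket's four Block Public Access flags (as returned by `aws s3api get-public-access-block`) and reports which of those controls are missing. The two policies and the account ID, role name and bucket name in them are constructed for illustration.

```python
"""Audit an S3 bucket policy for the controls discussed in the newsletter.

Added example; not the newsletter's or any respondent's code. Inputs are a
bucket policy JSON string and a dict of the four S3 Block Public Access
flags. Everything below is constructed sample data.
"""
import json


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True if the statement's Principal grants to everyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy_json, block_public_access):
    """Return a list of finding strings; an empty list means every check passed."""
    policy = json.loads(policy_json)
    findings = []
    denies_insecure_transport = False
    denies_unencrypted_put = False

    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        cond = stmt.get("Condition", {})

        # Anonymous access is only a problem when it is an Allow.
        if effect == "Allow" and _is_public_principal(stmt.get("Principal")):
            findings.append(f"Allow statement grants {actions} to everyone")

        if effect == "Deny":
            # Deny every action when the request did not use TLS.
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false" and "s3:*" in actions:
                denies_insecure_transport = True
            # Deny uploads that do not request server-side encryption.
            null_cond = cond.get("Null", {})
            if "s3:PutObject" in actions and null_cond.get("s3:x-amz-server-side-encryption") == "true":
                denies_unencrypted_put = True

    if not denies_insecure_transport:
        findings.append("No Deny for aws:SecureTransport=false (encryption in transit not enforced)")
    if not denies_unencrypted_put:
        findings.append("No Deny for unencrypted PutObject (encryption at rest not enforced)")
    for flag, enabled in block_public_access.items():
        if not enabled:
            findings.append(f"Block Public Access setting {flag} is disabled")
    return findings


# Constructed sample: a public-read bucket with no transport or encryption controls.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: least-privilege role access plus the two Deny guards.
# 111122223333 and AppRole are placeholder values.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadWrite",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
})

# The four real S3 Block Public Access flags, fully on and fully off.
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
NO_BLOCK = {flag: False for flag in FULL_BLOCK}

if __name__ == "__main__":
    for name, pol, bpa in (("weak", WEAK_POLICY, NO_BLOCK), ("hardened", HARDENED_POLICY, FULL_BLOCK)):
        print(name, audit_bucket_policy(pol, bpa) or "OK")
```

The audit deliberately treats a missing Deny guard as a finding rather than only flagging public Allows: a bucket that is correctly private can still accept plaintext HTTP or unencrypted uploads, which is what the "encrypt at rest and during transit" responses are about.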
2. What are the worst programming practices you’ve seen regarding security?
The worst programming practice I have recently come across is developers storing credential material in cleartext within GitHub repositories. This included Active Directory credentials and application keys.
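The practical defence against the practice described in that response is to scan what is about to be committed. Below is an added example, not from the newsletter or the respondent: a minimal pattern-based secret scanner of the kind run as a pre-commit hook or CI step. The AWS access key ID format (`AKIA` followed by 16 characters) and the two example key values are taken from AWS's public documentation; the assignment patterns are generic and will need tuning for a real code base. The two sample files are constructed.

```python
"""Flag credential material committed in cleartext.

Added example; not code from the newsletter or the respondent. Pattern
names, the sample files and the file names are constructed for illustration.
"""
import re
from pathlib import Path

# Each pattern names one kind of credential material that should never be
# committed. The password/key assignment patterns intentionally lack a
# leading \b so that names like AD_PASSWORD or AWS_SECRET_ACCESS_KEY match.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret(?:[_-]?access)?[_-]?key|client[_-]?secret)"
        r"\s*[=:]\s*['\"][A-Za-z0-9/+_\-]{16,}['\"]"),
}


def scan_text(text, path="<memory>"):
    """Return (path, line_no, pattern_name) for every suspected secret in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, line_no, name))
    return hits


def scan_paths(paths):
    """Scan files on disk; skips anything that is not decodable as UTF-8 text."""
    hits = []
    for p in map(Path, paths):
        try:
            hits.extend(scan_text(p.read_text(encoding="utf-8"), str(p)))
        except (UnicodeDecodeError, OSError):
            continue
    return hits


# Constructed sample of what the respondent describes: AD and AWS credentials
# committed in cleartext. The AWS values are AWS's documented example keys.
LEAKED_CONFIG = """\
# settings.py (constructed example of what not to commit)
AD_USER = "svc-backup@corp.example"
AD_PASSWORD = "Winter2021!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

# Constructed sample of the same settings read from the environment instead.
CLEAN_CONFIG = """\
import os
AD_PASSWORD = os.environ["AD_PASSWORD"]
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
"""

if __name__ == "__main__":
    for path, line_no, name in scan_text(LEAKED_CONFIG, "settings.py"):
        print(f"{path}:{line_no}: possible {name}")
    print("clean.py:", scan_text(CLEAN_CONFIG, "clean.py") or "no findings")
```

A scanner like this is a backstop, not a replacement for keeping secrets out of source in the first place; the clean sample shows the shape that passes, with values pulled from the environment or a secrets manager at runtime.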
Failing to enforce policies, failing to properly set security policies, neglecting to train anyone with access to computers, and especially declining to enforce an established policy.
It’s a truism that you get what you reward for and don’t see as much of what you forbid. So if your organization wants good security practices, it must establish a clearly enunciated set of policies. Among other things, these policies must define basic usage rules, such as never opening strange e-mails, surfing random sites on personal business, or downloading files from the Web.
3. What are the first steps for a CISO when trying to implement an ISMS?
The first step would be to first of all determine if an Information Security Management System is required at all. Following this, I would start to reach out to different ISMS providers to gather which one would suit the business best.
Planning the role, understanding the role, creating a masterplan, working on improvements, getting proof and evidence of security measures if that worked.
1. Perform risk assessment
2. Define policy and scope of implementation
3. Get Board Approval
4. Hold a townhall to announce the why/what/when of the ISMS
5. Assemble stakeholders
6. Have a continuous risk assessment/management/communication plan
7. Establish governance
4. What do you expect to be the next big challenge for cybersecurity professionals?
It’s hard to say, because cyber attacks have many attack vectors and the number of cybersecurity specialists is still small. For sure, the speed of detection of attacks will be based on artificial intelligence.
- Miro, Security Engineer