Monthly Archives: September 2017

A Realistic Process for Dealing with Cloud Breaches

Given how cloud breaches are becoming more and more common, I would like to present a realistic process for dealing with them. I say realistic because this is probably already what is going on, but is not documented. So, here goes:

It starts with a proper management reaction when the vendor informs the firm regarding the breach:

Then your management will then need to do this privately:

But this should be their public reaction to the vendor’s notification:

Your developers will do this as they inspect the code:

Your security team will do this as they look at how the breach was done:

And then do this after they’re told they have to help clean up the mess:

Next, your developers will work hard on a new solution:

The security team will look over the developers’ solution and offer constructive feedback:

So the developers will take that feedback and refine their solution:

The network team may have some concerns on what the developers are hoping they can do in the datacenter:

Management may also have to deal with increased budget requests to implement the more secure solution:

And all the former employees are doing this as they hear the rumors and read the headlines:

And that, my friends, is how we can realistically deal with a cloud breach! I thank you for your time in reading this and hope it helps. 🙂

The Internet of No Fun

Little Bobby rushed in with the speed and joy that told the world he was five and a half years old and loving it. “Dad! A drone fell into our backyard! Can we keep it?”

Dad leaned out to the right to look at Bobby around his monitor. “Hold on there, sonny… have you done a VA scan on it?”

Bobby looked at the ground the way only a five and a half year old whose dreams were being confronted with harsh reality could do. “No…”

“What is our rule about bringing devices on to our wireless network?”

“No devices on the network until we’ve done a VA scan.”

“And?”

“And we’ve either patched or otherwise mitigated the vulnerabilities.”

“And?”

“And we’ve filed the change request documentation.”

“… And?”

“And we’ve got the change window scheduled, gosh, dad, you make all this no fun!” Bobby looked like he was ready to cry. Or update his resume and start looking for a new dad.

Dad knew that it was pretty much the same everywhere. Not wanting to see any turnover in the kid department, he worked on a consoling angle. “You think this is no fun? Then maybe it’s time I had you sit with me doing all the qualification testing so you’ll see just how much no fun this is for me, too!”

The shared experience reminded Bobby that he was in this together with everyone else. It’s not uncommon for five and a half year olds to express contrition and Bobby did just that. “Sorry, dad… I’ll go fire up the Kali Linux box…”

“There’s a good boy. Daddy has to go to a meeting now with Uncle Frank about next year’s family IT budget.”

“Are we gonna get a new firewall?” That exuberance again. Kids sure do bounce back, don’t they?

“Well, we’re still paying for Grandpa’s unexpectedly high syslog generation, but I think we might get a new firewall in Q2 next year.”

Bobby ran laughing down the hallway. “Yaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay!!!”

The meeting with Uncle Frank went well and Dad was happy that there were a few more goodies in the budget besides the firewall that he’d be able to announce at the family Q4 wrap-up meeting on 25 December. Dad had just enough time to type a few lines of code and then Sara stomped in the way only a 13 year old expecting to be disappointed could do. “Dad, can I go to a friend’s house now?”

“Did you finish ringfencing all your old wearables?”

Exasperation permeated the room. “Yes. Dad.”

“OK, did you also wipe the config on our old perimeter router like I’ve been telling you to do for the last three days?”

“Yes. Dad. I did it. It’s all wiped. Are you happy?”

“Sara, don’t take an attitude with me or you’re not going out.”

“Sorry.” Not very sincere, but a dad couldn’t expect much better from 13 years old.

“All right, that’s better. Which friend did you want to go see?”

“Veronica.”

Dad was concerned. He really didn’t want Sara hanging out with Veronica. Veronica’s family didn’t have very good change management processes and it was common knowledge around town that they weren’t necessarily up to date on their patch management. “I would be happier if she came over here.”

“Oh God, not this again.”

“Well, Sara, you tell me. If I try to RDP to Veronica’s family’s domain controller, am I going to get blocked, or am I going to get a login screen?”

“Dad, they have a really secure password on it!”

“That’s not my point, Sara. You know as well as I do that I shouldn’t even be able to reach that server, let alone via RDP. Now am I able to reach that server or not?”

“Fine. You win. I’ll just rot away here.”

“Sara, that’s not a win for me. I just want you to be safe, that’s all. Even if you left your cell phone home, your shoes are still exposed. As are your pants, your shirt, those earrings, am I right?”

Sara rolled her eyes with the wild, limbic-system fueled thinking so prevalent amongst the 13 year old set.

Dad tried to persuade. “And what happens to the rest of your clothes if the ones you’re wearing now are compromised?”

“Dad! That happened ONE TIME when I was eleven! Why do you have to keep bringing it up?”

“Well, you seem to be on track to have it happen again, when you’re 13. I’d rather not have to deal with another breach.”

“What. Ever.” Sara exhaled hard, but then had an idea. “What if I put all my clothes on airplane mode, will that be OK?”

Dad considered. That was reasonable. “OK. You put them all on airplane mode and you can go to Veronica’s. Get mom to take you, though.”

“She can’t dad. She’s on a sev one TAC call with the refrigerator vendor. There was a problem with our proxy and now the licensing on the fridge is all messed up.”

“OK, let me just wrap up this IPS signature modification and I’ll take you, just as soon as I get it into production.”

Dad was ready to get out and drive around for a while, anyway. Drive wasn’t really the right word, since the car did it all itself, but it was best to have a parent go with a kid, just in case. Gary Rasmussen’s daughter knew how to hack past parental controls on cars and could go pretty much anywhere unsupervised. Then there was that fight that Linda Hartford’s son got into where he and that other kid, Jerry something or other, kept hacking the speed governors on each other’s cars so they’d barely crawl. Having a parent ride along tended to keep those kinds of teenage shenanigans from happening.