Search Results for: cloud

Cloud: building from security

Continuing this series of posts on the cloud, it is time to talk about how to approach the world of possibilities that the cloud offers. This article aims to shed some light on such a huge task and to show the different aspects that need to be taken into account. It is an interesting path, with multiple options, which can bring enormous value both to the business and to our quality of life, as long as it is approached from an objective, realistic and critical point of view. We should not be reluctant to change, but neither should we change for change's sake.


Leaving philosophical mantras aside, saying that the cloud is the panacea makes as little sense as saying that the cloud does not bring value to the business.

As always, and sorry for the insistence, it will depend on each organization and its needs. What is fundamental, within the business case analysis and the return-on-investment calculation for adopting these new technological paradigms, is that the consequences, needs and capabilities of security are taken into account, both in the process of migrating to the cloud and in the face of any other technological change.

Having said this, and getting to the point, there is no doubt that migrating to the cloud has a significant cost. Whether this cost is greater or lesser will depend on what you compare it with, but it can be said that it is not a "cheap" decision. If we do the simple exercise of comparing a physical server with a cloud server, the difference is fairly clear. However, putting everything in context, and above all emphasizing security, there are many other costs to be assessed.


Cloud meets business continuity

Following the introductory cloud post a few days ago, and to avoid losing momentum, we are going to keep talking about the cloud, in an area where it seems particularly useful: business continuity. Along with other measures, it is clear that the existence of globally distributed datacenters (did someone say GDPR?), flexible system scaling and almost instantaneous deployment make a cloud infrastructure (all else being equal) more resilient to outages than an on-premise one. Of course, availability is not the only factor to consider, but we will talk about that another day.

However, when it comes to the benefits of the cloud, the providers already do a pretty good job of explaining them. What I want to talk about is some of the issues that must be considered before migrating an infrastructure to the cloud (although some of these points also apply to PaaS and SaaS). That is: the problems.


There’s no cloud, it’s just…

By now, everyone knows what the cloud is. Many of our readers probably host services in the cloud or have projects underway to migrate to it. That is because, while it has changed significantly since Salesforce started offering SaaS in 1999, the model as we know it today has been around for well over a decade.

It is true that the number of players has grown significantly, processes have been consolidated, the number of services has increased (and continues to do so), and new standards, organizations and certifications have appeared (and continue to do so) linked to this new paradigm, but, with more or less detail, we are now understanding what this "cloud" thing is all about.

And perhaps the problem lies precisely in that "we are now understanding" and "with more or less detail", because it is clear that, generalizing as always, there is still a long way to go in the adoption and integration of purely cloud practices and, of course, in implementing the secure cloud. And that is precisely the idea of this series: to start from that "more or less detail" and gradually increase the degree of depth.


Real Cloud Security

(Please note this post was originally published in the Spanish version of Security Art Work on 2 October 2012)

Act I: The cloud

(In a small room we find the Chief Executive Officer (CEO), the Chief Security Officer (CSO) and the Chief Marketing Officer (CMO). The latter arrives with a PC World magazine under his arm)

CMO: Blablablabla Cloud blablabla costs blablabla availability blablablabla Google.
CSO: Blablabla SLA blablabla, blablabla privacy, blablabla blablabla outsourcing, blablabla.
CEO: Blablablabla dollars, blablabla staff, IT blablabla servers. Security? Blablablabla.
CSO: Blablabla, blablabla SOX, penalties, blablabla data theft blablabla, blablabla press. Blablabla impact and risk.
CMO: Insecure? Hahahaha, blablabla, blablabla and blablabla. CSO blablabla, distrust. Blabla, blabla, Gartner, blablabla?? Blablablabla. That does not happen.
CEO: blablablabla CIO, blablabla blablabla IT budget.
CSO: Alea jacta est.

Act II: Hunky-dory

(While the Chief Executive Officer is looking at the Chief Marketing Officer's tablet, they see the Chief Security Officer, who quickens his pace but is intercepted in the corridor)

CMO: Blablabla access, blablabla iPad, iPhone. Blablabla? CSO? Blablabla, these security guys blablabla. Access, blablabla, password blablabla, blablabla SSL.
CEO: Blablabla friendly, blabla, blablabla success. Blablablabla reason blabla costs, blablabla enterprise 2.0.
CSO: Pater Noster qui es in caelis, sanctificétur nomen Tuum

Act III: A small problem

(There is a problem in the Marshall Islands that has cut the connection to the cloud provider and, although it is not known yet, may have caused data loss)

CEO: Blablabla connection, blabla deletion, blablabla access. Blablablabla data, blablabla cloud!!
CMO: Blablablabla probability blabla blablablabla Gartner CIO, blabla CSO .
CSO: Blablabla risk, blablabla impact, blabla quality of service, blablabla Google.
CEO: Blablabla reputation, blablabla business, blablabla Google!
CMO: …
CSO: …

Act IV: Choose Your Own Adventure

(Do you remember these books? ;)

Option #1

CSO: Blablabla backup, blabla fireproof, blablablabla recovery blablabla system.
CEO: Muacs.

Option #2

10 CEO: …
20 CMO: …
30 CSO: …
goto 10

Option #3

CSO: Blablablabla CIO?
CIO: Blablabla, Terms of Service, blablablabla complaint, blablabla compensation, blablablabla.
CEO: Blablabla data, blablabla available blablabla #@!*& blablabla ten dollars.

Well, how did your adventure in the cloud end?

If you have been able to follow this conversation, you might like this video that our colleague Adrian has found:

Android Pentesting (I): Environment Configuration

In this article we will try to explain, step by step and in the simplest possible way, how to set up a working environment for the ethical hacking of an Android application, so that anyone can do it regardless of their prior knowledge.

The first step is to create a working environment in which to start auditing mobile applications on Android. To do this, we will look at several mobile device emulators and choose one on which to set up our environment.

Some emulators on the market

First, let's explain what an emulator is. The word comes from the Latin aemulator (one who imitates or rivals), that is, something that imitates the operation of something else. Wikipedia defines it as follows: "In computing, an emulator is software that allows programs or video games to run on a platform (either a hardware architecture or an operating system) different from the one for which they were originally written. Unlike a simulator, which merely attempts to reproduce the behavior of the program, an emulator attempts to accurately model the device so that the program works as if it were being used on the original device".


Health 4.0: the importance of cybersecurity in the healthcare area

The concept of Health 4.0 emerges as a specific derivation of Industry 4.0. But what is Industry 4.0? The concept arose in Germany in 2011 as a project to improve industry, but without a clear definition (see the reference at the end of the article).

Since then, Industry 4.0 has appeared with different interpretations, although there is a commonly used definition: Industry 4.0 is an umbrella term that encompasses nine technologies that help transform industrial production and automate processes.

These technologies are:

  • Big Data and Data Analysis
  • Simulation
  • Internet of Things (IoT)
  • Augmented Reality
  • Cloud Computing
  • Additive Manufacturing
  • Autonomous robotics
  • Cybersecurity
  • Systems integration

10 tips for securing data hosted on Amazon S3

The use of Amazon Simple Storage Service (S3) is becoming more and more widespread, covering a multitude of use cases: sensitive data repositories, security log storage, integration with backup tools… so we must pay special attention to how we configure our buckets and how we expose them to the Internet.

In this post we will talk about 10 good security practices that will allow us to manage our S3 buckets correctly.

Let’s get started.

1 – Block public access to S3 buckets across the organization

By default, buckets are private and can only be used by the identities in our own account, provided they have been granted the corresponding permissions.

Additionally, S3 offers the "S3 Block Public Access" settings, which override ACLs and bucket policies so that a bucket cannot be made public even if someone grants public access by mistake. They can be enabled or disabled per bucket and also for the whole AWS account. To prevent a user from switching them off, we can create a Service Control Policy (SCP) in our organization so that no member account of the organization can do so.
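As an added example (not code from the original post), here is one way to express that organization-level guardrail: a Python script that emits the SCP document and includes a deliberately simplified check of which calls it denies. The role name SecurityBreakGlass, used as the only principal exempt from the restriction, is an assumption for illustration; s3:PutBucketPublicAccessBlock and s3:PutAccountPublicAccessBlock are the IAM actions that change the bucket-level and account-level settings.

```python
import fnmatch
import json

# Hypothetical break-glass role that is still allowed to change the setting.
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/SecurityBreakGlass"


def scp_document(exempt_role_arn=BREAK_GLASS_ROLE):
    """SCP that denies changing S3 Block Public Access, at bucket and account
    level, for every principal in a member account except exempt_role_arn."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDisablingS3BlockPublicAccess",
                "Effect": "Deny",
                "Action": [
                    "s3:PutBucketPublicAccessBlock",    # bucket-level setting
                    "s3:PutAccountPublicAccessBlock",   # account-level setting
                ],
                "Resource": "*",
                "Condition": {
                    "ArnNotLike": {"aws:PrincipalArn": exempt_role_arn}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _arn_matches(pattern, arn):
    # ARN patterns in ArnLike/ArnNotLike are case-sensitive with the same wildcards.
    return fnmatch.fnmatchcase(arn, pattern)


def denied_by_scp(policy, action, principal_arn):
    """Simplified check: does any Deny statement in policy block action for
    principal_arn? Only the policy grammar used above (Action globs and an
    ArnNotLike condition on aws:PrincipalArn) is modelled; this is not the
    IAM policy engine and ignores Allow statements and resource matching."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and _arn_matches(exempt, principal_arn):
            continue  # condition is false for this principal, so the Deny does not apply
        return True
    return False


if __name__ == "__main__":
    # Print the document ready to be attached to the organization root or an OU.
    print(json.dumps(scp_document(), indent=2))
    dev = "arn:aws:iam::123456789012:role/Developer"
    print(denied_by_scp(scp_document(), "s3:PutBucketPublicAccessBlock", dev))  # True
```

The printed document can be created and attached with the aws organizations create-policy and attach-policy commands; the account-level setting itself is managed with aws s3control put-public-access-block. Two caveats a practitioner should keep in mind: SCPs do not apply to the management account, so its account-level setting must be protected some other way, and the check above only models the Deny side of evaluation, so use it to reason about the guardrail, not as a substitute for the IAM policy simulator.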


OWASP Top 10 2021 News (III)

After discussing some details of the new version of the OWASP Top 10 in the first post of the series, and the new category A08, software and data integrity failures, in the second, in this third and last post we will analyze category A10: Server-Side Request Forgery (SSRF), as well as the options for mitigating this type of vulnerability.

A10: Server-Side Request Forgery (SSRF)

SSRF flaws arise when an application fetches a remote resource without validating the URL supplied by the user. Because the request originates from the server itself, this type of attack can bypass the protection provided by firewalls, VPNs or network access controls.

For example, when an application lets the user specify a URL to which the initial request will be redirected, if we do not filter that URL, an attacker can take advantage of it to supply an arbitrary address, including one that points to internal hosts.
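The mitigation the paragraph above points at is to validate the destination before the server fetches it, and to apply the same validation to every redirect, since a permitted host can answer with a 302 to an internal one. The following Python code is an added example, not code from the original post or from OWASP; the hostnames, the DNS table and the canned HTTP responses are constructed so that it runs offline, and the allowlist is a hypothetical one for a feature that only needs to reach two partner hosts. It goes slightly beyond the text by also rejecting IP literals, credentials in the URL and non-HTTP schemes.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed DNS table so the example runs offline. In production, resolve
# with socket.getaddrinfo() and then connect to the *validated* address rather
# than to the hostname again, so a DNS rebinding between check and use cannot
# redirect the request.
DEMO_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "imgs.example": ["151.101.1.69"],
    "evil.example": ["169.254.169.254"],   # cloud instance metadata service
    "intranet.example": ["10.0.0.5"],
}

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist of the only destinations this feature should fetch.
ALLOWED_HOSTS = {"api.partner.example", "imgs.example"}


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS,
                          resolve=lambda h: DEMO_DNS.get(h, [])):
    """Return (ok, reason, ip). ok is True only when the URL uses an allowed
    scheme, carries no credentials, names an allowed host (any host if
    allowed_hosts is None) and every address it resolves to is globally
    routable: no loopback, RFC 1918, link-local/metadata, multicast or
    reserved ranges."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    host = host.lower().rstrip(".")
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist", None
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal, IPv4 or IPv6
    except ValueError:
        ips = resolve(host)
    if not ips:
        return False, "host does not resolve", None
    for ip in ips:
        if not ipaddress.ip_address(ip).is_global:
            return False, f"resolves to non-public address {ip}", None
    return True, "ok", ips[0]


def fetch_with_checked_redirects(url, send, max_hops=3, **validate_kw):
    """Fetch url through send(url, ip) -> (status, headers, body), validating
    the first URL and every redirect target. The HTTP client must not follow
    redirects on its own, or a 302 to an internal host bypasses the check."""
    for _ in range(max_hops + 1):
        ok, reason, ip = validate_outbound_url(url, **validate_kw)
        if not ok:
            raise ValueError(f"blocked {url}: {reason}")
        status, headers, body = send(url, ip)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return status, body
    raise ValueError("too many redirects")


# Constructed stand-in for the HTTP transport: a partner API that answers
# normally and an image host that redirects to the metadata service.
DEMO_RESPONSES = {
    "https://api.partner.example/v1/status": (200, {}, b'{"ok":true}'),
    "https://imgs.example/logo.png": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def demo_send(url, ip):
    return DEMO_RESPONSES.get(url, (404, {}, b""))


if __name__ == "__main__":
    print(validate_outbound_url("https://api.partner.example/v1/status"))
    print(validate_outbound_url("http://evil.example/", allowed_hosts=None))
    print(fetch_with_checked_redirects("https://api.partner.example/v1/status", demo_send))
    try:
        fetch_with_checked_redirects("https://imgs.example/logo.png", demo_send)
    except ValueError as e:
        print(e)
```

An allowlist of hosts is the strongest control and should be the first choice; the address checks matter when the feature genuinely has to reach arbitrary public hosts (webhooks, link previews), and even then the resolved address must be the one the connection is made to, and redirects must go through the same check. Denylists of "bad" strings such as 127.0.0.1 or localhost are easy to bypass with alternative encodings and are not a substitute.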


Purple Team: Why all the fuss?(II). Threat Intelligence

After a brief introduction and exposition of the Purple Team methodology and a list of its phases in the first part of this series, in this second part I will go into more detail on how Cyber Threat Intelligence (CTI) is integrated into the whole adversary emulation process and, therefore, into Purple Team exercises or programs.

I feel obliged to repeat that (as stated in the first article) much of the content and methodology shown hereafter comes from Scythe and its Purple Team Exercise Framework, and is closely linked to the whole MITRE doctrine and tooling. My goal with this article is to provide a comprehensive view of the topic, along with my experience and opinion on some points.

First: understanding the target organization

Whether you are performing CTI as an outside consultant or as part of the organization, it is important to have as much information about the organization as possible.

To do this, the CTI team must conduct an intensive and extensive information-gathering exercise, just as a real threat actor would. In addition, this information must be enriched with what is obtained through interviews and enquiries with the organization's personnel.


So you want to go into cybersecurity…

This post has been prepared with the invaluable (and necessary) help of Maite Moreno (@mmorenog) and the cybersecurity team of S2 Grupo.


One of the good things that Information Security shares with other IT disciplines is the wide variety of training resources available, both free and for tight budgets.

Without a large financial investment, anyone with time and motivation (and a minimum of technical knowledge, for which there is another large set of resources that we will not cover here) can be trained from practically zero to expert level in practically any area of cybersecurity.

Below are some of the resources available on the Internet for free or for a reduced cost, bearing in mind that:

  • This list is not intended to be exhaustive. Feel free to comment on any content you think is missing and we will add it as soon as we can.
  • Some platforms have a freemium approach, combining free content and functionalities with paid ones.
  • Although the less technical areas of Information Security, such as GRC, are under-represented (very little) in the list, the more generalist training sites include courses on data protection, control frameworks, risk management, etc.
  • Most of the courses are in English, so a minimum level is required to understand instructions and texts. This level is essential nowadays in the field of information technology.
  • Blogs, vlogs and podcasts on Information Security are left out, although there are plenty of extremely useful ones. The same goes for the thousands of webinars on every conceivable topic.
  • Nor have we included more general platforms such as edX or Coursera, which nonetheless contain many courses from prestigious universities and organizations.
  • Finally, we have not included courses from the device manufacturers, software or cloud providers, which in some cases are free, and which sometimes also provide free versions (with limitations) of their products. AWS, Tenable or Splunk come to mind, but there are many others.