Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

How & Why Cloud Security Will Empower Users

50%
50%

Dramatic growth in cloud computing means big changes for enterprises of all sizes and in all markets this year. Bill Kleyman explains why thats a good thing.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Bill Kleyman
50%
50%
Bill Kleyman,
User Rank: Apprentice
1/27/2014 | 10:48:24 AM
Re: Biggest gotchas for empowering users in cloud?
@Marilyn - There's good news and bad news. Organizations can be proactive and deploy best practices around their cloud and infrastructure security environment.

The bad news is that bad guys are usually not far behind -- and in many cases ahead. In creating a good security platform, there are several things to consider. Compliance and regulation aside, some of the biggest mistakes I've seen revolve around lapsed policies, reactive thinking, and no security testing.

Honestly, it's the little things that can hurt a business. Forgetting to renew an SSL cert, leaving a port open, or not having proper security services running internally. Also, checking your sources helps a lot as well. Let me give you an example, a friend of mine ran an experiment as a part of some research he was working on. He built an Amazon Machine Image (AMI) of a popular penetration testing platform -- which was previously unavailable on EC2. One of his additions to the AMI was a backdoor which would basically just communicate back to his own server, indicating that somebody had turned on his backdoored instance. He could have just as easily built a reverse shell into the image. This basically comes back around to the discussion of data security, as all of your encryption keys, VPN configurations, and potentially passwords are protected by unknown controls, which are of unknown resiliency.

In creating the optimal security platform, consider best practices and also consider the target. This also means constant testing and log keeping. There are a lot of proactive things you can do around security that will certainly help.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
1/27/2014 | 10:11:03 AM
Biggest gotchas for empowering users in cloud?
Hi Bill. Can you elaborate on what organizations need to do to optimize user security in the evolving cloud infrastructure? In your work with customers, what are the biggest mistakes you've seen IT departments and CSPs make?
CHIRSCHMAN1337
50%
50%
CHIRSCHMAN1337,
User Rank: Apprentice
1/27/2014 | 9:55:14 AM
RSS feeds
Please indicate that content is video in RSS feeds!
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18934
PUBLISHED: 2019-11-19
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.
CVE-2012-6070
PUBLISHED: 2019-11-19
Falconpl before 0.9.6.9-git20120606 misuses the libcurl API which may allow remote attackers to interfere with security checks.
CVE-2012-6071
PUBLISHED: 2019-11-19
nuSOAP before 0.7.3-5 does not properly check the hostname of a cert.
CVE-2012-6135
PUBLISHED: 2019-11-19
RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process.
CVE-2016-10002
PUBLISHED: 2019-11-19
Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.