My key takeaways
- Security in sprints vs whole security sprints?
  - "Smaller activities from the very beginning. It is not full time, but always ongoing. And maybe, if the situation is very tricky, entire sprints might be necessary, too." — Thomas Fricke
- Kubernetes does its best to be secure inside. Unfortunately it is not configured that way by default. Challenge: every developer has to learn which settings are the critical ones
- You can ask AWS whether a bucket name exists with `aws s3api get-bucket-acl --bucket <guessed bucket name>` (a non-existent bucket and an existing bucket you may not read return different errors)
- Use bucket logging to get notified if something was (maliciously) changed. Or get pwned and have your bucket mine Monero 😉
- Port 10250 is usually the kubelet API, i.e. a sign of Kubernetes
- "Infrastructure as code will lead to security by design" – Dr. Morton Swimmer
- `kubectl auth can-i --list` shows the privileges of the Kubernetes service account you are currently running as
- Kubernetes and containerization in general are among the most important upcoming technologies. But they are also very complex and need a whole new mindset about security compared to the on-prem mindset
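As an added example (not from the talk or the linked training repo), a small Python parser for the column layout that `kubectl auth can-i --list` prints, which flags rules a workload's service account usually should not hold; the sample output and the watch-list are constructed assumptions of this example.

```python
import re

# Constructed sample in the column layout of `kubectl auth can-i --list`
# (built with a formatter so the columns line up; not captured from a cluster).
def _row(res, urls, names, verbs):
    return f"{res:<48}{urls:<38}{names:<17}{verbs}"

SAMPLE_OUTPUT = "\n".join([
    _row("Resources", "Non-Resource URLs", "Resource Names", "Verbs"),
    _row("selfsubjectaccessreviews.authorization.k8s.io", "[]", "[]", "[create]"),
    _row("secrets", "[]", "[]", "[get list]"),
    _row("pods/exec", "[]", "[]", "[create]"),
    _row("configmaps", "[]", "[app-config]", "[get]"),
    _row("", "[/healthz]", "[]", "[get]"),
])

# Heuristic watch-list (an assumption of this example): rules a workload's
# service account rarely needs and that are worth a review.
RISKY = {
    ("secrets", "get"): "can read Secrets",
    ("secrets", "list"): "can enumerate Secrets",
    ("pods/exec", "create"): "can exec into pods",
}

def parse_can_i_list(text):
    """Split the table into rows using column offsets taken from the header line."""
    lines = [l for l in text.splitlines() if l.strip()]
    starts = [m.start() for m in re.finditer(r"\S+(?: \S+)*", lines[0])]
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in lines[1:]:
        res, urls, names, verbs = (line[a:b].strip() for a, b in bounds)
        rows.append({"resource": res,  # empty for non-resource URL rules
                     "urls": urls.strip("[]").split(),
                     "names": names.strip("[]").split(),
                     "verbs": verbs.strip("[]").split()})
    return rows

def _covers(pattern, granted):
    """A granted wildcard ('*' or '*.*') covers any pattern; otherwise exact match."""
    return granted in ("*", "*.*") or granted == pattern

def risky_rules(rows):
    """Return one human-readable finding per watch-list hit."""
    findings = []
    for r in rows:
        for (res, verb), why in RISKY.items():
            if _covers(res, r["resource"]) and any(_covers(verb, v) for v in r["verbs"]):
                findings.append(f"{r['resource']} [{' '.join(r['verbs'])}]: {why}")
    return findings
```

Pipe real output into `parse_can_i_list` and extend `RISKY` with whatever your cluster policy forbids for workloads.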
- We are in a transition period: management is used to on-prem, while the next generation is already thinking in containers
- Edge computing brings back some computing power to a device on the edge of the network
  - "Edge computing is a distributed architecture design that places computing nodes at the edge of the network. This brings them much closer to information-gathering sensors and devices, thereby eliminating the need to send large amounts of data to computational services in distant locations. As a result, latency and other issues that might hinder or slow down enterprise operations are resolved." — Trend Micro
- 3 questions to define a threat model:
  - What are we protecting?
  - What are we assuming?
  - Protecting from whom?
- Pi 4 and Pi0W support USB "gadget mode" on the USB-C port
- The open-session idea is important for security people to keep up with developments
- IKEA believes that having one security-savvy person in each product team will go a long way
- What we can learn from Dale Carnegie's "security hat" story: ask users why they do not like the idea, and point out the advantages for them
- Very generic awareness training leads to security fatigue
- TPB: Theory of planned behavior
- positive attitude of the individual + social proof = motivation
- Motivation needs more:
  - TPB + ability to do it + intention to comply
- But the individual cost-benefit analysis per situation (productivity vs security) might outweigh any motivation
- There is also a priorities triangle in security: Security <> Productivity <> Time
- What drives non-compliant behaviour:
  - there is no reason to comply
  - the cost of complying is too high
  - inability to comply
  - "To change a behavior, you first have to change the attitude, thoughts and feelings associated with it" — Christina Lekati
- Security initiatives must be communicated as "enablers", not as "necessary evils"
- Germans are probably less prone to click on social-media-related phishing mails but highly affected by authoritative topics and spear phishing
Env
- Provided by BSidesMEsh21
- Moderator:
- MUC:SEC e.V.
- Presenter:
additional links
- military template for DevSecOps
- https://github.com/thomasfricke/training-kubernetes-security
- Untangling the Web of Cloud Security Threats – Morton Swimmer, Fyodor Yarochkin, Joey Costoya, Roel Reyes
- https://kubestriker.io/
- https://github.com/vchinnipilli/kubestriker
- https://github.com/DissectMalware/XLMMacroDeobfuscator
- https://documents.trendmicro.com/assets/white_papers/wp-identified-and-authorized-sneaking-past-edge-based-access-control-devices.pdf
- Java on Pi
- Configure LUKS Network Bound Disk Encryption with clevis & tang server
- OWASP Security Pin
agenda
https://2021.bsidesmunich.org/agenda/
| Time | Talk | Speaker(s) |
| --- | --- | --- |
| 13:00 – 13:10 | Opening Day 1 | |
| 13:10 – 13:45 | Elbsides Keynote – Practice DevSecOps and Beyond | Thomas Fricke |
| 13:45 – 14:05 | Vulnerable as a Service | Dr. Morton Swimmer |
| 14:05 – 14:40 | Demystifying the state of kubernetes cluster security – the cloud native way | Vasant Chinnipilli & Pralhad Chaskar |
| 14:40 – 15:00 | Coffee Break | |
| 15:00 – 15:23 | Abracadabra – A researcher’s reversing spell! | Sreenidhi Ramadurgam |
| 15:23 – 15:45 | On the edge with access control devices | Dr. Vincenzo Ciancaglini, Joey Costoya |
| 15:45 – 16:15 | How to build better more secure KVM with off-the-shelf hardware | Tim Panton |
| 16:15 – 16:35 | Coffee Break | |
| 16:35 – 17:10 | Rise of the Cyber Jedi – Building a security community of practice | Gustav Lundsgård |
| 17:10 – 17:45 | “If Only They Would Take Us Seriously”: The Behavioral Science Influencing Your Cybersecurity Culture | Christina Lekati |
| 17:45 – 17:50 | Closing Day 1 | |