June 21

Event takeaways: BSidesMeSh21 – day 1


My key takeaways

  • Security in sprints vs whole security sprints?
    • Smaller activities from the very beginning. It is not full time, but always ongoing. And maybe, if the situation is very tricky, entire sprints might be necessary, too. -- Thomas Fricke

  • Kubernetes does its best to be secure on the inside. Unfortunately it is not configured that way by default. Challenge: every developer has to learn what the critical settings are
  • You can ask AWS whether a bucket exists with aws s3api get-bucket-acl --bucket <guessed bucket name>
  • Use bucket logging to get notified if something was (maliciously) changed. Or get pwned and have your bucket mine Monero ;-)
  • Port 10250 can be the kubelet, i.e. Kubernetes
  • Infrastructure as code will lead to security by design - Dr. Morton Swimmer

  • kubectl auth can-i --list will show the privileges for the Kubernetes service account
  • Kubernetes and containerization in general is one of the most important upcoming technologies. But it is also very complex and needs a whole new security mindset compared to the on-prem mindset
    • we are in a transition period where management is used to on-prem and the next generation is already thinking in containers
  • Edge computing brings back some computing power to a device on the edge of the network
    • Edge computing is a distributed architecture design that places computing nodes at the edge of the network. This brings them much closer to information-gathering sensors and devices, thereby eliminating the need to send large amounts of data to computational services in distant locations. As a result, latency and other issues that might hinder or slow down enterprise operations are resolved. -- Trend Micro

  • Three questions to define a threat model:
    • What are we protecting?
    • What are we assuming?
    • Protecting from whom?
  • Pi 4 and Pi0W support "gadget mode" on the USB C port
  • the open session idea is important for security people to keep up with developments
  • IKEA believes that having one security-savvy person in each product team will go a long way
  • What we can learn from Dale Carnegie's "security hat" story: ask the users why they don't like the idea and point out the advantages for them
  • very generic awareness trainings lead to security fatigue
  • TPB: Theory of planned behavior
    • positive for the individual + social proof = motivation
  • Motivation needs more:
    • TPB + ability to do it + intention to comply
  • But the individual cost-benefit analysis per situation (productivity vs security) might outweigh any motivation
  • There is also a priorities triangle in security: Security <> Productivity <> Time
  • What drives non-compliant behaviour:
    • there is no reason to comply
    • the cost of complying is too high
    • inability to comply
  • To change a behavior, you first have to change the attitude, thoughts and feelings associated with it -- Christina Lekati

  • security initiatives must be communicated as "enablers", not as "necessary evils"
  • Germans are probably less prone to click on social-media-related phishing mails but highly affected by authority-related topics and spear phishing

Env

additional links

agenda

https://2021.bsidesmunich.org/agenda/

  • 13:00 - 13:10
    • Opening Day 1
  • 13:10 - 13:45
    • Elbsides Keynote - Practice DevSecOps and Beyond ; Thomas Fricke
  • 13:45 - 14:05
    • Dr.Morton Swimmer ; Vulnerable as a Service
  • 14:05 - 14:40
    • Vasant Chinnipilli & Pralhad Chaskar ; Demystifying the state of kubernetes cluster security - the cloud native way
  • 14:40 - 15:00
    • Coffee Break
  • 15:00 - 15:23
    • Sreenidhi Ramadurgam ; Abracadabra - A researcher's reversing spell!
  • 15:23 - 15:45
    • Dr. Vincenzo Ciancaglini ; Joey Costoya ; On the edge with access control devices
  • 15:45 - 16:15
    • Tim Panton ; How to build better more secure KVM with off-the shelf hardware.
  • 16:15 - 16:35
    • Coffee Break
  • 16:35 - 17:10
    • Rise of the Cyber Jedi – Building a security community of practice ; Gustav Lundsgård
  • 17:10 - 17:45
    • “If Only They Would Take Us Seriously” : The Behavioral Science Influencing Your Cybersecurity Culture ; Christina Lekati
  • 17:45 - 17:50
    • Closing Day 1

Tags

BSides, conference, containers, DevSecOps, edge computing, IoT, malware, social engineering
