Four Cloud Mistakes You Need to Avoid
At the 2015 Security B-Sides conference in San Francisco, I caught up with Dave Lewis (@gattaca), global security advocate for Akamai, and Bill Brenner (@billbrenner70), senior technical writer for Akamai, for a conversation about big cloud mistakes. Here are their four suggestions on what to avoid.
Not doing proper input sanitation
These are SQL injection problems and it’s a solvable problem that can be helped by a cloud provider, such as Akamai, but it’s also something that needs to be addressed by the application itself, “because you have to look at it as a defense-in-depth approach. You want to know your applications are taking security into account, when you’re writing them,” said Lewis.
Falling for social engineering tricks
“People are still very susceptible to clicking on links when somebody tries to trick them with a message of ‘You should see what somebody else is saying about you,’” said Brenner.
Poor password management
We’re all inundated with the need to manage multiple accounts with multiple IDs and passwords. It’s impossible to manage 60 or even hundreds of different accounts with passwords. To manage that complexity, people often use the same password or weak passwords, explained Brenner. “That really sets you up for someone to come in and really cause trouble with all your different accounts.”
Not locking down your registrar information
“Make sure your registrar information for your domain is locked down,” said Lewis. “You want to make sure that you have that sort of information set up in such a way that it’s not easily compromised. There are some registrars out there where you can send them a fax on falsified letterhead and actually change that data to point to a site that the customer no longer controls.”
Related Articles
How A CNAPP Can Take You From Cloud Security Novice To Native In 10 Steps
May 23, 2024Context is critical in cloud security. In a recent RSA presentation, Tenable's Shai Morag offered ten tips for end-to-end cloud infrastructure security.
Logs of Our Fathers
September 22, 2009<p>At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it <a href="http://www.ted.com/talks/lang/eng/george_dyson_at_the_birth_of_the_computer.html" target="_blank">here, on the TED site</a>. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his powerpoint file, and subsequently tracked him down and am re-posting this material with his permission.</p> <h3>November, 1951 </h3> <p style="TEXT-ALIGN: center"><a href="http://www.ranum.com/security/computer_security/papers/ur-syslogs/first_syslog.jpg" target="_blank"><img border="0" height="375" src="http://www.ranum.com/security/computer_security/papers/ur-syslogs/t/first_syslog.jpg" width="500" /></a> <br /><strong>Machine Log #1</strong></p>
ShmooCon 2009 - Playing Poker for Charity
February 12, 2009Tenable sponsored a booth at this year's ShmooCon and ran a Texas Hold'em table to help raise money for the Hackers for Charity organization. We raised close to $400 from conference attendees ...
Cybersecurity Snapshot: Tenable Report Warns About Toxic Cloud Exposures, as PwC Study Urges C-Suite Collaboration for Stronger Cyber Resilience
October 18, 2024Check out invaluable cloud security insights and recommendations from the “Tenable Cloud Risk Report 2024.” Plus, a PwC study says increased collaboration between CISOs and fellow CxOs boosts cyber resilience. Meanwhile, a report finds the top cyber skills gaps are in cloud security and AI. And get the latest on SBOMs; CIS Benchmarks; and cyber pros’ stress triggers.
At Nearly $1 Billion Global Impact, the Best Cloud Security Couldn’t Stop This Hybrid Attack Path. Takeaway: Map and Close Viable Attack Paths Before Breaches Begin.
October 16, 2024Conventional wisdom suggests best-of-breed is the only way to secure your clouds. But what of hybrid attack paths that cross security domains — like those exploited in the SolarWinds and Capital One breaches? Exposing the gaps attackers exploit to move laterally requires visibility and context across security silos.
Oracle October 2024 Critical Patch Update Addresses 198 CVEs
October 15, 2024Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.
- Conferences