A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Netflix patches Linux SACK vulnerability (SC Magazine, Jun 18 2019)
Netflix researchers uncovered several security vulnerabilities within the TCP implementations on Linux and FreeBSD kernels. The most severe of the flaws is the SACK Panic vulnerability, which could allow an attacker to remotely induce a kernel panic within recent Linux operating systems, according to a June 17 OpenWall blog post.
Increasing endpoint security with the Center for Internet Security’s updated Chrome Browser Benchmark (Google Cloud Blog, Jun 18 2019)
“Many of our enterprise customers rely on the Center for Internet Security (CIS) Chrome Browser Benchmark for recommendations on which policies to configure to make Chrome Browser more secure and compliant for their environment. Over the past few months, the Google Chrome Browser security team has worked closely with CIS to launch the fully revamped CIS Benchmark 2.0 for Google Chrome Browser.”
The Security Pro’s Quick Comparison: AWS vs. Azure vs. GCP (Securosis Blog, Jun 12 2019)
“The problem for security professionals is that security models and controls vary widely across providers, are often poorly documented, and are completely incompatible. Anyone who tells you they can pick up on these nuances in a few weeks or months with a couple training classes is either lying or ignorant. It takes years of hands-on experience to really understand the security ins and outs of a cloud provider.”
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Palo Alto Networks Reports Identify Container Security Concerns (Container Journal, Jun 13 2019)
A pair of reports published by Palo Alto Networks makes it apparent that the biggest issue in container security is not how secure the containers are, but rather how they are configured. Unit 42 researchers within Palo Alto Networks plugged simple search terms into the Shodan search engine to discover 20,353 Kubernetes containers globally, along with another 23,354 Docker containers.
Securing multi-cloud environments: assurance through consistency (SC Magazine, Jun 13 2019)
Meeting the security and compliance needs across different cloud service providers (CSP), and an organization’s own data center, remains a thorny challenge. Today, many enterprises are migrating business-critical workloads to the cloud, or have done so recently. Others are taking a ‘lift-and-shift’ approach for select applications, leveraging new integrations for legacy systems.
Security First in the Cloud Wars (SecurityWeek, Jun 13 2019)
“The Cloud Wars” may be dominating IT news headlines, but what does this phrase actually mean? And is it something that an enterprise needs to be concerned with?
The Life-Changing Magic of Tidying Up the Cloud (Dark Reading, Jun 17 2019)
Most companies’ cloud security operations would benefit significantly from clean-up, alignment, and organization.
What does runtime container security really mean? (Help Net Security, Jun 17 2019)
End-to-end protection for containers in production is required to avoid the steep operational and reputational costs of data breaches. As news of container attacks and fresh vulnerabilities continues to prove, shortcuts (or incomplete security strategies) aren’t going to work. Runtime container security means vetting all activities within the container application environment, from analysis of container and host activity to monitoring the protocols and payloads of network connections.
Microsoft Urges Azure Customers to Patch Exim Worm (Infosecurity Magazine, Jun 17 2019)
Threat is targeting millions of globe’s email servers
As Cloud Adoption Grows, DLP Remains Key Challenge (Dark Reading, Jun 18 2019)
As businesses use the cloud to fuel growth, many fail to enforce data loss prevention or control how people share data.
Working backward: From IAM policies and principal tags to standardized names and tags for your AWS resources (AWS Security Blog, Jun 17 2019)
When organizations first adopt AWS, they have to make many decisions that will lay the foundation for their future footprint in the cloud. Part of this includes making decisions about the number of AWS accounts you choose to operate, but another fundamental task is constructing practical access control policies so that your application teams can’t affect each other’s resources within the same account. With AWS Identity and Access Management (IAM), you can customize granular access control policies that are appropriate for your organization, helping you follow security best practices such as separation-of-duties and least-privilege.
The DevOps Security Stack (DevOps, Jun 13 2019)
“This article walks through those challenges to highlight what it takes to secure a DevOps workflow. I won’t focus on specific tools because DevOps is not about specific tools; rather, I’ll focus on the components of DevOps workflows that present special security challenges and explain how to address them.”
Critical flaw found in Evernote Web Clipper for Chrome (Naked Security – Sophos, Jun 14 2019)
Anyone using it in its unpatched state is at risk not only of a compromise of their Evernote account but, potentially, of third-party accounts too.
Web-based DNA sequencers getting compromised through old, unpatched flaw (Help Net Security, Jun 17 2019)
Unknown attackers are trying to exploit a vulnerability in dnaLIMS, a web-based bioinformatics laboratory information management system, to implant a bind shell into the underlying web server.
Evite hit with data breach (SC Magazine, Jun 14 2019)
Online invitation company Evite announced it was affected by a data breach involving the unauthorized access of customer information. Evite learned of the incident in April 2019…
Free Cloudflare Tool Helps CAs Securely Issue Certificates (SecurityWeek, Jun 18 2019)
Internet performance and security firm Cloudflare on Tuesday announced the availability of a free API designed to help certificate authorities (CAs) securely issue certificates by ensuring that malicious actors cannot complete the domain control validation process via BGP hijacking and DNS spoofing attacks.
Google Targets Deceptive Sites with New Chrome Tools (Dark Reading, Jun 18 2019)
A new extension and browser alert aim to help users report deceptive sites and prevent them from encountering fraud.