Catching up: on-demand sessions from (ISC)² Security Congress 2022

Screenshot of the (ISC)2 Security Congress 2022 virtual conference entry hall.  There are people walking around.

(ISC)² make session recordings available after the event, and with a number of sessions of interest running simultaneously these are invaluable.  I received CPE / CPD credits for any sessions I watched prior to the end of December, but the recordings remain available afterwards too.  Here are some summary notes from the recordings I've watched so far.

Top public cloud security fails and how to avoid them

Karl began with an important thought: breaches are more likely to happen due to misconfiguration than attacks.  This is something that has been touched on in other sessions too, as a misconfiguration in the cloud potentially exposes resources directly to the public Internet (rather than in a traditional data centre, where you at least have to update a firewall and configure NAT mappings).  Karl then went on to describe his top five cloud failures to avoid:

  1. Lack of cloud native security architecture
  2. Cloud credential creep
  3. Broken data plane access control
  4. Exposed public endpoints
  5. Mismanaged misconfiguration management

My key takeaway from this session was that controlling user access would reduce a lot of the risk and issues.  Karl shared that many user accounts are provisioned with too great a level of privilege, or that accounts sit unused.  This isn't a uniquely cloud problem (I've worked at organisations where I had 180 defunct user accounts deleted in my first two months), but it is something that needs to be tackled.  Fortunately, there are tools to help identify dormant and over-privileged accounts.  It's also worth remembering to avoid using root or owner privileged accounts wherever possible.
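To make the "dormant and over-privileged accounts" point concrete, here is an added example of the kind of review such a tool performs.  It is my own illustration rather than anything from Karl's talk: the account inventory is constructed, the role names `root`, `owner` and `admin` are assumed placeholders, and a real review would pull the same fields (roles, last sign-in, live API keys) from the cloud provider's identity API.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Role names treated as root/owner-level.  Hypothetical names; a real tenant
# would map these from its provider's role catalogue.
PRIVILEGED_ROLES = {"root", "owner", "admin"}

# Date the review is run against (fixed so the example is reproducible).
REVIEW_DATE = date(2023, 1, 15)


@dataclass
class Account:
    name: str
    roles: tuple                 # role names granted to the account
    last_login: Optional[date]   # None means the account has never signed in
    active_keys: int             # number of live API keys / access tokens


# Constructed sample inventory for the example; not from any real tenant.
ACCOUNTS = [
    Account("alice", ("developer",), date(2023, 1, 10), 1),
    Account("bob", ("owner",), date(2022, 6, 1), 2),
    Account("svc-backup", ("storage-reader",), None, 1),
    Account("carol", ("admin", "developer"), date(2023, 1, 14), 0),
    Account("dave", ("developer",), date(2022, 9, 30), 1),
]


def is_dormant(account, today, max_idle_days=90):
    """True when the account has never signed in or has been idle too long."""
    if account.last_login is None:
        return True
    return account.last_login < today - timedelta(days=max_idle_days)


def is_overprivileged(account):
    """True when the account holds a root/owner-level role."""
    return bool(PRIVILEGED_ROLES & set(account.roles))


def review_accounts(accounts, today, max_idle_days=90):
    """Return {account name: [finding, ...]} for accounts needing attention.

    A dormant account that also holds a privileged role is the riskiest
    combination: it grants broad access, and nobody is using it day to day
    who would notice unexpected activity on it.
    """
    findings = {}
    for acct in accounts:
        issues = []
        dormant = is_dormant(acct, today, max_idle_days)
        privileged = is_overprivileged(acct)
        if dormant:
            issues.append("dormant: no sign-in within %d days" % max_idle_days)
        if privileged:
            held = sorted(PRIVILEGED_ROLES & set(acct.roles))
            issues.append("privileged role(s): " + ", ".join(held))
        if dormant and acct.active_keys:
            issues.append("dormant but still has %d active key(s)" % acct.active_keys)
        if dormant and privileged:
            issues.append("HIGH: dormant privileged account, disable or remove")
        if issues:
            findings[acct.name] = issues
    return findings


def dormant_accounts(accounts, today, max_idle_days=90):
    """Names of dormant accounts, sorted for stable reporting."""
    return sorted(a.name for a in accounts if is_dormant(a, today, max_idle_days))


def overprivileged_accounts(accounts):
    """Names of accounts holding a privileged role, sorted."""
    return sorted(a.name for a in accounts if is_overprivileged(a))


if __name__ == "__main__":
    for name, issues in review_accounts(ACCOUNTS, REVIEW_DATE).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The 90-day idle window is a starting point, not a standard; service accounts that never sign in interactively (like `svc-backup` above) will always show as dormant by this measure, so for those the review should look at key usage instead of sign-in dates.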

Publicly exposed endpoints are definitely a problem and can easily lead to information leakage (or worse).  Using policies to prevent people creating exposed endpoints, be they storage buckets, security groups allowing inbound connections, or servers, is a great way to reduce the risks.  You can even use policies to mandate logging, so you actually have logs to refer to in the event of an incident.
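As an added illustration of the policy idea (not code from the talk or from any cloud provider's policy engine), the following checks a constructed resource inventory against three rules: no publicly readable storage buckets, no security group ingress open to the whole Internet, and logging enabled everywhere.  The inventory shape and field names (`public_access`, `ingress`, `public_ip`, `logging`) are assumptions for the example; a real tool would read them from the provider's API, and the same rules are what a preventive policy would evaluate at resource creation time.

```python
import ipaddress

# Constructed inventory for the example; the field names are assumptions,
# not any provider's schema.
INVENTORY = [
    {"type": "bucket", "name": "public-assets", "public_access": True, "logging": True},
    {"type": "bucket", "name": "customer-exports", "public_access": False, "logging": False},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "source": "0.0.0.0/0"}]},
    {"type": "security_group", "name": "db-sg",
     "ingress": [{"port": 5432, "source": "10.0.0.0/8"}, {"port": 22, "source": "::/0"}]},
    {"type": "server", "name": "bastion-01", "public_ip": "198.51.100.7", "logging": True},
    {"type": "server", "name": "app-01", "public_ip": None, "logging": False},
]


def is_unrestricted(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_bucket(res):
    if res.get("public_access"):
        yield ("NO_PUBLIC_BUCKET", "public access is enabled")
    if not res.get("logging"):
        yield ("LOGGING_REQUIRED", "access logging is disabled")


def check_security_group(res):
    for rule in res.get("ingress", []):
        if is_unrestricted(rule["source"]):
            yield ("NO_OPEN_INGRESS",
                   "port %s is open to %s" % (rule["port"], rule["source"]))


def check_server(res):
    if res.get("public_ip"):
        yield ("NO_PUBLIC_IP", "has public IP %s" % res["public_ip"])
    if not res.get("logging"):
        yield ("LOGGING_REQUIRED", "host logging is disabled")


CHECKS = {
    "bucket": check_bucket,
    "security_group": check_security_group,
    "server": check_server,
}


def evaluate(inventory):
    """Return a list of (resource name, rule id, message) policy violations.

    A resource type with no policy is reported rather than silently passed,
    so new resource kinds fail closed until someone writes a rule for them.
    """
    findings = []
    for res in inventory:
        check = CHECKS.get(res["type"])
        if check is None:
            findings.append((res["name"], "UNKNOWN_TYPE",
                             "no policy for type %r" % res["type"]))
            continue
        for rule_id, message in check(res):
            findings.append((res["name"], rule_id, message))
    return findings


def violating_resources(inventory):
    """Sorted names of resources with at least one finding."""
    return sorted({name for name, _, _ in evaluate(inventory)})


if __name__ == "__main__":
    for name, rule_id, message in evaluate(INVENTORY):
        print("%-18s %-18s %s" % (name, rule_id, message))
```

The `0.0.0.0/0` check is deliberately the narrowest version of the rule: it only catches ranges that match every address.  Whether a specific non-private range (a partner's office, say) counts as "exposed" is a judgement for your own policy, which is why the rule is a separate function you can tighten.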

During the questions at the end there was a query about getting credentials created.  We were advised to ensure the process to obtain appropriate credentials was easy, ideally automated or with a quick turnaround, to stop colleagues going rogue and using shadow IT assets to solve their problems.

Best Practices for Managing and Preventing Insider Threats from Interviewing Experts

This talk was about some research that Mike had done as part of his work.  As part of his qualitative research he talked to twenty-five professionals, who had an average of over eleven years of experience each.  He went on to define three types of insider:

  • Malicious insiders
  • Negligent insiders
  • Accidental insiders

As expected, malicious insiders were intentionally destructive.  Negligent insiders might be aware of the risks but continue the dangerous behaviours, for example military personnel who know GPS tracking on their phones can map military bases but, instead of disabling the feature, start a Fitbit workout that records the route on a map.  Accidental insiders might be people who have been fooled by attackers, despite being trained.  Mike highlighted that having the training may not be enough to protect a colleague from an attacker (and this is something I agree with, having seen people who I know have attended training fall for phishing exercises).

Mitigations are really important here, and behavioural analysis can be particularly useful.  For example, if an employee that doesn't usually download much suddenly starts downloading lots of data, they could be putting it on memory sticks to exfiltrate it.  Similarly, if they don't normally upload much, they could be transferring your data to a third party.
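The behavioural analysis Mike described boils down to comparing each person against their own baseline rather than a fixed threshold.  Here is an added example of that idea, written for this post and not taken from the talk: it parses constructed daily per-user download/upload totals (the log format and the users `alice` and `bob` are made up) and flags a day only when the volume is well above both that user's median history and an absolute floor.

```python
import statistics
from collections import defaultdict

# Constructed daily transfer totals per user, in MB; not real telemetry.
SAMPLE_LOG = """\
2023-01-09 alice download 120 upload 4
2023-01-10 alice download 95 upload 6
2023-01-11 alice download 130 upload 3
2023-01-12 alice download 110 upload 5
2023-01-13 alice download 4800 upload 2
2023-01-09 bob download 20 upload 15
2023-01-10 bob download 25 upload 12
2023-01-11 bob download 18 upload 14
2023-01-12 bob download 22 upload 900
2023-01-13 bob download 19 upload 16
"""


def parse_log(text):
    """Parse 'DATE USER download MB upload MB' lines into {user: [(date, dl, ul)]}."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, _, dl, _, ul = line.split()
        per_user[user].append((day, int(dl), int(ul)))
    for rows in per_user.values():
        rows.sort()   # ISO dates sort chronologically as strings
    return per_user


def detect_anomalies(text, min_history=3, ratio=5.0, floor_mb=200):
    """Flag days where a user's volume is far above their own median baseline.

    A day is flagged when its value exceeds both `ratio` times the median of
    that user's earlier days and an absolute `floor_mb`, so someone whose
    baseline is a few MB is not flagged for ordinary noise.  The median keeps
    one earlier spike from inflating the baseline and hiding the next one.
    Returns (date, user, direction, value, baseline) tuples sorted by date.
    """
    alerts = []
    for user, rows in parse_log(text).items():
        for direction, idx in (("download", 1), ("upload", 2)):
            history = []
            for row in rows:
                value = row[idx]
                if len(history) >= min_history:
                    baseline = statistics.median(history)
                    if value > max(ratio * baseline, floor_mb):
                        alerts.append((row[0], user, direction, value, baseline))
                history.append(value)
    return sorted(alerts)


if __name__ == "__main__":
    for day, user, direction, value, baseline in detect_anomalies(SAMPLE_LOG):
        print("%s %-6s %-8s %5d MB (median so far %s MB)" % (day, user, direction, value, baseline))
```

On this data `bob`'s 900 MB upload and `alice`'s 4800 MB download are flagged while their normal days are not; the alert is a prompt for a human to look, not proof of wrongdoing, which is why the output carries the baseline the value was compared against.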

We were reminded that staff can suffer from "training fatigue", where they're forced to sit through yet another security training course.  While it's not uncommon to have to resit these yearly, it's important to strike a balance and to ensure the courses are still current!

Don't forget security is a team sport.  We need management buy-in (rather than apathy), the security team, and our colleagues to be on their guard for suspicious behaviours - both from external attackers and against mistakes or malicious insiders.

Imposter Syndrome…it’s Not Just You

I picked this talk because imposter syndrome is something I struggle with, so seeing this title was reassuring.  Our speaker, Larry, explained that he didn't think he'd experienced imposter syndrome until he started speaking to others, when he realised he'd certainly felt it too.

Larry covered some myths early on in the talk:

  • Myth: It's not real
  • Myth: It's a mental health issue
  • Myth: Only felt by women
  • Myth: Successful / confident people don't experience it

At the heart of it, imposter syndrome is doubting yourself which includes feeling that you have a job because you've fooled others.  There are several ways to combat this, which I'll paste as bullet points from my notes for easy reading:

  • The first step is to recognise it
  • Separate feelings from facts – you've done the work to be where you are
  • Don't compare yourself to others – if you're in the room with these people, then that's where you belong
  • Don't expect perfection
  • Celebrate your successes – write them down
  • Share failures, as we all fail sometimes
  • Talk to others about it
  • Give yourself some grace

Remember: you're not alone, and imposter syndrome doesn't discriminate based on race, age, gender etc.

Banner image: Screenshot of the virtual conference venue landing page.