The aftermath of the WannaCry ransomware attack continued to dominate the headlines this past week, where the conversation ranged from who should be responsible to what can be done to stop future attacks. There were more than enough opinion pieces to get through, and I tend to favor the thoughtful analysis over the impulsive fear-mongering. A couple pieces I came across were of the former. Dennis Fisher of On the Wire points out that we expected something like this, but we’re really at the beginning of a trend as the attacks will only get better with each passing attempt.
Last week was the Rocky Mountain InfoSec Conference in Denver, where I gave a talk about BeyondCorp to a fully captivated audience – always a good feeling as a speaker. I wrote up a quick blog post about the event, with the slides from my presentation. Have a look: https://www.scaleft.com/blog/a-call-for-proactive-security-at-rocky-mountain-infosec-2017/ Now it goes without saying that the big story over the past week has been the WannaCry ransomware attack. As he often does, Troy Hunt gives a solid breakdown of what happened (in case you’ve been living under a rock).
Wheels up… I am in the air on my way to Denver for the Rocky Mountain InfoSec Conference. I’m giving a talk tomorrow from 2-3 PM titled BeyondCorp - Google Security For Everyone Else. I’ll share my presentation materials after the fact, but I first wanted to mention something that I thought of while preparing my slides - which I still have 27 hours to finish before going on stage… every minute counts!
I’m just returning from a few days at Disney World with my future in-laws from Brazil, and it was in a word - magical! (Yes, I have to say that if I want to keep my wedding plans intact). It’s been nearly 30 years since my grandparents took me as a bright-eyed child, and while the attractions had a familiar feel, the park experience was a whole new world.
One of the guiding principles of BeyondCorp is how access decisions are made based on dynamic user and device conditions as opposed to traditional network-based methods. Within Google, their own Trust Inferer system continuously collects employee device data, which is then processed to determine its Trust Tier. Through configurable Access Policies, each resource is assigned a minimum Trust Tier based on the sensitivity of the data. To be granted access to a resource, the device Trust Tier must meet that of the resource.
The Shadow Brokers leaks have certainly dominated the headlines, bringing out all the security researchers to investigate the scope of vulnerabilities – most notably the SWIFT network and a number of Windows 0-days. A good list of all the exploits is up on GitHub here. What still seems to be unclear, however, is when and how Microsoft was alerted to the numerous CVEs affecting their products given that they were able to patch the exploits a month before the leaks surfaced.
I’m just returning from Austin, where I attended the InfoSec Southwest Conference over the weekend. It was great to mingle with the local community, and to converse about corporate security architectures. While BeyondCorp was only known by a small percentage of attendees, the principles resonated well with the folks working in InfoSec teams. Generally speaking, architectural patterns such as Zero Trust sit with IT, so it will take some awareness campaigns to spread further.
VPNs have been dominating the headlines lately, but for far different reasons than the outcome of BeyondCorp I often talk about here. On the contrary, in fact. With personal information seemingly up for grabs between governments and hackers, the average Internet user is fraught with concern. Many opportunists have used that fear to push personal VPN services. I’ll defer to Brian Krebs on whether or not it’s worth the effort.
As promised last week, I have videos to share. First, I will shamelessly plug my own talk during the BeyondCorpSF Meetup held at Heavybit Industries earlier this month. The key theme was how Zero Trust is changing our notion of Identity & Access, and what this means from a broader market perspective. Have a watch. http://www.heavybit.com/library/blog/beyondcorp-meetup-google-security-for-everyone-else/ For a more technical deep dive, Evan Gilman and Doug Barth gave a talk about network design at last week’s SREcon.
The video from last week’s BeyondCorpSF Meetup is still in post-production, so it’ll be in next week’s newsletter. Until then, I wanted to take a brief moment to share a thought on the community. It was only a few months ago that BeyondCorp was barely known outside of Google as a couple of research papers. Now it’s capturing the attention of IT & Security professionals from all sorts of organizations across the globe.