AWS Certified Architect Associate Database Study Sheet

Amazon Databases

RDS

Amazon RDS ( Relational Database Service ) has operational benefits; simplifies setup, scaling and ops of a relational DB in AWS. Ideal for users to spend more time focusing on application itself; while RDS offloads admin tasks, like backups, patching, scaling and replication.

Currently supported MySQL, PostGreSQL, Maria DB, Oracle, SQL Server and Amazon Aurora. Built on Amazon Elastic block storage and can scale up to 4 to 6 TB in provisioned storage and up to 30,000 IOPS;

Amazon RDS supports three Storage types:

-Magnetic: Cost effective Storage that is ideal for apps with light I/O requirements

-General Purpose ( SSD ) faster than magnetic, burst to meet spikes; good for small to med DB

-Provisioned IOPS SSD designed for I/O intensive workloads, random I/O throughput

Min Size for SSD EBS: 1 GiB

Max Size for SSD EBS: 16 TiB

Amazon Aurora DB:

Commercial grade database; cost effective and open source. 5 X Performance of mySQL. Aurora consists of a Primary Instance for READ WRITE and an Amazon Aurora Replica with is a RO. Aurora Scaling: 2 copies of your data in each AZ, with a min of three availability zones, 6 copies of your data.

Backups and Restore

RPO – Recovery Point Objective is defined as the max time of data loss that is ok in the event of a failure or outage event.

RTO – Recovery Time Objective is defined as the max amount of downtime that is permitted to recover from backup and get back to normal ops.

Automated backups feature for RDS: Enables point in time recovery of DB istance. RDS does a Full Daily Back up ( during your preferred back up window ) + captures transaction logs.  Once a day backups will be retained by default; min default retention is 7 days; max retention period is 35 days.  Will occur during a pre-defined 30 min window

** When you delete an RDS instance; all backups are deleted by default** 

You are given the chance to create a snapshot when you delete an RDS instance.

Manual snapshots are not deleted, however. .

Manual Snapshots: Can be performed at any time.  Can only be restore to point in time they were created. Kept until you explicitly delete them.

High Availability and Multi-AZ

Multi-Az deployments allow you to create a DB cluster across, well, you guessed it – Multiple Availability Zones.  This is to increase availability, not performance. DB Failure over in the event of an outage is fully automatic and requires no administrative intervention. Replicates from master DB to to slave instance using synchronous replication.  Route 53 will resolve the new address in event of failover.

Amazon RDS will initiate a failover in the event of:

Loss of availability in Primary AZ.

Loss of Network connectivity to primary DC.

Compute unit failure in primary DB

Storage failure on primary DB

Read Replicas for Increased Performance Horizontally Scaling

  • Read replicas are not for Availability – for increased READ performance 
  • Scale beyond the capacity of a single DB instance for read -heavy workloads.
  • Handle read traffic while DB instance is unavailable
  • Offload reporting adjacent a replica instead of primary
  • Uses asynchronous replication when there is change to the Primary
  • Read Replicas are for these three RDS types: MySQL, MAriaDB and PostGreSql

 Multi-AZ RDS instances + Backups:

When Multi AZ is used on an RDS instance, I/O is not suspended on primary during a backup, since the backups are taken from standby.

AWS DB Security

 

Use IAM Policies with fine-grained access that limit what DB adminstrators can do

Deploy RDS instances into a VPC private subnet

Restrict access to DB using ACL

Restrict access with Security Groups

Rotate Keys and Passwords

AWS RedShift Datawarehouse

OLTP – Online transaction Processing – operations that are frequently writing and changing data. Actions performed on standard DBs.

OLAP – Online Analytical Processing – For datawarehouse. Complex query against large datasets. ” For example, where online transaction processing (OLTP) applications typically store data in rows, Amazon Redshift stores data in columns, using specialized data compression encodings for optimum memory usage and disk I/O”

AWS Redshift is a fast, powerful, fully managed petabyte scale DWH service in the Cloud. Give fast querying abilities over structured data using standard SQL commands to support interactive queying over large datasets.

 

NoSQL Database and Amazon Dynamo DB

 

Traditional DB; tables have a pre-defined schema, table name, primary key, column names and data types.

NoSQL DB are non-relation DBs; no existing traditional table for data stores. Example formats:

-Document DB

-Graph Stores

Key/VAlue Stores

Wide Column Stores

DynamoDB is an AWS NoSQL Service; fully managed, extremely fast with predictable performance by automatically distributing data and traffic for a table over multiple partitions.  All data on high performance SSD drives.  Protects data by replicating data across multiple AZ within an AWS Region.

DynamoDB only requires you have a primary key attribute ; but you don’t need to define attr names and data types in advance. Each attr in an item is a key value pair / can be single valued or multi-valued

{

CarName = “Red5”

CarVendor = “Suzuki”

CarVIN = “12345678890abcdefg”

}

Eventually consistent reads: When data is read; the repsonse may not reflect the results of a recently completed WRITE.

Strongly consistent READS: When this type of request is given; Dyanmo DB returens  a response with most up to date writes

 

AWS Certified Architect Associate S3 Study Sheet

AWS S3

Amazon S3 is durable, scalable Cloud object Storage based on key-value pair . Number of objects you can store is unlimited; largest object size is 5 TB; largest single PUT is 5 GB.

A Bucket is a logical container for objects stored on S3; simple flat folder with no system hierarchy. ( however there is a logical hierarchy, like [ Folder/File ] Objects in AWS S3 buckets are automatically replicated on multiple devices in multiple facilities within a region.  100 buckets per account by default. Buckets have unique names. Can be 63 characters. Prefixes and delimiters may be used in key names. Data is managed as objects using an API; buckets can host STATIC web content only. S3 buckets support SSL encryption of data in transit and data at rest.

AWS Objects are private by Default and only accessible to the owner

AWS S3 Storage Classes

Standard S3 Storage [ default Storage Class ] is 99.9999999%Durability and 99.99% Available [ don’t confuse the two ] Low Latency and high throughput.  Supports SSL in transit and at rest.  Supports LifeCycle Management for migration of Objects.

Standard IA Storage ( Infrequently Accessed ) is optimized for long lived and infrequently accessed data. 99.9999999% Durability and 99.90% Availability. Min object size 128KB and greater than 30 days  Ideal for long term storage, backups and as a data store for DR. Supports SSL in transit and at rest.  Supports LifeCycle Management for migration of Objects.

Reduced Redundancy Storage ( RRS ) is optimized for non-critical, reproducible data,that is stored at lower levels of redundancy. Reduced Storage Cost. 99.99% Durable and 99.99% Available. 99.99% Durability and 99.99% Availability. Designed to sustain the loss of a single facility.

Use Cases: ( thumbnails, transcoded media or other processed data that can be reproduced easily )

Amazon Glacier is optimized for Data Archiving. Extremely Low Cost. Retrieval can be up to several hours/ Vault Lock feature enforces compliance via a lockable key. [ 3 -5 hour retrieval ]

Glacier Uses cases include: [ Media Asset Archiving, Healthcare Information Archiving, Scientific Data Storage, Digital Preservation, Magnetic Tape Replacement ].  You can restore up to 5% of your data for free each month [ you can set up data retrieval policy to eliminate going over free-tier ]

Glacier as a Standalone Service: Data is stored in encrypted archives that can be as large as 40TB Vaults are containers for Archives and vaults can be locked for compliance

All Classes Support AWS Life Cycle Management Polices; transition to different class; and expiration of objects.

S3 supports Multi Factor  (MFA ) Delete – to protect form accidental deletes. MFA Delete can only be enabled by the root account.

S3 DATA CONSISTENCY MODELS

  • S3 provides for read after write consistency for PUTS of new objects
  • S3 provides for eventual consistency for overwrite PUTS and DELETES

AWS S3 Security

Bucket Policies – JSON language to create; you can grant permissions to users [ allow / deny ] to perform specific actions all or part of objects in buckets. Broad Rules across all requests. Can restrict http referrer or IP

Bucket ACL – Grant specific permissions R, W and Full_control to specifc users

IAM Policy – grant IAM users fine-grained control to thier S3 buckets while maintaining full control of everything else

Encryption

SSE-S3 Keys – Check box style encryption solution where AWS is responsible for key mgmt and key protection. All objects are encrypted with a unique key. The actual object is then encrypted further by a separate master key.; a new mater key is issued monthly; with AWS rotating keys.

SSE-KMS – Amazon handles key mgmt and protection for S3, but you manage the keys. Separate permissions for master key; and provides auditing so you can see who access the object with the key.; allows you to view any failed attempts.

SSE-C Used when customer wnats to maintain keys; but does not want to maintain an encryption library. AWS will encrypt and decrypt objects; while customer maintains full control of keys.

Client Side Encryption

This is sued when you want to encrypt data BEFORE sending it to AWS S3. Client has most control; maintains end-to-end control of encryption process. You have two options:

Use an AWS KMS managed customer master key

Use a client side master key

Pre-Signed URLs: Use Pre-signed URLS for time-limited download access

Bucket Versioning

Allows you to preservice, retrieve and restore every version of every object stored in the bucket. Once version is turned on; it cannot be turned off, only disabled.

Cross Region Replication

Allows you to asynchronously replicate all new objects in the source host bucket in one AWS Region to a target bucket in another region. And metadata and ACL associated with the object are part of the replication. If CRR is enabled while objects are in the bucket; it won’t affect those; only NEW objects.  Versioning must be enabled for both source and destination buckets for CRR to work + you must have an IAM policy to give permission to replicate objects on your behalf.

Event Notifications and Logging

Event notifications are set at the bucket level and can trigger a message in Amazon SNS or SQS or store an action in AWS Lambda in response to an upload or delete of an object (by PUT, POST, COPY, DELETE  or multipart upload completion). You can configure Event notifications through the S3 console, trough REST API or by using Amazon SDK.

Logging is off by default. When you enable logging for the source bucket; you must choose a target bucket.

Encrypt your AWS API Key with GPG

In AWS, when you create a user in IAM and you give that user ‘programatic’ access, AWS will give you that user’s API key. there are two major rules one must follow with the API key.

  1. NEVER hard code your API key into your code.
  2. Never store your API unencrypted.

To help with #2, in Linux you can just use GPG

First install it, for Ubuntu:

    sudo apt-get install gnupg2 -y

#or for RHEL:/Centos

 

    yum install gnupg2

 

and then just run it against the text file where your API keys are:

  1. Encrypt the file with the command
    gpg -c API.txt
  2. Enter a unique password for the file and hit Enter.
  3. Verify the newly typed password by typing it again and hitting Enter.

 

      4. Looking at the output of an an ls -hal the original file is still there; so

    rm -rf API.txt

      5. When ready, Decrypt the file with the command

    gpg API.txt

Crazy Ransomware based on NSA tool spreads across the Globe!

The Security Defenders are working overtime today to stop WCry [ WannaCry ]. Right now, 45,000 attacks of the WannaCry ransomware are reported in 74 countries around the world. This is pretty bad, there are reports of Hospitals being shut down due to this, Service Providers shutting down their computers and many other reports out there of companies affected.

According to Kaspersky, WCry is leveraging an SMBv2 Remote code execution, derived from the NSA Tool kit.    Here is the US-CERT Confirmation of WCry.

MS17-010 is the Patch MS released in April  to address the vulnerability this piece of ransomware is using and if this is not on your system; you are vulnerable.

Close Firewall ports 445/139 & 3389.

Here is a Live MAP at Malware Tech, monitoring the Spread

Kaspersky’s Global Lab has a Solid Write Forensic Up

Fig 1, Machine infected with WCry  Image via Twitter Malware Hunter Team.

 

Big Box Electronics Retailer has Vulnerable Cisco IP phones connected to their POS systems

You only have to go as far as your neighborhood electronics store to see poor Security practice. I snapped this photo below yesterday:


What’s wrong here, you ask? Well ,a couple of things. This particular Cisco phone was end of life in 2009, see link for verification:

http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7940g/end_of_life_notice_c51-526372.html

End of life in 2009 means that Cisco is no longer writing security patches or software updates for the phone since that time.  And because Cisco IP phones basically act as a 2 port switch, what this is at its most basic is a 11/12 year old network switch, one little blue ethernet cord going into the Electronic retailer’s internal network; and the other little blue cord going to the POS system.

Second, Cisco phone set ups like this [ where the phone is acting as a switch for another network endpoint/host ]  are actually poor choices for customer facing kiosks and counters due to the fact that the design exposes a physical ethernet port to the public and is open to tampering. Here, this poor choice has been compounded by the fact that this particular Electronics retailer has not engaged in a badly needed hardware refresh for 9 years, making the phone itself a target for a number of known public hacks.

To mitigate this; any Cisco phone that acts as a customer phone / public / lobby phone should not have another endpoint connected; and furthermore; the 2nd network port can and should be disabled on that phone. ( Cisco does allow the 2nd port to be disabled )

In this case, where the phones are obviously for both store employee AND customer access; any way to physically wall-off or protect those network ports from tampering would assist in mitigation. ( I’ve heard of people actually supergluing the ethernet cables in the phone ). Truth is, the over-all design of using of the 2nd ethernet port to connect to the POS system in area that is clearly accessible to the public was a huge disservice to this particular retailer by the vendor/company that sold them that design, regardless of how old the IP phone is. That second port on the phone is really meant to be used inside secure office buildings, at cubicles, in employer offices with their own physical controls in place..e.g.,  areas not accessible to the public.

These 7940 and 7960 phones were all over the store, connected to store POS systems, not just at the counter where I snapped the photo. Although theft customer credit card data does not really seem to raise eyebrows these days; so I will not go into that so much…,  however, I will touch on the point that these systems are used by employees to access all store inventory; [ e.g., at a fundamental level, modify a database and attributes of objects in a database ]. Anyone with knowledge of these systems could easily gain access by placing a remote tap on the ethernet port when no one is watching and with some work and a little reconnaissance, pretty much own the entire database. Worst case scenario, yes, but that is what I see in the picture above.

Until next time!

AWS Workshop Automating Security in the Cloud in Denver: Day 2

Day 2 – Another gorgeous day in Denver, looking west at the Rockies from main event room on the 11 floor of the Marriott. A great day to learn about Cloud Security in AWS.

Day kicked off with presentation from  Cloud Compliance Vendor Telos, their Solution Xacta

Again, forgive brevity, partial sentences; these are literally, my notes transcribed from as fast as I could write in my notebook.

Good stuff started when Nathan McGuirt, Public Sector Manager, AWS, took the stage for AWS Network Security; and this is where my notes begin:

Nathan opens: Almost everything is an API and can be automated. APIs automated network discovery ( things network tools used to do )

AWS Network configs are centralized. VPC is NOT a vlan or a VRF! Pressures to migrate to large, shared networks are all but gone.

Micro-segmentation allows for smaller networks; are more granular in function, reduce Application risk via isolation, reduce (effect of) deployment risks of new systems

Security Groups (SG) have become the most important piece of Security in AWS; Security groups are essentially stateful Firewalls that can be deployed per-instance / per VPC.

Two EC2 instances in the same Security Group don’t communicate by default. Security Groups are flexible and rules can be set to allow another Security Group as the source of the traffic.

The idea is Role Based Security group / permissions to communicate based on Role. Security Group traffic shows up in VPC flow logs in a netflow format.

VPC subnet ACL’s  ( access control lists ) are secondary layer of protection. ACLS are NOT stateful; and ephemeral ports have to be allowed on return traffic. ACLs are better suited for solving broad problems; communication between VPCs.

Route tables are now thought of as another Security mechanism for isolation and to control permissions; route tables create an extra set of protections.

Stop thinking about filtering at layer 3,4 and focus on filtering application:

  Ingress filtering tech: Reverse Proxy, (Elastic Load Balancer), Application Load balance with WAF, CloudFront CDN with WAF

  Egress filtering: Proxies / NAT

Moving outside VPC – VPC Peering – inside inside routes, Virtual Private Gateway to connect to on-prem legacy VPN hardware, AWS Direct Connect( AWS on prem fiber )

No transitive VPC peering, no A – > B -> C

 – some work-arounds, using proxies/ virtual router AMIs and routing to them instead of VPC ( does not scale large )

 – Nathan talked about a Management Services VPC that has all needed services in it( auth, monitoring, etc. )  and connecting all VPCS to that.

VPC design; plan early, plan carefully,  think about subnets and how you want to scale VPC before you implement it; since subnets cannot be removed from VPC once built.

Coud Formation and Change Control.  New AWS feature called ‘ Change Sets’ allow you to stage your Cloud formation builds and assign different permissions to developers, approversand implementer.

Talked about how powerful AWS config https://aws.amazon.com/config/   is; scans envrinments, object history, change logs, given snapshots of whole AWS environment .

Logging VPC flow logs / netflows for all things – goes to CloudWatch for every instance in the VPC. Rather than watching the noisy edge; Combine tight Security Groups with VPC flow logs within / and between other VPCs and look at what is getting denied – people trying to move sideways.  Watch for config changes that impair you ability to see config changes. ( e.g.., disabling of Cloud Trail ) – Automated remediation is possible thru APIs. Watch for dis-allowed configurations

Next up was Jim Jennis AWS Solutions Architect;

 Jim has a solid background – worked for US Coast Guard.

Jim: Automate Deploy Monitor in Security SDLC, build in Security and verify before deployment

Design>Package>Constrain>Deploy

Using Cloud Formation to describe AWS resources, JSON templates, key value pairs

How Security in the Cloud is different:

– Everything is an API Call

– Security Infrastructure should be Cloud Aware

– Security Features as APIs

– Automate Everything

Use Federation to leverage AD accounts of existing staff to get access to AWS and lock down tasks to their specific tasks.

[ Trust required with AD/ required ]

Preso Back to Tim and Nathan McGuirk together

 AWS cli matches the one in the API – live demo AWS command line (  learning AWS CLI would be a good way into learning API )

Nathan using AWS cli to:

  find EBS volumes that are unencrypted

  find Security Groups / with ssh allowed

  give a list of instances attached to groups found from last command

  ( Tim said this could be used to find IAM groups with resource of * )

Tim: this demo is the base to automation to find things that are not supposed to be there; run them multiple times a day

to locate things that are happening out of scope in our environment;

USE accounts and VPCs to limit last blast radius of compromise

 – Accounts are inherently isolated from one another provide isolation of both access and visibility for deployed resources

    – compromise of one account limits impact

Place Hardened templates in Service catalog; and employees can only select your hardened templates / AMIs when spinning up new instances

My Thoughts:  Security people that want to protect AWS need to learn to understand APIs, code  to fully leverage automation, and use the amazon cli and benefit. Queries are powerful can be leveraged to tell you very specific things in an environment; I’ve seen things today that make the old network tools I used to use look like Ford model-T.  Security Professionals and Network need to adapt and become application-centric thinkers. AWS has incredible built in tools to ensure proper secure design from the creation of  hardened AMI / CF templates, to be able to lock down those the deployment of pre-approved instances. Security Groups and IAM make it to where you can get very granular on the permission level; as  Even applications can be granted permissions through access roles.

When thinking about everything I have done in the last 20 years as a Network Engineer / Sys Admin / Security Engineer; what I experienced the last two days really reminded me the scene in ‘Dr Strange’ movie;  where Strange shows up at Kamar-Taj temple – and begins his true teaching. The ancient one says tell him that what he had learned before got him far in life; but he needed to embrace a whole new and completely different way of thinking.

For me, I am not as reluctant as Strange was, but the idea of embracing the concept that an entire infrastructure is just CODE; servers, routers, firewalls are now just coded objects and APIs are the “neurons” that make it all work is just as impactful.

I am grateful to AWS Engineers and the Vendors for coming to Denver!

THANK YOU!!!

AWS Workshop Automating Security in the Cloud in Denver: Day 1

When I found out AWS was going to be doing a two day Security class in my home town at the end of April, I took no chances and simply requested two days PTO so I could go to this event.

Day one CORE content was taught by Tim Sandage , Senior Security Partner Strategist, AWS. Tim knows his world very well and relayed the material in a clear and concise way, keeping the audience engaged at all times.

There were a slew of Cloud Security Vendors there as well, my favorite vendor presentation was by Aaron Newman, CEO Cloudcheckr. Aaron is a very passionate and dynamic speaker – and the Cloudcheckr Product is gives solid, Security centric view of your AWS assets.

Some of the ideas presented below carry over from standard on-prem Infrastructure Security, such as Principle of Least Privilege; and some are unique to Cloud – CloudFormation Templates.

Below are my notes, transposed here from furiously fast handwritten catch during the event. Please excuse any brevity; partial sentences, etc.

Tim Sandage Notes: DevOps is Rising. Shortage of individuals to maintain Security.  DevOps needs Security engrained into their process. Focus on Continious Risk Treatments (CRT). Need to bring Security Risk treatment into DevOps Lifecycle. Technology drives governance. Governance is shared between AWS and end customer. Security Automation is key to Successful Governance.  API is the common language through which Policy can be automated.

AWS is a SHARED Security model. Security by Design ( SbD ) is an AWS assurance approach that formalizes account design and automates control and auditing. Cloud Templates / Cloud formation is key.

Continuos monitoring is not enough, it does not catch bad guys; we need to create a workflow to help with tech governance.

Security is top priority at AWS. AWS has over 1800 accreditation/ certifications geared toward being a compliant provider for its customers.

When moving to the Cloud, consider the boundary extensions and how they can affect compliance. Before moving to the Cloud, first look at dependencies and traffic flows, to ensure you are not moving something into the Cloud that is not compliant.

[SHORT BREAK]  VENDOR PRESO Okta Did presentation on Securing Cloud. Tools for Cloud Compliance.

Back to Tim: Talked about a slide that showed Rationalizing Security Requirements / Standards; a framework for building internal polices based on Industry standards, Common Practices, Laws and Requirements. Talked on Share Responsibility Control Models. 1. Inherited Control, Hybrid Control, Shared Control and Customer Control.

Tim: Talked about Defining Data Protection; laid out Problem statements  1. Most orgs don’t have Data Classification scheme, 2 most orgs don’t have Authoritative Source for Data, most orgs don’t have Data LifeCycle Policy.

Topic change; Breaches: Breaches that involve actors obtaining Data from stolen laptop / or cell phone is because the world has moved to a mobile workforce and employer has not caught up with that; e.g., still storing data on employee devices and not in central location, protected by predefined automated policies. Nothing should be on local laptop or phone.

Make sure least privilege is always used – No human should ever have admin ( at least for very long); instead, user gets promoted to admin role; and then STS token expries and Role goes away.

Topic change Assets: Everything in AWS is an asset; instance IDs are unique , Security Group IDs are unique. Customers choose to track and decide how these assets are protected. ID’s by Amazon Resource Name; ( ARN )  Enable a Data Protection Architecture – a Methodology to lock down assets launched in AWS; using Cloud Formation templates with pre-defined polices. [ no EC2 launched in root, no S3 buckets with World read ]

CLOUD SECURITY TIP: CloudTrail needs to be enabled for all Regions; to mitigate against internal people spinning up instances in regions you don’t operate in; mitigate against external threats; expose any badness in your account.  Show Activity in a space in which you do not operate.

CLOUD SECURITY TIP: AWS root account – Delete Admin ROOT API Key. Never use root to do any task. No repudiation in logging  – Instead,  log in, create two admin accounts, turn on Cloud trail and MFA 

AWS Security Architecture Recipes using CIS Benchmarks – Tactical Control rules for hardening.  CIs Benchmarks have been “templatized” for CloudFormation  current on GITHUB  –

Use Tag in assets – mapping correlation for proof of documentation for which CIS template was used to meet compliance.

[ My thoughts on day one ] This is HUGE! Basically, AWS assets, EC2 instances, S3 buckets, RDS instances can all be deployed with these CIS based templates; ensuring that all assets have the same Security controls/permissions on them each time they are deployed; and then mapped back to an audit control with the naming in the TAG. Basically, hand the auditor a paper and say “bye bye now” This compliments custom, secure AMI ( Amazon Machine instances ) that are deployed from the original AMI that was built.

Great Security tips included and woven into each presentation. My notes did not capture all of this; but I did the best to get the main points – I have things in my notebook that may appear in later blogs – Also, Amazon does a fantastic job of documenting this

https://aws.amazon.com/documentation/

See you all tomorrow at Day2!

 

It’s time to use a VPN and DuckDuckGo.

The House has now allowed ISPs to sell your browsing habits  As this last remaining privacy barrier crumbles, the question I have had from a few friends and family members is; should I use a VPN; and if yes, which one?

The first part of that question; “should” you use a VPN? Well, I believe YES, for some things.

  1. Medical Conditions. If you are doing research regarding medical conditions for yourself or a family member, I would consider that private and information you don’t want bought and sold. Remember when Target knew a girl was pregnant before her own Family? You can avoid situations like that by using a combination of a private search Engine like DuckDuckGo and a VPN service. Furthermore, DuckDuckGo has an IOS / Android App that won’t save history and cookies.

2. Job Hunting. I would think job hunting would fall under the category of things I don’t want my ISP to know about; as we don’t know WHO will be buying your internet browsing history – and we don’t want that to be your current employer.

3. Financials. Although all Banking traffic in transit is encrypted with https these days; data about which banking institutions as well as frequency of logins may be marketable. Thats Nobody’s business.

4. Websites and data that could be misconstrued by future employers, lenders and Apartment leasing agents.  ( Because that who is buying your data) This is obviously more generic and requires some thought. It is now necessary to think about what kind of story your browsing habits tell about you; from multiple angles. Use VPN when you go somewhere that is nobody’s business.

Enter TunnelBear

Now, we move to the second part, which VPN service should I use? My personal favorite is TunnelBear. It’s super easy to use; and negligible performance hits –  Downloadable as an App for IOS or Android; client for MAC or Windows; or as a browser extension for Chrome. AES-256 Encryption and SUPER cheap. There is a FREE tier that you can use; that will give you 500 MB a month. That should be plenty as long as you are not Tunneling your Videos; or tunneling big file downloads.

When you launch Tunnel bear; and browse to any site on the internet, all your ISP will see if Traffic to Tunnel Bear’s VPN service. Sweet, yeah? Sell that, Comcast!

There are other VPN services similar to Tunnel bear out there; price and performance vary on each.

Also, let us not forget about Cookies! Although this new law sucks in its entirety; Stored Browser Cookies tell sites you visit more about where you’ve been than any other mechanism. Although most sites require you store cookies now-a-days, it is something to be aware of. DuckDuckGo ‘s Mobile App browsers have cookies off by default. If you truly want to stay private, you must: Not use Google, or Google Chrome to search. Not visit any site with a browser with cached cookies of your browsing history. ( e.g., clear your cookies often or DuckDuckGo Mobile ). Use a VPN service.

A few last notes; personally, I don’t think there is a need to tunnel Netflix, Hulu and other video sites – some VPNs will introduce performance issues on those services; and frankly, I don’t see the reason . . .yet. Social Media sites are also another big can of worms that I don’t really ant to open here; except to say they are ALREADY selling your info. What the ISPs would get through this new law is how frequent you visit Facebook, and others . . . so your call. Really, the list above is a good place to start your Privacy.

Safe Safe!

Disclaimer: I am not paid or employed by TunnelBear. I just like their service. What is offered above is my unpaid – unbiased opinion only.

 

Social Security Card was never meant to be used as an ID card.

This is a solid 7 minute video explaining the inception and original INTENDED use of the United States Social Security card; and how it was NEVER originally intended to be used as an identification card.  What?? REALLY???

The other “shocker” is that there is no Security built into the card regarding the number schema – pretty amazing [SAD] when you think about how much this number is used for major financial transactions, ( outside of Social Security itself). Yes, the number is fairly guessable if you know state of birth, year of birth. Because of this; and the plethora of Security breaches that have taken place over the years, I assume compromise when it comes to my own number; ( e.g., the bad guys have it somewhere – waiting to be used, along with millions of others’ SS numbers)

So then – The BEST thing you and I can do use utilize some kind of credit monitoring service; or continuously keep your credit report in FRAUD alert mode, making it hard for other people to open accounts in your name. FRAUD alerts must be set every 90 days; or if you are active military, one year.  FRAUD alerts fall under the ” I don’t have to out run the bear, I just need to out run you “; as fraud alerts don’t guarantee your identity can’t be stolen; it just makes it harder to steal yours than the next guys’  🙂

If you set an alert with one of the Bureaus – they notify the other ones. Here is the Equifax link to set an initial 90 day alert.

On Credit Monitoring – I have sort of a love-hate relationship with credit monitoring services; because I believe credit monitoring is something that the three(four) major credit bureaus should BE DOING ANYWAY as it clearly falls under their due diligence as record keepers of such critical information. BUT they don’t . . . and we must pay for the credit monitoring service from one of the major bureaus or a third party. That’s kind of wrong, but necessary in my eyes.

Stay safe!

 

 

 

Why I am pursuing Amazon Certified Solutions Architect Certification

It’s time to switch up here a bit . . . While we Security Professionals have been shunning all things Cloud and jumping up and down, waving our hands, desperately warning our employers not to move data there; the world has gone on without us and Enterprises are aggressively moving data and services to the Cloud. This is driven largely by massive cost saves associated with Cloud Services in general. Software is eating the world. And Cloud is making that possible. Businesses are moving in that direction. The time has come (or it has been here a while), for InfoSec as a whole to embrace this practice of having data, services and workloads in the Cloud and do the best we can to secure the Confidentiality, Integrity and Availability of those services and data in the Cloud.

Of all companies in this space, Amazon is kicking serious ass in being the world leader in Cloud Platforms. Amazon AWS is the fastest growing multi-billion dollar Enterprise IT company in the World. 14 Billion to be exact. Many heavy hitters are putting dollars and infrastructure in the the Cloud. Amazon is putting tremendous resources in the cloud in their own right and have bet the farm on it; they are innovating at a furious pace as their own shopping services rely on their own AWS Cloud. AWS is experiencing 47% year over year growth!

All of my IT personas: Information Security, Network, Linux guy, Server guy, I believe that an understanding of Cloud / Securing Cloud / Writing Code for the Cloud is the best way I can serve others and provide for my Family in the many years to come. The Economics driving this push to Cloud, [ ultra-cheap compute power, no longer paying to build and maintain data centers, paying for services only when your customers use them are just a few of the drivers ]  simply cannot be ignored!  That is why  I am pursuing  the

Amazon Certified Architect first; followed by the AWS Security Specialization Exam then; the Professional Architect Exam. Presently, I am doing a ton of hands on labs after hours in the AWS Free tier; Enrolled in a great course by A Cloud Guru Learning. The course is taught by Ryan Kroonenberg and is SUPERB! I’m 70% through the first run.

I believe the Amazon Cert Program is solid and will compliment my background and skill set and increase my value to employers. So, yeah, I am excited!  I am learning at a pace and depth I never thought possible! I think that is because I truly enjoy the AWS platform; the multitude of services offered and how to interface and build with them!

disclaimer: I do not work for Amazon, nor I am paid by Amazon.

Stay Safe!

 

UPDATE:  At the AWS ‘Automating Security in the Cloud’ event I attended ( a few weeks after this posting ); during the audience polling; most event attendants were there because their employers are moving data and predictable workloads into AWS. Amazon and partners are making it easier to address regulatory compliance; FedRAMP, 800-53.  All this means is that the FRICTION is  that used to exist between getting on-prem data / workloads into the cloud is eroding. That’s not an accident.