Captain's Log, Stardate 2021.08.27

circle
circle

Captain's Log, Stardate is an ongoing series, published every Friday, highlighting interesting cyber news from the past week. To continue the discussion on any of these topics, join us on Slack

J1_Ambassador Hunter @2x

Security Professionals — What Do We Do All Day? | Dark Roast Security/Katlyn Gallo
Today, I had the opportunity to talk to undergraduate Computer Science students about a Master’s degree in Cybersecurity. After talking a bit about how I got where I am today, someone asked me, “can you talk a bit about what you do from day to day in your role?” Boy was that a loaded question! A great one, but nonetheless loaded. Read the full story...

Microsoft Power Apps misconfiguration exposes 38 million data records | ZDNet/Larry Dignan
Sensitive data including COVID-19 vaccination statuses, social security numbers and email addresses have been exposed due to weak default configurations for Microsoft Power Apps. The data leaks impacted American Airlines, Microsoft, J.B. Hunt and governments of Indiana, Maryland and New York City. Read the full story...

The last S3 security document that we’ll ever need, and how to use it | TrustOnCloud/Jonathan Rault
We have released the ThreatModel™ for Amazon S3, free and open source. The Shared Responsibility Model is an easy-to-understand diagram by Cloud Providers. The reality is that: 1) the Shared Responsibility Model is the responsibility of the customer, and 2) it is difficult to execute as the line between responsibilities is not clearly mapped out. With 70+ ThreatModels published for our customers, we decided to release the ThreatModel for Amazon S3 to all, in order to clearly define customer responsibilities and reduce security bad days for the AWS community, now and in the future.  Read the full story...

Google Docs Scams Still Pose a Threat | Wired/Lily Hey Newman
A 2017 worm caused havoc across the internet. Matthew Bryant is warning that despite new protections put in place, it could still happen again. In research presented at the Defcon security conference this month, Bryant found workarounds that attackers could potentially use to get past Google's enhanced Workspace protections. And the risk of Google Workspace hijinks isn't just theoretical. A number of recent scams use the same general approach of manipulating real Google Workspace notifications and features to make phishing links or pages look more legitimate and appealing to targets. Read the full story...

My Bucket, My Data! (or is it?) | Erkang Zheng
AWS S3 has long become a standard for storing file object data. Despite the many efforts in making S3 secure, we continue to see data in private buckets exposed or exploited in novel ways over the years. Just how many ways can I trip over my own buckets (and spill the data)? Short answer: too many. Here’s a checklist of a dozen key security configurations and best practices that should be considered for S3: Read the full story...

Resources

Modern Visibility in Cyberseccurity

avatar

Posted By Mark Miller

Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain.

Mark actively participates in the DevOps/DevSecOps community by building DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the Senior Storyteller and Senior Director of Community and Content at JupiterOne.

As well, Mark is Executive Producer of the DevSecOps Podcast Series (300K+ listens), and the Executive Editor of the LinkedIn DevOps Group (124K+ members).

To hear more from Mark, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

PREVIOUS ARTICLE

cyber-security 1

Ad Title Placeholder

Lorem ipsum dolor sit amet, consectetur adipiscing elit.