#infrasec - Public Fediverse posts
Live and recent posts from across the Fediverse tagged #infrasec, aggregated by home.social.
-
You can't buy VMware. What do you choose for your prod environment?
#vm #proxmox #hyperv #hypervisors #infrastructure #infraSec
-
Protocol Alert: NoScript has been promoted to a 'hacking tool' in my stack. It's now using the `chrome.debugger` API, which triggers a native browser warning for a reason. Verified a massive spike in data egress (1GB+) while the 'debugging' notification was active. If your 'security' tool uses a God-View backdoor to phone home, it's not a tool; it's a wiretap. #InfraSec #NoScript #Privacy
-
Hi! 👋
I'm not quite #newhere, but recently moved back from a Sharkey instance due to technical difficulties and never got around to writing a newhere post anyway.
Originally from #Karlsruhe, Germany, I found my home with my favorite human in #Norderstedt, but I'm a #Hamburg|ian at heart.
To keep my mixed-breed #dog 🐶 fed, I'm bugging my colleagues and our customers with #infosec / #infrasec stuff.
I like to spend my nights on goth dancefloors or at equally scary festivals 🦇, preferring dark, electric and fast music. There's lots of other black stuff that I like (fritz-kola, clothing, humor, ...), although no coffee. The almost non-existent rest of my time I spend with #TV-series, #books 📚 (preferably #Sci-Fi and #Cyberpunk), #boardgames, #pc-games or #PenAndPaper. I'm also quite passionate about #electromobility, #renewableenergies and lots of technical gadgetry in general.
-
A short letter to our non-infrastructure colleagues: "The Value of a Small but Visible Investment in Infrastructure Security"
From time to time, conversations come up on why infrasec is important, and I regularly find variations of this TLDR to be useful.
I hope this is helpful for you to learn or share a perspective on where infrasec fits among a portfolio of security approaches for defense in depth.
#KeyMaterial #InfraSec
https://keymaterial.net/2023/06/14/tldr-the-value-of-a-small-but-visible-investment-in-infrastructure-security/
-
When I'm evaluating infra risks on my own, I sometimes forget to benchmark the "impact severity" component against a common standard (CVSS, MITRE CWSS, or otherwise).
If everyone involved isn't using a common method for rating risk (especially impact severity), we're entirely unable to compare the severity of risks.
Aligning on a single risk rating framework is hard - and an expensive investment that often isn't equally effective for all areas (e.g., system security, network security, app security, client security, privacy, trust/fraud, etc.)
A useful shortcut: set aside top risks within each category of whatever slicing approach works best for the insight into risks that you need (infra/app/privacy/trust, product areas, orgs, etc.). Each slice can use their own approach, and at least you have visibility into what the top risks are for each, even though they aren't aligned to the same benchmark. It's a lighter exercise to translate that smaller set via a common rating scheme (or provide narrative framing of impact/effects, to evade the rating issue altogether within the "top risks").
-
It's always a challenge to balance the right investment in infrastructure, whether it's SREs, platform engineering, infrastructure security, or the many other folks that support our infra.
Once you make that investment in InfraSec, also find the balance for when and how much InfraSec is part of the conversation on risk assessment and on risk mitigation.
-
InfraSec isn't "the most important" or "the most impactful" or "the highest risk". InfraSec provides a collection of critical foundation layers for defense in depth.
InfraSec is the reason why a single AppSec vuln exploit doesn't turn into a data breach - e.g., by preventing lateral movement, or by preventing unauthorized egress, or by isolating a minimally privileged container/VM to limit the blast radius of a web app vuln.
AND - AppSec is the reason why we can accept taking down an InfraSec control while we fix an issue, or why we can choose a weaker InfraSec control in a middle layer as a tradeoff for better performance, while strengthening the surrounding controls.
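As an added illustration of the three controls the post names (blocking lateral movement, blocking unauthorized egress, and running the app in a minimally privileged container), here is a Kubernetes manifest pairing a default-deny NetworkPolicy with a locked-down pod spec. This is example configuration written for this page, not anything from the post's author; the namespace `shop`, the app labels `web` and `payments`, the `ingress` namespace and the image name are all hypothetical, and the `k8s-app: kube-dns` label and `kubernetes.io/metadata.name` namespace label follow common cluster conventions that you should confirm on your own cluster.

```yaml
# Added example, not from the original post. Names below are hypothetical.
# Goal: a web-app RCE lands in a container that cannot pivot to other pods,
# cannot reach arbitrary external hosts, and has no extra privileges to abuse.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-default-deny
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  # Listing both types means anything not explicitly allowed below is dropped.
  policyTypes: [Ingress, Egress]
  ingress:
    # Only the ingress controller's namespace may reach the web pods.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress
  egress:
    # DNS to the cluster resolver only (label is the usual CoreDNS convention).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The single backend this service legitimately talks to; no lateral
    # movement to anything else in the namespace, no direct internet egress.
    - to:
        - podSelector:
            matchLabels:
              app: payments
      ports:
        - protocol: TCP
          port: 8443
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: shop
  labels:
    app: web
spec:
  # No service-account token on disk, so an attacker has no API credentials to steal.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      image: registry.example.com/shop/web:1.2.3   # hypothetical image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      ports:
        - containerPort: 8080
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Apply with `kubectl apply -f`, then verify the egress rule actually bites: a `kubectl exec` into the pod that tries to fetch an external URL should time out, while a request to the `payments` service on 8443 succeeds. Note that NetworkPolicy is only enforced if the cluster's CNI plugin implements it; on a CNI that does not, the manifest is accepted silently and provides no isolation at all.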
-
One abusive player could Rickroll everyone around them.
One appsec vuln exploit could spam Rickrolls to every player everywhere.
One infrasec vuln exploit could replace all game assets with Rickrolls - and delete all server-side game data, and steal personal information and payment data from players and employees, and deploy a botnet, and bury a rootkit/surveillance script/C2 in the hope that defenders will miss cleansing it with fire.
-
It's reasonable for infrastructure security to be only a small investment in a consumer product business where our security/privacy/trust conversations are dominated by topics like fraud prevention and content moderation.
Defending Trust & Safety and preventing Fraud & Abuse are complex, evolving efforts where we can measure monetary loss and user impact around attacks like Account Takeovers.
But take care to make space for raising visibility of infrastructure risk. InfraSec is among the least likely categories of risk, while also being among the most impactful types of incidents!
-
By (un)popular demand: a thread on CDN security
This threat will grow over time if nurtured with regular watering and bright, indirect sunlight
Sorry, I mean this threat will grow. The threat landscape of 2030 won't be what it is in 2022, which isn't what it was in 2010.
Let's dive right in before setting the stage or mixing metaphors:
Where should you start in thinking about CDN security?
#CDNSecurity #CDN #InfraSec #ThreadModeling