All posts by Mooky Desai

InfoSec 101

Cloud Security Posture Management (CSPM): This will provide organizations with the ability to monitor and manage the security posture of their cloud infrastructure, ensuring compliance with industry standards and regulations, detecting and addressing security threats, and preventing data breaches.

  • Palo Alto Prisma Cloud
  • CheckPoint (CloudGuard)
  • CSP Native
  • AWS Config
  • Azure Security Center
  • Cloud Security Command Center

Secure Access Service Edge (SASE) platform: A cloud-based platform that combines several security functions, such as secure web gateways, firewall as a service, cloud access security brokers (CASBs), and zero-trust network access (ZTNA), into a single, integrated solution. SASE platforms provide a scalable, flexible, and cost-effective way to achieve a secure service edge.

  • Palo Alto Prisma Access
  • zScaler
  • Cisco
  • Fortinet Secure SDWAN
  • Cato Networks
  • Netskope
  • Perimeter 81
  • Forcepoint

Software-Defined Perimeter (SDP): An approach to network security that uses a “zero-trust” model to secure access to applications and data. SDP solutions create a secure, isolated network connection between users and applications, effectively hiding them from the public internet and reducing the risk of cyber attacks.

  • Palo Alto Prisma Access
  • zScaler
  • Okta
  • Cisco
  • Perimeter 81
  • Appgate
  • Symantec

Web Application Firewall (WAF): A security solution that provides an additional layer of protection for web applications by monitoring and filtering incoming web traffic based on predefined rules. WAFs can help prevent a range of cyber attacks, such as SQL injection, cross-site scripting (XSS), and file inclusion attacks.

  • F5
  • Fortinet
  • Imperva
  • Cloudflare
  • Citrix
  • Sophos

Cloud Access Security Broker (CASB): A security solution that provides visibility and control over cloud applications and services. CASBs allow organizations to monitor user activity, detect and respond to security threats, and enforce policies for data protection and compliance.

  • Palo Alto Networks (Prisma)
  • Netskope
  • Cisco CloudLock
  • BitGlass
  • Forcepoint
  • Proofpoint
  • Microsoft Cloud App Security
  • AWS CloudTrail (limited)

Identity and Access Management (IAM): A set of technologies and policies that manage user identities and access to applications and data. IAM solutions can help organizations enforce strong authentication and authorization policies, manage user privileges, and monitor user activity.

  • Okta
  • OneLogin
  • Ping
  • SailPoint
  • Azure AD

Endpoint Detection and Response (EDR): A security solution that monitors endpoint devices, such as desktops, laptops, and servers, for signs of security threats. EDR solutions can detect and respond to malware infections, advanced persistent threats (APTs), and other security incidents.

  • TrendMicro
  • CrowdStrike
  • Palo Alto Networks
  • FireEye
  • CarbonBlack
  • Sophos
  • Symantec

User Entity And Behavioral Analytics (UEBA): A solution that analyzes patterns of user and entity behavior across various data sources, such as logs, network traffic, and user activity data, to establish a baseline of normal behavior. Once the baseline is established, the UEBA solution can identify deviations from normal behavior that may indicate a security threat, such as insider threats, compromised user credentials, or advanced persistent threats (APTs).

  • Splunk
  • Rapid7
  • Securonix
  • Teramind
  • Exabeam
  • Azure Sentinel

Data Loss Prevention (DLP): A security technology that focuses on protecting sensitive data from unauthorized disclosure or theft. DLP solutions can identify and monitor sensitive data as it moves through an organization’s network, such as personally identifiable information (PII), financial data, or intellectual property. DLP solutions can also enforce data protection policies, such as blocking or encrypting sensitive data, or alerting security teams when a policy violation occurs.

  • TrendMicro
  • Symantec
  • ForcePoint

Antivirus and Antimalware: Install antivirus and antimalware software on all devices to prevent malware from infecting your network.

  • ArcticWolf
  • TrendMicro
  • Sophos
  • CarbonBlack

Password Policy: Establish a password policy that requires employees to use strong, unique passwords and change them periodically.

  • Active Directory
  • Okta
  • OneLogin
  • Azure AD

Access Control (SSO/AMFA): Implement access controls to restrict access to sensitive data and systems to only those who need it.

  • Okta
  • Active Directory
  • One Login
  • CSP IAM

Immutable Data Backup: Regularly back up your data to prevent data loss in case of a disaster or a security breach.

  • Rubrik
  • Cohesity
  • Veeam
  • CSP S3

Security Awareness Training: Educate your employees on security best practices, including how to identify and avoid phishing attacks and other scams.

  • KnowBe4
  • ProofPoint
  • MimeCast
  • ArcticWolf

Incident Response Plan: Develop an incident response plan that outlines the steps to be taken in the event of a security incident.

  • ArcticWolf
  • CrowdStrike
  • FireEye
  • Kroll
  • SecureWorks

Physical Security: Implement physical security measures such as security cameras, alarm systems, and access controls to protect your premises.

  • Verkada
  • Meraki
  • HID Global
  • Tyco

Vendor Management: Ensure that all third-party vendors have appropriate security controls in place when accessing your network.

  • InterVision vCISO
  • BitSight
  • OneTrust

Regular Security Audits: Regularly audit your security controls to identify and address vulnerabilities and ensure compliance with regulations.

  • PwC
  • Deloitte
  • KPMG

DevOps Security:

Code Analysis (SAST) – practice of using automated tools to analyze code and identify potential issues, such as security vulnerabilities, performance problems, and compliance violations.

  • VeraCode
  • GitLab
  • Snyk
  • CheckMarx
  • Coverity
  • Fortify

Code Analysis (DAST) – practice of using automated scanning techniques to identify common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure authentication and authorization mechanisms.

  • Rapid7
  • Qualys
  • Veracode
  • Tenable
  • Acunetix

Runtime Protection (RASP) – detect and respond to security threats in real-time

  • Aqua
  • SysDig
  • TwistLock
  • VeraCode
  • Contrast
  • Policy Enforcement
  • Twistlock
  • Snyk
  • CheckMarx
  • SonarQube
  • GitHub Actions
  • Threat Detection
  • CheckMarx
  • Veracode
  • SonarQube
  • Fortify

Vulnerability Scanning – process of identifying security vulnerabilities in software, networks, systems, or applications

  • Qualys
  • Rapid7
  • Tenable
  • Aqua
  • GitLab
  • Snyk
  • CheckMarx
  • TrendMicro

Container Scanning – process of analyzing the contents of a container image for known vulnerabilities, misconfigurations, and other security issues

  • GitLab
  • Snyk
  • CheckMarx
  • TrendMicro

SOC 2 Compliance. What, Why, and How.

What is SOC 2?

Service Organization Controls (SOC) 2 is an InfoSec Compliance Standard maintained by the American Institute of Certified Public Accountants (AICPA). It’s designed to test and demonstrate the cybersecurity of an organization. 

To get a SOC 2, companies must create a compliant cybersecurity program and complete an audit with an AICPA-affiliated CPA. The auditor reviews and tests the cybersecurity controls to the SOC 2 standard, and writes a report documenting their findings. 

The resulting SOC 2 report facilitates sales and vendor management by providing one document that sales teams can send to potential customers for review, instead of working through cybersecurity questionnaires.

5 Trust Services Criteria

  • Security (REQUIRED)
    • Guidelines on company management and culture, risk assessments, communication, control monitoring, and cybersecurity strategy
  • Availability – uptime of a vendors services
    • Controls include plans to maximize uptime and restore availability after an outage. 
    • Business continuity, data recovery, and backup plans are all important controls for this criteria.
  • Processing Integrity – how a vendor processes the data it collects
    • Controls are meant to evaluate that data processing is being performed in a consistent manner and that exceptions are handled appropriately.
      • It is challenging and laborious work to create the documentation needed to meet this criteria, because it requires SOC 2-specific content with detailed descriptions on how data is being processed. (Almost all other content used in a SOC 2 audit has applications outside of SOC 2, this does not.) 
  • Confidentiality – used to keep confidential business data confidential
    • This criteria expects vendors to identify and protect confidential data. 
    • Example controls for confidentiality include encryption and data destruction. 
  • Privacy – how personal information is kept private.
    • This criteria requires that vendors have a privacy policy, that personal data is collected legally, and is stored securely. 
    • SOC 2 Privacy is more applicable to Business-to-Consumer companies as opposed to Business-to-Business companies.

How Do I Get There?

To achieve SOC 2 Type 2 compliance, you will need to implement and maintain strong controls over your systems and processes. This will typically involve the following steps:

  • Identify the systems and processes that need to be covered by your SOC 2 Type 2 compliance efforts.
  • Develop policies and procedures to ensure that these systems and processes are secure and meet the relevant standards.
  • Implement technical and organizational controls to support these policies and procedures.
  • Test and monitor your controls to ensure that they are effective.
  • Conduct an independent audit of your controls by a certified third-party auditor.
  • Obtain a report from the auditor indicating that your controls meet the relevant standards.

Achieving SOC 2 Type 2 compliance is an ongoing process, and you will need to continually review and update your controls to ensure that they remain effective.

What Can I Do To Prepare?

  • Determine Scope
    • SOC 2 is about demonstrating your commitment to security and improving customer confidence in your security program. You should include all services and products that you expect customers will have security concerns for. 
  • Identify and fill gaps
    • Evaluate your current cybersecurity program in comparison to the SOC 2 control set. Even companies with mature cybersecurity programs do not meet every single control from the get-go.
      • There are a number of administrative and technical security controls that are often overlooked prior to getting a SOC 2, and they can be sticking points that generate a lot of additional work before and during the audit process
  • Document – create and edit security policies and other documentation
    • Define access controls. Who is required to have it? What types of apps are required to use it, versus which ones are not? What authenticator apps are allowable?
      • Most controls need to have a policy and evidence your organization is sticking to the policy created for them. It’s a lot of work – but your company will become much more secure in the process. 
  • Modify internal procedures.

What Are The Benefits?

  • Demonstrating to customers that you have strong controls in place to protect their data can help you build trust with them and increase customer satisfaction.
  • Achieving SOC 2 Type 2 compliance can help you comply with regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).
  • Demonstrating that you have been independently audited and have met industry standards for information security can give your business a competitive advantage.
  • Achieving SOC 2 Type 2 compliance can also protect your business from potential liabilities, as it shows that you have taken reasonable steps to protect your customers’ data.
  • Finally, implementing strong controls as part of your SOC 2 Type 2 compliance efforts can help you improve the security and reliability of your systems, which can ultimately benefit your business by reducing the risk of data breaches, system failures, and other security incidents.

How Can We Help?

  • Perform a Gap Assessment – A gap assessment is crucial for taking stock of an existing cybersecurity program and finding gaps that need to be filled to get your company audit-ready.
  • Acquire and implement technical controls – if there’s a deficit, consultants help companies add those needed controls to to improve security and ensure compliance.
  • Adjust policies and procedures – As we just mentioned, policies and procedures are likely not be audit-ready until efforts are made to make them so.
  • Create content – The content that’s created is going to be key documentation for a SOC 2 audit. Policies, procedures, reports – they can write it and get it in place. 
  • Project manage – Virtual CISOs can project-manage the whole audit project. There’s something to be said about domain-expert project managers. 
  • Perform risk assessments – if this is not something that you were doing before you will now! Risk Assessments are mandatory for SOC 2 compliance, and a Virtual CISO can perform the assessment and write the report. 
  • Perform vendor evaluations – Vendor management is a part of every SOC 2 compliance program. If this is not already in practice at an organization, it can valuable to outsource the activity to an expert. 
  • Perform “External Internal Audit” – Internal audits are necessary for SOC 2 compliance – they help make sure that your company is doing everything needed before the auditor catches you. Some firms don’t have an internal audit function, so an “External Internal Auditor” who is familiar with the standards and can keep the organization accountable is helpful.
  • Select an Auditor – A good Virtual CISO will know what makes a good SOC 2 auditor and can remove auditor selection from your plate. 
  • Advocate on your behalf with the Auditor – Your Virtual CISO will be with you for every audit call. They will advocate on your behalf, ensuring the auditor sets realistic compliance expectations for your organization. 

Reach out to us if you need help @ mdesai@intervision.com

Minecraft 1.17 Java Error

I downloaded the new 1.17 jar and updated my server as I have done numerous times. I received the error below this time around:

Error: LinkageError occurred while loading main class net.minecraft.server.Main
java.lang.UnsupportedClassVersionError: net/minecraft/server/Main has been compiled by a more recent version of the Java Runtime (class file version 60.0), this version of the Java Runtime only recognizes class file versions up to 55.0

I updated my java version using the commands below.

sudo add-apt-repository ppa:linuxuprising/java
sudo apt update
sudo apt install oracle-java16-installer --install-recommends

After updating it, it started up with no problems.

Galaxy S21 Ultra – Pic from Video

I bought a shiny new Galaxy S21 Ultra the other day and wanted to try out the “Pic from Video” feature. After pulling my hair out a few times, I resorted to Googling. The hair pulling resumed.

The short answer here is:

Go to Camera

Select Video mode

Click the 5th Icon on the top

Scroll that bar to the right and select 8K/24 (see below)

Shoot your video

From here, Samsung says…”Go to Gallery and click the little icon”…YOU CANT (but dont pull your hair out).

Once you are in the Gallery, click the 3 little dots (ellipses) in the bottom right

Select “Open in Video Player”

NOW, if you click on your screen, you will see a little icon on the top right of the screen and you can pause your video and click the icon to capture a pic.

Hope that helps. Good luck!

Chakros.com

Completely fraudulent website. Dont order anything from this place. I was looking for a winch for my UTV, it showed on in a Google shopping search at a great price. I ordered it using PayPal and it never showed up but my bank account was charged. All the information in the PayPal transaction had foreign characters (Chinese?), the email address never responded and the tracking information showed that it was delivered on a date BEFORE the ship date. I have filed a claim through PayPal but not holding my breath. Again, http://www.chakros.com…looks like they primarily sell jewelry…TOTAL FRAUD.

UPDATE (3/4/2021): PayPal determined that this was, in fact, a fraudulent website with numerous complaints and refunded me in full.

Terraform on Windows 101

Create a folder called “bin” in %USERPROFILE%

Start–>Run–>%USERPROFILE%–>create a folder called “bin”

Download Terraform

https://www.terraform.io/downloads.html
Save the .exe in the “bin” folder you created

Set Windows “PATH” Variable

System Properties–>Environment Variables
Highight PATH
Click “Edit”
Click “New”
Add %USERPROFILE%\bin

Create a user in AWS for Terraform

In AWS, go to IAM
Create a user called “terraform”
programmatic access only
Attach existing policies directly
Administrator access (proceed with caution!)
Copy the Access Key ID (save to credentials store like KeePass or an excel spreadsheet for now)
Copy the Secret Access Key (save to credentials store)
Or download the .CSV and grab the values

Create a folder called .aws on your PC

Make sure to add a “.” at the end of the folder name or it will throw an error

Create a credentials file

Create a new file called “credentials” in the .aws directory (remove the extension)
Using the ID and Key from above, make it look like this:
Line 1: [default]
Line 2: aws_access_key_id=your_key_id_here
Line 3: aws_secret_access_key=your_access_key_here
Save the file (again, make sure to remove the .txt extension or it wont work)

Download and install Git for Windows

https://gitforwindows.org

Create a folder called TF_Code for your working files

I created mine on my desktop

Open Git Bash, navigate to your working directory

cd desktop
cd TF_Code

Make the directory a Git repository

git init

Create a new file with VI

vi first_code.tf
Line 1: provider “aws” {
Line 2: profile = “default”
Line 3: region = “us-west-2”
Line 4: }
Line 6: resource “aws_s3_bucket” “tf_course” {
Line 7: bucket = “tf-course-uniqueID”
Line 8: acl = “private”
Line 9: }

Commit the code

git add first_code.tf
git commit -m “some commit message”

Try Terraform! (in Git Bash)

terraform init
Downloads and Initializes plugins

Apply the code

terraform apply
yes (to perform the actions)

Check your AWS account (S3), you should see a new S3 bucket!

Delete the bucket

terraform plan -destroy -out=example.plan
terraform apply example.plan

Your bucket will now be deleted!

To recreate the bucket, just run the ‘terraform apply’ command again, say yes, and…BOOM, your bucket is created again!

Hope that helps. Good luck and happy computing!

SSH from PuTTY to GCP Compute Engine

First off, if you are trying to securely connect to your enterprise production network and instances, there are better (safer) methods (architectures) to do this. OSLogin or federating your Azure AD for instance, might be more secure and scalable. I run a pointless website (this one) with nothing to really lose across a handful of instances. This is a hobby.

Second, I recently got a dose of humble pie when trying to use PuTTY on Windows to connect to a Ubuntu instance in GCP. I was generally using gCloud command-line for getting my app running but I got a wild hair up my ass this morning to try and just use PuTTY to avoid the step of logging into Google Cloud (via Chrome) for administration. I am fairly use to AWS where I just create an instance, download the .pem file, convert it to a ppk with PuTTYgen, and then use that along with the default login (ec2-user or ubuntu) to connect to my minecraft and web servers. GCP was a little different.

Once I read a few docs from Google searches, it became much more apparent vs reading the GCP docs. Here is how I did it.

Download PuTTYgen if you dont have it already.

Launch PuTTYgen.

Click on “Generate“. I used a 2048 bit RSA key.

Move your mouse around the box to generate a key.

In the “Key comment” field, replace the data there with a username you want to use to connect to your Compute Engine instance (highlighted)

Copy the ENTIRE contents of the public key (the data in the “public key for pasting…”) box. It should end with the username you want to connect with if you scroll down.

Click on “Save Private Key” and select a location/path that is secure (and one that you will remember!).

Create a new Compute Engine instance or go to an existing instance. From the VM instances page, click on the instance name. In my case it was “minecraft001”.

At the top of the page, click on “Edit“.

Scroll almost all the way to the bottom and you will see an “SSH Keys” section.

Click on “show and edit

Click on “+ Add Item

Paste in the key data you copied from PuTTYgen from the step above.

  • You will notice that it extracts the username from your key on the left. This is the username you will use from PuTTY.

On the same page, click on “Save” at the bottom of the page.

On the VM instance details page, find the “External IP” section and copy the IP address (the cascaded window icon will add it to your buffer).

Now open or go back to your PuTTY client (not PuTTYgen).

Paste the IP address into your PuTTY client.

On the left side of the PuTTY client, scroll down to the “Connection” section and click the “+” to expand it

Click the “+” next to the “SSH” section

HIGHLIGHT the “Auth” section. Dont expand it.


Click on “Browse…

Find the Private Key file you saved from earlier (should have a .ppk file extension). Double click to select and use it.

Scroll back up and highlight the Session category.

From here you can either name your connection and Save it under “saved sessions“…or just click the “Open” button.

It should make a connection to your Compute Instance and ask for a username. Supply the username you specified in the step above and voila! I used “jonny” in my example.

That’s it! Happy computing!

Pushing Docker Containers to GitHub

I recently went through the process of building a dockerfile from scratch. I wont get into the details of that process but I did come across an error when trying to publish my package to GitHub Packages.

I tried to do a sudo docker push docker.pkg.github.com/mookyd/mymooky/mymooky:latest (my repo) and was thrown the error:

unauthorized: Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured.

Its pretty clear what needed to happen but I thought my credentials would be enough since I wasnt using a script per se. I used docker login and provided my username and password and tried the command again. Same error.

After doing some reading, I discovered that you need to pass a “Personal Access Token” as a password. I generated a PAT under Settings–> Developer Settings –> Personal Access Tokens. I gave the token the access to the repo and to read and write packages. I then used docker login and passed the token string to login. After that, I was able to use docker push to upload my image.

Minikube on VirtualBox on Ubuntu on VirtualBox

I recently needed a small lab environment to sharpen my Kubernetes skills. I setup Minikube on an Ubuntu VM running 18.04.4 LTS (bionic). This VM was created on my Windows Desktop in VirtualBox. Confused yet? Some of the commands can leave your environment insecure so do not do this in your Production Internet facing environment.

To get started, I downloaded and installed VirtualBox onto my Windows PC. I then created an Ubuntu 18.04 VM and make sure the number of vCPUs on your VM is greater than or equal to 2.

First step is to update your VM.

  • sudo apt-get update
  • sudo apt-get install apt-transport-https (if using 1.4 or earlier)
  • sudo apt-get upgrade

Install VirtualBox on your Ubuntu VM

  • sudo apt install virtualbox virtualbox-ext-pack

Download Minikube

  • wget https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64

Make it executable

  • sudo chmod +x minikube-linux-amd64

Move it so its in path

  • sudo mv minikube-linux-amd64 /usr/local/bin/minikube

Download kubectl

  • curl -LO https://storage.googleapis.com/kubernetes-release/release/curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt/bin/linux/amd64/kubectl

Make it executable

  • chmod +x ./kubectl
  • sudo mv ./kubectl /usr/local/bin/kubectl

Check that its working properly

  • kubectl version -o json

I received an error saying docker wasn’t in $PATH. You may or may not see this error.

Install docker

  • curl -fsSL https://get.docker.com/ | sh

Start Minikube

  • sudo minikube start –vm-driver=virtualbox

Start the Kubernetes Dashboard

  • minikube dashboard
  • minikube dashboard –url

If you want to view the dashboard remotely, you will need to run the following commands:

  • sudo kubectl proxy –address=’0.0.0.0′ –disable-filter=true

You will get a message saying “Starting to serve on [::]:8001”

Hopefully this helps. If you get stuck or have a way to optimize this, please comment below.

Kudos to https://computingforgeeks.com/how-to-install-minikube-on-ubuntu-18-04/ for helping me get started.

Valves vs Diverters

Ignorance is bliss.

Valve – the thing that opens and closes to let the water start flowing to your bathroom.

Diverter – the thing that reroutes your flowing water from your bathtub spigot to the shower head. Remember that little thing you used to pull up on and the shower would come on? That’s a diverter that diverted the water from your bathtub faucet to your shower.

Valve with integrated diverter – Allows you to turn on water and send it from the tub to the shower all in one fancy unit.

Trim – The actual KNOBS. The actual VALVES and DIVERTERS go in the wall and you never see them after the tile is on (rough in). The trim is the pretty shiny piece that makes the valves and diverters move. Dont confuse these with escutcheons. Escutcheons are the big plates that cover the ugly holes in the tile. You usually have one over the shower arm as well. They are sometimes referred to as flanges too (or cover plates).

Settings – The Shower, The bathtub faucet, The handheld shower…are all “settings”. If you want to run the shower and the handheld together, that is considered another “setting”.

I am in the process of renovating my house. While we are planning on doing the entire house, we started with our guest bathroom. It has a traditional bathtub with shower design. I wanted to give my daughters a little bench seat and a hand shower to use so they have a safe bathing environment as they grow up and learn about female hygiene. Adding a hand shower seemed like a straight forward thing to do.

I took a quick trip to Pacific Sales and the salesman was super helpful. He helped me piece together a kit that would accommodate my requirements. It was like 9 different pieces. I thought I needed like 3.

What was all this stuff I came home with? It turns out, while it was a good kit, I could have streamlined my design if I had some better knowledge of how this stuff works. Hopefully this post helps someone else in the same boat.

Valves vs Diverters. I called my plumber once my bathroom was demo’d and he looked at all the parts and said, “you want to do WHAT?”. We had a few colorful conversations after he told me I had the wrong parts. It turns out, I didnt. That super helpful sales guy was right…kinda.

He had sold me 2 little “thingies” I had to “turn”. One would open the water, and the other would tell it where to go. When I got everything, there were 2 handles on one of them and another knob handle thingie. 3 knobs. WTF!?

It turns out, I had bought a fancy new “ThermoStatic” valve with “Volume Control”. Thermostatic just means you can turn the dial to the temp you like and leave it there for the rest of your life. Every time you get back in the shower, you dont have to worry about temperature knob…just how much water (volume) you want to come out (the other knob). Two separate “thingies” to turn. One for temp, one for volume. Much unlike the one handle we are used to that you turn all the way to the left for hot water and keep in the middle for warm. With that, you get full blast water whether you like it or not. Or maybe a trickle of cold if you need that sort of thing.

While this thing was cool, I found out after the fact, that I could have had something cooler! I could have just got a valve with an integrated 3 setting diverter, This would have allowed me to just have one control in my shower instead of 2! Proving again, ignorance is bliss.

Good luck with your remodel.