KubeCon + CloudNativeCon Europe 2021 + Pipeline hack - my wrap-up
Two weeks ago (May 4th → May 7th) I spent a bit of time watching / skimming over KubeCon EU 2021 contributions (travel restrictions due to COVID-19). Two years ago, didn’t we all complain about the boredom of InfoSec cons? – Knocked off one’s perch.
What’s the difference between arrogant and offensive InfoSec?
Developers develop DevOps
(S. Ballmer (Microsoft), Developers, about 2000)
Before I moved into InfoSec / Compliance I worked as a software engineer doing C# and C++. That was before “DevOps”, before “Cloud” even. Time went by and things changed. But I was working as a software developer on critical infrastructure systems, and there things remained as they were. Sometimes for good reasons, sometimes not.
These days developers may have more organizational influence. It’s more common to ask for a Dev’s opinion than to mismanage the teams (which used to be common). If I take a look at the KubeCon 2021 (EU) contributions, it feels like every 3rd or 4th contribution is about security / compliance, documentation, and communication. That shift of focus from bits and bytes to security and communication is an indicator that things are maturing.
I decided to add Information Management as one of this site’s key areas. After all this setup here is a versatile documentation system with an emphasis on slickness and velocity. Velocity…
Between policy, velocity and Ransomware
So I continue working from home during these unprecedented times. Being within the digital economy is a privilege these days… Still, I have to write ISMS policy amendments. Naturally, I take breaks (good for communication), and I get social while I read this on my Twitter feed:
The real masterstroke is achieving both security and velocity at the same time. It’s easy to achieve just one at the complete expense of the other.
[…] You should be running the security team as a software team so that you scale better and can use data to prioritize and empathize better with other teams.
Dino on a roll? – Probably. But it also sums up why InfoSec and Compliance need to look at DevOps. If DevOps is done right, you can benefit from organic cross-functional agility. But that’s a big IF, as we all know.
– Isn’t it the job of InfoSec to influence organizations so that this becomes a more common reality?
Yes and no. Because what this little Twitter dialogue doesn’t say is that Dev(/)Ops may organically sacrifice security and compliance, and break all the rules. As a developer, I wasn’t responsible for this level of business objectives, and neither are Dev(/)Ops engineers today. The reason why it’s so easy to break the rules is that for most digital products management / vendor liability is a joke. – Not enough incentive.
The difference between a DevOps and an Oil Pipeline
The operator of the biggest gasoline pipeline in the U.S. shut down operations late Friday [7th of May] following a ransomware attack that threatens to roil energy markets and upend the supply of gas and diesel to the East Coast.
(Bloomberg, M. Jeffers & William Turton, 8 May 2021)
Sometimes things in critical infrastructure change, sometimes they don’t, unless regulators make and enforce laws, regularly audit these operators, and hold top managers / operators, including shareholders, accountable. That’s true for the USA, as it is for Europe. The market will not regulate this. Regulators have to step in.
In my opinion, strict enforcement (without exceptions) is the best way to bring about some level of change. The reason why I think that only dictated / prescribed measures can work is that this kind of technical debt / ignorance may already affect people’s lives negatively (in many cases).
If we really want to prevent organized criminals from taking technical systems hostage via ransomware, we do not need to spend a lot of money. If you read an analysis from Sophos you can learn a couple of technical details that may justify this conclusion:
The Sophos Rapid Response team has been called in for incident response or to intervene during an attack involving DarkSide on at least five different instances in the past year.
(Sophos, May 11 2021, S. Gallagher, M. Loman, P. Mackenzie)
In short: that is Red Team / Windows Pentesting 101. Embarrassing, but true. We can back up this insight with other sources as well. Based on that information it’s safe to say that it doesn’t take much to be prepared.
“If we don’t get it […] they will teach us the errors of our ways.”
(Black Hills, J. Strand (2021))
What this has to do with DevOps is simple: it’s easy to sacrifice security / compliance for the sake of velocity. At KubeCon that became pretty clear, and it’s also clear that this is not the way to go. Devs have more influence these days, and we should use it well.
What becomes clear at InfoSec cons is that it’s easy to say that we bought a tool or two. But testing security belongs in a DevOps process / pipeline the same way it belongs in oil pipeline operations: regularly and responsibly. Otherwise, things go sideways. – Anywhere: because criminals go where the money is, and they don’t really have to care much about the business sector, or even the development process. Publish nice financials and they’ll take an interest.
Security vendors may lie and may care too little for actual attacker tactics. Dev(/)Ops may break the rules and care too little for security controls. Organizations may not be liable and their management may care too little for compliance.
These limitations exist and no one should take them personally. It’s 2021, not the 2050s, when this may have gotten better. Everyone gets a piece of that, and there is no return policy or effective insurance. It’s a one-way street, and it’s not going uphill.