The tools below have been used both in personal and professional capacities. They have solved problems and helped make security easier to do right on a daily basis.
This section is an active work in progress and should expand over time.
The sections are outlined below:
- Section 1: Daily Needs
- Section 2: Design
- Section 3: Ops & Auditing
- Section 4: Investigation & Exploitation
Section 1: Daily Needs
Good security hygiene requires investment in the right tools. These tools should reduce our overall cognitive burden, and add value in increased protection.
With a browser plugin, mobile apps, teams, and enterprise support, LastPass has a comprehensive suite of offerings for a range of needs. Individuals and companies alike can derive value from these offerings. LastPass’ blog has a lot of good content, both for current events and technical information.
Drawbacks include that LastPass is proprietary. Important things like pricing, ongoing service and support, code quality, and organization policies are out of scope for users to know or influence.
The user experience can be unintuitive at times, but serves its purpose.
Sensitive peer-to-peer communication, team credentials, datasets, documents, and similar material need a secure channel. Don’t use email or Slack – neither should be considered secure for sensitive information. Instead, consider some of the tools below to fit these needs.
Keybase is a security application designed to make common tasks easy to do securely. Main features include team chat and file sharing, both of which are end-to-end (E2E) encrypted.
Keybase is also open source.
GPG is an excellent open source option for transmitting encrypted data. It requires a slightly higher level of technical knowledge to understand and use than something like Keybase for encrypted communication, but it’s an excellent option for its use-cases.
Section 2: Design
This section is geared toward engineers whose primary responsibilities include designing and implementing secure systems.
It’s time to put HTTP out to pasture. Without guarantees against payload modification, the protocol is fundamentally no longer appropriate for content transmission.
Even when the source and destination are in the same internal network, we’re taking unnecessary risks if there’s any expectation that the payload should be unmodified or protected from unauthorized access. A breach within the internal network will quickly lead to privilege escalation or data siphoning if further safety measures are not in place (such as HTTPS).
As for a CA, consider your hosting provider as well as LetsEncrypt.
Password Requirement Best Practices
The time of forced password expiration is over, and I’m not alone in this assessment (see section 184.108.40.206). The same is true for arbitrary complexity rules. Instead, encourage use of a password manager, and never re-use passwords.
For the love of all things good, don’t set a low max length requirement (NIST says at least 64 character max, if not more). Encourage use of pass phrases, which are long and memorable.
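The contrast above, as an added example that is not from the original post: a legacy rule set (16-character cap plus composition rules) next to a length-only policy that admits long passphrases and instead rejects known-breached or reused secrets. The breach list, the 8-character minimum and the 128-character maximum are constructed assumptions.

```python
import hashlib
import string
import unicodedata

# Constructed stand-in for a compromised-password list (a real deployment
# would load a breach corpus); kept as SHA-1 digests rather than plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123", "letmein", "P@ssw0rd")
}

MIN_LEN = 8      # assumption: minimum for user-chosen secrets
MAX_LEN = 128    # comfortably above the 64-character floor NIST requires


def legacy_policy_rejects(candidate: str) -> bool:
    """The rule set argued against above: a short cap plus composition rules."""
    has_classes = (
        any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(c in string.punctuation for c in candidate)
    )
    return len(candidate) > 16 or not has_classes


def check_password(candidate: str, previous_hashes=frozenset()) -> list:
    """Length-only policy plus breach and re-use checks.
    Returns the list of violations; an empty list means accepted."""
    # Normalize so the same passphrase typed in different Unicode forms matches.
    normalized = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(normalized) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(normalized) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    digest = hashlib.sha1(normalized.encode("utf-8")).hexdigest()
    if digest in BREACHED_SHA1:
        problems.append("appears in a known-breach list")
    if digest in previous_hashes:
        problems.append("re-used from this account's own history")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple, but longer"):
        print(repr(pw), "legacy rejects:", legacy_policy_rejects(pw),
              "| new policy:", check_password(pw) or "accepted")
```

The "complex" 8-character password passes the legacy rules and fails the new ones, while the 40-character passphrase does the reverse.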
Vault by HashiCorp is a multi-purpose secret manager. One of my favorite features is dynamic secrets, in which Vault integrates directly with AWS in order to generate pre-configured credentials upon request. Best practices describe defining very narrow-scoped roles (IAM policies) on a service-by-service basis. The generated credentials have a lease with an expiration, automating much of the tedious and brittle parts of credential rotation.
Other features include management of certificates, keys, tokens, passwords, and other secrets. Vault can be used over CLI, web UI, or API.
Open source, easy to setup and use, Pritunl makes the top of the recommendation list in this category. Being open source, Pritunl can be audited for backdoors, cryptographic security flaws, and can receive improvement feedback from the community.
As a first line of defense, well-defined firewall rules around all networked devices are essential. Unused ports should be closed. Just because a port isn’t used now doesn’t mean someone won’t use it later (authorized or not).
An example of authorized usage might be a developer setting up a proof-of-concept using an open port and forgetting about it. By using a port policy of default-closed, our hypothetical PoC and the port it requires would be tracked through a change management process. The change management process (a ticket in a project tracker is enough) will track follow up, including closing the port when the PoC completes.
Public ports should be IP restricted if possible. There are exceptions, like web and mail servers, but exceptions should be limited and tracked. One section below discusses Scout2, an AWS account auditing tool, which will report on firewall rules across the account.
Firewall rules should be applied to internal networks as well. Service-to-service communication should be strictly limited, monitored, and audited. Anomalies require investigation, and resolution. What was the cause? Was a new service deployed? Is the network model wrong? Or was there an intrusion? These questions are important.
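The default-closed policy and tracked exceptions described above, as an added example that is not from the original post: an audit over a constructed list of inbound rules that flags world-open ports lacking a change-management ticket and exceptions whose follow-up date has passed (the PoC case). The rule shape, ticket ids and dates are all constructed.

```python
import ipaddress
from datetime import date

# Constructed inbound rules in a security-group-like shape (not Scout2 output).
RULES = [
    {"port": 443,  "cidr": "0.0.0.0/0",      "desc": "public web"},
    {"port": 25,   "cidr": "0.0.0.0/0",      "desc": "mail"},
    {"port": 22,   "cidr": "203.0.113.0/24", "desc": "ops bastion"},
    {"port": 8080, "cidr": "0.0.0.0/0",      "desc": "forgotten PoC dashboard"},
    {"port": 8443, "cidr": "::/0",           "desc": "temporary demo"},
    {"port": 5432, "cidr": "10.0.0.0/8",     "desc": "db from internal"},
]

# Tracked exceptions: port -> (ticket, review-by date). Constructed values.
EXCEPTIONS = {
    443:  ("SEC-101", date(2099, 1, 1)),
    25:   ("SEC-102", date(2099, 1, 1)),
    8443: ("SEC-150", date(2020, 6, 30)),   # PoC whose follow-up never happened
}

AS_OF = date(2024, 1, 1)   # constructed audit date


def audit(rules, exceptions, today):
    """Return (port, reason) findings for rules that violate the default-closed policy."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen != 0:
            continue                      # IP-restricted rule: acceptable
        exc = exceptions.get(rule["port"])
        if exc is None:
            findings.append((rule["port"], "world-open without a tracked exception"))
        elif exc[1] < today:
            ticket, review_by = exc
            findings.append((rule["port"], f"exception {ticket} past review date {review_by}"))
    return findings


def audit_sample():
    return audit(RULES, EXCEPTIONS, AS_OF)


if __name__ == "__main__":
    for port, reason in audit_sample():
        print(f"port {port}: {reason}")
```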
Section 3: Ops & Auditing
This section is written for individuals in engineering security roles, where tracking, auditability, and observability can really improve the role’s effectiveness.
An open source offering from OWASP, Defect Dojo helps manage CVE concerns. CVE information, remediation tracking, KPIs (time to discovery, time to remediation, among others), and suggested fixes are all part of Defect Dojo’s offerings.
Scout2 is a comprehensive AWS account auditing tool. It analyzes both global settings & services and region-specific services. Scout2 outputs HTML, so it’s good to have it running on a schedule and publishing findings to a non-public HTTP server. Review the output on a regular basis with the affected teams. Prioritize fixes based on relative risk, and track improvements as they are implemented.
Multi-Factor Authentication
All essential services (email, communication, code repositories, infrastructure consoles) should require every user to use MFA. After all, if it’s good enough for Google, it’s good enough for you.
Documentation quickly rots, and boiling the ocean should be avoided. So do we avoid thinking about risk altogether? Not really. Instead, we need a lightweight framework for identifying, assessing, triaging, and tracking important risks.
Initial risk identification should scope to the business, its clients, and requirements around the data the business needs in order to operate. Examples include GDPR, SOC compliance, and HIPAA regulations. If these or other regulations apply, start by understanding them and what architectural and business processes are required in order to comply.
Other important sources of risk are: lack of observability in operations; loose or non-existent processes around credentials and authorizations; ad-hoc infrastructure configurations; CVEs. These risks and others must be identified, scored by severity, and prioritized into a backlog.
Proactive risk assessment is a critical component of a comprehensive security roadmap.
Section 4: Investigation & Exploitation
There are a lot of different tools and distros to choose from for pentesting these days. One distro that works well and gets regular updates is Backbox. Based on Ubuntu, with the XFCE window manager, Backbox comes preloaded with an array of tools for network analysis, sniffing, vulnerability assessment, and exploitation, among others.
Some, like OWASP ZAP, are pretty dead simple to fire up and run with minimal configuration. Others, like Metasploit, have a slightly steeper learning curve. Metasploit serves as an exploitation and penetration testing framework, which can be configured with plugins for specific use-cases.