Staff Picks for Splunk Security Reading December 2020

Security Ryan Kovar
Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read.

Check out our monthly staff security picks and our all-time best picks for security books and articles. I hope you enjoy.

Ryan Kovar

@meansec


Device and Data Access when Personal Safety is at Risk by Apple

I have become more and more aware of how technology can enable abusers in abusive relationships over the last few years. Great talks by folks like Xena Olsen, who spoke at SANS CTI 2020 on how people use stalkerware against "loved ones," and testimonials from friends and colleagues have opened my eyes to the dangers of technology, especially mobile phones. Thankfully, some great folks over at Apple have released this document that outlines how to protect yourself better if you are an iPhone user. Read it, pass it along, and make it available to anyone you can. It may save a life.

Dave Herrald

@dherrald


Top Ten Security Updates from AWS re:Invent 2020 by Phil Rodrigues

It isn't easy keeping up with the release of new cloud services, especially during AWS re:Invent. This year has been no different, with AWS introducing several interesting new security-related services at re:Invent over the past few weeks. This summary posted by Phil Rodrigues on LinkedIn captures ten (plus a bonus selection) of the most interesting. It includes various goodies ranging from AWS Network Firewall (a stateful layer-7 advanced virtual firewall) to Code Signing for AWS Lambda. I found it to be a concise and valuable summary!

Matt Toth

@willhackforfood


Zero-click zero-day targets journalists by Pierluigi Paganini

At least 36 journalists were targeted using a zero-click zero-day on their iPhones. Using the KISMET exploit chain, which includes a zero-click exploit in Apple's iMessage software, attackers were able to compromise Al Jazeera staff, including journalists, in July and August 2020. This attack appears to have primarily focused on the personal devices of the targets, but the reality is that protecting against this type of adversary is incredibly difficult even on enterprise-controlled devices. Performing regular security audits, looking for anomalies in baseline configurations, and updating to the most current version of the OS are things an enterprise team can do to detect and protect against these types of attacks.

Tim Frazier

@timfrazier1


Shifting Cloud Security Left -- Scanning Infrastructure as Code for Security Issues by Christophe Tafani-Dereeper

DevSecOps as an idea and a practice is only gaining more and more traction as organizations realize that security MUST be part of the DevOps process further to the "left" in the development cycle. I found this blog post from @christophetd particularly helpful for those looking for some practical tips about how to approach "shifting left" some security practices for your infrastructure as code that leverages Terraform. I'm a big fan of Terraform from @hashicorp for provisioning cloud infrastructure on your cloud provider of choice. Checking this infrastructure both before and after it's deployed is a critical part of ensuring your cloud presence has a strong security posture.

John Stoner

@stonerpsu


The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit by Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Siena Anstis, and Ron Deibert

As I look back over the past few weeks, there are a tremendous number of great articles, papers, and discussions to share. In fact, my concern is that there is so much out there that some of the issues being confronted get overlooked compared to others. That's why I wanted to highlight a report that dropped from the fine folks at The Citizen Lab. They released an excellent, well-researched report on journalists' iOS devices being hacked using a zero-click exploit. Citizen Lab lays out the background and the technical details of the attacks, as well as an analysis of a live infection. The Citizen Lab team hypothesized around the interests of specific operators targeting specific journalists as well, but it notes that "Counting the 36 cases revealed in this report, there are now at least fifty publicly known cases of journalists and others in media targeted with NSO spyware, with attacks observed as recently as August 2020." These attacks are taking place against journalists in many parts of the world, going beyond just this report. Take a little time out of your day, and check out this report.
