Tim (Wadhwa-)Brown :donor:<p>Launching the network into the sun is the strategic response. For a short term operational fix, should they just set fire to the desks and racks? Minimal capex for that, right?</p><p><a href="https://infosec.exchange/tags/networkarchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networkarchitecture</span></a></p>
veganism.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Veganism Social is a welcoming space on the internet for vegans to connect and engage with the broader decentralized social media community.
Administered by:
Server stats:
293active users
veganism.social: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.0-alpha.5
#networkarchitecture
1 post · 1 participant · 0 posts today
Bob Young<p>Over the weekend I set up an air-gapped computer for use with certain clients. The increasing use of Artificial Intelligence (AI) to analyze data of all types warrants this new operational procedure for my clients with Non-Disclosure Agreements (NDAs).</p><p>Examples of privacy violations are too numerous to count. To give you one example (that doesn’t even use AI), companies have been found guilty of violating user preferences regarding location tracking. Another example: so-called anonymized data has been connected back to the associated sources many times through the use of many methods. The analysis of anonymized data with AI tools makes it even easier to de-anonymize information.</p><p>Major software companies, operating system companies, device manufacturers, and cloud service providers are all actively working to obtain your data.</p><p>Legal protections are lagging behind technology advances.</p><p>Privacy policies are written to confuse. They deliberately include doublespeak and ambiguity.</p><p>Default opt-in is normalized.</p><p>AI systems are leaky. They have information they obtain without your informed consent, and they leak that information in ways the system owners can’t even predict.</p><p>You cannot avoid working with AI-enabled networks, hardware, software, and systems. Even when you try to minimize it, disable it, or reject it, your information is at risk.</p><p>For these reasons, I’m applying the following operational policies for information from any company for which I’ve signed an NDA: </p><p>1) I’m making available file transfer systems that are end-to-end encrypted. The use of these systems is at the client’s option. If they want to send a document as an unencrypted email attachment, they can still do that. I’ll support, and work with, any encryption methods the client chooses.</p><p>2) All information received under an NDA will be moved to the air-gapped system for processing. Even if they send me a document as an unencrypted PDF, I won’t open it with any application until it’s on the air-gapped system.</p><p>These steps don’t protect the client from all risks, but they do allow me to prove due diligence in protecting information provided to FIFO Networks under an NDA.</p><p><a href="https://infosec.exchange/tags/CallMeIfYouNeedMe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CallMeIfYouNeedMe</span></a> <a href="https://infosec.exchange/tags/FIFONetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIFONetworks</span></a></p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> <a href="https://infosec.exchange/tags/NDA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NDA</span></a> <a href="https://infosec.exchange/tags/NetworkArchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkArchitecture</span></a> <a href="https://infosec.exchange/tags/policy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>policy</span></a></p>
Bob Young<p>When you set up your e-commerce platform on a Cloud Services Provider (CSP), be sure you understand how their load balancing works. Understand the geographic distribution of the load balancing system in relation to your e-commerce servers. Where are your customers “entering” the network, and where is their data transported for sales and payment events? Load balancing can significantly affect pricing, so you’ll want to engineer accordingly, and monitor continually.</p><p><a href="https://infosec.exchange/tags/CallMeIfYouNeedMe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CallMeIfYouNeedMe</span></a> <a href="https://infosec.exchange/tags/FIFONetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIFONetworks</span></a></p><p><a href="https://infosec.exchange/tags/NetworkArchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkArchitecture</span></a></p>
Bob Young<p>Using the company website as the launch point for the employee login is a common practice. With adequate Identity and Access Management (IAM), it seems secure enough. But, there’s another piece to this.</p><p>When the well-known domain is the launch point for the employee login, it sometimes means that the employee data is stored on, and accessible from, the same server group, and in the same IP address range. In other words, the employee data may be accessible and downloadable without an employee’s authentication credentials.</p><p>I know of a law firm that has its billing and financial data literally on the same hard disk as their website. If the cybercriminal breaches the website, they have access to everything.</p><p>THE LESSON<br>The more separation you have between your public website and your private data, the better.</p><p><a href="https://infosec.exchange/tags/CallMeIfYouNeedMe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CallMeIfYouNeedMe</span></a> <a href="https://infosec.exchange/tags/FIFONetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIFONetworks</span></a></p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/NetworkArchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkArchitecture</span></a></p>
Bob Young<p>If you prefer centralization to segmentation, <br>If you prefer “cloud only” to cloud as a last resort, <br>If you prefer outsourcing your help desk to building tribal knowledge, <br>I’m not your huckleberry.</p><p>Why? Because...<br>I will tear your team apart.<br>I will deconstruct your team <br>and reconstruct your team.</p><p>As quickly as I can, I’ll replace the “cloud only” people with <br>people who value security over convenience, with <br>people who value security over lowest cost, with <br>people who value security over business as usual.</p><p>From Accounting to Marketing to Sales to Customer Care, every department will be involved in reviewing their part of the company’s data to determine what must be online, and what can be stored locally.</p><p>You will have a server room of your very own.<br>Your own IT personnel will hear the whirring of the servers’ fans.<br>I will replace some VPNs with more expensive dedicated circuits.<br>Some data will only be accessible by coming into the office.<br>In Customer Care, no single login will be able to access all customers’ sensitive information. Depending on the size of the company and call center, one Customer Care representative may only be able to access A-M, or A-G, or maybe even just A. If a cybercriminal phishes their login, that’s all the cybercriminal will get.</p><p>Everything will be backed up locally.<br>Everything.<br>Even what’s left in the cloud.<br>Yes, there will still be some data left in the cloud, like your store, where you sell stuff.<br>And there may still be some data off premise, in private cloud storage, on servers the company owns, rather than servers the company leases.<br>But, for the most part, the cybercriminal will have to enter the building to access the data.<br>Instead of having only one security mechanism (authentication), you will have two: authentication security plus location security.</p><p>If you can’t make a profit with this security model, one of two things are true.<br>Either <br>Your business model isn’t viable, <br>Or<br>You suck at running a business.</p><p>It has always been possible to run a profitable business without creating a global attack surface for your sensitive data.</p><p>The Cloud Sales Machine has done an incredibly effective job of convincing you <br>that if it’s not secure, it’s your fault, <br>that authentication is enough, <br>that cheap is just as good.</p><p>The Cloud Sales Machine has done a really, truly, amazingly, incredibly effective job with that last one: cheap. <br>It is rational for you to question whether your monthly subscription and service fees have gotten out of hand. <br>It is rational for you to be dismayed at the complexity of the pricing scheme, because it really is a scheme, carefully designed to hide the true cost in a swirling fog of mystery.</p><p>It is rational for you to think, “Maybe we could actually save money by pulling this in-house.”</p><p>But don’t lose sight of the objective. <br>The objective isn’t to do it the least expensive way possible. <br>The objective is to do it in a way that is secure, and still profitable.</p><p>If any of this makes sense to you, <br>I’m your huckleberry.</p><p><a href="https://infosec.exchange/tags/CallMeIfYouNeedMe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CallMeIfYouNeedMe</span></a> <a href="https://infosec.exchange/tags/FIFONetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIFONetworks</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/networkarchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networkarchitecture</span></a></p>
Bob Young<p>Someone recently asked me about the difference between network segmentation and data segmentation after I mentioned them in a post. Both are important. Sometimes you use one method, sometimes the other, and sometimes both. And then, karma. A perfect example of data segmentation appeared on my screen a day or two later, and now I’ll share it with you.</p><p>Here’s an example of data segmentation, possibly without network segmentation. See accompanying picture.</p><p>I have multiple websites with the same hosting company. The hosting company is offering me the option of merging all of my websites under one login. That would be convenient, but it’s less secure.</p><p>At the data level, a cybercriminal must authenticate on each of the websites separately, with separate 2FA. At the network level, I have no way of knowing if the web hosting company has segmented the infrastructure, and to what degree. For some companies, detailed knowledge of the hosting company’s physical architecture is essential to good security, but for me it doesn’t matter, since I have zero confidential information stored on, or accessible from, the web servers. The worst thing a cybercriminal can do to my websites is defacement or knocking them offline.</p><p>THE LESSON<br>As part of your risk assessment, consider both network segmentation and data segmentation. Everything that can be accessed from the same authentication credentials is in the same data segment. The most common weakness I uncover is in granting a single Administrator account too much access.</p><p><a href="https://infosec.exchange/tags/CallMeIfYouNeedMe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CallMeIfYouNeedMe</span></a> <a href="https://infosec.exchange/tags/FIFONetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIFONetworks</span></a></p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/NetworkArchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkArchitecture</span></a> <a href="https://infosec.exchange/tags/DataArchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DataArchitecture</span></a></p>
Bob Young<p>I just posted this controversial post on LinkedIn. Let the blocking begin. (It might happen here, too).</p><p>“Hi Bob, I hope that you're well! Do you do migrations? I’m looking for someone who can help me with migrating my <number redacted> employee company from <Cloud Provider Name Redacted> to <Cloud Provider Name Redacted> and help us avoid any gotchas, as we will still be hosting our production site on <Cloud Provider Name Redacted> for the time being. I'm realizing that paying an expert in this case will save time and opportunity. Thanks much!”</p><p>“<Name redacted>, thank you so much for thinking of me. In this instance, I’m not the right person for the job. I’d be the one to call if you wanted to migrate out of a commercial cloud service and maintain your operations in your own server room, or on your (owned) equipment in a private data center. You need someone with good knowledge of <Cloud Provider Name Redacted> cloud products. I studiously avoid an architecture that I consider fundamentally flawed.”</p><p>If the current chaos in the USA has caused you to realize that it’s important to keep local control of your IT operations, I’m the Network Architect/Engineer who can help you with that.</p><p><a href="https://infosec.exchange/tags/CallMeIfYouNeedMe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CallMeIfYouNeedMe</span></a> <a href="https://infosec.exchange/tags/FIFONetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIFONetworks</span></a></p><p><a href="https://infosec.exchange/tags/ProjectManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ProjectManagement</span></a> <a href="https://infosec.exchange/tags/NetworkArchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkArchitecture</span></a> <a href="https://infosec.exchange/tags/NetworkEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkEngineering</span></a> <a href="https://infosec.exchange/tags/Policy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Policy</span></a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/InformationSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InformationSecurity</span></a></p>
Bob Young<p>A new Director asked me for help to quickly get a grasp of the network he was responsible for. I signed an NDA as part of the preparation for the engagement. Then the company sent me a purchase order, and we were ready to begin.</p><p>As we talked, I learned that he was the only in-house, on-the-payroll IT person. It was a hybrid system, both cloud and on-prem. The company was using a Managed Services Provider (MSP), and they provided two full-time, on site personnel. They did Help Desk support and any on-prem work that needed to be done in the server room.</p><p>“Okay,” I said, “ask them to give you a copy of the network diagram and send it to me. Then we’ll go over it together, and I’m sure I’ll have more questions, too.”</p><p>The two guys from the MSP couldn’t provide him with a network diagram. This MSP had been providing operations support for a couple of years. Both of the gentlemen from the MSP had been working on site for several months.</p><p>Soon, I was in a video conference with the Director and the two techs from the MSP. They didn’t like me much. I was always polite and respectful, but I kept asking questions they couldn’t answer. Someone at the MSP figured out that the account was in jeopardy and told the on-prem guys to cooperate with me. Things went much smoother after that.</p><p>THE LESSON<br>If you’re in IT upper management, ask your team for a network diagram. Even if the majority of your system is cloud-based, you’ve still got an Internet connection into the building, a firewall, and a distribution system. They should be able to provide this information instantly, and if they can’t, there are far bigger problems waiting to be discovered.</p><p><a href="https://infosec.exchange/tags/CallMeIfYouNeedMe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CallMeIfYouNeedMe</span></a> <a href="https://infosec.exchange/tags/FIFONetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIFONetworks</span></a></p><p><a href="https://infosec.exchange/tags/NetworkArchitecture" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkArchitecture</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
VegansExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload