Cloud infestation by networked attacks (current state) vs. (old school) system infection by virus

When your cloud assets are breached by a virus ….

Scenario 1 (old school):

Your machine gets a virus on it. You use anti-virus to kill it, or rebuild … move on with your life.
  • Future impact: Zero
  • Cost: One time

Scenario 2 (most businesses and product teams):

Your cloud environment gets infected with a virus / ransomware. Now though, instead of just one machine, this virus (for simplicity of writing) moves within the environment and infects other systems. After the initial infection, this virus calls back to a command and control server and shares intelligence about the hosts it has infected (IP address space, user details, security protocols, VPN details, routing tables, user information, any database details, etc.). These details, much like a robo-call spammer’s list, are logged and shared with other attack networks and targeted further, now customized to the infected hosts’ footprints.
The result: a higher success rate of breach for similarly managed systems, and higher value to attackers, who now have a rich data store to attack and to sell on the black market to interested parties.
  • Future Impact: High and frequent
  • Cost: Ongoing
The impact of such a breach is best understood once you acknowledge that these are networked attacks: learning attacks that build upon prior successes. To undo the damage, full system refreshes are required, all of the keys linked to those environments need to be reset, and any tokens or ‘obfuscation’ techniques changed. Cloud allows for auto-scaling and self-healing, but it works the other way too: attackers can auto-customize their attacks to fit our profile.
Act accordingly.
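The "networked" point above is easiest to see when the clean-up is written down. The following is an added example, not code from the original post: it models an inventory of environments and the credentials each holds (all names are constructed), and computes which environments must be refreshed and which keys reset after one environment is breached. Because a credential shared between two environments links them, the answer is the transitive closure over shared credentials, not just the first infected host's own keys.

```python
"""Added example, not part of the original post.

Models the 'networked' aspect of the breach described above: credentials
shared across environments link them, so the set of keys to reset after a
breach is the transitive closure over shared credentials. The inventory
below is constructed; environment and credential names are invented.
"""
from collections import deque

# Constructed inventory: environment -> credentials it holds.
INVENTORY = {
    "prod-web":  {"db-ro-key", "vpn-cert-A", "ci-deploy-token"},
    "prod-db":   {"db-ro-key", "db-admin-key"},
    "staging":   {"ci-deploy-token", "staging-api-key"},
    "ci-runner": {"ci-deploy-token", "signing-key"},
    "analytics": {"analytics-token"},   # shares nothing; outside the blast radius
}


def shared_credentials(inventory):
    """Credentials held by more than one environment: the links an attacker can follow."""
    holders = {}
    for env, creds in inventory.items():
        for c in creds:
            holders.setdefault(c, set()).add(env)
    return {c: envs for c, envs in holders.items() if len(envs) > 1}


def rotation_plan(inventory, breached_env):
    """Return (environments to refresh, credentials to reset) reachable from breached_env.

    An environment is reachable if it holds any credential that an already
    reachable environment also holds: the attacker learned that credential
    on the first host, so it may have been used to move laterally.
    """
    holders = {}
    for env, creds in inventory.items():
        for c in creds:
            holders.setdefault(c, set()).add(env)

    envs, creds = set(), set()
    queue = deque([breached_env])
    while queue:
        env = queue.popleft()
        if env in envs:
            continue
        envs.add(env)
        for c in inventory.get(env, ()):
            creds.add(c)                      # every key the attacker could have read
            for other in holders[c]:
                if other not in envs:
                    queue.append(other)       # follow the shared credential outward
    return envs, creds


if __name__ == "__main__":
    envs, creds = rotation_plan(INVENTORY, "prod-web")
    print("refresh:", sorted(envs))
    print("reset:  ", sorted(creds))
    print("links:  ", shared_credentials(INVENTORY))
```

Run it and the breach of a single web host pulls in the database, staging and CI environments through two shared credentials, which is exactly why the post calls for full refreshes and key resets rather than cleaning one machine.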

All can rejoice, officially sensible Password Best Practices published – now to undo decades of bad habits

After decades of making passwords harder and harder to manage, while the whole time every security professional and data scientist could show you that it did not make account credentials more secure, NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines, which make it official.

This is a brave release and the first step for private industry to now take the lead in product innovation, customer experience, and classic computing system usage around authentication and authorization. They make three important suggestions when it comes to passwords:

  • Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don’t help that much. It’s better to allow people to use pass phrases.
  • Stop it with password expiration. That was an old idea for an old way we used computers. Today, don’t make people change their passwords unless there’s indication of compromise.
  • Let people use password managers. This is how we deal with all the passwords we need.

Bruce Schneier highlighted these 3 bullets and has an excellent discussion occurring in the comments. I recommend developers, security professionals, and businesses review this guidance from NIST and make the right choices! Source: Changes in Password Best Practices – Schneier on Security

Cloud Natural Language API  |  Google Cloud Platform

Playing with some projects on the intersection between human expression and the state of affairs related to hobbies. Explored natural speech and sentiment analysis. Worthwhile to those interested in parsing large spans of consumer experiences.

The applications to cybersecurity are immense. I look forward to sharing my experiences and open source adventures.

Analyze text using ML to extract relevant entities, understand the overall sentiment, identify parts of speech and create dependency parse trees.

Source: Cloud Natural Language API  |  Google Cloud Platform

Paper demonstrating viable attack between chipsets and a device’s main processor

Interesting paper demonstrating a threat vector from replacement parts to consumer (and just as easily commercial / industrial) electronic devices. This paper shows that ‘attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques.’ The authors demonstrate several use cases and prove the effectiveness of the technique.

Product cybersecurity extends well beyond the develop-and-operate life cycle of a product, and clearly requires the maintenance phase too. The greatest challenge will be the attractiveness of non-branded 3rd party parts due to their $ savings and lack of IP protection. Other ideas and thoughts?

Click to access Shattered.pdf


2017 State of DevOps Report, the pulse of development work patterns

One of my favorite snapshots into the current flight of product development team work patterns, habits, and cultures. Download it, it is free and THE source for catching the pulse and benefits of DevOps.

Here are a few things you’ll learn in this year’s report:

  • How DevOps practices affect deployment frequency, lead time, change failure rate and MTTR
  • The influence leadership has on DevOps transformations
  • How high- and low-performing teams automate differently
  • The impact of architecture and team structure on IT performance
  • How DevOps helps organizations reach both their financial and non-financial goals

Source: 2017 State of DevOps Report, presented by Puppet and DORA

Serverless/ Lambda CyberSecurity: Unhinged realities and magnitude impacts

These past six months I have had the privilege of developing and building the cybersecurity strategy for the global digital products of an industry leader. We are working with traditional end-client products, serverless architecture (i.e., Amazon Lambda), IoT, and our own developed firmware that is used by millions every day. While I cannot share much of the success, technology, and methods fully, I aim to share what I can for our community.

One aspect of this experience has been the exploration and discovery of the most ideal strategy and practical safeguards to ensure the best customer experiences across these extreme environments. My intention is to share these insights to encourage debate and development. Much like any discovery, perspectives from many different individuals create the greatest utility.

Strategy unhinged

Having crafted digital strategies over the past decade, I was surprised how easily classic concepts and assumptions were challenged. Here are a few that top my Moleskine notebook:

  • Roles and classic ownership disappear
  • Third parties are the product now
  • Permanency doesn’t exist, so don’t look for it

I’ll share greater detail on each of these observations in a future reflection, as they deserve their own deep dive given their complexity. To offer some leads to help improve your own environment, here is what I have seen for each of these components.

Roles

— The RACI in a classic sense needs to be rebuilt. A solid first step is to reframe the areas of concern (the left column) to match your cybersecurity policy and app strategy elements. The roles should drill into the product principals and their authority chain.

Third Parties

— Build a dependency inventory of the libraries, services, managed services, integrators, shims, and digital elements of your product. This requires patience and following the rabbit hole. Start with an XLS and move to something more dynamic and automatic to be sustainable long term.
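A first step past the spreadsheet is to generate the library part of that inventory from the product's own manifests. The following is an added example, not code from the post or the author's programme: it parses two constructed manifests (a pip requirements file and an npm package.json, with invented package names and versions), normalises them into one inventory, and flags entries that are not pinned to an exact version or are pulled straight from a repository, since those can change underneath the product without anyone deciding to change them.

```python
"""Added example, not part of the original post.

Builds a first-pass dependency inventory from two constructed manifests and
flags unpinned or VCS-sourced entries. Package names, versions and the
repository URL are illustrative, not real.
"""
import json
import re

# Constructed sample manifests.
REQUIREMENTS_TXT = """\
# web tier
flask==1.0.2
requests>=2.18
cryptography          # no version at all
-e git+https://example.invalid/vendor/shim.git#egg=vendor-shim
"""

PACKAGE_JSON = """{
  "name": "product-ui",
  "dependencies": {"express": "4.16.3", "lodash": "^4.17.4"},
  "devDependencies": {"mocha": "~5.2.0"}
}"""

_PIP_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#]*)")


def parse_requirements(text):
    """Turn a pip requirements file into inventory entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # pip treats '#' preceded by whitespace as a comment; '#egg=' is not one.
        line = re.split(r"\s+#", line, maxsplit=1)[0].strip()
        if line.startswith("-e ") or "://" in line:
            # Editable / VCS install: a third party fetched straight from a repo,
            # with no release version to pin against.
            egg = re.search(r"#egg=([A-Za-z0-9._-]+)", line)
            entries.append({"ecosystem": "pip", "name": egg.group(1) if egg else line,
                            "spec": "vcs", "pinned": False})
            continue
        m = _PIP_LINE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        entries.append({"ecosystem": "pip", "name": name,
                        "spec": f"{op}{ver}" if op else "*",
                        "pinned": op == "=="})
    return entries


def parse_package_json(text):
    """Turn an npm package.json into inventory entries (dev deps included)."""
    data = json.loads(text)
    entries = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            entries.append({"ecosystem": "npm", "name": name, "spec": spec,
                            # '^' and '~' ranges float; only a bare x.y.z is pinned
                            "pinned": bool(re.fullmatch(r"\d+\.\d+\.\d+", spec)),
                            "dev": section == "devDependencies"})
    return entries


def build_inventory():
    inv = parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
    return sorted(inv, key=lambda e: (e["ecosystem"], e["name"]))


def unpinned(inventory):
    """Names of dependencies whose version can drift without a deliberate change."""
    return [e["name"] for e in inventory if not e["pinned"]]


if __name__ == "__main__":
    inventory = build_inventory()
    for e in inventory:
        print(f'{e["ecosystem"]:4} {e["name"]:14} {e["spec"]:12} pinned={e["pinned"]}')
    print("needs attention:", unpinned(inventory))
```

The same shape extends to the rest of the list in the post (managed services, integrators, shims) once each has a machine-readable source of truth; the point of starting with manifests is that they already exist and can be re-read on every build, which is what makes the inventory sustainable.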

Permanency

— Flux is the nature of digital products, and the honeymoon of web apps or smartphone apps with a single platform and standards is gone. Adjusting the safeguard concepts and risk analysis flows, and honestly finding ways to accelerate product innovation and architecture discussions, is the key to success here.


In a serverless environment calls and services can grow exponentially; in fact, orders of magnitude faster and more complex than most expect. As a result, innovation and buildout of these environments must be matched by similar innovation and responsiveness from across the organization. Those who have proven to be successful partners in this process include:

  • technical engineers actually writing the code of the product
  • team members who wrote the shims / interfaces between product and these serverless environments
  • hosting providers (Amazon in many cases) and their services to unearth data necessary for performance improvement, forensics, and analytics

How have you changed your risk management analysis with serverless architecture?

What new goals have been set with regard to these new digital solutions?

What is the tolerance level for impact to your customer’s experience with regard to quality and faults?

How are you using patterns and anti-patterns to discover faults in the transaction and performance of these REST end-points?

Just a few questions to consider…

Set goals, diagnose challenges, and build your cybersecurity strategy with heavy contemplation of 1st, 2nd, and 3rd order consequences (such as exponential cost curves on team members and $$)

Building a cybersecurity strategy requires a full appreciation of the business direction, current technical assets, and the technology being developed and supported. Many organizations began with a strategy — a basic one built on fundamental elements, such as maintaining good availability and ensuring our operations execute as expected. Simple.

Today though, we as leaders are now sought out for a strategy around our digital assets, technology solutions, and customer experience. This requires a rebirth of your strategy and is an awesome opportunity for everyone involved. My experiences here have seen great and bad. Great where teams collaborate, innovate, and customer feedback is fantastic. Bad, well, usually they are just false starts — where isolated ideas never become operational realities, or in other cases when textbook ideas don’t fit the reality of a business.

Having been in the center of reboots and uniquely blessed to build such programs (generally around digital products, IoT, and currently serverless / Lambda), I found a principle that has benefited me repeatedly. It is a first principle of sorts on how to approach strategy development and activation (the initiation of a new strategy within an operating organization, whether 10 teams or 5,000 teams), and it is best approached by asking how your strategy answers this question:

How much do you respond to 1st order consequences at the expense of 2nd and 3rd order consequences?

With this question answered, your strategy analysis can be accomplished, in my experience, by structuring the approach in the following process: one that creates laser focus on achieving your goals without rushing into activities before the 2nd and 3rd order consequences above are considered!

To achieve your goals:

  • Set Goals (high level, specific, prioritize)
  • Identify and mitigate problems (resources, buy-in)
  • Diagnose root problems (get to the nerve of the issue)
  • Design plan (be practical and creative, not all things need to be fixed)
  • Task and complete (tasks aren’t the goals, but require diligence to achieve goal)

Greater expansion on this idea is developed and articulated within the Management Principles of Ray Dalio of Bridgewater Capital, one of the most successful management companies in the world.