The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, and…
QuickGuide: Cloud Security Recommendations
Know the infrastructure security of your provider or platform: In the shared security model, the provider (or whoever maintains the private cloud platform) has the burden of ensuring the underlying physical, abstraction, and orchestration layers of the cloud are secure. Review compliance certifications and attestations. Check industry-standard and industry-specific compliance certifications and attestations on a regular basis for having the…
Common Cloud Security Threats
Cloud deployments, whether public, private, hybrid or community, are susceptible to all the traditional cybersecurity threats and more. Let’s look at the most common threats: Virtual machine attacks: Active VMs are vulnerable to all traditional attacks that can affect physical servers. Once a VM is compromised, it may be able to attack other VMs running…
“Trust me, I am a CISO”
As things around us rapidly unfold in the cybersecurity realm, many “experts” are sprouting out of the woodwork. How do we distinguish between the real deal and the phonies? Some questions to ask every “CISO” – How do you ensure security policies, procedures, baselines, standards, and guidelines are written to address the information security needs…
QuickGuide: ISO/IEC 17789 Cloud Computing Reference Architecture (CCRA)
ISO/IEC describes cloud computing systems from four distinct viewpoints: User view: The system context, the parties, the roles, the sub-roles, and the cloud computing activities Functional view: The functions necessary for the support of cloud computing activities Implementation view: The functions necessary for the implementation of a cloud service within service parts and/or infrastructure parts Deployment…
Weapons of Mass Disruption
Moonlight Maze In 1996, in the infancy of the Internet, someone was rummaging through military, research, and university networks primarily in the United States, stealing sensitive information on a massive scale. Victims included the Pentagon, NASA, and the Department of Energy, to name a very limited few. The scale of the theft was literally monumental,…
Oracle Data Safe and Consumer Privacy Acts
New consumer data privacy laws are cropping up throughout the US. Just like the European Union’s General Data Protection Regulation (GDPR), these Acts force the hand of many (but not all) organizations to protect consumers’ data privacy rights. Privacy Acts aim to safeguard consumer privacy, and that doesn’t just mean names and addresses, but also…
Installing Kali Linux on OCI
What is Kali Linux? Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali Linux contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering. Kali Linux is developed, funded and maintained by Offensive Security, a leading information security training company. Installing Kali…
Installing Debian on OCI
Download Debian – Go to https://cloud.debian.org/images/cloud/OpenStack/9.13.7-20201108/ and download debian-9.13.7-20201108-openstack-amd64.qcow2
Upload Debian to Oracle Cloud Infrastructure – Login to your OCI Console, for instance, https://console.us-ashburn-1.oraclecloud.com/ Go to Object Storage and pick or create a bucket. Upload debian-9.13.7-20201108-openstack-amd64.qcow2 to the bucket
Import Debian Custom Image – Login to your OCI Console, for instance, https://console.us-ashburn-1.oraclecloud.com/ Go to Compute -> Custom Images and click on Import Image. Select Import from Object Storage…
QuickGuide: PCI Guidelines at a glance
PCI DSS (Payment Card Industry Data Security Standard) is an industry mandate. If your enterprise accepts credit card payments or handles payment card data, it must comply with PCI DSS. Here are the 12 key requirements set by PCI DSS – Install and maintain a firewall configuration to protect data Do not use vendor-supplied defaults…