DevOps has transformed how we create and maintain information systems. Increasingly, we don't build servers or even datacenters. Many startups skip datacenters entirely, using software-as-a-service (SaaS) for what they can, and abstracting all of their other information technology needs into cloud services, whether via infrastructure or platform-as-a-service. For those organizations, a single compromised API key represents complete control of the organization's cloud presence – from firewalls, to load balancers, to servers.
One penetration tester found an organization's highest privilege API key checked into a public source code repository. His test achieved complete information technology compromise before he'd sent a single packet to his client.
This cultural change isn't simply about how we build technology--it's also about how we introduce technology increasingly into our everyday life, via the IoT movement. In our personal lives, our phones, smart speakers, and computers control our homes, our cars, and our pacemakers. Central to all of this is radio, whether it be a standard protocol like WiFi, Bluetooth, Zigbee, or Z-Wave, or a custom radio protocol created for a single product line (as in the pacemaker vulnerabilities disclosed by MedSec).
The radio-connected Internet of Things doesn’t apply solely to consumer devices. Consider this: computers connecting by radio increasingly control our manufacturing, farming, transportation, environment controls, and building security. What happens when a security flaw allows an attacker to cause damage to crops by faking the data from the sensors monitoring those crops?
For deeper insights into these issues, check out my on-demand webinar, Tackling the Privilege Challenge of Next Generation Technologies, where I share stories of hacking both DevOps-enabled cloud environments and the Internet of Things. You will hear a penetration tester's experiences hacking cloud-enabled companies and radio-connected IoT devices, and also gain some practical security guidance from BeyondTrust on how to better enable and secure next-gen initiatives, like DevOps, IoT, and more.
Jay Beale, co-founder, COO and CTO, InGuardians
Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the “Stealing the Network” series. He has led training classes on Linux Hardening and other topics at Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training. Jay is a co-founder, Chief Operating Officer and CTO of the information security consulting company InGuardians.