Author: Martin McGregor, Cofounder and CEO, Devicie
How should we run Docker on our end-user devices? Why are organisations slow to holistically adopt cloud-native technology? How do we keep our kids safe online without ruining their social lives? And, since when did lock picking become so popular? CrikeyCon has overdelivered once again, inspiring questions and thoughts on how to live and work safely on the internet. Here are my takeaways from the event.
If you’re like me and were lucky enough to attend CrikeyCon, you’re probably still buzzing from the event. Now in its eighth year, CrikeyCon is a grassroots security conference like no other. What makes it unique is that it is a community-led event for people who genuinely care about putting a stop to cybercrime and give up their free time to do so.
I learned so much and had a great time connecting with old and new friends. It’s exactly this type of event that promotes and inspires collaboration and innovation – and I know there will be some great outcomes for the Australian cyber industry that result from it.
I’ve been thinking a lot about what resonated the most. This blog will cover what I took away from the conference and my advice for enterprise organisations.
1. Inspired by Mangopdf’s talk, ‘Hiding malware in Docker’: If you’re running Docker in your organisation, consider the pros and cons of standardising it on Linux.
Docker is designed to run on Linux. When running it on Mac or Windows, a virtual machine is created with no capabilities for system administrators to manage or secure it. As such, the existing hardening of this virtual machine could use some more investigation when considering those platforms in your organisation.
A good example of this would be limiting the virtual machine’s access to areas of the operating system within the context of the user as opposed to root.
What was clear from Mangopdf’s talk is that hiding malware in a typical user context is certainly feasible and difficult to detect due to the obfuscated nature of this Docker virtual machine.
Organisations should consider the usability impact of running Docker on Linux as well as their capacity to manage Linux at scale. At the same time, they should weigh the security and compliance risks introduced by running Docker on MacOS and Windows.
The challenge with virtual machines is always accessing end-user resources, like files and the network. To overcome this, virtual machines typically require access to the host operating system or network. Making this seamless for end users improves the usability of virtualisation, however it is important to consider the degree and scope of access the virtualisation software has to these resources, particularly those that are privileged.
In my opinion, running Docker on Linux natively certainly appears to simplify the complexity and scope of system hardening required to keep devices secure and compliant in enterprise organisations. However, Linux for end-user devices comes with its own set of challenges that also require consideration.
Managing Linux remotely, system deployment and provisioning, and maintaining visibility at scale is an uphill battle for most enterprises. Interestingly, Microsoft Intune support for Linux is a potentially feasible solution for organisations to manage Linux over the internet holistically along with other supported operating systems, however it is still early days.
2. With the ever-increasing risks posed by cybercrime to everyday organisations, the cost and complexity of managing the security and compliance of server infrastructure is becoming increasingly unfeasible for most organisations.
While enjoying Fancy_4n6’s presentation on ‘Using the ATT&CK matrix to map incidents to bolster detect and respond capabilities’, it occurred to me that so many of the mitigations organisation need to maintain have a strong focus on system hardening. In my opinion, this is out of reach for most budgets and teams.
When you consider the amount of effort required to reduce the attack surface across most organisations’ infrastructure and applications, the scope is incredibly vast. For example, database servers require hardening from the database level all the way down to the operating system level. We can’t expose them to the internet most of the time, so we often end up having to manage network access between resources and protecting them from basic SQL attacks with application firewalls.
Application and web servers have the same challenges. Then there’s the required infrastructure for things like authentication, such as Active Directory and its distribution across geographic locations. Servers for organisations can easily end up in the hundreds or even thousands – and they all require system hardening, reporting, gap analysis and constant reapplication of security controls. Then there’s the compliance requirements that need to be applied and audited regularly.
It has become unfeasible for most organisations to manage this much complexity let alone find the resources to do so. This is particularly true when managing virtualisation stacks, which also need to be maintained along with the applications and operating systems that sit above them. All this complexity does is create unintended functionality and exploit opportunities for attackers.
When considering attack mitigation solutions, organisations need to weigh up the business systems and applications that generate revenue against their effectiveness to combat cybercrime.
I believe cloud-native and serverless architectures should be taken much more seriously than they have to date. In my experience, most organisations are just tipping their toe in the water, often because they see the cost as being too high to go all in.
My advice is to consider the degree of services that run in your environment that are not required for your business to function and ask yourself why they are there.
Evaluate the cost of keeping legacy systems secure and compliant, and compare that with the cost of reducing the infrastructure you need to manage in the first place.
Ask yourself why you’re building your own authentication, database, network and virtualisation infrastructure, when it’s something you can consume as a service. Performance, cost reduction, scalability and distribution are just some of the perks.
Most importantly, the scope of services that your organisation needs to harden and stay secure is greatly reduced. And when so many methods used by attackers depend on having access to host operating systems, it seems like a no-brainer to this shift this complexity outside your organisation.
3. Always invite Jason (pictured left) as a volunteer to an event – he works hard AF. I barely got to hang out with him. However, after this article he may never say yes again.
4. Everyone has a hidden interest in lock picking.
Just be careful. Don’t do the double lock handcuff behind your back and get stuck needing to be rescued by a series of expert locksmiths. It’s humiliating and people will remind you of it at subsequent CrikeyCons. I personally avoided lock picking this year for no reason particularly.
5. It’s up to us to build a safer internet for our kids and the kids of the future.
During the presentation, ‘Doin’ it for the kids’, JP and Cam gave a great analogy likening the internet to seatbelts. We would never allow our children not to wear seatbelts, knowing the potential dangers – so why would we allow our children to roam freely on the internet? We know the risks of our children having unrestricted internet access. It’s up to us to define the safer future.
There are a host of concerns, from robbing the attention of our children to shady forums where abusive behaviour and peer pressure can create stress and anxiety. Sexual content and pornography introduce shame, guilt and humiliation that can last a lifetime.
As a parent who works on and grew up using the internet, I can sometimes sound like a bit of a crazy person for restricting internet access to my kids. Certainly, their friends and sometimes their parents think so. I don’t have all the answers, but I can identify with anyone who feels like they’re fighting an uphill battle alone. I do believe we need broader cooperation to raise awareness of the challenges and to regulate corporations that don’t act in the interests of our children’s wellbeing. With social media being so embedded in the lives of highschool kids, how can parents compete with hyper-focused corporations’ algorithmic annihilation of our kids’ attention? We need to work together to create a healthy understanding in society of the dangers of allowing children to have unrestricted access to the internet from a young age.
I will be cooperating with some other security professionals and parents on a blog on this very topic. The blog will feature some practical steps for parents, so their children can better self-regulate and explore the internet safely without missing out on the valuable social interactions that are so common with young people today.
6. Overcoming cybercrime is becoming increasingly political.
Businesses and individuals are increasingly having to consider the geopolitical climate when operating on the internet. While crime groups have been the greatest concern to date, the business model that makes those crimes attractive, and how to keep out of their firing line, is increasingly becoming a matter of politics.
In the talk ‘Inside the persistent mind of a Chinese APT’, Inversecos articulated the correlations between exposure of Australian businesses to Chinese cyberattack groups and the increasing strain between Australia and China.
To reduce cybercrime, we need global cooperation. When governments don’t work nicely with each other, or even oppose each other, it puts everyday businesses and individuals at greater risk.
However, we are still in control in terms of how we use the internet. My advice is to consider the way we use the internet to reflect the way we conduct business more precisely. Understand your team members, partners, customers and services – and from where, when and, most importantly, how they interact with your business. Operating online will always come with risk, but that doesn’t mean we can’t limit our internet use to only what’s required to operate our businesses.
7. The internet is becoming increasingly dangerous – but it isn’t all doom and gloom.
Indeed, the internet is becoming an unimaginably lawless and dangerous place to do business and live our lives. At the same time, as intense as the risks can sometimes appear, balance is still essential.
As a child of the late ‘70s, my first exposure to the internet was as an early teen, when I was at my brattiest and in constant trouble. Cracking video games, accessing things I wasn’t supposed to and trolling friends is what interested me in computers most. It was only later in life I learnt there were productive things to do online. But because of this, I have always seen the internet as a place to be careful. Even as a teen, I never would have imagined the internet being as dangerous as it is today and year-on-year predictions from my peers and I are typically underestimated.
But it’s not as bad as it seems. We mustn’t forget the value of the internet in the first place. In my experience, access to information, the ability to have a voice on a global platform, and the culture the internet has brought to the world far surpass the down sides.
I want to congratulate the organisers for putting on another cracking event. It’s a real privilege for Devicie to support it and I just love being a part of CrikeyCon each year.