
Kenneth G. Hartman

Security Consultant,  
Forensic Analyst & 
Certified SANS Instructor


Articles & Presentations

Here is a collection of Kenneth G. Hartman’s articles and presentations of a variety of topics including information security, privacy, and leadership:

Beware! Encryption Jedi Mind Trick

When a cloud service provider (CSP) says they are using encryption, that’s when you know you need to dig deeper into the details rather than succumb to the Jedi mind tricks of encryption. “You can trust us. We use encryption.” We will cover bring your own key (BYOK), what it actually is and the misconceptions around it, along with end-to-end encryption. Where do you use encryption? How do you perform encryption? How do you protect the keys throughout the key management life cycle?

Beware! Encryption Jedi Mind Trick - SLIDES (8/29/2023)

Beware! Encryption Jedi Mind Trick - YouTube Video

Differential File System Analysis for the Quick Win

Mature DevOps organizations use continuous integration/continuous delivery (CI/CD) techniques to deliver a hardened virtual machine “gold image” to production that does not need any additional configuration on first boot and is ready to join the cluster of virtual machines in the backend pool of its designated load balancer. This approach offers several significant security advantages, and it can also shorten the time needed for a forensic analysis when Differential File System Analysis is employed.

Differential File System Analysis is a technique wherein the storage volume(s) of a VM launched from a gold image are mounted read-only to a forensic workstation and are used as a basis for comparison against the forensic copies of the storage volume(s) of a VM that is suspected to be compromised. A reference hash set of all files on the gold image can be prepared in advance by the CI/CD pipeline and stored until needed. Any file on the suspect system whose hash is not found in the reference hash set is either new or altered.

Although this talk will demonstrate how to use the Differential File System Analysis technique and open-source software to investigate a compromised AWS EC2 instance, this technique is effective on any system launched recently from a gold image. The talk concludes with examples of how the high-level forensic processing steps can be automated to further reduce the time from compromise to analysis.
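The comparison described above, as an added example that is not code from the talk: it assumes the gold-image volume and the forensic copy of the suspect volume are each available as a read-only mounted directory tree (in practice something like /mnt/gold and /mnt/suspect). Here both trees, the file contents, and the intruder's changes are constructed in a temporary directory so the script runs offline; the SHA-256 choice, the "known/new/altered/deleted" categories, and all paths are assumptions for illustration.

```python
"""Differential file system analysis against a gold-image hash set.

Added example (not code from the talk). It assumes the gold-image volume and a
forensic copy of the suspect volume are each available as a read-only mounted
directory tree; the trees below are constructed in a temporary directory so
the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Digest a file in 1 MiB chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_set(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its digest.

    This is the step a CI/CD pipeline would run once against the gold image
    and store; symlinks are skipped so the walk cannot leave the volume.
    """
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            hashes[p.relative_to(root).as_posix()] = hash_file(p)
    return hashes


def diff_against_reference(reference: dict, suspect: dict) -> dict:
    """Classify every file on the suspect volume against the reference set.

    new     - path absent from the gold image and content unknown to it
    altered - same path as a gold-image file but different content
    known   - content matches a gold-image file (same path, or an unmodified
              copy placed elsewhere), so it needs no further review
    deleted - in the gold image but missing from the suspect volume
    """
    known_digests = set(reference.values())
    result = {"new": [], "altered": [], "known": [], "deleted": []}
    for path, digest in sorted(suspect.items()):
        if path in reference:
            result["altered" if reference[path] != digest else "known"].append(path)
        elif digest in known_digests:
            result["known"].append(path)
        else:
            result["new"].append(path)
    result["deleted"] = sorted(set(reference) - set(suspect))
    return result


def demo() -> dict:
    """Build a constructed gold image and a constructed compromised copy, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, suspect = Path(tmp) / "gold", Path(tmp) / "suspect"
        baseline = {  # constructed stand-ins for gold-image files
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "usr/bin/curl": b"ELF-placeholder-for-curl",
            "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
        }
        for root in (gold, suspect):
            for rel, data in baseline.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        # Changes an intruder might leave on the running instance (constructed):
        (suspect / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (suspect / "tmp/.x").mkdir(parents=True)
        (suspect / "tmp/.x/payload").write_bytes(b"dropper")
        (suspect / "usr/bin/curl2").write_bytes(b"ELF-placeholder-for-curl")
        (suspect / "etc/cron.d/backup").unlink()
        return diff_against_reference(build_hash_set(gold), build_hash_set(suspect))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:8s} {paths}")
```

The "known" bucket is what makes the technique a quick win: everything that still matches the gold image is set aside without review, and the analyst starts with the short list of new and altered files (here the modified sshd_config and the dropped payload) plus anything the intruder removed. Matching on digest rather than path also keeps an unmodified gold-image binary that was merely copied (curl2) out of the review queue.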

Differential File System Analysis for the Quick Win - SLIDES (8/4/2023)

Differential File System Analysis for the Quick Win - YouTube Video

Docker Crash Course - Github Repo

Docker Crash Course: How to containerize your favorite security tools

This two-hour workshop will introduce the student to Docker containers and images. During the workshop, we will create an image that contains the command line interfaces for AWS, Azure, and Google Cloud as our example, but the same process would be followed for any Linux-based command line tool. During the session, we will build, test, and troubleshoot the creation of the Dockerfile and publish the image to Docker Hub. Next, we will set up GitHub integration so that any changes that we push to the main branch will cause a new image to be built on Docker Hub. Lastly, we will demonstrate container image scanning, a feature that requires a paid subscription to Docker.

Docker Crash Course - Github Repo (6/20/2023)

Docker Crash Course: How to containerize your favorite security tools - YouTube Video

Can You Really Be More Secure in the Cloud?

Companies are using more of the cloud than ever: more services from each cloud service provider, and more cloud service providers, than ever before. However, this migration to the cloud is fraught with peril. The media is full of examples of companies who got it wrong. The default configuration of most cloud services is insecure, primarily to empower exploration by new users. Before an organization can responsibly store sensitive data in the cloud, it must ensure the environment is adequately secured. Can the cloud be made secure enough? Where does one start with this herculean task? At SANS, we believe that you can, indeed, be more secure in the cloud. This keynote presentation will cover some of the foundational practices woven into the SANS Cloud Curriculum that leading companies have leveraged to provide a very high level of security assurance. We will cover how to get started on this cloud security journey and then how to take it out of the stratosphere.

Can You Really Be More Secure in the Cloud? - SLIDES (10/12/2022)

Can You Really Be More Secure in the Cloud? - YouTube Video

Embrace Your Inner Hacker - Ideas for developers who raise the bar on fragile systems

This talk takes a longitudinal perspective on one Security Engineer’s experience working inside Amazon, Google, and SAP with a focus on lessons that can be learned from the past decade’s significant security events: Heartbleed, Shellshock, ransomware, and of course SolarWinds. The presentation will explore how and why the various advancements that enable systems development at global scale can be and have been exploited. Of course, there is no such thing as a magic security bullet, but this talk argues that thinking like a hacker can help developers build systems that are more secure and robust, and possibly find more meaning and fulfillment in the process.

Embrace Your Inner Hacker - SLIDES (4/9/2021)

Embrace Your Inner Hacker - YouTube Video

Tech Tuesday Workshop - Use Terraform to Provision Your Own Cloud-Based Remote Browsing Workstation

This workshop will teach you everything you need to know to provision your own Cloud-Based Ubuntu Workstation in AWS for Remote Browsing. Sometimes there are valid security and privacy reasons to use a temporary workstation for potentially malicious websites or to avoid tracking. During the session we will briefly cover some basic git commands as well as Terraform basics, including installation.

Use Terraform to Provision Your Own Cloud-Based Remote Browsing Workstation - SLIDES (3/2/2021)

SANS Tech Tuesday Video (YouTube)

Github Repository - CODE

A Purple-Team Approach to Exploring AWS Security Services & Capabilities

Kenneth G. Hartman will demonstrate common attacks on a load-balanced WordPress EC2 Instance with poor security and showcase how that activity can be detected using cloud-native AWS technologies such as GuardDuty, VPC Flow Logs, CloudTrail, Athena, Config, and CloudWatch. At SANS, we believe that nothing beats hands-on experience, and the goal of this talk is to encourage you to use the cloud as your personal lab for sharpening your offensive and defensive skills.
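One of the detections the talk describes, worked as an added example that is not code from the talk or its repository: a port-scan check run over VPC Flow Log records. The records are constructed here to mimic a scan of a WordPress instance's private address, in the AWS default (version 2) flow log field order; the account ID, interface ID, addresses, timestamps, and the five-ports-in-ten-minutes threshold are all assumptions for illustration. The same logic would normally be expressed as an Athena query over the flow-log table rather than run locally.

```python
"""Port-scan detection over VPC Flow Log records.

Added example (not code from the talk). The records are constructed to mimic
a scan of a WordPress instance's private address, laid out in the AWS default
(version 2) flow log format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
The account ID, interface ID and addresses are placeholders.
"""
from collections import defaultdict
from typing import Iterable, Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: 198.51.100.7 probes six closed ports then the two open
# ones; 203.0.113.5 is a normal HTTPS client; 203.0.113.9 is a single SSH
# attempt; the last record is a NODATA record with no flow fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.10 41000 21 6 1 44 1692000000 1692000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.10 41001 22 6 1 44 1692000001 1692000061 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.10 41002 23 6 1 44 1692000002 1692000062 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.10 41003 25 6 1 44 1692000003 1692000063 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.10 41004 3306 6 1 44 1692000004 1692000064 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.10 41005 8080 6 1 44 1692000005 1692000065 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.10 41006 80 6 5 520 1692000006 1692000066 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.10 41007 443 6 5 520 1692000007 1692000067 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.10 51234 443 6 40 9200 1692000100 1692000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.10 52000 22 6 1 44 1692000200 1692000260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1692000300 1692000360 - NODATA
"""


def parse_flow_line(line: str) -> Optional[dict]:
    """Parse one default-format record. Returns None for records that carry no
    flow data (NODATA/SKIPDATA put '-' in the address and port fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def detect_port_scans(lines: Iterable[str], min_ports: int = 5, window: int = 600) -> dict:
    """Flag sources refused on at least `min_ports` distinct TCP ports of one
    destination within `window` seconds.

    REJECT records are the signal: the security group drops traffic to ports
    it never opened, so a legitimate client rarely produces more than one or
    two of them, while a scanner produces one per probed port.
    """
    first_seen = defaultdict(dict)  # (src, dst) -> {dstport: earliest start}
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None or rec["protocol"] != 6 or rec["action"] != "REJECT":
            continue
        ports = first_seen[(rec["srcaddr"], rec["dstaddr"])]
        ports[rec["dstport"]] = min(rec["start"], ports.get(rec["dstport"], rec["start"]))
    findings = {}
    for (src, dst), ports in first_seen.items():
        times = sorted(ports.values())
        # Any run of `min_ports` consecutive first-seen times inside the window is a hit.
        for i in range(len(times) - min_ports + 1):
            if times[i + min_ports - 1] - times[i] <= window:
                findings[f"{src}->{dst}"] = sorted(ports)
                break
    return findings


def demo() -> dict:
    return detect_port_scans(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for flow, ports in demo().items():
        print(f"possible port scan {flow}: rejected on {len(ports)} ports {ports}")
```

Only the scanner is reported; the lone rejected SSH attempt from 203.0.113.9 stays below the threshold, and the NODATA record is skipped rather than crashing the parser. In the lab setup the talk describes, the ACCEPT records on 80 and 443 from the same source are the pivot into the load balancer and web server logs to see what the scanner did once it found WordPress.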

A Purple-Team Approach to Exploring AWS Security Services & Capabilities - SLIDES (9/8/2020)

SANS Webcast Video (YouTube)

Github Repository - CODE

How Azure, AWS, Google handle data destruction in the cloud

Techtarget Article, Guest Contributor

Data destruction is a topic that has been poorly covered until recently. Regardless of which cloud service provider you use, this review of the top three CSPs’ data destruction documentation should improve your due diligence.

How Azure, AWS, Google handle data destruction in the cloud - ARTICLE (6/24/2020)

A Closer Look at Data Destruction in the Cloud - FINAL DRAFT

SANS Webcast: The Best of Both Worlds: Cloud + SASE

There is a buzz in the industry about a new type of solution set that promises to change the way we secure networks and the cloud. It is called the Secure Access Service Edge (SASE), and it refers to the consolidation of security solutions and the evolving IT ecosystem in which organizations operate today. Enterprises are transitioning from on-premises users, applications, and data to a heavy reliance on the cloud, edge applications, and a more dispersed mobile workforce. The shift to cloud services such as SaaS, IaaS, and PaaS, the reliance on mobile device access, and the growth in remote working is increasing the pressure on legacy networks and security architectures. – Prasidh Srikanth, Bitglass & Kenneth G. Hartman, SANS

The Best of Both Worlds - SLIDES (5/28/2020)

SANS Webcast Video (YouTube)

Doing Cloud in China

Cloud & DevOps Security Summit - 2019

China is the only country in the world that does not permit foreign cloud service providers to own and operate their own data centers in the country. To operate a data center in China, a locally registered company that has less than 50% foreign investment must obtain a value-added telecom permit. This talk looks at how Amazon Web Services (AWS) and Microsoft Azure have modified their services to gain entry to the cloud market space in China and compares their service offerings to local Chinese cloud service providers. We will cover specific considerations for foreign companies using cloud services in China. The Chinese company Alibaba Cloud is the fourth largest global Infrastructure-as-a-Service provider following AWS, Azure, and Google Cloud Platform. We end the session by taking a test drive of Alibaba Cloud and discussing why this CSP should be on your watchlist. NOTE: This talk provides a preview of some content from SANS SEC488: Cloud Security Essentials.

Doing Cloud in China - SLIDES (5/28/2020)

SANS Summit Video (YouTube)

SANS Webcast: What To Do When Moving to the Cloud

There are many ways to say that your organization is adopting the Cloud. As Cloud adoption rapidly increases, along with the trend of using multiple Cloud Service Providers, a skills shortage is becoming a barrier to increasing the velocity of this adoption. SEC488: Cloud Security Essentials is ready to arm your organization with the foundational knowledge and skills. Security personnel, developers, and technical managers alike can make informed decisions as the adage “Security is everyone’s responsibility” comes to fruition as we move to the Cloud.

Join the course authors for an exciting webcast as we cover the stepping stones into the Cloud, and discuss SEC488: Cloud Security Essentials and learn how to improve your personal Cloud adoption experience, whether your organization is just starting or already on its way. – Kenneth G. Hartman, Kyle Dickinson, Ryan Nicholson

What To Do When Moving to the Cloud - SLIDES (3/30/2020)

SANS Webcast Video (YouTube)

SANS Webcast Page

A DevOps Approach to Security Controls

The DevOps movement has made it possible for leading companies to get their applications to market faster, with higher quality and reduced costs. DevOps is both a culture and a set of processes that enable development and operation teams to create, release, and manage applications following a Systems Development Life Cycle (SDLC) that is typically automated via Continuous Integration/Continuous Delivery (CI/CD) tooling. Today, DevOps principles have expanded beyond merely managing the application to managing the environment itself, giving rise to concepts such as software-defined networking and infrastructure as code. A security control is a testable countermeasure designed to mitigate a specific risk. Multiple, complementary controls create security capabilities. Of course, security engineers need to be baking security into applications throughout the SDLC by engaging with operations and development teams and hooking into the CI/CD toolchain. This presentation makes a corollary argument, advocating that security teams need to apply DevOps principles to how they implement security controls for virtually every compliance requirement, using a “security controls as code” approach. We will present tools that can support this paradigm, but more importantly, we will look at some fundamental principles that can be applied immediately to the development, implementation, and enforcement of security controls.

A DevOps Approach to Security Controls - SLIDES (11/4/2019)

What Cloud Savvy Customers Really Want - Customer Care in the Era of CI/CD, SOAR, and Self-service

SANS Cloud Security Operations Solutions Forum 2019 Keynote

There are lots of innovative, brilliant solutions that can greatly benefit us as cloud customers. Many times these messages may fall on deaf ears. Bulk email is effortless to ignore, and trade show booths are minimally effective. How do solution providers truly connect with the right customers? Just as important, what are cloud customers looking for in the relationships they have with their Cloud Service Providers and Security Solution Providers? Presented from the perspective of a Cloud Security Product Manager turned Cloud Security Engineering Leader, this talk delves into what customers need from their providers to help them overcome their concerns about cloud adoption.

What Cloud Savvy Customers Really Want - SLIDES (10/18/2019)

SANS Cloud Security Operations Solutions Forum - 2019 - Agenda (10/18/2019)

Data Protection in the Public Cloud: A look at the Good, the Bad, and the Ugly

Customers want to ensure that they can entrust their sensitive data to public cloud providers.  This often leads to discussions with the cloud provider on various aspects of data protection, such as retention, encryption, and key management. If encryption is not implemented properly it will not provide the security assurance customers expect, resulting in misplaced trust.  This talk will look at encryption at rest in various layers of the application stack with a focus on the risks each type of encryption mitigates.  We will also look at various cloud-related key management schemes, including “bring your own key” (BYOK) and cloud-based Hardware Security Modules (HSMs). Lastly, we will cover potential problems with customer data-retention that should be explored with the cloud service provider.

Data Protection in the Cloud - SLIDES (5/15/2019)

Digital Forensic Analysis of Amazon Linux EC2 Instances

Companies continue to shift business-critical workloads to cloud services such as Amazon Web Services Elastic Compute Cloud (EC2). With demand for skilled security engineers at an all-time high, many organizations do not have the capability to do an adequate forensic analysis to determine the root cause of an intrusion or to identify indicators of compromise. To help organizations improve their incident response capability, this paper presents specific tactics for the forensic analysis of Amazon Linux that align with the SANS “Finding Malware – Step by Step” process for Microsoft Windows.

Digital Forensic Analysis of Amazon Linux EC2 Instance - PAPER (1/10/2018)

Scripting Cloud Security Capabilities

ITIL defines a capability as the “ability to carry out an activity” and indicates that capabilities are assets that can be intentionally managed and improved in pursuit of the company’s mission. NIST Special Publication 800-53R4 states that a security capability generally results from the selection and implementation of a set of mutually reinforcing security controls. Forward-thinking companies like Google, Microsoft, and Amazon are delivering their cloud services such that they can be consumed by other services via an Application Programming Interface (API). This has given rise to several important concepts such as Software Defined Networking, Orchestration, and Infrastructure as Code. A central theme is that everything that is customized or unique has been reduced so that it can be expressed as version-controlled program code. This allows organizations to encapsulate, inherit, abstract, and reuse their IT capabilities just like other code. Using selected examples from the CIS Critical Security Controls, this presentation will share some concepts, tools, and practical experiences of a security engineer using the “capabilities as code” approach to improve the security of his organization’s use of Amazon Web Services.

Scripting Cloud Security Capabilities - SLIDES (11/7/2017)

SANS Webcast Video (YouTube)

The Tyranny of the Urgent and the Transformational Security Leader

In many companies, the information security team has minimal resources and operates in a very reactive mode, moving from one crisis to another. Without strong transformational leadership, information security teams can become victims of the tyranny of the urgent. Recent cross-disciplinary research in brain function and evolutionary psychology can serve as a powerful motivation model for transformational leadership. This type of leadership enables a security leader to construct transformational experiences that elevate an organization’s security posture while meeting the individual needs of colleagues and thus preventing burnout in the process.

The Tyranny of the Urgent and the Transformational Security Leader - PAPER (11/06/2016)

BitTorrent & Digital Contraband

BitTorrent is a popular peer-to-peer file transfer program that allows participants in a swarm to exchange pieces with each other during the downloading process. Since users do not have to download all pieces from the original publisher, the downloading of very large files in an active swarm is typically faster than other methods used to distribute files. BitTorrent is often used to share pirated music and videos. Unfortunately, it is also used to distribute child pornography. Many people do not understand how the BitTorrent protocol works, including those in law enforcement and the legal profession. This lack of technical understanding combined with various legal issues can result in a weak case against those that are truly guilty or an inadequate defense of those that are not. This paper explains the technology, the investigative process, and the legal issues surrounding BitTorrent with a goal of improving the base knowledge of those on both sides of the legal dialectic process.

BitTorrent & Digital Contraband - PAPER (3/27/2016)

PowerPoint Presentation Handout (4/10/2016) 

TorrentialDownpour.net (My Related Website)

What Every Tech Startup Should Know About Security, Privacy, and Compliance

The brilliant innovators who launch tech startups may not have significant experience managing the security, privacy, or compliance issues that are inherent with a growing technology business.  Although these businesses are able to attract considerable amounts of funding and woo well-known customers, there may be material issues under the surface that would seriously undermine the trust of their investors and customers.  Businesses that lack a mature information security program may experience security breaches, mishandle their customers’ personally identifiable information, or fail to meet compliance requirements.  Management will need to address security, privacy, and compliance considerations throughout the life cycle of the company, starting with the initial business plan.  How the company will manage security, privacy, and compliance will evolve as the company matures.  This paper presents actionable recommendations supported by academic literature, with the goal of preventing business organizers from learning these same lessons the hard way.

What Every Tech Startup Should Know About Security, Privacy, and Compliance - PAPER (2/17/2015)

A Mission from God, Blues Brothers Style

A fun guest blog post for InfoSecRockStar.com with an emphasis on the importance of finding and leveraging one’s mandate.

A Mission from God, Blues Brothers Style - ARTICLE

Data Protection Starts With Physical Security

Ensuring the availability and reliability of mission-critical systems and applications is a ubiquitous requirement across all organizations, large or small. Challenges posed by increased power requirements, tight capital markets, and compliance environments are requiring more and more resources to support mission-critical systems and applications. Exceptional physical security provides the infrastructure, operations, and support to meet today’s challenges.

This presentation showcases the physical security features of a best-in-class, Tier III data center and the skills required to maintain a secure facility. Additionally, it highlights what compliance is, how to protect confidentiality, integrity, and availability, and how physical security relates to business continuity/disaster recovery.

Secure360 Conference Link

Data Protection Starts with Physical Security - SLIDES (5/13/2014)

Skype & Data Exfiltration

Few software packages have been as controversial, yet as ubiquitous, as Skype. A common question on the Internet is whether Skype is safe for business. Skype makes extensive use of encryption, and encrypting traffic prevents intrusion detection systems and firewalls from inspecting its contents. Therefore, an adversary can use Skype, or traffic that simply resembles Skype traffic, as the communication channel to exfiltrate a large amount of data from a network that permits Skype. Historically, miscreants have used and exploited Skype as a channel for a variety of nefarious purposes including data exfiltration. Microsoft has been active in addressing these abuses, but the overarching concern remains that Skype uses closed encryption in a highly distributed peer-to-peer network. Through the examination of prior research and the use of tools and experimental observations, network operators can make the appropriate determination regarding the suitability of Skype for their own organizations.

Skype and Data Exfiltration - PAPER (4/18/2014)

Security and the Cloud

The “Cloud”: the very term conjures up images of things that are big, fluffy, and lacking substance. This presentation defines what vendors mean when they discuss cloud-computing concepts and reintroduces important security fundamentals as they relate to cloud security. It will equip the reader to have the all-important discussions with their cloud service provider regarding how the vendor will secure their sensitive data.

Security and the Cloud - SLIDES (11/12/2013)

Understanding the Role of Trust in the Protection of Privacy

Privacy is much more than compliance with HITECH and the HIPAA Privacy Rule. The root issues are also deeper than the latest privacy breach broadcasted by the public media. Privacy matters to the people that healthcare serves, therefore as Health IT professionals we can all benefit from an enhanced understanding of privacy.

A more complete understanding of the various aspects of privacy will allow all of us to be more empathetic to the various privacy expectations of our patients and to be more motivated to secure the protected health information entrusted to us. Lastly, an enhanced understanding of privacy by patients, providers, and Health IT Professionals will improve health information exchange because the exchange of personal and private information can only work in a framework of trust.

Understanding the Role of Trust in the Protection of Privacy - SLIDES (6/17/2012)

Is Skype Secure?

Skype offers a free solution to communicate via instant message, voice and video with anyone, virtually anywhere in the world. The Skype website boasts that it has more than 145 million connected users per month. In May of 2011, Microsoft announced that it was buying Skype. Overshadowing all of the great functionality, potential, and media buzz are lingering questions regarding the security of Skype.

Businesses face pressure to allow their customers, clients, vendors, and staff to communicate with each other via Skype and other social media tools. This has many business decision makers grappling with questions regarding what to do about Skype. This is good. Each business needs to make a decision for itself regarding Skype, based on the information security needs of that business. Ignoring the issue or failing to make a decision is not leadership.

This article will facilitate your decision-making process by demonstrating the application of security management fundamentals and will allow you, as the decision maker to feel at ease with the decision you make. The article is written in two sections. The first section presents a decision-making framework, while the second part of the article will provide important security considerations and resources that can be used as inputs to the decision.

Is Skype Secure? - PAPER (9/13/2011)

Are You Using Full Disk Encryption Yet?

Over the past decade, breach notification legislation has been an accelerating trend. Since California enacted the first breach notification law in 2002, at least forty-six states have passed legislation that requires notification of security breaches that involve personally identifiable information. Breach notification laws as well as other regulations are driving the use of encryption technologies to protect data at rest.

Operating system passwords, BIOS passwords, and hard disk passwords are protection technologies that do not provide adequate data protection unless used in conjunction with FDE, and therefore do not by themselves afford safe harbor protection under US breach notification laws.

Software-based full disk encryption is a valid option for legacy systems that cannot be transitioned to self-encrypting drives. A growing consensus holds that self-encrypting drives are the better option in terms of manageability and user experience.

Full disk encryption should be considered only one component of a defense-in-depth security program along with awareness, physical security, minimal use, and file encryption among other countermeasures.

Are You Using Full Disk Encryption Yet? - PAPER (5/29/2011)

Privacy of Electronic Health Information

The American Recovery and Reinvestment Act of 2009 allocated approximately $19 billion toward the adoption of electronic health records and the enablement of the electronic exchange of health information. According to the National Opinion Research Center, 78% of Americans favor electronic medical records and 64% say that the benefits outweigh the privacy concerns. However, if you are like most people, you probably have an uncomfortable feeling when asked by your physician to sign a blanket privacy consent form.

This presentation provides a balanced look at various attitudes about privacy and trust relationships. It covers the privacy related provisions of HIPAA and the ARRA HITECH Act as well as the specific requirements of disclosure accounting and breach notification. Next, the document covers recent recommendations that were made to the Office of the National Coordinator for Health IT that will shape future privacy legislation. Lastly, the PowerPoint covers the technical emerging standards that enable information systems to manage the exchange of data based on granular patient consent preferences.

Privacy of Electronic Health Information - SLIDES

IEEE Meeting Notice

Introduction to the HIMSS Privacy & Security Toolkit for Small Provider Organizations

All healthcare providers, regardless of size, have an obligation to their patients to protect the personal information provided or created as a result of medical care. As a result of the HIMSS 2010 Annual Security Survey and the needs of its members, the Healthcare Information and Management Systems Society (HIMSS) and the Medical Group Management Association (MGMA) decided to create a special version of the Security & Privacy Toolkit focused on the needs of small provider organizations, such as solo practitioners, physician groups, or independent ambulatory practices or clinics. The Toolkit is a set of tools, white papers, analysis, best practices, and other reference materials.

This introductory document, written in collaboration with Lisa A. Gallagher, BSEE, CISM, CPHIMS and Robert Tennant, MA, MGMA, discusses the important responsibilities of every provider, the risks of non-compliance, and the benefits of proper information security. Lastly, the document discusses the layout of the toolkit.

Introduction to the P&S Toolkit for Small Provider Organizations - PAPER (2/10/2011)

Auditing Essentials for Small Provider Organizations

The very idea of an information systems security audit is likely to conjure up feelings of dread and an overwhelming desire to procrastinate. Perhaps images of an IRS personal tax audit come to mind, or experiences with Joint Commission or State Medicare Surveys. However, auditing has a vital role in security governance. This paper will provide essential understanding of the role of security audits and how to leverage auditing to promote more focused progress toward your organization’s security and HIPAA compliance goals.

Auditing Essentials for Small Provider Organizations - PAPER (2/7/2011)

Security Challenges on the Plant Floor

This presentation, given to the Madison, Wisconsin Section of the Institute of Electrical and Electronics Engineers, discusses the security threats and countermeasures that can be used to increase the level of protection of industrial automation and control networks.

Security Challenges on the Plant Floor - SLIDES (3/16/2006)

The Legacy of Coach John Wooden

The late Coach John Wooden is considered one of the greatest basketball coaches of all time, but he was also a shaper of men. After retirement, Wooden was a highly sought-after public speaker. Coach Wooden loved maxims and he frequently invoked them with his players and later, in his many speeches. This document was written as a leadership assignment for attainment of Ken’s 2nd Degree Blackbelt from Karate America Mixed Martial Arts. We share it because everything about Wooden sets an example worthy of emulation.

The Legacy of Coach John Wooden - ESSAY (1/28/2010)

Love What You Do

This inspiring talk called “Love What You Do” was presented at the 2009 Visonex Developer Summit. Topics, which include signs of burnout and the importance of being passionate about work, are discussed in a way that is meaningful to software developers. This talk reinforces the Visonex culture and core values.

Love What You Do - SLIDES (8/10/2009)

Coach John Wooden & Martial Arts

Wooden said, “…be bold in execution rather than hang back in fear of failure. Mistakes are part of winning, not dumb mistakes or those caused by haste or sloppiness but mistakes made by intelligent and thoughtful individuals attempting to make something happen.” This article discusses Wooden’s notions of team excellence, success, and competition. This article was written for Ken’s First Degree Blackbelt from Karate America, in Sun Prairie, Wisconsin.

Coach John Wooden & Martial Arts - ESSAY (9/22/2007)

Curse of the Handyman

This is a fun article about prioritization and the “Hey, you’re an electrical engineer, can you fix my [insert electronic gadget here]?” conversation.

Curse of the Handyman - ESSAY (12/10/2008)