Friday, November 1, 2024 — Meeting Recap

Addressing Vulnerabilities and RDP Security

Quick recap. The team discussed various security issues, including Chinese groups targeting firewalls, the high number of known exploited vulnerabilities in Microsoft, and the use of remote desktop protocol for spear phishing campaigns. They also discussed the importance of evaluating container security, handling security alerts from third-party vendors, and navigating disagreements between engineering and security teams. Lastly, they emphasized the importance of partnership, collaboration, and proper documentation in resolving security issues.

Addressing Vulnerabilities and RDP Security

The team discussed an article by Sophos about Chinese groups targeting firewalls. They also discussed a report by Patrick Garrity, a researcher at VulnCheck, which showed that Microsoft had the highest number of known exploited vulnerabilities. The team agreed that the data set used in the report was flawed and that vulnerabilities are easier to find in Microsoft products because of their widespread use. They also discussed the issue of remote desktop protocol (RDP) being used by foreign threat actors for spear phishing campaigns. The team concluded that closing RDP ports was a necessary security measure, even if it was inconvenient for some users. They also discussed the challenges of implementing security measures in small to medium-sized organizations.

Container Security and Permission Management

In the meeting, Matt Alvarez expressed concern about the state of their security systems. Micah, a security operations engineer, raised a question about container security, specifically about alerts related to controllers with the ability to read secrets and pods. Neil and Don discussed the importance of evaluating the necessity of certain permissions and the potential for misconfigurations in third-party services. They suggested that the alert could be a valid configuration, but it might be desirable to limit the permissions of the service account to only read its own secrets. The team agreed that further triage and evaluation were necessary to determine the best course of action.

Handling Security Alerts From Vendors

The group discussed how to handle security alerts from third-party vendors. Connor suggested documenting the risk, presenting it to the business, and letting them decide whether to accept or mitigate it. Neil advised providing well-researched arguments to vendors for fixing issues, since vague requests are unlikely to be addressed. Jay noted that only major organizations can effectively pressure vendors. Matt recommended gathering justification from vendors and presenting it to management for a path forward. The group agreed that support teams should properly gather data and escalate to product teams, while security teams should build a case around the business risk.

Navigating Security Alert Disagreements

In the meeting, Don and Jay provided guidance to Micah on how to navigate a situation where an engineering team disagreed with a security alert. They suggested that Micah should educate himself on the topic, particularly on Kubernetes, and try to reproduce the alert in a dev environment. They also advised Micah to figure out the business criticality of the system where the alert is taking place. Connor added that vendor tools often go to the lowest common denominator and may not be fully customizable. Eric suggested analyzing event logs to prove the existence of the issue. The team also discussed the importance of partnership and collaboration in resolving security issues. Micah expressed appreciation for the advice and plans to apply it to his situation.
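For the alert discussed in this topic and in the container security topic above, here is an added example in Python (not code from the meeting, a vendor, or any project): a small check over Kubernetes RBAC rules that flags a service account able to read every Secret in a namespace, beside the narrowed Role that reads only the one Secret it needs. The Role name "vendor-controller" and the Secret name "controller-creds" are constructed for illustration.

```python
# Added example (not from the meeting): flags RBAC rules that let a service
# account read every Secret in a namespace, and shows the narrowed form that
# only reads the Secret it needs. The Role name "vendor-controller" and the
# Secret name "controller-creds" are constructed for illustration.

READ_VERBS = {"get", "list", "watch", "*"}

def rule_reads_secrets(rule):
    """True if a PolicyRule grants any read verb on core-group Secrets."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    core_group = "" in groups or "*" in groups
    secrets = "secrets" in resources or "*" in resources
    return core_group and secrets and bool(verbs & READ_VERBS)

def broad_secret_rules(role):
    """Rules that read Secrets with no resourceNames restriction, i.e. rules
    that expose every Secret the binding reaches (namespace or cluster)."""
    return [
        rule for rule in role.get("rules", [])
        if rule_reads_secrets(rule) and not rule.get("resourceNames")
    ]

# Constructed Role resembling what a third-party controller might ship:
# it can read all Secrets and all Pods in its namespace.
BROAD_ROLE = {
    "kind": "Role", "metadata": {"name": "vendor-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

# Narrowed form: 'get' on the one Secret the controller needs; Pod access
# is unchanged because the controller legitimately watches Pods.
NARROWED_ROLE = {
    "kind": "Role", "metadata": {"name": "vendor-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
         "resourceNames": ["controller-creds"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

if __name__ == "__main__":
    for role in (BROAD_ROLE, NARROWED_ROLE):
        flagged = broad_secret_rules(role)
        print(role["metadata"]["name"], "-> broad Secret rules:", len(flagged))
```

Running the check against the vendor's actual Role or ClusterRole (for example, the output of `kubectl get role <name> -o json`) gives a concrete finding to take back to the engineering team, and the narrowed Role is the change to propose if the controller only needs its own credentials.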