Cybersecurity

When it comes to building IT related solutions, security should always be at the heart of everything you do. In fact, really "simple" questions (with hard answers) such as the following are examples of what you can ask yourself when you're building solutions:

• Where is the data going to be stored?
• Who can access it? And how?
• Does it ened to be encrypted?
• How many backups of this data do we need?
• Should our API be public facing or can it be internal only?

And many, many more questions along those lines.

Cybersecurity is a very tough field. It's forever changing and nothing you implement is ever enough. New attack vectors come and go, new systems come along and introduce new ways to break into networks (without anyone realising it), and more.

What we're going to do now is cover topics that will teach you the basics you need to (hopefully) build secure solutions from the ground up, and from day one.

Subjects

1. Separation of Concerns
2. Encryption
3. Transport Layer Security (TLS)
4. Firewalls
5. Zero Trust
6. Authentication
7. Password Management
8. Cloud Secrets Management
9. OWASP
10. Center for Internet Security (CIS)
11. National Institute of Standards and Technology (NIST)

Curated Materials

With these curated materials, you're going to have a healthy introduction to the very vast, highly complex world of cybersecurity. Take your time, and go through them carefully. It's important to learn and understand concepts more than it is to learn technologies.

Separation of Concerns

In AWS Organisations, we're able to create a structure for our accounts. This structure is like a classic hiearchy in an organisation, from a HR perspective, and comes with a lot of benefits. Being able to dynamically create AWS accounts in a structure, as well as attach policies to the accounts, makes it possible for us to isolate workloads and lock them down from the top down.

When we're able to create an account just for one specific workload, we're able to control the "blast radius" should that account get compromised. Ideally, we should be isolating workloads as much as possible, and into as small a "radius" as possible.

All of this is known as Separation of Concerns. It's a key concept when it comes to architecting AWS solutions, especially how accounts are organised.

• Separation in the Cloud

Encryption

Encryption is critical. You're using it right now to read this content, because it was (or at least it should have been) delivered to you via HTTPS. The S means Secure, which involes using Transport Layer Security, or TLS (discuss below) to encrypt the traffic between your web browser and the remote server that send you this page.

We encrypt data because we want to guarantee a few things:

1. Only the people who should read the data can read it;
2. And any changes to the data should be detectable so that we know it's integrity hasn't been compromised.

There are two key methods for encrypting things you should be aware of:

1. Public Key Cryptography
2. Symmetric Encryption

We'll provide you materials that cover both in sufficient detail.

• NIST: Encryption Basics

• Khan Academy: Encryption and Public Keys

• CrashCourse: Cryptography

Transport Layer Security (TLS)

Now we come to the actual implementation of encryption. TLS is encryption "on the wire", or put another way: encryption that happens when you're communicating over a network, like the public Internet, between you and another remote party.

TLS was previously called SSL - Secure Socket Layer - but that protocol has since been deprecated in favour of TLS. You'll see people refer to "SSL" however, and all they're really saying is "TLS".

What you need to know about TLS primarily revolves around certificates, and how they're requested, created and used. The materials we've got for you in this section goes over the techical details of TLS, from what it is to its handshake. We've then got some materials that cover what a "Root CA" is, which brings us to certificates.

When it comes time to look at project work, we'll actually implement TLS in a few forms.

• Computerphile: TLS
• Computerphile: TLS Handshake
• What is a CA?

ACME (Let's Encrypt)

As an extra thought to TLS, let's briefly look at ACME and Let's Encrypt. We'll be using Let's Encrypt later on in the projects to get hands on experience with TLS.

• How Let's Encrypt Works
• Getting Started

Firewalls

Computer networks are something you connect to and access in order to utilise some resource. For example, visiting a website means you computer connects to a remote networking and asks a web server for a resource via HTTP.

But what if you're not supposed to access that resource? What if it's a website that should only be accessible from another, very specific network somewhere else on the planet? That's what a firewall can help us with.

Firewalls allow us to define conditions that must be met before a connection is allowed to pass through to the network "behind" the firewall - what the requester is trying to access. Firewall are mostly "transparent", which means the user requesting the resource doesn't know they're there.

Let's look at some basic firewall concepts and then we'll explore them more in the projects later on.

• CBTNuggets: Firewalls
• IBM: NAT and Firewall Explained

Zero Trust

This is an adavnced topic, but it's becoming more and more important, so we wanted to touch on it.

When we talked about firewalls above, we talked about using a rule to restrict access to an internal web server. Zero Trust rejects the notion that once someone passes through a firewall and is on "the inside" of a network, they can be automatically trusted. Instead, the concept of Zero Trust states that identity and access control is a complete end-to-end process, from the very client that made the request, all the way through to the process handling it.

When you implement Zero Trust, you're basically saying you don't trust anything at all, and you take every step possible to authenticate and identify any and all clients access the resources you provide. Some Zero Trust adherents go so far as to claim you should, in short, assume you've been compromised.

• Zero Trust in 4 Minutes
• Why Zero Trust?
• Great all round video on Zero Trust
• How Goldman Sachs use Zero Trust

Authentication

So let's pretend you've got through a firewall's rules (legally) and you're now looking at a login screen on a website. That's the first step in a authentication process - prove you're permitted to access the system by providing some credentials and validate your identity. That's authentication. It's all around us. When you login to your Google account, you're authenticating with Google.

Let's review some common ways in which you'll experience authentication, as well as implement it.

• Single Sign On (SSO)
• Security Assertion Markup Language (SAML)
• OAuth and OpenID
• OAuth vs SAML vs OIDC
• 2FA/MFA

Password Management

I think it's safe to say that you know what a password is, but did you know that when you supply a website with a password, perhaps when registering for an account, they can do whatever they want with it from a technical perspective? Consider this for a second: you sent some text, let's say p4ssw0rd! (which is terrible), to some remote website... what did they do with it? Ideally, they would immediately hash the password using a hashing function, store it in a database, and throw away the plaintext password. Well in an ideal world, that would be true and a reliable, but you can't depend on that being true.

So what can you do?

There are several things you can do to help you out in the wild, naming:

1. Use a password manager
2. Use a unique password for every website
3. Use a passphrase
4. Make sure the password to your financial accounts is completely unique
5. Make sure the password to your email account(s) is completely uniue

That last one is very important for one simple fact people don't realise: your email account is the center of your online identity.

But that's just from your own personal perspective. From the perspective of an engineer working in an organisation, you have to do whatever you can to secure the infrastructure you're managing, and using a password manager helps a lot.

First, start with understanding what a good password looks like:

• Creating String Passphrases

Now come to appreciate why a password manager is important:

• Why you should use a password amanger

Then move onto a password manager that we recommend: 1Password.

• Why 1Password

This is hardly a taxing topic, but it's very important.

Cloud Secrets Management

Managing personal secrets for systems access is one thing, but when it comes to managing secrets in the Cloud, you need to be using things other than password managers.

Instead, tools like AWS Secrets Manager are designed to be less about your personal access, and more about programmatic access to secrets. The secrets management system as APIs and interfaces that software can use to interact with it, extract or store secrets, and use them to access other systems. A common example of this is an application that needs access to a database. Instead of hard coding the secret to the database into the software, the software is developed to use AWS Secrets Manager, where it extracts the secret as and when it needs it, and never stores it (except in RAM.)

The benefit to this may not be immediately obvious, but essentially the secret(s) can be rotated on a regular basis, meaning if they've been compromised at any one point, the compromised version of the credentials becomes useless. There are other benefits of course, which are all explained in the materials below.

• What is Secrets Manager?
• Getting Started

OWASP

Even though you're not learning to become a software engineer, knowing the most common attack vectors against online systems and software is a no brainer. Below we've listed one simple resource: The OWASP Top Ten. Give it a read and explore the attacks that are the mostly found online. You'd be surprised at some of them, possibly even wondering how anyone could allow them to happen, but they do.

• The OWASP Top Ten

Center for Internet Security (CIS)

The CIS provides state level security programs, benchmarks, and controls. The benchmarks and controls from the CIS are considered industry standard. Simply knowing that they even exist, and using their tools and services to implement CIS hardened infrastructure, is enough to place you well ahead of your industry peers, most of whom will not have heard of the CIS.

Don't be overwhelmed by the content here. There's a lot, but you don't need to know even a fraction of it. Getting to grips with everything in this space is an entire job in and of iteself. Check out the resources and keep the CIS in your mind when you're building infrastructure (we'll certainly be keeping them in mind for future projects.)

• About
• Benchmarks
• Controls

National Institute of Standards and Technology (NIST)

The NIST is very much like the CIS, but funded by the US government. In their own words:

"NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public."

When it comes to industry best practice on Cybersecurity, the NIST and the CIS are the two goto frameworks and standards. Just like the CIS, you should review what NIST have to offer and come to understand how you can apply their findings to your own work.

• NIST: Cybersecurity

Project(s)

Let's get practicing what we've learned from above.

Encryption

1. Generate a key pair
2. Encrypt a file
3. Have your mentor do the same, and send you a file
4. Confirm signatures and such
5. Use a symmetric algorithm to encrypt a file and send it to your mentor
6. Have your mentor send you an encrypted file (and its secret) and decrypt it

TLS

1. Create a self-signed certificate
2. Use it via nginx
3. See what happens when you access the site via HTTPS
4. Create a certificate using Let's Encrypt and repeat the above

Firewalls

1. Does your local system have a firewall installed?
2. What rules are in place right now?
   1. Don't list them all, as there might be thousands!
3. What happens if you add a rule to block outbound connections to any remote server on TCP port 80 (HTTP)? Can you access website via http://?
4. Try pinging 1.1.1.1 (Cloudflare's DNS server[s]), and then try blocking ICMP ping from your host to that exact IP - can you ping it now?
5. Using draw.io or miro.com, design a simple diagram that explores the following traffic flows:
   1. Traffic coming from the Internet, through a firewall, and accessing a web server
   2. Traffic coming from the web server to a databae in another subnet
   3. Traffic coming from head office to a VPN server on the network
6. Now think about the protocols being used, and design rules for each of the following:
   1. Only allow HTTPS traffic from the Internet to the web server
   2. Only allow head office's IP (1.3.5.7) to access the VPN server
   3. Prevent anything BUT the web server and VPN from accessing the database

Zero Trust

We don't have a Zero Trust project for you to complete. It's an extremely advanced topic, so we'll explore it later on.

Authentication

1. Add an extra step of authentication to your online accounts by adding a 2FA device to them
   1. We recommend Microsoft's Authenticator app as it allows you to sync the tokens (secrets) to a Microsoft account
2. Ensure your email accounts have a unique, separate passPHRASE
3. Check your email address and or password at ';--have i been pwned?

Password Management

We think this one is going to be obvious: download, install and start using a password manager. Here are some choices:

1. 1Password
2. bitwarden (open-source)

We cannot recommend any others at this time.

Cloud Secrets Management

We will get the opportunity to delve into application level secrets management later on.

OWASP

We will also get the opportunity to go use some OWASP resources when we come to write our own web app later on.

CIS

These are optional, but fun if you're willing to give them a go.

1. Apply some CIS benchmarks to a Ubuntu 22.04 VM
2. Write a short report on the tools that CIS provides to help with using their standards.

NIST

Repeat the CIS projects above.