ix.de/zb98
Ory Segal, Medium.com, 29.01.2019: "Serverless and the Evolution in Cloud Security, how FaaS differs from IaaS"
Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve the customers' operational burden, as cloud providers operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
New York Times, 06.08.2020: "Capital One Hack Settlement – Capital One will pay $80 Million over Hack" (behind paywall)
Several attacks in the past have shown that cloud applications are not secure per se. One example is the Capital One hack of 2019, about which detailed information is available. Attackers managed to obtain the identity, credit-rating and credit-card data as well as social security numbers of more than 100 million customers of the US bank in total. The company was subsequently accused of lacking security measures, and the hack cost the bank 80 million dollars in
Heise Online, 30.07.201: "Capital One: Hacker brags about bank hack affecting 100 million people"
The FBI has charged a woman who allegedly bragged about having hacked a bank. There are 100 million people affected in the US and 6 million in Canada.
Cybersecurity at MIT Sloan, Working Paper, March 2020: "A Case Study of the Capital One Data Breach (Revised)"
In an increasingly regulated world, with companies prioritizing a big part of their budget for expenses with cyber security protections, why have all of these protection initiatives and compliance standards not been enough to prevent the leak of billions of data points in recent years? New data protection and privacy laws and recent cyber security regulations, such as the General Data Protection Regulation (GDPR) that went into effect in Europe in 2018, demonstrate a strong trend and growing concern on how to protect businesses and customers from the significant increase in cyberattacks. Does the flaw lie in the existing compliance requirements or in how companies manage their protections and enforce compliance controls? The purpose of this research was to answer these questions by means of a technical assessment of the Capital One data breach incident, one of the largest financial institutions in the U.S. This case study aims to understand the technical modus operandi of the attack, map out exploited vulnerabilities, and identify the related compliance requirements that existed, based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, version 1.1, an agnostic framework widely used in the global industry to provide cyber threat mitigation guidelines. The results of this research and the case study will help government entities, regulatory agencies, and companies to improve their cyber security
Bitdefender, blog post 24.01.2018: "Leaky Buckets: 10 Worst Amazon S3 Breaches"
The last year has borne out security naysayers' warnings about the undisciplined use of cloud architectures. While many organizations work hard to secure data stored on cloud stores, the truth is that there's a lot of work to go. That fact is made abundantly clear by the growing number of incidents caused by extremely poor security hygiene within Amazon Simple Storage Service (S3) storage buckets that are holding very sensitive information.
Gartner, blog post 10.10.2019: "Is the Cloud Secure?"
Gartner offers recommendations for developing a cloud computing strategy and predictions for the future of cloud security.
Stuart Millar (2017), Queen's University Belfast, PhD Thesis: "Vulnerability Detection in Open Source Software: The Cure and the Cause"
According to Veracode, a Gartner-recognised leader in application security, 44% of applications contain critical vulnerabilities in an open source component [16]. Most companies do not have a reliable way of being notified when zero-day vulnerabilities are found, or when patches are made available. This means that attack vectors in Open Source Software (OSS) exist longer than they should. This paper discusses the cause of OSS vulnerabilities, why they are a major issue, and how they may be mitigated. Conventional methods of detection are discussed along with novel approaches and research trends. A new conclusion is made that it may not be possible to replace expert human inspection of OSS, although it can be effectively augmented with techniques such as machine learning, IDE plug-ins and repository linking to make OSS implementation and review less time intensive. Underpinning any technological advances should be better knowledge at the human level – development teams need to be trained, coached and improved so they can implement OSS more securely, know what vulnerabilities to look for and how to handle them. It is the use of this blended approach to detection which is key
ESG Research Report, 13.07.2017: "Cybersecurity Analytics and Operations in Transition"
In order to assess organizations' cybersecurity analytics and operations plans, successes, and struggles, ESG surveyed 412 IT and information security professionals representing mid-market (500 to 999 employees) and enterprise-class (more than 1,000 employees) organizations in North America and Western Europe. All respondents were involved in the planning, implementation, and/or daily operations of their organization's security analytics and operations.
CodeShield: cloud security tool by the article's authors (Dr. Johannes Späth, Andreas Dann and Manuel Benz)
"Actionable insights, fortified cloud – Find critical cloud security issues in minutes": CodeShield is a cloud security tool that combines CSPM, SCA, CIEM and SAST.
CIS Benchmarks
This list is a supplement to an iX special article. It is no longer updated after the publication date of the respective magazine issue. For older articles it may therefore happen that individual links no longer work. We apologise for this.