Middle of the night alert from my @Synology. "Security risk found!"

The risk in question: I haven't bound SSH to a non-standard port.

Security myth: binding SSH to a non-standard port is somehow safer.

In practice, use keypair auth only; then the only benefit of a non-standard port is that your logs don't fill up with brute force attempts.

Security myth: rotate your @awscloud IAM credentials frequently so your console doesn't yell at you.

In practice, compromised keys are exploited in less time than it takes to microwave a burrito. Use role assumption if you can, but rotating keys is busywork.

Security myth: everything should be encrypted at rest.

In practice, if you can bust into an AWS datacenter, grab all of the drives needed to reconstitute my data, and escape alive? You've earned it.

But it's easier to enable it than to win the auditor argument.

Security myth: your greatest threat comes from state actors and advanced threats.

In practice, your CEO's password is `Kitty!` and is written in sharpie on their laptop being used mid-airport.

Security myth: NAT isn't a security measure.

In practice, sure it is!

Security myth: firewalls aren't relevant in 2020.

In practice, firewalls aren't relevant in 2020 but good luck getting your @RSAConference talk accepted without the word "firewall" in the title.

Security myth: cloud virtualization isn't sufficient, so you should only use dedicated instances for sensitive data.

In practice, if someone has a working EC2 hypervisor escape they'd be complete idiots to waste it on YOU.

Security myth: you should have different security levels in different AWS accounts.

In practice, of course you should but good freaking luck migrating 8 petabytes dating back to 2008, so now you're stuck with building internal-to-the-account access controls.

Security myth: password managers work because they make it easy to not reuse passwords.

In practice, password managers work because they won't fill in a site's password into a phishing site.

Security myth: passwords display as asterisks on your screen to prevent "shoulder surfing."

In practice, your computer is swearing at you.

Security myth: you lose a lot of performance when Intel's speculative execution patches are applied.

In practice, you don't get to install Norton Antivirus and then whine about hardware performance.

Security myth: training prevents security breaches.

In practice half of your staff would tell me their passwords for $8 and a candy bar.

Security myth: certifications means that your infosec staff is up to speed on the latest security trends.

In practice, https://twitter.com/AUSFestivus/status/1323574395235831809

Security myth: a breach is the death knell of your company.

In practice, tell that to Equifax, Target, Heartland, Marriot or--hah, can you believe I almost said "Yahoo?"

Security myth: A CISO's job is to guide the company's security posture.

In practice the CISO's role is to be publicly fired after a breach.

Security myth: you must have a physical security token for your @awscloud root account that you store in a safe.

In practice, you won't remember where you put the safe when you need to log into the AWS root account.

Security myth: you can migrate your whole stack to IPv6 to avoid portscanning and brute force attempts.

In practice, don't you have real work to do?

Security myth: enable all of the appliance's rules so you catch everything.

In practice,

Security myth: after 5 failed login attempts, lock user accounts and require a manual unlock by the helpdesk.

In practice, this policy gets overturned damned quick after you intentionally lock out the CEO's email a few dozen times in an afternoon.

Security myth: security isn't something you can buy.

In practice, there sure are an awful lot of companies who would like to sell it to you.

Security myth: "Security by obscurity" is a trash methodology.

In practice, nobody ever exploits SNMP.

Security myth: Security is very important to you.

In practice, you only tell me that directly after you've suffered a security breach because security wasn't very important to you.

Security myth: people who leave open S3 buckets are idiots.

In practice, go grant access to an S3 bucket in your account to a user in my account. I'll wait until you give up and open the bucket so we can get our work done.

Security myth: something like fail2ban that parses your ssh logs and blocks brute force attempts is a good plan.

In practice there have been CVEs around this because "code that parses arbitrary strings from logs" is its own form of exploit.

Security myth: drug testing your staff leads to a better company.

In practice, drug testing your board of directors would lead to a better company.

Security myth: your corporate controls are iron clad.

In practice, email a few fake invoices to Google and Facebook and they'll apparently just go ahead and wire you $100 million. https://www.independent.co.uk/news/world/americas/google-facebook-scam-fake-invoice-wire-fraud-guilty-a8840071.html

Security myth: You shouldn't use your pet's name as a password.

In practice, be sure to change your pet's name every 60 days.

Security myth: @awscloud's Shared Responsibility Model is deeply complex and takes an hour and seven slides to explain.

In practice, it's that way because telling a customer who just got breached that it was their fault needs way more of a song and dance than... well, this: