Practical DevOps

 

Dear Readers,

In February's edition of Hakin9 we would like to present you a few very important topics. If you asked an average person “What does DevOps mean to you?” you’d probably get a blank stare. Then there are those that are vaguely aware of DevOps as a concept. While a vague understanding is better than nothing, it leaves a lot of room for misconceptions and misinformation, which can be problematic in the long term. Since DevOps is invading the cybersecurity field we decided to share a perspective of specialists that will explain the nature of DevOps in the security area.

You’ll also learn about securing the cloud in AWS environment, as Tiago Silva prepared the perfect guide to keep your company data safe. Staying in the defensive approach, we also present an article about Blockchain Network Security, where you’ll learn about its vulnerabilities. To fully prepare for cyberattack, you have to remember about Incident Response stages - luckily we have a perfect article for you. In ‘Incident Response: Step-by-step process’ you’ll read about a case study where a company is attacked by a malware campaign, describing what precautions were taken to secure the sensitive data.

We didn’t forget about those that expect more offensive approach: ‘Hunting IoT Devices with NetHunter: PART 1’, is the perfect example of preparing a hacking device to exploit smart devices. The second part in the series will appear in a future edition! Anatomy of Ransomware attack also presents good information about one of the most popular cyber threats that many underestimate.

There are many more amazing articles in the issue that we hope you’ll enjoy reading, each offers a new portion of knowledge from the cybersecurity field. Thanks to all the authors, reviewers, and proofreaders for participating in this project.

Let's dive in!

Hakin9 Team

---

Ensure Security at your AWS Environment

Tiago Silva

One of the greatest concerns about Public Clouds is about how to let a third party company keep your company data, how to ensure access control, compliance of this information and how to recover if needed. Maintaining the focus on the AWS platform, I will clarify a few points and provide an overview on how to use AWS services to assure the IT security Main Pillars, a.k.a C.I.A. (confidentiality, integrity and availability).

---

Investigation of Blockchain Network Security: Exploration of Consensus Mechanisms and Quantum Vulnerabilities

Jack Kelly, Michelle Lauer, Ryan Prinster, Stephenie Zhang

Another technology that is steadily on the rise is quantum computing, particularly with companies like Google and IBM investing significant resources in development. The authentication and consensus portions of blockchain networks rely upon the computational infeasibility of inverting certain functions, so quantum computers have the potential to cause significant disruption in this space. We will discuss some of the the security vulnerabilities that quantum computing would introduce to blockchain networks, how they impact PoW- and PoS-based networks differently, and potential solutions to these problems.

---

Hunting IoT Devices with NetHunter:  PART 1

Veerababu Penugonda

I work on hardware and IoT devices. I love to break into devices so in that part, even if I'm not able to carry my laptop, I always carry something to hack devices or to test surrounding devices in the connected world. Here, I am writing on one of the best known platforms of Kali Linux, NetHunter for mobile. Kali Linux NetHunter is a platform for pentesting from the mobile interface so right now mobile is more than enough to breaking into security.

But I choose Kali Linux NetHunter for hunting devices.

---

KRATOS: An Open Source Hardware-Software Platform for Rapid Research in LPWANs

Rajeev Piyare, Amy L. Murphy, Michele Magno, and Luca Benini  

Long-range (LoRa) radio technologies have recently gained momentum in the IoT landscape, allowing low-power communications over distances up to several kilometers. As a result, more and more LoRa networks are being deployed. However, commercially available LoRa devices are expensive and proprietary, creating a barrier to entry and possibly slowing down developments and deployments of novel applications. Using open-source hardware and software platforms would allow more developers to test and build intelligent devices resulting in a better overall development ecosystem, lower barriers to entry, and rapid growth in the number of IoT applications. Toward this goal, this paper presents the design, implementation, and evaluation of KRATOS, a low-cost LoRa platform running ContikiOS. Both our hardware and software designs are released as an open-source to the research community. 

---

Incident Response:  Step-by-step process

Vishal Thakur 

In this article, we take a look at how to understand, follow and respond to Malware Campaigns that target our organisations on a regular basis, from an Incident Response point of view. The information in this article has been generalised for wider implementation but will need to be customised for specific environments.

---

Anatomy of a Ransomware Attack CryptoLocker, CryptoWall. How to Stay Safe.

Ajaypal Singh Randhawa 

Ransomware is malware that prevents you from using your files or your computer, and then extorts money from you in exchange for a promise to unlock them. This type of malware is responsible for tens of millions of dollars in extortion annually. Worse still, developing new variants is trivial, facilitating the evasion of many antivirus and intrusion detection systems. Ransomware, it’s everywhere. We had hoped that the notorious file-encrypting ransomware called CryptoLocker was defeated after law enforcement knocked out its infrastructure last year, but CryptoLocker and its close cousin CryptoWall have come back stronger than ever. We’d like to show you more about the newest kinds of ransomware, how they work, and what you as an organization or individual can do to stay safe. 

---

Managing Multiple PostgreSQL Installations with pgenv

Luca Ferrari

In this article, you will see how to use and interact with pgenv, main concepts behind the configuration and patching process, as well as a typical workflow. pgenv can run on pretty much any Unix like operating system, and in this article a FreeBSD machine will be used. However, pgenv can run on top of Mac OSX as well as Linux.

---

Practical DevOps in 2019. Shock Therapy from Manufacturing Assembly Line to Secure CI/CD Pipeline.

Muhammad Salam, Musab Sayyed, Najib Baig Mirza, CISA, CEH

There is no doubt that ours is a digital economy, every business is a digital business or has a digital façade to it and every company is a software company. In this digital economy, businesses are pressured to deliver unique value to their end customer at a rapid pace to maintain their competitive advantage. To make this transition, the IT teams responsible for producing software are increasingly adopting the methodology of DevOps to rapidly churn out lines of executable code that show up as the output of the digital economy in the form of features, modules and even entire applications - mobile and/or web applications.

---

Comparative Study of Virtual Machines and Containers for DevOps Developers

Sumit Maheshwari, Saurabh Deochake, Ridip De, Anish Grover

In this work, we plan to develop a system to compare virtual machines with container technology. We would devise ways to measure the administrator effort of containers vs. Virtual Machines (VMs). Metrics that will be tested against include human efforts required, ease of migration, resource utilization and ease of use using containers and virtual machines. 

---

Artificial Intelligence in Cybersecurity

Zakaria Elbazi

Before we start talking about how AI and its statistical approaches can be used in the field of cyber security, I will introduce key words and how they emerge as saviors in so many other fields as the best alternative to traditional ways, then I will introduce some real case scenarios and projects from the world of cyber security leaders and I will finish with a brief conclusion.