Hi What I am saying is that in general you have more chance of humans being negligent and messing up security then you have of someone smuggling explosives into a Datacentre. While the AWS security breech wasn’t entirely the companies fault it doesn’t make them look good when they have Capital one splashed all over their website as a case study of how well they are doing. AWS really should be recommending their larger customers to go through trained partners. Regards Chad.
Chad Kelly Manager CPK Web Services Phone 03 52730246 Web https://www.cpkws.com.au From: Andras Toth <diosbej...@gmail.com> Sent: Wednesday, September 11, 2019 10:26 PM To: Chad Kelly <c...@cpkws.com.au> Cc: firstname.lastname@example.org; ausnog-requ...@lists.ausnog.net Subject: Re: [AusNOG] Risks to country and business infrastructure The person that got access to their system was not an AWS employee when the breach happened. The person got access via a misconfigured server/system that wasn't Amazon's fault. See the original court case for details: http://regmedia.co.uk/2019/07/29/capital_one_paige_thompson.pdf This is the same as saying it's Amazon's fault that people make their S3 buckets public and information gets exposed. Andras On Wed, Sep 11, 2019 at 12:26 PM Chad Kelly <c...@cpkws.com.au<mailto:c...@cpkws.com.au>> wrote: On 9/11/2019 12:00 PM, ausnog-requ...@lists.ausnog.net<mailto:ausnog-requ...@lists.ausnog.net> wrote: > When someone questions whether this-or-that was predicted, this seems most > likely to indicate either the plausibility of the threat, or which side of > a closed door the questioner was on when the discussions were held. I'd worry less about people placing explosives in servers and more about making sure that proper checks are in place for the people with access to information. AWS is a good example of this, they really need to lift their game. Stuff like the Capital One incident just shouldn't happen and as a result of that I am not recommending AWS to any of our customers. That isn't the only reason, but the fact Capital One are still with AWS after that incident scares me a little, if I was them I would of dumped them as a vendor immediately. Basically Datacentres and network operators need to force all staff to undergo regular checks particularly when dealing with sensitive info. I also am aware that the Capital One case isn't Australian, but it is still a good example of why providers need to keep an eye on who has access to certain info. -- Chad Kelly Manager CPK Web Services Phone 03 5273 0246 Web www.cpkws.com.au<http://www.cpkws.com.au> _______________________________________________ AusNOG mailing list AusNOG@lists.ausnog.net<mailto:AusNOG@lists.ausnog.net> http://lists.ausnog.net/mailman/listinfo/ausnog
_______________________________________________ AusNOG mailing list AusNOG@lists.ausnog.net http://lists.ausnog.net/mailman/listinfo/ausnog