avatarTeri Radichel

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

6371

Abstract

ete the work, which I multiply by an hourly rate to come up with a price for the project.</p><p id="f43f"><b>Deliverables</b></p><ul><li>The deliverable for training is a class.</li><li>The deliverable for any other project is a report.</li></ul><p id="799b"><b>Project Billing</b></p><p id="eba1">2nd Sight Lab always bills for a project the same way to keep it simple. We require 50% upfront and 50% on the delivery of a report or class. With training, we need to request the upfront payment at least 2–4 weeks prior to the class to cover the cost of work performed before scheduled class dates. The minimum project fee is 8,000 at this time but is often 15,000 and up. Private 40-hour classes with labs start at 25,000 for 10 students.</p><p id="0f1c"><b>Why No Hourly Rates</b></p><p id="cae8">We do not use an hourly-rate billing model and here’s why. First of all, if you don’t know how many hours you’re going to spend you could end up paying a lawyer 1000 to negotiate a contract and the project lasts two hours. You lost money. Secondly, I used to bill hourly through my software company. Tracking and billing time on invoices created a lot of overhead. I’d rather spend that time helping clients. Finally, it takes time to chase down payments. I had a client who consistently argued with me about every. single. bill. I finally just told her to scratch off what she had a problem with on each bill and just pay the rest. She would mark off something like 300 on a 15,000 invoice. It was very stressful and time-consuming. It’s not worth the hassle.</p><p id="369e"><b>About Cash Flow</b></p><p id="51bb">In addition to the problems I already mentioned with hourly rates, there is too much lag when trying to maintain consistent cash flow. One customer pays in advance. Another pays with a term of 60 days. Now you have a window with no cash flow. Gaps in cash flow impact small business owners more than large companies. Last year I took time off to get my house in Seattle ready to sell. The drop in income over that time period caused by my time off and the contractor’s failure to complete work on time affected my ability to get a loan for my new home. I ended up finding a way to pay cash, but it was not ideal. Even though with the sale of my home in Seattle, I had a higher income than ever in my life, banks will only look at business cash flow with their rigid underwriting formulas. All they see is a gap with no income. There’s your mini business lesson on cash flow for the day. It’s one of the number one reasons startups go out of business.</p><p id="7a86"><b>Focused Deliverables</b></p><p id="6d19">Another reason I focus on fixed-rate projects is that I don’t want to waste customers’ time. I did one hourly rate project, and I would spend hours on-site working for someone revising spreadsheets. I don’t think that was a good use of my time. It also tied me up for a long time doing busy work instead of actively solving security problems. That was an interesting project, and I was grateful to participate, but in the end, I felt like I could deliver what I gave to that client in six weeks instead of three months. I like to work on focused deliverables and get them done as quickly as possible. I’m not one for milking clocks.</p><p id="0d8b"><b>A company, not an employee</b></p><p id="6be1">When you hire me, you <b><i>hire my company,</i></b> not me personally. If you’re working on an hourly rate, you’re basically a short-term employee paid an hourly rate. 2nd Sight Lab offers a product — our classes. We also offer analysis services that include a deliverable — a report. Those products are delivered using the processes, tools, and documentation we have developed.</p><p id="762c"><b>Why I don’t want to be an employee</b></p><p id="b861">One of the reasons I choose not to be an employee of a large company is that it comes with too many restrictions and roadblocks to delivering effective security assistance. I was not allowed to say certain things for political reasons or simply ignored. I couldn’t fix things I wanted to fix. When 2nd Sight Lab assists a company, we provide the analysis and deliver a report or training. When the company receives the deliverable, it is up to them to fix the issues. If they don’t, I won’t be caught up as an employee of the company involved in the next big breach over something out of my control to fix. By coming in as an external advisor we can speak truth to power for employees who hire us to improve security. I often work with CISOs prior to pentests and security assessments to deliver the desired message in our report and provide the data to back it up.</p><p id="b969"><b>Who does the work?</b></p><p id="c41a">I’ve never wanted a large company. I had five employees in my previous company, Radical Software, and that was OK. I managed a team of 30 as director of SAAS engineering for a company. I don’t want to do that again. I spent a lot of time dealing with “people issues” (not to mention politics) instead of getting a project delivered. At this moment, I’m doing the majority of the work. Someone I used to work with helped me create some class labs for the first class I delivered when I was in a time crunch. In the past, I hired interns to help with basic penetration testing, class material review, editing, and accounting.</p><p id="50af"><b>Who are the interns and assistants?</b></p><p id="b7bc">In the past, the people helping me most of the time were my nieces and nephews, but they went off to college to be teachers and doctors and got too busy for me. Cybersecurity was not their passion. Now I’m looking into working with local colleges. I reached out to <a href="https://www.savannahstate.edu/">Savannah State University</a> last year to hire an intern. I never heard back from the department where I sent the job description. I may pursue that again later through some different schools. Other than that, I’ve only received help from people I know personally. If a client doesn’t want anyone else to do the work or see their report, we can work that out.</p><p id="fc88"><b>Security for Interns and Employees</b></p><p id="545e">I am working with a human resources company that performs background and reference checks. When I have someone work on a penetration test for 2nd Sight Lab, they get a separate cloud account and must follow our security sta

Options

ndards and instructions. After they finish, we terminate their access to any customer information on that project. Currently, I’m only using interns who are friends or friends’ kids. They are helping me test new cybersecurity training, proofreading documents, and will review books. Employees receive access through our cloud accounts, and that is one of the reasons we can only do projects from the cloud. It limits the exposure of customer data to other systems and networks.</p><p id="28e6"><b>Ownership</b></p><p id="d3be">2nd Sight Lab owns all training materials we produce or use for client training. We often will revise or rearrange our training material for a client to focus on their specific needs. That material contractually remains the property of 2nd Sight Lab and according to our agreement should remain confidential. In addition, any tools, processes, or materials we use on penetration tests or assessments remain the property of 2nd Sight Lab. However, our clients own the report we deliver. We are obligated to keep reports and any client information confidential unless explicitly allowed in our contract. For example, a customer requesting a product assessment of the efficacy of their product may want 2nd Sight Lab to publish our findings, if we find that it solves a particular problem very well.</p><p id="0ccd"><b>How to contact me about a cybersecurity project — LinkedIn</b></p><p id="c4c5">At this time, the best way to reach me for a project is through LinkedIn. I’ve explained this before but using <a href="https://linkedin.com/in/teriradichel">LinkedIn</a> I can see some information about the person with whom I am doing business. I had some very sketchy people contact me while running my past company, <a href="http://radicalsoftware.com/">Radical Software, Inc.</a> I always wondered if they were legitimate or they were having me perform work for a nefarious organization. That is one of the ways I attempt to verify clients, other than those I meet in person or who are referred by someone else. Unfortunately, I cannot provide training to organizations in certain countries at this time.</p><p id="a890"><b>Starting a cybersecurity project</b></p><p id="2089">Once you contact me on LinkedIn, I’ll send you information to set up a call to discuss your project. I only do phone calls, not Zoom or video calls, until after I have a signed contract. Even then, I require a week’s advance notice for video calls as my network is not set up to handled those at this time. After I understand a bit about the scope, you’ll receive a proposal and a contract for review. We may work to revise it to meet your specific needs. We’ll define a schedule and deliverables and payment terms in the contract. If I need to explain how to get set up for a penetration test or class those instructions come after receipt of the upfront payment.</p><p id="a1d9"><b>Completing a cybersecurity project</b></p><p id="2f1a">Prior to signing a contract we’ll discuss arrangements for communication over the course of the project. Often that will be via email for an on-going penetration test. For a security assessment, I will typically include phone interviews to ask questions up front and further discuss findings after reviewing the assessed environment, but this can vary as needed based on customer needs. Once we’ve completed our work, you’ll receive a report. I try to wait a few days before sending the final invoice to make sure the customer received and could open the report.</p><p id="f3be"><b>Additional support after report delivery</b></p><p id="dd74">Once a class is complete 2nd Sight Lab doesn’t generally provide any additional assistance, though in some cases we had a lab fail and provided a working version after class to the client. I have taken many cybersecurity classes in my time and never had another company do that for me. I usually don’t charge extra for a few questions after the report gets delivered. However, extensive questions or support would require an additional fee. Often, customers will ask us to verify their fixes for findings after completion of a penetration test report. We include that on our penetration report contracts at an hourly rate and can cap the time we spend reviewing the findings as needed.</p><p id="8b7a">If you are thinking of hiring a company to perform a cybersecurity assessment, penetration test, research project, or due diligence related to a cybersecurity investment hopefully this information helps you understand how <a href="https://2ndsightlab.com/">2nd Sight Lab</a> operates. You can reach out to me on <a href="https://www.linkedin.com/in/teriradichel">LinkedIn</a> if you have any additional questions about assessments, penetration test, or training.</p><p id="2373">Follow for updates.</p><p id="4a3a">Teri Radichel | <i>© <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2022</i></p><div id="8b5f"><pre><span class="hljs-section">About Teri Radichel:

⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab</pre></div><div id="caae"><pre><span class="hljs-section">Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span>
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation</pre></div><div id="5a42"><pre>Follow <span class="hljs-keyword">for</span> more stories like <span class="hljs-keyword">this</span>:

❤️ Sign Up my Medium Email List ❤️ Twitter: <span class="hljs-meta">@teriradichel</span> ❤️ LinkedIn: https:<span class="hljs-comment">//www.linkedin.com/in/teriradichel</span> ❤️ Mastodon: <span class="hljs-meta">@teriradichel</span><span class="hljs-meta">@infosec</span>.exchange ❤️ Facebook: 2nd Sight Lab ❤️ YouTube: @2ndsightlab</pre></div><figure id="faf5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*H9Ew1KCl-29nZiPR.jpeg"><figcaption></figcaption></figure></article></body>

Network Design: Serverless Applications

ACM.73 Thinking through serverless network architecture

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | Application Security | Network Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I covered network access for developers for our batch job development and deployment in the last post.

In this post I am going to cover some considerations for serverless application networking.

Earlier in this series I provided scripts to deploy a VPC and related networking in an automated fashion. Those posts start here:

We left the networking rules for our Lambda functions blank to be implemented at a later point. Here are some of the things we’ll need to consider.

Private Batch Job VPC

My plan is to deploy batch jobs to a separate production account where they will execute with restricted permissions in a completely automated manner. When designing the network, we could have put our batch jobs and related lambda functions in the same VPC as our developer subnet for development purposes, but then our network would not mirror the way I want to deploy my batch jobs in production. I wouldn’t be able to use the same templates to deploy my networks to dev, QA, staging, and production.

I know that in production the batch job resources will be in a separate account which obviously means they will be in a separate VPC, so I’m going to create a separate VPC for those resources and make it private. We actually already did that in prior posts, but we need to complete a few more things before our Lambda function will be restricted from the Internet, yet able to access the resources they need.

Private Link for resources in our private batch job network (no NAT)

Since the batch job VPC is private, the resources in that network will not be able to reach the Internet or other AWS services that require Internet connections. I could set up a NAT to allow the resources in that private network to reach AWS services, but we’re going to take a look at Private Link instead and see if we can get that to work. I covered Private Link briefly in the last post.

One of the things I’ll need to do is allow a Lambda function to reach SSM Parameter store as I showed you earlier from a private network. I imagine we’ll also be access AWS S3 buckets and other resources for which we want to keep traffic on the AWS network.

AWS-managed prefix lists

We may need an AWS-managed prefix list at some point to access AWS services in our network rules. These prefixes can be used to get the IP ranges for AWS services.

AWS also provides the IP addresses for AWS services here:

As you can see it is not always that fine-grained. In order to use it you would need to constantly be evaluating the list and updating your rules based on CIDRs whenever the list changes. A prefix will maintain that relationship for you.

Inbound Internet Traffic for Lambda Functions in our Batch Network

What if you want to assign a static IP address to a Lambda function? I explained what EIPs (elastic IPs) were in the last post. They allow you to reserve and assign a static IP address that doesn’t change which you can then use in firewall rules. Put your Lambda function that requires a static IP address behind an Elastic Load Balancer (ELB) and assign an EIP to the load balancer.

We can also use the ELB in a public network and have it send traffic to a Lambda function in a private network. That may come in handy later. I haven’t decided yet.

We could also front a Lambda function with an API gateway if we wanted to expose APIs for external use. I don’t forsee a need for that in the immediate future for what I am building in this series.

Outbound Internet Traffic for Lambda and Batch from a Private Network (such as to GitHub)

I already showed you some risks related allowing outbound traffic for Lambda functions in this post:

If we do end up needing to allow our Lambda functions to call an external API (e.g. something on GitHub) then we could use a NAT to allow that external access.

We can associate an EIP with the NAT gateway to allow it to access GitHub.

Of course, if we have a lot of resources using that NAT gateway that would be a risk. We’ll likely want to have a NAT gateway just for the purpose of accessing GitHub so we don’t inadvertently allow someone else to change our code. This is one of the security controls that can help us prevent attacks such as those that affected Solar Winds:

Separate networks for resources that indirectly require Internet access

I’m going to break up my subnets in my private Batch VPC into at least the following subnets:

  • NAT subnet (public): The NAT, if we were hosting it, would be in a separate subnet. That may be handled by AWS.
  • NAT-Access Subnet (private): Even though some resources will be in a private network they may require access to the NAT for outbound Internet Access.
  • ELB subnet (public): We will deploy ELBs in their own subnet as they have Internet Access (unless we front them with an additional security appliance).
  • ELB-Access Subnet (Private): Other resources may require access inbound via an ELB. We will put them in their own Subnet.
  • Private Data Subnet: Certain other resources will never need access to or from the Internet even indirectly. This is where the most sensitive data will be accessed and will remain completely segregated from even indirect access.
  • Remote Access Subnet: We’ve got our developers using virtual machines in a separate network so they will get their own remote access subnet. To simplify our network we’ll use separate security groups for RDP and SSH but a single subnet for both protocols.

It could be that when we get further along into our design we decide we need additional or less subnets but that’s currently what I’m thinking we need. If you look at what I’ve designed it is similar to a three tier network: Web tier — App tier — Data tier.

VPC Peering

Since I’m planning to deploy my production batch jobs in a separate account ultimately, we’ll put the batch jobs in their own VPC. If we need to allow the developers to connect to the batch jobs or Lambda function in that separate account and VPC we’d need to set up VPC peering for that. We’ll see if we need to do that or not in future posts.

If we think through this a bit, developers might need to access Lambda functions or Batch jobs in a development environment. The QA team might need to access them in a QA environment. An Ops team might access them in a production environment. We’ll see if we need all that but we would want to create our deployment scripts to support that model, if required.

Separate security groups for all resources for a zero-trust network

We may end up creating broader security group rules in some cases, but we’ll always create a separate security group for each resource unless they require exactly the same network access.

Batch Network: ELB Subnets

We might need a public and private ELB subnet as explained above. In this case, we would associate a public route table with the ELB subnet and a private route table for the subnet that has resources accessed through the ELB. We could use any port for communication between the ELB and the resources it interfaces with in the private network so I am leaving that TBD or now.

Batch Network: NAT Subnets

The NAT subnets look similar but the direction of traffic is reversed. We don’t need a NAT for updates at this point since we will pull resources into our developer account and then deploy from there. All our resources will be deployed via code so we don’t need to have resources go get updates on the Internet. We don’t yet have a resources that needs to reach out over the Internet but we may in the future. We’ll deploy this if and when we need it.

Batch Network: Private Data Subnet

Now here’s the interesting thing. I mentioned we want to create a private VPC for our Lambda functions and Batch jobs. However, as I look ahead at the configuration of AWS Batch I only see this option to add a public IP address or not when using a non-Fargate deployment.

If you’re using Fargate you can assign subnets but I don’t see a place to assign security groups:

It is interesting that you can assign a public IP when using Fargate even if there is no Internet Gateway. In that case would Batch jobs be able to access the Internet??

We’re going to need to explore what kind of network connectivity and logs we get when we start using AWS Batch, but for now we’re going to just create the network infrastructure defined so far and keep moving forward. Sometimes AWS adds new capabilities to lock services down to private networks later after the service is initially released. I haven’t explored Batch in enough detail (yet) to fully understand our options for networking.

For now we will a completely private network, and we will create a security group per Lambda function as we started doing. We’ll update our Lambda configurations to run in a VPC. We will add a VPC Endpoint configuration that allows our Lambda functions to access whatever services they need to access.

That seems like it will work. We’ll have to complete our POC and do some additional testing. I suspect we will need to add some additional network constructs along the way. Follow for updates.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Private Network
AWS
Vpc Endpoints
Network Security
Cloud Security
Recommended from ReadMedium
avatarAlexander Nguyen
The resume that got a software engineer a $300,000 job at Google.

1-page. Well-formatted.

4 min read
avatarAndrew Blooman
Stop using SSH in AWS! Here’s Why! A DevSecOps Perspective

Using Session Manager to provide secure EC2 access, whilst improving incident response capabilities with activity recording.

12 min read
avatarAbhay Parashar
17 Mindblowing Python Automation Scripts I Use Everyday

Scripts That Increased My Productivity and Performance

14 min read
avatarArtem Lajko
Internal Developer Platforms: A Real Thing or Just a Trend?

Are Internal Developer Platforms like Backstage merely a hyped topic that will be forgotten in a few years?

14 min read
avatarAndrew Zuo
Async Await Is The Worst Thing To Happen To Programming

I recently saw this meme about async and await.

5 min read
avatarNurunnubi Talukder
Simplify AWS WAF Configurations: A Step-by-Step Guide for Cloud Security Architects!!

Struggling with AWS WAF Configurations? Here’s What to Do…

2 min read