Teri Radichel

Structuring Accounts For A Common Job Execution Framework

ACM.433 Revisiting the catch-22 of deployments from the root account

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | Application Security | Abstraction

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I created a common job execution container for running batch jobs.

As I started working on the next script, I hit this problem: the job execution role needs to read the SSM parameters, so the parameters need to be in the same account where the role was created.

Then I decided the parameters needed to be in the same account as the EC2 instance role so it could pull the list of parameters and secrets, etc. But I forgot about my prior dilemma and was trying to use a role from a different account to execute the job.

In the end, the easiest solution (and the one with the least complexity, which helps prevent security misconfigurations) is to ensure that the EC2 instance, EC2 instance role, parameters, secrets, and job execution role are all in the same account.

That led me to think about in which accounts I wanted that job execution framework to exist.

Components of our Job Execution Framework

Based on the last post, here are the components we need to deploy resources using the job execution framework I’m creating.

  • An EC2 instance
  • An EC2 instance role
  • Job configuration SSM Parameters
  • A user that can run jobs with an MFA device
  • Secrets with credentials associated with the user
  • A role that can execute a job

So I will need to deploy the above in any account where I want to run jobs.

In addition to the above, the EC2 instance needs access to an ECR repository to pull down containers, and possibly to a source control repository. It’s simpler if all of those are in the same account, so for now I’m going to say they will be.

I don’t need all of that in every account, because someone executing a job can assume a cross-account role to take action in another account. So I only need these things in the accounts where jobs get executed, not in all the accounts where jobs take actions. Limiting job execution to a subset of accounts will make it easier to manage, monitor, and secure deployments.

Deploying resources in the root management account

Now I need to think through the scenario of deploying this framework in the root account for the things we need to deploy there. Do I even want to do that?

We want to use the root (management) account as little as possible, because actions in that account are not governed by service control policies.

When I set up the account, I create a new user with some scripts that do not require any special configuration.

I do that because when you start with a blank slate, there’s nothing there. You have to deploy all the infrastructure you want to use to deploy things. I’d need to deploy all those resources for the job framework to use it.

The root user runs these scripts to create a break-glass user in case we can’t access the IdP, which I’ll eventually get back to deploying and configuring.

Initially that new user created what is currently named the “root-org” account. That account is used to deploy the rest of the organization. What I actually want is to get the job framework into that account and use it from there.

Once I create the org-admin user, that user can set up the whole job framework, and any other authorized user or role can use it.

But what I was trying to do in the first place was deploy the org-admin. Do I really want to set up the whole job framework in the root account?

No.

All I really need to deploy in the root account are the scripts above, the new account, and the new user that has permission to take actions in that new account to deploy everything we require for the job execution framework.

I was having the root user in the root account deploy the root-admin user, and then the root-admin user deployed the new account. That way, if you needed to make a change to the account, you could do that with the root-admin user. What I think I am going to do instead is simply use the root user to deploy the initial resources in one quick script and make sure the root user has access to those resources.

The “org” environment

The other thing I have been thinking about is how you deploy resources in the governance and security accounts. Where do you put the jobs and the repositories used to deploy those resources? Are they just production repositories, or something else?

I also run security assessments and penetration tests out of other accounts. I would consider those “production” accounts but I don’t want those accounts to have access in any way to my organization or my production applications. I don’t want anything to infiltrate my organizational repositories that should not.

So really I have separate “production” environments, and for each of them I want a separate job execution framework, code, and containers. I was trying to figure out where I was going to deploy the jobs, parameters, roles, secrets, and repositories.

That led me to a change to my organizational structure. I’m going to create a separate “org” environment with the “org-admin” account below that. Everything else is mostly the same, but governance and security fall under this new org parent OU.

The org-admin account will be where all the job execution framework components exist for the “org” environment. Similarly, the nonprod-admin account will be where all the job execution framework components exist for the nonprod environment.

Separate jobs deploy resources in the “org” environment from the jobs that deploy things in the “nonprod” environment. People who deploy things in the “org” environment can test them first in the “nonprod” environment. The credentials used in the nonprod environment will be in a separate account from those used in the org environment (or the production or penetration testing accounts, etc.).
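The two rules above (every framework component lives in one admin account, and each environment has its own admin account and credentials) are easy to state and easy to violate by accident, which is exactly how the cross-account role mix-up earlier in this post happened. The following is an added example, not code from the post or from the Automating Cybersecurity Metrics series: a pre-deployment check that parses the ARNs of a framework’s components, reports any that sit outside the environment’s admin account, checks that two environments never share an admin account or a target account, and emits a least-privilege identity policy for the job execution role. Account IDs, role names, parameter paths and the `JobFramework` structure are constructed placeholders.

```python
"""Account-boundary checks for a job execution framework.

Added example, not code from the original post. Account IDs, role names,
parameter paths and environment names are constructed placeholders; the
checks encode the two rules the post arrives at: every framework component
lives in one admin account per environment, and separate environments keep
separate admin accounts and credentials.
"""
import json
import re
from dataclasses import dataclass

# Common ARN shape; the account field is the 12-digit account ID and is empty
# for global resources (which this framework does not use).
ARN_RE = re.compile(
    r"^arn:aws:(?P<service>[^:]+):(?P<region>[^:]*):(?P<account>\d{12}|):(?P<resource>.+)$"
)


def arn_account(arn: str) -> str:
    """Return the account ID embedded in an ARN, or raise on a malformed one."""
    m = ARN_RE.match(arn)
    if not m or not m.group("account"):
        raise ValueError(f"ARN has no account ID: {arn}")
    return m.group("account")


@dataclass(frozen=True)
class JobFramework:
    environment: str               # "org", "nonprod", ... one framework per environment
    admin_account: str             # account that must host every component below
    instance_role: str             # EC2 instance role ARN
    job_execution_role: str        # role a job runs under after the MFA user authenticates
    ecr_repository: str            # repository the instance pulls job containers from
    parameters: tuple[str, ...]    # job configuration SSM parameter ARNs
    secrets: tuple[str, ...]       # Secrets Manager ARNs holding the job user's credentials
    target_roles: tuple[str, ...]  # cross-account roles the job execution role may assume

    def components(self) -> tuple[str, ...]:
        return (self.instance_role, self.job_execution_role, self.ecr_repository,
                *self.parameters, *self.secrets)


def colocation_errors(fw: JobFramework) -> list[str]:
    """Rule 1: instance role, execution role, repository, parameters and secrets
    share one account, so plain in-account IAM grants work without resource policies."""
    return [
        f"{fw.environment}: {arn} is in account {arn_account(arn)}, expected {fw.admin_account}"
        for arn in fw.components()
        if arn_account(arn) != fw.admin_account
    ]


def isolation_errors(frameworks: list[JobFramework]) -> list[str]:
    """Rule 2: each environment has its own admin account, and no target account
    is deployed to by jobs from two different environments."""
    errors: list[str] = []
    owner_of_admin: dict[str, str] = {}
    owner_of_target: dict[str, str] = {}
    for fw in frameworks:
        prev = owner_of_admin.get(fw.admin_account)
        if prev and prev != fw.environment:
            errors.append(f"account {fw.admin_account} hosts frameworks for both {prev} and {fw.environment}")
        owner_of_admin[fw.admin_account] = fw.environment
        for role in fw.target_roles:
            acct = arn_account(role)
            prev = owner_of_target.get(acct)
            if prev and prev != fw.environment:
                errors.append(f"target account {acct} is reachable from both {prev} and {fw.environment} jobs")
            owner_of_target[acct] = fw.environment
    return errors


def execution_role_policy(fw: JobFramework) -> dict:
    """Least-privilege identity policy for the job execution role: read only its own
    parameters and secrets (all in the admin account) and assume only the listed target roles."""
    if colocation_errors(fw):
        raise ValueError("fix co-location errors before generating the policy")
    statements = [
        {"Sid": "ReadJobParameters", "Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParameters"], "Resource": list(fw.parameters)},
        {"Sid": "ReadJobSecrets", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue", "Resource": list(fw.secrets)},
    ]
    if fw.target_roles:
        statements.append({"Sid": "AssumeTargetRoles", "Effect": "Allow",
                           "Action": "sts:AssumeRole", "Resource": list(fw.target_roles)})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample frameworks (placeholder account IDs and names).
ORG = JobFramework(
    environment="org", admin_account="111111111111",
    instance_role="arn:aws:iam::111111111111:role/org-job-instance",
    job_execution_role="arn:aws:iam::111111111111:role/org-job-execution",
    ecr_repository="arn:aws:ecr:us-east-1:111111111111:repository/org-jobs",
    parameters=("arn:aws:ssm:us-east-1:111111111111:parameter/jobs/deploy-org/config",),
    secrets=("arn:aws:secretsmanager:us-east-1:111111111111:secret:jobs/deploy-org/creds-AbCdEf",),
    target_roles=("arn:aws:iam::222222222222:role/org-deploy-target",),  # e.g. a governance account
)

# The mistake the post describes: the execution role lives in a different account than the parameters.
NONPROD_SPLIT = JobFramework(
    environment="nonprod", admin_account="333333333333",
    instance_role="arn:aws:iam::333333333333:role/nonprod-job-instance",
    job_execution_role="arn:aws:iam::111111111111:role/nonprod-job-execution",  # wrong account
    ecr_repository="arn:aws:ecr:us-east-1:333333333333:repository/nonprod-jobs",
    parameters=("arn:aws:ssm:us-east-1:333333333333:parameter/jobs/deploy-nonprod/config",),
    secrets=("arn:aws:secretsmanager:us-east-1:333333333333:secret:jobs/deploy-nonprod/creds-GhIjKl",),
    target_roles=("arn:aws:iam::444444444444:role/nonprod-deploy-target",),
)

if __name__ == "__main__":
    for fw in (ORG, NONPROD_SPLIT):
        for err in colocation_errors(fw):
            print("co-location:", err)
    for err in isolation_errors([ORG, NONPROD_SPLIT]):
        print("isolation:", err)
    print(json.dumps(execution_role_policy(ORG), indent=2))
```

Run as-is, the script flags the nonprod execution role as being in the org-admin account and prints the policy for the org framework; the policy generator refuses to emit anything for a framework that fails the co-location check, so a split like the one above cannot quietly become a cross-account grant. The target-account overlap check is my reading of the post’s requirement that nonprod, org, production and penetration testing credentials stay in separate accounts; adjust it if some target account is legitimately shared.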

The one thing I would still need to think about is how code moves from non-prod to production, for example. Rather than a “push,” which is what it tends to be called when you move code from dev to QA, for example, I think it is going to be a “pull” from the org-admin account into production. An execution job in the org-admin account can orchestrate that deployment pull.

So after way too much noodling over all of this, my next step is going to be to revamp the initial script I run when I create a new account to create the new root user, the organization, the org OU, the org-admin account, and the org-admin user, role, and group.

Once I have those resources, I can build out the job framework in the org-admin account. Then I can use that to redeploy the organization and resources using the new and improved job framework.

I also have some ideas I wanted to look into related to that initial script, and AWS may have just made that easier. So I’m going to explore that in the next post. I think. I keep starting a topic, hitting an issue, and realizing I have to implement something else first. But generally you start from the beginning, and back to the beginning is where this problem led me. So I’m pretty sure that is what I’m going to deploy in the next post, because there’s no place left to go up the chain. 😆

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab