<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[CyberGuide]]></title><description><![CDATA[Cybersecurity Resources]]></description><link>https://cyberguidesolutions.com/</link><image><url>https://cyberguidesolutions.com/favicon.png</url><title>CyberGuide</title><link>https://cyberguidesolutions.com/</link></image><generator>Ghost 5.85</generator><lastBuildDate>Wed, 29 Apr 2026 13:24:12 GMT</lastBuildDate><atom:link href="https://cyberguidesolutions.com/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[How a Single Application Update Took Down 8.5 Million Windows Machines All Over the World]]></title><description><![CDATA[<p></p><p>C-00000291*.sys&#x2014; This is the tiny 40 KB file, a driver file associated with CrowdStrike&apos;s Falcon endpoint security software sensor, that took down over 8.5 million Windows computers worldwide. This file, a crucial software component, caused a worldwide outage, affecting airlines, airports, banks, hotels, hospitals, manufacturing,</p>]]></description><link>https://cyberguidesolutions.com/crowd/</link><guid isPermaLink="false">66a1aace4a6a363d8eddbc3b</guid><category><![CDATA[Outages]]></category><category><![CDATA[Trends]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Sun, 04 Aug 2024 22:24:31 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/09/pikaso_embed_digital-painting-A-glowing-blue-padlock-icon-surro.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/09/pikaso_embed_digital-painting-A-glowing-blue-padlock-icon-surro.jpg" alt="How a Single Application Update Took Down 8.5 Million Windows Machines All Over the World"><p></p><p>
C-00000291*.sys&#x2014; This is the tiny 40 KB file, a driver file associated with CrowdStrike&apos;s Falcon endpoint security software sensor, that took down over 8.5 million Windows computers worldwide. This file, a crucial software component, caused a worldwide outage, affecting airlines, airports, banks, hotels, hospitals, manufacturing, stock markets, broadcasting, gas stations, retail stores, governmental services, and Fortune 500 companies. So, hundreds of millions worldwide missed doctor&apos;s appointments, airline flights, and other critical services. This tiny file caused a worldwide financial loss that multiple insurance firms, including cyber insurance firms, estimated at at least USD 10 billion. As I&apos;ve talked about in an <a href="https://cyberguidesolutions.com/cia-triad/" rel="noreferrer">earlier article</a> I wrote in February, compromising one of the three parts of the CIA triad, namely Confidentiality, Integrity, and Availability, can negatively affect human lives, health, jobs, businesses, and economies worldwide. Though not the result of or related to a cyberattack, the CrowdStrike outage significantly affected millions of people by compromising the availability of critical services. In the case of the recent CrowdStrike outage on Friday, July 19, 2024, the availability part of the CIA triad was broken.</p><p>So, how did this massive outage that affected over 8.5 million Windows systems worldwide happen? To start, let&apos;s identify the problem&apos;s symptom, which, in this case, was the Blue Screen of Death (BSOD) on Windows machines running CrowdStrike&apos;s Falcon endpoint security platform, which is like anti-malware software on steroids. The BSOD is a critical system error in Windows operating systems that can cause the system to crash, leading to data loss and potential hardware damage. A computer generally has two areas: Ring 0, or kernel mode, and Ring 1, or user mode. 
Kernel mode is where an operating system and kernel-mode drivers, which have direct access to and control of the computer&apos;s hardware, run. On the other hand, user mode is where multiple applications, such as Microsoft Office or your favorite Windows-based game, run on top of the Windows operating system located in kernel mode. When an application crashes, its blast radius is isolated to Ring 1 and doesn&apos;t affect the underlying operating system running in Ring 0. However, when an issue occurs in Ring 0 or kernel mode, its blast radius of damage affects the entire system, bringing down all the applications running on top of it. The driver file associated with CrowdStrike&apos;s Falcon endpoint security software sensor, C-00000291*.sys, caused an &apos;out-of-bounds memory read&apos; and subsequent Blue Screen of Death (BSOD) on Windows machines running CrowdStrike&apos;s Falcon endpoint security software, which runs in Ring 0 or kernel mode.</p><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://cyberguidesolutions.com/content/images/2024/08/CrowdStrike_BSOD_at_LGA.jpg" class="kg-image" alt="How a Single Application Update Took Down 8.5 Million Windows Machines All Over the World" loading="lazy" width="2000" height="1500" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/08/CrowdStrike_BSOD_at_LGA.jpg 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/08/CrowdStrike_BSOD_at_LGA.jpg 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/08/CrowdStrike_BSOD_at_LGA.jpg 1600w, https://cyberguidesolutions.com/content/images/2024/08/CrowdStrike_BSOD_at_LGA.jpg 2000w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">By Smishra1 - Own work, CC BY-SA 4.0, </span><a href="https://commons.wikimedia.org/w/index.php?curid=150535443"><span style="white-space: pre-wrap;">https://commons.wikimedia.org/w/index.php?curid=150535443</span></a><span 
style="white-space: pre-wrap;"> | LaGuardia Airport in New York City experienced severe computer issues in July 2024 due to a CrowdStrike outage. A faulty software update on the baggage carousels caused a series of blue screens of death (BSOD), impacting baggage availability to millions worldwide. This scenario exemplifies how compromising one of the three parts of the CIA triad related to cybersecurity can cause much difficulty in life.</span></figcaption></figure><p></p><p>As you can see, any issue occurring in the kernel mode will bring down the entire system. It wasn&apos;t the Falcon sensor content, one of two updates to CrowdStrike&apos;s Falcon endpoint security software, that caused the issue; it was the sensor configuration update meant to provide instructions for detecting malware that caused the problem. Isn&apos;t it fascinating that CrowdStrike&apos;s Falcon sensor earned Microsoft&apos;s Windows Hardware Quality Labs (WHQL) certification? This certification, a rigorous testing process conducted by Microsoft, demonstrates that the Falcon sensor successfully cleared demanding tests to meet Microsoft&apos;s strict compatibility and reliability standards for the Windows operating system. However, it&apos;s crucial to recognize that even with the &quot;WHQL&quot; certification, there is still potential for issues to arise and create chaos.</p><p>The breakdown in CrowdStrike&apos;s CI/CD pipeline may have occurred during the continuous integration phase, specifically in the software update&apos;s quality control process. The faulty update was not properly validated before deployment, resulting in the outage. Like many CI/CD pipelines, CrowdStrike&apos;s CI/CD pipeline involves several automated steps, including code commits, building and compiling code, running automated tests, and performing code quality checks. 
However, the defect in the software update went undetected during these validation checks. This issue highlighted a gap in the automated testing and quality assurance processes within the CI/CD pipeline.</p><p>While the problem may have been caused by something during the change management process, the specific issue may be isolated to a content validator, a software tool that verifies the accuracy, integrity, and security of the content being deployed. The content validator ensures that updates, configuration, or any changes pushed through the CI/CD pipeline don&apos;t contain vulnerabilities, errors, or other harmful elements that can disrupt the system. So, in the CrowdStrike incident, the content validator can be expected to check for errors to catch code defects, perform security verification to ensure updates are free from malicious code or vulnerabilities, perform compatibility checks to make sure that updates work smoothly with the existing system and other software components, and, finally, verify compliance with regulatory and compliance requirements specific to the organization and industry. Considering the various functions of the content validator, we can see how its failure to catch errors in the software update before it was deployed caused BSODs in Windows machines worldwide, highlighting the critical role of effective content validation in maintaining the security and stability of CI/CD pipelines. Also, this outage emphasizes how strong validation mechanisms can prevent many of the consequences I&apos;ve described earlier that were felt by millions worldwide.</p><p>CrowdStrike didn&apos;t reveal the specific name of the content validator tool they&apos;re using, but it&apos;s evident that it&apos;s a vital part of their internal validation and testing process. 
The recent failure showed the importance of strengthening validation mechanisms, improving testing procedures, and enhancing error-handling capabilities within CI/CD pipelines.</p><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://cyberguidesolutions.com/content/images/2024/08/Ngurah_Rai_Microsoft_Outage_2024.jpg" class="kg-image" alt="How a Single Application Update Took Down 8.5 Million Windows Machines All Over the World" loading="lazy" width="1573" height="1408" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/08/Ngurah_Rai_Microsoft_Outage_2024.jpg 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/08/Ngurah_Rai_Microsoft_Outage_2024.jpg 1000w, https://cyberguidesolutions.com/content/images/2024/08/Ngurah_Rai_Microsoft_Outage_2024.jpg 1573w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">By Juxlos - Own work, CC BY 4.0, </span><a href="https://commons.wikimedia.org/w/index.php?curid=150517284"><span style="white-space: pre-wrap;">https://commons.wikimedia.org/w/index.php?curid=150517284</span></a><span style="white-space: pre-wrap;"> | People stood in line at I Gusti Ngurah Rai airport in Bali, Indonesia, waiting to board Air Asia flights. The airline&apos;s computer systems went down because of a Microsoft/CrowdStrike update, which meant passengers couldn&apos;t check in online. As a result, the staff had to use pen and paper for the check-ins.</span></figcaption></figure><p></p><p>In response to the incident, CrowdStrike has committed to enhancing its content update testing, improving error handling, and implementing staggered deployments to prevent future occurrences. 
These proactive measures, combined with their existing release process, including extensive automated testing and a canary deployment strategy, demonstrate their dedication to preventing similar incidents. A canary deployment strategy involves rolling out a new software update to a small subset of users or systems first, allowing for early detection of any issues before an entire deployment. However, this incident serves as a stark reminder of the potential vulnerabilities in cybersecurity systems and the high stakes involved for companies reliant on these protections. It emphasizes the urgent need for more rigorous safeguards, particularly in error handling and deployment strategies.</p>]]></content:encoded></item><item><title><![CDATA[Defense in Depth]]></title><description><![CDATA[<p></p><p>Let&apos;s explore the intricate Defense in Depth strategy. Imagine a futuristic fortress with a tower at its core, protecting a valuable resource or crown jewel. This fortress is fortified with multiple secure walls, meticulously arranged in concentric circles around the building. Each wall features a distinct security control,</p>]]></description><link>https://cyberguidesolutions.com/defense-in-depth/</link><guid isPermaLink="false">667591e04a6a363d8eddba61</guid><category><![CDATA[Cybersecurity]]></category><category><![CDATA[CIA Triad]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Mon, 08 Jul 2024 03:43:49 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/05/pikaso_texttoimage.png" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/05/pikaso_texttoimage.png" alt="Defense in Depth"><p></p><p>Let&apos;s explore the intricate Defense in Depth strategy. Imagine a futuristic fortress with a tower at its core, protecting a valuable resource or crown jewel. 
This fortress is fortified with multiple secure walls, meticulously arranged in concentric circles around the building. Each wall features a distinct security control, such as a biometric scanner, a firewall, or a security guard. These mechanisms are intricately designed to deter unauthorized intruders from reaching the crown jewel. Beyond preventing unauthorized access, the fortress has physical controls like reinforced doors or fire suppression systems to mitigate damage or loss from physical attacks or natural disasters. This analogy highlights the complexity and synergy of multiple security layers, each with unique security controls, working together to protect data, the crown jewel.</p><p> </p><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/Cybersecurity-Defense-in-Depth-Diagram.png" class="kg-image" alt="Defense in Depth" loading="lazy" width="512" height="563"></figure><p></p><h3 id="physical-security">Physical Security</h3><p>As the first layer within the Defense in Depth strategy, the physical layer is pivotal in preventing intruders from accessing, compromising, or destroying the physical infrastructure containing the crown jewel&#x2014;data. While cyber-attacks are often directed at the logical layers, attacks on critical infrastructure, such as data centers, are rare. This rarity underscores the effectiveness and reliability of the physical layer in the Defense in Depth strategy. Examples of physical controls that help protect critical infrastructure are walls, CCTV cameras, RFID-locked doors, biometric and motion scanners, security guards, guard dogs, fire suppression systems, HVAC systems, and reinforced fences.</p><p></p><h3 id="network-security">Network Security</h3><p>The second layer within the concept of Defense in Depth is the network layer. 
A primary way to secure a network is through network traffic monitoring and analysis, and firewalls are one of the controls that help monitor network traffic, preventing unauthorized access. Additionally, firewalls can allow or block network traffic dictated by security or policy rules. Another set of controls within this layer are Intrusion detection systems (IDS) and Intrusion prevention systems (IPS), which work synergistically with infrastructure networks and endpoint firewalls as they help identify threats and respond accordingly. Other network controls include microsegmentation, endpoint security, VPN, and Zero Trust Architecture (ZTA), a security model that requires strict identity verification for every person and device trying to access resources on a network, regardless of whether they are inside or outside the network perimeter. This is exemplified by Google&apos;s BeyondCorp initiative, which redefines network security through continuous verification, a process that ensures the ongoing validity of a user&apos;s identity and device security posture, strict access controls, and comprehensive monitoring regarding network security.</p><p></p><h3 id="platform-security">Platform Security</h3><p>As the third layer within the Defense in Depth strategy, Platform Security focuses on the security architecture and its inherent tools and processes that work synergistically to secure various underlying systems that are the foundation on which applications and services run. These systems include endpoints, servers, virtual machines (VM), operating systems, firmware, and containers. System security controls in this layer refer to the tools and processes implemented to secure these underlying systems. 
Some examples of system security controls in this layer include the following:</p><ul><li><strong>Host-based Intrusion Detection Systems (HIDS) and Host-based Intrusion Prevention Systems (HIPS)</strong>: HIDS monitors a single host for suspicious activity and potential threats. At the same time, HIPS can actively block or prevent detected threats on the host.</li><li><strong>Host-based Firewalls</strong>&#xA0;are software firewalls installed on individual hosts that control incoming and outgoing network traffic based on security rules, protecting the host from unauthorized access.</li><li><strong>Endpoint Anti-Malware Software</strong>&#xA0;refers to programs installed on endpoints to detect, prevent, and remove malicious software. These programs protect endpoint devices from malware, a typical cyber threat.</li><li><strong>Server System Hardening through Ports and Services Restrictions</strong>: Configuring servers to turn off unnecessary ports and services, adhering to security configuration baselines to reduce the attack surface.</li><li><strong>Automated Patch Management</strong>: Using automated tools to regularly update software and systems with the latest security patches to protect against vulnerabilities.</li><li><strong>Access Controls such as Role-Based Access Controls (RBAC) and Multi-Factor Authentication (MFA)</strong>: RBAC assigns permissions based on user roles. 
MFA requires multiple forms of verification for access, enhancing security.</li><li><strong>Log Monitoring</strong>: Continuously reviewing logs from systems and applications to detect and respond to suspicious activities or security incidents.</li><li><strong>Using VMs to Isolate Applications, Services, and Processes</strong>: Running different applications in separate VMs to prevent a compromise or failure in one VM from affecting others, enhancing security and stability.</li><li><strong>Ensuring Container Security Using Minimal Base Images and Scanning for Vulnerabilities</strong>: Create container images with only essential components (i.e., base OS, application code, dependencies, configuration files, runtime environments, etc.) and regularly scan them for vulnerabilities to reduce the attack surface and ensure a secure container environment.</li></ul><p></p><h3 id="application-security">Application Security</h3><p>The Application Security layer involves developing, adding, and testing application security features to prevent vulnerabilities like unauthorized access and alteration. Application security also involves measures taken during application development and deployment to avoid threats such as data or code within an application being stolen or hijacked. Application Security controls include IDE security, which refers to the security measures implemented within the Integrated Development Environment (IDE) to ensure the code&apos;s security. 
Other controls include static code analysis, software composition analysis (SCA), dynamic application security testing, and API security.</p><ul><li><strong>Secure Coding Practices</strong>: Adherence to secure coding standards to prevent vulnerabilities like SQL injection, XSS, etc.</li><li><strong>Application Penetration Testing</strong>: Regular testing of applications to find vulnerabilities.</li><li><strong>Authentication and Authorization</strong>: Mechanisms like OAuth and multifactor authentication ensure users are who they say they are and have appropriate access.</li><li><strong>Static Code Analysis</strong>: The process of examining source code for vulnerabilities and coding errors without executing the program. This process helps identify potential security issues early in the development cycle.</li><li><strong>Static Application Security Testing (SAST)</strong>: A subset of Static Code Analysis, this process focuses more on the application&apos;s security, meaning it identifies vulnerabilities that can be exploited by attackers. Some of the security vulnerabilities that SAST seeks to root out are SQL injection, cross-site scripting (XSS), buffer overflows, and similar potential security flaws.</li><li><strong>Software Composition Analysis (SCA)</strong>: The practice of identifying and managing open-source components or dependencies within software to ensure security and compliance with licensing requirements. It also helps detect known vulnerabilities in third-party libraries.</li><li><strong>Dynamic Application Security Testing (DAST)</strong>: A method of testing the running application to identify vulnerabilities by simulating attacks. 
It focuses on the application&apos;s operational state to find security flaws that may not be evident in the source code.</li><li><strong>API Security</strong>: The practice of securing Application Programming Interfaces (APIs) by implementing measures such as authentication, authorization, input validation, and rate limiting to protect against threats and ensure secure data exchange between applications.</li></ul><p></p><h3 id="data-security">Data Security</h3><p>The Data Security Layer is not just a part of the Defense in Depth&#xA0;strategy,&#xA0;but its heart and soul. Within this layer lies the crown jewel that the layers above aim to shield and protect through various intricate controls. The crown jewel is the data. This layer is not just a safeguard but a fortress at the center, protecting data from unauthorized access and alterations, regardless of location or transmission method. Various controls at this core layer include encryption, access controls, and data loss prevention, each reflecting the weight of our responsibility to ensure this invaluable resource&apos;s security.&#xA0;I&apos;ve concisely described some controls at this layer below:&#xA0;</p><ol><li><strong>Data Encryption</strong>&#xA0;protects data by converting it into a coded format that can only be read by someone with the correct decryption key, ensuring the confidentiality of data both at rest (stored data) and in transit (data being transmitted).</li><li><strong>Data Masking</strong>: This procedure obfuscates specific data within a database to protect sensitive information, showing fictitious data instead of actual data during non-production scenarios, such as testing and development.</li><li><strong>Access Controls</strong>: Implement policies like Role-Based Access Control (RBAC) to ensure only authorized users can access specific data. 
Limiting data access based on user roles and permissions minimizes the risk of data breaches.</li><li><strong>Data Loss Prevention (DLP)</strong>: Monitors and controls data transfer to prevent unauthorized sharing, leakage, or loss of sensitive data. DLP solutions can block or alert risky data movements.</li><li><strong>Tokenization</strong>: This process replaces sensitive data elements with non-sensitive equivalents (tokens) with no exploitable value outside a specific context. It is often used in payment processing to protect credit card information.</li><li><strong>Data Classification</strong>: This process assigns categories to data based on its sensitivity and criticality to the organization, which helps apply appropriate security controls and handling practices based on the classification level.</li><li><strong>Immutable Storage</strong>: Ensures that once data is written, it cannot be modified or deleted. This is often used for logs and backup data to protect against tampering and unauthorized changes.&#xA0;</li><li><strong>Database Activity Monitoring (DAM)</strong>&#xA0;continuously monitors and analyzes database activities to detect and respond to unauthorized or suspicious actions, which helps identify potential breaches and enforce security policies.</li><li><strong>Backup and Recovery</strong>: Regularly creates copies of data and stores them securely to ensure data can be recovered in case of accidental loss, corruption, or ransomware attacks, ensuring data availability and integrity.</li><li><strong>Auditing and Logging</strong>: Maintain detailed records of data access and modification activities.&#xA0;This&#xA0;helps track data usage, detect anomalies, and ensure compliance with regulatory requirements.</li><li><strong>Secure Deletion</strong>: This method ensures that when data is no longer needed, it is completely and securely erased, making it unrecoverable.&#xA0;This&#xA0;prevents unauthorized access to sensitive data that is no longer in 
use.</li><li><strong>Data Anonymization</strong>&#xA0;removes or alters personally identifiable information (PII) from data sets so&#xA0;individuals&#xA0;cannot&#xA0;be identified.&#xA0;This&#xA0;is crucial for complying with privacy regulations and protecting user privacy during data analysis.</li></ol><p></p><p>By implementing these controls, organizations can strengthen their data security layer, protecting sensitive information from unauthorized access, breaches, and data loss. Implementing a robust defense-in-depth strategy involves effectively integrating these layers to provide a holistic security posture that significantly mitigates risks. Each layer builds upon the last, creating a comprehensive shield against security threats. It&apos;s essential to note that not all cyberattacks target data. Some cyberattacks deny data availability through various means, such as overwhelming network and computing resources through DDoS (Distributed Denial of Service) attacks that use botnet endpoints orchestrated by command and control servers to generate overwhelming traffic, taking down data availability. When data availability is compromised, it affects the availability component of the CIA triad. For details about the CIA triad, please check out <a href="https://cyberguidesolutions.com/cia-triad/" rel="noreferrer">my article</a> that explains each component.</p>]]></content:encoded></item><item><title><![CDATA[Identification, Authentication, Authorization, and Accountability]]></title><description><![CDATA[<p></p><h3 id="identification">Identification</h3><p>Identification, the crucial process of using various data and information to establish a person&apos;s or subject&apos;s identity, is the cornerstone of the access control process. It&apos;s the initial step where a user or system presents credentials or attributes that assert their identity. 
This</p>]]></description><link>https://cyberguidesolutions.com/identification-authentication-authorization-and-accountability/</link><guid isPermaLink="false">667591e04a6a363d8eddba5e</guid><category><![CDATA[Cybersecurity]]></category><category><![CDATA[IAM]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Mon, 08 Jul 2024 03:43:22 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/03/electronic-keycard-access-control.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/03/electronic-keycard-access-control.jpg" alt="Identification, Authentication, Authorization, and Accountability"><p></p><h3 id="identification">Identification</h3><p>Identification, the crucial process of using various data and information to establish a person&apos;s or subject&apos;s identity, is the cornerstone of the access control process. It&apos;s the initial step where a user or system presents credentials or attributes that assert their identity. This process is vital as it helps to recognize an individual using data such as their name, username, user IP address, employee number, social security number, tax ID, social media handle, and other relevant information.</p><p>When attackers gain access to personal identification, the consequences can be severe. They can impersonate legitimate users, leading to data breaches and unauthorized transactions. With compromised identification, attackers can elevate their access rights, potentially gaining administrator-level access and manipulating system settings, data, and access controls. They can also perpetrate fraud by stealing funds or services by impersonating the rightful owner of the identity. Knowing someone&apos;s identifier can allow attackers to craft targeted phishing or social engineering attacks, tricking victims into revealing more sensitive information or installing malicious software. 
Additionally, attackers might use stolen identification to disrupt services by overwhelming a system with requests as part of a Denial of Service attack or altering system configurations. The compromise of identification could undermine trust in a system&apos;s security, affecting user confidence and potentially causing reputational damage to the organization.</p><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/09/9787.jpg" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="1500" height="857" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/09/9787.jpg 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/09/9787.jpg 1000w, https://cyberguidesolutions.com/content/images/2024/09/9787.jpg 1500w" sizes="(min-width: 720px) 720px"></figure><p></p><h3 id="authentication">Authentication</h3><p>Authentication means proof that a subject (like a person) or an object (like an application) is who they claim to be through three methods. These authentication methods are the following:</p><ol><li>&quot;Something you know&quot; would be like a password, PIN, and the answers to security questions. Hackers typically attack knowledge factors since they are less challenging than the other authentication methods. Knowing this, we can ensure that knowledge-based authentication information is more difficult to crack. For instance, we can increase the complexity and number of characters of our passwords to prevent cyber criminals from breaking them and selling that information on the dark web, which is illegal.</li><li>&quot;Something you have&quot; is another authentication method that includes professional IDs, smart cards, hardware tokens (similar to thumb drives in appearance), and browser cookies. 
A person or subject uses a tangible or intangible item &quot;they have&quot; to authenticate their identity.</li><li>&quot;Something you are&quot; includes a person&apos;s physiological characteristics used to authenticate. Biometrics is an example of using physiological characteristics to authenticate. Unique fingerprint patterns and the complex pattern of ridges and furrows inside the human iris are examples of physiological characteristics used in biometrics. Behavioral characteristics are also used in the authentication process to establish a baseline to identify suspicious changes by studying a person&apos;s behavioral pattern. Voice pattern recognition is an example of a behavioral characteristic used in biometric authentication.</li></ol><p></p><h3 id="authorization">Authorization</h3><p>The <em>Principle of Least Privilege</em> is a security principle that focuses on granting access permissions to only those subjects who require them to perform their duties. By adhering to this principle, we can prevent subjects from intentionally or unintentionally compromising information that may negatively affect an organization&apos;s financial status and human lives. 
It is crucial to enforce this principle at all times, particularly when granting new hires access to resources or transitioning personnel to new roles.</p><p>The <em>Need-to-Know</em> principle requires that a person be granted access to information and data only if it is necessary to perform a specific duty, even if the individual already has access permissions.</p><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/09/pikaso_1woman-with-long-blonde-hai.jpeg" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="1344" height="768" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/09/pikaso_1woman-with-long-blonde-hai.jpeg 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/09/pikaso_1woman-with-long-blonde-hai.jpeg 1000w, https://cyberguidesolutions.com/content/images/2024/09/pikaso_1woman-with-long-blonde-hai.jpeg 1344w" sizes="(min-width: 720px) 720px"></figure><p></p><h3 id="discretionary-access-control-dac">Discretionary Access Control (DAC)</h3><p>Discretionary Access Control is used when availability is critical. Since this access control type is identity-based, the object owner or system decides to assign object access at their discretion to a specific subject. The resource owner can use this access control type to grant access to particular groups or users who need it to ensure access to resources that must be available to them when performing duties and responsibilities. While DAC is a distributed model that is useful when no central authority has sufficient information to perform access control decisions, its flexibility and decentralized nature can pose a security risk. For instance, a centralized IT department may not know who needs access to a specific file or folder on Google Drive, but the file or folder&apos;s owner knows whom to grant access to collaborate. 
However, enforcing consistency becomes more complicated when a large group of data owners make access control decisions, including the ability to make permission changes, which insider threats can exploit. </p><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://cyberguidesolutions.com/content/images/2024/05/DAC.png" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="1366" height="1053" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/05/DAC.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/05/DAC.png 1000w, https://cyberguidesolutions.com/content/images/2024/05/DAC.png 1366w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">In Discretionary Access Control (DAC), the owner can provide specific users and groups object access.</span></figcaption></figure><p></p><h3 id="mandatory-access-control-mac">Mandatory Access Control (MAC)</h3><p>Often used in the government and military, critical infrastructure (e.g., power plants, financial institutions, and healthcare systems), and corporate environments where sensitive data needs to be tightly controlled, Mandatory Access Control is used when confidentiality is vital. This type of access control is rules-based and policy-driven, ensuring only administrators can change rules and policies. Under MAC, access permissions are pre-determined for all users and are centrally managed for ease of administration, meaning access control is not at the discretion of data owners. 
Instead, it is enforced systematically: the data owner is responsible for assigning the appropriate security label to an object (e.g., files, databases, or devices), and a subject, such as a user or process, is assigned a security clearance. When a subject attempts to access an object, the system checks the subject&apos;s clearance against the object&apos;s classification label to determine access permissions.</p><p>One standard MAC model is the <em>Bell-LaPadula</em> Model, which focuses on maintaining data confidentiality and enforces rules to prevent information flow from higher to lower security levels. Another standard MAC model is the <em>Biba</em> Model, which focuses on data integrity and enforces rules to prevent information flow from lower to higher integrity levels.</p><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://cyberguidesolutions.com/content/images/2024/05/MAC.png" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="1265" height="974" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/05/MAC.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/05/MAC.png 1000w, https://cyberguidesolutions.com/content/images/2024/05/MAC.png 1265w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">In Mandatory Access Control (MAC), object access is pre-determined by security clearance and confidentiality levels while centrally managed and tightly controlled by the administrator. MAC is used when confidentiality is critical to an organization.</span></figcaption></figure><p></p><h3 id="role-based-access-control-rbac">Role-Based Access Control (RBAC)</h3><p>Role-Based Access Control is used when data integrity preservation is critical or most important. It&apos;s a policy-neutral access control mechanism defined based on roles and privileges.
RBAC is the most effective access control to help prevent any change to data and information, which could cause significant financial loss and negatively impact people&apos;s lives. RBAC must be used when there needs to be a clear separation between organizational departments, teams, roles, and the corresponding data and information each is authorized to access. In RBAC, roles are first identified within an organization. For instance, &quot;Finance,&quot; &quot;HR,&quot; and &quot;Sales&quot; are roles defined by a company. Each of these roles is assigned permissions, such as &quot;read,&quot; &quot;write,&quot; &quot;execute,&quot; and other access rights required to perform specific duties and access particular resources (objects). These roles are then assigned to users based on their job functions and responsibilities. When a user (subject) attempts to access a resource, the system checks the user&apos;s roles and the permissions associated with those roles to determine if access should be granted.</p><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://cyberguidesolutions.com/content/images/2024/05/RBAC-2.png" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="1398" height="1092" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/05/RBAC-2.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/05/RBAC-2.png 1000w, https://cyberguidesolutions.com/content/images/2024/05/RBAC-2.png 1398w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">This image is an example of a role-based access control (RBAC) system implemented in a company.</span></figcaption></figure><p></p><h3 id="attribute-based-access-control-abac">Attribute-Based Access Control (ABAC)</h3><p>Being more flexible, dynamic, and risk-based than other access control models, Attribute-Based Access Control has a mechanism where access to an object
or resource is granted or denied to a subject based on the subject, object, and environment&apos;s attributes when evaluated against a policy. For instance, a stateful multi-layer firewall can allow incoming traffic from the internet, granting it access to a specific endpoint, if it meets the policy specifying that incoming internet traffic corresponding to a communication session previously established by one particular endpoint will be allowed entry into the private network. As another example, a finance manager attempting to access sensitive files on the company&apos;s private network outside of regular working hours, from an unrecognized device in a foreign country, will be denied access since the object and environmental attributes do not meet the policy specifics, even though the subject&apos;s attributes, which in this case are his user credentials and multi-factor authentication, meet some of the policy&apos;s requirements.</p><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://cyberguidesolutions.com/content/images/2024/05/ABAC.png" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="1397" height="1094" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/05/ABAC.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/05/ABAC.png 1000w, https://cyberguidesolutions.com/content/images/2024/05/ABAC.png 1397w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">In Attribute-Based Access Control (ABAC), the policy dictates how the subject can access the object based on subject, object, and environmental attributes.</span></figcaption></figure><p></p><h3 id="context-based-access-control">Context-Based Access Control</h3><p>Context-Based Access Control (CBAC) is a security mechanism that determines access permissions based on the context in which access requests are made.
Unlike Attribute-Based Access Control (ABAC), which evaluates a wide array of attributes, CBAC focuses on situational factors such as the user&apos;s location, the time of access, the sequence of prior actions, and the access history. This approach allows for dynamic adjustments to access permissions, enhancing security by considering real-time conditions.</p><p>For example, if users access Amazon.com from India, they are redirected to Amazon.in, providing a localized shopping experience. Similarly, a company might implement CBAC to restrict access to sensitive resources outside of business hours, mitigating the risk of unauthorized access during off-hours. In another example, a user&apos;s access might be granted or denied based on the sequence of steps they have previously taken in the system, ensuring that they follow the correct workflow. By leveraging contextual information, CBAC can provide more adaptive and responsive security measures tailored to the specific circumstances of each access attempt. This not only enhances security but also empowers the organization with the ability to control access in a more nuanced and effective manner.</p><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://cyberguidesolutions.com/content/images/2024/05/CBAC1.png" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="1265" height="974" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/05/CBAC1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/05/CBAC1.png 1000w, https://cyberguidesolutions.com/content/images/2024/05/CBAC1.png 1265w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">In Context-based Access Control (CBAC), object access permissions are determined by real-time situational variables, which dynamically enhances security. 
</span></figcaption></figure><h3 id="content-based-access-control">Content-Based Access Control</h3><p>Content-Based Access Control (CBAC) regulates access based on the attributes or content of the accessed data. This approach is beneficial when access needs to be finely tuned to specific information within a larger dataset. For example, within a payroll system, a manager may have access to the payroll database but is restricted to viewing records only of their direct reports, ensuring the confidentiality of other employees&apos; salary information.</p><p>In a document management system, access can be controlled at a granular level, allowing users to view or edit only certain parts of a document based on its content. For instance, general employees might have access to read a policy document, but only HR personnel can view sections containing sensitive employee data. As another example, in a healthcare system, doctors might have full access to a patient&apos;s medical history, while administrative staff can only see non-medical information such as patient contact details. Specific medical data, like mental health records, might only be accessible to authorized mental health professionals. This level of control is achieved by analyzing the content of the data and applying rules that dictate who can access what information.
Content-Based Access Control enhances security by ensuring users interact only with data relevant to their role and authorization level, thus protecting sensitive information from unauthorized access.</p><p></p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://cyberguidesolutions.com/content/images/2024/05/CBAC2.png" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="1265" height="974" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/05/CBAC2.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/05/CBAC2.png 1000w, https://cyberguidesolutions.com/content/images/2024/05/CBAC2.png 1265w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">In Content-Based Access Control (CBAC), object access permissions are determined by the data&apos;s attributes or contents. </span></figcaption></figure><h3 id="accountability">Accountability</h3><p>Accountability in information security is the ability to trace actions within a system back to the responsible party. This involves maintaining comprehensive audit logs that record who acted, what action was taken, when it occurred, and what resources were involved. These logs are crucial for detecting security incidents, conducting audits, ensuring regulatory compliance, and maintaining system integrity. In other words, accountability ensures that every action within a system can be attributed to a specific user, application, or process, making it easier to identify and address any security issues that may arise.</p><p>Non-repudiation, a critical accountability component, ensures that individuals cannot deny their actions. This is often achieved through digital signatures, secure logging, and other cryptographic methods that provide irrefutable evidence of user activities.
In simpler terms, non-repudiation means that once a user has acted within a system, they cannot later deny doing so. This is important for maintaining the system&apos;s integrity and ensuring all actions can be reviewed and verified.</p><p>For example, in a financial system, accountability mechanisms ensure that every transaction can be traced back to the user who initiated it. This traceability is essential for internal controls and external audits, helping to detect and prevent fraudulent activities. Accountability measures uphold information systems&apos; security, reliability, and trustworthiness by maintaining detailed and tamper-proof logs, ensuring that all actions can be reviewed and verified.</p><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/09/Screen-Shot-2024-09-11-at-7.53.49-PM.png" class="kg-image" alt="Identification, Authentication, Authorization, and Accountability" loading="lazy" width="739" height="729" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/09/Screen-Shot-2024-09-11-at-7.53.49-PM.png 600w, https://cyberguidesolutions.com/content/images/2024/09/Screen-Shot-2024-09-11-at-7.53.49-PM.png 739w" sizes="(min-width: 720px) 720px"></figure>]]></content:encoded></item><item><title><![CDATA[Creating an Application Load Balancer]]></title><description><![CDATA[<p></p><p>An Application Load Balancer (ALB) is a powerful tool that evenly distributes incoming traffic across multiple EC2 instances, preventing any one instance from becoming overwhelmed. 
This not only improves the application&apos;s availability and uptime but also enhances its security and scalability, making it a key component in addressing</p>]]></description><link>https://cyberguidesolutions.com/creating-an-application-load-balancer/</link><guid isPermaLink="false">667591e04a6a363d8eddba62</guid><category><![CDATA[CIA Triad]]></category><category><![CDATA[Cybersecurity]]></category><category><![CDATA[Virtual Servers]]></category><category><![CDATA[AWS]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Mon, 08 Jul 2024 03:43:09 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/06/server-racks-data-center-1.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/06/server-racks-data-center-1.jpg" alt="Creating an Application Load Balancer"><p></p><p>An Application Load Balancer (ALB) is a powerful tool that evenly distributes incoming traffic across multiple EC2 instances, preventing any one instance from becoming overwhelmed. This not only improves the application&apos;s availability and uptime but also enhances its security and scalability, making it a key component in addressing the availability aspect of the CIA triad.</p><p>Application Load Balancers can also automatically adjust traffic distribution based on the application&apos;s load, allowing it to scale horizontally as computing demand fluctuates. Additionally, ALBs can reroute traffic to healthy instances if one or more EC2 instances fail, ensuring fault tolerance and continuous normal operations through redundant virtual servers. By balancing the load across multiple instances, ALBs can improve application performance by reducing response time and preventing overload on any single instance, thereby enhancing performance, reliability, and scalability.</p><p>ALBs play a crucial role in enhancing security by reducing the attack surface and number of entry points. 
They achieve this by centralizing access, integrating with security services, offloading SSL/TLS termination, and providing tight control over network access. A standout security feature is the ability to conduct health checks on specific groups of EC2 instances, ensuring that only healthy instances receive traffic. These features work together to minimize potential vulnerabilities and entry points that attackers can exploit, thereby significantly improving an application&apos;s overall security.</p><p></p><ol><li>I navigated to <em>EC2/Instances</em> and launched and configured a few instances, giving each one a name. From the available image options, I selected &quot;Amazon Linux AWS&quot; as my AMI for this demonstration. Under Architecture, I chose 64-bit (x86), and for the instance type, I selected t2.micro.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/1-Launch-and-Configure-ALB-Instances.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1363" height="1265" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/1-Launch-and-Configure-ALB-Instances.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/1-Launch-and-Configure-ALB-Instances.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/1-Launch-and-Configure-ALB-Instances.png 1363w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="2"><li>While I don&apos;t recommend it for security reasons, I selected &quot;Proceed without a key pair&quot; under the Key pair (login) option this time. A key pair allows secure SSH access to EC2 instances by authenticating users with the private key corresponding to the instance&apos;s public key.
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/2-Keypair-Security-Group.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1359" height="1265" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/2-Keypair-Security-Group.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/2-Keypair-Security-Group.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/2-Keypair-Security-Group.png 1359w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="3"><li>Using a test code block, I configured the User Data option. I then launched the instance before I could view all instances.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/3-User-Data-Launch-Instance-View-All-Instances.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1359" height="1265" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/3-User-Data-Launch-Instance-View-All-Instances.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/3-User-Data-Launch-Instance-View-All-Instances.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/3-User-Data-Launch-Instance-View-All-Instances.png 1359w" sizes="(min-width: 720px) 720px"></figure><p></p><p><strong>Code Block</strong></p><div class="kg-card kg-callout-card kg-callout-card-white"><div class="kg-callout-emoji">&#x1F4A1;</div><div class="kg-callout-text">#!/bin/bash<br># Use this for your user data (script from top to bottom)<br># install httpd (Linux 2 version)<br>yum update -y<br>yum install -y httpd<br>systemctl start httpd<br>systemctl enable httpd<br><code spellcheck="false" style="white-space: pre-wrap;">echo &quot;&lt;h1&gt;Hello World from $(hostname -f)&lt;/h1&gt;&quot; &gt; /var/www/html/index.html</code></div></div><p></p><ol start="4"><li>
I renamed one of my endpoint instances to help distinguish each instance. Under the selected endpoint&apos;s details section, I copied its public IP address to test on a browser.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/4-Rename-EP-Copy-and-Launch-Public-IP-to-test.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1511" height="1265" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/4-Rename-EP-Copy-and-Launch-Public-IP-to-test.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/4-Rename-EP-Copy-and-Launch-Public-IP-to-test.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/4-Rename-EP-Copy-and-Launch-Public-IP-to-test.png 1511w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="5"><li>After pasting the public IP address into a browser, Endpoint-2&apos;s user data is returned, as expected, signifying the instance&apos;s accessibility.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/5-Paste-on-Browser-to-test-Public-IP.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1381" height="1265" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/5-Paste-on-Browser-to-test-Public-IP.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/5-Paste-on-Browser-to-test-Public-IP.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/5-Paste-on-Browser-to-test-Public-IP.png 1381w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="6"><li>I then navigated to the Load Balancers option before selecting &quot;Create load balancer.&quot;</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/6-Navigate-to-Load-Balancers-Create-ALB.png" class="kg-image" alt="Creating an Application Load Balancer"
loading="lazy" width="2000" height="1047" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/6-Navigate-to-Load-Balancers-Create-ALB.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/6-Navigate-to-Load-Balancers-Create-ALB.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/06/6-Navigate-to-Load-Balancers-Create-ALB.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/06/6-Navigate-to-Load-Balancers-Create-ALB.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="7"><li>Selecting the Application Load Balancer: The ALB allows clients to make requests to your application. The listeners in the load balancer receive requests based on the chosen protocol and port settings. The receiving listener checks the incoming request against the defined rules and, if necessary, directs the request to the appropriate target group. Using an HTTPS listener makes it possible to delegate the task of TLS encryption and decryption to a load balancer. Healthy targets in one or more target groups receive traffic according to the load-balancing algorithm and the routing rules specified by the listener. 
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/7-Select-ALB.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1354" height="1265" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/7-Select-ALB.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/7-Select-ALB.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/7-Select-ALB.png 1354w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="8"><li>Navigating to EC2/Load balancer, I configured the ALB&apos;s basic configurations by naming it, specifying Internet facing under the Scheme option, selecting IPv4-IP under the IP address type option, and choosing Default under VPC.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/8-Basic-Config-Internet-facing-IP-Add-Type-VPC.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1350" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/8-Basic-Config-Internet-facing-IP-Add-Type-VPC.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/8-Basic-Config-Internet-facing-IP-Add-Type-VPC.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/8-Basic-Config-Internet-facing-IP-Add-Type-VPC.png 1350w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="9"><li>Under the Network mapping section, I enabled all Availability Zones (AZ) to increase redundancy and fault tolerance. 
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/9-Select-All-Availability-Zones-Under-Network-Mappings.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1350" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/9-Select-All-Availability-Zones-Under-Network-Mappings.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/9-Select-All-Availability-Zones-Under-Network-Mappings.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/9-Select-All-Availability-Zones-Under-Network-Mappings.png 1350w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="10"><li>For this step, I selected <em>Create a new security group</em> to configure the ALB&apos;s virtual firewall to manage inbound and outbound traffic at the network layer.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/10-Select--22create-a-new-security-group-22.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1350" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/10-Select--22create-a-new-security-group-22.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/10-Select--22create-a-new-security-group-22.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/10-Select--22create-a-new-security-group-22.png 1350w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="11"><li>Under EC2/Security Groups, I specified the inbound rules with the <em>HTTP</em> protocol and <em>Anywhere IPv4</em> as the source. Since this ALB will be public-facing, configuring SSH under inbound rules is unnecessary. Once I verified the configurations, I selected the <em>Create Security Group</em> Button at the bottom right side of the page. 
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/11-Create-Security-Group-Inbound-Rules-HTTP-Anwhere-IPV4-Create-Security-Group-Button.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="2000" height="1140" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/11-Create-Security-Group-Inbound-Rules-HTTP-Anwhere-IPV4-Create-Security-Group-Button.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/11-Create-Security-Group-Inbound-Rules-HTTP-Anwhere-IPV4-Create-Security-Group-Button.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/06/11-Create-Security-Group-Inbound-Rules-HTTP-Anwhere-IPV4-Create-Security-Group-Button.png 1600w, https://cyberguidesolutions.com/content/images/2024/06/11-Create-Security-Group-Inbound-Rules-HTTP-Anwhere-IPV4-Create-Security-Group-Button.png 2222w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="12"><li>After selecting the <em>Created ALB</em> option under the Listeners and Routing section, I selected <em>Create Target Group</em>. Specifying the target type, group name, transport protocol and port, and IP address type are some of the necessary configurations to get the ALB to function. </li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/13-Basic-Config.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1375" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/13-Basic-Config.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/13-Basic-Config.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/13-Basic-Config.png 1375w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="13"><li>Next, I specified the VPC and protocol version.
While HTTP2 and gRPC protocols are more advanced and efficient and can be used in more complex situations, I selected HTTP1 since it offers more compatibility with existing web infrastructure (including legacy systems) and applications. For Health checks, I configured &quot;<em>/</em>&quot; to perform health checks at the root before proceeding to the next step by selecting the <em>Next</em> button.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/14-IP-Type-Protocol-health-check-Click-next.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1375" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/14-IP-Type-Protocol-health-check-Click-next.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/14-IP-Type-Protocol-health-check-Click-next.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/14-IP-Type-Protocol-health-check-Click-next.png 1375w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="14"><li>I then added the instances to my target group by selecting the &quot;<em>include as pending review</em>&quot; button. 
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/14-Add-instances-to-target-group-by-clicking-include-as-pending-review.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="2000" height="1049" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/14-Add-instances-to-target-group-by-clicking-include-as-pending-review.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/14-Add-instances-to-target-group-by-clicking-include-as-pending-review.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/06/14-Add-instances-to-target-group-by-clicking-include-as-pending-review.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/06/14-Add-instances-to-target-group-by-clicking-include-as-pending-review.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="15"><li>Under Listeners and Routing, I selected the target group I created. 
I bypassed the <em>Optimize with service integrations</em> options because they are unnecessary for what I need to accomplish.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/15-Add-newly-created-target-group.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1367" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/15-Add-newly-created-target-group.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/15-Add-newly-created-target-group.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/15-Add-newly-created-target-group.png 1367w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="16"><li>To finally create the ALB, I selected the <em>Create load balancer </em>button at the bottom right of the page.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/16-Create-ALB.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1367" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/16-Create-ALB.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/16-Create-ALB.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/16-Create-ALB.png 1367w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="17"><li>Once my application load balancer transitioned to an active state, I copied its public IP address to verify its functionality later with a browser. 
Selecting the ALB and navigating under the <em>Details</em> tab exposes more information, including the ALB&apos;s public IP address.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/17-Once-LB-is-active-in-state-copy-public-IP-.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1513" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/17-Once-LB-is-active-in-state-copy-public-IP-.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/17-Once-LB-is-active-in-state-copy-public-IP-.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/17-Once-LB-is-active-in-state-copy-public-IP-.png 1513w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="18"><li>After pasting the public IP address of my application load balancer into a browser, I tested refreshing the browser multiple times to verify that the ALB switches between virtual servers under the target group, and it successfully did so. 
This proved that the ALB works by evenly distributing incoming network traffic.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/18-Refreshing-browser-toggles-between-instances-in-the-target-group-proving-the-LB-works.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1053" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/18-Refreshing-browser-toggles-between-instances-in-the-target-group-proving-the-LB-works.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/18-Refreshing-browser-toggles-between-instances-in-the-target-group-proving-the-LB-works.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/18-Refreshing-browser-toggles-between-instances-in-the-target-group-proving-the-LB-works.png 1053w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="19"><li>Under EC2/Target groups, I checked and verified that the instances under the target group are healthy. As a test, I stopped one virtual server from operating, causing the application load balancer to load only the healthy instance in the target group. 
This showed that the ALB demonstrated fault tolerance through instance redundancy, which concludes this test.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/06/19-Check-and-verify-instances-in-target-group-are-healthy.-Stopping-one-instance-will-cause-the-LB-to-only-load-the-healthy-instance-under-the-target-group.png" class="kg-image" alt="Creating an Application Load Balancer" loading="lazy" width="1458" height="1267" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/06/19-Check-and-verify-instances-in-target-group-are-healthy.-Stopping-one-instance-will-cause-the-LB-to-only-load-the-healthy-instance-under-the-target-group.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/06/19-Check-and-verify-instances-in-target-group-are-healthy.-Stopping-one-instance-will-cause-the-LB-to-only-load-the-healthy-instance-under-the-target-group.png 1000w, https://cyberguidesolutions.com/content/images/2024/06/19-Check-and-verify-instances-in-target-group-are-healthy.-Stopping-one-instance-will-cause-the-LB-to-only-load-the-healthy-instance-under-the-target-group.png 1458w" sizes="(min-width: 720px) 720px"></figure>]]></content:encoded></item><item><title><![CDATA[Creating an IAM Role]]></title><description><![CDATA[<p></p><ol><li>On the IAM Dashboard, select the role.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/1-IAM-Dashboard-Select-Role-1.png" class="kg-image" alt loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/1-IAM-Dashboard-Select-Role-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/1-IAM-Dashboard-Select-Role-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/1-IAM-Dashboard-Select-Role-1.png 1600w, 
https://cyberguidesolutions.com/content/images/size/w2400/2024/04/1-IAM-Dashboard-Select-Role-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="2"><li>Select the &quot;Create Role&quot; button.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/2-Select-Create-Role-Button-1.png" class="kg-image" alt loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/2-Select-Create-Role-Button-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/2-Select-Create-Role-Button-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/2-Select-Create-Role-Button-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/2-Select-Create-Role-Button-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="3"><li>Select the &quot;Trusted Entity Type.&quot;</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/3-Select-Trusted-Entity-Type-1.png" class="kg-image" alt loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/3-Select-Trusted-Entity-Type-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/3-Select-Trusted-Entity-Type-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/3-Select-Trusted-Entity-Type-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/3-Select-Trusted-Entity-Type-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="4"><li>Select the Service or Use Case.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/4-Select-Service-or-Use-Case-1.png" class="kg-image" alt loading="lazy" width="2000" height="946" 
srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/4-Select-Service-or-Use-Case-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/4-Select-Service-or-Use-Case-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/4-Select-Service-or-Use-Case-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/4-Select-Service-or-Use-Case-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="5"><li>Select EC2. Then, hit the Next button.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/5-Select-EC2-Hit-Next.png" class="kg-image" alt loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/5-Select-EC2-Hit-Next.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/5-Select-EC2-Hit-Next.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/5-Select-EC2-Hit-Next.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/5-Select-EC2-Hit-Next.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="6"><li>Type in &quot;s3read&quot; to select its Policy.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/6-Select-S3Read-JSON.png" class="kg-image" alt loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/6-Select-S3Read-JSON.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/6-Select-S3Read-JSON.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/6-Select-S3Read-JSON.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/6-Select-S3Read-JSON.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="7"><li>Name the IAM role.</li></ol><figure class="kg-card kg-image-card"><img 
src="https://cyberguidesolutions.com/content/images/2024/04/7-Name-IAM-Role.png" class="kg-image" alt loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/7-Name-IAM-Role.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/7-Name-IAM-Role.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/7-Name-IAM-Role.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/7-Name-IAM-Role.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="8"><li>Hit the &quot;</li></ol>]]></description><link>https://cyberguidesolutions.com/creating-an-iam-role-2/</link><guid isPermaLink="false">667592394a6a363d8eddbad2</guid><category><![CDATA[IAM]]></category><category><![CDATA[AWS]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Mon, 08 Jul 2024 03:42:42 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/04/cyber-security-iot-with-technology-team-meeting-programming-working-generative-ai.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/04/cyber-security-iot-with-technology-team-meeting-programming-working-generative-ai.jpg" alt="Creating an IAM Role"><p></p><ol><li>On the IAM Dashboard, select the role.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/1-IAM-Dashboard-Select-Role-1.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/1-IAM-Dashboard-Select-Role-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/1-IAM-Dashboard-Select-Role-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/1-IAM-Dashboard-Select-Role-1.png 1600w, 
https://cyberguidesolutions.com/content/images/size/w2400/2024/04/1-IAM-Dashboard-Select-Role-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="2"><li>Select the &quot;Create Role&quot; button.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/2-Select-Create-Role-Button-1.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/2-Select-Create-Role-Button-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/2-Select-Create-Role-Button-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/2-Select-Create-Role-Button-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/2-Select-Create-Role-Button-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="3"><li>Select the &quot;Trusted Entity Type.&quot;</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/3-Select-Trusted-Entity-Type-1.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/3-Select-Trusted-Entity-Type-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/3-Select-Trusted-Entity-Type-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/3-Select-Trusted-Entity-Type-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/3-Select-Trusted-Entity-Type-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="4"><li>Select the Service or Use Case.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/4-Select-Service-or-Use-Case-1.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="946" 
srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/4-Select-Service-or-Use-Case-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/4-Select-Service-or-Use-Case-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/4-Select-Service-or-Use-Case-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/4-Select-Service-or-Use-Case-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="5"><li>Select EC2. Then, hit the Next button.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/5-Select-EC2-Hit-Next.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/5-Select-EC2-Hit-Next.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/5-Select-EC2-Hit-Next.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/5-Select-EC2-Hit-Next.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/5-Select-EC2-Hit-Next.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="6"><li>Type in &quot;s3read&quot; to select its Policy.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/6-Select-S3Read-JSON.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/6-Select-S3Read-JSON.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/6-Select-S3Read-JSON.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/6-Select-S3Read-JSON.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/6-Select-S3Read-JSON.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="7"><li>Name the IAM 
role.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/7-Name-IAM-Role.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="946" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/7-Name-IAM-Role.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/7-Name-IAM-Role.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/7-Name-IAM-Role.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/7-Name-IAM-Role.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="8"><li>Hit the &quot;Create Role&quot; button.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/8-Create-Role.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="966" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/8-Create-Role.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/8-Create-Role.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/8-Create-Role.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/8-Create-Role.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="9"><li>You can now view the newly created IAM role.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/9-View-New-Role.png" class="kg-image" alt="Creating an IAM Role" loading="lazy" width="2000" height="966" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/9-View-New-Role.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/9-View-New-Role.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/9-View-New-Role.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/9-View-New-Role.png 
2400w" sizes="(min-width: 720px) 720px"></figure><p></p><p></p>]]></content:encoded></item><item><title><![CDATA[Accessing the EC2 Instance Connect Linux Terminal]]></title><description><![CDATA[<p></p><p>The AWS EC2 Instance Connect feature allows you to run commands on your EC2 instance remotely as if you were physically present at the server. Using the SSH protocol, you can securely transfer files between your local machine and the EC2 instance using the SCP (Secure Copy Protocol) or SFTP</p>]]></description><link>https://cyberguidesolutions.com/accessing-the-ec2-instance-connect/</link><guid isPermaLink="false">667591e04a6a363d8eddba5f</guid><category><![CDATA[Linux]]></category><category><![CDATA[AWS]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Mon, 08 Jul 2024 03:41:40 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/04/pikaso_enhance_pikaso.jpeg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/04/pikaso_enhance_pikaso.jpeg" alt="Accessing the EC2 Instance Connect Linux Terminal"><p></p><p>The AWS EC2 Instance Connect feature allows you to run commands on your EC2 instance remotely as if you were physically present at the server. Using the SSH protocol, you can securely transfer files between your local machine and the EC2 instance using the SCP (Secure Copy Protocol) or SFTP (SSH File Transfer Protocol) options.</p><p></p><ol><li>Select and start a server. 
If you haven&apos;t created a server, please refer to my article explaining the steps for launching and configuring an EC2 instance.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/1-Start-Server-1.png" class="kg-image" alt="Accessing the EC2 Instance Connect Linux Terminal" loading="lazy" width="2000" height="891" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/1-Start-Server-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/1-Start-Server-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/1-Start-Server-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/1-Start-Server-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="2"><li>Add SSH as an inbound rule in the server&apos;s security group, which is listed under the server&apos;s Security tab. The inbound rule lets SSH connections reach the instance, and SSH itself creates a secure, encrypted channel over an unsecured network like the Internet. This encryption ensures that malicious actors cannot intercept or eavesdrop on any data transmitted between the client (your local computer) and the server (in this case, the EC2 instance).
This level of security means that sensitive information, such as passwords and commands, is kept safe from prying eyes.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/2-Add-SSH-to-Inbound-rules-1.png" class="kg-image" alt="Accessing the EC2 Instance Connect Linux Terminal" loading="lazy" width="2000" height="419" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/2-Add-SSH-to-Inbound-rules-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/2-Add-SSH-to-Inbound-rules-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/2-Add-SSH-to-Inbound-rules-1.png 1600w, https://cyberguidesolutions.com/content/images/2024/04/2-Add-SSH-to-Inbound-rules-1.png 2300w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="3"><li>When the server is selected, click the &quot;Connect&quot; button on the upper right-hand side.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/3-Connect-Button.png" class="kg-image" alt="Accessing the EC2 Instance Connect Linux Terminal" loading="lazy" width="2000" height="968" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/3-Connect-Button.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/3-Connect-Button.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/3-Connect-Button.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/04/3-Connect-Button.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="4"><li>You can now select the &quot;Connect&quot; button on the lower left-hand side to access the server&apos;s Linux terminal. To connect to your instance, choose the &quot;EC2 Instance Connect&quot; option for now.
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/4-Connect-to-Instance.png" class="kg-image" alt="Accessing the EC2 Instance Connect Linux Terminal" loading="lazy" width="1041" height="885" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/4-Connect-to-Instance.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/4-Connect-to-Instance.png 1000w, https://cyberguidesolutions.com/content/images/2024/04/4-Connect-to-Instance.png 1041w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="5"><li>Accessing the AWS Linux terminal through the EC2 Instance Connect function is a convenient alternative to using OpenSSH for Windows or SSH for macOS and Linux. As you can see below, you can now execute commands after being granted remote access to the server.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/04/5-Amazon-Linux-Terminal.png" class="kg-image" alt="Accessing the EC2 Instance Connect Linux Terminal" loading="lazy" width="1741" height="911" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/04/5-Amazon-Linux-Terminal.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/04/5-Amazon-Linux-Terminal.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/04/5-Amazon-Linux-Terminal.png 1600w, https://cyberguidesolutions.com/content/images/2024/04/5-Amazon-Linux-Terminal.png 1741w" sizes="(min-width: 720px) 720px"></figure>]]></content:encoded></item><item><title><![CDATA[Security Groups]]></title><description><![CDATA[<p></p><p>This resource shows how cloud firewalls work. 
In AWS, you can customize an EC2 instance&apos;s firewall to meet an organization&apos;s security requirements.</p><ol><li>Launch an existing EC2 instance by navigating to Instance State, then select Start Instance.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/1.png" class="kg-image" alt loading="lazy" width="2000" height="993" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="2"><li> Once the selected EC2 instance runs, you can access its</li></ol>]]></description><link>https://cyberguidesolutions.com/creating-security-groups/</link><guid isPermaLink="false">667591e04a6a363d8eddba5d</guid><category><![CDATA[ACL]]></category><category><![CDATA[Cybersecurity]]></category><category><![CDATA[AWS]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Mon, 08 Jul 2024 03:41:25 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/03/cyber-security-data-protection-cyberattacks-concept-blue-background.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/03/cyber-security-data-protection-cyberattacks-concept-blue-background.jpg" alt="Security Groups"><p></p><p>This resource shows how cloud firewalls work. 
In AWS, you can customize an EC2 instance&apos;s firewall to meet an organization&apos;s security requirements.</p><ol><li>Launch an existing EC2 instance by navigating to Instance State, then select Start Instance.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/1.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="993" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="2"><li> Once the selected EC2 instance runs, you can access its public IP to verify that the server works.  You can access the instance&apos;s public IP under the Details tab.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/2.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="993" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/2.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/2.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/2.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/2.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="3"><li> If the EC2 instance was configured with a script under its user data, its output will be displayed on a browser page. You can refer to my &quot;Creating an EC2 Instance&quot; article for the steps in configuring a script for the instance&apos;s user data. 
As you can see, this particular instance&apos;s inbound rules make it publicly accessible to any source on the Internet, which is a serious security issue.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/3.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="993" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/3.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/3.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/3.png 1600w, https://cyberguidesolutions.com/content/images/2024/03/3.png 2000w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="4"><li>Selecting the &quot;Security&quot; tab shows the inbound and outbound rules of the security group assigned to the EC2 instance. In this case, you can see that the server allows any IP source, indicated by an IP address and subnet of 0.0.0.0/0 under &quot;Source,&quot; to access the server on port 80, as configured under &quot;Port Range.&quot;
To reconfigure the selected instance&apos;s inbound rules, select its specific security group by clicking the &quot;Security groups&quot; link under the Security tab.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/4.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="993" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/4.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/4.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/4.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/4.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="5"><li>After selecting the instance&apos;s security group, navigate to the &quot;Inbound rules&quot; tab to view how the server&apos;s inbound rules are configured.  You can see that any IP address and subnet source, signified by how 0.0.0.0/0 was configured under &quot;Source,&quot; can access the instance from the internet, which is unsecured and prone to attacks.    
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/5.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="993" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/5.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/5.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/5.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/5.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="6"><li>You can address an instance&apos;s unsecured inbound rules by opening &quot;Edit inbound rules&quot; in one of two ways: select &quot;Actions&quot; from the drop-down menu on the upper right-hand side of the selected security group, or select the &quot;Inbound Rules&quot; tab and click the &quot;Edit Inbound Rules&quot; button on the lower right-hand side for the security group that needs to be reconfigured.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/6.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="991" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/6.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/6.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/6.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/6.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="7"><li>Since the current EC2 instance&apos;s inbound rule is unsecured, we will delete it, removing the configured 0.0.0.0/0 IP source. An EC2 instance&apos;s inbound rules function similarly to a hardware network firewall; however, unlike a hardware network firewall, they are based in the cloud, which is impressive.
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/7.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="991" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/7.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/7.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/7.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/7.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="8"><li>We just removed the instance&apos;s unsecured inbound rule. To implement the change in the inbound rules, click the &quot;Save&quot; button. Once the change is saved, no one can access the instance over the public internet. While we&apos;ve secured the instance, we&apos;ve also made it unavailable to the public, making the third aspect of the CIA triad, &quot;Availability,&quot; non-existent.
This is not where we should stop since cybersecurity must balance security and convenience.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/8.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="991" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/8.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/8.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/8.png 1600w, https://cyberguidesolutions.com/content/images/2024/03/8.png 2000w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="9"><li> As we can see, there are no rules under the instance&apos;s Inbound rules.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/9-1.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="991" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/9-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/9-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/9-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/9-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="10"><li>To verify that we indeed cannot access the EC2 instance using its public IP address, we copy and paste its public IP into a browser&apos;s address bar.  Now, you can see that the cloud server fails to load, confirming that we no longer have access to it.  
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/10-1.png" class="kg-image" alt="Security Groups" loading="lazy" width="2000" height="991" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/10-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/10-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/10-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/10-1.png 2400w" sizes="(min-width: 720px) 720px"></figure>]]></content:encoded></item><item><title><![CDATA[Creating an EC2 Instance]]></title><description><![CDATA[<p></p><h3 id="to-launch-an-instance-on-aws-follow-these-steps">To launch an instance on AWS, follow these steps:</h3><p></p><p>1. Navigate to the Services menu on the top left of the dashboard.</p><p>2. Choose Compute, then EC2, and then Instances.</p><p>3. Click on Launch Instances on the top right.</p><p>4. Name your server and select an Amazon Machine Image (AMI)</p>]]></description><link>https://cyberguidesolutions.com/creating-an-ec2-instance/</link><guid isPermaLink="false">667591e04a6a363d8eddba5b</guid><category><![CDATA[Virtual Servers]]></category><category><![CDATA[AWS]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Fri, 01 Mar 2024 06:13:52 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/03/server-rack-inside-data-center.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/03/server-rack-inside-data-center.jpg" alt="Creating an EC2 Instance"><p></p><h3 id="to-launch-an-instance-on-aws-follow-these-steps">To launch an instance on AWS, follow these steps:</h3><p></p><p>1. Navigate to the Services menu on the top left of the dashboard.</p><p>2. Choose Compute, then EC2, and then Instances.</p><p>3. Click on Launch Instances on the top right.</p><p>4. 
Name your server and select an Amazon Machine Image (AMI).</p><p>5. You can select an operating system (OS) type before choosing an AMI specific to your chosen OS.</p><p>6. Once you&apos;ve selected an AMI, you can choose either an Intel-based CPU architecture, which is commonly used and offers a wide range of software compatibility, or an Advanced RISC Machines (Arm)-based CPU architecture, which is known for its energy efficiency and is licensed to companies like Apple.</p><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-1-2.png" class="kg-image" alt="Creating an EC2 Instance" loading="lazy" width="1278" height="1131" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/EC2-Step-1-2.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/EC2-Step-1-2.png 1000w, https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-1-2.png 1278w" sizes="(min-width: 720px) 720px"></figure><ol start="7"><li>Choose an instance type that matches your computing, memory, networking, or storage needs. Your instance type will determine the server&apos;s hardware capacity and resources. It&apos;s a crucial decision that impacts the performance and cost of running your instance. If you need assistance making this decision, click the &quot;Get advice&quot; hyperlink next to &quot;Info.&quot;</li><li>Choose a key pair once you have selected your instance type. A key pair is a set of cryptographic keys AWS uses to authenticate and secure your connection to your instance. It consists of a public key that AWS stores and a private key that you store. The private key is required to connect to your instance securely. Remember, you&apos;re in control of your security, so store your key pair in a safe and easily accessible location before launching your instance. If you are not using Windows instances, I recommend selecting RSA. 
For the private key format, you can use .pem unless you are using older operating systems such as Windows 7 or 8.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-3-1.png" class="kg-image" alt="Creating an EC2 Instance" loading="lazy" width="600" height="628" srcset="https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-3-1.png 600w"></figure><ol start="9"><li>After selecting your key pair, it&apos;s time to choose a security group under Network settings. A security group is a virtual firewall that controls inbound and outbound traffic for your instance. It acts as a barrier that allows or blocks traffic based on the rules you define. Inbound rules control incoming traffic to your instance, while outbound rules control outgoing traffic from your instance. You can assign one or more security groups to your instance. If you assign multiple security groups, all rules will be evaluated to regulate inbound and outbound traffic. If no value is specified, the value of the source template will be used. If the template value is not specified, the default API value will be used. 
I recommend selecting the &quot;Allow SSH traffic from&quot; option and specifying an IP address to connect to your instance securely for remote configuration.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-2.png" class="kg-image" alt="Creating an EC2 Instance" loading="lazy" width="1278" height="1148" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/EC2-Step-2.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/EC2-Step-2.png 1000w, https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-2.png 1278w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="10"><li>You now have the option to specify the storage preferences for the instance.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/Screen-Shot-2024-03-02-at-9.05.51-PM.png" class="kg-image" alt="Creating an EC2 Instance" loading="lazy" width="810" height="441" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/Screen-Shot-2024-03-02-at-9.05.51-PM.png 600w, https://cyberguidesolutions.com/content/images/2024/03/Screen-Shot-2024-03-02-at-9.05.51-PM.png 810w" sizes="(min-width: 720px) 720px"></figure><p></p><p>11. Navigate to User Data under Advanced Details and paste the script below, which will deploy an Apache Web Server with a basic web page.</p><pre><code class="language-shellscript">#!/bin/bash
# EC2 user data script (paste the whole script, top to bottom)
# Install the Apache web server, httpd (Amazon Linux 2 version)
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo &quot;&lt;h1&gt;Creating an EC2 $(hostname -f)&lt;/h1&gt;&quot; &gt; /var/www/html/index.html</code></pre><p></p><ol start="12"><li>Enter the number of instances you want to launch. You can specify more than one instance for launch, but all will use the same configuration. It&apos;s best to break up large requests into smaller batches to launch instances faster. An example would be creating five separate launch requests for 100 instances each instead of one for 500 instances. Once you&apos;ve verified everything, select the &quot;Launch Instance&quot; button.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-4.png" class="kg-image" alt="Creating an EC2 Instance" loading="lazy" width="366" height="792"></figure><ol start="13"><li>You can select the specific instance you&apos;ve launched to view networking and other details.</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-5-2-1.png" class="kg-image" alt="Creating an EC2 Instance" loading="lazy" width="2000" height="945" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/EC2-Step-5-2-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/EC2-Step-5-2-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/EC2-Step-5-2-1.png 1600w, https://cyberguidesolutions.com/content/images/size/w2400/2024/03/EC2-Step-5-2-1.png 2400w" sizes="(min-width: 720px) 720px"></figure><p></p><ol start="14"><li> Copy and paste the instance&apos;s public IP onto a new tab to test. You should now see your Apache Web Server with a basic web page.
</li></ol><figure class="kg-card kg-image-card"><img src="https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-6-1.png" class="kg-image" alt="Creating an EC2 Instance" loading="lazy" width="2000" height="945" srcset="https://cyberguidesolutions.com/content/images/size/w600/2024/03/EC2-Step-6-1.png 600w, https://cyberguidesolutions.com/content/images/size/w1000/2024/03/EC2-Step-6-1.png 1000w, https://cyberguidesolutions.com/content/images/size/w1600/2024/03/EC2-Step-6-1.png 1600w, https://cyberguidesolutions.com/content/images/2024/03/EC2-Step-6-1.png 2000w" sizes="(min-width: 720px) 720px"></figure><p></p>]]></content:encoded></item><item><title><![CDATA[High Availability and Scalability]]></title><description><![CDATA[<p></p><p>Understanding scalability in cloud computing is crucial since it allows an application or system to expand its resources to meet critical needs through vertical and horizontal scaling, the latter of which affects high availability.</p><p></p><h3 id="high-availability">High Availability</h3><p></p><p>Horizontal scaling, unlike vertical scalability, directly contributes to high availability. 
As the number of</p>]]></description><link>https://cyberguidesolutions.com/high/</link><guid isPermaLink="false">667591e04a6a363d8eddba5c</guid><category><![CDATA[CIA Triad]]></category><category><![CDATA[Cybersecurity]]></category><category><![CDATA[AWS]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Fri, 01 Mar 2024 06:13:31 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/03/growth-strategy-business-graph-analysis-concept-ai-generation.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/03/growth-strategy-business-graph-analysis-concept-ai-generation.jpg" alt="High Availability and Scalability"><p></p><p>Understanding scalability in cloud computing is crucial since it allows an application or system to expand its resources to meet critical needs through vertical and horizontal scaling, the latter of which affects high availability.</p><p></p><h3 id="high-availability">High Availability</h3><p></p><p>Horizontal scaling, unlike vertical scalability, directly contributes to high availability. As the number of servers increases, so does availability, reducing latency and increasing redundancy. Operating an application or system in multiple Availability Zones is an effective way to achieve high availability, as it mitigates the risk of data center loss due to natural or man-made disasters, aligning with business continuity and disaster recovery plans.&#xA0;&#xA0;</p><p></p><h3 id="vertical-scalability">Vertical Scalability&#xA0;</h3><p></p><p>Vertical scalability, also known as scaling up, can meet an increased demand for application or system resources by increasing the size of a cloud instance. For instance, upgrading from a t2.micro instance with 1 vCPU and 1 GiB RAM to a t2.xlarge EC2 instance with 4 vCPU and 16 GiB RAM to accommodate a demand increase is an example of vertical scalability. 
This type of scalability is commonly used in non-distributed systems like databases.</p><p></p><h3 id="horizon-scalability">Horizontal Scalability&#xA0;</h3><p></p><p>Horizontal scalability can address availability requirements by scaling in (decreasing the number of instances) or scaling out (increasing the number of instances). A situation with a sudden increased demand for application, system, or compute resources benefits from automatically increasing the number of instances quickly. Conversely, a decrease in server demand will cause a reduction in the number of instances automatically. Scaling in or out is critical to optimizing availability and adapting to the ever-changing needs of cloud resources. Setting up an Auto Scaling Group configured to maintain a specific number of instances at all times, automatically scaling in or out from the set number of instances, makes horizontal scalability possible. To prevent overtaxing any particular instance from incoming requests, configuring a load balancer to optimally route incoming traffic for cloud resources across EC2 instances inside an Auto Scaling Group makes horizontal scalability more efficient and effective.</p><p></p><h3 id="scalability-vs-elasticity-vs-agility">Scalability vs. Elasticity vs. Agility</h3><p></p><p>Scalability can be achieved by adding more servers to the existing infrastructure (scale out) or upgrading the hardware of the existing servers (scale up) to meet the growing demands of the users. The ultimate goal of scalability is to ensure that the system remains efficient and effective even as the user demand changes.</p><p>Elasticity is a critical feature that allows your infrastructure to adapt to changing demand by quickly acquiring or releasing resources once scalability is achieved. With this auto-scaling capability, your cloud-based resources can quickly scale in and out, optimizing costs and efficiency. 
This feature enables cost savings by allowing for pay-per-use and match-demand models, ensuring that you only pay for what you need and when needed.</p><p>Agility allows new IT resources to be provided to developers quickly and efficiently, which is a crucial aspect of modern software development. Companies can ensure that new resources are only a click away, reducing the time it takes to make them available from weeks to mere minutes. This results in faster and more efficient software development processes that can keep pace with the demands of today&apos;s rapidly changing business landscape.</p><p></p><p></p>]]></content:encoded></item><item><title><![CDATA[CIA Triad]]></title><description><![CDATA[<p></p><h3 id="confidentiality">Confidentiality</h3><p></p><p>Confidentiality ensures that sensitive information is only accessible to authorized individuals. For instance, in a hospital setting, patient records are confidential and can only be accessed by authorized healthcare professionals. Unauthorized individuals, such as other patients or visitors, must not access these sensitive records.</p><h3 id="integrity">Integrity</h3><p></p><p>Data integrity is the</p>]]></description><link>https://cyberguidesolutions.com/cia-triad/</link><guid isPermaLink="false">667591e04a6a363d8eddba5a</guid><category><![CDATA[Cybersecurity]]></category><category><![CDATA[CIA Triad]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Tue, 27 Feb 2024 06:21:24 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/03/cyber-security-privacy-concept-data-protection.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/03/cyber-security-privacy-concept-data-protection.jpg" alt="CIA Triad"><p></p><h3 id="confidentiality">Confidentiality</h3><p></p><p>Confidentiality ensures that sensitive information is only accessible to authorized individuals. 
For instance, in a hospital setting, patient records are confidential and can only be accessed by authorized healthcare professionals. Unauthorized individuals, such as other patients or visitors, must not access these sensitive records.</p><h3 id="integrity">Integrity</h3><p></p><p>Data integrity is the practice of protecting data and information from unauthorized modification. It ensures that data remains unaltered both while at rest and during transit. For instance, if test scores were to be changed in a math exam, it could lead to unfair outcomes and loss of trust in the examination system. We can ensure data integrity using various tools, such as hashes or checksums, data validation, digital signatures, access controls, and logs. For example, the hashes or checksums before and after transit must match to ensure that the data&apos;s integrity is not compromised. Another example is how digital signatures offer a secure way to verify the authenticity and integrity of digital documents or messages.</p><h3 id="availability">Availability</h3><p></p><p>Cybersecurity is not only about protecting data but also ensuring that it is always available. This property is known as availability, and it involves guaranteeing access to data and information by keeping resources such as servers, networks, computers, and other systems and network resources accessible. However, threats like system failures, cyber-attacks, or natural disasters can disrupt availability. Therefore, maintaining critical data and systems availability as much as possible is crucial for a business&apos;s profitability, people&apos;s well-being, and many other benefits.</p>]]></content:encoded></item><item><title><![CDATA[Cybersecurity: A Balance Between Security and Convenience]]></title><description><![CDATA[<p></p><p>Juggling security and convenience can be a real challenge. Getting it right is essential, but it can be challenging. Security measures can do the job, but they can also make things more complicated. 
Sometimes, prioritizing convenience can leave us open to attacks. Whether security or convenience should come first depends</p>]]></description><link>https://cyberguidesolutions.com/a-balance-between-security-and-convenience/</link><guid isPermaLink="false">667591e04a6a363d8eddba58</guid><category><![CDATA[CIA Triad]]></category><category><![CDATA[Cybersecurity]]></category><dc:creator><![CDATA[Kahlil James Ganih]]></dc:creator><pubDate>Mon, 26 Feb 2024 00:08:11 GMT</pubDate><media:content url="https://cyberguidesolutions.com/content/images/2024/03/law-justice-concept-digital-world-generative-ai.jpg" medium="image"/><content:encoded><![CDATA[<img src="https://cyberguidesolutions.com/content/images/2024/03/law-justice-concept-digital-world-generative-ai.jpg" alt="Cybersecurity: A Balance Between Security and Convenience"><p></p><p>Juggling security and convenience can be a real challenge. Getting it right is essential, but it can be challenging. Security measures can do the job, but they can also make things more complicated. Sometimes, prioritizing convenience can leave us open to attacks. Whether security or convenience should come first depends on the situation. Just remember that finding the right balance is an ongoing process. We need to be adaptable and flexible to keep things in check. The goal is to have adequate security that minimizes risks while maximizing convenience.</p><p></p><p>Cybersecurity measures are essential to protect businesses, jobs, health, and lives worldwide. 
Here are some examples that showcase the adverse outcomes of inadequate cybersecurity measures:</p><p></p><h3 id="equifax-data-breach-2017">Equifax Data Breach (2017):</h3><p></p><p>One of the most prominent credit reporting agencies, Equifax, suffered from a massive data breach that exposed the personal information of over 147 million people.</p><p><strong>Financial Losses:</strong>&#xA0;Equifax faced significant financial losses due to lawsuits, regulatory fines, and a drop in its stock price.</p><p><strong>Reputation Damage:</strong>&#xA0;The incident severely damaged Equifax&apos;s reputation and trust among consumers.</p><p></p><h3 id="wannacry-ransomware-attack-2017">WannaCry Ransomware Attack (2017):</h3><p></p><p>The WannaCry ransomware attack impacted healthcare systems, including the UK&apos;s National Health Service (NHS), causing widespread disruption. Hospitals had to cancel appointments and redirect patients due to the inability to access critical systems.</p><p><strong>Lives Affected:</strong>&#xA0;Patients&apos; lives were directly affected as patient care was delayed or compromised, highlighting the real-world consequences of cyberattacks on healthcare infrastructure.</p><p></p><h3 id="solarwinds-supply-chain-attack-2020">SolarWinds Supply Chain Attack (2020):</h3><p></p><p>The SolarWinds supply chain attack infiltrated numerous government agencies and corporations worldwide, compromising the software supply chain.</p><p><strong>National Security Implications:</strong>&#xA0;The incident raised concerns about national security as sensitive government agencies, including the US Department of Defense and the Department of Homeland Security, were compromised.</p><p><strong>Job Implications:</strong>&#xA0;The incident led to increased scrutiny of supply chain security practices, which may lead to potential job changes for cybersecurity professionals.</p><p></p><h3 id="colonial-pipeline-ransomware-attack-2021">Colonial Pipeline Ransomware Attack (2021):</h3><p></p><p>The 
ransomware attack on Colonial Pipeline disrupted fuel supplies along the East Coast, leading to panic buying and fuel shortages.</p><p><strong>Economic Consequences:</strong>&#xA0;The attack had significant consequences due to disrupted fuel distribution and increased fuel prices.</p><p><strong>Public Safety Concerns:</strong>&#xA0;The incident raised concerns about the vulnerability of critical infrastructure to cyberattacks and underscored the potential risks to public safety.</p><p></p><p>These examples show inadequate cybersecurity measures can negatively affect businesses, jobs, health, and lives worldwide. Therefore, organizations must prioritize cybersecurity measures and invest in robust defenses to prevent such incidents from happening in the future.</p>]]></content:encoded></item></channel></rss>