Bill Carver

Bill Carver has more than two decades of information security experience. Prior to joining NetSPI, he helped establish consulting services capabilities at Optiv and FishNet Security, focusing on the evaluation and improvement of information security programs. He has also held information security roles at Merck and CitiFinancial. Bill has developed a wide range of security experience, ranging from technical to programmatic, and he is truly passionate about helping organizations improve their security posture while delivering value to their clients and shareholders.
More by Bill Carver
Best Practices to Protect Your Organization's Cloud Assets (webinar, February 26, 2020)

Nearly every organization is talking about moving to the Cloud, developing a strategy to move to the Cloud, moving to the Cloud, or already all in on the Cloud. Join two of NetSPI’s cloud security experts, Practice Director Karl Fosaaen and CISO/Managing Director Bill Carver to learn if your cloud assets are as protected as you think.
Threat & Vulnerability Management: Where Do You Rank? (webinar, February 22, 2020)

Are you working to improve your organization’s security maturity level, but not sure where to start? Want to ensure you can answer that middle-of-the-night text with steps you are taking to avoid the Spectre Meltdown?

In this webinar, we cover:

  • How to begin assessing your organization’s security maturity
  • Core components to begin scoring your security maturity
  • An example executive summary report to give visibility across your organization

Your Cloud Assets are Probably Not as Secure as You Think They Are (blog post, November 25, 2019)

Despite a plethora of available tools and resources, there are still many ways to configure cloud services incorrectly. According to a Wall Street Journal article published earlier this year, research and advisory firm Gartner Inc. estimated that up to 95% of cloud breaches occur due to human errors such as configuration mistakes. Not surprisingly, there have been frequent public and private cloud breaches, even for organizations with significant resources and mature security programs.
So what can we do about it?

Based on many discussions with our clients, NetSPI has identified a number of common security issues that span different cloud platforms, environments, and even vertical markets:

  • Lack of multi-factor authentication – A cloud breach is often achieved by using common vulnerabilities, public data exposures, and active credential guessing attacks, for example by enumerating a potential email address from a public data source and guessing credentials. You may find it surprising that many cloud services do not use multi-factor authentication right out of the box.
  • Integration of cloud and on-premise networks – Integrating cloud and on-premise environments makes it easier to migrate resources, users, and accounts out to a cloud provider. However, it does increase risk, especially if federated authentication, shared user accounts, and the same Active Directory environment are used. This makes it much easier for attackers to pivot into traditional (often less secure) network resources once they have gained access to the cloud.
  • Poor permission configuration – Security can sometimes take a back seat when developers are trying to be agile, and for simplicity accounts end up over-permissioned. This is a growing problem, in part because of the increasing popularity of public repositories and Internet services like GitHub to manage code and configurations. This has led to a rise in accidental pastes of copied user names and passwords on the Internet, which can be leveraged by malicious actors.

How You Can Protect Yourself

With these issues in mind, what steps can you take to improve your cloud security? First, it’s important to practice proper cloud hygiene at the outset by: (a) clearly defining requirements, (b) isolating development, staging, and production environments, and (c) limiting privileges in all environments to guard against escalation by malicious actors.

Second, NetSPI recommends pentesting regularly and fully. This includes penetration testing all layers of your environment and using cloud configuration reviews to evaluate how well the security controls your cloud provider has available are actually protecting your cloud application(s). Traditional penetration testing does not go deep enough when you are running cloud applications, which is why more rigorous cloud penetration testing is critical.

In addition to the common insights gained from an external penetration test, a cloud penetration test goes much further to include testing on cloud hosts and services. Internal network layer testing of virtual machines and services from the cloud virtual networks is included, as well as external network layer testing of externally exposed services. In addition, a configuration review of cloud services also covers firewall rules, access controls (IAM/RBAC) of users/roles/groups/policies, and the cloud services in use (storage, databases, etc.).

Recommendations for Undertaking Cloud Penetration Testing

It’s clear that full and regular pentesting is a sure-fire way to improve the security of your applications and data residing in the cloud and ultimately your on-premise network if both environments are closely integrated. If you are planning on undertaking cloud penetration testing, NetSPI recommends the following best practices:

  • Ensure systems and services are updated and patched in accordance with industry/vendor recommendations
  • Verify that identity and access management (IAM) and role-based access control (RBAC) roles are assigned appropriately, are not over-permissioned, and leave no path to permission escalation
  • Use security groups and firewall rules to limit access between services and virtual machines
  • Ensure that sensitive information is not written in clear text to any cloud storage services and encrypt data prior to storage
  • Verify user permissions for any cloud storage containing sensitive data and ensure that the rules represent only the users who require access to the storage
  • Ensure only the appropriate parties have access to key material for decryption purposes
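As an added example (not NetSPI's code or tooling), the following Python script applies the IAM/RBAC recommendation above to constructed AWS IAM policy documents: it flags over-broad grants and statements that would let a principal widen its own permissions. The self-grant action list is an assumption of the example, illustrative rather than exhaustive, and the sample policies are constructed.

```python
import fnmatch
import json

# Illustrative, not exhaustive: IAM actions that let a principal widen its own
# permissions. This list is an assumption of the example, not a NetSPI list.
SELF_GRANT_ACTIONS = {
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:attachgrouppolicy",
    "iam:putuserpolicy", "iam:putrolepolicy", "iam:putgrouppolicy",
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
}


def _as_list(value):
    # IAM allows a bare string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return findings (strings) for one IAM policy document (parsed JSON)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        if "NotAction" in stmt:
            findings.append(f"stmt {i}: NotAction allows everything not listed; review by hand")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if "*" in actions and "*" in resources:
            findings.append(f"stmt {i}: full administrative access (Action * on Resource *)")
        elif wildcard_actions:
            findings.append(f"stmt {i}: service-wide wildcard action(s) {wildcard_actions}")
        elif "*" in resources:
            findings.append(f"stmt {i}: explicit actions but Resource * (scope to ARNs)")
        # Escalation check: does any allowed action pattern cover a self-grant action?
        escalating = sorted(
            real for real in SELF_GRANT_ACTIONS
            if any(fnmatch.fnmatchcase(real, pat) for pat in actions)
        )
        if escalating:
            findings.append(f"stmt {i}: can widen own permissions via {escalating}")
    return findings


# Constructed sample policies (not taken from any real account).
SAMPLE_POLICIES = {
    "dev-helper": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "app-reader": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]}]},
    "iam-ops": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}]},
}


def audit_all(policies: dict = SAMPLE_POLICIES) -> dict:
    """Map policy name -> findings; an empty list means nothing was flagged."""
    return {name: audit_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    print(json.dumps(audit_all(), indent=2))
```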

One Last Thought

As a security vendor, we hear statements every day like, “Cloud doesn’t change anything from a security perspective because it’s all the same stuff, just in a different place” or “My cloud provider takes care of security.” In the rush to embrace cloud and its advantages, some security best practices have fallen by the wayside. Now’s the time to refocus on securing assets by working proactively with your cloud services provider and cloud penetration testing regularly. The last thing you want is to be included in those ever-increasing cloud breach statistics.

Learn about NetSPI’s cloud penetration testing services for AWS, Azure, and Google Cloud.

