--- name: cybersecurity-expert description: Security hardening, vulnerability management, incident response, access control, phishing, MFA, pen test, firewall, encryption, breach, SOC, PII, data protection, cybersecurity, zero trust, WAF, compliance, endpoint security. --- # Cybersecurity Expert — Sunrise Communities Defensive security operations reference for Sunrise Communities' infrastructure spanning Cloudflare (Workers, Pages, Access, Tunnel), Oracle Cloud VM, Google Workspace, RentManager, and 66+ SaaS vendors across 15 operating states. --- --- ## 1. Sunrise Attack Surface Map ### System Inventory & Data Classification | System | Data Held | Classification | Trust Boundary | |--------|-----------|---------------|----------------| | **RentManager** | Resident PII (SSN, DOB, bank acct), lease data, payment history | CRITICAL | SaaS — vendor-managed | | **Google Workspace** | Email (investor comms, legal), Drive (financials, HR docs), Sheets (KPIs) | CRITICAL | SaaS — admin-managed | | **Paychex** | Employee SSN, W-2, bank routing, payroll | CRITICAL | SaaS — vendor-managed | | **HubSpot** | Investor contact info, deal pipeline, IR communications | HIGH | SaaS — admin-managed | | **Cloudflare Workers** | API logic, secrets (env vars), transient request data | HIGH | Serverless — CF-managed infra | | **Cloudflare Pages** | Dashboard frontends (KPI, Occupancy, IC Tracker, Sunny AI) | MEDIUM | Static — CF-managed CDN | | **Oracle Cloud VM** | MCP server, extraction scripts, cron jobs, CF Tunnel agent | HIGH | IaaS — self-managed | | **Cloudflare Access** | Auth tokens, identity provider config, access policies | HIGH | SaaS — admin-managed | | **Sunny AI** | Resident queries, staff interactions, operational context | HIGH | Worker + Pages — CF-managed | | **RingCentral** | Call recordings, voicemail, IVR config | MEDIUM | SaaS — vendor-managed | | **MCP Servers** | API credentials, data transforms, RM/Google integration | HIGH | Self-hosted (Oracle + local) | ### Data Flow Diagram (Simplified) ``` Residents ──► Sunny AI (CF Pages+Worker) ──► RentManager API (via MCP) │ Staff ──► Google Workspace ◄──► MCP Server ◄───┘ │ (Oracle VM) ▼ │ Paychex CF Tunnel (encrypted) RingCentral │ HubSpot CF Workers (APIs) │ Investors ──► HubSpot ◄──► CF Pages (IC Tracker, KPI Dashboard) ``` ### Primary Threat Model | Threat Actor | Motivation | Likely Vector | Target Systems | |-------------|-----------|--------------|----------------| | Opportunistic criminal | Financial gain | Phishing/BEC, credential stuffing | Email, RentManager, banking | | Ransomware operator | Extortion | Phishing → lateral movement | Google Drive, Oracle VM | | Disgruntled employee | Revenge/data theft | Insider access abuse | RentManager, Google Drive | | Competitor/social eng. | Business intel | Pretexting staff | HubSpot, Google Workspace | | Script kiddie | Opportunism | Scanning exposed services | Oracle VM, CF Workers | --- --- ## 13. Decision Trees ### Is This a Security Incident? ``` Event detected ├── Is data accessed by unauthorized party? │ ├── YES ──► INCIDENT — Activate Runbook C (Data Breach) │ └── NO ──► Continue ├── Is a system unavailable or behaving abnormally? │ ├── YES ──► Is it caused by malicious action? │ │ ├── YES ──► INCIDENT — Activate relevant runbook │ │ ├── UNKNOWN ──► Treat as incident until proven otherwise │ │ └── NO ──► Operational issue, not security incident │ └── NO ──► Continue ├── Did credentials get exposed or compromised? │ ├── YES ──► INCIDENT — Activate Runbook A (Credential Compromise) │ └── NO ──► Continue ├── Is there suspicious activity without confirmed impact? │ ├── YES ──► ALERT — Investigate within 4 hours, escalate if confirmed │ └── NO ──► Log and monitor └── None of the above ──► Not an incident. Document in log. ``` ### Which Systems to Check First During Incident ``` Incident detected ├── Is it email/phishing related? │ └── CHECK: Google Workspace ──► Email forwarding rules ──► OAuth grants ──► Drive sharing ├── Is it auth/access related? │ └── CHECK: CF Access logs ──► Google login audit ──► RentManager access log ├── Is it infrastructure related? │ └── CHECK: Oracle VM (SSH logs, processes) ──► CF Tunnel status ──► Worker logs ├── Is it data exposure? │ └── CHECK: RentManager export logs ──► Google Drive sharing ──► Worker request logs └── Unknown/unclear? └── CHECK: CF Access (who logged in) ──► Google Workspace (email + Drive) ──► Oracle VM ``` ### Escalation Path ``` Level 1: IT Admin (Carlos) ├── Can resolve within 1 hour? ──► Resolve + document └── Cannot resolve OR involves PII breach? └── Level 2: Executive (Sam) + External counsel ├── Contained, no data exposure? ──► Resolve + document └── Data breach confirmed OR cannot contain? └── Level 3: Breach counsel + insurance carrier + law enforcement └── Follow state notification requirements (Section 7) ``` ### Should We Notify Affected Parties? ``` Breach confirmed with resident PII ├── Was PII actually accessed (not just exposed)? │ ├── YES ──► Notification likely required │ ├── UNKNOWN ──► Assume yes — err on notification side │ └── NO (exposure only, no access) ──► Document risk assessment │ └── Some states still require notification for exposure — consult counsel ├── How many residents affected? │ ├── >500 in FL ──► Notify FL AG within 30 days │ ├── >500 in MN/IL ──► Notify CRAs │ ├── >1,000 in any state ──► Notify CRAs in that state │ └── <500 ──► Individual notification still required ├── Which state has the shortest deadline? │ └── FL = 30 days (drives your timeline) └── Always: Notify breach counsel BEFORE notifying consumers ``` ### Vendor Security Assessment: Approve or Reject ``` New vendor evaluation ├── Does vendor hold resident PII or financial data? │ ├── YES ──► Tier 1 review required (full questionnaire) │ └── NO ──► Does vendor integrate with our systems? │ ├── YES ──► Tier 2 review (abbreviated questionnaire) │ └── NO ──► Tier 3/4 (standard review on renewal) │ For Tier 1: ├── SOC 2 Type II or equivalent? ──► Required (reject without) ├── Supports SSO/MFA? ──► Required ├── Data encrypted at rest + transit? ──► Required ├── Breach notification <72 hours? ──► Required ├── Data residency: US only? ──► Preferred (required for PII) └── All requirements met? ──► APPROVE with annual re-review └── Missing any required? ──► REJECT or require remediation plan with deadline ``` --- --- ## 14. Common Gotchas ### Cloudflare-Specific | Gotcha | Impact | Fix | |--------|--------|-----| | CF Access cookies are per-domain | Frontend on `app.suncom.work` can't auth to API on `api.suncom.work` | Serve both from same domain using Worker `[assets]` | | `workers_dev = false` before custom domain | Worker goes dark — no URL to reach it | Always set up custom domain FIRST, then disable workers.dev | | TOML `routes` placed after `[vars]` | Route parsed as env var, not Worker route | Place `routes` before any section header | | Deleting Pages project doesn't delete DNS CNAME | Stale DNS record blocks reuse of hostname | Manually delete CNAME before reusing | | CF Access `Bypass` policy | Allows unauthenticated access — defeats Zero Trust | Never use Bypass. Use Service Auth for service-to-service | | WAF OWASP at PL2+ | False positives on JSON API payloads | Use PL1 for API-serving zones | ### Oracle VM-Specific | Gotcha | Impact | Fix | |--------|--------|-----| | Free tier: no auto-backup | Data loss on VM failure | Manual encrypted backup to Google Drive weekly | | Free tier: limited resources | Can't run SIEM + services | Prioritize essential services; SIEM only if resources allow | | OCI security list + host iptables | Double firewall confusion — rules must match at both layers | Document both layers; test with `curl` from external IP | | `cloudflared` runs as root by default | Privilege escalation risk | Run as dedicated `cloudflared` user with systemd | | Ubuntu auto-upgrade can break cloudflared | Tunnel goes down after package update | Pin cloudflared version or test updates in maintenance window | ### MCP Server-Specific | Gotcha | Impact | Fix | |--------|--------|-----| | MCP server credentials in plaintext config | Credential theft if VM compromised | Use environment variables, restrict file permissions (`chmod 600`) | | No auth on MCP protocol by default | Anyone on localhost can query | Bind to 127.0.0.1 only; access only via CF Tunnel | | Service account JSON has `_fixed` and non-fixed versions | Non-fixed version has malformed JSON | Always use `aurora-475203-a7faf206f94e_fixed.json` | ### Google Workspace-Specific | Gotcha | Impact | Fix | |--------|--------|-----| | Email delegation grants full mailbox access | Delegated user reads all email silently | Audit delegations monthly (Admin → Reports) | | OAuth app grants persist after employee leaves | Ex-employee's authorized apps still have access | Revoke OAuth grants during offboarding (Section 5) | | Drive sharing with "Anyone with link" | Data accessible to anyone with URL | Restrict to "People in organization" by default | | Google Groups with external posting | Spam/phishing to group members | Restrict posting to group members only | --- --- ## 15. Cross-Skill References | Scenario | Primary Skill | Also Invoke | |----------|--------------|-------------| | CF Worker deployment with security hardening | `cybersecurity-expert` | `cloudflare-expert` | | RentManager API credential rotation | `cybersecurity-expert` | `rm-accounting-expert` | | Employee offboarding (Paychex + access) | `cybersecurity-expert` | `paychex-expert` | | Phishing response in Google Workspace | `cybersecurity-expert` | (this skill is self-contained for email security) | | HubSpot SSO integration | `cybersecurity-expert` | `hubspot-expert` | | Regulatory compliance (state-specific) | `cybersecurity-expert` | `mhp-regulatory` (for tenant protection angle) | | Vendor security assessment for MHP ops tools | `cybersecurity-expert` | `mhp-operations-expert` | | Oracle VM hardening + CF Tunnel | `cybersecurity-expert` | `cloudflare-expert` | --- ## 16. References ### Frameworks & Standards - **NIST CSF 2.0** (Feb 2024): [nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf) - **NIST SP 800-61r3** — Incident Response (2025): [nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf) - **OWASP Top 10:2025**: [owasp.org/Top10/2025/en/](https://owasp.org/Top10/2025/en/) - **CIS Benchmarks**: [cisecurity.org/cis-benchmarks](https://www.cisecurity.org/cis-benchmarks) ### Cloudflare Documentation - CF Access policies: [developers.cloudflare.com/cloudflare-one/policies/access/](https://developers.cloudflare.com/cloudflare-one/policies/access/) - CF JWT validation: [developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) - CF Workers secrets: [developers.cloudflare.com/workers/configuration/secrets/](https://developers.cloudflare.com/workers/configuration/secrets/) - CF WAF rate limiting: [developers.cloudflare.com/waf/rate-limiting-rules/](https://developers.cloudflare.com/waf/rate-limiting-rules/) - CF Workers rate limit binding: [developers.cloudflare.com/workers/runtime-apis/bindings/rate-limit/](https://developers.cloudflare.com/workers/runtime-apis/bindings/rate-limit/) ### Google Workspace Security - SPF setup: [support.google.com/a/answer/33786](https://support.google.com/a/answer/33786) - DKIM setup: [support.google.com/a/answer/174124](https://support.google.com/a/answer/174124) - DMARC setup: [support.google.com/a/answer/2466580](https://support.google.com/a/answer/2466580) - Security checklist (2026): [refractiv.co.uk/news/secure-google-workspace-checklist/](https://refractiv.co.uk/news/secure-google-workspace-checklist/) ### Oracle Cloud Security - Securing Compute: [docs.oracle.com/en-us/iaas/Content/Security/Reference/compute_security.htm](https://docs.oracle.com/en-us/iaas/Content/Security/Reference/compute_security.htm) - Hardening Oracle Linux: [oracle.com/technical-resources/articles/it-infrastructure/admin-tips-harden-oracle-linux.html](https://www.oracle.com/technical-resources/articles/it-infrastructure/admin-tips-harden-oracle-linux.html) ### Data Breach Law References - Perkins Coie 50-State Chart: [perkinscoie.com/insights/publication/security-breach-notification-chart](https://perkinscoie.com/insights/publication/security-breach-notification-chart) - NCSL State Laws: [ncsl.org/technology-and-communication/security-breach-notification-laws](https://www.ncsl.org/technology-and-communication/security-breach-notification-laws) - IAPP State Chart: [iapp.org/resources/article/state-data-breach-notification-chart](https://iapp.org/resources/article/state-data-breach-notification-chart) ### Industry Threat Intelligence - RSM Real Estate Cybersecurity 2025: [rsmus.com/insights/industries/real-estate/2025-cybersecurity-mmbi-real-estate-snapshot.html](https://rsmus.com/insights/industries/real-estate/2025-cybersecurity-mmbi-real-estate-snapshot.html) - Wire fraud in real estate: [stewart.com/en/insights/how-business-email-compromise-attacks-real-estate-transactions](https://www.stewart.com/en/insights/how-business-email-compromise-attacks-real-estate-transactions) - CSA State of SaaS Security 2025-2026: [cloudsecurityalliance.org/artifacts/state-of-saas-security-report-2025](https://cloudsecurityalliance.org/artifacts/state-of-saas-security-report-2025) --- ## Progressive Reference Loading Deep reference content has been moved to `references/` for lazy loading. Read only the file you need. | Topic | Load | |-------|------| | Cloudflare security, Oracle VM hardening | `references/infrastructure.md` | | API security, IAM | `references/api-iam.md` | | Email security, Incident response playbook | `references/email-incident.md` | | Vulnerability management, SaaS vendor risk | `references/vuln-saas.md` | | Data protection, Compliance framework, Monitoring/Logging | `references/data-compliance.md` |