In this course I will deep dive into the infrastructure security world, showing how an attacker can abuse an architecture design that doesn't cover all aspects. Course is designed and presented by Carlo Dapino - 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
user@hostname:~$ whoami
__________________
Target
__________________
Visualize the big picture
Review that, thinking like an attacker
Connect the dots
Evaluate Security Posture
Propose changes
Audience
__________________
Security Professionals
CTOs
IT staff
Curious individuals
Syllabus
Chapter 1 - Infra design security:
- Overview of infrastructure design
- Web stack error responses vs. security and discovery
- SSL endpoints
- Double hop and various designs
- On-prem vs. cloud infra design
- End-to-end encryption vs. security
- API design vs. security
- CDN design vs. security
- VPN and headaches (split tunnel, etc.)
- MPLS and headaches (lateral movement, etc.)
- Trusted vs. untrusted domains... can anything be trusted?
- DNS (in)security... why most cloud implementations suck
- Endpoints and nonsense dogma
- IAM, AAA, ZTA, SASE and a lot of marketing around them
- Common architecture errors
- Common implementation issues
Chapter 2 - Security controls design:
- Reliability engineering vs. security
- Inline and inspection design is not always a solution
- TAP issues (on-prem, cloud)
- SSL certificate management issues
- API nightmare
- Ephemeral containers
- How to standardize controls in a scattered IaaS, PaaS and FaaS world
- Service mesh, VPC and SD-WAN networking issues
- A/B testing and security
- CI/CD + SecDevOps + SOAR: when you thought you were creating a perfect cycle and ended up with a Matryoshka
- DFIR automation, so little discussed
- Orchestrator compromise and management access attacks
- Secrets and vaults
- Hardening: why it is your friend
- DNS security, also with DoH, etc.
- Application routing controls (SD-WAN, CDN, LB)
Chapter 3 - Security integrator is the role you miss:
- How to evaluate a security product
- How to analyze redundancy of security controls
- Securing automation
- Obtaining a single, unified view
- Agility != stupidity
- Plugging incident response in at the right layer
- DLP: everyone is talking about it, but...
- Chaos engineering applied to security
Chapter 4 - Future picture
- Attacker RaaS and automation vs. you
- Limits of MITRE ATT&CK
- Session hijacking and your 3FA is gone
- Device auth vs. user auth: so much confusion around it
- SOAR playbooks anticipating your game
- Redirecting all your traffic is the DDoS and availability attack of the future
- Multi-cloud and hybrid deployment vs. lateral movement and the new east-west
- JS/DOM and why your controls aren't up for the game
Chapter 5 - Wrap-up
- How to keep the security posture in check against the infra road map
- Understand how threats are becoming modular through frameworks and how you can spot it
- Rethink design boundaries, especially around lateral movement
- Rethink collaboration across the organization, also in terms of roles
______________________
COURSE is FREE
______________________
STAY TUNED and SUBSCRIBE
https://www.youtube.com/channel/UCK0Z7e2riiRT8hRFvPfiMcw