Dark Insight: the Basic of Security - Alexander Obozinskiy

Ruby Meditation
Dark Insight: the basics of security
by Alexander Obozinsky
We are talking about things like:
• BIND TSIG CVE-2017-3143
• Intel AMT CVE-2017-5689
• Doorkeeper CVE-2016-6582
• Google groups for business default settings
• Source engine
• Ovidiy Stealer
• Kerberos CVE-2017-11368
• sudo CVE-2017-1000367
• Skype CVE-2017-6517
• RubyGems CVE-2017-0901
Information Security
Confidentiality, Integrity, Availability (the CIA triad: every threat below violates at least one of the three)
Cyber Security
Is about threats to:
• Hardware
• Software
• Network
• Data
Hardware Threats
• Physical access
• Not only about servers
• Not only about computers
• Hidden hardware in your computers
• Closed-source firmware (the Intel AMT bug listed above lives entirely below the OS)
• Virtualization
• Escaping from the guest OS
• Clouds
Software Threats
• OS security
• Vulnerabilities in libraries
• Vulnerabilities in server software
• 3rd-party software can have unexpected side effects
• Open source software can be compromised (a hijacked maintainer account or a malicious package in the registry ships to everyone who depends on it)
• Insecurity in security software
Network Threats
• Passive
  • Monitoring
  • Eavesdropping
• Active
  • Tampering
  • DoS
  • Buffer overflow
  • DNS poisoning
  • XSS/CSRF/SSRF/SQLi
• Networking devices
• IoT devices
Data Threats
• Data can be read or altered by third parties
• Data integrity can be broken by hardware/software failures
• Fake data can be used as the primary source of truth
• A small leak can compromise the whole system
Social Engineering
Hacking by exploiting vulnerabilities in human psychology rather than in software
• Giving people what they want
• Provoking by content
• Road apple attack (baiting: a planted USB stick or disc that the target plugs in)
• Phishing
• Using information from social networks
• Reverse SE (the victim is steered into contacting the attacker for "help")
Insiders
• Insider information can be bought
• An insider can be hired by you
• Someone can compromise an ordinary employee
• Life circumstances can turn your employees against you
• Firing process (revoke accounts, keys and badges the moment someone leaves)
Securing Your Systems
Hardware
• Personal
• Enterprise workstations
• Servers
Operating Systems
• Linux distributions
• OpenBSD
• Windows
• Virtual environments
• Containers
• Cloud VPS
Software
• Design safe systems
• Agile vs Security
• Security checks
• Monitoring
• Code inspection and review
• Automated security scanning
• OWASP Software Assurance Maturity Model (SAMM)
Network
• Corporate network
• Wi-Fi routers
• Guest networks
• Mobile phones
• DNSSEC
• DMZ
• Firewalls
• WAF
• Intrusion prevention
• Honeypots
• Intrusion detection
• Simple models
• Port knocking
• Remote access to your servers only through a VPN
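The "Monitoring" and "Intrusion detection" bullets above, as an added example that is not part of the original slides: a minimal log-based detector in Ruby (the meetup's language) run over constructed nginx/Apache combined-format access lines. It flags two things a scanner such as nikto leaves behind: a tell-tale User-Agent, and one client racking up many 404s in a short window while it guesses paths. The signature list, the threshold and the window are assumptions, not values from the deck; the log lines are constructed, not real traffic.

```ruby
# Added example, not code from the slides: log-based scan detection.
require 'time'

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"\z/

# Assumed signature list; real deployments keep this in a maintained rule set.
SCANNER_UA_SIGNATURES = ['Nikto', 'w3af', 'sqlmap'].freeze

def parse_line(line)
  m = LOG_RE.match(line.strip) or return nil   # unparseable lines are skipped, not fatal
  {
    ip: m[:ip],
    time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path],
    status: m[:status].to_i,
    ua: m[:ua],
  }
end

# Returns one finding per (client, rule). Thresholds are assumptions.
def detect_scanners(lines, not_found_threshold: 5, window_seconds: 60)
  events = lines.map { |l| parse_line(l) }.compact
  findings = []

  # Rule 1: known scanner User-Agent substring (case-insensitive)
  events.each do |e|
    sig = SCANNER_UA_SIGNATURES.find { |s| e[:ua].downcase.include?(s.downcase) }
    findings << { ip: e[:ip], rule: 'scanner_user_agent', detail: sig } if sig
  end

  # Rule 2: >= threshold 404s from one client inside a sliding time window
  events.select { |e| e[:status] == 404 }.group_by { |e| e[:ip] }.each do |ip, evs|
    times = evs.map { |e| e[:time] }.sort
    start = 0
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > window_seconds   # slide window forward
      count = i - start + 1
      if count >= not_found_threshold
        findings << { ip: ip, rule: 'not_found_burst', detail: "#{count} x 404 within #{window_seconds}s" }
        break
      end
    end
  end

  findings.uniq { |f| [f[:ip], f[:rule]] }
end

# Constructed sample lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Aug/2017:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"
  203.0.113.7 - - [10/Aug/2017:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"
  198.51.100.23 - - [10/Aug/2017:12:00:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 169 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
  198.51.100.23 - - [10/Aug/2017:12:00:02 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
  198.51.100.23 - - [10/Aug/2017:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
  198.51.100.23 - - [10/Aug/2017:12:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 169 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
  198.51.100.23 - - [10/Aug/2017:12:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 169 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"
  192.0.2.9 - - [10/Aug/2017:12:05:00 +0000] "GET /old-page HTTP/1.1" 404 169 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/60.0"
  192.0.2.9 - - [10/Aug/2017:12:09:00 +0000] "GET /other-page HTTP/1.1" 404 169 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/60.0"
LOG

if __FILE__ == $0
  detect_scanners(SAMPLE_LOG.lines).each { |f| puts "#{f[:ip]}  #{f[:rule]}  #{f[:detail]}" }
end
```

Only 198.51.100.23 trips both rules; the browser with a single missing favicon and the client with two 404s ten minutes apart stay below the threshold. Signature matching alone is easy to evade (nikto's `-useragent` option changes the string), which is why the behavioural rule is there too.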
Data
• Integrity
• Persistence
• Access restriction
• Confidentiality
Cryptography
• Ciphers
  • Asymmetric
    • RSA/DSA/DH
  • Symmetric
    • Block
      • DES/3DES (obsolete: 56-bit key, 64-bit block; do not use in new designs)
      • Blowfish/AES
      • Cipher Block Chaining (CBC) is a mode, and gives confidentiality only: pair it with a MAC or use an authenticated mode such as AES-GCM
    • Stream
      • RC4/ARCFOUR (broken; prohibited in TLS by RFC 7465)
      • Salsa20/ChaCha20
• Hash functions
  • MD5 (collisions are trivial; acceptable only as a non-security checksum)
  • SHA (SHA-1 is collision-broken as well; use SHA-2 or SHA-3)
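Why the CBC caveat above matters, as an added example in Ruby using the standard-library OpenSSL binding (this is not code from the slides): an attacker who flips one bit of the IV flips the same bit in the first plaintext block of an unauthenticated CBC message, and decryption succeeds silently. The same tampering against AES-GCM raises an error, because the authentication tag covers the ciphertext and the associated data. An HMAC-SHA256 with a constant-time comparison closes the block as the "hash functions" counterpart. The transaction string and the per-run key are constructed for the demo.

```ruby
# Added example, not code from the slides: CBC malleability vs authenticated encryption.
require 'openssl'

KEY = OpenSSL::Random.random_bytes(32)   # demo key for this run; real keys come from a KMS/secret store

# Unauthenticated AES-256-CBC: confidentiality only, as in the slide's "CBC" bullet.
def cbc_encrypt(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key = key
  iv = c.random_iv                      # 16-byte IV, sent alongside the ciphertext
  [iv, c.update(plaintext) + c.final]
end

def cbc_decrypt(key, iv, ciphertext)
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key = key
  c.iv = iv
  c.update(ciphertext) + c.final        # only padding is checked; content is not
end

# Authenticated AES-256-GCM: confidentiality plus integrity of ciphertext and AAD.
def gcm_encrypt(key, plaintext, aad = '')
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv                      # 12 bytes; must never repeat under the same key
  c.auth_data = aad                     # context bound to the message, e.g. record type/version
  ct = c.update(plaintext) + c.final
  [iv, ct, c.auth_tag]                  # 16-byte tag
end

def gcm_decrypt(key, iv, ciphertext, tag, aad = '')
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = aad
  c.update(ciphertext) + c.final        # raises OpenSSL::Cipher::CipherError if anything was altered
end

# Attacker primitive: flip one bit of a binary string.
def flip_bit(bytes, index, bit = 0)
  out = bytes.dup.force_encoding(Encoding::BINARY)
  out.setbyte(index, out.getbyte(index) ^ (1 << bit))
  out
end

# CBC: P1 = D(C1) XOR IV, so flipping IV byte 7 bit 0 turns the '0' of "0100" into '1'.
def cbc_malleability_demo(key)
  msg = 'amount=0100;to=alice'.b          # constructed message; byte 7 is the leading '0'
  iv, ct = cbc_encrypt(key, msg)
  cbc_decrypt(key, flip_bit(iv, 7), ct)   # decrypts cleanly to a different amount
end

# GCM: the same single-bit change is rejected.
def gcm_tamper_detected?(key)
  iv, ct, tag = gcm_encrypt(key, 'amount=0100;to=alice', 'txn-v1')
  gcm_decrypt(key, iv, flip_bit(ct, 7), tag, 'txn-v1')
  false
rescue OpenSSL::Cipher::CipherError
  true
end

# Integrity for data you are not encrypting: HMAC-SHA256 with constant-time verification.
def hmac_sha256(key, data)
  OpenSSL::HMAC.digest('SHA256', key, data)
end

def verify_hmac(key, data, mac)
  expected = hmac_sha256(key, data)
  return false unless expected.bytesize == mac.bytesize
  # OR together all byte differences so the loop never exits early on a mismatch
  expected.bytes.zip(mac.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $0
  puts "CBC after IV bit-flip: #{cbc_malleability_demo(KEY)}"      # amount=1100;to=alice
  puts "GCM rejects tampering: #{gcm_tamper_detected?(KEY)}"        # true
end
```

The GCM variant also fails when the associated data differs, so a ciphertext recorded under one context (say, a different record type) cannot be replayed under another. Nonce reuse under a single GCM key destroys both confidentiality and authenticity, so the 12-byte IV must be random per message or a strict counter.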
Web Applications Security
• SSL/TLS
• HTTPS / HTTP/2
• letsencrypt.org (free, automatically renewed certificates)
• Web Application Firewalls
  • Local
  • Cloud
    • AWS/Cloudflare/Akamai
• Black box testing
• Fuzz testing
• White box testing
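The "XSS/CSRF/SSRF/SQLi" bullet in the network-threats slide names SSRF without saying how to stop it; as an added example that is not part of the original slides, here is a server-side guard for user-supplied URLs in Ruby, using only the standard library. It rejects non-HTTP schemes, resolves the host, refuses any answer inside loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata endpoint) and similar ranges, and hands back the vetted IP so the caller connects to that address rather than resolving the name a second time (DNS rebinding). The resolver is injectable, so the test runs offline against a constructed name-to-address map; `safe_target`, `SsrfBlocked` and the blocked-range list are this example's own names and choices.

```ruby
# Added example, not code from the slides: SSRF guard for outbound fetches.
require 'uri'
require 'ipaddr'
require 'resolv'

# Ranges an application server should never be tricked into talking to.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }.freeze

class SsrfBlocked < StandardError; end

def blocked_ip?(ip)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# resolver: callable taking a hostname and returning an Array of IP strings.
# Defaults to the system resolver; tests inject a fixed map.
def safe_target(url_string, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = begin
    URI.parse(url_string)
  rescue URI::InvalidURIError => e
    raise SsrfBlocked, "unparseable URL: #{e.message}"
  end

  raise SsrfBlocked, "scheme #{uri.scheme.inspect} not allowed" unless %w[http https].include?(uri.scheme)
  host = uri.hostname                    # strips the [] around IPv6 literals
  raise SsrfBlocked, 'missing host' if host.nil? || host.empty?

  addrs =
    begin
      [IPAddr.new(host)]                 # IP literal: no DNS lookup needed
    rescue IPAddr::InvalidAddressError   # not a literal (also catches forms like "2130706433")
      resolved = resolver.call(host)
      raise SsrfBlocked, "#{host} does not resolve" if resolved.empty?
      resolved.map { |a| IPAddr.new(a) }
    end

  # Reject if ANY answer is internal: attackers mix public and private records.
  bad = addrs.find { |ip| blocked_ip?(ip) }
  raise SsrfBlocked, "#{host} resolves to internal address #{bad}" if bad

  # Caller must connect to :ip (sending Host: host), not re-resolve the name.
  { host: host, ip: addrs.first.to_s, port: uri.port, scheme: uri.scheme }
end

if __FILE__ == $0
  # Constructed resolver map for an offline demo (example.com is a reserved documentation name).
  demo_resolver = ->(h) { { 'example.com' => ['93.184.216.34'] }.fetch(h, []) }
  p safe_target('https://example.com/webhook', resolver: demo_resolver)
  begin
    safe_target('http://169.254.169.254/latest/meta-data/', resolver: demo_resolver)
  rescue SsrfBlocked => e
    puts "blocked: #{e.message}"
  end
end
```

Checking the resolved address once and then connecting by hostname would leave a window for a short-TTL record to flip to 10.x between the check and the fetch; returning the IP and pinning the connection to it is what closes that gap. Redirects must be re-checked through the same function, since a public URL may 302 to an internal one.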
Software
Tenable Nessus / Pentestit OpenVAS security scanners
• 82k/50k plugins
• CVE and OpenSCAP databases linked
• Nessus (Docker Hub: 100k+ pulls)
• OpenVAS (Docker Hub: 1m+ pulls)
• http://www.openvas.org/
• https://www.tenable.com/products/nessus-vulnerability-scanner
w3af: OSS web applications audit framework
• Contains
  • Crawl plugins
  • Audit plugins
  • Attack plugins
• http://w3af.org/
OWASP Zed Attack Proxy Project
• Open source
• Actively developed
• Easy to use
• No paid version
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
nikto
• Checks for outdated components
• Scans multiple ports on a server, or multiple servers via an input file
• Identifies installed software via headers, favicons and files
• Subdomain guessing
• Can log to Metasploit
• https://cirt.net/Nikto2
Brakeman
• Static analysis scanner for Ruby on Rails applications
• https://brakemanscanner.org/
Radamsa
• Open source fuzz testing tool (a test-case generator that mutates sample inputs)
• https://github.com/aoh/radamsa
OSS WAF
• NAXSI https://github.com/nbs-system/naxsi
• ModSecurity https://modsecurity.org/
• TestCookie https://github.com/kyprizel/testcookie-nginx-module
Metasploit Framework
• Ruby framework
• Gold standard in the industry
• https://www.offensive-security.com/metasploit-unleashed/
It’s time
Where to learn?
• https://www.hacksplaining.com/
• http://www.cvedetails.com/
• https://www.owasp.org/
• http://www.opennet.ru/
• https://thehackernews.com/
• http://krebsonsecurity.com/
• https://github.com/onlurking/awesome-infosec
qu35710n5?
https://gitlab.com/l33t/ahoregator
rm@nmc.ninja