Cloud Security or: How I Learned to Stop Worrying & Love the Cloud (MarkAnnati)
Presented by Marija Strazdas - Sr. Solutions Engineer, Alert Logic
Presented to the Boston Amazon Web Services Meetup Group on Jun 5 & 21
https://www.meetup.com/The-Boston-Amazon-Web-Services-Meetup-Group/
Summary/Themes:
- Understanding your attack surface is critical to deploying the right security controls.
- The attack surface in cloud environments is significantly different from on-premises.
- Dominant cloud exposures are often misunderstood.
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities (Anant Shrivastava)
c0c0n 2015 presentation. This talk discussed the impact of using components with known vulnerabilities, along with various tips and tools for software developers or administrators to facilitate identification of vulnerable components.
In this presentation I have tried to figure out common loopholes through which web applications may fall prey to attackers, common tools used in the trade and some preventive security measures to put us on the safer side.
The MITRE ATT&CK framework is the framework followed by Threat Hunters and Threat Analysts for Threat Modelling purposes, which can be used for Adversary Emulation and Attack Defense. Cybersecurity Analysts widely use it for framing an attack through its various Tactics and Techniques.
I hope this helps you to know more about what SQL injection, SYN attacks and SYN floods are; this presentation gives their description and also how to prevent these attacks.
Introduction to Web Application Penetration Testing (Netsparker)
These slides give an introduction to all the different things and stages that make up a complete web application penetration test. It starts from the very basics, including how to define a Scope of Engagement.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
This presentation about security testing gives you an idea about the need for security testing, 2 commonly used security testing approaches in the industry, a brief on cookies testing & a basic security checklist for an application.
Domain 4 of CEH V11: Network and Perimeter Hacking (ShivamSharma909)
Networks are composed of two or more computers that share resources (such as printers and CDs), exchange files, and allow electronic communications. A network of computers may be connected by cables, telephone lines, radio waves, satellites, or infrared beams.
https://www.infosectrain.com/blog/domain-4-of-ceh-v11-network-and-perimeter-hacking/
Considering that most people have used mobile applications like PUB-G, Instagram, and WhatsApp, I will give you an example of a web application that is also a mobile app. Now assume you've lost your mobile or your mobile is switched off, and you want to scroll the Insta feed. What will you do? Log in to your account through Google Chrome. Right? And that's it, as you can use your Instagram by using a web browser. That is called a web application. A few famous examples of web applications are Facebook, MakeMyTrip, Flipboard, and the 2048 Game.
https://www.infosectrain.com/blog/domain-5-of-the-ceh-web-application-hacking/
A Heartbleed By Any Other Name - Data Driven Vulnerability Management (Michael Roytman)
The Heartbleed vulnerability exposes a weakness in current vulnerability management practices - namely, they aren't driven by the data. Starting with the data, we identify 4 vulnerabilities which are arguably more important than Heartbleed.
This is a detailed presentation of our web security suite - SECURITY-TESTING. It's a cloud-based product, providing solutions under 6 modules - SERM, Scanning, Detection, Monitoring, Performance and Inventory. For more details please visit our website www.security-testing.net
In this breakout session Cerdant's top engineers, Jeremiah Johnson and Jason Palm displayed how to get the most out of your SonicWALL device by utilizing advanced features like Capture ATP and DPI-SSL.
Buy Automobile Corporation of Goa for a target of Rs549 - IndiaNivesh (IndiaNotes.com)
Autocorp is a bigger play on transportation and to a lesser extent on auto ancillary segment. Its bus coach manufacturing division did well even in tough macroeconomic environment; buy.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Managing Security in External Software Dependencies (thariyarox)
These are the slides of the presentation given at the "WSO2 Jaffna: Integrating Security Into Software Development Life Cycle" event. http://www.meetup.com/wso2srilanka/events/233915649/
Top 20 certified ethical hacker interview questions and answer (ShivamSharma909)
The technique of discovering vulnerabilities in software, a website, or an agency's structure that a hacker might exploit is known as ethical hacking. They employ this method to avoid cyberattacks and security breaches by legitimately hacking into systems and looking for flaws. CEH was designed to include a hands-on environment and a logical procedure across each ethical hacking area and technique. This is to provide you the opportunity to work towards proving the knowledge and skills to earn the CEH certificate and perform the tasks of an ethical hacker.
Read more: https://www.infosectrain.com/blog/top-20-certified-ethical-hacker-interview-questions-and-answer/
Secure Software Development with 3rd Party Dependencies (thariyarox)
This is the presentation of the "Secure Software Development with 3rd Party Dependencies" session given at the Colombo Security Meetup organized by the OWASP Sri Lanka Chapter.
http://www.meetup.com/colombo-security-meetup/events/231681389/
Enhancing the impregnability of linux servers (IJNSA Journal)
The worldwide IT industry is experiencing a rapid shift towards Service Oriented Architecture (SOA). As a response to the current trend, all the IT firms are adopting business models such as cloud based services which rely on reliable and highly available server platforms. Linux servers are known to be highly secure. Network security thus becomes a major concern to all IT organizations offering cloud based services. The fundamental form of attack on network security is Denial of Service. This paper focuses on fortifying the Linux server defence mechanisms resulting in an increase in reliability and availability of services offered by the Linux server platforms. To meet this emerging scenario, most of the organizations are adopting business models such as cloud computing that are dependent on reliable server platforms. Linux servers are well ahead of other server platforms in terms of security. This brings network security to the forefront of major concerns to an organization. The most common form of attacks is a Denial of Service attack. This paper focuses on mechanisms to detect and immunize Linux servers from DoS.
Vulnerability Alert (Symantec)
SilverStripe Multiple Cross-Site Scripting Vulnerabilities
Bugtraq ID: 50063
Threat Breakdown
Credibility: Single Source
Ease of Exploit: 8
Impact: 4
Severity: 6.1
Urgency Rating: 6.1
Synopsis
CVE: CVE-MAP-NOMATCH
Published: Oct 11 2011
Classification: Input Validation Error
Remote: Yes; Local: No
Availability: User Initiated; Authentication: Not Required
Ease: Exploit Available
Last Update: 10/11/2011 7:12:43 PM GMT
Last Change: Initial analysis.
CVSS Version 2
CVSS2 Base: 5.8 (Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVSS2 Temporal: 5 (Temporal Vector: E:F/RL:U/RC:UC)
NVD CVSS2 Base Score: 4.3 (Component String: AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Version 1
CVSS1 Base: 3.7
CVSS1 Temporal: 3.2
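The CVSS v2 numbers in the alert can be reproduced from their vectors. The following is an added example, not part of the Symantec alert, that applies the CVSS v2 specification formulas to the alert's base vector, temporal vector and NVD component string; it also makes visible why Symantec's 5.8 and NVD's 4.3 differ: Symantec scored partial confidentiality impact (C:P, the cookie theft noted under Impact) where NVD scored none (C:N).

```python
# Added example, not part of the Symantec alert: recompute the alert's
# CVSS v2 scores from its vectors using the CVSS v2 specification formulas.

# CVSS v2 base-metric weights (specification constants).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# CVSS v2 temporal-metric weights ("ND" = not defined, no adjustment).
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}

# Vectors exactly as listed in the alert above.
SYMANTEC_BASE_VECTOR = "AV:N/AC:M/Au:N/C:P/I:P/A:N"  # alert: 5.8
SYMANTEC_TEMPORAL_VECTOR = "E:F/RL:U/RC:UC"           # alert: 5
NVD_BASE_VECTOR = "AV:N/AC:M/Au:N/C:N/I:P/A:N"       # alert (NVD): 4.3


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:M/...' into {'AV': 'N', 'AC': 'M', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the spec requires."""
    m = parse_vector(vector)
    # Impact sub-score is exactly 0 only when none of C/I/A is affected.
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]])
                        * (1 - CIA_IMPACT[m["I"]])
                        * (1 - CIA_IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176  # no impact, no score
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def temporal_score(base: float, temporal_vector: str) -> float:
    """Temporal score: the *rounded* base scaled by exploit maturity,
    remediation level and report confidence (spec uses the rounded base)."""
    m = parse_vector(temporal_vector)
    return round(base * EXPLOITABILITY[m["E"]] * REMEDIATION_LEVEL[m["RL"]]
                 * REPORT_CONFIDENCE[m["RC"]], 1)


def alert_scores() -> dict:
    """Recompute the three scores the alert lists; the 5.8 vs 4.3 gap
    comes entirely from C:P (Symantec) versus C:N (NVD)."""
    base = base_score(SYMANTEC_BASE_VECTOR)
    return {
        "symantec_base": base,
        "symantec_temporal": temporal_score(base, SYMANTEC_TEMPORAL_VECTOR),
        "nvd_base": base_score(NVD_BASE_VECTOR),
    }
```

Calling alert_scores() returns {'symantec_base': 5.8, 'symantec_temporal': 5.0, 'nvd_base': 4.3}, matching the alert.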
Vulnerable Systems
SilverStripe SilverStripe 2.4.5 cpe:/a:silverstripe:silverstripe:2.4.5 SYMC
Short Summary
SilverStripe is prone to multiple cross-site scripting vulnerabilities.
Impact
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Technical Description
SilverStripe is an open source content management system.
The application is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input passed through the following URIs:
'admin/reports'
'admin/comments'
'admin'
'admin/show/4'
'admin/show/2'
'admin/show/root'
'admin/show/3'
'admin/show'
'admin/assets'
'admin/show/1'
'admin/show/5'
'admin/security'
SilverStripe 2.4.5 is vulnerable; other versions may also be affected.
Attack Scenarios
1. An attacker scans for and locates a site running the affected application.
2. The attacker crafts a URI that includes malicious script code to leverage any of the issues.
3. The attacker uses email or some other means to distribute the malicious link and entice an unsuspecting user to follow it.
4. When the user follows the link, the attacker-specified script code runs in their browser in the context of the affected site.
A successful exploit will allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploits
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
The following example is available:
Stefan Schurtz 2011-10-11 00:00:00Z
http://downloads.securityfocus.com/vulnerabilities/exploits/50063.txt
Mitigating Strategies
Block external access at the network boundary, unless external parties require service.
If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.
Run all software as a nonprivileged user with minimal access rights.
Attackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software as regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities.
Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to websites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Set web browser security to disable the execution of script code or active content.
Since exploiting cross-site scripting issues often requires the execution of malicious script code in web clients, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.
Solutions
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
Credit
Stefan Schurtz
References
Advisory: SilverStripe 2.4.5 Multiple backend Cross-site scripting vulnerabilities (Stefan Schurtz)
http://www.rul3z.de/advisories/SSCHADV2011-024.txt
SilverStripe 2.4.5 Multiple backend Cross-site scripting (sschurtz@t-online.de)
http://www.securityfocus.com/archive/1/201110080822.p988MCbu025404@sf01web2.securityfocus.com
Web Page: SilverStripe Homepage (SilverStripe)
http://www.silverstripe.com
Change Log
2011.10.11: Initial analysis.
URL
https://alerts.symantec.com/loaddocument.aspx?GUID=d3c2871c-f066-41c9-8208-942c79f84d0a
SilverStripe Multiple Cross-Site Scripting Vulnerabilities
Create Date 10/11/2011 7:15:13 PM GMT