1) The document discusses how security restrictions on Windows, such as restricted access to drives, applications, and Internet Explorer, can potentially be bypassed during a penetration test.
2) Methods are presented for bypassing application restrictions, such as using the HTML Help viewer (hh.exe) to reach the Internet without a browser, or using InstallUtil to run PowerShell code without launching the PowerShell executable.
3) Countermeasures are suggested, such as enforcing AppLocker in whitelist mode and monitoring logs, to prevent such bypasses of security restrictions.
José Vila - ¿Otro parche más? No, por favor. (Yet another patch? No, please.) [rooted2018] - RootedCON
It is still the majority trend in software development to postpone analysing the security of the product to the last stages of the process. One of the reasons is usually the economic impact of having a secure development lifecycle: it weighs too heavily at the start of the project, so an integrated methodology across the whole process is discarded.
This approach is increasingly turning against developers and the other parties involved. Once the product has been launched on the market, they end up having to spend unplanned resources because of security problems. Patches, hotfixes, updates... become the monotonous solution, and what it achieves is to end up hurting the product's usability. Surely some names come to everyone's mind.
The purpose of this presentation is to set out the need to integrate security methodologies from the earliest stages of a product's life cycle, the benefits of keeping secure product development in mind, and to show good practices that improve product security, producing higher-quality software.
And if you have already been told this at another CON... why aren't you putting it into practice?
You Build It, You Secure It: Introduction to DevSecOps - Sumo Logic
In this presentation, DevOps and DevSecOps expert John Willis dives into how to implement DevSecOps, including:
- Why traditional DevOps has shifted and what this shift means
- How DevSecOps can change the game for your team
- Tips and tricks for getting DevSecOps started within your organization
Integrate Security into DevOps - SecDevOps - Ulf Mattsson
1. Security Controls Must Be Programmable and Automated Wherever Possible
2. Implement a Simple Risk and Threat Model for All Applications
3. Scan Custom Code, Applications and APIs
4. Scan for OSS Issues in Development
5. Treat Scripts/Recipes/Templates/Layers as Sensitive Code
6. Measure System Integrity and Ensure Correct Configuration at Load
7. Use Whitelisting on Production Systems, Including Container-Based Implementations
8. Assume Compromise; Monitor Everything; Architect for Rapid Detection and Response
9. Lock Down Production Infrastructure and Services
10. Tokenization and Payment Processing
Application security meetup - cloud security best practices 24062021 - lior mazor
The "Cloud Security Best Practices" meetup covers Secrets Management in the Cloud, Secure Cloud Architecture, Event Tracking in Microservices and How to Manage Secrets in K8S.
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar - Sumo Logic
In this webinar, Sumo Logic VP of Security and Compliance George Gerchow dives into how to make the shift to DevSecOps, discussing how to:
- Incorporate fundamental and high impact security best practices into your current DevOps operations
- Gain visibility into your compliance posture
- Identify potential risks and threats in your environments
Bridging the Security Testing Gap in Your CI/CD Pipeline - DevOps.com
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST (interactive application security testing), a next-generation application security approach that provides highly accurate, real-time vulnerability results without the need for separate application or source code scans. Learn how this nondisruptive tool can:
Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence.
Fully automate secure app delivery and deployment, without the need for extra security scans or processes.
Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
Take Control: Design a Complete DevSecOps Program - Deborah Schalm
Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware.
How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?
The security process must be well integrated with the SDLC to be successful. While many companies have already moved from Waterfall to Agile methodologies, security remains behind more often than not. In our presentation we demonstrated how security can move to agile by utilizing open source tools, customizing them to meet our needs, and implementing continuous security testing using dynamic scanners as well as manual testing.
It is also important to ensure that false positives are not fed into the developers' bug tracking system and that each finding is assigned the correct severity. To make this happen we import all our findings into a security dashboard and review them before exporting them to the bug tracking system.
DevOps is powering the computing environments of tomorrow. When properly configured, the Splunk platform allows us to gain real-time visibility into the velocity, quality, and business impact of DevOps-driven application delivery across all roles, departments, processes, and systems. Splunk can be used by DevOps practitioners to support continuous integration/deployment and to provide the real-time feedback that helps the organization with its operational intelligence. Join us for an exciting talk about Splunk's current approach to DevOps, and for examples of how Splunk is being used by customers today to transform DevOps initiatives.
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C... - centralohioissa
Continuous Integration, Continuous Delivery, and Continuous Deployment can include security! We will explore functional examples of CI/CD^2 toolchains using only open source software (OSS): What are the components? What activities do they support? What works well? What works... not so well? What is the cost of freely available OSS?
In this talk we will explore the activities that are involved with successful Continuous Integration, Continuous Delivery, and Continuous Deployment. We’ll do this by discussing how traditional software security activities like SAST, DAST, manual code reviews, and ethical hacking work together and independently to strengthen your program.
A two hour workshop that provides a practical introduction to secure coding. This was part of the {DECIPHER} Hackathon (https://www.eventbrite.sg/e/decipher-hackathon-tickets-57968120208).
DevSecOps without DevOps is Just Security - Kevin Fealey
The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo, rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still “bolt-on” and not ultimately streamlined.
Collaboration between security and other DevOps groups around roadmaps and sharing of resources can lead to greater efficiency and innovation, while better supporting the value stream.
This talk will discuss foundational considerations when building a DevSecOps practice. You will learn about the top prerequisites for a successful DevSecOps practice – most of which are provided by groups other than security; and we’ll discuss case studies, both from organizations who have embraced DevOps as a foundation for DevSecOps, and those who haven’t. Attendees will walk away with questions to ask their counterparts in DevOps to understand current DevOps maturity and where security can leverage existing and planned DevOps resources to enable effective DevSecOps.
Building a DevSecOps Pipeline Around Your Spring Boot Application - VMware Tanzu
SpringOne Platform 2019
Building a DevSecOps Pipeline Around Your Spring Boot Application
Speaker: Hayley Denbraver, Developer Advocate, Snyk
YouTube: https://youtu.be/CtQ2KZ4aMnQ
SecDevOps 2.0 - Managing Your Robot Army - conjur_inc
Configuration management builds the systems that run the code, orchestration spins up and manages entire systems, and SDN creates the network architecture. All of these are programmable; the entire system can be operated by a developer from a terminal. Teams of 5 or 6 people can build and operate really big systems.
Why should developers care about container security? - Eric Smalling
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes in CI and CD. DevSecOps goes beyond automating security testing, and there are common misconceptions and roadblocks to establishing it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where security integration fits within DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
Secure Foundations: Why Red Hat Enterprise Linux is not just another Linux di... - Lucy Huh Kerner
Red Hat isn't just valuable if you need support. In this 2017 Red Hat Summit Infrastructure Lightning Talk, learn why to pick Red Hat Enterprise Linux as your secure operating system foundation.
ChaoSlingr introduces the discipline of security testing into chaos engineering with the focus on driving failure out of the model and going beyond the reactive processes that currently dominate traditional security testing methodology.
(Source: RSA Conference USA 2018)
2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha... - Lucy Huh Kerner
In my hands-on lab that I delivered at the 2017 Red Hat Summit, you'll learn how to automate security compliance using a combination of Red Hat CloudForms, Red Hat Satellite, OpenSCAP, Red Hat Insights, and Ansible Tower by Red Hat. Specifically, you'll do a series of exercises to show you how to use Red Hat CloudForms to create control policies, how to automate security scans and remediations using the OpenSCAP integration in Satellite, how to utilize the data provided by Red Hat Insights for security compliance automation, how to use Ansible Tower by Red Hat for automated security remediations, and how to use Red Hat CloudForms as a central place for security compliance automation.
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ... - Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of a focus on resilience against service disruptions, the focus is to identify the truth behind our current state security and determine what “normal” operations actually look like when it's put to the test.
The speed, scale, and complex operations within modern systems make them tremendously difficult for humans to mentally model their behavior. Security Chaos Engineering is an emerging practice that is helping engineers and security professionals realign the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world's largest healthcare company to proactively discover system weaknesses before they were exploited by malicious adversaries. In this session Aaron shares his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
Do you know encryption fact from fiction?
With data breaches frequently making the headlines, businesses are losing more business and personally identifiable information than ever. Every industry and company is at risk – public and private. Encryption is one of the best ways to protect this information, but misperceptions related to cost, performance, and ease of use run rampant.
View this webcast on-demand where we talk with Patrick Townsend, Founder & CEO of Townsend Security, to set the record straight on the top 5 encryption myths for IBM i users.
During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
For more information, please visit our website at www.synopsys.com/software
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig - CloudIDSummit
Companies and researchers are exploring ways to make software and hardware development easier for the masses. Soon you will be able to build your own autonomous drone, create a sensor that assesses the watering needs of your plants, and develop a cat tracking device with minimal coding and hardware skills.
What is the place of security and privacy in this exciting development?
Are we building the next generation of Internet security vulnerabilities right now?
In his talk Hannes Tschofenig will highlight challenges with Internet of Things, what role standardization plays, and what contributions ARM, a provider of microprocessor IP, is making to improve IoT security.
How do you get an agile team to work with security requirements? Getting secure coding practices into agile development is often hard work. A security functional requirement might make it into the sprint, but getting secure testing, secure architecture and feedback from security incidents working is not an easy task for many agile teams. In my role as Scrum Master and security consultant I have developed a recipe of 7 steps that I will present to you, covering agile secure development, agile threat modelling, agile security testing and agile workflows with security. Many of the steps can be taken without costly tools, and I will present open source alternatives for every step, to make trying it out easier and to lower the startup cost of your team's security process.
See the improved version: https://www.slideshare.net/ApostolosGiannakidis/mitigating-java-deserialization-attacks-from-within-the-jvm-improved-version
A talk about the existing ways to mitigate Java deserialization attacks from within the JVM. The talk was presented at the BSides Luxembourg conference in October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
The talk also included a PoC demo showing how an Instrumentation Agent could be tampered with via a file upload vulnerability at the application level.
Introduction to Web Application Penetration TestingRana Khalil
Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/
Mitigating Java Deserialization attacks from within the JVM (improved version) - Apostolos Giannakidis
This deck contains a few improvements based on feedback received, such as the addition of links and the rewording of some points for clarity.
A talk about the existing ways to mitigate Java deserialization attacks from within the JVM. The talk was presented at the BSides Luxembourg conference in October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
The talk also included a PoC demo showing how an Instrumentation Agent could be tampered with via a file upload vulnerability at the application level.
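The Serialization Filtering mitigation that both versions of the talk above describe, shown here as an added example rather than the speaker's own code: a per-stream allowlist filter written against the Java 9+ java.io.ObjectInputFilter API (JEP 290). The Order class, the pattern string and the resource limits are assumptions chosen for illustration; the rejection of a HashMap stands in for any class a gadget chain would need.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/** Hypothetical DTO the endpoint legitimately expects (assumption, not from the talk). */
final class Order implements Serializable {
    private static final long serialVersionUID = 1L;
    final String sku;
    final int quantity;
    Order(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
}

public class DeserializationFilterDemo {

    /**
     * Allowlist in jdk.serialFilter pattern syntax: the Order class is accepted,
     * "!*" rejects every other class, and the limits cap object-graph depth,
     * array length and reference count to blunt resource-exhaustion payloads.
     * Primitives and java.lang.String are never submitted to the filter.
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1024;maxrefs=256;Order;!*");

    /** Wraps the allowlist so a rejected class is logged before the stream aborts. */
    static final ObjectInputFilter LOGGING_ALLOWLIST = info -> {
        ObjectInputFilter.Status status = ALLOWLIST.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED) {
            System.err.println("[serial-filter] rejected " + info.serialClass()
                    + " at depth " + info.depth());
        }
        return status;
    };

    /** Deserializes untrusted bytes with the per-stream filter installed. */
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            // Must be installed before the first readObject(); later calls throw IllegalStateException.
            in.setObjectInputFilter(LOGGING_ALLOWLIST);
            return in.readObject();
        }
    }

    /** Helper for the demo: serializes an object so it can be fed back in as "untrusted" input. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes the filter.
        Order order = (Order) readFiltered(serialize(new Order("SKU-1", 3)));
        System.out.println("accepted: " + order.sku + " x" + order.quantity);

        // Any other class is rejected when its descriptor is read, i.e. before the
        // class is resolved and before any readObject() method on it can run.
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());   // filter status: REJECTED
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The same pattern can be applied process-wide with `-Djdk.serialFilter=...` (or `ObjectInputFilter.Config.setSerialFilter`), which also covers ObjectInputStream instances created inside libraries; on Java 8 the facility exists from 8u121 as `sun.misc.ObjectInputFilter`. One limitation to keep in mind, stated here as a general fact rather than as the talk's own list: the filter only sees classes that pass through ObjectInputStream, so it does nothing for other deserialization mechanisms (XML, JSON or YAML binders, for instance) or for application code that parses the stream itself.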
This presentation discusses the most common application compatibility issues in Windows 7 that applications designed for Windows XP may experience. It explains the new features of the OS, such as UAC, file and registry virtualization, WRP (Windows Resource Protection), Session 0 isolation and Mandatory Integrity Control (integrity levels), that applications have to be aware of in order to run well on Windows 7.
IBM Cognos Forum, Conference Presentation
Attendees of the session were shown how to develop a migration roadmap, how to realize quick benefits, and how to plan the deployment that works best for their organization. They learned about testing strategies and other risk mitigations, and were shown how an upgrade can deliver business process improvements while reducing maintenance costs, improving ease of use, and lowering total cost of ownership.
Cloud computing transforms the way we can store, process and share our data. New applications and workloads are growing rapidly, which brings every day more sensitive data into the conversation about risk and what constitutes natural targets for bad actors. This presentation reflects on current best practices to address the most significant security concerns for sensitive data in the cloud, and offers participants a list of steps to achieve enterprise-grade safety with MongoDB deployments among the expanding service provider options.
apidays LIVE Paris - Serverless security: how to protect what you don't see? ... - apidays
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Serverless security: how to protect what you don't see?
Jean Baptiste Aviat, Co-founder and CTO at Sqreen.io
3. Profile
Speaker
• OWASP DAY 2014
• July Tech Festa 2015, 2017
• AVTOKYO2016
• Financials ISAC Japan Conference 2018
Writing
• Software Design
CODE BLUE 2018 3
4. Background
I have done penetration tests at many companies, and I have bypassed Windows security functions at each company.
5. Things to inform in this session
Bypassing security functions is not always detected and blocked, so I want to stress that it is important not only to enable security functions, but also to implement multilayered defense, such as strengthening monitoring.
6. Penetration Test
We set up a scenario and test from the point of intrusion into servers and network devices.
(Diagram: attacks from the Internet and inside jobs pass the firewall and take over systems; the test assesses what kind of authority is obtained, what can be done with it, and the resulting impact.)
7. The Penetration Test scenarios
There are cases where we investigate whether or not we can intrude into servers, assuming a malware infection caused by Advanced Persistent Threats (APTs).
(Diagram: a tester with a PC and a domain user account in the user segment, and a tester on the Internet, attempt access to the server segment through the firewall and IPS.)
8. View of attacker
In APTs, since an attacker with a clear intention and purpose intends to steal information from a specific organization, we assume that even if they are restricted by security functions, they will bypass them and accomplish their purpose.
• Bypass authentication and intrude
• Bypass security function restrictions (the topic of this session)
• etc.
10. Steps in APT
Preparation → Intrusion → Lateral Movement → Action
• Gathering information from the target
• Intrusion into the target
• Intrusion into the important servers
• Stealing confidential information and hiding logs
11. Steps in APT
"Preparation" does not involve bypassing security functions, so I won't talk about it this time.
12. Steps in APT
"Intrusion" has to do with anti-viruses and monitoring, but I won't talk about it this time.
13. Steps in APT
I'll be talking about the bypass methods that may be used when intruding into PCs etc.
14. Lateral Movement
• Operation in the intruded PCs
• Searching for other vulnerable PCs and expanding the intrusion
• Intrusion into servers using the collected information
(Diagram: operation → gathering information → intrusion into servers)
15. Lateral Movement
https://attack.mitre.org/wiki/Lateral_Movement
• AppleScript
• Application Deployment Software
• Distributed Component Object Model
• Replication Through Removable Media
• Windows Remote Management
• Exploitation of Vulnerability
• Remote Desktop Protocol
• Remote File Copy
• Logon Scripts
• Pass the Hash
• SSH Hijacking
• Shared Webroot
• Remote Services
• Taint Shared Content
• Third-party Software
• Windows Admin Shares
(Japanese) https://github.com/abend9999/lateralmovement
16. How to protect Windows
There are security functions to protect Windows against various attack methods.
• AppLocker
• Software Restriction Policy
• Windows Defender
• UAC (User Account Control)
• etc.
17. Security restrictions on Windows
Typical restrictions:
• Do not grant local administrator authority
• Restrict execution of specific applications
Result:
• Cannot install applications (excluding PowerUser)
• Cannot change PC settings
• Cannot execute applications that are inadequate for business
18. AppLocker control object
Based on the publisher, file path, and file hash, AppLocker currently supports rules for the following file extensions:
• Executables (.exe, .com)
• Windows Installers (.msi, .mst, .msp)
• Scripts (.vbs, .js, .ps1, .cmd, .bat)
• DLLs (.ocx, .dll)
• Packaged app installers (.appx)
20. Note about AppLocker
If the service "Application Identity" is not running,
AppLocker cannot be activated.
21. Advantages of AppLocker
If you have applications that you do not plan to use
such as cmd.exe, restricting them may increase the
security level.
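As an added example, not part of the slides: a PowerShell check for the two points slides 20 and 21 make. AppLocker evaluates nothing unless the Application Identity service (AppIDSvc) is running, and a rule collection only blocks anything when its enforcement mode is Enabled rather than AuditOnly. The function name and the report shape are my own; the script assumes the built-in AppLocker module on Windows 10/11 or Windows Server.

```powershell
# Added example, not part of the CODE BLUE 2018 slides.
# Verifies the two prerequisites slides 20 and 21 rely on: the Application
# Identity service is running, and the rule collections are actually enforced.
function Test-AppLockerPrerequisites {
    [CmdletBinding()]
    param()

    # 1. Without AppIDSvc, AppLocker rules exist but nothing is evaluated.
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop
    $serviceRunning = ($svc.Status -eq 'Running')

    # 2. Effective policy = local policy merged with domain GPO, as XML.
    #    Each <RuleCollection> has Type (Exe, Msi, Script, Dll, Appx) and
    #    EnforcementMode (NotConfigured, AuditOnly, Enabled).
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $collections = foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode
            Rules           = @($rc.SelectNodes('*')).Count
            Enforcing       = ($rc.EnforcementMode -eq 'Enabled')
        }
    }

    # cmd.exe, csc.exe, InstallUtil.exe and powershell.exe are all gated by
    # the Exe collection, so that is the one that must be Enabled.
    $exeEnforced = [bool]($collections | Where-Object { $_.Collection -eq 'Exe' -and $_.Enforcing })

    [pscustomobject]@{
        ApplicationIdentityRunning = $serviceRunning
        StartupType                = $svc.StartType
        ExeEnforced                = ($serviceRunning -and $exeEnforced)
        RuleCollections            = $collections
    }
}

$result = Test-AppLockerPrerequisites
$result | Format-List ApplicationIdentityRunning, StartupType, ExeEnforced
$result.RuleCollections | Format-Table -AutoSize

if (-not $result.ApplicationIdentityRunning) {
    # Since Windows 10 1903 AppIDSvc is a protected service and Set-Service
    # refuses to change it, so use sc.exe to make it start automatically.
    Write-Warning 'AppIDSvc is stopped: run  sc.exe config appidsvc start= auto  and then Start-Service AppIDSvc'
}
# A collection in AuditOnly mode only writes event 8003 ("would have been
# blocked"); switch it to Enabled before relying on it as a control.
```

Note that a collection which is Enabled but contains zero rules blocks every file of that type, so a report line showing Enabled with Rules = 0 is a misconfiguration in the opposite direction and worth fixing before users notice.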
22. From here, I will introduce examples of bypassing security restrictions in penetration testing.
24. Restricting Drive Access - Background
In cases where access to an arbitrary drive is
prohibited, access to C drive is often prohibited or
hidden.
25. Restricting Drive Access - Trial
But the drive can still be referenced from the command prompt, and it can be accessed by directly specifying the path.
28. Restricting Drive Access – Assumption
It is possible to specify and restrict the drive with the following registry setting, therefore we assume that this was controlled by the registry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
30. Restricting Applications - Background
There was a case where presumably the following
countermeasures were implemented to restrict specific
applications (such as notepad and command prompt):
• Disabled “Run”
• Hid C drive
• Deleted program menu
31. Restricting Applications - Trial
I ran Notepad with "View source" in Internet Explorer, generated a bat file to run cmd.exe, and then executed it.
33. If you choose GOOD ADVICE and even IE is stopped.
34. Restricting Application – Assumption
• Control "Run" in the registry:
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
• Control the drive display setting in the registry:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
• Control the program menu in the folder:
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs
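As an added example, not from the slides: a PowerShell audit of the three settings slide 34 lists, written to show what each one does and does not restrict. The function names are mine, both registry hives are checked on the assumption that Explorer honours the policy values under either (slide 34 only shows NoRun under HKCU and NoViewOnDrive under HKLM), and the bit layout of NoViewOnDrive is the documented Explorer convention rather than something the slide states.

```powershell
# Added example, not from the slides: audit the three shell restrictions
# that slide 34 attributes to registry policy and a Start Menu folder.
function ConvertFrom-DriveMask {
    param([int]$Mask)
    # NoViewOnDrive (like NoDrives) is a bitmask: bit 0 = A:, bit 1 = B:,
    # bit 2 = C: ... bit 25 = Z:. A value of 4 therefore means "C: only".
    $drives = foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { "$([char](65 + $i)):" }
    }
    if ($drives) { $drives -join ',' } else { '(none)' }
}

function Get-ExplorerShellRestrictions {
    # Assumption: Explorer honours these policy values under either hive,
    # so both are read.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key           = $key
            RunDisabled   = [bool]($p.NoRun)                              # removes "Run" from the shell
            BlockedDrives = ConvertFrom-DriveMask ([int]($p.NoViewOnDrive))  # Explorer refuses to open these
        }
    }
}

function Get-StartMenuShortcutCount {
    # The all-users Start Menu folder slide 34 names; emptying it removes the
    # program menu entries but not the programs themselves.
    $programs = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
    @(Get-ChildItem -Path $programs -Recurse -Filter *.lnk -ErrorAction SilentlyContinue).Count
}

Get-ExplorerShellRestrictions | Format-Table -AutoSize
"All-users Start Menu shortcuts: $(Get-StartMenuShortcutCount)"

# What none of these settings does: stop cmd.exe, a typed path, or a program
# launched some other way (slides 25 and 31). They shape the shell, not what
# may execute; only an execution control such as AppLocker does the latter.
```

The point of the audit is the last comment: all three settings live in Explorer, so a report that shows them all in place still says nothing about whether cmd.exe or a directly typed path is restricted. That has to be checked against the AppLocker or SRP policy separately.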
48. Restricting PowerShell
By restricting PowerShell, you can prevent file-less attacks using PowerShell.
(Diagram: a malicious script run using Pass the Hash; if it is file-less, it is hard for antivirus to detect.)
49. PowerShell without PowerShell
"PowerShell without PowerShell", released in August 2016, bypasses AppLocker and runs PowerShell.
https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
50. PowerShell without PowerShell
• Compile a C# program with CSC.exe whose uninstall action runs PowerShell
• Uninstall the compiled output with InstallUtil.exe
• PowerShell runs
(Diagram: ① C# source that overrides Uninstall and specifies a PowerShell command is compiled with CSC.exe → ② binary file → ③ uninstall with InstallUtil.exe → the PowerShell specified in the C# runs.)
52. PowerShell without PowerShell
It can be executed with user privilege.
• Compiling: CSC.exe
• Uninstalling: InstallUtil.exe
53. PowerShell without PowerShell
PowerShell runs in the background, but depending on the PowerShell script you run, it may be easy to get a shell.
(Diagram: binary file → uninstall with InstallUtil.exe → the PowerShell specified in the C# runs.)
54. PowerShell without PowerShell
You can easily obtain a shell by running a script that performs a reverse connect.
(Diagram: on the device that restricts PowerShell, the script is acquired via IEX using PowerShell without PowerShell and executed file-less, connecting back to the reverse-connect target.)
56. Q. Which ones are the same? It is easier than this puzzle.
57. Bypass by using the Install Option
I found another method (bypass by using the Install Option), so I would like to introduce it.
• PowerShell without PowerShell ⇒ user privilege
• Bypass by using the Install Option ⇒ administrator privilege required
59. Differences depending on the extension
I thought that if I changed the extension of the EXE file in various ways, I could bypass AppLocker.
• Changed to a COM file → blocked by AppLocker
• Changed to a BAT file → blocked by AppLocker
• Changed to an MSI file → error saying that it is not a package file
60. Trial ①
I tried to build cmd.exe so that it can be installed as
an MSI file without causing an error.
61. Trial ②
I noticed the Custom Option and built it to run
cmd.exe as an Install Option.
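As an added example, not part of the slides: a PowerShell hunt over Security event 4688 (process creation) for the execution chains described on slides 49 to 61, namely InstallUtil.exe's uninstall action, C# compiled from an interactive shell with csc.exe, and a shell spawned by the Windows Installer. The function names, the detection table and the four sample events are my own constructions; the script assumes the "Include command line in process creation events" policy is enabled, since without it the CommandLine field is empty.

```powershell
# Added example, not from the slides: hunt Security event 4688 (process
# creation) for the execution chains of slides 49-61. Assumes the policy
# "Include command line in process creation events" is enabled; otherwise
# CommandLine is empty and the InstallUtil rule cannot fire.
$Detections = @(
    @{ Name    = 'InstallUtil uninstall action (PowerShell without PowerShell)'
       Image   = '^installutil\.exe$'
       CmdLine = '(^|\s)[/-]u(ninstall)?(\s|=|$)' }
    @{ Name    = 'C# compiled from an interactive shell (csc.exe)'
       Image   = '^csc\.exe$'
       Parent  = '^(cmd|powershell|explorer)\.exe$' }
    @{ Name    = 'Shell spawned by the Windows Installer (install option)'
       Image   = '^(cmd|powershell|powershell_ise)\.exe$'
       Parent  = '^msiexec\.exe$' }
)

function Find-LolbinChain {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $image  = Split-Path -Leaf $e.NewProcessName
        $parent = if ($e.ParentProcessName) { Split-Path -Leaf $e.ParentProcessName } else { '' }
        foreach ($d in $Detections) {
            # -match is case-insensitive, which suits Windows file names
            if ($image -notmatch $d.Image) { continue }
            if ($d.Parent -and $parent -notmatch $d.Parent) { continue }
            if ($d.CmdLine -and $e.CommandLine -notmatch $d.CmdLine) { continue }
            [pscustomobject]@{
                Time = $e.TimeCreated; User = $e.User; Detection = $d.Name
                Process = $image; Parent = $parent; CommandLine = $e.CommandLine
            }
        }
    }
}

function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 5000)
    # Reading the Security log requires an elevated session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                User              = $data.SubjectUserName
                NewProcessName    = $data.NewProcessName
                ParentProcessName = $data.ParentProcessName
                CommandLine       = $data.CommandLine
            }
        }
}

# Constructed sample events (not real telemetry) so the logic can be run offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2018-11-01T10:00:00'; User = 'alice'
        NewProcessName = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'csc.exe /out:C:\Users\alice\tool.exe C:\Users\alice\tool.cs' }
    [pscustomobject]@{ TimeCreated = '2018-11-01T10:00:05'; User = 'alice'
        NewProcessName = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'InstallUtil.exe /U C:\Users\alice\tool.exe' }
    [pscustomobject]@{ TimeCreated = '2018-11-01T11:30:00'; User = 'SYSTEM'
        NewProcessName = 'C:\Windows\System32\cmd.exe'
        ParentProcessName = 'C:\Windows\System32\msiexec.exe'
        CommandLine = 'cmd.exe /c C:\Windows\Installer\MSIA1B2.tmp' }
    [pscustomobject]@{ TimeCreated = '2018-11-01T11:31:00'; User = 'alice'
        NewProcessName = 'C:\Windows\System32\notepad.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine = 'notepad.exe' }
)
Find-LolbinChain -Events $sample | Format-Table -AutoSize   # 3 hits; notepad is benign

# On a real host: Find-LolbinChain -Events (Get-ProcessCreationEvents)
```

The csc.exe rule is the noisy one: build servers and IIS hosts (XML serializer generation under w3wp.exe) compile legitimately, which is why it keys on an interactive parent rather than on csc.exe alone. The InstallUtil rule matters precisely because, as slide 53 says, the PowerShell runs inside the InstallUtil process, so a detection that only watches for powershell.exe never sees it.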
71. Run powershell_ise.exe
You can run powershell_ise.exe, but it will be
blocked when you start a new PowerShell process
within it.
72. One wish
I asked MSRC if I could do something to solve this,
but I got a similar answer.
“Applocker generally does not meet the bar
for MSRC case.”
73. In order to protect myself from bypasses, I realized that I had to do something myself.
74. Countermeasures
• Use AppLocker with a whitelist
• If it’s difficult to operate a whitelist, set strict
restrictions for AppLocker along with other group
policies
• Detect problems using multilayer defense such as
monitoring operation logs
75. Countermeasures
By implementing the following restrictions, I could no longer use the methods introduced in this talk.
I restricted the following using AppLocker:
• iexplore.exe
• csc.exe
• powershell.exe
• powershell_ise.exe
• cmd.exe
• Installing non-Microsoft software
※ There is a possibility of other operations being affected by implementing these restrictions. Please do so at your own risk.
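As an added example, not the speaker's own policy: slide 75's restrictions expressed as an AppLocker policy built and dry-run from PowerShell. The allow rules are the usual whitelist (Program Files and Windows for Everyone, anything for Administrators), and the deny rules name the Microsoft-signed binaries by BinaryName so the block survives a renamed file or changed extension (slide 59). InstallUtil.exe is my addition, taken from slide 50 rather than from slide 75's list. The helper names are mine, rule GUIDs are generated at run time, and the policy is only evaluated with Test-AppLockerPolicy; the Set-AppLockerPolicy line is left commented out.

```powershell
# Added example, not the speaker's own policy: slide 75's restrictions as an
# AppLocker policy. Allow rules form the whitelist; Deny rules always win over
# Allow in AppLocker, and they key on the signed BinaryName rather than the
# path, so renaming the file or changing its extension (slide 59) does not help.
$MsPublisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'

function New-PathRule([string]$Name, [string]$Sid, [string]$Path, [string]$Action = 'Allow') {
    '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="{3}"><Conditions><FilePathCondition Path="{4}" /></Conditions></FilePathRule>' -f
        [guid]::NewGuid(), $Name, $Sid, $Action, $Path
}

function New-PublisherRule([string]$Name, [string]$Sid, [string]$BinaryName, [string]$Action) {
    ('    <FilePublisherRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="{3}">' +
     '<Conditions><FilePublisherCondition PublisherName="{4}" ProductName="*" BinaryName="{5}">' +
     '<BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule>') -f
        [guid]::NewGuid(), $Name, $Sid, $Action, $MsPublisher, $BinaryName
}

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators
$exeRules = @(
    New-PathRule 'Allow Program Files'       'S-1-1-0'      '%PROGRAMFILES%\*'
    New-PathRule 'Allow Windows folder'      'S-1-1-0'      '%WINDIR%\*'
    New-PathRule 'Administrators: anything'  'S-1-5-32-544' '*'
)
# The five binaries slide 75 lists, plus InstallUtil.exe from slide 50.
foreach ($bin in 'IEXPLORE.EXE','CSC.EXE','POWERSHELL.EXE','POWERSHELL_ISE.EXE','CMD.EXE','INSTALLUTIL.EXE') {
    $exeRules += New-PublisherRule "Deny $bin" 'S-1-1-0' $bin 'Deny'
}
# "Installing non-Microsoft software": users may only run Microsoft-signed MSIs.
$msiRules = @(
    New-PublisherRule 'Allow Microsoft-signed installers' 'S-1-1-0' '*' 'Allow'
    New-PathRule      'Administrators: any installer'     'S-1-5-32-544' '*'
)

$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($exeRules -join "`n")
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
$($msiRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'slide75-applocker.xml'
Set-Content -Path $policyPath -Value $PolicyXml -Encoding UTF8

# Dry run first: what would the policy decide for a denied binary, an allowed
# one, and a normal program? MatchingRule shows which rule produced the decision.
$probe = "$env:WINDIR\System32\cmd.exe",
         "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
         "$env:WINDIR\System32\notepad.exe"
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforce only after the dry run and an AuditOnly period look right; slide 75's
# caveat applies, other operations may break. -Merge keeps existing rules.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Two design points. Publisher-based deny rules are preferred over path rules for these binaries because a copy of cmd.exe placed under a user profile still carries the same signature and original file name, whereas a path rule only covers the location it names. And the Msi collection is what implements "installing non-Microsoft software": slide 59 showed that a renamed executable is rejected as "not a package file", so the installer path is only open to properly built, and under this policy Microsoft-signed, packages.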
76. Summary
• There are many methods of bypassing Windows security functions, and it is very difficult to completely prevent them
• It is important to acquire logs, restrict and monitor networks, etc., on the premise that you will get bypassed