This paper shines a spotlight risk management, particularly on the dogma and BS in security "best practice", and utilizes primary research in password strength and compromise as a case study to blow the lid off password mythology.
Onalytica-CyberSecurity-2015-Top-100-Influencers-And-BrandsMark W. Bennett
This document provides a list of the top 100 individuals and brands in cybersecurity based on their influence in conversations around the topic on Twitter over a 96 day period. It ranks the individuals and brands separately based on a PageRank methodology that considers the number and quality of references a user receives in tweets mentioning cybersecurity. For each of the top 25 individuals and brands, it shows their normalized PageRank score to indicate their level of influence. It then provides tables listing the names, Twitter handles, and normalized PageRank scores for individuals ranked 1-50 and 51-100, as well as for brands ranked 1-50.
Spenser Reinhardt's presentation on Securing Your Nagios Server.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
This document discusses many topics related to cybersecurity including common security mistakes, the importance of trust and how it can be broken, lessons learned from security breaches, and strategies for improving security practices. It notes that most software has security issues, encryption and hashing should not be implemented without understanding, and outlines approaches like patching strategies, training, and monitoring to help build more secure systems. The overall message is that security requires a holistic, ongoing approach rather than one-time fixes.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
The document provides an overview of wireless network security, outlining common issues, threats, and security measures for wireless networks. It discusses standards and protocols like WEP, WPA, and WPA2 and provides practical tips for securing a wireless network, such as enabling encryption, changing default settings, and using firewalls. The document also briefly discusses future trends in wireless network security.
SIEM 101: Get a Clue About IT Security Analysis AlienVault
How real-time network sleuthing can help you lock down IT.
Everyone in IT knows that security is a big deal, but did you know that SIEM (security information and event management) can help protect your network from data breaches, even when traditional defenses fail?
If SIEM a mystery to you, lets grab Colonel Mustard, the candlestick and head to the library because this mystery is about to be solved. We'll be giving out more than just clues in this webinar: you'll discover explanations of security concepts, tools, tips and tricks as we unravel the mystery of how to better protect your network. Bring your magnifying glass, because you’ll also learn about event correlation, EPS, normalization and other things that will surely impress your friends.
Sign up now to learn from our chief gumshoe and noted SIEM Enthusiast Joe Schreiber. He’ll explain the reasons that SIEM exists, how it works, and most importantly - what you can do with it.
IT WAS MR. BODDY ALL ALONG!!!
Onalytica-CyberSecurity-2015-Top-100-Influencers-And-BrandsMark W. Bennett
This document provides a list of the top 100 individuals and brands in cybersecurity based on their influence in conversations around the topic on Twitter over a 96 day period. It ranks the individuals and brands separately based on a PageRank methodology that considers the number and quality of references a user receives in tweets mentioning cybersecurity. For each of the top 25 individuals and brands, it shows their normalized PageRank score to indicate their level of influence. It then provides tables listing the names, Twitter handles, and normalized PageRank scores for individuals ranked 1-50 and 51-100, as well as for brands ranked 1-50.
Spenser Reinhardt's presentation on Securing Your Nagios Server.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
This document discusses many topics related to cybersecurity including common security mistakes, the importance of trust and how it can be broken, lessons learned from security breaches, and strategies for improving security practices. It notes that most software has security issues, encryption and hashing should not be implemented without understanding, and outlines approaches like patching strategies, training, and monitoring to help build more secure systems. The overall message is that security requires a holistic, ongoing approach rather than one-time fixes.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
The document provides an overview of wireless network security, outlining common issues, threats, and security measures for wireless networks. It discusses standards and protocols like WEP, WPA, and WPA2 and provides practical tips for securing a wireless network, such as enabling encryption, changing default settings, and using firewalls. The document also briefly discusses future trends in wireless network security.
SIEM 101: Get a Clue About IT Security Analysis AlienVault
How real-time network sleuthing can help you lock down IT.
Everyone in IT knows that security is a big deal, but did you know that SIEM (security information and event management) can help protect your network from data breaches, even when traditional defenses fail?
If SIEM a mystery to you, lets grab Colonel Mustard, the candlestick and head to the library because this mystery is about to be solved. We'll be giving out more than just clues in this webinar: you'll discover explanations of security concepts, tools, tips and tricks as we unravel the mystery of how to better protect your network. Bring your magnifying glass, because you’ll also learn about event correlation, EPS, normalization and other things that will surely impress your friends.
Sign up now to learn from our chief gumshoe and noted SIEM Enthusiast Joe Schreiber. He’ll explain the reasons that SIEM exists, how it works, and most importantly - what you can do with it.
IT WAS MR. BODDY ALL ALONG!!!
The document is a series of tweets discussing various topics related to cybersecurity. It touches on issues with security practices of companies, developers, and users. It notes that most security practices are ineffective when taken in isolation and advocates for a holistic, layered approach to security with an emphasis on understanding where trust is misplaced. It also highlights common mistakes made with sessions, encryption, and hashing and emphasizes the importance of not rolling your own implementations for these.
This document discusses securing cloud environments. It notes that traditional security defenses are insufficient for dynamic cloud environments. It recommends building a protection "bubble" around every machine using the same controls traditionally done at the perimeter, like antivirus, firewalls, and log inspection. It also recommends leveraging hypervisor and cloud context awareness. The document outlines challenges like ensuring proper context awareness and policy management across multiple cloud providers. It briefly describes organized cybercrime networks involved in activities like selling malware, stolen credentials, and illegal services.
This presentation covers common cryptographic attacks, secure cryptographic implementation requirements, an overview of FIPS 140-2 and secure crypto implementation guidelines
The document discusses various security issues and mistakes made by users, developers, and organizations. It covers topics like weak security practices, implementation flaws, trusting the wrong things, disclosure of too much information, and the challenges of social engineering. Specific examples are provided around password hashing, encryption, sessions, randomness, and log files to illustrate common mistakes. The overall message is that security is difficult and mistakes are often made due to a lack of understanding, convenience prioritized over security, and misplaced trust. Holistic security involving people, process and technology is advocated for along with constant awareness and mitigation of risks.
The document summarizes proposed changes to NIST's Digital Authentication Guideline SP 800-63-3 regarding password requirements. Some key changes include increasing the minimum password length to 8 characters, allowing passwords up to 64 characters, accepting all printable ASCII characters and emojis, removing composition rules and knowledge-based authentication questions, and prohibiting password expiration unless compromised. The document encourages participation in the public review process on GitHub to help finalize the updated guidelines.
Gavin Hill - Lessons From the Human Immune Systemcentralohioissa
All signs point to a future world of more complex, harder to detect cyber threats. Our adversaries are exploiting what seems to be our strengths. Intel predicts the next big hacker marketplace to be in the sale of digital certificates – already selling for more than $1000 each on Russian marketplaces. Gartner expects 50% of network attacks to use encrypted SSL/TLS in less than 2 years. What’s to do? The human immune system has evolved to defend and destroy complex and oftentimes overwhelming attacks. What can we learn from it? How can we create a future that’s more resistant as we use more software, more clouds, more apps, and more connected devices.
This document provides an overview and discussion of distributed denial of service (DDoS) attacks. It begins with an agenda outlining topics to be covered, including the business side of DDoS, attack types, recognition and mitigation. It then covers various DDoS attack types classified by network layer, including examples like SYN floods. Detection and mitigation techniques are discussed for different layers. The document emphasizes preparation, monitoring, response plans and partnerships as important strategies for dealing with DDoS attacks.
Brazil, March, 2014
This presentation talks about the various ways that the technology of the Internet does not currently suit our needs for privacy and anonymity, and some ways we can combat these issues. We will discuss everything from the layout of cables and physical infrastructure to the issues with application layer systems. We might also spend some
time discussing what legislation and policy measures are necessary as a complement to technical solutions.
Presentation by Ismael Valenzuela from Intel Security about ransomware and how enterprises can design their IR responses to mitigate ransomware threats.
Chapter 4 access control fundamental iiSyaiful Ahdan
This document discusses access control fundamentals and authentication methods. It covers passwords as a common authentication method and their weaknesses, such as being prone to dictionary attacks. It also discusses other authentication factors like biometrics and two-factor authentication. Password cracking tools are mentioned as a way for administrators to test for weak passwords.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
This session covered cyber security and ethical hacking topics such as network hacking, Kali Linux, IPV4 vs IPV6, MAC addresses, wireless hacking techniques like deauthentication attacks, cracking WEP and WPA encryption, and post-connection attacks including ARP spoofing and MITM attacks. The presenter emphasized the importance of securing networks by using strong passwords, disabling WPS, and enabling HTTPS to prevent hacking attempts.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
This document discusses the Trojan horse virus. It begins with an introduction that defines malware and Trojan viruses. It then explains how Trojans work by creating backdoors and not self-replicating like other viruses. The document outlines the tasks Trojans can perform, such as erasing data, spreading other malware, stealing passwords and personal information, and shutting down or rebooting systems. It also discusses how Trojans are used to steal credit card numbers, email addresses, work projects, photos and other files. The document provides tips for protecting systems and discusses common Trojan variations and examples. In conclusion, it states that Trojans can slow down systems and steal or corrupt personal data.
The CDO Agenda - Data Security and EncryptionDATAVERSITY
If you're not terrified, you're not paying attention.
Every organization in the world, large and small, should be concerned about Data Security. Virtually every week there’s a well-publicized and embarrassing data breach that serves to remind how important it is to protect both customer and enterprise information.
Tools and techniques exist to help, for managing identity, authentication, and authorization. Encryption is also an effective way of making it harder for people to steal your secrets. But it isn't magical, it isn't fool proof and, depending on how you are using it, may be completely useless. You don't have to understand the math (although that will help), but you do have to understand what encryption will and won't do for you.
Data and web security today
Protecting data in transit
Protecting data at rest
What advantage does Encryption provide?
How can you build encrypted data protection into your software and systems?
Are there business trade-offs?
Implications for specific industries (financial, health)
A Technical Dive into Defensive TrickeryDan Kaminsky
This document discusses various techniques for improving security and making it easier to deploy. It begins by introducing Dan Kaminsky and the goal of challenging assumptions. It then discusses how security is often hard to implement due to challenges like DDoS attacks being hard to remediate, TLS being difficult to deploy properly, and data loss prevention during attacks. The document proposes several solutions to these challenges, including Overflowd to help trace DDoS attacks, JFE to automatically provision TLS for all network services, and Ratelock to enforce access policies like rate limits in the cloud even if servers are compromised. It argues that moving enforcement to the cloud can improve security. The document concludes by noting that running code safely through sandboxing is also difficult but
NetForts aims to allow networks to react in real-time to evolving threats by creating products and services that can detect and contain zero-day worms. Their solution monitors network traffic to detect worms within seconds, even stealthy or passive ones, and dynamically extracts signatures without false positives. This allows automatic and manual containment actions including blocking ports and isolating infected systems, protecting enterprises from costly data loss and downtime from worms.
This document summarizes Dan Houser's experiment aging bourbon in bottles at home. Some key points:
1) Houser conducted an experiment aging bourbon in bottles using toasted oak inserts to see if he could achieve the taste of an aged $40-50 bourbon for under $10 per liter with minimal additional investment.
2) The results showed that higher alcohol by volume (ABV) spirits like rye whiskey aged more dramatically than lower ABV bourbons.
3) However, finding high ABV bourbons or moonshine for under $30 per bottle to experiment with was not feasible given legal constraints.
4) While aging in bottles was capable of producing different flavor profiles,
2013 (ISC)² Congress: This Curious Thing Called EthicsDan Houser
The (ISC)² Ethics Committee helped provide this overview of professionalism, ethics, the (ISC)² Code of Ethics and case studies to help explain the ethics complaint & review process. Co-developed with William H. Murray, Graham Jackon & Mano Paul.
The document is a series of tweets discussing various topics related to cybersecurity. It touches on issues with security practices of companies, developers, and users. It notes that most security practices are ineffective when taken in isolation and advocates for a holistic, layered approach to security with an emphasis on understanding where trust is misplaced. It also highlights common mistakes made with sessions, encryption, and hashing and emphasizes the importance of not rolling your own implementations for these.
This document discusses securing cloud environments. It notes that traditional security defenses are insufficient for dynamic cloud environments. It recommends building a protection "bubble" around every machine using the same controls traditionally done at the perimeter, like antivirus, firewalls, and log inspection. It also recommends leveraging hypervisor and cloud context awareness. The document outlines challenges like ensuring proper context awareness and policy management across multiple cloud providers. It briefly describes organized cybercrime networks involved in activities like selling malware, stolen credentials, and illegal services.
This presentation covers common cryptographic attacks, secure cryptographic implementation requirements, an overview of FIPS 140-2 and secure crypto implementation guidelines
The document discusses various security issues and mistakes made by users, developers, and organizations. It covers topics like weak security practices, implementation flaws, trusting the wrong things, disclosure of too much information, and the challenges of social engineering. Specific examples are provided around password hashing, encryption, sessions, randomness, and log files to illustrate common mistakes. The overall message is that security is difficult and mistakes are often made due to a lack of understanding, convenience prioritized over security, and misplaced trust. Holistic security involving people, process and technology is advocated for along with constant awareness and mitigation of risks.
The document summarizes proposed changes to NIST's Digital Authentication Guideline SP 800-63-3 regarding password requirements. Some key changes include increasing the minimum password length to 8 characters, allowing passwords up to 64 characters, accepting all printable ASCII characters and emojis, removing composition rules and knowledge-based authentication questions, and prohibiting password expiration unless compromised. The document encourages participation in the public review process on GitHub to help finalize the updated guidelines.
Gavin Hill - Lessons From the Human Immune Systemcentralohioissa
All signs point to a future world of more complex, harder to detect cyber threats. Our adversaries are exploiting what seems to be our strengths. Intel predicts the next big hacker marketplace to be in the sale of digital certificates – already selling for more than $1000 each on Russian marketplaces. Gartner expects 50% of network attacks to use encrypted SSL/TLS in less than 2 years. What’s to do? The human immune system has evolved to defend and destroy complex and oftentimes overwhelming attacks. What can we learn from it? How can we create a future that’s more resistant as we use more software, more clouds, more apps, and more connected devices.
This document provides an overview and discussion of distributed denial of service (DDoS) attacks. It begins with an agenda outlining topics to be covered, including the business side of DDoS, attack types, recognition and mitigation. It then covers various DDoS attack types classified by network layer, including examples like SYN floods. Detection and mitigation techniques are discussed for different layers. The document emphasizes preparation, monitoring, response plans and partnerships as important strategies for dealing with DDoS attacks.
Brazil, March, 2014
This presentation talks about the various ways that the technology of the Internet does not currently suit our needs for privacy and anonymity, and some ways we can combat these issues. We will discuss everything from the layout of cables and physical infrastructure to the issues with application layer systems. We might also spend some
time discussing what legislation and policy measures are necessary as a complement to technical solutions.
Presentation by Ismael Valenzuela from Intel Security about ransomware and how enterprises can design their IR responses to mitigate ransomware threats.
Chapter 4 access control fundamental iiSyaiful Ahdan
This document discusses access control fundamentals and authentication methods. It covers passwords as a common authentication method and their weaknesses, such as being prone to dictionary attacks. It also discusses other authentication factors like biometrics and two-factor authentication. Password cracking tools are mentioned as a way for administrators to test for weak passwords.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
This session covered cyber security and ethical hacking topics such as network hacking, Kali Linux, IPV4 vs IPV6, MAC addresses, wireless hacking techniques like deauthentication attacks, cracking WEP and WPA encryption, and post-connection attacks including ARP spoofing and MITM attacks. The presenter emphasized the importance of securing networks by using strong passwords, disabling WPS, and enabling HTTPS to prevent hacking attempts.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
This document discusses the Trojan horse virus. It begins with an introduction that defines malware and Trojan viruses. It then explains how Trojans work by creating backdoors and not self-replicating like other viruses. The document outlines the tasks Trojans can perform, such as erasing data, spreading other malware, stealing passwords and personal information, and shutting down or rebooting systems. It also discusses how Trojans are used to steal credit card numbers, email addresses, work projects, photos and other files. The document provides tips for protecting systems and discusses common Trojan variations and examples. In conclusion, it states that Trojans can slow down systems and steal or corrupt personal data.
The CDO Agenda - Data Security and EncryptionDATAVERSITY
If you're not terrified, you're not paying attention.
Every organization in the world, large and small, should be concerned about Data Security. Virtually every week there’s a well-publicized and embarrassing data breach that serves to remind how important it is to protect both customer and enterprise information.
Tools and techniques exist to help, for managing identity, authentication, and authorization. Encryption is also an effective way of making it harder for people to steal your secrets. But it isn't magical, it isn't fool proof and, depending on how you are using it, may be completely useless. You don't have to understand the math (although that will help), but you do have to understand what encryption will and won't do for you.
Data and web security today
Protecting data in transit
Protecting data at rest
What advantage does Encryption provide?
How can you build encrypted data protection into your software and systems?
Are there business trade-offs?
Implications for specific industries (financial, health)
A Technical Dive into Defensive TrickeryDan Kaminsky
This document discusses various techniques for improving security and making it easier to deploy. It begins by introducing Dan Kaminsky and the goal of challenging assumptions. It then discusses how security is often hard to implement due to challenges like DDoS attacks being hard to remediate, TLS being difficult to deploy properly, and data loss prevention during attacks. The document proposes several solutions to these challenges, including Overflowd to help trace DDoS attacks, JFE to automatically provision TLS for all network services, and Ratelock to enforce access policies like rate limits in the cloud even if servers are compromised. It argues that moving enforcement to the cloud can improve security. The document concludes by noting that running code safely through sandboxing is also difficult but
NetForts aims to allow networks to react in real-time to evolving threats by creating products and services that can detect and contain zero-day worms. Their solution monitors network traffic to detect worms within seconds, even stealthy or passive ones, and dynamically extracts signatures without false positives. This allows automatic and manual containment actions including blocking ports and isolating infected systems, protecting enterprises from costly data loss and downtime from worms.
Similar to Debunking Information Security myths (20)
This document summarizes Dan Houser's experiment aging bourbon in bottles at home. Some key points:
1) Houser conducted an experiment aging bourbon in bottles using toasted oak inserts to see if he could achieve the taste of an aged $40-50 bourbon for under $10 per liter with minimal additional investment.
2) The results showed that higher alcohol by volume (ABV) spirits like rye whiskey aged more dramatically than lower ABV bourbons.
3) However, finding high ABV bourbons or moonshine for under $30 per bottle to experiment with was not feasible given legal constraints.
4) While aging in bottles was capable of producing different flavor profiles,
2013 (ISC)² Congress: This Curious Thing Called EthicsDan Houser
The (ISC)² Ethics Committee helped provide this overview of professionalism, ethics, the (ISC)² Code of Ethics and case studies to help explain the ethics complaint & review process. Co-developed with William H. Murray, Graham Jackon & Mano Paul.
RSA2008: What Vendors Won’t Tell You About Federated IdentityDan Houser
Federated Identity overview, including the little known traps and issues with implementing federated identity for SSO using SAML. Lessons learned, build vs. buy, support, SLAs, and legal issues. Jointly developed with Bob West.
The Challenges & Risks of New Technology: Privacy Law & PolicyDan Houser
This document summarizes key challenges and risks related to new technologies, including privacy issues, interesting case law, and regulatory changes. It discusses invasive technologies like RFID and smart dust that could threaten privacy. Two Supreme Court cases related to thermal imaging of homes and email wiretapping are analyzed. The document emphasizes that privacy must be protected and quotes Benjamin Franklin's warnings about trading liberty for security. The presenter provides an overview of their background and security work before opening for questions.
Perimeter Defense in a World Without WallsDan Houser
Perimeter Defense when you don't have a perimeter, and how to change the paradigm to protect hosts, and hide from the bad guys. Introduction of the Big Freakin' Haystack project (that, sadly, went nowhere).
Risk Based Planning for Mission ContinuityDan Houser
Introduction to Continuity Management & Risk Based Continuity Planning. Risk-based approach to provide mission-critical BCP. Models are provided to conduct quantitative & qualitative analytics, prioritize activity and integrate continuity planning into risk management activities.
Security Capability Model - InfoSec Forum VIIIDan Houser
A security capability model for evaluation of risk based on mapping controls based on attack vectors, using the OSI 7-layer model plus 4 categories outside OSI, as well as the four disciplines of Security Management. This creates a matrix that permits scoring of capabilities by discipline and control layer.
Certifications and Career Development for Security ProfessionalsDan Houser
Joint presentation by Kevin Flanagan & Dan Houser, RSA 2008. Overview of career development, professional security/risk certifications, and how to develop and drive your career plan.
The document discusses considerations for surviving an identity and access management (IAM) audit. It provides recommendations in four key areas:
1. Understand the different types of audits for IAM - compliance, corporate controls, internal IAM audits, and addressing IAM issues in other audits. Prepare for each by understanding requirements and risks.
2. Recognize how auditors think in terms of preventative, detective and corrective controls, and how they need to collect evidence that controls are properly designed and operating as intended.
3. Be prepared to address specific IAM topics like access approval processes, as well as broader issues like logical security, change management, availability and disaster recovery that relate
Humorous and insightful look at breaking into security conferences by conquering the CFP. Uses Hacking Exposed methodology for targeting, prioritizing and mounting your "attack" on the CFP, and steps for strong execution as a speaker.
Case Study: Securing & Tokenizing Big DataDan Houser
Case study of massive Hadoop deployment by Cardinal Health to achieve both strong security & substantive analytical utility.
This was distributed publicly in 2014 in Krakow, Poland, and at multiple big data conferences 2014-2015. This is being hosted on SlideShare for posterity.
Crypto in the Real World: or How to Scare an IT AuditorDan Houser
Real world cryptography & theoretical cryptography are not the same. Bad ciphers, weak keys, cleartext keys, bad SSL, TLS, SSH permutations, and snake-oil crypto can undermine all your hard security work. This presentation provides real-world examples of broken crypto, and how to detect bad crypto, in the real world.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
4. Shaman Without Shame
Shaman
• Tribal Group
• Power = Reputation
• Arcane & Secret
Knowledge
• Shaman gatherings to
exchange knowledge
• Early medicine & science
• Wrath of gods for
questioning the shaman
and knowledge
• Much error
InfoSec Practitioner
• Workgroup / Department
• Power = Reputation
• Best Practice & “Need to
Know” shroud of secrecy
• Information Security
Conferences / Events
• Early science
• Wrath of security for
questioning practices,
opinions, findings
• Much error
5. Comfort with Being a Shaman?
• We associate our profession
with Computer Science
• Calling it a science does not
make it so
• Very few practice science
• Best Practice vs. Mythology
Science vs. Dogma
Show me the money
Show me the data
• Let’s examine mythology
Courtesy Salmon Chanted Evening-
2001
7. What can we learn of risk mythology?
Risk Myths
• Environment is critical – risk cannot be determined in
isolation from the environment
• Possibility not the same as Probability
• A vulnerability without a threat is no risk
• A threat without a threat agent poses no threat
• Threat agents without capabilities pose no threats
• A threat and vulnerability without value poses no risk
8. Best Practice
Best Practice? Best?
For Who? Where? When? What?
What security does the NSA need?
What security does a limo company need?
We must kill the mythology of Best Practice
Sufficient practice? Good practice? Adequate steps?
One recommendation:
Appropriate & reasonable measures of due care
9. Best Practice
What makes for a good myth?
- Misunderstanding of risk
- Misunderstanding environment
- No bologna detection
- Lack of academic approach
- Vendors have to eat
10. More Bones, Leeches, and Poultices
Windows is less secure than Linux
Linux is less secure than Unix
Worms start in labs
Internet transactions must be encrypted to be
protected
The contract will protect us
Internet is untrusted, core network is safe
11. More Bones, Leeches, and Poultices
A firewall can offer me complete protection at the
gateway.
My users are not smart enough to install and run rootkits,
sniffers or password crackers
My users are smart enough not to fall for social
engineering tactics
Network intrusion detection systems are sufficient to
secure my network
Intrusion Prevention works
With that next silver bullet, we’ll be safe at last
12. More Bones, Leeches, and Poultices
eMail security is not an issue for me because my state bar
does not require lawyers to encrypt e-mail to preserve
the attorney client privilege
My users have antivirus software on their home PC -
that's all I need to worry about
Only big corporations are targets for hackers
My developers and engineers have read our corporate
security policy, and refer to it when making decisions
13. More Bones, Leeches, and Poultices
Information security is a technical issue
The policies are written. My work here is done.
Adding another firewall will protect us
Adding another product will protect us
We’re good, it’s using SSL.
14. Password Mythology
Much mythology exists in password security
• 30 day expiry is a good number
• Long passwords = strong passwords
• Definition of a strong password:
– Mixed case, alphanumeric, special character, 10+ characters.
– T!$oc¥w~m9B¬sQ» is a better password than 39104 or yotozod
• Wait! You mean, it’s not?
• Well no. Randomized, highly complex passwords are designed to
defeat a single attack: password cracking through brute force.
• How many attacks are there against passwords?
19. Password Analysis
Two camps of password controls
• Internal controls: length, composition,
age, history,
• External controls: encryption, hash,
shadow file, physical security, expiry at
reset, identification, host IDS, training,
log file analysis…..
• Three classes of attacks for which
internal password controls are effective
– Cracking: offline, dictionary or brute
force
– Guessing: online, attempting to login as
the user
– Disclosure: user writing down password
(yellow sticky attack)
20. Internal Password Controls
Myth: Internal Password Controls are effective against cracking.
False - Largely worthless against cracking (with LANMAN/NTLM passwords)
WHAT!!??!!
Imagine you’re CISO of a university.
You get a phone call – your main password file has been grabbed by a
hacker.
Do you…
a) Assure the system admin that your passwords are long, strong, complex
and highly resistent to cracking?
b) Change key passwords now.
Minimum Length History Dictionary File
Composition Minimum Age Maximum Age
21. Password Analysis
Two camps of password controls
• Internal controls: length, composition,
age, history,
• External controls: encryption, hash,
shadow file, physical security, expiry at
reset, identification, host IDS, training,
log file analysis…..
• Three classes of attacks for which
internal password controls are effective
– Cracking: offline, dictionary or brute
force
– Guessing: online, attempting to login as
the user
– Disclosure: user writing down password
(yellow sticky attack)
22. Why strong passwords aren’t strong
• Remember earlier password myth: T!$oc¥w~m9B¬sQ» is a better
password than 39104 or yotozod
• Why is this a myth?
• Inverse relationship of disclosure:
– Longer, more complex passwords are more likely to be written down
– In fact, minimum of 45%, maximum of 90% of users will write down
passwords
• Much higher incidence of disclosure than hacking
– Cracking: very low incidence
– Disclosure: 10,000 employees, with 30 day password expiry will create
66,000 to 108,000 attacks per year
23. Why strong passwords aren’t strong
• Controls to prevent password cracking and guessing have an inverse
relationship to controls for disclosure.
– Cracking defeated: T4sf!Θd¥89¬dsdBs»/E7±deË10k}l«MM°
– Disclosure defeated: flowers
– Cracking assured: flowers
– Disclosure assured: T4sf!Θd¥89¬dsdBs»/E7±deË10k}l«MM°
24. What is a strong password?
Provides a blended approach to the blended threats
Balances resistance to cracking, disclosure & guessing
Isn’t developed in isolation from environment
• What are you protecting?
• What are the most likely attacks?
• What environmental controls and safeguards are in place (external
controls)?
In our analysis:
6-character alpha, non-dictionary, 30-day expiry, 5-history showed a 4-fold
increase in password security over highly complex, traditional “strong
password”
Increasing to 8 alpha characters was virtually identical to 6 alpha characters
25. Avoiding Future Myths
Prescriptive Approach
• Tuning the bologna meter
• Team diversity (c.f. Bletchley Park)
• Missouri philosophy: Show me!
• Academia bridge
• Create a culture of questioning assumptions