The document discusses common security issues faced by embedded systems and recommendations for improving security. It identifies 12 common threats to embedded systems, such as supply chain attacks, physical access, reverse engineering, lack of secure configurations, and human errors. The document recommends building security functions into embedded systems from the start to defend against threats, understanding contract manufacturing processes, and ensuring host systems maintain control over security. It advises assessing risks and vulnerabilities based on the 12 threats and seeking external security reviews within 6 months.
Der Vortrag zeigt anhand von Beispielen für Angriffe auf eingebettete Systeme, wie sie in vernetzten Systemen heute schon praktiziert werden, wie wichtig Security hier ist.
Aus den Angriffen und einer Prognose über die Weiterentwicklung der System-funktionen werden Sicherheitsanforderungen für eingebettete Systeme der Zukunft abgeleitet. Daraus ergibt sich dann eine Sicherheitsarchitektur für die Systeme mit wichtigen Standardkomponenten als Vertrauensanker. Dazu zählen sogenannte Secure Elements, sichere Identitäten und separierende Betriebssysteme.
Hierzu werden aktuelle Forschungsarbeiten zum Einsatz von Secure Elements im Automobil, Smart Grid und mobilen Endgeräten vorgestellt. Es wird gezeigt, wie sichere Identitäten aus Materialeigenschaften mit Physical Unclonable Functions abgeleitet werden können und wie Betriebssysteme, die Secure Elements und Separierung nutzen, die Sicherheit erhöhen.
Kolloquiumsvortrag von Prof. Georg Sigl, Technische Universität München
Dienstag, 17.12.2013, 16:00 Uhr, Hörsaal 47.03 (Elektrotechnikgebäude, Pfaffenwaldring 47)
Informatik-Forum Stuttgart e.V.
Der Vortrag zeigt anhand von Beispielen für Angriffe auf eingebettete Systeme, wie sie in vernetzten Systemen heute schon praktiziert werden, wie wichtig Security hier ist.
Aus den Angriffen und einer Prognose über die Weiterentwicklung der System-funktionen werden Sicherheitsanforderungen für eingebettete Systeme der Zukunft abgeleitet. Daraus ergibt sich dann eine Sicherheitsarchitektur für die Systeme mit wichtigen Standardkomponenten als Vertrauensanker. Dazu zählen sogenannte Secure Elements, sichere Identitäten und separierende Betriebssysteme.
Hierzu werden aktuelle Forschungsarbeiten zum Einsatz von Secure Elements im Automobil, Smart Grid und mobilen Endgeräten vorgestellt. Es wird gezeigt, wie sichere Identitäten aus Materialeigenschaften mit Physical Unclonable Functions abgeleitet werden können und wie Betriebssysteme, die Secure Elements und Separierung nutzen, die Sicherheit erhöhen.
Kolloquiumsvortrag von Prof. Georg Sigl, Technische Universität München
Dienstag, 17.12.2013, 16:00 Uhr, Hörsaal 47.03 (Elektrotechnikgebäude, Pfaffenwaldring 47)
Informatik-Forum Stuttgart e.V.
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...AVEVA
There are new threats to cybersecurity for HMI/SCADA applications every week, and it can be difficult to stay on top of current threats and concerns. InduSoft is here to help, with an analysis of recent cybersecurity threats and how to take steps to protect SCADA/HMI systems from the vulnerabilities they seek to exploit. We will also be discussing the security features available in InduSoft Web Studio and how to take advantage of them to create the most stable, secure HMI or SCADA application possible.
High dependability of the automated systemsAlan Tatourian
This is the second research talk I gave at the Semiconductor Research Corporation (SRC) in September. Here I bring to attention the need to solve problems of SW maintainability and of the self-adaptable but still reliable architectures. State of the art in the industry now is ‘fail-operational’ which is based on redundancy. We can build a better technology which will optimize itself based on some global minimum function and will be able to adapt both to external changes in the environment and internal operating conditions.
IoT Hardware Teardown, Security Testing & Control DesignPriyanka Aash
The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure.
- ‘Interconnection’ refers to (wireless) networking
- ‘Uniquely identifiable’ reminds (IPv6) addressing
- ‘Embedded’ reminds reduced size and full integration of components ‘Computing’ reminds processing capabilities
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
Presented @ Emerson Exchange
October 7, 2014
Industrial control systems (ICS) are large information technology (IT) systems. Office IT systems, failure of ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact to the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ISC turnaround work, using cyber-vulnerability assessment to focus turnaround work to only what is necessary.
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
Discovery of TRISIS/TRITON was a landmark event in the Industrial Control Systems (ICS) security community. It is the fifth known ICS-specific malware (following Stuxnet, Havex, BlackEnergy2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since identification and public disclosure in early December 2017, much has been written on TRISIS, its operation, and mitigations; however, such mitigations are usually too specific to TRISIS and fall short in assisting defenders with safety systems other than a Schneider Electric Triconex. In May, Dragos discovered that XENOTIME, the activity group behind TRISIS, had expanded its targeting to North America and other safety systems. Given this new data, a generalized approach to safety system defense is critical knowledge for ICS security personnel. This discussion aims to provide such an approach to guarding safety systems. We will provide an overview of the TRISIS malware, including its installation, execution and modification to the controller. Next, we will break down the TRISIS event's specific tactics, techniques and procedures (TTPs) and generalize them across the ICS kill chain. Using this model, we provide present-day actionable defense strategies for asset owners, as well as guidance for forensics, restoration, and recovery should an attack be discovered. We also look to the future and recommend ways in which the state of the art can be improved by vendors and ICS owners to empower defenders with the information they need to stop future attacks.
Learn more here: https://www.dragos.com/blog/trisis/
Vulnerability Inheritance in ICS (English)Digital Bond
Reid Wightman of Digital Bond Labs shows how software libraries integrated into ICS can bring vulnerabilities along with them.
In this case it is the CoDeSys library bringing vulnerabilities to more than 200 products including PLC's from Hitachi and Sanyo-Denki. Reid goes into the vulnerabilities and shows the tools that can exploit the vulnerabilities.
Equally important is the vendor misrepresenting the fact that the vulns were fixed, when they were not. And the vendors, Hitachi and Sanyo-Denki to name two, that did not test the security of the libraries before including them in their products and selling them to customers.
Presentation during the Inaugural IEEE Smart Grid Cybersecurity Workshop (http://sites.ieee.org/ucw/). The talk was in Session 1: Overview of the Security Situation/Risk Managment. The presentation identifies 5 hurdles that need to be addressed before we can secure the grid. Other presentations from the event are available for download at the IEEE Smart Grid Resource Center http://resourcecenter.smartgrid.ieee.org/category/conferences/-/society-featured-articles/subcategory/913483
The Industrial Internet is an internet of - things, machines, computers and people, enabling intelligent industrial operations using advanced data analytics for transformational business outcomes.
Industrial domain is expected to be largest consumer of IoT devices and systems in terms of value
Security Architecture for Cyber Physical SystemsAlan Tatourian
Slides I presented at the Automotive Cybersecurity conference at Detroit on Friday. The main message is captured in the last bullet in the Summary: We do not know how to build 100% reliable systems, we only know how to manage risk – your system will fail and you have to build for failure. This was one of the first lessons I was taught when I worked in the aerospace.
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book which discusses the collision between the law and cyber science. In this section we also will address some governance issues that you need to know
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.
(Source: RSA USA 2016-San Francisco)
Critical Infrastructure Security by Subodh BelgiClubHack
Industrial Automation & Control Systems are an integral part of various manufacturing & process industries as well as national critical infrastructure. Concerns regarding cyber-security of control systems are related to both the legacy nature of some of the systems as well as the growing trend to connect industrial control systems to corporate networks. These concerns have led to a number of identified vulnerabilities and have introduced new categories of threats that have not been seen before in the industrial control systems domain. Many of the legacy systems may not have appropriate security capabilities that can defend against modern day threats, and the requirements for availability and performance can preclude using contemporary cyber-security solutions. To address cyber-security issues for industrial control systems, a clear understanding of the security challenges and specific defensive countermeasures is required. The session will highlight some of the latest cyber security risks faced by industrial automation and control systems along with essential security controls & countermeasures.
Reference Security Architecture for Mobility- InsurancePriyanka Aash
The project title for this task force is “Reference security architecture for Mobility”. Some of the key things that you are going to learn from this presentation is:
The reader will learn about the current aspects of mobility, its use cases, control measures and common architectural components
The document highlights the current generic mobility models, business drivers and challenges the enterprise mobility solutions faces
The document also lists out some sample example implementations for better understanding of the concepts presented to the reader
The readers will also learn to create a mobility security architecture framework to successfully build Enterprise Mobility Management program for their organization
Slides from panel talk at the annual IEEE Power and Energy Society meeting on Power System Cybersecurity.
After a 8 hour tutorial and a panel talk, there were a number of consistent themes and challenges that surfaced. The two that concern me the most are: a) blocking engineers from discussing security approaches at technical conferences and b) treating power system cybersecurity as only a compliance issue for the IT, legal, and compliance departments. With the hopes that this sparks a bigger conversation, I’m sharing a copy of my slides from our panel talk. Thoughts and comments are welcomed.
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
Abstract: Modern day cyber threats are ever increasing in sophistication and evasiveness against Process Control Networks. Organizations in the industry are facing a constant challenge to adopt modern techniques to proactively monitor the security posture within the SCADA infrastructure whilst keeping cyber attackers and threat actors at bay.
In this presentation we will cover the fundamental building blocks of building a SCADA cyber security operations center with key responsibilities such as Incident Response Management, Vulnerability and Patch Management, Secure-by-design Architecture, Security Logging and Monitoring and how such security domains drive accountability and act as a line of authority across the PCN.
In this provocative and sometimes irreverent presentation, retired Brigadier General Greg Touhill, the United States government's first federal Chief Information Security Officer, will discuss why the legacy perimeter defense model has been overwhelmed and made obsolete by the advent of modern mobility and cloud computing. He'll demonstrate how to make the business case that the shift to the Zero Trust security strategy is now essential for businesses to survive and thrive in today's highly contested global digital economy.
Dragos Adversary Hunter Jimmy Wylie presents "TRSIS in Perspective" at the 13th annual API conference in Houston, TX. This presentation analyzes the 2017 TRISIS event at an unspecified gas facility in Saudi Arabia--the first deliberate targeting of SIS that could have resulted in potential loss of life. This presentation also examines post-TRISIS, as Dragos has observed that XENOTIME, the adversary group responsible for TRSIS, has expanded its targeting to North America and other safety systems.
Visit www.dragos.com to learn more.
Tatsuaki Takebe of Yokogawa Electric Corporation provides the closing keynote with a focus on international standards activity and how it affects the Japanese ICS community.
Topics covered in this presentation:
What is an Embedded system ?
What are MISRA C rules ?
MISRA C conformance and deviations
Tools for MISRA C conformance
Embedded Security Rules
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...AVEVA
There are new threats to cybersecurity for HMI/SCADA applications every week, and it can be difficult to stay on top of current threats and concerns. InduSoft is here to help, with an analysis of recent cybersecurity threats and how to take steps to protect SCADA/HMI systems from the vulnerabilities they seek to exploit. We will also be discussing the security features available in InduSoft Web Studio and how to take advantage of them to create the most stable, secure HMI or SCADA application possible.
High dependability of the automated systemsAlan Tatourian
This is the second research talk I gave at the Semiconductor Research Corporation (SRC) in September. Here I bring to attention the need to solve problems of SW maintainability and of the self-adaptable but still reliable architectures. State of the art in the industry now is ‘fail-operational’ which is based on redundancy. We can build a better technology which will optimize itself based on some global minimum function and will be able to adapt both to external changes in the environment and internal operating conditions.
IoT Hardware Teardown, Security Testing & Control DesignPriyanka Aash
The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure.
- ‘Interconnection’ refers to (wireless) networking
- ‘Uniquely identifiable’ reminds (IPv6) addressing
- ‘Embedded’ reminds reduced size and full integration of components ‘Computing’ reminds processing capabilities
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
Presented @ Emerson Exchange
October 7, 2014
Industrial control systems (ICS) are large information technology (IT) systems. Office IT systems, failure of ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact to the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ISC turnaround work, using cyber-vulnerability assessment to focus turnaround work to only what is necessary.
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
Discovery of TRISIS/TRITON was a landmark event in the Industrial Control Systems (ICS) security community. It is the fifth known ICS-specific malware (following Stuxnet, Havex, BlackEnergy2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since identification and public disclosure in early December 2017, much has been written on TRISIS, its operation, and mitigations; however, such mitigations are usually too specific to TRISIS and fall short in assisting defenders with safety systems other than a Schneider Electric Triconex. In May, Dragos discovered that XENOTIME, the activity group behind TRISIS, had expanded its targeting to North America and other safety systems. Given this new data, a generalized approach to safety system defense is critical knowledge for ICS security personnel. This discussion aims to provide such an approach to guarding safety systems. We will provide an overview of the TRISIS malware, including its installation, execution and modification to the controller. Next, we will break down the TRISIS event's specific tactics, techniques and procedures (TTPs) and generalize them across the ICS kill chain. Using this model, we provide present-day actionable defense strategies for asset owners, as well as guidance for forensics, restoration, and recovery should an attack be discovered. We also look to the future and recommend ways in which the state of the art can be improved by vendors and ICS owners to empower defenders with the information they need to stop future attacks.
Learn more here: https://www.dragos.com/blog/trisis/
Vulnerability Inheritance in ICS (English)Digital Bond
Reid Wightman of Digital Bond Labs shows how software libraries integrated into ICS can bring vulnerabilities along with them.
In this case it is the CoDeSys library bringing vulnerabilities to more than 200 products including PLC's from Hitachi and Sanyo-Denki. Reid goes into the vulnerabilities and shows the tools that can exploit the vulnerabilities.
Equally important is the vendor misrepresenting the fact that the vulns were fixed, when they were not. And the vendors, Hitachi and Sanyo-Denki to name two, that did not test the security of the libraries before including them in their products and selling them to customers.
Presentation during the Inaugural IEEE Smart Grid Cybersecurity Workshop (http://sites.ieee.org/ucw/). The talk was in Session 1: Overview of the Security Situation/Risk Managment. The presentation identifies 5 hurdles that need to be addressed before we can secure the grid. Other presentations from the event are available for download at the IEEE Smart Grid Resource Center http://resourcecenter.smartgrid.ieee.org/category/conferences/-/society-featured-articles/subcategory/913483
The Industrial Internet is an internet of - things, machines, computers and people, enabling intelligent industrial operations using advanced data analytics for transformational business outcomes.
Industrial domain is expected to be largest consumer of IoT devices and systems in terms of value
Security Architecture for Cyber Physical SystemsAlan Tatourian
Slides I presented at the Automotive Cybersecurity conference at Detroit on Friday. The main message is captured in the last bullet in the Summary: We do not know how to build 100% reliable systems, we only know how to manage risk – your system will fail and you have to build for failure. This was one of the first lessons I was taught when I worked in the aerospace.
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book which discusses the collision between the law and cyber science. In this section we also will address some governance issues that you need to know
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.
(Source: RSA USA 2016-San Francisco)
Critical Infrastructure Security by Subodh BelgiClubHack
Industrial Automation & Control Systems are an integral part of various manufacturing & process industries as well as national critical infrastructure. Concerns regarding cyber-security of control systems are related to both the legacy nature of some of the systems as well as the growing trend to connect industrial control systems to corporate networks. These concerns have led to a number of identified vulnerabilities and have introduced new categories of threats that have not been seen before in the industrial control systems domain. Many of the legacy systems may not have appropriate security capabilities that can defend against modern day threats, and the requirements for availability and performance can preclude using contemporary cyber-security solutions. To address cyber-security issues for industrial control systems, a clear understanding of the security challenges and specific defensive countermeasures is required. The session will highlight some of the latest cyber security risks faced by industrial automation and control systems along with essential security controls & countermeasures.
Reference Security Architecture for Mobility- InsurancePriyanka Aash
The project title for this task force is “Reference security architecture for Mobility”. Some of the key things that you are going to learn from this presentation is:
The reader will learn about the current aspects of mobility, its use cases, control measures and common architectural components
The document highlights the current generic mobility models, business drivers and challenges the enterprise mobility solutions faces
The document also lists out some sample example implementations for better understanding of the concepts presented to the reader
The readers will also learn to create a mobility security architecture framework to successfully build Enterprise Mobility Management program for their organization
Slides from panel talk at the annual IEEE Power and Energy Society meeting on Power System Cybersecurity.
After a 8 hour tutorial and a panel talk, there were a number of consistent themes and challenges that surfaced. The two that concern me the most are: a) blocking engineers from discussing security approaches at technical conferences and b) treating power system cybersecurity as only a compliance issue for the IT, legal, and compliance departments. With the hopes that this sparks a bigger conversation, I’m sharing a copy of my slides from our panel talk. Thoughts and comments are welcomed.
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
Abstract: Modern day cyber threats are ever increasing in sophistication and evasiveness against Process Control Networks. Organizations in the industry are facing a constant challenge to adopt modern techniques to proactively monitor the security posture within the SCADA infrastructure whilst keeping cyber attackers and threat actors at bay.
In this presentation we will cover the fundamental building blocks of building a SCADA cyber security operations center with key responsibilities such as Incident Response Management, Vulnerability and Patch Management, Secure-by-design Architecture, Security Logging and Monitoring and how such security domains drive accountability and act as a line of authority across the PCN.
In this provocative and sometimes irreverent presentation, retired Brigadier General Greg Touhill, the United States government's first federal Chief Information Security Officer, will discuss why the legacy perimeter defense model has been overwhelmed and made obsolete by the advent of modern mobility and cloud computing. He'll demonstrate how to make the business case that the shift to the Zero Trust security strategy is now essential for businesses to survive and thrive in today's highly contested global digital economy.
Dragos Adversary Hunter Jimmy Wylie presents "TRSIS in Perspective" at the 13th annual API conference in Houston, TX. This presentation analyzes the 2017 TRISIS event at an unspecified gas facility in Saudi Arabia--the first deliberate targeting of SIS that could have resulted in potential loss of life. This presentation also examines post-TRISIS, as Dragos has observed that XENOTIME, the adversary group responsible for TRSIS, has expanded its targeting to North America and other safety systems.
Visit www.dragos.com to learn more.
Tatsuaki Takebe of Yokogawa Electric Corporation provides the closing keynote with a focus on international standards activity and how it affects the Japanese ICS community.
Topics covered in this presentation:
What is an Embedded system ?
What are MISRA C rules ?
MISRA C conformance and deviations
Tools for MISRA C conformance
Embedded Security Rules
Cisco forecasts that by 2020 there will be 50 billion connected devices on the planet spanning everything from entertainment and information to the industrial and medical markets. The benefits are obvious. The risks are significant with catastrophic consequences. Internet of Things (IoT) security is a broad issue with many dimensions.
Security experts from RTI, Texas Instruments, Thingworx, and Wibu-Systems describe risks and solutions for securing IoT devices.
Topics include:
• Secure software updates via integrity protection
• Data centric security for the IoT
• Protecting Internet communications in IoT devices
• Secure IoT deployments
Watch webinar recording: https://youtu.be/ra0Ii7Y2EyA
It is a presentation for the Embedded System Basics. It will be very useful for the engineering students who need to know the basics of Embedded System.
Next Generation Embedded Systems Security for IOT: Powered by KasperskyL. Duke Golden
In an increasingly connected world full of new IOT technologies, the security risks are becoming the single biggest challenge as we advance toward a fully tech-enabled society. Kaspersky's security strategy is always - SECURE BY DESIGN.
Enabling embedded security for the Internet of Thingsteam-WIBU
Innovators, manufacturers, and economists agree on one crucial vision for our future: Industry 4.0 is a huge potential for value creation waiting to be tapped. The payoff is enormous: third party sources predict that global investment in the industrial Internet of Things will reach USD 500 billion by 2020, a 2,500 percent increase from the USD 20 billion spent in 2012.
The pervasive connectivity of the Internet of Things (IoT) exposes embedded devices to more security risks than ever before. As a result, safeguarding devices, data, and intellectual property becomes a key requirement embedded device manufacturers must meet to succeed in IoT.
The strategic partnership between Wind River® and Wibu-Systems aims at offering modern techniques to tackle the security risks associated with vulnerabilities of interconnected cyber-physical systems. Together, we have developed a scalable protection and licensing system for VxWorks-based applications that grows along with your needs.
Learn:
• Ways to protect connected embedded devices, data, and intellectual property in the Internet of Things
• Software-based security features delivered by the VxWorks® 7 Real-Time Operating System together with Security Profile for VxWorks
• Complementary hardware-based CodeMeter® Security solution by Wibu-Systems
• Benefits of a joint integrated solution featuring software- and hardware-based security for security-sensitive applications.
Watch the webinar: https://youtu.be/NrZrAs9uOEQ
********************************
Request CodeMeter SDK and try out Wibu-Systems' premier technology for yourself
http://www.wibu.com/cm
********************************
Your Thing is Pwned - Security Challenges for the IoTWSO2
The Internet of Things and Machine to Machine are growing areas, and security and privacy are prime issues. In this session security challenges are examined around using M2M devices with protocols such as MQTT & CoAP - encryption, federated identity and authorisation models in particular.
On the topic of encryption, we’ll examine securing MQTT with TLS, challenges with Arduino, and using hardware encryption for microcontrollers. A key privacy requirement for user-centric IoT use cases will be giving users control over how their things collect and share data. On the Internet, protocols like OAuth 2.0, OpenID Connect & User Managed Access have been defined to enable a privacy-respecting user consent & authorization model. We'll look at the issues with applying these protocols to the M2M world and review existing proposals & activity for extending the above M2M protocols to include federated identity concepts.
The session included a live demonstration of Arduino and Eclipse Paho inter-operating secured by OAuth 2.0.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, DevSecOps advance methods, manage the implement secure coding analysis and how to manage software security risks.
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
Living BeyondCorp comes with its own challenges. This talk will dive into how Duo gets our hands around difficult problems regarding the security and management of cloud services and endpoints internally. This session will cover technical details of our security orchestration and automation approach, cloud service monitoring, and chatops-driven endpoint application whitelisting strategies.
(Source: RSA Conference USA 2018)
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
(Source: RSA USA 2016-San Francisco)
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
Want to detect threats in your organization? Stop reading every feed and curate your threat intel and content so they actually work for your security architecture. By managing meaningful threat intelligence so the external intel maps to internal threat models and curating your content sensibly, you can create a high-functioning SOC that both detects and defends against cyberattacks.
(Source: RSA Conference USA 2018)
In response to this challenge, inSOC has
developed a layered security solution
comprised of enterprise grade tool sets,
framework-driven onboarding and escalation
processes and a team of highly qualified
security professionals that have eyes on glass
24/7/365.
All inclusive pricing structures
Mix and match offerings
Flexible contract lengths
Sales enablement
Minimal operational overhead
MSSP Accelerator self paced training
Advanced cybersecurity certification leading
to SSAE 19 certification
MSSP Accelerator
program is designed to
fast track the MSP's
security practice and
unlock the potential
revenue streams available
by delivering enterprisegrade security services, via
a self-paced online course
and sales enablement.
The Accelerator program
can then lead to SSAE-19
certification underlining
your value and enabling you
to establish yourself as a
leader in the field. SSAE 19
is a consultancy led
certification program, taking
a minimum 12 months to
complete.
We provide an
advanced onboarding
to harden
environments to a set
standard
Our wraparound SOC
team is lead by highly
qualified security
professionals including
CISSPs and CCIEs, to
ensure best-in-class
delivery 24/7/365
And we base
everything on the NIST
Cybersecurity
Framework
inSOC’s tools and processes are centred
around the NIST 800 Cybersecurity
framework and the Centre for Internet
Security’s Top 20 Critical Security Controls.
The implementation of this known and
trusted security framework significantly
reduces the risk of breach in the first place,
minimising alert noise and pinpointing true
threats proactively and reactivel
Benchmarks
• Base on established security frameworks
• We recommend the Center for Internet Security
• Windows OS benchmark is 1200+ pages
• Subscription to CIS for preconfigured GPO scripts
Playbooks
• Create benchmark playbooks to manage hardening tasks consistently
• Base playbooks on established security frameworks and benchmarks
• Capture audit ready evidence and attach to playbook
• Manage tasks and dependent projects
Change Control
• Manage any hardening initiative with a standard change control methodology
• Beta testing, user acceptance testing, release
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...centralohioissa
During this talk we will be discussing hardware reverse engineering and why this is becoming a new way for attackers to compromise company networks. We will discuss how vendors are now leaving potentially malicious code within firmware and how some attackers could exploit these vulnerabilities. We will also discuss why it is important for companies to spend time reviewing hardware for vulnerabilities prior to deploying the systems within your company’s network and outlining a process on how to perform this work.
The presenters will outline each phase of the hardware reverse engineering assessment, outlining how to exploit various vulnerabilities that you may discover and provide a list the software and tools that will be needed to support this work. Finally we will talk about how you should be documenting your findings for management and how to properly disclose the findings to the vendor once the test has been completed.
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
Cyber–supply chain risks pose a new set of challenges for businesses (loss of critical IP, unwanted functionality in products) which jeopardize brand reputation and shareholder value. This session will present case study research from NIST on cutting-edge practices and tools that today’s industry leaders in supply chain risk management are deploying to secure their supply chains from end to end.
(Source: RSA USA 2016-San Francisco)
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
Cyber–supply chain risks pose a new set of challenges for businesses (loss of critical IP, unwanted functionality in products) which jeopardize brand reputation and shareholder value. This session will present case study research from NIST on cutting-edge practices and tools that today’s industry leaders in supply chain risk management are deploying to secure their supply chains from end to end.
(Source: RSA USA 2016-San Francisco)
Take It to the Cloud: The Evolution of Security ArchitecturePriyanka Aash
As companies evolve their IT stack, traditional security approaches/architectures need to be reconsidered. This session will review some of the new risks introduced by SaaS/IaaS adoption and show how to mitigate these risks using new approaches to security architecture. Presenters will also review the transition of security architecture itself to the cloud.
(Source: RSA USA 2016-San Francisco)
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
Securing 100 products - How hard can it be?Priyanka Aash
Many companies establish their Secure Development Lifecycle. The adoption of it crucial especially for corporations with dozens of applications. The main challenges they face are the diversity of architecture, dev languages, methodologies, compliance, regulations, etc. This talk will shed light on scaling up and out the application security capabilities and maximizing the software security maturity.
(Source : RSA Conference USA 2017)
As seen with the IoT-based MIRAI botnet, security vulnerabilities can have their root cause several layers down in the supply chain. The session will corroborate this with concrete vulnerability results of over 5,000 IoT software packages. It also will show how, to stop this bug passing, developers, integrators and regulating bodies need to work together to build a trustworthy IoT software supply chain.
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, list them, and map to other relevant projects such as STRIDE & MITRE. Security professionals can better understand what are the common attack vectors that are utilized in attacks, examples for previous events, and where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Case, Understanding Web 3 Pros
and Web 3 Cons. Prevention mechanism and how to make sure that it doesn’t happen to you?
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
3. #RSAC
Poll
3
Which operating system is your software most commonly
developed for?
Which language is your software most commonly
developed for?
Which hardware does your system run on?
What are your thoughts on the following statement: My
system is standalone, therefore many Cybersecurity or
Software Assurance (SwA) requirements do not apply?
What do you perceive as the biggest threats to your
embedded system’s security?
Given the rise of IoT, do you feel IoT and its issues are
related to your embedded system’s security issues?
4. #RSAC
Results (Predicted)
OS: Green Hills and VxWorks
Language: C++
Hardware: PPC (SoC)
Standalone: Systems are not
actually standalone
Threats: Supply chain, physical
access
IoT Threats: IoT mirror without
legacy issues
4
5. #RSAC
Results (Actual)
OS: Large increase in the use of Linux
and even Windows
Language: C/C++, Java, and even Ada
Hardware: x86 (SoC)
Standalone: Systems are not actually
standalone
Threats: Supply chain, physical access,
reverse engineering
IoT Threats: IoT mirror without legacy
issues
5
7. #RSAC
Example Embedded Computing Environment
7
Computing Environment
OS APIs
Multi-Core Hardware
Other Processing
Nodes / Payloads
Virtualization Hypervisor (Optional)
OS - Linux
Vendor Provided
C++ Service “B”
& Libraries
Vendor Provided
C++ Service “A”
& Libraries
Vendor Provided
Java Service “A”
& Libraries
Vendor Provided
Java Service “B”
& Libraries
Network Service Bus
Java Runtime Environment (JRE)Java Runtime Environment (JRE)
8. #RSAC
Traditional Embedded System Issues
Storage components
Processing power
Battery life
Time-to-market
Overall cost
8
Functionality, Security, and Cost: Pick Two
9. #RSAC
The Troublesome 12 Embedded Systems
Cybersecurity Threats
9
Supply Chain/Counterfeit Parts Legacy Systems Cascading Faults
Physical Access Patch update process No Secure Configuration
Reverse Engineering Custom protocols Design Mistakes
Network Access Custom libraries Humans
0x0c
10. #RSAC
Threat: Supply Chain/Counterfeit Parts
Make vs. buy
Quality vs. counterfeiting vs. malicious
alteration
Vendor tracking database
ASICS, FPGAs, and microprocessors
Destructive and non-destructive analysis
Information storage in volatile memory and
permanent storage
Nano tagging
10
15. #RSAC
Threat: Patch Update Process
None
Systems are permanent and not
updated
Unauthenticated
No digital signature on
software/firmware
Invalid
No integrity
No fail secure
15
18. #RSAC
Threat: Cascading Faults
Information flow – authentication and
integrity for end-to-end protection of
information between partitions
Data isolation – confidentiality of data
Periods processing – protect against
covert channels
Damage limitation – protection from a
failure in one partition will not cascade to
another partition.
MILS Separation Kernel
OS
(Level 1)
OS
(Level 2)
OS
(Level 3)
Middleware Services
Privileged
Mode
User Mode
18
Separation kernels keep execution separate
19. #RSAC
Threat: No Secure Configuration
Tampered configuration
Not secure by default
Shared passwords across
collection’s embedded systems
19
20. #RSAC
Threat: Design Issues
Hard-coded credentials
Weak or missing authentication
Improper segregation of sensitive and
non-sensitive data
Weak, custom, or excessive use of
encryption
Debug functions left in
20
22. #RSAC
How does this apply to IoT?
How closely does IoT mirror these
Threat?
Does IoT have legacy issues?
What about the future?
Does the key word “Internet”
mean higher risk?
22
23. #RSAC
Conclusion
23
Protect Application, Execution, Data and IP
Security functions should be built in and
defend against threats within the
environment.
It is important to understand CPI and
what is done to protect it.
Host systems must maintain ultimate
control over security algorithms to
protect the data and prevent IP theft.
24. #RSAC
Applying What You Have Learned Part 1
24
Educate + Learn = Apply
Take any new knowledge
and apply to your
development system
As a student hopefully you
got 2-3 key items you
learned today
As an instructor, hopefully I
provided some good
lessons learned.
Let me know what you learned in the Question and Answers!
25. #RSAC
Applying What You Have Learned Part 2
25
Next week you should:
Consider the 2-3 key items you learned from this
session and start to consider where do they apply to
your work?
In the first three months following this
presentation you should:
Do an initial Risk Assessment and consider The
Troublesome 12 Embedded Systems Cybersecurity
Threats
Within six months you should:
Seek the advise of a 3rd party vulnerability research
or assessment team
Train developers on Application Security/Software
Assurance
27. #RSAC
Biography
27
Randall Brooks is an Engineering Fellow for Raytheon
Company (NYSE: RTN), representing the company
within the U.S. International Committee for
Information Technology Standards Cyber Security 1
(CS1) and the Cloud Security Alliance. Brooks has
nearly 20 years of experience in Cybersecurity with a recognized
expertise in Software Assurance (SwA) and secure development life
cycles (SDLC). In addition to holding seven patents, Brooks is a CISSP,
CSSLP, ISSEP, ISSAP ISSMP, and CCSK. Brooks graduated from Purdue
University with a Bachelors of Science from the School of Computer
Science. E-mail: brooks@raytheon.com