Presentation about securing the environment that the Blackboard Learn application runs on. Includes:
* IPS/IDS
* Database Security Recommendations
* Load Balancer
etc.
CSF18 - The Night is Dark and Full of Hackers - Sami Laiho - NCCOMMS
This document provides security tips and recommendations from Sami Laiho, a senior technical fellow specializing in Windows security. Some of the key recommendations include: implementing whitelisting like AppLocker and following the principle of least privilege; using Windows 10 Enterprise over Windows 7 for improved security features; choosing hardware with TPM and virtualization support; applying full disk encryption with BitLocker; restricting administrative access and using tools like Avecto DefendPoint for privilege elevation; and implementing password policies and end user training. Contact information is provided to learn more about security training and services.
The document discusses securing assets in the cloud. It outlines benefits of using the cloud like flexibility, disaster recovery, and increased security controls. However, it also notes dangers like data theft, loss of control over outages, and insider attacks. The document recommends securing cloud assets by installing antivirus software, only allowing necessary inbound/outbound traffic, keeping systems patched, restricting privileged access, using two-factor authentication, and encrypting traffic. Common mistakes are not updating applications and OSes, exposing SSH/RDP publicly, lacking security policies, and using weak passwords.
This document discusses deploying Privileged Access Workstations (PAWs) to limit credential theft and lateral movement in an attack. It describes common attack scenarios where attackers leverage stolen credentials to escalate privileges and access sensitive systems. PAWs aim to address this by restricting which accounts can be used to log on to different systems using techniques like logon restrictions, network segmentation, and credential hardening. The document provides guidance on implementing a phased PAW deployment starting with administrative systems and extending to other privileged accounts.
The document discusses shielded virtual machines (VMs) which are a new security feature in Windows Server 2016 that protects VMs from potential compromise of the host machine. Shielded VMs use virtual secure mode and virtual trust levels to isolate VM memory and processors from the host. The host guardian service verifies that the host is authorized to run a shielded VM by checking a store of keys for trustworthy hosts.
Ch 8: Desktop and Server OS Vulnerabilities - Sam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_F17.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
This document provides an overview of a training course on system and network security for Windows 2003/XP/2000. It discusses what the course will cover, including the native security features of these Windows operating systems, how to lock down and secure Windows systems, and vulnerabilities and countermeasures. It also summarizes new and modified security features in Windows Server 2003 such as the Common Language Runtime, Internet Connection Firewall, account behavior changes, and enhancements to Encrypted File System, IPSec, authorization manager, and IIS 6.0.
CNIT 123 8: Desktop and Server OS Vulnerabilities - Sam Bowne
For a college class in Ethical Hacking and Network Defense at CCSF, by Sam Bowne. More info at https://samsclass.info/123/123_S18.shtml
Based on this book
Hands-On Ethical Hacking and Network Defense, Third Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
Deploying privileged access workstations (PAWs) is part of a strategy to limit credential theft and lateral movement in an organization's network. PAWs are hardened administrative workstations designed to isolate privileged accounts and limit the exposure of credentials. An effective PAW strategy involves deploying dedicated hardware for administrators, applying security group policies and logon restrictions, and implementing additional controls like multi-factor authentication and device whitelisting.
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_S18.shtml
SnapComms is a communication tool that broadcasts visual content to computers using multiple channels and formats. It is an HTTP-based client/server technology with clients for Windows, Mac, iOS, and Android. The SnapComms server provides access to clients via a web service and supports Active Directory integration. SnapComms prioritizes security and provides 24/7 support.
This document provides an overview of BitLocker encryption in Windows and discusses:
- Why encryption is needed to protect lost or stolen devices and secure data.
- The basics of how BitLocker works including how the full volume encryption key is protected by the volume master key stored on the TPM chip.
- Different protector options for the master key like passwords, USB keys, and TPM authentication.
- Ways an attacker could try to bypass BitLocker including guessing passwords, DMA attacks to access memory, and cold boot attacks.
- Recommendations for implementing BitLocker securely including using a TPM without additional authentication for most devices and disabling DMA ports.
This document discusses various ways that back-end components of web applications can be attacked by injecting malicious code or commands. It provides examples of how user input could be used to exploit vulnerabilities in OS commands, scripting languages, file paths, HTTP requests, and SMTP mail services. The key risks are command injection, path traversal, remote file inclusion, XML external entity injection, and HTTP/SMTP parameter injection. The document also offers suggestions for preventing these attacks, such as input validation, output encoding, and limiting file system and network access.
Integrating security into the application development process - Jerod Brennen
The document provides an overview of integrating security into the application development process. It discusses seeking to understand development methodologies, programming languages, and risk frameworks. It also covers source code security best practices like code reviews and tools. Application security and software quality assurance testing methods are reviewed. The document also discusses analyzing deployed applications and other considerations like training and metrics. Resources for further learning are provided.
CSF18 - Moving from Reactive to Proactive Security - Sami Laiho - NCCOMMS
This document provides an overview of moving from reactive to proactive security. It discusses implementing basic protections like firewalls and BitLocker encryption. It emphasizes applying the principle of least privilege through removing administrator rights and deploying whitelisting solutions like AppLocker. It also recommends blocking lateral movement by securing local administrator accounts and deploying Credential Guard. The document concludes by discussing preparing environments for forensic investigations through tools like Sysmon and advanced threat protection services.
Web Application Firewalls provide security features to protect web applications from common attacks. They operate in either passive or active mode, with active mode blocking attacks. Security policies define rules for requests, responses, URLs, parameters and more. The payment card industry standard requires custom code reviews or a WAF for applications that handle credit cards. Barracuda's Vulnerability Remediation Service integrates with WAFs to perform scans and automatically remediate vulnerabilities.
System Hardening Recommendations_FINAL - Martin Evans
The document provides system hardening recommendations for Windows 7 workstations and Windows Server 2012 at Verisk Health. It includes recommendations for account policies, local policies, Windows Firewall settings, network list manager policies, and public key policies. The recommendations aim to enhance security by restricting user permissions, enabling encryption, and locking down network access and system objects. Implementing the changes would help protect sensitive data like PHI and PII but also require carefully considering each setting's potential impact.
07182013 Hacking Appliances: Ironic exploits in security products - NCC Group
The document discusses security vulnerabilities found in various security appliance products. It describes easy password attacks, cross-site scripting vulnerabilities with session hijacking, lack of account lockouts, and other issues found across email/web filtering, firewall, and remote access appliances from vendors like Barracuda, Symantec, Trend Micro, Sophos, Citrix, and others. Many appliances were found to have command injection flaws allowing root access. Vendors' responses to reported vulnerabilities varied, with some issues getting addressed within months while others saw no fixes. The author advocates defense-in-depth practices and keeping appliances updated with vendor patches.
Bright talk mapping the right aut solution for you 2014 final (1) - Sectricity
This document discusses mapping an ideal authentication solution to an organization's IT environment. It summarizes that data breaches are increasing as data moves more widely, requiring authentication approaches to change. Market dynamics are driving convergence of cloud identity and access management with authentication and a shift from hardware-based products to software-as-a-service. The document promotes SafeNet's authentication service, which provides a fully automated, cloud-based strong authentication solution requiring no infrastructure and reducing costs through automation and flexibility. It outlines features like multi-factor authentication options, automated provisioning and reporting, and integration with applications and user directories.
Ch 9: Embedded Operating Systems: The Hidden Threat - Sam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
This document provides a checklist for hardening the security of Windows Server systems. It outlines best practices for organizational security, preparing, installing, and configuring Windows Server, as well as user account, network, registry, and general security settings. It also addresses audit policy, software security, and finalization steps like imaging servers. Implementing the guidelines can help reduce security vulnerabilities and the risk of attacks compromising critical systems and data.
This document discusses SQL Server security and provides an overview of SQL Server security best practices and enhancements in SQL Server 2014. It covers categorizing security across IT, physical, political, and SQL Server realms. It outlines best practices for authentication, securing administrator accounts, complex passwords, specific logins, administrator membership, guest access, stored procedure permissions, ports, services, and encryption. New SQL Server 2014 features discussed include transparent data encryption, encryption key management, and new permissions for connecting to any database and impersonating logins.
Windows Azure Multi-Factor Authentication provides an additional layer of security beyond passwords for accessing applications. It works by requiring two or more authentication factors, such as something you know (a password) and something you have (a registered mobile phone). The solution can integrate with on-premises applications and services using an on-premises server, and with cloud applications using Azure Active Directory. Users register their phones through a portal for authentication via calls, texts, or mobile app notifications. The solution is affordable and easy to use compared to hardware tokens since it leverages existing mobile phones.
Information Security Lesson 4 - Baselines - Eric Vanderburg - Eric Vanderburg
The document discusses security baselines and hardening systems and networks. It covers topics like disabling unused services, using security templates to configure Windows settings, implementing group policy for domain configurations, and applying patches and filters to harden applications, operating systems, databases, and network devices. The document also defines several common acronyms related to information security.
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit Sydney - Amazon Web Services
Containers accelerate development. They address the very real challenge of application packaging and delivery. Thanks to containers, teams can quickly and reliably deploy their applications in a variety of environments. But solutions always come with a cost. Containers simplify the developer experience by pushing complexity down into the infrastructure. This shift requires a change in the security approach in order to preserve the advantages containers bring. In this talk, we'll use practical examples to understand the security strategy and tactics you need to continue to accelerate development while meeting your security goals no matter where you're deploying containers.
AWS Community Day - Vitaliy Shtym - Pragmatic Container Security - AWS Chicago
Vitaliy Shtym from Trend Micro discusses pragmatic container security. He outlines six key areas to focus on: (1) the container host, (2) the network, (3) the management stack, (4) the build pipeline, (5) the application foundation, and (6) the application. Specific security best practices are provided for securing containers within each of these areas, such as hardening the container host operating system, using intrusion prevention controls, and scanning container images for vulnerabilities before deployment. The goal is to implement defense in depth across the entire container environment.
How we breach small and medium enterprises (SMEs) - NCC Group
This document summarizes common techniques used to breach small and medium enterprises. It discusses how networks are typically assessed through discovery, vulnerability assessment, exploitation, and post-exploitation. It then outlines several weaknesses that are commonly leveraged, including lack of security patches, default credentials, excessive network footprint, lack of network segregation, exceptions in configurations, and failure to implement whitelisting over blacklisting. Specific scenarios are provided for each to illustrate how access can be gained and privilege escalated within a network. The document stresses the importance of security fundamentals like patching, access control, and network segmentation.
This document provides an overview of system administration basics including hardware, virtualization, networking, load balancing, databases, monitoring, integration, and vendor management. It discusses topics such as choosing hardware vendors, datacenter requirements, hardware sizing, redundancy, virtualization platforms, application and database server virtualization, networking components like firewalls and switches, load balancing options, database best practices around backups, compression, and indexes, monitoring tools, integration, and managing relationships with software vendors and support.
CNIT 123: 8: Desktop and Server OS Vulnerabilities - Sam Bowne
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
Deploying privileged access workstations (PAWs) is part of a strategy to limit credential theft and lateral movement in an organization's network. PAWs are hardened administrative workstations designed to isolate privileged accounts and limit the exposure of credentials. An effective PAW strategy involves deploying dedicated hardware for administrators, applying security group policies and logon restrictions, and implementing additional controls like multi-factor authentication and device whitelisting.
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_S18.shtml
SnapComms is a communication tool that broadcasts visual content to computers using multiple channels and formats. It is an HTTP-based client/server technology with clients for Windows, Mac, iOS, and Android. The SnapComms server provides access to clients via a web service and supports Active Directory integration. SnapComms prioritizes security and provides 24/7 support.
This document provides an overview of BitLocker encryption in Windows and discusses:
- Why encryption is needed to protect lost or stolen devices and secure data.
- The basics of how BitLocker works including how the full volume encryption key is protected by the volume master key stored on the TPM chip.
- Different protector options for the master key like passwords, USB keys, and TPM authentication.
- Ways an attacker could try to bypass BitLocker including guessing passwords, DMA attacks to access memory, and cold boot attacks.
- Recommendations for implementing BitLocker securely including using a TPM without additional authentication for most devices and disabling DMA ports.
This document discusses various ways that back-end components of web applications can be attacked by injecting malicious code or commands. It provides examples of how user input could be used to exploit vulnerabilities in OS commands, scripting languages, file paths, HTTP requests, and SMTP mail services. The key risks are command injection, path traversal, remote file inclusion, XML external entity injection, and HTTP/SMTP parameter injection. The document also offers suggestions for preventing these attacks, such as input validation, output encoding, and limiting file system and network access.
Integrating security into the application development processJerod Brennen
The document provides an overview of integrating security into the application development process. It discusses seeking to understand development methodologies, programming languages, and risk frameworks. It also covers source code security best practices like code reviews and tools. Application security and software quality assurance testing methods are reviewed. The document also discusses analyzing deployed applications and other considerations like training and metrics. Resources for further learning are provided.
CSF18 - Moving from Reactive to Proactive Security - Sami LaihoNCCOMMS
This document provides an overview of moving from reactive to proactive security. It discusses implementing basic protections like firewalls and BitLocker encryption. It emphasizes applying the principle of least privilege through removing administrator rights and deploying whitelisting solutions like AppLocker. It also recommends blocking lateral movement by securing local administrator accounts and deploying Credential Guard. The document concludes by discussing preparing environments for forensic investigations through tools like Sysmon and advanced threat protection services.
Web Application Firewalls provide security features to protect web applications from common attacks. They operate in either passive or active mode, with active mode blocking attacks. Security policies define rules for requests, responses, URLs, parameters and more. The payment card industry standard requires custom code reviews or a WAF for applications that handle credit cards. Barracuda's Vulnerability Remediation Service integrates with WAFs to perform scans and automatically remediate vulnerabilities.
System Hardening Recommendations_FINALMartin Evans
The document provides system hardening recommendations for Windows 7 workstations and Windows Server 2012 at Verisk Health. It includes recommendations for account policies, local policies, Windows Firewall settings, network list manager policies, and public key policies. The recommendations aim to enhance security by restricting user permissions, enabling encryption, and locking down network access and system objects. Implementing the changes would help protect sensitive data like PHI and PII but also require carefully considering each setting's potential impact.
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
The document discusses security vulnerabilities found in various security appliance products. It describes easy password attacks, cross-site scripting vulnerabilities with session hijacking, lack of account lockouts, and other issues found across email/web filtering, firewall, and remote access appliances from vendors like Barracuda, Symantec, Trend Micro, Sophos, Citrix, and others. Many appliances were found to have command injection flaws allowing root access. Vendors' responses to reported vulnerabilities varied, with some issues getting addressed within months while others saw no fixes. The author advocates defense-in-depth practices and keeping appliances updated with vendor patches.
Bright talk mapping the right aut solution for you 2014 final (1)Sectricity
This document discusses mapping an ideal authentication solution to an organization's IT environment. It summarizes that data breaches are increasing as data moves more widely, requiring authentication approaches to change. Market dynamics are driving convergence of cloud identity and access management with authentication and a shift from hardware-based products to software-as-a-service. The document promotes SafeNet's authentication service, which provides a fully automated, cloud-based strong authentication solution requiring no infrastructure and reducing costs through automation and flexibility. It outlines features like multi-factor authentication options, automated provisioning and reporting, and integration with applications and user directories.
Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
This document provides a checklist for hardening the security of Windows Server systems. It outlines best practices for organizational security, preparing, installing, and configuring Windows Server, as well as user account, network, registry, and general security settings. It also addresses audit policy, software security, and finalization steps like imaging servers. Implementing the guidelines can help reduce security vulnerabilities and the risk of attacks compromising critical systems and data.
This document discusses SQL Server security and provides an overview of SQL Server security best practices and enhancements in SQL Server 2014. It covers categorizing security across IT, physical, political, and SQL Server realms. It outlines best practices for authentication, securing administrator accounts, complex passwords, specific logins, administrator membership, guest access, stored procedure permissions, ports, services, and encryption. New SQL Server 2014 features discussed include transparent data encryption, encryption key management, and new permissions for connecting to any database and impersonating logins.
Windows Azure Multi-Factor Authentication provides an additional layer of security beyond passwords for accessing applications. It works by requiring two or more authentication factors, such as something you know (a password) and something you have (a registered mobile phone). The solution can integrate with on-premises applications and services using an on-premises server, and with cloud applications using Azure Active Directory. Users register their phones through a portal for authentication via calls, texts, or mobile app notifications. The solution is affordable and easy to use compared to hardware tokens since it leverages existing mobile phones.
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
The document discusses security baselines and hardening systems and networks. It covers topics like disabling unused services, using security templates to configure Windows settings, implementing group policy for domain configurations, and applying patches and filters to harden applications, operating systems, databases, and network devices. The document also defines several common acronyms related to information security.
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit SydneyAmazon Web Services
Containers accelerate development. They address the very real challenge of application packaging and delivery. Thanks to containers, teams can quickly and reliably deploy their applications in a variety of environments. But solutions always come with a cost. Containers simplify the developer experience by pushing complexity down into the infrastructure. This shift requires a change in the security approach in order to preserve the advantages containers bring. In this talk, we'll use practical examples to understand the security strategy and tactics you need to continue to accelerate development while meeting your security goals no matter where you're deploying containers.
AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Chicago
Vitaliy Shtym from Trend Micro discusses pragmatic container security. He outlines six key areas to focus on: (1) the container host, (2) the network, (3) the management stack, (4) the build pipeline, (5) the application foundation, and (6) the application. Specific security best practices are provided for securing containers within each of these areas, such as hardening the container host operating system, using intrusion prevention controls, and scanning container images for vulnerabilities before deployment. The goal is to implement defense in depth across the entire container environment.
How we breach small and medium enterprises (SMEs)NCC Group
This document summarizes common techniques used to breach small and medium enterprises. It discusses how networks are typically assessed through discovery, vulnerability assessment, exploitation, and post-exploitation. It then outlines several weaknesses that are commonly leveraged, including lack of security patches, default credentials, excessive network footprint, lack of network segregation, exceptions in configurations, and failure to implement whitelisting over blacklisting. Specific scenarios are provided for each to illustrate how access can be gained and privilege escalated within a network. The document stresses the importance of security fundamentals like patching, access control, and network segmentation.
This document provides an overview of system administration basics including hardware, virtualization, networking, load balancing, databases, monitoring, integration, and vendor management. It discusses topics such as choosing hardware vendors, datacenter requirements, hardware sizing, redundancy, virtualization platforms, application and database server virtualization, networking components like firewalls and switches, load balancing options, database best practices around backups, compression, and indexes, monitoring tools, integration, and managing relationships with software vendors and support.
CNIT 123: 8: Desktop and Server OS VulnerabilitiesSam Bowne
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
Security in the cloud Workshop HSTC 2014Akash Mahajan
A broad overview of what it takes to be secure. This is more of an introduction, where we introduce the basic terms around cloud computing and how to go about securing our information assets (data, applications and infrastructure).
The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.
Shared Security Responsibility for the Azure CloudAlert Logic
This document discusses shared security responsibility in Azure. It provides an overview of security best practices when using Azure, including understanding the shared responsibility model, implementing network security practices, securing data and access, securely developing code, log management, and vulnerability management. It also describes Alert Logic security solutions that can help monitor Azure environments for threats across the application stack.
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
Nowadays having a proper security configuration is a huge challenge, especially looking at the global hacks and personal data leak incidents that happened in IT a while back. Oracle EBS is not perfect and has lots of vulnerabilities covered by Oracle almost every quarter. A very small percentage of Apps DBAs know all the features and options available, and usually do not go beyond the firewall/reverse proxy layer.
This presentation is going to cover an overview and recommendations of options and security features that are available and can be used out-of-the-box, and some of the non-trivial configurations that can help to keep your Oracle EBS system protected, per our experience.
The cloud is a cost-effective way to provide maximum accessibility for your customers. However, organizations often fail to optimize and configure it properly for their environment, leaving them inadvertently exposed.
These slides are from our recent webinar covering proven techniques that reduce cloud risk, including:
• Building applications to leverage automation and built-in cloud controls
• Securing access control and key management
• Ensuring essential services are running, reachable, and securely hardened
Cloud Design Patterns at Carleton University
External Config Pattern, Cache Aside, Federated Identity Pattern, Valet Key Pattern, Gatekeeper Pattern, Circuit Breaker Pattern, Retry Pattern and the Strangler Pattern. These patterns depict common problems in designing cloud-hosted applications and offer design guidance for each.
As organizations shift control of their infrastructure and data to the cloud, it is critical that they rethink their application security efforts. This can be accomplished by ensuring applications are designed to take advantage of built-in cloud security controls and configured properly in deployment.
Attend this webcast to gain insight into the security nuances of the cloud platform and risk mitigation techniques. Topics include:
• Common cloud threats and vulnerabilities
• Exposing data with insufficient Authorization and Authentication
• The danger of relying on untrusted components
• Distributed Denial of Service (DDoS) and other application attacks
• Securing APIs and other defensive measures
The document discusses the basics of IT security including the CIA triad of confidentiality, integrity and availability. It also covers common security concepts such as assets, vulnerabilities, threats, countermeasures and risks. Additionally, it summarizes authentication, authorization and accounting (AAA) protocols, common attacks and how to implement secure network architecture.
This document discusses Alert Logic's Security-as-a-Service offering which provides an integrated multi-layer security solution to protect enterprise applications and cloud workloads across hosted data centers and hybrid environments. It protects against web application attacks, server and network activity, and vulnerabilities across software stacks. Alert Logic also provides security experts and services including assessment, blocking, detection, and compliance. The document then discusses best practices for securing an AWS environment including logical network segmentation, access management, configuration management, and understanding the shared responsibility model between cloud providers and customers.
This document discusses anatomy of cloud hacks by analyzing past data breaches and vulnerabilities. It begins by looking at known attacks where compromised infrastructure was based in the cloud. Specific case studies of attacks on Code Spaces, Olindata, and Tesla are described. The document then covers techniques for enumerating cloud services and resources like storage containers. Methods for gaining an initial foothold like leaked credential hunting and exploiting server-side request forgery are also outlined.
Controlling Access to IBM i Systems and DataPrecisely
Security best practice and regulations such as SOX, HIPAA, GDPR and others require you to restrict access to your critical IBM i systems and their data, but this is easier said than done. Legacy, proprietary access protocols now co-exist with new, open-source protocols to create access control headaches.
View this webcast on-demand for an in-depth discussion of IBM i access points that must be secured and how exit points can be leveraged to accomplish the task. We’ll cover:
• Securing network access and communication ports
• How database access via open-source protocols can be secured
• Taking control of command execution
Enterprise Node - Securing Your EnvironmentKurtis Kemple
This document discusses securing an enterprise Node.js environment. It recommends using Node LTS versions for stability, containerizing applications for isolation, and securing dependencies by whitelisting modules. It also covers authenticating users with JWT, authorizing access with scopes and roles, validating input data, encrypting sensitive data, and ensuring HTTPS is used everywhere. Securing the runtime is important to protect the company from threats, improve confidence, and meet regulations.
The Spy Who Loathed Me - An Intro to SQL Server SecurityChris Bell
You have lots of data you have painstakingly collected over the years. How do you ensure that data is protected from hackers, spies and other ne’er-do-wells? Understanding the vast array of security features available in SQL Server is the first step in helping you determine what actions you need to take now to protect your data.
Database Security Threats - MariaDB Security Best PracticesMariaDB plc
The document discusses security best practices and features for MariaDB and MaxScale databases. It describes threats like SQL injection, denial of service attacks, and excessive trust. It recommends defenses like limiting network access, restricting user privileges, and enabling encryption, auditing, and firewall features. It also explains how MaxScale provides selective data masking, database firewall filtering, and other protections to prevent unauthorized access and secure sensitive data.
Web application security is complex due to a wide range of attacks at every layer of the application stack. Hackers use various reconnaissance methods like crawling target websites, mass vulnerability scans, open forums, and the dark web to find vulnerabilities. They then attempt to escalate privileges to access sensitive data and maintain remote access. Organizations need to implement strategies like secure coding practices, access management policies, patching, and monitoring to help protect their applications and data. Cloud security is a shared responsibility between the provider and customer.
Going outside the application
1. Going Outside
the Application
Securing the Environment for Blackboard Learn
Matthew Saltzman, Security Engineer
Blackboard Inc.
2. ABOUT ME
Matthew Saltzman
Security Engineer
Blackboard Inc.
matthew.saltzman@blackboard.com
I have been at Blackboard for over 5 years, 4 of those in Blackboard Support
3. INTRODUCTION
• Blackboard contains Sensitive Information
• Names
• Addresses
• Social Security Numbers
• Should be removed if present
• Grade Information for Courses
• This data must be protected
• Securing the application can only be one component in securing this information
• Also need to secure the environment it runs on
4. COMPONENTS TO
SECURE
• Application
• Network
• Operating System
• Database
• 3rd Party components external to Blackboard
• Institution Policies
5.
6. SSL
• Protection against network monitoring tools
• Traffic Sniffing
• Protection against Man in the Middle Attacks
• Easy to configure Blackboard to use SSL
• Requires an SSL certificate from a signing authority (SA)
• Configure webserver to use SSL certificate
• Turn on SSL
• Through the Application
• Via SSL offloading
7. TYPES OF
CERTIFICATES
Regular SSL Certificate
• single site
• up to 256-bit encryption
EV Certificate
• single site
• up to 256-bit encryption
• Much stricter issuing criteria
Wildcard Certificate
• multiple sites in the same domain
• up to 256-bit encryption
Intermediary Certificate
• single site
• Used in conjunction with a Wildcard Certificate to validate the identity of the individual site
8. ALTERNATE CONTENT
DOMAIN
• Purpose: XSS Prevention from files
• Creates a single-use session for downloading the file
• Prevents session stealing from main Blackboard session
• Expires as soon as the file is downloaded
• Requires separate SSL certificate for alternate domain
• Otherwise SSL errors will appear
9. CHANGES DUE TO
ALTERNATE DOMAIN
Without Alternate Domain for serving content:
With Alternate Domain for serving content:
10. PATCHES AND
UPGRADE SCHEDULE
• Application Vulnerabilities often fixed via patches
• Released via bbpatch
• Publish a Security Advisory to Behind the Blackboard
• Not all vulnerabilities fixed this way
• Too complex a fix
• Fixed by a new security feature
• Capturing Security Events (SP12)
• Secure User Password Storage (SP12)
• Keep Blackboard version up to date as well
11.
12. FIREWALL
• Helps prevent unauthorized access to the server
• Limits access to allowed ports
• Blocks access from devices that should not have access
• Required Ports (Defaults):
80 - HTTP port
443 - SSL port
8009 - Tomcat Port number
8005 - Tomcat Shutdown Port
8010 - Collab TCP Port
8011 - Collab HTTP Port
8443 - Collab SSL Port
8006 - Collab Shutdown Port
1521 - Oracle DB
1433 - SQL Server
8016 - BBExec Service Port
61616 - ActiveMQ Port
13. DEMO
• How Firewalls help prevent network penetration
• Demonstration of how port scanning works
15. NETWORK
SEGMENTING
• Different types of servers should be in different network zones
• DMZ – perimeter network containing external facing servers
• Most vulnerable
• Any other network zone – Should not contain external servers
• Firewall present between DMZ and rest of network
• Application servers should be in the DMZ
• Database should not
17. TRAFFIC SHAPER
• Device that does “Rate Limiting” on network traffic to specific devices
• Packet Shaping
• Helps prevent DoS attacks
• Slows rate of traffic hitting server
• Requires statistics
• Expected Incoming Traffic
• Acceptable incoming traffic Rates
• Traffic rate too low causes performance issues for end users
• Traffic rate too high could allow DoS attack to succeed
• Could be done through Load Balancer
19. SSL OFFLOADING
• Can use either Load Balancer or specific offloading tool (SSL Accelerator)
• Cuts down cost of encryption
• Tool (Load Balancer or otherwise) much faster at encryption than Application Server
• Allows Longer SSL encryption key
• Thus, helps prevent DoS due to SSL
20. INTRUSION DETECTION/
PREVENTION SYSTEM
• Monitors network for malicious traffic
• Can take various actions when discovered:
• Send an Alert
• Log malicious traffic for review
• Drop malicious traffic (Prevention only)
• Can be configured using custom rules
• Different types
• Network Based – prevents network attacks
• Host based – prevents OS level attacks
• Some examples (Open Source):
• Snort (Network IPS)
• OSSEC (Host IPS)
• Suricata (Network IPS)
24. ALTER PORTS,
REMOVE BANNERS
• Port Scans
• Tells scanner which ports are open
• Reports any banners associated with open ports
• Default ports describe which application is running
• Therefore, do not use default ports
• Exceptions: ports 80 and 443
• Banners on ports explain what non-default ports do
• Therefore, remove any descriptions of the ports as well
27. PROTECT ANY
OPERATING SYSTEM
• Keep Operating System up to Date
• OS Patches
• Application/Service Packs
• Dedicate Servers to specific tasks
• Prevents vulnerabilities in one application or task from affecting others
• Use domain accounts for users
• Allows for simpler auditing of user activity
• Require strong passwords for all accounts
• Helps prevent unwanted access to servers
28. DEMO
• Why dedicating servers to specific tasks is a good idea
• Insecure tool running on same server as Blackboard
33. SECURING LINUX
SERVERS
• Require SSH instead of Telnet
• Telnet is insecure
• Traffic sniffing Telnet session is possible
• Use public/private key authentication
• Private Key file never leaves the client machine
• Private key cannot be computed from public key
• Add a strong passphrase to the private key file
• Prevents a user from using a stolen private key
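The slide asks for key-based SSH logins with Telnet gone; on the server side that means sshd must actually refuse password logins, not just accept keys. The following check, added here as an example and not part of the original deck, reads an sshd_config the way sshd does (first occurrence of a directive wins) and reports every directive that still allows weaker access. It runs against two constructed sample files so it works offline; the exact set of required directives, including insisting on PermitRootLogin no, is an assumed policy.

```shell
#!/bin/sh
# Added example (not from the original deck): audit an sshd_config for the
# settings the slide calls for. Point audit_sshd_config at /etc/ssh/sshd_config
# on a real server; the sample files below are constructed for demonstration.

# First effective value of a directive (lower-cased), or "" if it is not set.
# sshd honours the first occurrence, so later duplicates are ignored here too.
sshd_first_value() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# sshd_want CFG DIRECTIVE EXPECTED UNSET_OK
#   UNSET_OK=yes when sshd's compiled-in default already equals EXPECTED.
sshd_want() {
  val=$(sshd_first_value "$1" "$2")
  if [ -z "$val" ]; then
    if [ "$4" != yes ]; then
      echo "FINDING: $2 not set and the default is not acceptable; set '$2 $3'"
      sshd_findings=$((sshd_findings + 1))
    fi
  elif [ "$val" != "$3" ]; then
    echo "FINDING: $2 is '$val'; set '$2 $3'"
    sshd_findings=$((sshd_findings + 1))
  fi
}

# Print one line per finding; return 0 when the file is clean, 1 otherwise.
audit_sshd_config() {
  sshd_findings=0
  sshd_want "$1" PubkeyAuthentication           yes yes  # default yes
  sshd_want "$1" PasswordAuthentication         no  no   # default yes: must be explicit
  sshd_want "$1" PermitEmptyPasswords           no  yes  # default no
  sshd_want "$1" ChallengeResponseAuthentication no  no  # default yes
  sshd_want "$1" PermitRootLogin                no  no   # assumed policy: stricter than the default
  [ "$sshd_findings" -eq 0 ]
}

# Constructed samples: one still accepts passwords and root, one is hardened.
SAMPLE_WEAK=$(mktemp)
SAMPLE_HARD=$(mktemp)
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_HARD"' EXIT
cat > "$SAMPLE_WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
cat > "$SAMPLE_HARD" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
EOF

audit_sshd_config "$SAMPLE_WEAK" || echo "weak sample: changes required"
audit_sshd_config "$SAMPLE_HARD" && echo "hardened sample: clean"
```

The commented-out `#PasswordAuthentication no` line in the weak sample is deliberate: it is the most common way a server that "has key auth" still takes passwords, and the check treats it as unset.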
35. APACHE2
• All Linux application servers should run Apache2
• Added security, as it is the current version
• Can keep up-to-date with patches and new versions
• Does not require Blackboard intervention
• Can add MOD_SECURITY
• Application firewall
• Can prevent some application vulnerabilities
• Not easy in Blackboard Apache, if even possible
• Allows for audit logging of HTTP
• Information about potential malicious activity within the application
38. SECURING WINDOWS
SERVERS
• Group Policy
• Strong password Requirements
• Require password changes often
• Audit log (covered earlier)
• IIS Settings
• IIS User with minimal permissions to everything except application
• MOD_SECURITY for IIS possible
• SCW (Security Configuration Wizard)
• Wizard for setting security configuration
39.
40. UNIQUE DATABASE
CONCERNS
• Contains all data from the application
• Need to configure OS Security
• Access to the OS means access to the DB, usually
• Also need database specific security
• DB is meant to be accessed remotely
41. DATABASE USER
SECURITY
• Strong Database Passwords
• Should not match OS Passwords
• Each Password should be Unique
• Users should not use system accounts
• sa, root, master, etc.
• Allows for auditing of individual users’ activity
42. DATABASE SECURITY
MEASURES
• Limit DB permissions to bare minimum
• Helps prevent database privilege escalation
• Limit login by IP Address
• Prohibits access to Database by unauthorized machines
• Potential Solution:
• Encrypt traffic to and from Database
• Please performance test this first, may not perform well
43.
44. REDIS
• 3rd Party Caching Database
• Blackboard Developed B2 to replace server caches
• See Nori’s presentation on performance impact:
• 8:30 – 9:15 AM Tuesday in Murano 3301B
45. REDIS SECURITY
FEATURES
• Should never manually log into Redis cache
• Password should be far more complex than normal
• Stored in a properties file
• Block Unused Redis commands
• Prevent users who gain access from affecting Redis in unauthorized ways
• Keep Redis Application up to date
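The three Redis points above (a password nobody types by hand, unused commands blocked, only the application able to reach it) map directly onto redis.conf directives. The script below, added here as an example and not part of the original deck or the Blackboard B2, generates a long random password and prints a hardened configuration fragment. The `requirepass`, `rename-command`, `bind` and `protected-mode` directives are standard redis.conf settings; the interface address and the list of commands to disable are assumptions you should match to what the cache client actually uses.

```shell
#!/bin/sh
# Added example (not from the original deck): emit a hardened redis.conf
# fragment. The address and disabled-command list are assumed values.

# 48 random bytes rendered as 96 hex characters. Generated once, pasted into
# redis.conf and the application's properties file, never typed interactively.
redis_generate_password() {
  head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# redis_hardened_conf BIND_ADDR PASSWORD [COMMAND ...]
# Each COMMAND is renamed to the empty string, which removes it for every client.
redis_hardened_conf() {
  bind_addr=$1
  password=$2
  shift 2
  echo "bind $bind_addr"          # listen on the application network only
  echo "protected-mode yes"       # refuse non-loopback clients if bind/auth are misconfigured
  echo "requirepass $password"
  for cmd in "$@"; do
    echo "rename-command $cmd \"\""
  done
}

# Commands a pure cache client has no reason to issue (assumed list; verify
# against the B2 before disabling anything it needs).
REDIS_DISABLED="FLUSHALL FLUSHDB CONFIG DEBUG SHUTDOWN"

# Example run with a constructed application-network address.
REDIS_PASSWORD=$(redis_generate_password)
redis_hardened_conf 10.0.2.15 "$REDIS_PASSWORD" $REDIS_DISABLED
```

Redirect the output into a file, review it, and then restart Redis; the same password then goes into the properties file the slide mentions, and the Redis port stays closed to everything except the application servers at the firewall.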
46. OTHER 3RD PARTY
APPLICATIONS
• Understand scope of server
• What needs to access it
• Expected network traffic
• Expected paths to and from server
• Size the application properly
• Utilize all security features of the application
• Secure the server itself
47.
48. INSTITUTION
POLICIES
• Policies meant to encourage secure behavior by all personnel
• Help to prevent privileged user mistakes
• Such as sharing security information at a bar
49. PASSWORD POLICIES
• Strong passwords should be encouraged
• Require minimum password strength
• Require users to change passwords often
• Do not re-use passwords
• Do not share passwords
• Can prevent malicious user from accessing privileged account
• Privileged accounts can bypass most security
• Renders all previous actions essentially moot
50. DOMAIN USER
POLICIES
• Each user has a domain account
• Each account has a set of associated roles
• Defines level of access
• Administration
• IIS/Apache
• Etc.
• Limit Access to servers or admin features by role
• Prevents unauthorized or unexpected access
51. THANK YOU!
Matthew Saltzman
Security Engineer
Blackboard Inc.
matthew.saltzman@blackboard.com
Editor's Notes
Begin by blocking all ports
Open Loopback, and remote connection ports
Each AppServer
Open Port 443 (and 80 without SSL System Wide) to all traffic in and out
Open Ports 8009, 8005 to the local server and all other appservers only
Open Port 8016
Collab Server
Open the Collab Ports (8010, 8011, 8443, 8005)
Database Server
Open DB Port (1521 for Oracle, 1433 for SqlServer) to all appservers
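The firewall notes above and the default port list on the firewall slide describe one procedure: block everything, open loopback and the remote-connection port, then open only what each server role needs, with Tomcat and database ports reachable from the app servers alone. The function below, added here as an example and not part of the original deck, turns that procedure into an iptables rule set for a given role. It prints the rules rather than applying them so they can be reviewed first. Peer addresses are constructed placeholders, SSH on port 22 is assumed to be the "remote connection" port, and the choice of iptables is itself an assumption (the deck does not name a firewall product).

```shell
#!/bin/sh
# Added example (not from the original deck): print an iptables rule set for a
# Blackboard Learn host role, following the order in the editor's notes. Port
# numbers are the defaults from the firewall slide; addresses are constructed.
#
# bb_firewall_rules ROLE "PEER PEER ..." [OPTION]
#   ROLE    appserver | collab | database
#   PEERS   app server addresses allowed to reach Tomcat and database ports
#   OPTION  appserver: "nossl" also opens 80 (SSL not enabled system wide)
#           database:  listener port, default 1521 (Oracle); 1433 for SQL Server
bb_firewall_rules() {
  role=$1
  peers=$2
  opt=$3
  ssh_port=${BB_SSH_PORT:-22}   # assumption: SSH is the remote-connection port

  # 1. Begin by blocking all inbound and forwarded traffic. Outbound keeps the
  #    default ACCEPT policy; replies to connections we opened are allowed back.
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # 2. Open loopback and the remote-connection port.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT"

  case $role in
    appserver)
      # 443 (and 80 without SSL) to all traffic
      echo "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"
      if [ "$opt" = nossl ]; then
        echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
      fi
      # 8009 (Tomcat) and 8005 (Tomcat shutdown): other app servers only; the
      # local server is already covered by the loopback rule above.
      for peer in $peers; do
        echo "iptables -A INPUT -s $peer -p tcp -m multiport --dports 8005,8009 -j ACCEPT"
      done
      echo "iptables -A INPUT -p tcp --dport 8016 -j ACCEPT"   # BBExec service
      ;;
    collab)
      echo "iptables -A INPUT -p tcp -m multiport --dports 8010,8011,8443,8005 -j ACCEPT"
      ;;
    database)
      dbport=${opt:-1521}
      # Database listener reachable from the app servers only
      for peer in $peers; do
        echo "iptables -A INPUT -s $peer -p tcp --dport $dbport -j ACCEPT"
      done
      ;;
    *)
      echo "unknown role: $role" >&2
      return 1
      ;;
  esac
}

# Example run with constructed app server addresses; review, then pipe to sh
# on the host (for example: bb_firewall_rules appserver "..." | sh).
bb_firewall_rules appserver "10.0.1.11 10.0.1.12"
```

Because the policy is DROP before any ACCEPT is added, run this from a console or with the SSH rule verified first; the ESTABLISHED,RELATED rule is what keeps an existing administrative session alive while the rest of the set is applied.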
Windows: Group Policy Manager: gpedit.msc
Linux: /etc/audit/auditd.conf and /etc/audit/audit.rules.