An Introduction to PowerShell for Security Assessments (EnclaveSecurity)
With the increased need for automation in operating systems, every platform now provides a native environment for automating repetitive tasks via scripts. Since 2007, Microsoft has gone “all in” with their PowerShell scripting environment, providing access to every facet of the Microsoft Windows operating system and services via a scriptable interface. Not only can administrators completely administer and audit an operating system from this shell, but almost all Microsoft services, such as Exchange, SQL Server, and SharePoint, as well. In this presentation James Tarala of Enclave Security will introduce students to using PowerShell scripts for assessing the security of these Microsoft services. Auditors, system administrators, penetration testers, and others will all learn practical techniques for using PowerShell to assess and secure these vital Windows services.
Attacking and Defending Autos Via OBD-II from escar Asia (Digital Bond)
This presentation from escar Asia does go into detail on the Progressive Snapshot dongle security problems, but it also addresses common issues found in ICS security and the path forward: for example, the insecure-by-design problem, the lack of thought given to embedded product security, the importance of a security perimeter as the immediate best security solution, and the medium- to long-term solutions.
Bryan Owen of OSIsoft at S4x15 OTDay.
Bryan shows how to harden a Windows service generically, and then specifically a service used by OSIsoft's PI Server.
Using Assessment Tools on ICS (English) (Digital Bond)
Dale Peterson of Digital Bond describes the methodology of using security assessment tools on an operational ICS. He also discusses how to best use the features and functions of these tools.
Webinar - Patch Management: Keep up with security updates by using SysKit (SysKit Ltd)
When it comes to patch management, we can provide you a complete inventory of everything that is installed on every server or any workstation that’s been monitored. With SysKit, you can get reports on time, schedule a time for an update, check available security updates and current version on your system, keep track of planned or unplanned system reboots, and much more.
Learn more at: https://www.syskit.com/blog/patch-management-with-syskit-keep-up-with-security-updates/
Patch management is critical to reducing your attack surface and keeping your endpoints and business running smoothly. Unfortunately, it's also a process that must be repeated weekly, monthly, quarterly, and whenever critical fixes have been identified for your environment. The good news is: with the right tools and some advance planning, this process can run smoothly and leave your IT team with more time to support core business goals.
Join us to learn about trends in patch management, including the latest ways Ivanti is helping Security and IT teams work together like a well-oiled machine.
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve... (Digital Bond)
Each SCADA network, in a healthy state, presents a specific quality of service (QoS) which rarely changes given the repetitive process of the IACS operations. The continuous monitoring of QoS parameters of an automation network may anticipate problems such as malware contamination and equipment failures like switches and routers. It is very important to be aware of these changes in behavior in order to receive alerts and promptly handle them, avoiding incidents that could compromise the operation of the network and be financially or environmentally costly.
In this session Mr. Branquinho presents the results of tests that measured the performance parameters of a simulated automation network using a small SCADA network sandbox. First, the normal operating parameters of the network were measured. Next, several attacks were launched against the simulated automation network. At the conclusion of the work, the graphs of the network in a healthy state were compared with the graphs of the network during the security incidents described above. The session will show how the network parameters were affected by each kind of incident and presents a table showing how the main parameters of an automation network were affected by the attacks.
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o... (Digital Bond)
This session will cover the pros and cons of virtualization as well as lessons learned from real-world virtualization of DCS environments. Chris has deployed virtualization in ICS with and without ICS vendor cooperation.
Securing your Windows Network with the Microsoft Security Baselines (Frank Lesniak)
IT professionals everywhere strive to secure their network, but it can be a daunting task. Luckily, Microsoft provides some boilerplate templates to get you started.
In this session, Frank begins by providing an overview of the Microsoft Security Baselines: what they are and how they relate to the Center for Internet Security (CIS) Benchmarks, why Security Baselines are important (especially in PCI- or HIPAA-regulated environments), what to expect to change when implementing a baseline, and when it is appropriate to implement a Microsoft Security Baseline. He also provides project success criteria.
Then it's time for the details: Frank explains how to inventory your systems, how to download the Microsoft Security Baselines, how to apply your first Baseline to Active Directory, and how to manage the implementation---including recommendations on how to make changes (or "overrides") to the Security Baselines both from a process standpoint and a technical standpoint (using Group Policy Management).
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ... (Digital Bond)
The Control System Security Center (CSSC) in Japan has an active project in their lab to apply process white list control and computer resource access control to Windows servers and workstations in an ICS. These security controls can be very effective in ICS computers that are relatively static as compared to corporate network systems.
The process white list control limits process creation based on parent-child relation, the SHA1 hash value of the executable file, and conflict of interest. The computer resource access control limits access from a process to files, the network (IP address and port), and devices. Attend this session to learn how CSSC is applying this technology and the lessons learned in the lab environment.
Presenter: Mike Firstenberg, Waterfall Security Solutions
NIST, NERC CIP, the ISA/IEC and other authorities are adjusting their advice for secure industrial networks to include at least one layer of hardware-enforced unidirectional communications. Many security practitioners are familiar with specific applications of Unidirectional Security Gateway technology, but fewer have seen how widely the technology is being deployed throughout the electric sector.
Join us to review comprehensive unidirectional network architectures for generation, transmission, distribution, high-voltage substations, and control centers/TSO’s/balancing authorities. In each vertical we review use cases, examine NERC CIP compliance implications and cost savings, and compare the strength of each architecture with legacy firewall-based designs.
Unidirectional Security, Andrew Ginter of Waterfall Security (Digital Bond)
This presentation reviews the spectrum of perimeter solutions based on unidirectional technology - solutions that are being deployed to protect the safety and reliability of industrial control systems. Learn why the technology is truly unidirectional based on physics and different ways it can be used in SCADA and DCS.
Many practitioners find parts of the spectrum to be counter-intuitive. Further, some parts of the spectrum are straightforward to deploy, and others require that practitioners take some care to ensure that the results really are as strong as they should be. Technologies and techniques covered include unidirectional gateways, secure bypass, temporary/programmed gateway reversals, opposing gateways, secure remote access, and parallel operations and IT WANs.
Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers.
Havex is the second ICS malware ever seen in the wild.
All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.
Decrease your HMI/SCADA risk
Key steps to minimize unplanned downtime and protect your organization
With 73% of all cyber attacks last year happening on web applications*, there’s little doubt that application layers and web-related attacks pose a significant risk to most organizations. However, typical investment to protect common attack targets (content management systems and ecommerce platforms) does not correspond to that risk.
This webinar examines the growth of applications in enterprise architecture and the risks associated with agile development, plus expert advice and real-world examples on how to scope and build a successful application security program that will maximize coverage and optimize your limited resources.
Cyber security series: administrative control breaches (Jim Kaplan CIA CFE)
This webinar series is designed to help internal auditors looking to equip themselves with the competencies and confidence to handle audits of IT controls and information security, and to learn about emerging technologies and their underlying risks.
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 8 of 10
This Webinar focuses on Administrative Control Breaches
• Security Administration
• Purpose of Security Tools
• Examples of Security Tools
• Security Incident Manager (SIM)
• Problems with Security Administration
• Improving Administration
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021 (Teemu Tiainen)
The great cyber security expert Sami Laiho returned as a keynote speaker with the theme of Zero Trust, but this time from the point of view of securing endpoint applications.
Sami Laiho is an internationally renowned and recognized specialist in access rights and endpoint security. In this webinar, Laiho and Centero's Juha Haapsaari discussed the Zero Trust model and securing endpoint applications – even in environments of over 100,000 workstations.
These are some of the themes we covered:
• How to ease your workload with allow-listing.
• Is allow-listing difficult? (A hint: it is not.)
• Implementing AppLocker to trim down your application portfolio.
• Restricting admin rights to control your IT environment.
• Managing and updating applications after allow-listing operations.
Zero Trust is a new paradigm for cyber security in organizations. Modern IT environments are complex by nature, and both users and devices are constantly on the move. Traditional methods are not sufficient to properly secure this kind of environment, and that’s where Zero Trust comes in.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
The Great Disconnect of Data Protection: Perception, Reality and Best Practices (iland Cloud)
iland and Veeam recently conducted a data protection survey of IT organizations worldwide. In this webinar, we summarize and analyze the survey responses so you can understand today’s data protection landscape. Then, we cover best practices that can help ensure that your organization, and its data, are properly protected.
Watch the webinar on-demand: https://www.iland.com/wb-data-protection-report/
45 Minutes to PCI Compliance in the Cloud (CloudPassage)
Join CloudPassage CEO, Carson Sweet and Sumo Logic Founding VP of Product & Strategy, Bruno Kurtic, for a webinar on “45 minutes to PCI Compliance in the Cloud”.
What You Will Learn:
-Understand the typical challenges faced by enterprises for achieving PCI on cloud infrastructure
-Learn how purpose-built SaaS-based cloud security solutions can save you tens of thousands in audit costs by speeding your time to compliance
-Get a quick demo of the CloudPassage Halo and Sumo Logic solutions that provide the telemetry and query/reporting engines respectively for cloud PCI
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint... (Mike Spaulding)
Signatures are dead! We need to focus on machine learning, artificial intelligence, math models, lions, tigers and bears, Oh My!! - STOP!! - How many times have we heard all these buzzwords at conferences, or our managers saying that solution X will solve all our problems. I don't know about you, but I was tired of listening to the hype and the over-use of these terms that really made no sense.
One thing is true, signatures are dead. Today's malware is created with obfuscation and deception and our opponents do not play fair. Do you blame them? They want to get in. Who needs to rob a bank anymore at gun point when the security door is left open and traps are easy to bypass. Thank you Powershell! So what's the answer? Is it Next Generation AV or EDR, or it is Security 101? Over the past 5 months, we have invested significant time building a business case for an Endpoint protection system - understand the problem, creating testing scenarios to evaluate 5 solutions in the market. Over 30,000 pieces of malware were put to the test from our internal private collection, as well as known and unknown samples freely available. With all of the marketing hype, brochureware and buzzwords, it's hard to know what's the real deal. As we talk to colleagues from other companies, one thing is clear, many still struggle with good testing methodologies, what malware to test and how to test their endpoint security.
We will discuss key considerations used in our decision-making process. Testing malware for our company was important, but it was not our only testing criterion. We looked at the ease of installation of the agent, the usability of the UI, SaaS, on-prem and hybrid deployment, reporting, performance of the agent using different system resources, how much the agent relied on its cloud intelligence compared to on-box performance, PowerShell scenarios, and a variety of other factors. Companies additionally need to take into consideration the cost of any potential new infrastructure, cost per seat, professional services, one-off costs, 1-, 2- and 3-year terms and other factors. Ultimately, we want to extend our resources to help others in the industry and discuss key differences between the solutions that were evaluated.
Because many organizations don't perform security unless they have to, more than 80% of all web applications are being exposed to vulnerabilities. In comes regulation. There are a number of different industries other than financial and healthcare that deal with PII and PHI but are either not regulated at all or are regulated very loosely. This presentation will discuss the various regulations (PCI, SOX, HIPAA, etc.) and what each does to address web application security, if any, as well as the shortcomings of each. Finally, it will further address industries that need to be more strictly regulated in order to better protect personal information.
Andrew Weidenhamer, Senior Security Consultant, SecureState
Andrew Weidenhamer, Senior Security Consultant, joined SecureState in January 2008. As a former member of the Profiling Team, Andrew performed technical security assessments on a weekly basis. These assessments included Internal and External Attack and Penetration Assessments, Wireless Penetration Assessments, Web Application Security Reviews, Physical Penetration Tests, and Social Engineering Assessments.
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not Learned (Joel Cardella)
17 years after the Challenger disaster, NASA suffered another loss of life when Columbia burned up on re-entry. Compounding this tragedy was the fact that all the failures of Challenger were repeated. This talk looks at some of those reasons and how to learn the lessons so they won't be repeated.
This talk is a summarized view of the various other talks in my profile. It was given to TACOM HQ LCMC as part of the "Our Shared Responsibility" initiative.
This is a good topical overview with some technical information.
GRRCON 2013: Imparting security awareness to all levels of users (Joel Cardella)
My GRRCON 2013 talk on imparting security awareness. This is based on a highly successful and well received awareness program I created and rolled out for both blue collar and white collar users.
INFRAGARD 2014: Back to basics security (Joel Cardella)
This talk focuses on getting Back To Basics with security controls. Too many enterprises are focusing on the wrong threats and spending money in the wrong places. Often overlooked are our basic security controls that require care and feeding, and regular review. This talk focuses on a few of those areas.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx (Brad Spiegel Macon GA)
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
This 7-second Brain Wave Ritual Attracts Money To You! (nirahealhty)
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i... (JeyaPerumal1)
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
GrrCon 2014: Security On the Cheap
1. SECURITY ON THE CHEAP
Practical Application Of Back to Basics Methods
Joel Cardella GrrCon 2014
2. BIOGRAPHICAL INFO
• Joel Cardella
• 20 years in Information Technology .. Blah blah blah
• Currently Regional Security Officer for multinational industrial manufacturing organization
• Passionate evangelist of infosec
• But none of this matters because basics is a common sense method
7. • “…if your roof has leaks, you fix the leaks in the roof before you remodel the house, right ?”
• John Pescatore, SANS
• http://www.techrepublic.com/blog/tech-decision-maker/it-security-fix-the-leaky-roof-before-remodeling-the-house/
WE ARE ALL SAYING THE SAME THING
8. BASICS FOCUS
Diagram: Prevention, Detection, Response and Recovery arranged around Risk
Basics does not address advanced threats!
9. WHAT RISK CAN WE CONTROL?
None of these values is ever zero, but we should work toward zero
THREATS X VULNERABILITIES X TIME = RISK
Threats: no control
Vulnerabilities: indirect control (vendor reliance)
Time: direct control (issuing patches & updates)
10. SECURITY BASICS
• Security requires resources; you must invest to get a return
• If you don’t invest the resources, you will increase the vulnerability and likelihood, and thus the risk
• If you can’t invest money, then you invest time
• NOW: How do we do this cheaply?
12. WHAT ARE YOUR STANDARDS?
• Critical Security Controls (SANS 20)
• Australian Defence Signals Directorate (DSD)
13. CSC FIRST FIVE QUICK WINS
• For those wanting a highly focused and direct starting point, we have emphasized the “First Five Quick Wins”: sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of:
• 1. Application whitelisting (found in CSC 2 / DSD 1);
• 2. Use of standard, secure system configurations (found in CSC 3);
• 3. Patch application software within 48 hours (found in CSC 4 / DSD 2);
• 4. Patch system software within 48 hours (found in CSC 4 / DSD 3); and
• 5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12 / DSD 4).
14. THE FIRST FIVE
Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration
Application whitelisting | Essential | Medium | High | Medium | Yes | Yes | Yes | Yes
Standard configurations | Essential | Low | Medium | Medium | Possible | Yes | Yes | Yes
Patch applications < 48 hrs | Essential | Low | High | High | No | Yes | Possible | No
Patch operating system vulnerabilities < 48 hrs | Essential | Low | Medium | Medium | No | Yes | Possible | No
Restrict administrative privileges | Essential | Medium | Medium | Low | No | Possible | Yes | No
Pareto Principle – 20% of our focus can address 80% of our risk
Focusing on these 5 will address 80% of your risk – Australian DSD
15. FIRST FIVE QUICK WINS
• For those wanting a highly focused and direct starting point, we have emphasized the “First Five Quick Wins”: sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of:
• 1. Application whitelisting (found in CSC 2 / DSD 1);
• 2. Use of standard, secure system configurations (found in CSC 3);
• 3. Patch application software within 48 hours (found in CSC 4 / DSD 2);
• 4. Patch system software within 48 hours (found in CSC 4 / DSD 3); and
• 5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12 / DSD 4).
17. QUICK WINS DEEP DIVE
• Assess (PLAN)
• Focus (DO)
• Measure (CHECK)
• Remediate (ACT)
20. CAVEAT EMPTOR
• I will not discuss a tool in context of use unless:
• I have used it myself and found it to be effective
• It is being used effectively by a peer whom I trust
• I am going to focus on Windows systems as being higher risk than others, mostly due to proliferation and ubiquity
21. CHEAP <> FREE
• Cheap is not permanent, it is a bridge
• Cheap is relative
• Included with other stuff (like an EA)
• Low cost for an enterprise
• Open source / FOSS
• Cheap is more expensive in terms of time when used to cut corners
22. TOOLS FOR CONTROLS
• CSC 1 - NMAP
• CSC 2 – SCCM
• Whitelisting can be implemented using commercial whitelisting tools or application execution tools that come with anti-virus suites and with Windows (AppLocker).
• CSC 3 – SCCM (for distribution)
Lansweeper: unlimited assets scanned at your interval, kept in a historical database, for $1995
23. CSC 3 – SECURE CONFIGURATIONS
• Establish and ensure the use of standard secure configurations of your operating systems.
• Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system.
• Hardening typically includes: removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, configuring non-executable stacks and heaps, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and use of host-based firewalls.
• These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.
24. DO YOUR RESEARCH!
A simple Google search returns many articles on hardening Windows
25. HARDENING EXAMPLES
• Uninstall Adobe Reader
• Remove Java, or set your browser settings to “Click To Play Plugins”
• Remove unnecessary services - http://www.blackviper.com/windows-services/
• EMET - http://support.microsoft.com/kb/2458544
http://www.insanitybit.com/2013/03/27/windows-hardening-guide/
26. CSC 12 – CONTROLLED USE OF ADMIN
• In Active Directory, restrict the membership of
• Enterprise Admins
• Schema Admins
• These are the two most powerful security groups in AD
• Do NOT allow your admins to have accounts idling in these groups – they can add & remove as needed
27. CSC 12 – CONTROLLED USE OF ADMIN
• Look at the membership of Domain Admins and Domain Workstation Admins
• Create separate accounts for admins, a regular user and an admin account
• Don’t name the admin account admin<USERNAME>
• Make it distinct but not obvious
• Enforce 2nd factor on admin logins?
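An added example (not from the talk) of the CSC 12 checks on the two slides above: it lists the members of the privileged AD groups named there, flags standing membership in Enterprise Admins and Schema Admins, and flags admin accounts whose names follow the predictable "admin<USERNAME>" pattern. It assumes the RSAT ActiveDirectory module and a domain-joined host; "Domain Workstation Admins" is assumed to be a custom group and is skipped if absent.

```powershell
# Added example, not the speaker's code. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups called out on the slides; "Domain Workstation Admins" is assumed to be
# a custom group in your domain and is skipped if it does not exist.
$groups        = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Domain Workstation Admins'
$shouldBeEmpty = 'Enterprise Admins', 'Schema Admins'   # slides: keep these empty between uses

$report = foreach ($g in $groups) {
    try {
        # -Recursive expands nested groups; keep only user objects for Get-ADUser
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                   Where-Object objectClass -eq 'user'
    } catch {
        Write-Warning "Group '$g' not found or not readable: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.SamAccountName -Properties LastLogonDate, Enabled

        # Findings mirror the two slides: standing membership in a top-tier group,
        # and an admin account name that is trivially derived from the user name.
        $finding = ''
        if ($shouldBeEmpty -contains $g) {
            $finding = 'Standing member of a top-tier group'
        } elseif ($u.SamAccountName -match '^admin') {
            $finding = 'Predictable admin account name'
        }

        [pscustomobject]@{
            Group     = $g
            Account   = $u.SamAccountName
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate
            Finding   = $finding
        }
    }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize

# Per-group counts: the number to drive toward zero for Enterprise/Schema Admins
$report | Group-Object Group | ForEach-Object { '{0}: {1} member(s)' -f $_.Name, $_.Count }
```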
29. PREVENT BRUTE FORCING
• Winfail2ban (a Windows port of Fail2ban from *NIX)
• Scans log files like FTP logs or Event Viewer and bans IPs that make too many password failures
• http://winfail2ban.sourceforge.net/
• For webapps, don’t fail password attempts in a predictable way
• For example, most Web sites return an "HTTP 401 error" code with a password failure, although some web sites instead return an "HTTP 200 SUCCESS" code but direct the user to a page explaining the failed password attempt.
• Vary the behaviors to fool automation
• https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
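The Windows-side equivalent of what the slide describes Winfail2ban doing, as an added example that is neither the talk's code nor Winfail2ban itself: it counts failed logons (Security event 4625) per source address over the last hour and blocks sources above a threshold with a single Windows Firewall rule. The threshold, window and rule name are assumptions; it must run elevated on the host being protected.

```powershell
# Added example, not the speaker's code and not Winfail2ban. Run elevated.
$Threshold   = 10                          # assumed: failures per source per window
$WindowStart = (Get-Date).AddHours(-1)     # assumed: one-hour window
$RuleName    = 'Auto-block brute-force sources'   # assumed rule name

# Event 4625 = "An account failed to log on"
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $WindowStart } `
                       -ErrorAction SilentlyContinue

# The source address lives in EventData/Data[@Name='IpAddress'] of each event's XML
$sources = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
}

# Local-only failures show '-' or loopback; they are not remote brute-force sources
$offenders = $sources |
    Where-Object { $_ -and $_ -ne '-' -and $_ -ne '127.0.0.1' -and $_ -ne '::1' } |
    Group-Object |
    Where-Object Count -ge $Threshold

if (-not $offenders) {
    "No source exceeded $Threshold failed logons since $WindowStart"
    return
}

foreach ($o in $offenders) {
    '{0,-40} {1,5} failed logons' -f $o.Name, $o.Count
}

# Maintain one inbound block rule; its RemoteAddress list is replaced on each run,
# so an address drops off once it stops failing logons within the window.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $offenders.Name
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
                        -RemoteAddress $offenders.Name | Out-Null
}
```

Schedule it with Task Scheduler at an interval shorter than the window so the block list tracks current activity, and review the rule's address list before trusting it, since a NAT gateway or shared proxy can put legitimate users behind one offending address.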
30. EASY 2ND FACTOR
• Duo Security has an enterprise plan for $3/user/month
• Got a small team? Up to 10 users are free
• https://www.duosecurity.com/
• Google authenticator for web apps which use OAUTH tokenization
• Authy – http://www.authy.com
• Microsoft Phone Factor - http://azure.microsoft.com/en-us/services/multi-factor-authentication/
31. THREAT MODELING FOR INCIDENT RESPONSE
• Not just for web apps! Threat modeling can be used for incident response & planning
• 3 parts
1. Establish attack path
2. Table top exercise to identify controls
3. Create a security exercise that tests the controls along the path
• http://www.irongeek.com/i.php?page=videos/circlecitycon2014/117-how-to-create-an-attack-path-threat-model-wolfgang-goerlich
34. NETWORK FORENSICS
• Wireshark
• Open source multi-platform network protocol analyzer
• Hard to learn, easy to use
• Then after a while, easy to use once your use cases are established
• Time sink but it’s time well spent
• https://www.wireshark.org/
35. PASSWORD CRACKING
• Cain & Abel
• It can recover passwords by
• sniffing the network,
• cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks,
• recording VoIP conversations,
• decoding scrambled passwords,
• revealing password boxes,
• uncovering cached passwords and
• analyzing routing protocols.
• http://www.oxid.it/cain.html
• Wordlists: http://hashcrack.blogspot.com/p/wordlist-downloads_29.html
37. OFT OVERLOOKED
• Don’t underestimate the power of governance and policy
• They can not only help you manage your security workload, they can be used in legal defense
38. CHANGE MANAGEMENT
• Who approves your security changes?
• Is this documented and reviewed periodically?
• Who reviews your security changes for accuracy?
• Who follows up to verify the changes are still accurate?
• Document reasons for changes, approvals and mitigations
• ARE YOU SURE?
39. ESTABLISH A GOVERNANCE CALENDAR
• The calendar contains your regular cadence of review activity
• You can script reminders to the entities responsible for the review
• SharePoint
• Google scripts (Google calendar)
• Internal calendaring software X
• Work this activity into your existing processes so they get prioritized
• Time box those activities!
• Get SLAs/SLOs for teams on which you rely to perform these activities
40. SAMPLE GOVERNANCE CALENDAR
Calendar grid (Q1 to Q4, Jan to Dec) showing the year's review cadence. Activities placed on it: DR testing (once), recon (twice), backup testing (three times), AD review (three times), a mid-year audit, and an operations security / data center audit.
42. SOCIAL VECTORS
• This is the cheapest thing you can address which has the best ROI
• TALK TO YOUR USERS!
• Don’t lecture
• Don’t debate
• Give them usable information
• Ex: with the busiest shopping day of the year coming up, create a newsletter or workshop that shows how to buy a PC – and subtly include how to secure it
43. A WORD ON RECOVERY
• There is no “cheap” data recovery option or configuration
• Backups must be maintained, tested and verified
• Backups are a critical security strategy, but not focused on in the CSC or DSD
44. These are ideas, pick and choose and twist and tinker and make it work for you
45. TOOLS & REFERENCES LIST
• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site
• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation
• http://sectools.org/ - List of pay and free network tools
• http://www.poshsec.com/ - Powershell scripts that support the 20 CSC
• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35
• http://www.counciloncybersecurity.com – Council on Cybersecurity
• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling
• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’s op-ed on the Target breach and some of the false pretense
46. THANK YOU
• GrrCon staff, especially EggDropX and P1nkN1ghtmare for making it happen
• #misec for being an awesome community
• You, for listening and turning your attention to the basics
47. CONTACT INFO
• Twitter: @JoelConverses
• Email: jscardella@pobox.com
• IRC: FreeNODE #misec (joel_s_c)
• Info about misec: www.michsec.org