The document describes how to conduct threat modeling using playing cards. It defines a threat as any circumstance or event with the potential to adversely impact an asset. It discusses guidelines for threat modeling, including considering the target audience, purpose and scope. It then provides an example of using playing cards to gamify the threat modeling process for a vulnerable web application. The steps involve identifying security objectives, surveying the application, decomposing it, identifying threats, documenting threats and rating threats. Various suits and ranks in a deck of cards represent different threats and risk levels.
Resistance Isn't Futile: A Practical Approach to Threat Modeling - Katie Nickels
There are hundreds (if not thousands) of adversary groups out there, and it’s understandable if defenders sometimes feel like resistance is futile. Good news: you don’t have to defend against all of them! Even better news: there’s a simple way you can prioritize what adversaries you focus on and how you defend against them–threat modeling. This presentation will present a simple, practical threat modeling approach that any analyst or defender can use to get started figuring out what threats matter to their organization.
The presentation will start by acknowledging the many approaches to threat modeling that others have created, and then discuss why there’s confusion around it. The presentation will then explain four simple steps and practical actions that anyone can take to get started with threat modeling: know your organization, know your adversaries, match those up, and take action. The audience will leave with an understanding of how threat modeling can help any team prioritize what threats they care about and use that to improve their organization’s defenses.
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources - OWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing, starting from what platform to choose, where to learn, good resources, hardware requirements, etc. I will also demo Mobexler, a Mobile Application Penetration Testing Platform, and how you can use it for pentesting of iOS as well as Android apps. This talk will be a mix of some demo and some knowledge.
Ed McCabe - Putting the Intelligence back in Threat Intelligence - centralohioissa
What is Threat Intelligence? It's more than raw source feeds and technical information.
If you ask most vendors, they talk about their lists of "bad" IP addresses and domain names, which don't enable the business to make informed decisions on assessing risk and taking action; it lacks -- well, intelligence.
We'll cover what Threat Intelligence is, why analysis is an important factor and methods available to analyze raw data.
Machine learning is a powerful tool with many well-suited applications for malware detection, classification, and risk quantification. Despite its reputation as a "black box" component to an enterprise security solution, designing a robust machine learning model for malware detection is an involved process: its success hinges on understanding the problem you're trying to solve, the underlying data you utilize, and most importantly, its limitations.
In this Malware Most Wanted session, we analyze working models and discuss the strengths, pitfalls, and high-level trade-offs of using machine learning for successful malware detection.
Vulnerability Prioritization and Prediction - Jonathan Cran
Delivered at Gartner SRM 2018 - Discusses original research from Kenna Security and the Cyentia Institute about which vulnerabilities are being targeted today, and what organizations can do to protect themselves. Presented with insight from Reid Shelton of CapitalOne.
Phil Grimes - Penetrating the Perimeter: Tales from the Battlefield - centralohioissa
Physical security controls have been found lacking in assessments against targets ranging from financial institutions to health care organizations, and from critical infrastructure to governments: city, state, and federal alike. While complex security programs address complex security problems, successful attacks often result from a cascade of minor security failures being leveraged in a damaging manner. In this session, walk in the shoes of an attacker as organizations are profiled, vulnerabilities cataloged, and attacks launched to gain unauthorized access to restricted areas and/or sensitive data. This 40-minute discussion will conclude with 10 minutes for Q&A on strategies to strengthen the existing physical security posture of an organization without overhauling all the guards, guns, and gates.
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps?
All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
451 and Cylance - The Roadmap To Better Endpoint Security - Adrian Sanabria
In recent years, endpoint security has evolved well beyond signature-based antivirus which proved unable to keep pace with the speed and volume of evolving threats. With the onslaught of new security technologies available, it can be difficult to determine where to begin. In this webinar, 451 Senior Analyst, Adrian Sanabria and Cylance Product Marketing Manager, Steve Salinas will discuss a proven approach to securing your endpoints.
Adrian and Steve will present the fundamental steps to securing endpoints:
• Step 1: A Better Malware Mousetrap
• Step 2: More Resilient Endpoints
• Step 3: Stopping Non-Malware Attacks
• Step 4: Full System Visibility with Endpoint Detection and Response
• Step 5: Dynamic Defense with User Behavior
• Step 6: Data Visibility
• Conclusion: Malware is Solved! What Now?
Endpoint security can be complex. Join us for this webinar to learn how applying a reasoned, results-based approach can help you take control of your endpoints and silence attackers.
Presentation Title: How to Get More from Your Security Investment: Protecting Keys and Certificates
Presentation Description:
Join us to learn about ...
- The foundation of online security
- Changes in the threatscape resulting in the misuse of keys and certificates
- How bad guys bypass your security controls
- Strategies that you can implement to address new threats
Speaker: Mark Sanders, Senior Sales Engineer
Speaker Bio:
With over 15 years of experience working with the Global 2000 in the network and security domains, Mark Sanders has extensive experience solving complex enterprise problems. Mark is a senior sales engineer that focuses on customer advocacy while providing domain and solution expertise.
Webinar: Ransomware Checklist – Are You Ready For Ransomware’s Next Wave? - Storage Switzerland
Believe it or not, it has been a year since WannaCry crippled organizations around the world, and since that time ransomware attacks have only accelerated. The ransomware "industry" is now a $5 billion market and is projected to grow to over $11 billion by 2019. Backup alone is not enough, ransomware is the new disaster, and it can impact any organization regardless of size or location. Are you ready for what is coming next? Attend our live webinar as experts from Storage Switzerland and Infrascale help you create a Ransomware Preparedness Checklist.
How to Rapidly Identify Assets at Risk to WannaCry Ransomware - Qualys
A major ransomware attack using a leaked NSA exploit known as “WannaCry” has hit more than 150 countries since May 12. More than 200,000 infections globally have been detected and the attack, which uses the WannaCry (WanaCrypt0r 2.0) ransomware, continues to spread.
WannaCry utilizes the ETERNALBLUE exploit targeting newly disclosed vulnerabilities (MS17-010). Once leaked, it took only 28 days for this exploit to be used in a full-scale cyber attack. Organizations that scan for vulnerabilities only monthly or less frequently can still be at risk.
During this webcast (https://www.brighttalk.com/webcast/11673/261293) Mark Butler, CISO at Qualys and Jimmy Graham, Director of Product Management for Qualys ThreatPROTECT and AssetView, show you how to:
• Patch and implement other mitigations for WannaCry
• Detect and get full visibility on impacted assets for prompt remediation
• Institute threat-prioritized remediation processes to mitigate current and future risks
Qualys ThreatPROTECT can detect and identify patches for the vulnerabilities being exploited by ETERNALBLUE and shield your organization’s business-critical data from attacks. Sign up for a free 30 day trial and get unlimited scans. https://qualys.com/wannacry-trial
With new vulnerabilities surfacing daily, businesses need a solid strategy and internal plans to deal with them. This vendor-neutral talk helps people discover the things they need to do to get their house in order before considering costly technology purchases.
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin - Splunk
Splunk for Security Workshop
Join our Splunk Security Experts and learn how to use Splunk Enterprise in a live, hands-on incident investigation session. We'll use Splunk to disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Designing an Incident Response Plan is difficult. On one hand, you have the extremely detailed "Best Practices" while on the other hand you have real world resource constraints.
This PPT aims at providing brief information about the malware, Ransomware. This PPT contains information about ransomware’s way of functioning, its prime targets and certain effective measures that need to be taken to alleviate the risks related to this perilous malware.
Do you find it difficult to manage cloud security in your organization? Here are seven tips that will help you effectively secure your cloud environments.
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity - centralohioissa
Corporate cybercrime is usually blamed on outsiders, but sometimes your employees can represent the biggest threat to your organization’s IT security. In this presentation, Kaspersky Lab’s Mark Villinski will provide practical advice for educating your employees about cybersecurity. Attend to learn:
• How to create efficient and effective security policies
• Overview and statistics of the current threat landscape
• The importance of keeping your employees updated about the latest threats and scams
• Security solutions that can help keep your systems updated and protected
SplunkLive! Amsterdam 2015 - Analytics based security breakout - Splunk
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk - BeyondTrust
In this presentation from their joint webinar, security experts and trainers at CQURE, Greg Tworek and Mike Jankowski-Lorek, help you put on your hacker cap to better identify dangerous vulnerabilities, strengthen your systems, and STOP the data breaches that litter the news sites today. They will also demonstrate how to exploit systems and how (from the hacker perspective) this can be proactively mitigated.
Catch the full on-demand webinar here:
https://www.beyondtrust.com/resources/webinar/hackers-playbook-think-like-cybercriminal-reduce-risk/?access_code=de936e36f25bb91acaae7593959af3c1
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015 - Andreas Sfakianakis
This is a presentation on Cyber Threat Intelligence state of the art and trends dating back to 2015! The conference was Secure South West 5 (SSW5) in Plymouth on 2nd April 2015. The content is a) introduction to CTI, b) Cyber Threat Management, and c) Threat Intelligence Platforms and other CTI toolset. Good old days :)
2022 Rea & Associates' Cybersecurity Conference - Rea & Associates
This presentation will give you insights into timely information about current cybersecurity threats faced by small and mid-sized businesses, incident response plans, and Cybersecurity Maturity Model Certification (CMMC) compliance protocols required for government contracts and what you need to do now to protect your business from a cyberattack.
Even in good times, insider threats are challenging to identify. Insiders have access. They know what normal behavior is expected. They know the network, the organization, and the culture. All making it easier for them to deceive and hide their tracks. With defensive systems weakened, the opportunity increases for employees with ill intent to gain and maintain enhanced access and privileges undetected.
Anomaly detection and other tools most often used to identify insider behavior have suddenly been rendered useless. Behavioral monitoring never worked well at finding needles in haystacks, but in a crisis like this, when everything looks like a needle, it falls over completely. No normal baseline exists. Everything is an anomaly.
In this webinar, Illusive Networks Field CTO Wade Lance and former City National Bank CISO Karl Mattson will explore how to successfully deal with insider threats during the current moment as workforces massively shift to remote environments. At a time when incident response teams are overrun with alerts, analytical tools are failing to keep up with changing activity patterns, and economies are dealing with unprecedented changes, better insider threat strategies are needed to more accurately identify and respond to potential risk. Join our webinar to hear more about what those insider threat strategies should look like and gain practical tips for implementing those tactics quickly.
Using SurfWatch Labs' Threat Intelligence to Understand Third-Party Risk - SurfWatch Labs
Data breaches and cyber-attacks are often tied to vendors, partners, or other external organizations. Threat intelligence can help to shed a light on an organization's third-party risks and help to provide guidance on how to mitigate that risk.
How to Detect Ransomware and What You Can Do About It - Splunk
Ransomware is no longer just a nuisance aimed at home users; it has become a serious threat to businesses and government institutions.
In our webinar you can find out more about what exactly ransomware is and how it works. We then show you all of this in a live demo using data from a Windows ransomware infection.
In detail, we show you:
- how to "hunt" ransomware IOCs with Splunk Enterprise
- how to uncover malicious endpoint behavior
- defense strategies
Learn the five steps all businesses must follow to protect themselves from costly data breaches. This will be the first of a monthly series of educational webinars for small business leaders. Knowing is the first step in protecting your business.
SplunkLive! Stockholm 2015 breakout - Analytics based security - Splunk
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together. Presented at SplunkLive! Stockholm, October 2015. For more information, please visit http://live.splunk.com/stockholm
Similar to [Hungary] I play Jack of Information Disclosure (20)
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx - Brad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines - Sanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1.Wireless Communication System_Wireless communication is a broad term that i... - JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
11. ENISA definition
Threat: Any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
18. Modeling Guidelines
By Norman Daoust
“The most important advice I can give is to always keep in mind the following three aspects of your modeling situation:
• Target Audience
• Purpose
• Scope”
24. Steps of Threat Modeling
1. Identify Security Objectives
2. Survey the Application
3. Decompose it
4. Identify Threats
5. Document the Threats
6. Rate the Threats
30. “Methodology”
“bring members of the development and test teams together to conduct an informed brainstorming session in front of a whiteboard.”
“You get a set of experienced experts in a room, give them a way to take notes and let them go. The quality of the brainstorm is bounded by the experience of the brainstormers and the amount of time spent.”
“the thought process that you are going to go through is: what are all the different types of attacks that could make sense for the threat agent to get to the assets.”
“Most security professionals can just think and know what bad outcomes there are.”
Common Weakness Enumeration: 1-1002
35. Suit
Rank
Threat
References:
- Secure Coding Practices
- Application Security Verification Standard
- AppSensor project
- Common Attack Pattern Enumeration and Classification
- Software Assurance Forum for Excellence in Code
This is my picture in big, or what is today called a selfie
for those who sit in the back and cannot see
Or who just came in after lunch without knowing what this is
It is true
If you google prophet you will find my picture
I will tell the truth in its raw beauty
But as with every good prophet:
If it does not work for you, do not blame me
It worked in my environment
Have you known it was supposed to end?
That at every conference you hear that security is broken for good?
No hope
I am here to say: there is hope
And I will give you the solution to all your problems
I will even make your marriage better
Your kids more happy
Your car consume less
And no: it is not magic
It is not even difficult
If you have no scar on your forehead
Or no wizard hat
Or the force is not strong within you
this talk is for you
If you are a security Voldemort, always saying not possible
Harry Potter will come and take you away
Before we start playing cards
Let us recap what threat modeling is
Why do you do it?
When do you do it?
And why in practice no one does it?
It is like unit testing
Iterative development
Paying taxes
This is where problems begin
When you search for clarification on the internet
You find this picture
Easy, isn’t it?
Hell no
If a crocodile is a threat
This is threat modeling
A good definition is this one
Any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
The picture for this is not so nice, but let me try
But let me describe it via a picture
This picture shows what a threat is
Let us take it piece by piece
A threat comes from someone or something
It impacts something: an asset
Something important
That has business value
Stealing your company’s snacks at the booth is no threat
Threat comes through an adverse effect
Like:
Unauthorized access
Destruction
Disclosure
Tampering
DoS
Trying again:
What is threat modeling?
Instead of describing it, I will show you what it is
When doing it, let’s do it correctly
As Norman Daoust says:
Keep in mind target audience, purpose, scope
I will go from the back, it is easier:
1. Scope: easy – my software
2. Purpose: I want to make it secure
Stop here: if your scope is something else
You will be taken away by Harry Potter:
No creating reports, paper towels, beer mat, paper planes, impressing your boss
It is for making stuff secure
3. Target Audience
Synonyms:
Spam filter
My mail is not working
I have a new laptop
If this is where your threat model goes to
Do not do it
More importantly: go stand in the corner, and think what you have done
It is your fault!
You started an epic battle
The battle between developers and security engineers
No, please don’t laugh, this is no joke, this is serious
There is a battle
I am allowed to say this, I have been on both sides
And obviously the mortal kombat side is much cooler
With threat modeling, security engineers are always unhappy
Documentation is not good, design is unclear, I have stomach ache, they make it wrong
Developers are unhappy:
It is long, it is irrelevant, we changed it since, I do not understand it
Look at that guy! He must have been forced. This must be the sign: please help, I have 2 days left to live
Yesterday I was still dressed as he-man
Probably no one understood his cry for help
Let us remember him by using him as an example
Think of your target audience:
Skilled developer
Knows the system
Understands plain and technical English
Wants to fix things:
yes, most developers are proud of their craftsmanship
They want to deliver good software if possible
Now we know what we are modeling for
Let’s do the example
Steps are:
Identify Security Objectives
Survey the Application
Decompose it
Identify Threats
Document the Threats
Rate the Threats
This is the example:
Simple webshop as you would imagine it
There is a website
Server
Products
E-mail newsletter
If there is anything else to a webshop:
Imagine it is there
Identify Security Objectives
Easy:
We have infrastructure
Customer data
Employee accounts
Company reputation
Remember our target audience:
Will Ken understand this?
Yes
Great, step 2
Survey the application and decompose it
Important part, because your developers never did this before
Literally, I had senior developers saying: Poo, this is how this works? Yes, I said poo
We usually create a data flow diagram
After you have an overview, look at the datastreams
What data travels where, where the trust boundary is, where you accept or send out data
Here rely on the developers
They know the system
More importantly, you too learn about the system
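The survey-and-decompose step above, worked through for the talk's webshop as an added example (not part of the original talk): it lists which data flows cross a trust boundary and whether the shop accepts or sends out data there. The element names, zones and flows are constructed assumptions.

```python
# Constructed model of the talk's webshop. Element names and zones are assumptions.
ZONES = {
    "customer_browser": "internet",
    "employee_browser": "office",
    "website": "dmz",
    "shop_server": "internal",
    "product_db": "internal",
    "customer_db": "internal",
    "newsletter_provider": "third_party",
}
OURS = {"dmz", "internal"}  # zones the development team controls

# (source, destination, data carried)
FLOWS = [
    ("customer_browser", "website", "logins and orders"),
    ("website", "shop_server", "shop requests"),
    ("shop_server", "product_db", "product queries"),
    ("shop_server", "customer_db", "customer records"),
    ("employee_browser", "shop_server", "admin actions"),
    ("shop_server", "newsletter_provider", "customer e-mail addresses"),
]


def trust_boundary_crossings(zones, flows, ours):
    """List flows whose endpoints sit in different zones, tagged by direction."""
    unknown = sorted({e for s, d, _ in flows for e in (s, d) if e not in zones})
    if unknown:
        raise ValueError(f"flows reference undeclared elements: {unknown}")
    crossings = []
    for src, dst, data in flows:
        z_src, z_dst = zones[src], zones[dst]
        if z_src == z_dst:
            continue  # stays inside one zone, no boundary to discuss
        if z_src not in ours and z_dst in ours:
            direction = "accept"        # data enters our system
        elif z_src in ours and z_dst not in ours:
            direction = "send out"      # data leaves our system
        elif z_src in ours:
            direction = "internal hop"  # boundary between two of our own zones
        else:
            direction = "external"      # both ends outside our control
        crossings.append({"flow": f"{src} -> {dst}", "zones": (z_src, z_dst),
                          "direction": direction, "data": data})
    return crossings


if __name__ == "__main__":
    for c in trust_boundary_crossings(ZONES, FLOWS, OURS):
        print(f'{c["direction"]:12} {c["flow"]:40} {c["data"]}')
```

The resulting list is the agenda for the next step: each crossing is a place to ask the developers what is validated, authenticated or encrypted there.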
Identify threats
There are a number of approaches here
I will call them classical and gamified
Open the stage for:
The Classical approach
Here I must say, it is disappointing
When I first had to do threat modeling, I did a lot of research
How do you do it?
What is the best method?
How do you find threats?
This is what I found
”bring members of the development and test teams together to conduct an informed brainstorming session in front of a whiteboard.”
I don’t know what an informed brainstorm is. And how does a whiteboard help in methodically finding threats?
”You get a set of experienced experts in a room, give them a way to take notes and let them go. The quality of the brainstorm is bounded by the experience of the brainstormers and the amount of time spent.”
Quality is bound by experience and time? Ok, but how much? No clue – well, there is
Something strange about the sentence: you have to let them go
Security engineers like this make me sad
”the thought process that you are going to go through is: what are all the different types of attacks that could make sense for the threat agent to get to the assets.”
Think of all attacks. Really: all? I don’t know whether you are familiar with the common weakness enumeration
It contains 1000 attacks; 1000 for each asset and threat agent combination – and that as a thought process
”Most security professionals can just think and know what bad outcomes there are.”
Next one says security engineers can simply do this. Just think – and you know. So next time this guy comes along, hire him as a security engineer – because he is the only one who can do everything by thinking.
Well, this is what you can find on methodology. No wonder that we have problems with making it right.
Document and rate threats
The classical approach does this together
In a report (this is taken from a voting system threat model)
Nice, right? – Let’s just look at it
Seriously, who thought this could work?
This is what you give your developer?
He will kill you.
No really, he will cause you intolerable pain and death
He will use those two fingers and cause agony
Look at this sentence: Voter ballot selections are accessed off election information systems by individuals with authorized access to these machines, resulting in loss of voter privacy. WHAT?
If this were a threat model for buildings: this is what you get
An attacker may get unauthorized access to a car
An attacker causes larger weight on overhead cable, causing a larger force on post
Best western guest might be insulted by the word straight
If this was how you did threat modeling
Forget it
No one reads it, everyone hates security engineering
The world will end
What does the gamified approach look like?
There are two card games available: OWASP Cornucopia, Microsoft Elevation of Privilege
Rules are almost identical
Cornucopia is currently more focused on web applications
Explain rules
Explain card:
Suit: authentication, data validation, session mgmt., cryptography, all the rest
Rank
Threat
Cross references:
Secure coding practices
Application Security Verification Standard
Common attack pattern enumeration
Explain how we play here
5. Document the threats
I usually have a developer document
Mainly because I do not know the name of the developers
You write down which card
Who said it
What the exact description is
Here you will have actionable items
Where developers know which functionality is affected and how
For Ken it is clear what is happening here
6. Rate the threats
Add them to your ticketing system
Because you can, they are immediate stories
Organize a meeting with developers
There you discuss what the vulnerability was
You can ask them about its functionality
Provide an estimation of the risk
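Steps 5 and 6 above as an added example (not part of the original talk): each card play is written down with the card, who said it and the exact description, then turned into ticket stories ordered by the risk estimate. The suit codes, the 1-3 likelihood and impact scale, the risk formula and the sample plays are assumptions made for this sketch.

```python
from dataclasses import dataclass

# Suits as named in the talk; the two-letter codes are this example's shorthand.
SUITS = {"AU": "Authentication", "DV": "Data validation", "SM": "Session management",
         "CR": "Cryptography", "XX": "All the rest"}
RANKS = [str(n) for n in range(2, 11)] + ["J", "Q", "K", "A"]


@dataclass
class Play:
    card: str            # "<suit code>-<rank>", e.g. "SM-7"
    said_by: str         # who played the card
    description: str     # the exact description agreed at the table
    likelihood: int = 0  # 1-3, set in the rating meeting (0 = not rated yet)
    impact: int = 0      # 1-3, set in the rating meeting (0 = not rated yet)


def parse_card(card):
    suit, _, rank = card.upper().partition("-")
    if suit not in SUITS or rank not in RANKS:
        raise ValueError(f"not a card in this deck: {card!r}")
    return suit, rank


def to_tickets(plays):
    """Turn documented card plays into ticket stories, highest risk first."""
    seen, tickets = set(), []
    for p in plays:
        suit, rank = parse_card(p.card)
        if not p.description.strip():
            raise ValueError(f"{p.card}: the exact description is missing")
        key = (suit, rank, p.description.strip().lower())
        if key in seen:
            continue  # same card and finding written down twice
        seen.add(key)
        risk = p.likelihood * p.impact  # assumed estimate; 0 means unrated
        tickets.append({"title": f"[{SUITS[suit]} {rank}] {p.description.strip()}",
                        "reporter": p.said_by, "risk": risk,
                        "status": "rated" if risk else "needs rating"})
    return sorted(tickets, key=lambda t: t["risk"], reverse=True)


# Constructed plays from an imagined session on the webshop.
PLAYS = [
    Play("SM-7", "Ken", "Checkout session stays valid after logout", 2, 3),
    Play("DV-4", "Ana", "Newsletter sign-up form accepts unvalidated e-mail input", 3, 1),
    Play("sm-7", "Ken", "checkout session stays valid after logout", 2, 3),
    Play("CR-Q", "Ana", "Customer records are stored unencrypted"),
]
```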
This talk showed you the difference between
Classical and gamified threat modeling
Let me recap what we learned today
Making pictures of a woman in a crocodile dress is not threat modeling
Classical security engineers have no real methodology for threat modeling
No time limit, no guarantees regarding quality
Your best chance to get results is by hiring X-men
Classically security engineers are weirdos, who are constantly fighting with development
They come up with irrelevant world problems, and are therefore not very effective in improving security
If your threat models only describe what not to do, they are as effective as a hammer
You can use it for everything, but eventually you are going to do more damage until you get a screw in
Gamified threat modeling brings us together
Includes all stakeholders
Raises awareness for both developers and security engineers
And will make a stormtrooper strip by the end
Gamified approaches make security actionable
Provides clear items obvious for developers to work on
With cards items might remain hidden
Developers might dive in too deep