Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Sean Whalen
Respond proactively to threats like a defense contractor. It’s more realistic than you might think!
A practical guide of how to build intelligence-driven cyber defenses using open source software, based on real implementations of best practices, adapted from the Lockheed Martin Cyber Kill Chain model.
Lofty Ideals: The Nature of Clouds and EncryptionSean Whalen
An overview of the legal, privacy, and security issues surrounding modern cloud services and cryptography
Created as an alumnus talk for the Computer & Network Support Technology Fairfield Career Center senior class of 2016.
Jim Wojno: Incident Response - No Pain, No Gain!centralohioissa
Say incident response to 10 people and odds are you'll get 10 different opinions on how to do it right. When evaluating tools and procedures for enterprise Incident Response it's helpful to understand how to approach this in a way that will cause the adversary maximum pain. This talk will review the essential requirements for IR tools and procedures in a vendor / tool neutral approach. Find out the right questions to ask and the strategies to make sure you get the most out of your incident response team.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Ed McCabe - Putting the Intelligence back in Threat Intelligencecentralohioissa
What is Threat Intelligence? It's more than raw source feeds and technical information.
If you ask most vendors, they talk about their lists of "bad" IP addresses and domain names, which don't enable the business to make informed decisions on assessing risk and taking action; it lacks -- well, intelligence.
We'll cover what Threat Intelligence is, why analysis is an important factor and methods available to analyze raw data.
Marcel van der Heijden - SpeedInvest & Aircloak - EU GDPR & Data Privacy Comp...Burton Lee
Talk by Marcel van der Heijden, SpeedInvest & Aircloak (Silicon Valley | AT | DE), at Stanford on Feb 26 2018, in our session: 'New EU Data Privacy Rules : Lessons & Risks for Silicon Valley Corporations & Startups || GDPR'.
Website: http://www.StanfordEuropreneurs.org
YouTube Channel: https://www.youtube.com/user/StanfordEuropreneurs
Twitter: @Europreneurs
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Sean Whalen
Respond proactively to threats like a defense contractor. It’s more realistic than you might think!
A practical guide of how to build intelligence-driven cyber defenses using open source software, based on real implementations of best practices, adapted from the Lockheed Martin Cyber Kill Chain model.
Lofty Ideals: The Nature of Clouds and EncryptionSean Whalen
An overview of the legal, privacy, and security issues surrounding modern cloud services and cryptography
Created as an alumnus talk for the Computer & Network Support Technology Fairfield Career Center senior class of 2016.
Jim Wojno: Incident Response - No Pain, No Gain!centralohioissa
Say incident response to 10 people and odds are you'll get 10 different opinions on how to do it right. When evaluating tools and procedures for enterprise Incident Response it's helpful to understand how to approach this in a way that will cause the adversary maximum pain. This talk will review the essential requirements for IR tools and procedures in a vendor / tool neutral approach. Find out the right questions to ask and the strategies to make sure you get the most out of your incident response team.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Ed McCabe - Putting the Intelligence back in Threat Intelligencecentralohioissa
What is Threat Intelligence? It's more than raw source feeds and technical information.
If you ask most vendors, they talk about their lists of "bad" IP addresses and domain names, which don't enable the business to make informed decisions on assessing risk and taking action; it lacks -- well, intelligence.
We'll cover what Threat Intelligence is, why analysis is an important factor and methods available to analyze raw data.
Marcel van der Heijden - SpeedInvest & Aircloak - EU GDPR & Data Privacy Comp...Burton Lee
Talk by Marcel van der Heijden, SpeedInvest & Aircloak (Silicon Valley | AT | DE), at Stanford on Feb 26 2018, in our session: 'New EU Data Privacy Rules : Lessons & Risks for Silicon Valley Corporations & Startups || GDPR'.
Website: http://www.StanfordEuropreneurs.org
YouTube Channel: https://www.youtube.com/user/StanfordEuropreneurs
Twitter: @Europreneurs
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book which discusses the collision between the law and cyber science. In this section we also will address some governance issues that you need to know
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
In a world where convenience is key, consumers are adopting every new connected device that hits the shelves - and doing so with the assumption that due diligence security has been considered. But recent IoT attacks suggest otherwise.
As organizations migrate from a primarily offline to online business model, they are failing to consider IoT’s unique threats which traditional solutions are unable to secure. As a result, steps must be taken to ensure that the device, connections and infrastructure are hardened, especially software which runs IoT devices and is the source of ~90% of attacks.
This webinar is ideal for risk, technology, and security professionals that want to understand why a hacker would want to attack their “harmless” IoT device and what the stealth risk to their organization and consumers is.
Topics covered include:
- IoT security – why it’s so different….and tough
- The IoT ecosystem and attack surface
- Managing liability - IoT risks to consumers and vendors
- Auditing IoT software development
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Cybersecurity 2014: The Impact of Policies and Regulations on Companies by Andrea Almeida from the First Semi-Annual Cyber Security Conference in Plano, Texas held September 26-27, 2014.
Chris Haley - Understanding Attackers' Use of Covert Communicationscentralohioissa
Today’s cyber attackers survive by hiding their attack communications from the prying eyes of network security. It’s a critical part of an attacker’s arsenal and it lets them patiently manage and propagate attacks throughout network, while remaining undetected.
• The latest techniques attackers use to hide their traffic in plain sight
• Why simple techniques like signatures and reputations of domains or IPs come up short in finding these evolving forms of communication
• Why this isn’t really just a malware problem
• What techniques can be used to systematically identity these forms of communication and to treat them as a strong indicator of compromise
Hijacking a Pizza Delivery Robot (using SQL injection)Priyanka Aash
Welcome to the lighter side of the software security world! We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh). This talk is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.
An Introduction To IT Security And Privacy In LibrariesBlake Carver
An hour long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an ip address. IOT Internet of things, browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries. Librarians and anyone else in a library
La realización de un Test de Intrusión Físico tiene como finalidad conseguir acceso físico a una determinada ubicación, y no es una tarea sencilla. Requiere preparación, investigación, análisis, coordinación, mucha simulación y la aplicación de una metodología flexible que pueda adaptarse a las condiciones particulares de cada objetivo.
Analizar el entorno, evadir todo tipo de sistemas de seguridad física y colaborar en equipo (Red Team), son aspectos fundamentales para lograr la intrusión, y con ello posteriormente, el acceso a equipos, red y un sinfín de datos en las instalaciones del objetivo.Si quieres saber qué es un Red Team y profundizar en la realización de intrusiones físicas, esta es tu charla.
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
The Internet of Things: We've Got to ChatDuo Security
BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014
Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly
An Introduction To IT Security And Privacy for Librarians and LibrariesBlake Carver
An hour long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an ip address. IOT Internet of things, browsers, portable devices and more.
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book which discusses the collision between the law and cyber science. In this section we also will address some governance issues that you need to know
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
In a world where convenience is key, consumers are adopting every new connected device that hits the shelves - and doing so with the assumption that due diligence security has been considered. But recent IoT attacks suggest otherwise.
As organizations migrate from a primarily offline to online business model, they are failing to consider IoT’s unique threats which traditional solutions are unable to secure. As a result, steps must be taken to ensure that the device, connections and infrastructure are hardened, especially software which runs IoT devices and is the source of ~90% of attacks.
This webinar is ideal for risk, technology, and security professionals that want to understand why a hacker would want to attack their “harmless” IoT device and what the stealth risk to their organization and consumers is.
Topics covered include:
- IoT security – why it’s so different….and tough
- The IoT ecosystem and attack surface
- Managing liability - IoT risks to consumers and vendors
- Auditing IoT software development
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
Cybersecurity 2014: The Impact of Policies and Regulations on Companies by Andrea Almeida from the First Semi-Annual Cyber Security Conference in Plano, Texas held September 26-27, 2014.
Chris Haley - Understanding Attackers' Use of Covert Communicationscentralohioissa
Today’s cyber attackers survive by hiding their attack communications from the prying eyes of network security. It’s a critical part of an attacker’s arsenal and it lets them patiently manage and propagate attacks throughout network, while remaining undetected.
• The latest techniques attackers use to hide their traffic in plain sight
• Why simple techniques like signatures and reputations of domains or IPs come up short in finding these evolving forms of communication
• Why this isn’t really just a malware problem
• What techniques can be used to systematically identity these forms of communication and to treat them as a strong indicator of compromise
Hijacking a Pizza Delivery Robot (using SQL injection)Priyanka Aash
Welcome to the lighter side of the software security world! We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh). This talk is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.
An Introduction To IT Security And Privacy In LibrariesBlake Carver
An hour long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an ip address. IOT Internet of things, browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries. Librarians and anyone else in a library
La realización de un Test de Intrusión Físico tiene como finalidad conseguir acceso físico a una determinada ubicación, y no es una tarea sencilla. Requiere preparación, investigación, análisis, coordinación, mucha simulación y la aplicación de una metodología flexible que pueda adaptarse a las condiciones particulares de cada objetivo.
Analizar el entorno, evadir todo tipo de sistemas de seguridad física y colaborar en equipo (Red Team), son aspectos fundamentales para lograr la intrusión, y con ello posteriormente, el acceso a equipos, red y un sinfín de datos en las instalaciones del objetivo.Si quieres saber qué es un Red Team y profundizar en la realización de intrusiones físicas, esta es tu charla.
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
The Internet of Things: We've Got to ChatDuo Security
BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014
Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly
An Introduction To IT Security And Privacy for Librarians and LibrariesBlake Carver
An hour long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an ip address. IOT Internet of things, browsers, portable devices and more.
Top 20 certified ethical hacker interview questions and answerShivamSharma909
The technique of discovering vulnerabilities in a software, website, or agency’s structure that a hacker might exploit is known as ethical hacking. They employ this method to avoid cyberattacks and security breaches by legitimately hacking into systems and looking for flaws. CEH was designed to include a hands-on environment and a logical procedure across each ethical hacking area and technique. This is to provide you the opportunity to work towards proving the knowledge and skills to earn the CEH certificate and perform the tasks of an ethical hacker.
Read more: https://www.infosectrain.com/blog/top-20-certified-ethical-hacker-interview-questions-and-answer/
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.
Security engineering 101 when good design & security work togetherWendy Knox Everette
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Keynote on why you should make Infosec a board level strategic item, how you should raise it to this level and how to approach Information Security strategically
A penetration test is often a key requirement for compliance with key regulations. But while many organizations know they need penetration testing, it can be hard to know how to fit them in to a larger security program, or even how to get started. Our whitepaper, "What is Penetration Testing? An Introduction for IT Managers," is a clear and succinct introduction to the core principles and best practices of penetration testing.
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKelly Robertson
Have you ever wondered why our web apps, and mobile web apps in particular, are hard to secure?
Be sure to read the speakers notes in this presentation
In this lengthy presentation, you will observe where researchers and hackers corrupt the developer's intentions...then, you will look at the Good, the Bad and the Ugly of Secure Software Development, WAF considerations, and Mobile Device Management...
Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.
Security Training: Making your weakest link the strongest - CircleCityCon 2017Aaron Hnatiw
It is well known among security professionals that the weakest link in any organization's security is the employee- the so-called "human element". While endpoint security controls may mitigate this risk, they are nowhere close to removing it completely. This is where security training becomes essential. This talk will cover how to introduce and improve security training in any organization, along with industry best practices, and methods to keep knowledge retention high. The speaker will provide specific examples from his own experience of cases where a properly trained employee could have easily thwarted a devastating attack immediately. Will your employees be your weakest link, or your strongest asset?
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
Talking about Application Security with Dev, QA and Ops. This presentation is based on my own personal experience with developers, deployments and the implementations of such systems. #nightmares
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 6
Intro to INFOSEC
1. Intro to INFOSEC
Sean Whalen
sean@seanpwhalen.com
https://seanpwhalen.com
@SeanTheGeek
2. To view this slide deck with links
https://j.mp/infosecintro
3. Disclaimer
The views and opinions expressed
here are my own, and may not
represent those of my past,
current, and post-apocalyptic
employers.
4. Who is this guy
• I’m an Information Security Engineer
• Specializations: Intelligence, malware analysis, and network defense
• Human log parser
• Fairfield CC/Reynoldsburg HS ’09 – Ohio Dominican University ‘13
• Work(ed) for
• DISA/DoD (Columbus, OH)
• CBTS/GE Aviation (Cincinnati, OH)
• Cardinal Health (Dublin, OH)
5. Topics
• What INFOSEC is and isn’t
• The importance of INFOSEC at it relates to business
• How attacks work, and how they can be prevented
• The challenge and fun of security
• The state of the industry and job market
• The benefits and limits of a college education
• Thoughts on career
6. What is INFOSEC
Information Security (INFOSEC) is the
practice of applying reasonable controls that
mitigate threats to the integrity,
confidentiality, and availability of
information.
It includes layers of non-technical controls,
such as policies, training, and locks.
The goal is to make attacks impractical,
while respecting business needs.
The tricky part is finding balance.
Wikipedia/John Manuel
11. How encryption is used
• To protect data at rest (e.g. on a portable hard drive)
• To protect data in transit (e.g. login submission)
• A system that uses encrypted data must be able to decrypt it
• A vulnerable application can leak keys and/or plaintext data
12. Windows is inherently insecure.
Macs don’t get viruses.
Of course it’s secure, it’s open source!
13. Operating system
security
Any operating system can and should be
hardened: Installing patches, disabling
unused features, limiting users, etc.
Malware can be written for any OS.
The security of an OS is largely dependent
on the vigilance of its admin, and the
trustworthiness of its users.
Windows security has steadily improved
since XP SP2.
Apple still adjusting to being a larger target
as its market share grows.
Decades-old flaws have been discovered in
extremely common open source software.
16. It’s easy to hide on the internet.
Catch me if you can!TOR andVPNs FTW!
17. OPSEC
Operational Security –Securing the details of
what people do.
Only sharing
• Who?
• What?
• When?
• Why?
• How?
On a “need-to-know” basis
Changing behavior, passwords, and keys
Securing communications
It goes against human nature. People like to
brag/help.
18. Meet Ross Ulbricht
Convicted of charges related to operating
the “hidden” online illegal drug marketplace,
Silk Road.
While an IRS Special Agent was looking for
directions on how to access the hidden site,
he found early forum posts from a user
named altoid, promoting the site on the
normal internet.
Looking at the altoid’s earlier posts, he
found the user posted his email as
rossulbricht@gmail.com.
He was sentenced to life in prison without
the possibility of parole, as required by the
“Super Kingpin” section of the CCE statute.
His lawyers are appealing.
The incredibly simple story of how the gov’t Googled Ross Ulbricht
20. Industrial Espionage
It’s real.
A group of PLA officers/employees were
indicted by grand jury in the US.
Evidence shows that they were actively
engaged in industrial espionage, something
China denies.
Although it is extremely unlikely that the
group will be extradited, such attribution
shows that even state actors can be sloppy
with OPSEC, and the state can be called out
on its actions, if desired.
An attacker’s sloppy OPSEC can be used for
defense, even if the attackers cannot be
directly identified and/or arrested.
United States of America v.Wang Dong, et al. (Crim. No. 14-118 W.D.Pa.)
21. The Cyber Kill Chain
A concept for modeling attacks, developed
by Lockheed Martin.
Allows defenders to build intelligence from
both failed and successful attacks.
By building intelligence-driven defenses for
each stage of an attack, you are more likely
to catch future attacks.
Force the attacker to change tactics across
all attack stages, providing more intel.
The more they try, the more you learn.
Can be used to group attacks/attackers.
Intel can be shared among groups for herd
immunity. Intelligence-Driven Computer Network Defense
Informed by Analysis of Adversary Campaigns and
Intrusion KillChains
22. Sharing is hard
What do you collect?
What do you share?
Can you share it?
How do you share it?
Who do you share it with?
Who can you trust?
What can you do with shared information?
Declassified SASC Inquiry Into Cyber
Intrusions ofTRANSCOM Contractors
23. Standards
IT INFOSEC is still a very new field.
Organizations want to be secure.
Most are trying to figure out how to do that.
How do we hire? What tools do we need?
There are many “standards” for sharing
security information –none are compatible
with each other.
xkcd
25. Motivation matters!
• More than anything, good employers look for these things in a candidate:
• Basic understanding of the concepts
• Ability to communicate and work with peers and management
• Willingness/eagerness to learn
• Passion for the work you do
• Don’t chase a job just for the big bucks
• Find your niche in CS/engineering/networking/programing
• Do what you enjoy doing, you’ll be great at it, and the big bucks will follow
• It’s pretty easy to change roles in an IT career; stick around for a couple
years at least and build reputation unless you absolutely hate it
26. Tips for career building
• Create a GitHub account, create little projects for things that interest you
• Doesn’t have to be anything fancy
• Could be something to make your life/school a little easer
• Could be something fun and wacky, so long as it’s SFW
• Shows employers that you know how to code be creative
• Buy your own domain after your name (they’re cheap)
• Create a simple, one-page web version of your resume
• Add a professional photo, and links to projects
• Maybe add a journal blog to track what you are learning
• Showcase all of these things on your paper resume to show employers you
are motivated!
27. INFOSEC job market
• Columbus is (IMO), the best job market for IT in Ohio, and among the
top in the country
• INFOSEC specialists are in demand at mid-to-large size businesses
• However, most businesses require some experience before they will
hire someone for INFOSEC, even at entry level
• It’s common for someone to start as a sysadmin or developer, and
gain INFOSEC-related experience as they work
• Security+ could give your resume a little boost
29. Common INFOSEC roles
• Incident Responder – Responds to alerts generated by security tools
• Information Assurance Manager (IAM) – DoD role that checks
systems to ensure compliance with policy
• Vulnerability Manager – Responsible for running vulnerability scans
on systems and applications
• Risk manager – Helps to define IT policy, and ensure compliance with
that policy
30. Specialized roles
• These roles are usually only found within large organizations, or
security firms:
• Intelligence Analyst – Responsible for collecting, managing, and
sharing threat intel
• Reverse Engineer – Responsible for reverse engineering malware,
and determining Indicators of compromise
• Pentester – Responsible for conducting penetration tests against the
organization
31. News sources
• Please don’t get your INFOSEC news from gadget blogs.They have
no idea what they are talking about.
• Come Good sources
• ArsTechnica
• Krebs on Security
• https://twitter.com/SeanTheGeek/lists/infosec
• /r/netsec (great aggregation!)
• The Full Disclosure mailing list
32. Education
• Most employers require a bachelors degree
• Your degree can be general CS, but there is one NSA certified program in
Ohio
• UC’s cybersecurity program (Dr. Franco)
• To make the most out of your college education, start looking at
internships. Ask questions in class. Make tuition worth it.
• Find topics that interest you, and start learning.There are lots of
great free, online resources.
33. Learning resources
• How to be an INFOSEC Geek
• Iron Geek –Videos of almost every conference talk, podcasts, and
more!
• Reverse engineering – Practical Malware Analysis
• Pentesting – HackYourself First
• Web app security – OWASP –Web Security Dojo
• Attack detection – Security Onion
• Automate the Boring Stuff with Python – Awesome, free online book
• The InfoSec Speakeasy –Tutorials and news
42. Security tips
• Always install up-to-date patches for your OS, browsers, browser plugins, and office suites
• If you useWindows
• Upgrade toWindows 10 (its free), and be sure to configure the privacy settings to your liking
• You should turn off Wi-Fi Sense
• Install Microsoft EMET
• Avoid free third partyAV like Avast and AVG.Windows 10 comes with free AV that is quite good, assuming
you follow safe computing habits like these
• Remember: Malware is increasing for Mac, Linux, and, mobile devices too
• Don’t download or install freeware, shareware, pirated software, cracks, keygens, or warez
• Use separate passwords for key accounts (e.g. OS,Wi-Fi. Email, banking, social media)
• Limit third party app access to your accounts
• Never loan or borrow devices, storage media, or credentials
I used to say “Hollywood-style *never* happens!”…and then it happened, to hollywood! Screenshot of ransom note left on SONY Picture’s PCs by North Korean hackers.
You might me thinking of a nice new work at home job right now, but…
Here we have the creatively named “Stealer” program used by the “Ajax Security Team” in Iran. They are my favorite APT group to talk about because there’s
so much public documentation on them. Not because FireEye is so awesome, but because their OPSEC was so poor as they transitioned from hacktivisim to
espionage.
I did some digging on VirusTotal, and found a sample of their Stealer bundled with a copy of UltraSurf, a legit tool to circumvent internet censorship.
This suggests that their espionage targets included Iranian dissidents, thus aligning themselves with an Iranian government agenda.
The main part of the program is an unobfiscated .NET PE, so you can decompile it to source code in a few clicks with ILSpy. Winning!
Reverse engineering is rarely this easy.
You can see they set static variables for a passphrase and salt; bad practices right off the bat…
They also run a DLL, whose sole purpose in life is to ship out files Stealer makes via FTP.
Then they proceed to completely ignore the variables they created in AES crypto calls, which are copypastad over and over...and they misspelled proxy.
The combination of FTP and symmetric encryption left the attackers open to being pwned.
Yet, once you start digging through the rest of the code beyond the main class, you’ll find it is well-written. There’s even code to send and receive files via various protocols, including FTP and HTTP (which would be most successful), and stubs for SFTP and SMTP. That makes AppTransferWiz.dll completely unnecessary. The stark contrast in quality suggests that Ajax team appropriated most of this code from someone else, which isn’t surprising given their start as hacktivists.
It’s easy to laugh about this, until you see they were targeting the aerospace industry with well-designed phishing attacks during a time of heightened US-Iran tensions.
According to FireEye, there is evidence that they continued to use this malware for some time. This suggests that Stealer was successful at least some of the time.
If it ain’t broke, don’t fix it. Right
Stealer can steal credentials from common browsers and IM programs
This is from a much less sophisticated attacker from Nigeria who uses OWA creds to send scam emails, but this crude phishing still works in a lot of organizations
Many companies have ESL employees who might not spot bad grammar or spelling. Some employees may not be familiar with standard IT procedures. These people aren’t stupid, just under-informed.