This document summarizes Larissa Shapiro's presentation on internet systems consortium's (ISC) vulnerability disclosure processes. The presentation discusses ISC's current vulnerability disclosure policy version 1.1 and planned updates for version 1.2. It also covers ISC's use of test driven development and how it impacts vulnerability disclosure. Key points include that ISC uses a phased disclosure process to balance responsibility to critical infrastructure with allowing time for upgrades. Future plans include expanding pre-disclosure notification and integrating vulnerability testing back into code at a future time defined in policy version 2.0.
What's New In CompTIA Security+ - Course Technology Computing ConferenceCengage Learning
What's New In CompTIA Security+ - Course Technology Computing Conference
Presenter: Mark Ciampa, Western Kentucky University
The new CompTIA Security+ exam (SY0-401) is projected to be rolled out in the late spring of 2014. This exam will have several significant changes from the previous exam. These include an expanded emphasis on topics such as securing mobile devices, cloud computing, cryptography, and threats and vulnerabilities. In addition, CompTIA is continuing to use performance-based questions on Security+ exams, requiring test-takers to configure firewall access control lists, match ports with services, and analyze log files. What exactly will the new Security+ exam cover? How will the updated Cengage Security+ Guide to Network Security Fundamentals 5th Edition address these changes? And what are the best ways to help students be prepared for the new Security+ exam with its performance-based questions? This session will look at what's new in CompTIA Security+ and how we can teach security to our students.
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
While a lot of attention is devoted to the mitigation of previously unknown attack methods ("0 days"), many of today's high-profile breaches are caused by "Known Vulnerabilities" in the application's components, also referred to as "vulnerabilities in third-party components." Attackers are quickly moving to exploit applications built with vulnerable components and are inflicting serious data loss and/or hijacking entire servers in the process. The rising popularity of third-party components in application development enables attackers to quickly and repeatedly locate and exploit vulnerabilities in application components - making these attacks widespread and extremely hazardous. This presentation will: (1) explore the recent growth of "Known Vulnerabilities" and examine the scope of the problem (2) examine how attackers are able to quickly "weaponize" these vulnerabilities for immediate profit (3) reveal techniques for limiting the damage resulting from "Known Vulnerabilities" exploitation.
This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 10 of 10
This Webinar focuses on Advanced Persistent Threats and targeted cyber attacks:
• Advanced Persistent Threats – the shifting paradigm to targeted attacks
• Understanding Advanced Persistent threats
• Overview of popular types of APTs
• Impact of APTs on sensitive data as well as organisation reputation
• Characteristics and Attack sequence of APT attacks and the challenges in detecting APTs
• Assessing, Managing and Auditing APT Risks
• Data loss and Cyber intrusions
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Research
Abstract:
*********
A resilient architecture acts as a strong foundation for secure applications. Designing such an architecture can be challenging, if you’re not relying on security design principles to guide you. Nevertheless, many developers neglect those fundamentals.
Thomas will start by discussing the importance of security design principles and how to apply them in your own projects. He will follow up with a deep-dive into a selection of important principles. Understanding the nuances of those principles allows you to adapt them to your specific needs and decide, whether and where to apply them.
Speaker:
**********
Thomas Kerbl (Team Lead / Principal Security Consultant - SEC Consult)
Talk language: English
What's New In CompTIA Security+ - Course Technology Computing ConferenceCengage Learning
What's New In CompTIA Security+ - Course Technology Computing Conference
Presenter: Mark Ciampa, Western Kentucky University
The new CompTIA Security+ exam (SY0-401) is projected to be rolled out in the late spring of 2014. This exam will have several significant changes from the previous exam. These include an expanded emphasis on topics such as securing mobile devices, cloud computing, cryptography, and threats and vulnerabilities. In addition, CompTIA is continuing to use performance-based questions on Security+ exams, requiring test-takers to configure firewall access control lists, match ports with services, and analyze log files. What exactly will the new Security+ exam cover? How will the updated Cengage Security+ Guide to Network Security Fundamentals 5th Edition address these changes? And what are the best ways to help students be prepared for the new Security+ exam with its performance-based questions? This session will look at what's new in CompTIA Security+ and how we can teach security to our students.
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
While a lot of attention is devoted to the mitigation of previously unknown attack methods ("0 days"), many of today's high-profile breaches are caused by "Known Vulnerabilities" in the application's components, also referred to as "vulnerabilities in third-party components." Attackers are quickly moving to exploit applications built with vulnerable components and are inflicting serious data loss and/or hijacking entire servers in the process. The rising popularity of third-party components in application development enables attackers to quickly and repeatedly locate and exploit vulnerabilities in application components - making these attacks widespread and extremely hazardous. This presentation will: (1) explore the recent growth of "Known Vulnerabilities" and examine the scope of the problem (2) examine how attackers are able to quickly "weaponize" these vulnerabilities for immediate profit (3) reveal techniques for limiting the damage resulting from "Known Vulnerabilities" exploitation.
This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 10 of 10
This Webinar focuses on Advanced Persistent Threats and targeted cyber attacks:
• Advanced Persistent Threats – the shifting paradigm to targeted attacks
• Understanding Advanced Persistent threats
• Overview of popular types of APTs
• Impact of APTs on sensitive data as well as organisation reputation
• Characteristics and Attack sequence of APT attacks and the challenges in detecting APTs
• Assessing, Managing and Auditing APT Risks
• Data loss and Cyber intrusions
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Research
Abstract:
*********
A resilient architecture acts as a strong foundation for secure applications. Designing such an architecture can be challenging, if you’re not relying on security design principles to guide you. Nevertheless, many developers neglect those fundamentals.
Thomas will start by discussing the importance of security design principles and how to apply them in your own projects. He will follow up with a deep-dive into a selection of important principles. Understanding the nuances of those principles allows you to adapt them to your specific needs and decide, whether and where to apply them.
Speaker:
**********
Thomas Kerbl (Team Lead / Principal Security Consultant - SEC Consult)
Talk language: English
Ted Gruenloh, Director of Operations, ECONET
The Role of Threat Intelligence and Layered Security for Intrusion Prevention
The term 'Threat Intelligence' is getting a lot of buzz these days, but what does it mean? And, more importantly, how can it help protect your network? In this presentation, we will attempt to answer these questions within the context of a layered security approach that integrates Threat Intelligence with existing security methodologies. We also attempt to demonstrate how Threat Intelligence can improve a network's defenses at the perimeter and allow administrators to gain more visibility on the inside.
Data Breach Crisis Control – How to Communicate When You’re in the Hot SeatResilient Systems
As attacks on Sony and Target show, the impact of a breach can stretch for months. Knowing how to communicate to the various internal and external audiences is crucial to mitigating the trail of damage.
The webinar features Melanie Dougherty Thomas, a crisis expert with more than 20 years of experience in marketing and communications. Melanie is Managing Director of Inform – a top communications firm that serves Fortune 500s.
Melanie will outline strategies for:
·Incident investigation and assessment
·Public acknowledgement and media management
·Customer and social media responses
·Legal notifications and obligations
Our featured speakers for this webinar will be:
·Melanie Dougherty Thomas, Managing Director, Inform
·Ted Julian, CMO, Co3 Systems
This is a proof-of-concept about creating a creditable, publicly-available, freely-available, and openly-available ICS and SCADA event and incident database.
We are all aware of the current risks when developing a connected product, especially with vehicles since much is at stake both from an information and safety perspective. In this workshop, we will learn how to build Security requirements, architect, design, test and produce Safety and Security critical components using a methodology that works in harmony both with Engineering and Security
Boxing legend Joe Louis famously said, "Everyone has a plan... until they get hit." While grizzled incident response veterans can relate to this sentiment, they all know that thorough preparation is crucial to success. Response procedures that are so thoroughly ingrained that executing them is like muscle memory have a chance, even in the fog of battle.
Have you thoroughly prepared your organization to respond when the inevitable happens? How confident are you that it will work in a real-world situation? Proper incident response preparation is key to answering these questions and is frankly the foundation of any incident response capability.
This webinar will review critical components of IR preparation including:
- IR Underpinnings
- Flexible Frameworks
- Leadership Challenges
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Sean Mason, Global Incident Response Leader, CSC
DevOps Indonesia "How Security with DevOps can Deliver more secure software"
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - Remediation) by Mr. Faisal Yahya
Ted Gruenloh, Director of Operations, ECONET
The Role of Threat Intelligence and Layered Security for Intrusion Prevention
The term 'Threat Intelligence' is getting a lot of buzz these days, but what does it mean? And, more importantly, how can it help protect your network? In this presentation, we will attempt to answer these questions within the context of a layered security approach that integrates Threat Intelligence with existing security methodologies. We also attempt to demonstrate how Threat Intelligence can improve a network's defenses at the perimeter and allow administrators to gain more visibility on the inside.
Data Breach Crisis Control – How to Communicate When You’re in the Hot SeatResilient Systems
As attacks on Sony and Target show, the impact of a breach can stretch for months. Knowing how to communicate to the various internal and external audiences is crucial to mitigating the trail of damage.
The webinar features Melanie Dougherty Thomas, a crisis expert with more than 20 years of experience in marketing and communications. Melanie is Managing Director of Inform – a top communications firm that serves Fortune 500s.
Melanie will outline strategies for:
·Incident investigation and assessment
·Public acknowledgement and media management
·Customer and social media responses
·Legal notifications and obligations
Our featured speakers for this webinar will be:
·Melanie Dougherty Thomas, Managing Director, Inform
·Ted Julian, CMO, Co3 Systems
This is a proof-of-concept about creating a creditable, publicly-available, freely-available, and openly-available ICS and SCADA event and incident database.
We are all aware of the current risks when developing a connected product, especially with vehicles since much is at stake both from an information and safety perspective. In this workshop, we will learn how to build Security requirements, architect, design, test and produce Safety and Security critical components using a methodology that works in harmony both with Engineering and Security
Boxing legend Joe Louis famously said, "Everyone has a plan... until they get hit." While grizzled incident response veterans can relate to this sentiment, they all know that thorough preparation is crucial to success. Response procedures that are so thoroughly ingrained that executing them is like muscle memory have a chance, even in the fog of battle.
Have you thoroughly prepared your organization to respond when the inevitable happens? How confident are you that it will work in a real-world situation? Proper incident response preparation is key to answering these questions and is frankly the foundation of any incident response capability.
This webinar will review critical components of IR preparation including:
- IR Underpinnings
- Flexible Frameworks
- Leadership Challenges
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Sean Mason, Global Incident Response Leader, CSC
DevOps Indonesia "How Security with DevOps can Deliver more secure software"
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - Remediation) by Mr. Faisal Yahya
If you really want to understand what exactly Database Security is all about,this presentation is yours.
You will understand it just by having one look at the slides.
Presentation contains things which are really simple to understand.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
IBM Smarter Business 2012 - IBM Security: Threat landscapeIBM Sverige
IBM Security Systems presents the latest risks and trends from X-Force 2011 Full Year report, and how you can protect your infrastructure from these new evolving threats using Security Intelligence from Q1 Labs and IBM's recently announced Advanced Threat Protection Platform.
Talare: Mikael Andersson, Client Technical Professional, IBM
Besök http://smarterbusiness.se för mer information.
Security in the age of open source - Myths and misperceptionsTim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
It's a pivotal challenge to update the software in embedded systems due to many restrictions such as unreliable network and power supply, limited bandwidth, harsh environment, etc. This slide aims to provide the background knowledge and the open source tool to achieve the software update in embedded systems.
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Rob Alderfer, Moderator
Vice President Technology Policy, CableLabs
Gerald Faulhaber
Professor Emeritus, Business Economics & Public Policy, Wharton School
Chaz Lever
Lead Reseacher, Georgia Tech
Jason Livingood
Vice President, Technology Policy & Standards, Comcast
it's a presentation about Audit and security application. that was my internship subject in within Leoni Wiring System Tunisia. I hope you like it and get benefits from it. please leave any likes or comments if you need any things ! All the best !
SLTS kernel and base-layer development in the Civil Infrastructure PlatformYoshitake Kobayashi
The Civil Infrastructure Platform (CIP) is creating a super long-term supported (SLTS) open source "base layer" for industrial grade software. We have been working on security fixes and some backported features since the moment we decided that Linux kernel v4.4 would be the first SLTS version. In this talk, we will describe the current development status of the SLTS kernel and testing environment. First, we'll explain our kernel development policy. Then, we'll describe the functionality that has been backported. Second, we'll talk about testing before using our base-layer on real products. We have been developing a test framework to collect and share test results. To build it, we don't want to duplicate existing work such as KernelCI, Fuego and others. For that reason, we are trying to collaborate and contribute to such projects. And finally, we'll discuss the future roadmap.
As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Secure application deployment in the age of continuous deliveryTim Mackey
As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Why Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptxJamie Coleman
More and more organizations are creating a software bill of materials (SBOMs) to find out what is in their applications. With new legislation surrounding SBOMs surfacing, we are having to comply with regulations such as certifying that the open source parts of our applications are not full of vulnerabilities and following good programming practices. But what happens if we cannot verify the source of this code? Can we simply put it down as raw materials to bypass said certification?
In this session, I will talk about what companies are doing to circumnavigate these tricky waters and what types of applications are simply not able to use open source code. Then I will go over some best practices to make sure your applications are secure, robust and compliant to be delivered to your customers, with a great set of materials to keep your ship always floating.
IIoT Endpoint Security – The Model in Practiceteam-WIBU
What is your first line of defense against cyberattacks? Secure endpoints! Endpoints are everywhere in the IIoT landscape. Without proper security, Industrial Internet of Things (IIoT) systems are not trustworthy, putting organizations, their missions and the greater public at increased risk. The viability of the IIoT depends on proper implementation of security to counter the growing and ever changing threats that are emerging.
Addressing this challenge is critical to the success of the Industrial IoT, Industrie 4.0 and the Industrial Internet revolution. To that end, Industrial Internet Consortium members have developed a common security framework and an approach to assess cybersecurity in Industrial Internet of Things systems: The Industrial Internet Security Framework (IISF).
Watch the webinar: https://youtu.be/t0GC4Fp-NXQ
Similar to Can Security Vulnerability Disclosure Processes Be Responsible, Rational and Effective? from LISA 2011 (20)
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
The Art of the Pitch: WordPress Relationships and Sales
Can Security Vulnerability Disclosure Processes Be Responsible, Rational and Effective? from LISA 2011
1. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
Can Security Vulnerability
Disclosure Processes Be
Responsible, Rational and
Effective?
Toward a Sane Open Source Security
Vulnerability Disclosure Process
Larissa Shapiro
December 8, 2011
LISA ’11, Boston, MA
Thursday, December 8, 11
2. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
About the Presenter
Larissa Shapiro
ISC Product Manager
larissas@isc.org
@larissashapiro
Thursday, December 8, 11
3. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
Agenda
•Vulnerability Disclosure Terminology
–History and Context
•ISC’s Current Vulnerability Disclosure Policy
–version 1.1
•New updates for version 1.2
•ISC’s use of Test Driven Development
(TDD) and the impact on Vulnerability
Disclosure
•Q&A
3
Thursday, December 8, 11
4. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
ISC in a Nutshell
Forum Professional Services Public Benefit Services
Empowerment
• Consulting
• Training
• Software Support Services
• Custom Software Development
• F-Root Corporate Node
• DNS SNS-Com
• Full version of Domain Survey
• DNS F-Root
• DNS Secondary Server Resiliency
(SNS-PB)
• Hosted@ - hosting a range of
open source projects
• Free Domain Survey Report
• Participation in IETF, RIPE WG,
ICANN, ARIN, ISOC, UKNOF, etc
• BIND
• BIND 10 Working Group
• DHCP
• AFTR / PCP
• SRF
• Open Source Routing
• Standards Driver - early implementations of standards based code.
• Policy Meetings - Empowering Spheres of Influence
• Operational Security - Pioneering new approaches to safe guard the Internet (OPSEC-Trust)
• Operational Meetings - (APRICOT, AFNOG, NANOG, LISA, etc)
• Research (DNS OARC)
... and more to come.
Thursday, December 8, 11
5. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
Vulnerability Disclosure Terminology
Thursday, December 8, 11
6. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/6
Three Major Vulnerability Management Phases
•There are three main phases to
vulnerability management.
–Phase 1 – Vulnerability Reporting,
Acknowledgment, Validation, and Replication
–Phase 2 – Vulnerability Resolution with
workarounds, patches, and fixes
–Phase 3 – Responsible Disclosure and call to
action
Thursday, December 8, 11
7. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/7
Types of Vulnerability Disclosure
•Full Disclosure
•Responsible Disclosure
•Public Disclosure
•Entitled Disclosure
•Critical Notification Plan (CNP)
•Partner Notification Plan (PNP)
•Phased Disclosure
Thursday, December 8, 11
8. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/8
Full Disclosure
•(Wikipedia) In computer security, full
disclosure means to disclose all the
details of a security problem which are
known. It is a philosophy of security
management completely opposed to the
idea of security through obscurity.
•Usually means that all information about
the vulnerability is made immediately
public.
Thursday, December 8, 11
9. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/9
Responsible Disclosure
• (Wikipedia) Some believe that in the absence
of any public exploits for the problem, full and
public disclosure should be preceded by
disclosure of the vulnerability to the vendors
or authors of the system. This private advance
disclosure allows the vendor time to produce a
fix or workaround.
• Some vendors may choose to maintain a
responsible disclosure stance in perpetuity.
Exploit details are withheld from the
customers as corporate confidential.
Thursday, December 8, 11
10. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/10
Public Disclosure
• Everyone on the Net has access to the details
of the vulnerability and/or the Security
Bulletin providing information about the
vulnerability. This includes all customers of
the vendor and all miscreants with an intent
to do harm to those customers.
• Used by many vendors who have a broad
customer base who may not be support
customers.
Thursday, December 8, 11
11. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/11
Entitled Disclosure
• Security Bulletin only accessible it customers
and partners of the vendor with a legal
agreement.
• Variants of Responsible Disclosure:
–Limit access to customer & partners
–No broadcasting to the public, news, or security
aliases.
–No deniability – if asked, provide interested parties
with the link to the Security Bulletin and the Title –
but requires username/password for further details.
Thursday, December 8, 11
12. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/12
Critical Notification Plan (CNP)
•Where the undisclosed vulnerability poses
a critical threat to critical infrastructure.
•For past dialog, please see
– ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/Paris-
Sept-04/SE13-PSIRT-IOS-RELEASE-OPERATIONS-SECURITY-and-SP-
OPERATIONS-v.1.pdf
•Ongoing problems with CNP:
–What is critical infrastructure?
–Who gets notified?
–What are the metrics used for “critical” – where
everyone believes their mission is “critical?”
Thursday, December 8, 11
13. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/13
Partner Notification Plan (PNP)
• PNP is a system to notify and prepare a vendor’s
channel partners before the announcement or
publication of a vulnerability.
• Required if the vendor’s ecosystem is prepared to
support their customers.
• Contracts and NDAs are required to provide some
check and consequence if the disclosure process is
broken.
• Microsoft’s Coordinated Vulnerability Disclosure
(CVD) & Microsoft Active Protections Program
(MAPP) are examples of PNP
Thursday, December 8, 11
14. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/14
Phased Disclosure
• Phased disclosure is a evolution of the
responsible disclosure process – merging
factors of the vulnerability's risk along with the
operational requirements of core infrastructure.
• At times, the operational risk of rushed –
unplanned upgrades is greater than the risk of a
vulnerability moving to active exploit status.
• Disclosure is conducted in phases – notifying
increasingly larger number of organizations –
until the final phase of general public disclosure.
Thursday, December 8, 11
15. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
ISC’s Security Vulnerability
Disclosure Policy
Thursday, December 8, 11
16. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/16
ISC’s Security Vulnerability Disclosure Policy
•ISC has migrated away from a “entitled
disclosure” process to a phased disclosure
process.
•The phased disclosure process mixes
ISC’s responsibility to critical Internet
infrastructure, our customers, our
operating system partners, our
Forum subscribers, our “ISC Inside”
partners, and our large deployment of
software running on networks throughout
the world.
Thursday, December 8, 11
17. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/17
Our Objectives
• The objective of ISC’s phased disclosure is to
provide the opportunity to upgrade within a
reasonable maintenance window to minimize
rushed action and operational anxiety.
–We balance the risk of rushed upgrades beside the
risk of the vulnerability.
• As an open source organization, we are
working to have all our vulnerability
management processes public.
–This will allow the processes and procedures to be
used as a reference model for the industry.
Thursday, December 8, 11
18. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/18
Five Phases
• Five phases to our Vulnerability Management
Process:
1. Finder’s Report, Acknowledgment, Validation, CVSS
scoring, and Replication (TDD).
2. Vulnerability Resolution with workarounds,
patches, and fixes.
•Drafting the Security Advisory. Obtaining the CVE number.
3. Phased Disclosure
•Interacting with infrastructure partners, security folks,
vendors, customers.
4. General Public Notification Phase
•Reaching as many constituents as possible
5. Postmortem Review
Thursday, December 8, 11
19. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/19
Two Types of Vulnerability Response
• At ISC, we follow two sorts of process in determining types of
security emergency.
1.Issues reported to ISC through private or secured
channels are treated as “Type I” incidents (see “what to do
if you find something”).
•The normal Vulnerability Management Processes are used.
2.Live Operational Issues or Public Disclosure of
vulnerability are “Type II.”
•Extremely compressed process, public notified as quickly as
possible
•Some lead time for root-ops and other key partners if possible
Note: ISC treats all incidents impacting DNS operations at
multiple sites as security issues until they are confirmed
as non-malicious attacks.
Thursday, December 8, 11
20. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/20
Version 1.1 Disclosure Phases
•Phase One: ISC Forum subscribers, ISC
software support customers, and DNS
Root Operators (where applicable).
–Formal notice and pre-release code snapshot
at least five business days in advance of the
release of the public disclosure.
•Phase Two: CSIRTs and other global
security tracking organizations.
–Written notice of the disclosure ~24 hours
before planned release of the public disclosure
and code.
Thursday, December 8, 11
21. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/21
Version 1.1 Disclosure Phases
• Phase Three: Vendors who package our
code into their operating systems,
appliances, and products, receive written
notice of the disclosure ~24 hours before
planned release of the public disclosure and
code.
–Vendors who are Software Forum Members receive
notification in Phase One.
• Phase Four: General Public disclosure of the
vulnerability, and release of patched versions
of all currently supported affected code.
Thursday, December 8, 11
22. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/22
Factors that Impact Phased Disclosure
• Contractual Trust (working non-disclosure)
and Operational Trust (working discreetly
through the remediation) is critical for a
Phased Disclosure to work.
–The chain of consequences of a disclosure leak
impact the whole community.
–This is why few vendors (software or hardware) use
a phased disclosure approach. It requires more
investment in time and effort to ensure that it
works effectively.
–Non-Disclosure agreements are included in ISC’s
Support, Service, and Forum contracts -- but other
organizations require a NDA.
Thursday, December 8, 11
23. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/23
Factors that Impact Phased Disclosure
•Encrypted communications is required
throughout the phased disclosure.
–It takes time to exchange PGP keys (if keys
are available).
–Not all organizations or individuals use PGP
–Not always easy to exchange keys
Thursday, December 8, 11
24. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/24
What’s Next?
• ISC continuously improves our Vulnerability
Management and Disclosure Processes.
Versions 1.2, 1.3, 1.4 (etc) will have:
–Security Advisories in Multiple Languages –
working with our partners (i.e. ccTLD colleagues,
CSIRTs, Universities) and our international staff.
–Phase 1 disclosure 7 days before the public
release.
–Integration of Vendor and Operating System
Partners into the Phase 1 disclosure to have the
packages ready to go on the General Disclosure
Phase (T0). This is similar to Microsoft’s and
ICASI’s Coordinated Vulnerability Disclosure.
Thursday, December 8, 11
25. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/25
What’s Next (cont)?
–Work with National CSIRTs to provide secured
disclosure sooner than 24 hours before public
advisory.
–Work with global partners to prepare vendor
specific software versions and local language
notification at public disclosure.
–Briefing Calls and Webinars with our support
customers & forum subscribers.
–First publication of our vulnerability
management processes and procedures via
our Knowledge
–Increase compliance with the Common
Vulnerability Reporting Framework (CVRF)
Thursday, December 8, 11
26. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
Test Driven Development (TDD) and
Vulnerability Disclosure
Thursday, December 8, 11
27. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/27
TDD and Vulnerabilities
• ISC uses Test Driven
Development extensively as a
key engineering quality process.
• Once we have validated &
replicated the vulnerability, we
then write a unit test.
• We then fix the code and verify
using the test.
• When we get ready to release
the code, we pull out the test so
people will not know how to
build an exploit.
• This unit test is a regression
test. We need to find an
appropriate time to put it back
into the code.
Thursday, December 8, 11
28. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/28
Version 2.0
•In the future ISC will move to v2.0 of our
Vulnerability Disclosure Process.
•The major change in 2.0 will be a public
policy stating when the unit test/
regression test for the defect
(vulnerability) will be integrated back
into the code.
–Operators ask us for this information for their
own verification processes.
–This could make it easier to build an exploit.
Thursday, December 8, 11
29. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/29
Prerequisites to Version 2.0
•ISC has a lot of work to do to prepare the
our constituents for the impact of TDD in
open source.
–We need to have on-line training for our
support customers, forum subscribers, and
submitters.
–We need to improve communications channel
with our customers and the global community
(i.e. let them know they should upgrade)
–We need to interact with the FIRST community
to review the impact this will have greater
community.
Thursday, December 8, 11
30. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/30
Path to Version 2.0
•We’re asking our support customers,
forum subscribers, submitters, and
global user community for feedback as
we integrate TDD practices with our
vulnerability disclosure process.
–What do we need to prepare?
–What do you need to prepare?
–How might this impact your operations?
–What is the appropriate time between the
general disclosure and when we integrate the
unit/regression test back into the code?
Thursday, December 8, 11
31. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
ISC’s Use of the Common
Vulnerability Scoring System (CVSS)
Thursday, December 8, 11
32. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/32
Common Vulnerability Scoring System (CVSS)
•CVSS provides ISC with an industry tool
that improves our security risk,
communications, and disclosure
processes.
•It allows us to perform an initial risk
assessment and dialog with the
vulnerability’s finder to insure we apply
the appropriate level of response.
•The CVSS Base Score is now included as
part of our Security Advisory.
Thursday, December 8, 11
33. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/33
How does CVSS work?
• The Common Vulnerability Scoring System
(CVSS) is a tool that allows two very different
organizations to have a meaningful
conversation about the risk a vulnerability can
have on a network.
• CVSS uses metrics and formulas to yield a
score that can be used to assess potential risk.
Thursday, December 8, 11
34. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
Components of CVSS Score
• Base Score
– Based on the
parameters that are
intrinsic to any given
vulnerability that do not
change over time
• Temporal Score
– Based on the
parameters of a
vulnerability that
change over time
• Environmental Score
– Based on the
parameters of a
vulnerability that are
specific to a user’s
environment
34
Thursday, December 8, 11
35. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
CVSS is a Metric which drives action
•CVSS is used by CSIRT/SIRT Team for:
–Consultation inside the organization on the risk
–Setting priority of assigned Support Resources
–Setting priority of assigned Engineering
Resources
–Determining which images will be fixed
–Deciding when we would need a security
advisory to drive upgrades and mitigations with
our customers
•cf. Security Notice, Security FYI, or ordinary KB article
–Defining how to communicate risk to our
customers
35
Thursday, December 8, 11
36. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
ISC CVSS Scoring
CVSS Base Score Internal Description Disclosure Build Plan
8 - 10 Critical & Catastrophic
Potential Critical Notification
Process
Fix all images to cover the
majority of deployed code
(i.e. open EOL images.)
7 Critical Security Advisory Fix all Non-EOL Images
5 - 6 High Security Advisory Fix all Non-EOL Images
3 - 4 Medium No Advisory Fix all Non-EOL Images
0 - 2 Low No Advisory
Just Fix it and Move
Forward
Thursday, December 8, 11
37. ?Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
Questions
Thursday, December 8, 11
39. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
Keeping in Contact
http://www.facebook.com/InternetSystemsConsortium
http://www.linkedin.com/company/internet-systems-consortium
http://twitter.com/ISCdotORG
Thursday, December 8, 11
40. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
ISC Resources
bind-announce for release notifications
http://lists.isc.org/mailman/listinfo/bind-announce
bind-users for community assistance
http://lists.isc.org/mailman/listinfo/bind-users
Knowledge Base articles about many things
http://deepthought.isc.org/
Thursday, December 8, 11
41. Copyright (c) 2011 Internet Systems Consortium http://www.isc.org/
Thank you for your time.
www.isc.org
Thursday, December 8, 11