ShmooCon 2020
You’ve just been tasked with creating a vendor review management process at your company, but what does that even mean, and how are you going to do this? Do you need to buy a lot of expensive GRC software and hire an army of compliance staffers? This talk will explain what a vendor review process is and walk through setting one up at your company, using nothing more complicated than email, text files, and maybe some Slack and Google Forms.
“How do we get a SOC 2?” Do those words strike fear and anxiety into your heart as an infosec professional? Do you have visions of being buried under a mountain of fancy risk management software, endless numbers of spreadsheets, and losing sleep for weeks implementing complex audit logging software? Well, take a deep breath and join this talk, in which we break down how to achieve SOC 2 Type II compliance without losing your mind. Your guide today has led many companies of various sizes (but mostly tiny startups) through several years of successful SOC 2 audits, and is here to break it all down. Bring your notebook as we explain why and how.
This talk will not focus on endless checkboxes, or push compliance at the expense of security. Instead, it will be a real world view of how to achieve compliance audit success without wasting your time, creating busy work, undoing your hard work securing your users’ data, and building a resilient architecture. We’ll explore how to automate, what to automate, how to build a control set that fits your organization, and how to come out the SOC 2 hero.
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2... (Aggregage)
The COVID-19 pandemic forced many people into working remotely, opening the floodgates for a host of digital compliance issues. Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. This is especially vital if your workers were (and still are!) using company equipment from home, or are still working remotely.
Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.
In this webinar you will learn:
• What digital compliance looks like for remote, in-office, and hybrid businesses
• What factors to look for when evaluating your company's data privacy and security posture
• The ins and outs of HIPAA/SOC 2 in the context of a transition
• What tools or security measures your company can easily implement
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting (AlienVault)
If you're like most IT practitioners, you are busy. You have a million things to do and preparing the reports needed to prove PCI DSS compliance requires time you just don't have. It doesn't have to be so hard. Join compliance experts from Terra Verde Services and AlienVault for this practical session on how to take the pain out of PCI DSS reporting.
You'll learn:
The key reporting requirements of the PCI DSS standard
The security technologies you need to collect the required data
How AlienVault USM can generate these reports in minutes, not days
How to use your audit reports to improve security on an on-going basis
Extending the 20 critical security controls to gap assessments and security m... (John M. Willis)
Extending the 20 critical security controls to gap assessments and security maturity modeling.
Specifically, the controls are decomposed into Base Practices from a Process perspective.
Implementation approaches are viewed from a Robustness perspective.
PCI DSS Implementation: A Five Step Guide (AlienVault)
Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium sized organizations, it doesn’t have to be, as long as you have the right plan and tools in place. In this guide you’ll learn five steps that you can take to implement and maintain PCI DSS compliance at your organization.
AlienVault PCI DSS Compliance:
https://www.alienvault.com/solutions/pci-dss-compliance
Have a question? Ask it in our forum:
http://forums.alienvault.com
More videos: http://www.youtube.com/user/alienvaulttv
AlienVault Blogs: http://www.alienvault.com/blogs
AlienVault: http://www.alienvault.com
NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin (Anton Chuvakin)
PCI DSS and Logging: What YOU Need To Know by Dr Anton Chuvakin
Logging is a critical element in your security program, and it features prominently in PCI. Many merchants, including Higher Ed institutions, can have difficulty implementing all the requirements. In this session one of the leading logging and SIEM experts will map the PCI DSS logging requirements to a set of actionable procedures and tasks that you can use to achieve and maintain compliance. Bring your questions!
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response and detecting and preventing threats, and, most importantly, having your security team serve your business and mission? Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
Building a Product Security Practice in a DevOps World (Arun Prabhakar)
This is a whitepaper on Product Security that largely focuses on building key security capabilities for products that are developed using a DevOps methodology. It also describes an effort to set up and carry out the governance of Product Security in the DevOps world.
Effective Cyber Defense Using CIS Critical Security Controls (BSides Delhi)
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. They are developed, renewed, validated, and supported by a large volunteer community of security experts under the stewardship of the Center for Internet Security (www.cisecurity.org). Contributors, adopters, and supporters are found around the world and come from all types of roles, backgrounds, missions, and businesses. State and local governments, power distributors, transportation agencies, academic institutions, financial services, federal government, and defense contractors are among the hundreds of organizations that have adopted the Controls. They have all implemented the Controls to address the key question: “What needs to be done right now to protect my organization from advanced and targeted attacks?”
Are existing compliance requirements sufficient to prevent data breaches? This session will provide a technical assessment of the 2019 Capital One data breach, illustrating the technical modus operandi of the attack and identifying related compliance requirements based on the NIST Cybersecurity Framework. Attendees will learn the unexpected impact of corporate culture on overall cyber security posture.
This talk was presented at RSA Conference 2021 (Session RMG-T15) on May 18, 2021.
Original paper available for download at SSRN: Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (28/04/2020). https://ssrn.com/abstract=3570138
Security operations center 5 security controls (AlienVault)
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
How to Simplify PCI DSS Compliance with AlienVault USM (AlienVault)
Demonstrating compliance with PCI DSS is far from a trivial exercise. Those 12 requirements often translate into a lot of manual and labor-intensive tasks, along with the need to access data and reports from many different systems and tools. Join us for this technical demo to learn how AlienVault can simplify PCI DSS compliance and improve your overall security posture.
We'll cover:
Common PCI DSS compliance challenges
Questions to ask as you plan and prepare
Core capabilities needed to demonstrate compliance
How AlienVault Unified Security Management simplifies compliance and threat detection
How to simplify compliance with a unified approach to security
Managing Multiple Assessments Using Zero Trust Principles (ControlCase)
ControlCase discusses the following:
• What is “One Audit” for multiple assessments
• Current Research
• Zero Trust Principles for IT security
• Remote Assessment Methodology
Utilizing the Critical Security Controls to Secure Healthcare Technology (EnclaveSecurity)
The development of the Critical Security Controls is transforming the way companies measure and monitor the success of their security programs while drastically reducing the cost of security. Fifteen of the twenty controls can be automated, some at limited cost to the organization, and the data is readily available to be presented in conference rooms and board rooms. Upon implementing them, hospitals will have the ability to measure compliance, track progress, and know when they’ve reached certain goals.
They were developed and agreed upon by a consortium including NSA, US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center as well as the top commercial forensics experts and pen testers serving the banking and critical infrastructure communities. Since the US State Department implemented these controls they have demonstrated “more than 80% reduction in ‘measured’ security risk through the rigorous automation and measurement of the Top 20 Controls.”
This document explains the need for information security for all organizations and the standards to be followed to achieve it. It also gives vendor selection criteria for choosing an information security consultancy firm. It gives guidelines on how to keep your web application from being hacked, whether that means critical data being stolen or scripts being run without the owner's knowledge.
Cybersecurity risk assessments help organizations identify.pdf (TheWalkerGroup1)
Cybersecurity risk assessments help organizations identify, manage and mitigate all forms of cyber risk. It is a critical component of any comprehensive data protection strategy.
In today’s agile world, every organization is prone to cyber-attacks, as most of the applications have been developed and deployed with more focus on functionality, end user experience and with minimal attention given to security risks. http://www.karyatech.com/blog/security-testing-in-the-secured-world/
This talk is a summarized view of the various other talks in my profile. It was given to TACOM HQ LCMC as part of the "Our Shared Responsibility" initiative.
This is a good topical overview with some technical information.
The Avid Life Media hack is a striking example of everything that can go wrong when a company is completely breached followed by a total disclosure of the stolen information. This attack resulted in an estimated $200 million in costs, firing of the CEO, and countless lives ruined. This presentation will review the data exposed and what can be learned to prevent this from happening to your organization.
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof... (Denim Group)
HP Protect 2015 Presentation with Denim Group's John Dickson and HP's Bruce Jenkins - Software security historically has been a bolt-on afterthought, frequently a "nice to do" and not a "must do" activity in many organizations. Despite the obvious need to build security in from the outset, organizations continue to struggle to gain momentum and focus resources in support of a structured and measurable software security assurance program. How can organizations determine the best-fit activities and appropriate resource allocation levels to adequately address software risk? How can security leaders know what other organizations are doing to produce more secure software? This session provides an overview of the Open Software Assurance Maturity Model (OpenSAMM) framework and illustrates how organizations can use it to give their security program the edge necessary to stay competitive in today's DevOps world and need-for-speed go-to-market strategies. The session includes case studies on how organizations are using comparative data and OpenSAMM benchmarking to realize measurable software security improvement.
Originally shared here - https://sessioncatalog.hpglobalevents.com/go/agendabuilder.sessions/?l=19&sid=4026_2744&locale=en_US
When parts of a business process are outsourced, how can you as a customer assess that your supplier provides secure services? Of course, certification of their security management process gives some trust, but control is better. This presentation is about a practical approach to check vendor security.
Main points covered:
• How to add structure to the supply chain, so that security policy domains become clear
• Various means to assess security of a supplier, from site visits to audits and technical scans
• Introduction to a lightweight and innovative scan to assess the internet security posture of a company, which delivers amazing results.
Presenter:
Pascal de Koning is a qualified Information Security and Cybersecurity professional with wide experience as a consultant. Among other qualifications, he holds the CISSP and is currently working as Chairman of Security Services at The Open Group and SABSA Institute.
Link of the recorded session published on YouTube: https://youtu.be/M1v-ueKb2OE
INFRAGARD 2014: Back to basics security (Joel Cardella)
This talk focuses on getting Back To Basics with security controls. Too many enterprises are focusing on the wrong threats and spending money in the wrong places. Often overlooked are our basic security controls that require care and feeding, and regular review. This talk focuses on a few of those areas.
How to Secure your Fintech Solution - A Whitepaper by RapidValue (RapidValue)
This whitepaper delves into the security and privacy challenges that are core to Fintech companies and explains how one should go about formulating the security strategy for the Fintech initiative. It also brings into perspective the various technical aspects of the secured environment from a Fintech point-of-view.
Cyber security practices involve preventing malicious attacks on computers, servers, mobile devices, electronic systems, networks, and data. It is also called information technology security or electronic information security.
https://www.infosectrain.com/courses/ceh-v11-certification-training/
Security engineering 101 when good design & security work together (Wendy Knox Everette)
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Bring your Shmoo Balls, we have some juicy opinions on how the federal government should vet cloud services. After going through the FedRAMP authorization process with multiple companies, we have grey hair, scars, and some things to say.
We’ll go through some systemic problems and flag some of those weird controls that have always bugged us, and then when we’ve finished airing our grievances we’ll dig into the tough stuff: what can possibly change? Should it change? Will r5 ever be fully adopted? Should FedRAMP continue to exist?
Shea Nangle is a Director at a cybersecurity consultancy. He has been involved with FedRAMP (as a consultant and working for cloud service providers) since 2014. In 2023, he was recruited for the position of FedRAMP Director but chose to stay in private industry.
Wendy Knox Everette is a software developer & hacker lawyer who is currently the CISO at a healthcare data analytics firm. She has co-authored a peer reviewed article on FedRAMP in IEEE Security & Privacy, as well as another reviewing other security issues caused by control frameworks in NDSS.
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra... (Wendy Knox Everette)
Many women wear fitness trackers, use period tracking software, and geo tag photos on their phone without thinking about the data ever being used against them. But in a world where states are now exploring private citizen bounties against women suspected of receiving abortions, could the digital trails you create be used against you? Privacy leaks through fitness tech are nothing new (see the secret military bases exposed by Strava a few years ago). But now the confluence of health trackers which record a woman’s body temperature (Oura rings), their locations (maybe you logged a walk in a new city with Apple Fitness), and even period tracking applications can be used to implicate women, even if they just missed periods due to stress, took a work trip to a city, or any other benign reason. What legal and technical protections are in place to shield women from a techno-dystopia in a post-Roe world?
Federal law enforcement agencies demanded that Apple break the encryption used by iOS in the Apple v FBI fight in 2015, but backed down when an exploit was used to break into the iPhone. What followed was a pause in the demand for encryption backdoors for a few years, but that break has been short lived. This talk will update attendees on the history of the demands for encryption backdoors, from the Clipper chip to the creation of CALEA, and summarize recent demands from law enforcement to the tech industry to weaken strong encryption and allow law enforcement to access any data, any time.
Incident Response and the Attorney Client Privilege - ShmooCon 2019 (Wendy Knox Everette)
Oh no, you’ve suffered a computer security incident. The DFIR team you hired wrote up a great report detailing exactly what happened and making suggestions for how to fix some of these issues. But now you’re being sued, and opposing counsel requests that report!
Many times, companies will seek to protect investigations under the cover of attorney-client privilege. But what is that, when and how does the privilege attach, and how helpful is it most of the time? What should your goal be, and just what are best practices for working with attorneys?
How do you give your personal domain a green "Secure" lock? Can you prevent your domain from being used for spam and phishing emails?
This talk is a little different from most "crypto" talks - it's not about how some neat new encryption algorithm works, or writing code. Instead, it's about how to use the awesome crypto tools already available to make your online presence more secure. This talk came out of my frustration with tutorials online for setting up my personal website domain with TLS and my email domain with DMARC/DKIM/SPF. We'll walk through how to use free services to serve a website over TLS and how to configure a personal email domain to block it from being used to send spam and phishing emails.
Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.
Fingerprints, Passcodes, and Self Incrimination - BSides Nova (Wendy Knox Everette)
You’re arrested and your phone is held up to your face to be unlocked by the arresting officer, then sent to a forensics lab. Dystopian future or one where FaceID collides with weak self-incrimination protections for biometrics? This talk will explain how your 4th and 5th Amendment rights interact with advances in biometric technology. Along the way it will offer design suggestions for creators of mobile devices and tips to end users.
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017 (Wendy Knox Everette)
What sort of legal and policy choices would lead to more secure and safer software and computing-enabled devices? The patchwork of existing legal regimes in the US is based on regulations imposed on a few verticals (finance, healthcare, and education in particular), and a complex web of compliance frameworks, contractual provisions, and consumer lawsuits. As we think about making software safer and more secure for users, the policy choices we preference now may have long reaching effects. This talk will explore the implications of relying on software liability or other ex-post options vs. regulations or similar ex-ante choices.
Security Vulnerabilities, the Current State of Consumer Protection Law, & how... (Wendy Knox Everette)
BSides Las Vegas 2016 - Proving Ground Track
Video of talk: https://www.youtube.com/watch?v=EFGcZwjw9Q4&t=4s
If a consumer purchases software (like, perhaps, a word processor or a note taking software) and that leads to some harm- perhaps the software allows malware to run on their computer, locking all their data for ransom, or their private data is stolen, then do they have any recourse?
In the area of private law suits, a consumer would likely first look to products liability. Product liability law acts as a form of insurance to protect users - if a product is built in an unsafe way, and it injures you, you may sue the retailer or manufacturer of the product.
There are three general theories a consumer can recover under:
Design defect: the product was designed in an unsafe way
Manufacturing defect: the specific instance of a product was assembled incorrectly and had a one-off manufacturing flaw
Failure to warn claim: the product had non-obvious ways it could harm the consumer, that the consumer should be told about
Although these suits are common for defective products such as lawn mowers, coffee makers, and other consumer goods, they are not used by purchasers or users of software. The primary reason this is so, so far, is that products liability is focused on physical harms - it covers serious injuries like losing your finger to a bagel cutter, for instance - and the fact that until somewhat recently, most software couldn’t physically harm you. (Alternatively, some users can recover if they had a contract with the software creator or provider - as in the Trustwave Incident Response suit.)
The rise of the Internet of Things is about to change a lot of that. There have already been a small number of cases where liability was found where buggy software caused physical harm to some consumers. Returning to the fridge, what if someone could connect remotely to your fridge, and adjust the temperature to be a little too warm, leading you to get food poisoning? What if they could do so without the temperature display in the fridge changing, so it looked like it was still cold enough?
This talk will explore the background of product liability law, and discuss how and why IOT might bring about a change in expanding coverage of software flaws.
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Review Process From the Ground Up
1. Vendors, and Risk, and Tigers, and Bears, Oh My: How to create a vendor review process from the ground up
Wendy Knox Everette
@wendyck
ShmooCon 2020
2. Who am I?
Wendy Knox Everette
@wendyck
Senior Security Advisor, Leviathan Security Group.
I am a lawyer. I am very much not your lawyer.
3. What in the world is a vendor review?
#WoCInTech
4. At a high level, this is the process of trying to ensure that partners we give trusted access or data to will take reasonable care of that access or data.
15. Goals
Short term
• Set up a way to track the external services and tools we use
• Do an initial risk triage
Long term
• Better understand and track the risk we take on from using third party tools and services
17. Understand the major steps
1. Intake
2. Gather information
3. Evaluate
4. Document the decision
5. Set up the accepted services
6. Iterate & Improve
33. SOC 2 Type 1 and Type 2
SOC 2 reports assess a company on at least three of five “Trust Factors”
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
A Type 1 looks at a control set and asserts that the control set, if it operated, would fulfill the requirements.
A Type 2 is over a time period (3 months, 6 months, 1 year) and asserts that the controls DID operate during that time period.
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
36. My top questions for a place that builds software
1. Could you briefly explain your SDLC and change management?
2. Do you run any security tests on code as part of your deployment process?
3. Are there reviews or any approvals of the code committed by your SDE contractors before they go live?
4. Does your dev/staging environment hold live customer data?
37. My top questions – Access Control
1. Do you do access control reviews, particularly for access to any production/cloud environments or your source control repos?
38. My top questions – Monitoring/Incident Response
1. What sort of alerting and monitoring do you do, particularly around availability and security?
2. Do you have an Incident Response playbook or any plans?
42. What should we consider when deciding what information we’d need to evaluate a service?
• What are its touchpoints:
• into our network, or
• on our website, or
• with our data?
50. Some ideas to guide the review process
What threats to our company’s data are we concerned about?
What business processes will depend on this new tool, and what happens if it goes down?
53. Attack can be completed with common skills
Are there tools that automate the exploit, and if so, what tools are they?
• A Metasploit plugin or similar likely means that it is relatively easy to perform the attack.
• XSS or XSRF or SQLi would generally be considered easy to complete with common skills, although some chained exploits or particularly uncommon XSS attacks may be considered skilled attacks. If an attack normally classified as “YES” for this question is instead determined to require advanced skills, the risk assessor should document this in the Jira ticket. For example, “XSS attack requires novel technique not in common use” or similar.
54. Attack can be completed without significant resources
• Resources should be interpreted as requiring the attacker to invest time and research into the attack. Must they acquire a particular type of account?
• Can the attack be completed from anywhere on the Internet (for example exploiting an XSS flaw on an unauthenticated web page) or does it require authentication or a position on an internal network?
• Does it require breaking into a physical data center or document storage facility? The investment of time and research to acquire this sort of access should be considered significant resources.
55. The Asset is undefended
• Are there mitigating controls? These may be corrective controls (a VM that is re-set if it strays from a baseline); defense in depth (asset can be breached but the data is encrypted, and the key is not reachable) or similar protections.
• A ransomware attack against an end user on a laptop would not be considered an attack against an undefended computer if there are protections in the email to flag suspicious emails; if the user must click past a warning to run Office macros; if the laptop is fully backed up, and so forth.
• Are there detective controls such as logging and alerting in place which would trip on this attack? Are the people who receive these logs aware of the type of activity that would be consistent with an attack of this kind?
56. The vulnerability is always present in the asset
• Is the vulnerability something inherent in the activity or asset, such as a business need to take in a large quantity of PII and store it? Or can it be eliminated, such as by redacting or blurring PII?
• Is the asset vulnerable only during certain time periods, such as during an intake process?
• Is the item a legacy system that is lacking an upgrade path?
79. Stay organized
• Review pipeline and individual request statuses
• History of vendors reviewed, accepted, rejected
• Updating risk registers
• Who is the internal owner of the service? Do you know if they leave the company?
82. Finding data creep
• Would you find it if a department started sending more data types to a service than was originally approved?
83. Accounts on 3rd party tools and websites
• Updating access – do your access control reviews and offboarding processes handle third party accounts?
• What happens if the person with admin access on a third party leaves your company?
You’ve just been tasked with creating a vendor review management process at your company! What in the world does that even involve?
Vendor review management programs are designed to review tools and services used by an enterprise, with the goal of making an informed decision about whether the risk of using a particular tool is worth taking on.
Third party risk can be a blind spot at some companies, and many organizations aren’t sure how to deal with it even if they are aware of it.
Over the last few years, vendor security reviews have been moving from somewhat of a niche thing that only organizations in niche, regulated areas do (I started doing them for financial firms) to something that more and more organizations are taking on.
TWO MIN
One reason why third party risk has been getting more attention is the increasing number of SAAS tools.
SAAS: software as a service
your company’s data is no longer just in your server closet, and there are other organizations that you need to trust in order to run an enterprise now.
Many tools are hosted elsewhere now, and so a lot of sensitive data leaves the networks that your company controls.
Combine this with a general increase in the awareness of security best practices and some other trends, and all of a sudden we have a lot of security teams being asked to implement some form of vendor review.
The audience for this talk is a security engineer at a smaller company who either has been getting worried about all the tools they see being used within their company, with access to lots of sensitive data, or one who has been asked to stand up a risk management and vendor review program to meet some compliance need.
Really, this talk is for me, circa 2016, when I started doing these and couldn't find anything about third party risk management that made sense to me.
Do you need to buy a lot of expensive GRC software and hire an army of compliance staffers? No.
GRC --> Governance Risk Compliance
There’s not a lot out there about the DIY approach and breaking things down for understaffed teams.
5 min
I’ve tried to structure this talk so that it would give a lot of operational takeaways that will help practitioners.
So instead of recommending a lot of expensive GRC software, this talk tries to focus on tools-agnostic approaches and simple solutions that teams likely already have access to, like shared drives and Slack. I’m also going to talk about how to cooperate with other teams at your company to get this program off the ground and running.
Hopefully: ensuring that our company’s data and systems stay secure. Maybe we also need to generate compliance artifacts- do we need to show that we’ve done these reviews for a SOC II, HITRUST, or other audit?
Vendor reviews are a big part of capturing and cataloging the third party risk taken on by an enterprise. Cataloging who has our sensitive data or who has privileged access in our systems helps give a fuller picture of the overall risk our organization carries.
The third party libraries that your development teams depend on could be seen as part of your overall vendor review process. However, that introduces a lot of complexity, and is more often owned directly by the development teams, so I’m going to set that aside.
Just note that the libraries that they use should be reviewed, and you’ll want to make sure you’re regularly patching them.
Instead, we’re going to focus on three goals with this talk.
First, let’s figure out a way to do a security review of external tools & services that our company relies on.
Next, let’s do an initial risk triage of all the vendors that we’re already using.
Long term, we’ll want to set up a program to track and assess our overall third party risk profile.
7 min
We’ll begin with the idea that we need a way to assess third party risk when an employee comes to us and says “Hey, I’d like to use this cool new service!” – how do we start?
There are six big steps to our review process, and we’ll go through them one by one and explore what they’ll entail.
First –intake.
This is the process by which you have employees tell you about new services they will want to evaluate. When you start, this might be more of a discovery process, as you'll have to decide if you're going to evaluate all the vendors and tools you already have. We’ll go through this as if we have a single new service to review.
Before we get into the specifics of running the program, remember that we need buy-in from management, developers, marketing teams: users of the systems that we want to review. Without their cooperation and active interest, you’re going to be shuffling pointless paperwork. We need some way to partner with them, without being seen as “the security team always says no” or “they’re just a roadblock to getting work done.”
The way we overcome this is to focus on being a partner organization, remembering that our co-workers are subject matter experts in their domains, and communicating business risk, not specific vulns or hacks.
Usually we’re going to need the employee to kick off this process, by letting us know what service they want to begin using.
10 min?
From our perspective, we have a few things we need to learn from them.
For instance -
What do they expect to use this for, and what are the failure cases?
How does the service interact with our accounts or customers?
One way that we can run this intake process is with a web form that we can direct users to. We’ll go through an example one to see what it might look like.
* What does your project do?
* How will the product be used?
* Does the vendor have a TOS?
* Does the vendor have a privacy policy?
* What service are you planning to use?
* When do you hope to have this in place?
* URL to product
* What alternatives did you look at
* Why is this one best?
* What will it cost?
* What classes of information will it process?
* Does it require a service account connection to other systems?
* Does it support SAML/Single Sign On?
13 min?
Now that we have information from the employee, we need to pivot to getting some information about the security and privacy of the tool or service.
Here you'll reach out to the vendor for that information.
Do your users already have a sales contact? Many times they will come to you having already opened a dialog with the vendor. If so, it’s very helpful to leverage that channel when you talk to the vendor.
We know we want to ask “how secure is your service?” – but how do we get the information we need to make that assessment?
Security Questionnaires are the primary way people gather information about vendors under consideration. They're a set of privacy and security questions for the company being considered to fill out. There are several standard ones in the industry, and we’ll go through a few of them first.
The standard ones are very comprehensive, and it can be quick turn around since many larger orgs have these available to send to you right away.
The Cloud Security Alliance’s Consensus Assessment Initiative Questionnaire - it has a little something for everybody: A little policy, a little governance, some infrastructure information and basic control responses.
The CAIQ, mapped to many of the most popular frameworks (NIST, ISO, FedRAMP, ENISA, etc.), works for many customer industry verticals. For many companies, if you aren't subscribing to their enterprise level, the most they will give you is a standard questionnaire like the CAIQ.
Google VSAQ: Created by Google, open source (hosted on GitHub), and it's basically an essay question about your systems and your network. These kind of feel like you’re back in school where you’re not quite sure how much you should write.
Vendor Security Alliance Questionnaire: Confusingly, also called VSAQ, because fuck it, I guess. Created by lots of well-meaning companies, including Uber and Palantir, and---I swear to god---marketed in conjunction with a company that will collect your VSAQ responses AND MARKET BASED ON YOUR CONFIDENTIAL INFORMATION.
I made the mistake of letting browser autofill put in my work number for this once and got months of phone calls from them.
Standardized Information Gathering (SIG) is a set of questionnaires (light or medium). All of them are awful, but they tend to be used by people who are over 50. My first exposure to vendor security questionnaires was doing these for finance firms.
This isn’t a questionnaire, but you’ll often see third parties offer you a SOC report. SOC stands for “System and Organization Controls”, and a
SOC 2 reports assess a company on at least three of five “Trust Factors”
Security
Availability
Processing Integrity
Confidentiality
Privacy
There are two types of SOC 2 reports, Type 1 and Type 2. One looks at a point in time, and the other looks at how controls operated over the audit period.
You can also create your own questionnaire.
But note that if you’re not subscribing to the enterprise tier of a service, the vendor may not be willing to fill out your questionnaire. Or they may not have staff who are used to filling out these questionnaires and aren’t sure what to answer.
Also note, that often these are filled in by sales people, so you should think about how you word your questions – could a non-technical person successfully look up the answer, or understand the context?
Sometimes they will offer to answer just a few questions for you, if you ask.
18 min?
This is an example of a vendor security questionnaire that focuses on the internal audit controls at a vendor
If we’re looking at a SAAS platform that is built by a smaller company, these are some of my smell test questions that try to get a handle on how mature they are and how much risk we’d be taking on by entrusting some of our data to this organization.
Asking about access control reviews is important if they’ll have access to sensitive data, such as customer data or personal information of your employees.
I like to ask about their monitoring & incident response programs to get a handle on how likely I think it is that they might even notice if they lose our data.
Now that we have some idea of the information we want to gather, we have to go get it. Often having the requestor reach out initially is helpful, to let them know that we’ll be asking some questions about the service. Have a template that you fill in to send this out, it makes things go much faster.
Track where you are with each vendor so that you don’t waste time re-creating steps or forget to follow up: either through a Slack channel, a whiteboard list, or some other way.
Many of these reviews take a lot of going back-and-forth initially to get the material you need (see word salad from sales people in vendor Q forms)
20 min?
Now you have to analyze all the information you gathered. Here’s where we’ll do the risk assessment part of this process.
Does the service run JavaScript on our company website? Do you send it data? Does it have access to a DB that you operate?
Do you have a data classification policy already? Does your legal department?
Remember when we said that we’d ask about access control reviews and practices at the vendor if we’re sending highly confidential data like customer data or personal information of our employees to the vendor?
We should have some agreed-upon definition internally of what our sensitive data types are. This helps us understand what level of risk we should assign to the vendor, which informs the level of scrutiny we’re going to apply during our vendor review.
Some of the data our company has are highly confidential, like our source code, or employee Social Security Numbers, or customer content we might store. Maybe we hold health data (PHI).
Publicly available information may be less sensitive regarding disclosure, but we may be granting the tool the ability to speak on our behalf
This is a vendor that doesn’t have good monitoring and detection.
The big question we can keep asking ourselves is, what's the worst thing that could happen if this tool has the access it wants, or if this vendor loses the type of data we want to give them?
25 minutes
There should be a documented process that you use to assess each vendor, based on the initial level of risk that we think we’d be taking on: the data we’ll send to them, what level of access they have, and where the touchpoints to our company are.
For instance, if you’ll send customer data to a vendor, you may require that they have a written IR plan and run Incident Response exercises, and that they be able to explain what sort of monitoring for data exfiltration they have in place. You might get that information from a security questionnaire they filled out, or by looking for certain controls in their SOC 2 report.
We want to think about how to get a handle on the risk that this vendor introduces. You can use a variety of tools to do this; one that we’ve found can help guide conversations well is Binary Risk Assessment.
There’s a white paper on this website that explains the whole process, and also a little web app that can guide you through an assessment.
This is the binary workcard on the website. As you say yes/no, it updates the risk/likelihood/impact.
It can be hard to come to agreement on the yes/no for some of these answers, so sometimes we like to come up with "guard rails" or assumptions to guide us
These are some sample guidelines we’ve created for filling out the Binary Risk Assessment that help keep everyone on the same page.
Common skills / Metasploit plugins
Significant investment of resources - is this drive-by exploitation/mass scanning?
What mitigating controls are in place?
Is the asset always vulnerable?
28 minutes?
think about what your biggest worries are with this service, and make sure that you have enough information here to make a reasonably informed decision.
Is this a JavaScript library we’re putting on our homepage? Let’s ask about change management controls to make sure they don’t break our homepage.
Is this a payroll tool that gives their employees access to our employees’ bank account numbers? We should ask about their background check process.
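As an added example (not code from the talk), here is the documented triage above written down as code: it takes the intake-form answers, assigns a provisional risk tier from the data classes and touchpoints involved, and returns the evidence to ask the vendor for (access control reviews, IR plan, exfiltration monitoring, change management for code on our site, background checks for payroll). The data classification, touchpoint names and tier rules are constructed assumptions standing in for your own policy.

```python
"""Initial triage of a vendor intake request.

Added example, not code from the talk. The data classification, the
touchpoint names and the tier-to-evidence rules below are constructed
assumptions; substitute your own data classification policy.
"""
from dataclasses import dataclass

# Constructed data classification (a real one comes from your own policy).
HIGHLY_CONFIDENTIAL = {"source_code", "employee_ssn", "customer_content",
                       "phi", "bank_account"}
CONFIDENTIAL = {"employee_contact_info", "internal_docs", "usage_analytics"}
PUBLIC = {"marketing_copy", "public_website_content"}

# Touchpoints into the company: our network, our website, our data, or the
# ability to speak on our behalf (e.g. a social media posting tool).
TOUCHPOINTS = {"network", "website_javascript", "database", "speaks_for_company"}


@dataclass
class IntakeRequest:
    """Answers from the intake form an employee fills out."""
    service: str
    url: str
    purpose: str
    data_classes: set       # classes of information the service will process
    touchpoints: set        # subset of TOUCHPOINTS
    service_account: bool   # needs a service account connection to other systems?
    supports_sso: bool      # SAML / single sign-on available?


def initial_risk_tier(req: IntakeRequest) -> str:
    """Provisional tier that decides how much scrutiny the review gets."""
    unknown = req.data_classes - HIGHLY_CONFIDENTIAL - CONFIDENTIAL - PUBLIC
    if unknown:
        # An unclassified data type is a gap in our policy, not a low risk.
        raise ValueError(f"unclassified data types: {sorted(unknown)}")
    bad_touch = req.touchpoints - TOUCHPOINTS
    if bad_touch:
        raise ValueError(f"unknown touchpoints: {sorted(bad_touch)}")
    if req.data_classes & HIGHLY_CONFIDENTIAL or "database" in req.touchpoints:
        return "high"
    if (req.data_classes & CONFIDENTIAL or req.service_account
            or req.touchpoints & {"network", "website_javascript", "speaks_for_company"}):
        return "medium"
    return "low"


def required_evidence(req: IntakeRequest) -> set:
    """Evidence to request from the vendor, driven by tier and touchpoints."""
    tier = initial_risk_tier(req)
    evidence = {"terms of service and privacy policy on file"}
    if tier == "high":
        evidence |= {
            "access control reviews for production, cloud and source repos",
            "written incident response plan and evidence of IR exercises",
            "monitoring and alerting for data exfiltration",
            "SDLC and change management description",
            "SOC 2 Type 2 report or completed CAIQ",
        }
    elif tier == "medium":
        evidence |= {
            "SOC 2 report or standard questionnaire",
            "alerting and monitoring for availability and security",
        }
    if "website_javascript" in req.touchpoints:
        evidence.add("change management controls for code served on our site")
    if "bank_account" in req.data_classes:
        evidence.add("employee background check process")
    if "speaks_for_company" in req.touchpoints:
        evidence.add("who holds admin on the account and how posts are approved")
    if req.service_account:
        evidence.add("least-privilege scope and rotation for the service account")
    if not req.supports_sso:
        evidence.add("account management plan: admin owner, password rotation, recovery")
    return evidence


# Constructed sample requests (names and URLs are placeholders).
PAYROLL = IntakeRequest(
    service="ExamplePayroll", url="https://payroll.example.invalid",
    purpose="run payroll", data_classes={"employee_ssn", "bank_account"},
    touchpoints=set(), service_account=False, supports_sso=True)

CHAT_WIDGET = IntakeRequest(
    service="ExampleChat", url="https://chat.example.invalid",
    purpose="live chat on the marketing site", data_classes={"usage_analytics"},
    touchpoints={"website_javascript"}, service_account=False, supports_sso=False)

if __name__ == "__main__":
    for req in (PAYROLL, CHAT_WIDGET):
        print(req.service, "->", initial_risk_tier(req))
        for item in sorted(required_evidence(req)):
            print("  -", item)
```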
Now is a great time to document them.
For instance, we might find that a service poses a high risk to our enterprise – it has to hold very sensitive data, but they seem to be immature and not take security seriously. However, our business needs to partner with this company for a critical business purpose. Once we’ve communicated the risk to the stakeholders and company management, and they’ve accepted this risk, we should think about what compensating controls we can put in place.
Is there any form of monitoring we can institute that catches malicious activity or data leakage as soon as it happens?
Some companies will get into endless loops of asking for follow ups to their questionnaires. And it can be really frustrating to send out your questions and get back vague, hand-wavy non-answers. If you’re in a highly regulated industry, you may have an obligation to dig into a lot of the details of how your data is being stored or processed.
30 min?
You’ll want to coordinate with some other departments within your company in order to run a successful review process.
The Legal team is tasked with reviewing contracts like NDAs, or Master Service Agreements. Often they will also want to do a Privacy review, or make sure a Data Protection Agreement is signed.
Set up a process with your legal team to review and sign these, since most vendors won’t give you a SOC II report without one in place. What to think about:
how much time do they need to review?
Can they authorize you to sign some of them?
IT will usually need to onboard the services you approve, and they may be the ones to integrate a tool into your Single Sign On.
Many times we see sales and marketing teams coming to us with the most asks for new tools, so it will make sense to reach out to them early and get them onboard with your process. They’re interested in protecting the company’s reputation, so you share many of the same end goals.
Finance will need to set up payments for services, and they may want to review service contracts.
They can also be a great team to partner with as you launch your program.
Finance can also alert you to new charges they see, such as on corporate cards, which might mean a new vendor or service to review.
You should figure out a way to communicate approved services to them, so that they can alert you if they see charges for unapproved services or tools.
While we aren’t going to dive into the use of third party libraries by development teams, engineering teams do often use other third party tools you’ll want to review.
Some teams use code review tools, or GitHub plugins. They may want to onboard an A/B test tool, or some performance analysis tools. These will run on your website, but you may or may not end up hosting the code.
33 min?
Especially if you were asked to do this process for a SOC 2 or similar audit: document everything that you do. Take meeting notes, or use slack channels you can archive. Or create Jira tickets; whatever works for your company's culture.
Create some form of a tracking system that can help you list approved or rejected vendors. Ideally it will also have a way to help you track in-process reviews, especially if you have to wait for legal or other external sign offs, or if some vendors are slow in returning the security questionnaire you sent out.
This tracking can be done with an Excel spreadsheet, or Jira, or within Slack.
If you’re doing this for a SOC audit, you’ll want to be able to show that you considered the security risk of any vendor you onboarded.
There are a lot of stakeholders who will want to know where the review process is. Especially when you first launch the program, the initial requestor may be expecting to begin using a new tool quickly, and may be very impatient while we perform the security risk assessment.
To help track status and communicate it to stake holders, think about what sort of tools you might be able to leverage.
This is an example of a Slackbot that we use at a company to track our signoffs. If you invoke the Slackbot in the channel, it will tell you what signoffs it has received already, and we can tell it which ones we’re submitting.
As you vet the third parties, make a master list of all the approved and onboarded vendors, as well as the internal company owner. You may want to also track your internal risk rating of them, or some other metric that alerts you to what sort of data they hold or how key they are to the company’s operations.
34 min?
35 min?
After the approval, there are some onboarding steps that may largely be owned by IT or other groups
do they use SSO?
Who will be an admin? And all kinds of other fun account management things like required password rotations, account recovery, etc.
The third party contacts can go into your master spreadsheet of vendors, along side the internal company owner.
Sometimes there are different security and availability contacts at the company, and you’ll want to be able to track that distinction. Other places may give you a single account rep, and you would usually work with them on anything that comes up.
Availability might be owned by another group at your company, but many times it will fall to you to be the point person. Do you have any visibility into the availability and performance of these services? How would you be alerted if defined SLAs are exceeded? What do you do then?
40 min
After a few iterations, you'll get the hang of it. So this section is some tips that we've picked up from running these programs at small companies.
This can be key to getting buy-in from the rest of the company.
Would you like the process started by slack?
Can you create a Google Form for your co-workers to fill out with their new requests?
Update your tracking spreadsheet - you should have one Source of Truth that has all your vendors/services/tools/other 3rd party integrations. How you structure this is up to you, because it should make sense to your team.
Reviewing the questions you ask: if you made your own questionnaire, or if you have a checklist of the items you look for in a CAIQ or a SOC II report, don’t just let it stagnate. Learn from past issues, from news reports, etc.
Do users skip your intake form because it’s too unwieldy and asks for information they don’t have yet?
Do deadlines for contract renewals catch you unaware and cause scrambles? Both of these are examples of pain points that should point towards places where we can try to improve our processes.