This document discusses strategies for improving security awareness and practices among employees and organizations. It addresses issues like uninformed employees falling for phishing scams, securing home networks and devices, and ensuring new applications developed during business pivots are secure. The key recommendations are to educate employees and software teams, implement defense in depth with tools like two-factor authentication and encryption, and address security throughout the software development lifecycle when creating new applications and integrating third-party software.
Kill Chain Model for Use Cases Assist in Incident Response
1- Situational Awareness
Outbound Protocols
Outbound protocols by size
Top destination Countries
Top destination Countries by size
2- Reconnaissance
Port scan activity
ICMP query
3- Weaponization and Delivery
Injection
Cross Site Scripting
Cross Site Request Forgery
Failure to Restrict URL
Downloaded binaries
Top email subjects
Domains mismatching
Malicious or anomalous Office/Java/Adobe files
Suspicious Web pages (iframe + [pdf|html|js])
From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered:
• What do i actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping, what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices of deploying best of breed solutions
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.
(Source: RSA USA 2016-San Francisco)
Kill Chain Model for Use Cases Assist in Incident Response
1- Situational Awareness
Outbound Protocols
Outbound protocols by size
Top destination Countries
Top destination Countries by size
2- Reconnaissance
Port scan activity
ICMP query
3- Weaponization and Delivery
Injection
Cross Site Scripting
Cross Site Request Forgery
Failure to Restrict URL
Downloaded binaries
Top email subjects
Domains mismatching
Malicious or anomalous Office/Java/Adobe files
Suspicious Web pages (iframe + [pdf|html|js])
From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered:
• What do i actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping, what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices of deploying best of breed solutions
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.
(Source: RSA USA 2016-San Francisco)
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...Kaspersky
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly.
By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response.
Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.
NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.
Hijacking a Pizza Delivery Robot (using SQL injection)Priyanka Aash
Welcome to the lighter side of the software security world! We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh). This talk is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.
Overview of Google’s BeyondCorp Approach to SecurityPriyanka Aash
Need a different approach – Google BeyondCorp Principles:
- Connecting from a particular network must not determine your trust level
- Access to service is granted based on what we know about you and your device
- All access to services must be Authenticated, Authorized and Encrypted
- Zero-Trust Model
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
Abstract: Modern day cyber threats are ever increasing in sophistication and evasiveness against Process Control Networks. Organizations in the industry are facing a constant challenge to adopt modern techniques to proactively monitor the security posture within the SCADA infrastructure whilst keeping cyber attackers and threat actors at bay.
In this presentation we will cover the fundamental building blocks of building a SCADA cyber security operations center with key responsibilities such as Incident Response Management, Vulnerability and Patch Management, Secure-by-design Architecture, Security Logging and Monitoring and how such security domains drive accountability and act as a line of authority across the PCN.
Application Security Architecture and Threat ModellingPriyanka Aash
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
NGAV is the natural (and much needed) evolution of traditional AV that protects computers from the full spectrum of modern cyber attacks, delivering the best endpoint protection with the least amount of work. NGAV speaks to a fundamentally different technical approach in the way malicious activity is detected and blocked.
Vulnerability assessment & Penetration testing Basics Mohammed Adam
In these days of widespread Internet usage, security is of prime importance. The almost universal use of mobile and Web applications makes systems vulnerable to cyber attacks. Vulnerability assessment can help identify the loopholes in a system while penetration testing is a proof-of-concept approach to actually explore and exploit a vulnerability.
Automotive safety has been a major concern for manufacturers everywhere and now the threat of automotive hacking looms. Your team may be familiar with safety standards and defensive coding techniques but do you know how to handle security threats at the code level? What can you do next to transform your processes and development strategies?
Join automotive experts from Rogue Wave Software for the first in a three-part series on securing your code and solidifying processes to ensure safe, defect-free software. By educating teams and understanding proven techniques, you’ll be able to take the next step towards less risk and more value for your applications.
In this first one-hour webinar you'll learn:
- Techniques to protect your automotive software systems from risk
- Tools that accelerate compliance with security and safety standards
- Tips to ensure defects are eliminated as early as possible
Presentation on current security trends, prevention and detection. This presentation was initially given at a WatchGuard partner event for Equinox IT. http://www.equinoxits.com/
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...Kaspersky
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
The Critical Security Controls and the StealthWatch SystemLancope, Inc.
As today’s cyber-attackers become more sophisticated and nefarious, organizations must adopt the right mix of conventional and next-generation security tools to effectively defend their infrastructure from advanced threats. The Critical Security Controls effort is a growing movement that has been helping government agencies and large enterprises prioritize their cyber security spending accordingly.
By leveraging NetFlow and other types of flow data, Lancope’s StealthWatch System delivers continuous network visibility to fulfill a number of the highest priority controls, enhancing timely detection of targeted threats and improving incident response.
Learn the latest about the Critical Security Controls and hear how the StealthWatch System fits in.
NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.
Hijacking a Pizza Delivery Robot (using SQL injection)Priyanka Aash
Welcome to the lighter side of the software security world! We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh). This talk is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.
Overview of Google’s BeyondCorp Approach to SecurityPriyanka Aash
Need a different approach – Google BeyondCorp Principles:
- Connecting from a particular network must not determine your trust level
- Access to service is granted based on what we know about you and your device
- All access to services must be Authenticated, Authorized and Encrypted
- Zero-Trust Model
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
Abstract: Modern day cyber threats are ever increasing in sophistication and evasiveness against Process Control Networks. Organizations in the industry are facing a constant challenge to adopt modern techniques to proactively monitor the security posture within the SCADA infrastructure whilst keeping cyber attackers and threat actors at bay.
In this presentation we will cover the fundamental building blocks of building a SCADA cyber security operations center with key responsibilities such as Incident Response Management, Vulnerability and Patch Management, Secure-by-design Architecture, Security Logging and Monitoring and how such security domains drive accountability and act as a line of authority across the PCN.
Application Security Architecture and Threat ModellingPriyanka Aash
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
NGAV is the natural (and much needed) evolution of traditional AV that protects computers from the full spectrum of modern cyber attacks, delivering the best endpoint protection with the least amount of work. NGAV speaks to a fundamentally different technical approach in the way malicious activity is detected and blocked.
Vulnerability assessment & Penetration testing Basics Mohammed Adam
In these days of widespread Internet usage, security is of prime importance. The almost universal use of mobile and Web applications makes systems vulnerable to cyber attacks. Vulnerability assessment can help identify the loopholes in a system while penetration testing is a proof-of-concept approach to actually explore and exploit a vulnerability.
Automotive safety has been a major concern for manufacturers everywhere and now the threat of automotive hacking looms. Your team may be familiar with safety standards and defensive coding techniques but do you know how to handle security threats at the code level? What can you do next to transform your processes and development strategies?
Join automotive experts from Rogue Wave Software for the first in a three-part series on securing your code and solidifying processes to ensure safe, defect-free software. By educating teams and understanding proven techniques, you’ll be able to take the next step towards less risk and more value for your applications.
In this first one-hour webinar you'll learn:
- Techniques to protect your automotive software systems from risk
- Tools that accelerate compliance with security and safety standards
- Tips to ensure defects are eliminated as early as possible
Presentation on current security trends, prevention and detection. This presentation was initially given at a WatchGuard partner event for Equinox IT. http://www.equinoxits.com/
Learn what cyber security means for your law firm, your employees, and your bottom line. This presentation will provide a snapshot of the IT Security threats facing law firms today, as well as the knowledge and tools you can use to prevent them.
More and more organization employees are required to work outside the office using tablets, laptops and smartphones. These technologies are causing profound changes in the organization of information systems and therefore they have become the source of new risks. Mobile technologies collect and compile an increasing amount of sensitive information to which access must be controlled to protect the privacy of the user and the intellectual property of the company. This webinar will discuss the risks faced by small to medium size organizations that require employees to work remotely. We will also discuss mitigation strategies.
With 2014 being noted as “The Year of the Breach,” many businesses are still unprepared or not properly protected from numerous security threats. So what can your business do to help keep sensitive data safe? Check out the following slideshow to learn how to protect yourself and your business from threats. Contact the IT Security experts at MTG today to protect your organization!
We are surrounding with technology. The more we surround and integrate with technology the more we will be in risk our privacy data/online/internet/cyber. Not only you are in risk, your family and friend alos in risk. If we think I am not important person then that would be your great mistake. You are important to someone in somewhere in this world.
Mind it your daily life is watched by someone. So be conscious… remember Prevention is Better than cure.
I tried to cover small information about the present threat, vulnerability and best practices.
Most of information taken from the training material and internet.
Can You Steal From Me Now? Mobile and BYOD Security RisksMichael Davis
Presentation I gave at BriForum 2012 where I discuss Mobile Security Risks, BYOD and mobile privacy issues. Lastly, I wrap up with a discussion of Document Rights Management and mobile.
The Mobile Security Risks as adapted and updated from the Veracode Top 10 Mobile Security issues (With permission from Chris Wysopal)
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, list them, and map to other relevant projects such as STRIDE & MITRE. Security professionals can better understand what are the common attack vectors that are utilized in attacks, examples for previous events, and where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Case, Understanding Web 3 Pros
and Web 3 Cons. Prevention mechanism and how to make sure that it doesn’t happen to you?
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Accelerate your Kubernetes clusters with Varnish Caching
Wfh security risks - Ed Adams, President, Security Innovation
1. 1
• Securing software in all the challenging places….
• ….while helping clients get smarter
Assessment: show me the gaps
Standards: set goals and make it easy
Education: help me make good decisions
Over
3 Million
Users
Authored
18
Books
Named
6x
Gartner MQ
About Security Innovation
2. 2
• CEO by day; engineer by trade (and heart)
• Mechanical Engineer, Software Engineer
• Ponemon Institute Fellow
• Privacy by Design Ambassador, Canada
• In younger days, built non-lethal weapons
systems for Federal Government
About Me
3. 3
My Topics
Ø Uninformed Employees
Ø Home Networks and Practices
Ø Insecure Applications as Enterprises Pivot
5. 5
Security is Fundamentally a People Problem
• Email is an attack vector in 96% of incidents with social actions*
• Increase in phishing scams with COVID-19 WFH
• Spear, Pharming, SMiShing, Spy-Phishing, Vishing, Whaling, etc
• Plethora of info on web and social networks is making it easy
• Education is helping but unrealistic users won’t click in mass phishing campaign
• 4% of people will fall for any given phish*
• Anti-virus/malware is helping but
• Sophisticated techniques are circumventing it and prolonging exposure time
• Doesn’t help social engineering and credential theft
Small adjustments in user behavior has a large impact on security & privacy
* Verizon Data Breach Investigations Report
6. 6
Defense In Depth
• Often the goal is to gain initial entry to the network, then do
more damage
• For an attack to be successful, it must complete three steps:
1. Email must make its way through the gateway to the user's inbox
2. User must successfully execute the payload
3. Payload must successfully communicate with external command/control
server
• During each step, there are defenses to thwart the attack and
minimize impact
• Informed staff can serve as a human firewall
• Reduced attack surface keeps doors to a minimum
• Mitigating controls can prevent, delay and detect
7. 7
Using a Password Manager
• You only need to remember ONE password for all your sites
§ Make it a good one
• Uses very strong encryption to protect passwords
• Auto-fill forms, auto-capture passwords, 2-factor
authentication support, etc.
• I use Password Safe but there are other good ones, too:
§ LastPass
§ Dashlane
§ Password Boss
§ https://haveibeenpwned.com/
8. 8
Leverage Email Client Settings
• Some mail clients allow you to mark any email to/from people outside of your organization
• Use digital signatures so recipient knows it’s you sending the mail
9. 9
• Those annoying “update” notifications
§ Ignore at your own risk
§ >90% successful attacks exploit unpatched software*
§ Equifax breach anyone?
• What about safe texting/browsing
§ Disable message preview
§ Use private browsing for
o Sites you don’t want “remembered” e.g., banking
o Any shared device (including giving a friend your phone)
• Location services
Safe Texting/Browsing
* sources: Ponemon Institute, Verizon, Gartner
10. 10
Insecure Wi-Fi Comes at a Cost
Convenience often outweighs consequence
• Home Wi-Fi should be password protected (the stronger the better)
• “Evil Twin” attack: Hi1ton Free Wi-Fi
• FireSheep: automated cookie stealing
§ https://en.wikipedia.org/wiki/Firesheep
Counter-measures:
• Use HTTPS and/or VPN https://www.pcmag.com/picks/the-best-vpn-services
• Avoid public Wi-Fi for online shopping, banking
• Turn off the automatic Wi-Fi connectivity feature
on your phone, so it won’t automatically seek out hotspots
• Buy an unlimited data plan for your device and stop using public Wi-Fi altogether
• Implement two-factor authentication when logging into sensitive sites even if malicious
users have password they won’t be able to log in
11. 11
Use 2-Factor Authentication
What is 2-factor authentication (aka 2FA)?
• Pick 2: something you know, possess, or are
• Examples: Password+PhoneCode or
Password+Fingerprint
Why is 2FA Important?
• Avoid single point of failure
• Not necessary for all sites, but ones with sensitive
data… oh yeah!
• Can help thwart many phishing attacks
*Not all sites/apps support 2FA
12. 12
Lock, Encrypt & Back Up Your Devices
Threats
• Lost or stolen device results in
§ all data being lost/compromised
§ ability to impersonate you
§ ability to log into your accounts
• Local/online backup (encrypted!)
• Full disk encryption (often enabled by default
with devices password/setup)
• Use and test a “lost my device” app
§ Enable remote wipe capabilities (never guaranteed)
Defenses
I sign and encrypt every message I can!
- so recipient knows I am sender
- so if it’s stolen it’s gibberish
- …consider how it travels
14. 14
Today’s IoT Devices
• Devices are still devices, but…
• Run on LOTS of code; made to serve single/multiple purposes
• Real-time changes; no “wait for compile” and see
• Make changes from anywhere via cellular or wifi connection
• Sharing data is instantaneous and digital
15. 15
Recent IoT Trouble
Consumer & Medical Devices
• 465,000 vulnerable pacemakers from St. Jude
• Implantable cardiac devices have vulnerabilities
• Unauthorized remote access
• Deplete battery, change pacing, or deliver shocks
• Owlet WiFi Baby Heart Monitor
• Alerts parents when babies have heart troubles
• Connectivity element makes them exploitable
Best intentions exploited via careless manufacture configuration
16. 16
Dyn DDoS Attack: A not so oldie but goodie
• Domain Name System (DNS) service disrupted
• Affected nearly 1/3 of all Internet users in US and Europe
• No access to (short list):
• Amazon.com
• Comcast
• DirecTV
• GitHub
• Netflix
• Twitter
• PayPal
• Starbucks
• Verizon
• Visa
• Walgreens
• Xbox Live
• PlayStation Network
• iHeart Radio
• BBC
• NY Times
• GrubHub
• Slack
Millions of IoT Devices (printers, IP cameras, baby monitors) infected
with Mirai malware and used to flood Dyn with traffic (DDoS)
17. 17
Smart Home Devices
• Consider disconnecting for
sensitive business, e.g., legal
• Some are always in “listen” mode
• Require authorization
• To access device
• For device to access home Wi-Fi
• Put them all on a separate
network (or segment)
19. 19
Businesses Pivot to Conduct More Online
• Creating and Deploying New Software Applications
• Curbside pickup/delivery
• Customer self-service
• Support staff no longer in secure call centers
• Web applications have become the #1 target for the
exploitation of vulnerabilities*
• 20.4%: Share of web traffic carrying malicious bots*
Need to secure software never greater than right now
*https://techbeacon.com/security/31-cybersecurity-stats-matter
20. 20
Education & Guidance
• Train your team to understand the implications of insecure
applications to prevent code- and business- logic mistakes
• InfoSec & GRC
• Executive
• Technical/Practitioner (Dev, IT, Audit)
• Arm your personnel with knowledge and resources to design,
develop, and deploy software securely
• Train staff to “think like an attacker”
• Reducing attack vectors is everyone’s responsibility
• Hands on simulations are most effective at fostering this attitude
21. 21
Training Software Teams on Security – from Gartner
• InfoSec team can help, but not scalable
• Practitioners can serve as mentors
• Determine when to engage the security team
• Single point of contact w/in their group
• Clearly define goals and responsibilities
• Conduct and/or verify security reviews
• Guard and promote “best practices”
• Raise issues for risks in existing/new software
• Build threat models for new features
• Should be knowledgeable (and passionate)
about software engineering
Gartner Report: 3 Steps to Integrate Security Into DevOps:
https://web.securityinnovation.com/gartner-report-devops
22. 22
COTS: Co-Owning the Software
• 73% of breaches from 3rd-party ecosystem
• Quest Diagnostics: hacker accessed data via billing collections software
• Facebook: passwords & email addresses exposed via 3rd party app
• Focus Brands: Point of Sale (PoS) software hacked
• Target fined and sued
• Point of entry was 3rd-party HVAC vendor software
• Ruling is they failed to identify and mitigate data risks
• Can’t just rely on patching - vendor can’t anticipate all deployed scenarios
• Inaccessibility to code forces you to take a more risk-based approach
• Need to train ALL stakeholders from requirement definition to live deployment
*2019 Verizon Data Breach Report:
23. 23
Final Thoughts
• People can be critical elements of a proper defense – treat them like other IT defenses
• The are distributed across the network like sensors
• They can act like firewalls, allowing or blocking attacks
• They can detect attacks and raise alarms
• They need “configuration and patching”
• Reduce smart device access during WFH
• Segment or remove
• Secure with authorizations
• Train software teams on security
• New Apps = New Threats
• All stakeholders need education (not just developers)
• Understand attacker techniques to build situational awareness
24. 24
How Can We Help?
DevOps/SDLC Risk Review
• Fill compliance gaps with tools,
activities and skills
• Roadmap with optimal sequencing
Computer Based Training
• Specific to DevOps roles
• Covers all major technologies,
roles, frameworks
Cyber Range
• Turn-key, fun
• Automated scoring
• Real-world applications,
platforms, systems