1、Application security:
https://bestpractices.coreinfrastructure.org/projects/new
https://www.coreinfrastructure.org/resources (vendors such as Huawei, Google, Microsoft and Facebook)
https://www.sonarqube.org/
AFL
http://frama-c.com/
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities
Training is the bridge between security and development
Creates a connection between security and developers
2、Reports:
http://www.isaca.org/cyber/pages/state-of-cybersecurity-implications-for-2017.aspx
http://www.howtomeasureanything.com/cybersecurity/#downloads
https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf
https://www.cloudfoundry.org/wp-content/uploads/2016/06/Cloud-Foundry-2016-Container-Report.pdf
https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2016.pdf
http://www.rightscale.com/blog/cloud-industry-insights/new-devopstrends-2016-state-cloud-survey
https://cispe.cloud/wp-content/uploads/pdf/CISPE-PRESS-RELEASE-27092016.pdf
https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm
0 day report Q1 2017 prediction
http://cybersecurityventures.com/zero-day-vulnerabilities-attacks-exploits-report-2017/
NopSec, 2015 State of Vulnerability Risk Management
http://info.nopsec.com/rs/736-UGK-525/images/NopSec_StateofVulnRisk_WhitePaper_2015.pdf
The State of Digital Third-Party Risk 2016 Report - http://en.softtek.co/tprisk2016
Review:
DHS Strategic Principles For Securing The Internet Of Things
FDA Postmarket Management of Cybersecurity in Medical Devices
NHTSA Cybersecurity Best Practices for Modern Vehicles
DOD Digital Vulnerability Disclosure Policy
White House President’s Commission Report on Enhancing National Cybersecurity
—Testimony to President’s Commission on Enhancing National Cybersecurity by Joshua Corman
Commerce NTIA Department of Commerce Multistakeholder Process: Cybersecurity Vulnerabilities
Consider the 6 ways Safety IoT are different
https://www.iamthecavalry.org/iotdifferences/
Review the 5 Star Cybersafety Framework and Hippocratic Oath
https://www.iamthecavalry.org/5star/
https://www.iamthecavalry.org/oath/
https://www.tag-cyber.com/Annual/2017/
3、Devopssec:
https://vimeo.com/165861695
AWS_IR:
https://aws-ir.readthedocs.io/en/latest/
Margarita Shotgun (EC2 Memory Imaging):
https://margaritashotgun.readthedocs.io/en/latest/
Cloud Custodian:
https://github.com/capitalone/cloud-custodian
FIDO:
https://github.com/Netflix/Fido
4、Cloud platform security
csv-t10-what-is-needed-in-the-next-generation-cloud-trusted-platform.pdf
Microsoft cloud penetration testing video
https://www.youtube.com/watch?v=dq1FfSTrqwo&index=6&list=PL8nfc9haGeb5IZGM8HvmRozetHRpBDKSw
5、Security management
https://www.mindtools.com/
6、Dark web related
7、Security trends
http://www.information-age.com/gartner-picks-out-top-ten-cyber-security-technologies-2016-123461612/
8、Security metrics
Measure vs. metric
I had 2 eggs for breakfast this morning
It’s 53 degrees in San Francisco, CA
This session is 40 minutes long
A measure (or measurement) is the value of a specific characteristic of a given entity (collected data).
A metric is the aggregation of one or more measures to create a piece of business intelligence, in context.
GQIM (start from a business objective, then the security goal to reach, then the question to answer, then observable indicators, then data as evidence)
Strategic
Business Objective: Mitigate insider threats by ensuring appropriate levels of system access for all users.
Goal: Ensure all users have the proper level of system access for their job responsibilities.
Question: Do all users have appropriate system access?
Indicators: Inventory of IT systems with security and access attributes
Current list of users with approved security attributes
An ability to compare IT systems access and users list
Metrics: (more user centric)
Time (min, max, med) to add a new system to inventory
Time (min, max, med) to remove access when violation is discovered
“Age” Time (min, max, med) of security and access attributes
9、Compliance
GDPR
GDPR Full Regulations: http://ec.europa.eu/justice/dataprotection/reform/files/regulation_oj_en.pdf
IAPP Top 10 Operational Impacts of GDPR:
https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/
IBM GDPR Webinar recordings (5): http://ibm.biz/GDPRWebinars
GDPR Blog - Learn, Think, Prepare: http://ibm.biz/BdsAye
IBM Security GDPR: http://www-03.ibm.com/security/campaign/gdpr.html
10、Cybercrime
FireEye proposal
grc-r03-your-sector-doesnt-matter-achieving-effective-threat-prioritization.pdf
11、Big data security
https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf
PrivacyCon 2017 and 2016
12、Books
Security Risk Management: Building an Information Security Risk Management Program from the Ground Up
ISBN: 9781597496155
Amazon Link: http://amzn.to/hyrMvC
Measuring and Managing Information Risk: A FAIR Approach
ISBN: 978-0124202313
Amazon Link: http://amzn.com/0124202314
13、Attack related
https://blogs.technet.microsoft.com/uspartner_ts2team/2017/02/14/advanced-threat-analytics-ata-attack-simulation-playbook/
Exploit Sales
Remote browser or document-based exploits can go for >$10K USD
Remote Windows Kernel bugs can go for >$100K USD
Zerodium paid $1M USD to a group who disclosed an iOS remote jailbreak exploit - https://www.zerodium.com/ios9.html
Bug Bounty Examples:
United Airlines –Will pay up to 1 million award miles for disclosures
—https://www.united.com/web/en-US/content/Contact/bugbounty.aspx
Google –Will pay various amounts depending on the severity of the bug
—https://www.google.com/about/appsecurity/reward-program/
Microsoft –Will pay up to $100K USD for exploitable bugs and exploit mitigation bypass techniques
—https://technet.microsoft.com/en-us/library/dn425036.aspx
CanSecWest Pwn2Own – Annual conference and challenge in Vancouver, CA offering high-priced bounties
Attack automation: hta-w02-devoops-attacks-and-defenses-for-devops-toolchains.pdf
Case: an AWS account was compromised and the access key (AK) was used to launch a large number of instances, producing a bill of 50,000 USD for one month;
Automated attacks harvested AWS AK information from GitHub, leading to the loss of 2,500 bitcoins;
After an AWS AK was obtained, all instances were deleted and codebase went out of business;
Pastebin-like sites
GitHub
—Gists
—Code Repositories
BitBucket, CodeCommit, etc
—https://en.wikipedia.org/wiki/Comparison_of_source_code_hosting_facilities
https://github.com/jordan-wright/dumpmon
https://github.com/xme/pastemon
https://github.com/cvandeplas/pystemon
https://api.slack.com/methods/team.accessLogs
https://github.com/maus-/slack-auditor
Attack types:
Accidental leak
Espionage
Financial fraud
Misuse
Opportunistic data theft
Physical theft
Product alteration
Sabotage
Violence
14、Tools
https://github.com/openstack/syntribos
https://github.com/awslabs/aws-security-benchmark
Serverless Hacking Tools
https://github.com/wickett/lambhack
https://github.com/continuumsecurity/bdd-security
http://gauntlt.org/
GitHub monitoring:
https://github.com/michenriksen/gitrob
https://gitmonitor.com/
Zynamics/Google’s BinDiff: Free as of March 18, 2016!
Core Security’s turbodiff: Free
DarunGrim4 by Jeongwook Oh: Free
patchdiff2 by Nicolas Pouvesle: Free
Diaphora by Joxean Koret
Kernel Executive, SRM, Subsystems, System Calls, Kernel Objects
Kernel Structures such as EPROCESS, KPROCESS, ETHREAD, KTHREAD, TLS, KPRCB, KPCR
The Hardware Abstraction Layer (HAL)
Mutexes and SpinLocks
Driver behavior (IOCTL, IRP, Bus)
http://virtualkd.sysprogs.org/
Control Flow Guard (CFG)
—Aimed at stopping Return Oriented Programming (ROP)
Browser Specific Controls: MemGC and Isolated Heaps
—Aimed at stopping Use After Free (UAF) exploitation
Kernel Specific Controls: Guard Pages, Kernel Pool Cookies, Null Ptr Deref Prot
Proposed Mitigations: Shadow Stacks and Control Flow Integrity (CFI)
Oldies but Goodies: ASLR, DEP, Canaries, Safe Unlink, LFH, EMET**
Osquery
(OSX/Linux/Windows*)
Doorman
Block Block
Little Snitch
Carbon Black / Sysmon
Splunk/ ELK
Simian
Munki
git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.
aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.
aws-config-rules - [Node, Python, Java] Repository of sample Custom Rules for AWS Config
Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.
Netflix/edda - Edda is a Service to track changes in your cloud deployments.
ThreatResponse - Open Source Security Suite for hardening and responding in AWS.
CloudSploit – Capturing things like open security groups, misconfigured VPCs and more.
Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
Capitalone/cloud-custodian - Rules engine for AWS fleet management.
15、Researcher blogs
http://carnal0wnage.attackresearch.com
16、Serverless security
http://martinfowler.com/articles/serverless.html
17、Government contracting related
https://www.challenge.gov/list/
https://www.fbo.gov/?s=opportunity&mode=list&tab=list
18、Container Security
csv-r03-orchestration-ownage-exploiting-container-centric_-datacenter-platforms.pdf
19、Password security
https://emergency.cdc.gov/
20、Threat analysis
Analysis by Intel’s Threat Agent Analysis Group
http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf
https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/Intel%20-%20Threat%20Agent%20Library%20Helps%20Identify%20Information%20Security%20Risks.pdf
https://communities.intel.com/docs/DOC-23914
https://communities.intel.com/docs/DOC-1151
21、Insider threats
http://ow.ly/CLux308vUbP
https://www.cert.org/insider-threat
http://www.charlottesafetyconference.com/Health%20and%20Safetys%20Role%20in%20Mitigating%20Insider%20Threats.pdf
https://hrinsider.ca/hot-topic-centres/workplace-violence
https://hrinsider.ca/specialreports/WPV%20Compliance%20Kit%20-%20140%20pg.pdf
https://www.sans.org/reading-room/whitepapers/incident/mitigating-insider-sabotage-33189
Insider Cyber Sabotage
Insider Workplace Violence
http://www.sei.cmu.edu/reports/12tr012.pdf
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=484738
22、Investment and budget
momentum.partners
Improving Healthcare Risk Assessments to Maximize Security
Budgets (how to tailor the model for your environment):
23、Risk control
Device fingerprinting
https://github.com/Song-Li/cross_browser
http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf
24、Domestic and international cybercrime
http://www.zdnet.com/article/string-of-cyberattacks-against-global-banks-linked-to-lazarus-cybercrime-group/
https://github.com/secmobi/slides/blob/master/2017.UndergroundEconomyAppleID_BSidesSF.pdf
25、Infrastructure monitoring
https://www.datadoghq.com/
26、IAM
PCMA (authentication maturity)
Identity Proofing
Primary Credential Usage
C0 No credential
Ca Session cookies
Cb Known device
Cc Shared secret such as a username and password combination
Cd Cryptographic proof of key possession using shared key
Ce Cryptographic proof of key possession using asymmetric key
Primary Credential Management
Assertion Presentation
Aa No protection / unsigned assertion
Ab Signed and verifiable assertion, passed through the browser
Ac Signed and verifiable assertion, passed through a back channel
Ad Assertion encrypted to the relying party’s key and audience protected
Speaking involves 70-100 muscles, including the throat (9 muscles, 4 nerves, 4 vocal cords, 6 bones), the vocal tract, the brain, hearing and the lungs
ISO/IEC JTC1 2382-37:2012
http://www.biometricsinstitute.org
www.PingIdentity.com
www.Swirlds.com
Identity Analytics and Intelligence (IAI)
https://www.attachmate.com/library/docs/02_identity_analytics.pdf
Electronically Stored Information
http://searchcompliance.techtarget.com/definition/electronically-stored-information-ESI
27、RSA Conference books
https://www.rsaconference.com/blogs?category=security-reading-room
28、CVE related
https://cveform.mitre.org/
https://cvementor.org/
29、Security architecture
fon1-w03-cybersecurity-roadmap-global-healthcare-security-architecture_copy.pdf
30、IoT related
https://www.iotvillage.org/
https://www.dhs.gov/news/2016/11/15/dhs-releases-strategic-principles-securing-internet-things
31、DEVSECOPS
http://www.devsecops.org/presentations/
32、Containers (Docker)
http://www.infoq.com/cn/articles/docker-kernel-knowledge-namespace-resource-isolation
33、Cloud security
https://www.rsaconference.com/writable/presentations/file_upload/tech-t09r-a-virtual-and-software-defined-security-architecture-workshop.pdf
NIST IR 7904 – USG recommendation for “Trusted Geolocation in the Cloud”
Hardware: TXT, AESNI, DRNG, CryptoNI
Software: Linux, KVM, OpenStack, CloudForms, Ceph, VMWare (VCenter, VSphere, ESXi), OpenCIT, Hytrust, Cloud Raxak
OpenStack Security
https://docs.openstack.org/security-guide/
OpenCIT
https://01.org/
Stay Safe
Account Breach
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
https://blogs.office.com/2016/06/01/gain-enhanced-visibility-and-control-with-office-365-advanced-security-management/
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
Phishing
https://products.office.com/en-us/exchange/online-email-threat-protection
Protect Identity through FIDO
https://fidoalliance.org
Assess and Protect yourself in Office 365
https://securescore.office.com/
https://products.office.com/en-us/business/office-365-trust-center-top-10-trust-tenets-cloud-security-and-privacy
Ransomware
https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
https://blogs.technet.microsoft.com/sposupport/2016/09/19/handling-ransomware-in-sharepoint-online/
33、Minicomputer/mainframe testing
Logica Breach, Tools: https://github.com/mainframed
Nmap, Metasploit Scripts: https://github.com/zedsec390
Blog Chad: https://www.bigendiansmalls.com/
Blog Phil: http://mainframed767.tumblr.com/
Other Talks: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n
IBM Emulated Mainframe: http://www-03.ibm.com/software/products/en/ibm-z-systems-development-and-testenvironment