RSA 2017 USA Notes


1、Application Security:

https://bestpractices.coreinfrastructure.org/projects/new

https://www.coreinfrastructure.org/resources  (Huawei, Google, Microsoft, Facebook and other vendors)

https://www.sonarqube.org/

AFL (American Fuzzy Lop, coverage-guided fuzzer)

http://frama-c.com/

https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities


Training is the bridge between security and development

Creates a connection between security and developers



2、Reports:

http://www.isaca.org/cyber/pages/state-of-cybersecurity-implications-for-2017.aspx

http://www.howtomeasureanything.com/cybersecurity/#downloads

https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf

https://www.cloudfoundry.org/wp-content/uploads/2016/06/Cloud-Foundry-2016-Container-Report.pdf

https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2016.pdf

http://www.rightscale.com/blog/cloud-industry-insights/new-devopstrends-2016-state-cloud-survey

https://cispe.cloud/wp-content/uploads/pdf/CISPE-PRESS-RELEASE-27092016.pdf

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm

Zero-day report, Q1 2017 prediction

http://cybersecurityventures.com/zero-day-vulnerabilities-attacks-exploits-report-2017/

NopSec, 2015 State of Vulnerability Risk Management

http://info.nopsec.com/rs/736-UGK-525/images/NopSec_StateofVulnRisk_WhitePaper_2015.pdf


The State of Digital Third-Party Risk 2016 Report - http://en.softtek.co/tprisk2016


Review:

DHS: Strategic Principles For Securing The Internet Of Things

FDA: Postmarket Management of Cybersecurity in Medical Devices

NHTSA: Cybersecurity Best Practices for Modern Vehicles

DoD: Digital Vulnerability Disclosure Policy

White House: President's Commission Report on Enhancing National Cybersecurity

Testimony to President's Commission on Enhancing National Cybersecurity by Joshua Corman

Commerce NTIA: Department of Commerce Multistakeholder Process: Cybersecurity Vulnerabilities

Consider the 6 ways safety IoT are different

https://www.iamthecavalry.org/iotdifferences/

Review the 5 Star Cybersafety Framework and Hippocratic Oath

https://www.iamthecavalry.org/5star/

https://www.iamthecavalry.org/oath/


https://www.tag-cyber.com/Annual/2017/



3、DevOpsSec:

https://vimeo.com/165861695

AWS_IR:

https://aws-ir.readthedocs.io/en/latest/

Margarita Shotgun (EC2 Memory Imaging):

https://margaritashotgun.readthedocs.io/en/latest/ 


Cloud Custodian:

https://github.com/capitalone/cloud-custodian


FIDO: 

https://github.com/Netflix/Fido


4、Cloud Platform Security

csv-t10-what-is-needed-in-the-next-generation-cloud-trusted-platform.pdf

Microsoft cloud penetration testing video

https://www.youtube.com/watch?v=dq1FfSTrqwo&index=6&list=PL8nfc9haGeb5IZGM8HvmRozetHRpBDKSw


5、Security Management

https://www.mindtools.com/


6、Dark Web


7、Security Trends

http://www.information-age.com/gartner-picks-out-top-ten-cyber-security-technologies-2016-123461612/


8、Security Metrics

Measure vs. metric

Examples of measures:
- I had 2 eggs for breakfast this morning
- It's 53 degrees in San Francisco, CA
- This session is 40 minutes long

A measure (or measurement) is the value of a specific characteristic of a given entity (collected data).
A metric is the aggregation of one or more measures to create a piece of business intelligence, in context.


GQIM (Goal, Question, Indicator, Metric): start from the business objective, then the security goal to achieve, the question to answer, the indicators to observe, and the data that proves it.

Strategic Business Objective: Mitigate insider threats by ensuring appropriate levels of system access for all users.


Goal: Ensure all users have the proper level of system access for their job responsibilities.


Question: Do all users have appropriate system access?


Indicators:
- Inventory of IT systems with security and access attributes
- Current list of users with approved security attributes
- An ability to compare IT systems access and users list


Metrics (more user centric):
- Time (min, max, med) to add a new system to inventory
- Time (min, max, med) to remove access when violation is discovered
- "Age" Time (min, max, med) of security and access attributes
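The GQIM chain above can be carried all the way to a computed metric. The following is an added worked example (not code from the RSA 2017 slides): the indicator compares a constructed system inventory (each system's required security attribute) against a constructed list of users and their approved attributes, flags access grants the user was never approved for, and then aggregates the time from discovery to revocation into the min/max/median metric. All system names, user names and timestamps are hypothetical sample data.

```python
"""Worked GQIM example (added illustration, not from the RSA 2017 slides).

Assumed inputs (constructed sample data):
  - an inventory of IT systems, each with the security attribute(s) a user
    must hold to be granted access;
  - a current list of users with their approved security attributes;
  - access grants with the time a violation was discovered and the time
    the access was actually revoked.

Indicator: compare each grant against the user's approved attributes and
flag grants the user was never approved for.
Metric: min / max / median minutes to remove access once a violation is
discovered, plus how many violations are still open.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Set

# --- constructed sample data (hypothetical, for illustration only) ---
SYSTEMS: Dict[str, Set[str]] = {
    "payroll-db": {"finance"},
    "hr-portal": {"hr"},
    "build-server": {"engineering"},
}

USERS: Dict[str, Set[str]] = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": {"hr", "finance"},
    "dave": set(),  # contractor with no approved attributes
}


@dataclass
class Grant:
    user: str
    system: str
    discovered: Optional[datetime]  # when the violation was discovered
    revoked: Optional[datetime]     # when access was actually removed


GRANTS: List[Grant] = [
    Grant("alice", "payroll-db", None, None),                       # legitimate
    Grant("bob", "payroll-db",
          datetime(2017, 2, 1, 9, 0), datetime(2017, 2, 1, 9, 45)),  # 45 min
    Grant("dave", "build-server",
          datetime(2017, 2, 3, 14, 0), datetime(2017, 2, 5, 14, 0)), # 2 days
    Grant("carol", "hr-portal", None, None),                        # legitimate
    Grant("dave", "hr-portal", datetime(2017, 2, 6, 8, 0), None),   # still open
]


def is_violation(grant: Grant, systems=SYSTEMS, users=USERS) -> bool:
    """Indicator: a grant is a violation when the user holds none of the
    attributes the system requires. Unknown users or systems are treated
    as violations, since neither appears in the approved inventories."""
    required = systems.get(grant.system)
    approved = users.get(grant.user)
    if required is None or approved is None:
        return True
    return not (required & approved)


def find_violations(grants=GRANTS, systems=SYSTEMS, users=USERS) -> List[Grant]:
    """Apply the indicator across every grant."""
    return [g for g in grants if is_violation(g, systems, users)]


def removal_time_metric(grants=GRANTS, systems=SYSTEMS, users=USERS):
    """Metric: (min, max, median) minutes from discovery to revocation over
    closed violations, and the count of discovered violations still open.
    Returns (None, open_count) when no violation has been closed yet."""
    closed_minutes: List[float] = []
    still_open = 0
    for g in find_violations(grants, systems, users):
        if g.discovered is None:
            continue  # not yet discovered: the clock has not started
        if g.revoked is None:
            still_open += 1
            continue
        closed_minutes.append((g.revoked - g.discovered).total_seconds() / 60)
    if not closed_minutes:
        return None, still_open
    stats = (min(closed_minutes), max(closed_minutes), median(closed_minutes))
    return stats, still_open


if __name__ == "__main__":
    for g in find_violations():
        print(f"violation: {g.user} has access to {g.system}")
    stats, open_count = removal_time_metric()
    print("time-to-remove (min, max, med) minutes:", stats)
    print("violations still open:", open_count)
```

The median is the number to watch rather than the mean: one grant left open for days (as with the second "dave" entry here) would otherwise drag the average up and hide that most violations are closed quickly, while the separate open count keeps the still-unresolved ones visible.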


9、Compliance

GDPR

GDPR Full Regulations: http://ec.europa.eu/justice/dataprotection/reform/files/regulation_oj_en.pdf

IAPP Top 10 Operational Impacts of GDPR:

https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/

IBM GDPR Webinar recordings (5): http://ibm.biz/GDPRWebinars

GDPR Blog - Learn, Think, Prepare: http://ibm.biz/BdsAye

IBM Security GDPR: http://www-03.ibm.com/security/campaign/gdpr.html


10、Cybercrime

FireEye's proposal

grc-r03-your-sector-doesnt-matter-achieving-effective-threat-prioritization.pdf


11、Big Data Security

https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf

PrivacyCon 2017 and 2016


12、Books

Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

ISBN: 9781597496155

Amazon Link: http://amzn.to/hyrMvC

Measuring and Managing Information Risk: A FAIR Approach

ISBN: 978-0124202313

Amazon Link: http://amzn.com/0124202314


13、Attacks

https://blogs.technet.microsoft.com/uspartner_ts2team/2017/02/14/advanced-threat-analytics-ata-attack-simulation-playbook/

Exploit Sales

Remote browser or document-based exploits can go for >$10K USD

Remote Windows Kernel bugs can go for >$100K USD

Zerodium paid $1M USD to a group who disclosed an iOS remote jailbreak exploit - https://www.zerodium.com/ios9.html

Bug Bounty Examples:

United Airlines - Will pay up to 1 million award miles for disclosures

https://www.united.com/web/en-US/content/Contact/bugbounty.aspx

Google - Will pay various amounts depending on the severity of the bug

https://www.google.com/about/appsecurity/reward-program/

Microsoft - Will pay up to $100K USD for exploitable bugs and exploit mitigation bypass techniques

https://technet.microsoft.com/en-us/library/dn425036.aspx

CanSecWest Pwn2Own - Annual conference and challenge in Vancouver, CA offering high-priced bounties

https://www.cansecwest.com/


Attack automation: hta-w02-devoops-attacks-and-defenses-for-devops-toolchains.pdf

Case: an AWS account was compromised; using the stolen access key (AK), the attacker launched a large number of instances, producing a bill of USD 50,000 for a single month;

Automated attacks harvested AWS access keys from GitHub, which led to the loss of 2,500 bitcoins;

After an AWS access key was obtained, all instances were deleted and the company ("codebase") went out of business;


Pastebin-like sites

GitHub

—Gists

—Code Repositories 

BitBucket, CodeCommit, etc

https://en.wikipedia.org/wiki/Comparison_of_source_code_hosting_facilities

https://github.com/jordan-wright/dumpmon

https://github.com/xme/pastemon

https://github.com/cvandeplas/pystemon


https://api.slack.com/methods/team.accessLogs

https://github.com/maus-/slack-auditor


Attack types:

Accidental leak

Espionage

Financial fraud

Misuse

Opportunistic data theft

Physical theft

Product alteration

Sabotage

Violence 



14、Tools

https://github.com/openstack/syntribos

https://github.com/awslabs/aws-security-benchmark

Serverless Hacking Tools

https://github.com/wickett/lambhack

https://github.com/continuumsecurity/bdd-security

http://gauntlt.org/

GitHub monitoring:

https://github.com/michenriksen/gitrob

https://gitmonitor.com/

http://www.radare.org/

http://www.hex-rays.com

Zynamics/Google's BinDiff: Free as of March 18, 2016!

Core Security's turbodiff: Free

DarunGrim4 by Jeongwook Oh: Free

patchdiff2 by Nicolas Pouvesle: Free

Diaphora by Joxean Koret


Kernel Executive, SRM, Subsystems, System Calls, Kernel Objects

Kernel Structures such as EPROCESS, KPROCESS, ETHREAD, KTHREAD, TLS, KPRCB, KPCR

The Hardware Abstraction Layer (HAL)

Mutexes and SpinLocks

Driver behavior (IOCTL, IRP, Bus)


http://virtualkd.sysprogs.org/


Control Flow Guard (CFG)

—Aimed at stopping Return Oriented Programming (ROP)

Browser Specific Controls: MemGC and Isolated Heaps

—Aimed at stopping Use After Free (UAF) exploitation

Kernel Specific Controls: Guard Pages, Kernel Pool Cookies, NULL Pointer Dereference Protection

Proposed Mitigations: Shadow Stacks and Control Flow Integrity (CFI)

Oldies but Goodies: ASLR, DEP, Canaries, Safe Unlink, LFH, EMET**


Osquery
(OSX/Linux/Windows*)
Doorman
BlockBlock
Little Snitch
Carbon Black / Sysmon
Splunk/ ELK
Simian
Munki



git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.

aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.

aws-config-rules - [Node, Python, Java] Repository of sample Custom Rules for AWS Config

Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.

Netflix/edda - Edda is a Service to track changes in your cloud deployments.

ThreatResponse - Open Source Security Suite for hardening and responding in AWS.

CloudSploit - Capturing things like open security groups, misconfigured VPCs and more.

Stelligent/cfn_nag - Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.

Capitalone/cloud-custodian - Rules engine for AWS fleet management.


15、Researcher Blogs

http://carnal0wnage.attackresearch.com


16、Serverless Security

http://martinfowler.com/articles/serverless.html


17、Government Outsourcing

https://www.challenge.gov/list/

https://www.fbo.gov/?s=opportunity&mode=list&tab=list


18、Container Security

csv-r03-orchestration-ownage-exploiting-container-centric_-datacenter-platforms.pdf


19、Password Security

https://emergency.cdc.gov/


20、Threat Analysis

Analysis by Intel’s Threat Agent Analysis Group

http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf

https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/Intel%20-%20Threat%20Agent%20Library%20Helps%20Identify%20Information%20Security%20Risks.pdf


https://communities.intel.com/docs/DOC-23914

https://communities.intel.com/docs/DOC-1151


21、Insider Threats

http://ow.ly/CLux308vUbP

https://www.cert.org/insider-threat

http://www.charlottesafetyconference.com/Health%20and%20Safetys%20Role%20in%20Mitigating%20Insider%20Threats.pdf

https://hrinsider.ca/hot-topic-centres/workplace-violence

https://hrinsider.ca/specialreports/WPV%20Compliance%20Kit%20-%20140%20pg.pdf

https://www.sans.org/reading-room/whitepapers/incident/mitigating-insider-sabotage-33189

Insider Cyber Sabotage

Insider Workplace Violence

http://www.sei.cmu.edu/reports/12tr012.pdf

http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=484738



22、Investment and Budget

momentum.partners

Improving Healthcare Risk Assessments to Maximize Security

Budgets (how to tailor the model for your environment):

http://ow.ly/1W2H308vUfx


23、Risk Control

Device fingerprinting

https://github.com/Song-Li/cross_browser

http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf


24、Domestic and International Cybercrime

http://www.zdnet.com/article/string-of-cyberattacks-against-global-banks-linked-to-lazarus-cybercrime-group/

https://github.com/secmobi/slides/blob/master/2017.UndergroundEconomyAppleID_BSidesSF.pdf


25、Infrastructure Monitoring

https://www.datadoghq.com/


26、IAM

PCMA (authentication maturity)

Identity Proofing

Primary Credential Usage

C0 No credential 

Ca Session cookies 

Cb Known device 

Cc Shared secret such as a username and password combination

Cd Cryptographic proof of key possession using shared key 

Ce Cryptographic proof of key possession using asymmetric key 


Primary Credential Management

Assertion Presentation

Aa No protection / unsigned assertion 

Ab Signed and verifiable assertion, passed through the browser 

Ac Signed and verifiable assertion, passed through a back channel 

Ad Assertion encrypted to the relying party’s key and audience protected


http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf


Speaking involves 70-100 muscles, including the throat (9 muscles, 4 nerves, 4 vocal cords, 6 bones), the vocal tract, the brain, hearing and the lungs


ISO/IEC JTC1 2382-37:2012


http://www.biometricsinstitute.org


www.PingIdentity.com 

www.Swirlds.com


Identity Analytics and Intelligence (IAI)

https://www.attachmate.com/library/docs/02_identity_analytics.pdf

https://www.google.com.hk/search?num=100&newwindow=1&safe=strict&site=&source=hp&q=Identity+Analytics+and+Intelligence+%28IAI%29&oq=Identity+Analytics+and+Intelligence+%28IAI%29&gs_l=hp.3...327.327.0.522.2.2.0.0.0.0.82.154.2.2.0....0...1c.1.64.hp..0.0.0.0.tY--F89ZnGA


Electronically Stored Information

http://searchcompliance.techtarget.com/definition/electronically-stored-information-ESI


27、RSA Conference Books

https://www.rsaconference.com/blogs?category=security-reading-room


28、CVE

https://cveform.mitre.org/

https://cvementor.org/


29、Security Architecture

fon1-w03-cybersecurity-roadmap-global-healthcare-security-architecture_copy.pdf


30、IoT

https://www.iotvillage.org/

https://www.dhs.gov/news/2016/11/15/dhs-releases-strategic-principles-securing-internet-things



31、DevSecOps

http://www.devsecops.org/presentations/


32、Containers (Docker)

http://www.infoq.com/cn/articles/docker-kernel-knowledge-namespace-resource-isolation


33、Cloud Security

https://www.rsaconference.com/writable/presentations/file_upload/tech-t09r-a-virtual-and-software-defined-security-architecture-workshop.pdf

NIST IR 7904 - USG recommendation for "Trusted Geolocation in the Cloud"

Hardware: TXT, AES-NI, DRNG, CryptoNI

Software: Linux, KVM, OpenStack, CloudForms, Ceph, VMware (vCenter, vSphere, ESXi), OpenCIT, HyTrust, Cloud Raxak


OpenStack Security

https://docs.openstack.org/security-guide/


OpenCIT 

https://01.org/


Stay Safe (Office 365): Account Breach, Phishing, Protect Identity through FIDO, Assess and Protect yourself in Office 365, Ransomware

Account Breach


https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/

https://blogs.office.com/2016/06/01/gain-enhanced-visibility-and-control-with-office-365-advanced-security-management/

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection

Phishing

https://products.office.com/en-us/exchange/online-email-threat-protection

Protect Identity through FIDO


https://fidoalliance.org

Assess and Protect yourself in Office 365


https://securescore.office.com/

https://products.office.com/en-us/business/office-365-trust-center-top-10-trust-tenets-cloud-security-and-privacy

Ransomware

https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

https://blogs.technet.microsoft.com/sposupport/2016/09/19/handling-ransomware-in-sharepoint-online/






34、Mainframe Testing

Logica Breach, Tools: https://github.com/mainframed

Nmap, Metasploit Scripts: https://github.com/zedsec390

Blog Chad: https://www.bigendiansmalls.com/

Blog Phil: http://mainframed767.tumblr.com/

Other Talks: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n

IBM Emulated Mainframe: http://www-03.ibm.com/software/products/en/ibm-z-systems-development-and-testenvironment


