Building world-class security response and secure development processes
David Jorm, Senior Manager of Product Security, IIX

Outline
- Introduction
- SDN attack surface
- Recent OpenDaylight vulnerabilities
- Defensive technologies
- Security response best practices
- Secure engineering best practices
- OpenDaylight security: current status
- OpenDaylight security: vision

Introduction
- Software engineer for 15 years, climatology domain
- Last 5 years focusing on security, mainly Java
- Led Red Hat's Java middleware security team
- Currently manager of product security for IIX, and a founding member of the ODL security response team
- Based in Brisbane, Australia (beautiful place, shame about the timezone)
SDN Attack Surface

- Traditional networks conflate the control and data planes on a physical device
- Software-defined networks factor the control plane out to an SDN controller
- The controller uses a protocol such as OpenFlow to control switches, which are now only responsible for handling the data plane
- Security advantage: easy segregation of the control plane network from the production data plane network
- Security disadvantage: the SDN controller's ability to control an entire network makes it a very high value target
- SDN controllers are also exposed via the data plane
- When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice (a Packet-In message)
- As a result, an attacker who is only able to send data through a switch can exploit a vulnerability on the controller
- We will see a real-life example later in the presentation
Recent OpenDaylight Vulnerabilities

Netconf XXE (CVE )
- The Netconf (and Restconf) API processes user-supplied XML
- By default, Java XML parsers do not disable external entity processing
- This led to a textbook XXE vulnerability
- Example of vulnerable code, with the patch applied: controller/opendaylight/netconf/netconfutil/src/main/java/org/opendaylight/controller/netconf/util/xml/xmlutil.java
Topology spoofing via host tracking (CVE )
- Most SDN controllers include host tracking, allowing hosts to migrate between different physical locations in the network
- Host tracking is based on monitoring of Packet-In messages, and does not require any validation, authentication, or authorization to identify the host
- An attacker can impersonate a host and make the SDN controller believe it has migrated to a physical network location controlled by the attacker
- Data plane access is sufficient for exploitation, so long as the attacker knows the MAC address of the target host
- Not patched in ODL l2switch
- Paper:

DoS in ONOS packet deserializer (CVE )
- When an OpenFlow switch encounters a packet that does not match any forwarding rules, it passes this packet to the controller for advice
- The packet deserializers in ONOS were found to throw exceptions when handling malformed, truncated, or maliciously crafted packets
- The exceptions were not caught and handled properly
- The top-level I/O thread exception handler would then disconnect the relevant switch
- Proves that attacks from the data plane are possible!
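To make the failure mode above concrete, here is an added Java example (not ONOS code) of the pattern: an Ethernet-header deserializer with no length check throws an unchecked BufferUnderflowException on a truncated frame, and a handler that lets that propagate loses the switch; the checked variant validates the length first and signals malformed input with a checked exception the Packet-In handler is forced to deal with per packet. The two frames are constructed for the demo; Ethernet, DeserializationException and handlePacketIn are names chosen here, not ONOS identifiers.

```java
import java.nio.ByteBuffer;

public class PacketInDemo {

    static final int ETH_HEADER_LEN = 14;

    record Ethernet(String dst, String src, int etherType) {}

    /** Checked: a per-packet failure the caller must handle rather than let escape. */
    static class DeserializationException extends Exception {
        DeserializationException(String m) { super(m); }
    }

    /** Naive parser: reads fields without checking how many bytes are actually present. */
    static Ethernet parseNaive(byte[] frame) {
        ByteBuffer bb = ByteBuffer.wrap(frame);
        byte[] dst = new byte[6]; bb.get(dst);   // BufferUnderflowException if < 6 remain
        byte[] src = new byte[6]; bb.get(src);
        return new Ethernet(mac(dst), mac(src), bb.getShort() & 0xffff);
    }

    /** Defensive parser: validates length up front, then reuses the field logic. */
    static Ethernet parseChecked(byte[] frame) throws DeserializationException {
        if (frame == null || frame.length < ETH_HEADER_LEN) {
            throw new DeserializationException("frame shorter than Ethernet header: "
                + (frame == null ? 0 : frame.length) + " bytes");
        }
        return parseNaive(frame);
    }

    static String mac(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < b.length; i++) sb.append(String.format(i == 0 ? "%02x" : ":%02x", b[i]));
        return sb.toString();
    }

    /**
     * Models the controller's Packet-In path. Returns true if the switch connection
     * survives the packet. In the unguarded path a RuntimeException escapes to the
     * I/O thread's top-level handler, which (as on the slide) drops the switch.
     */
    static boolean handlePacketIn(byte[] frame, boolean guarded) {
        try {
            Ethernet eth = guarded ? parseChecked(frame) : parseNaive(frame);
            System.out.println("parsed: " + eth);
            return true;
        } catch (DeserializationException e) {
            System.out.println("dropped malformed packet, switch stays connected: " + e.getMessage());
            return true;
        } catch (RuntimeException e) {
            System.out.println("unhandled " + e.getClass().getSimpleName() + " -> switch disconnected");
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed frames: a complete 14-byte header (EtherType 0x0800) and a 10-byte truncation.
        byte[] ok = {0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, (byte) 0x88, (byte) 0x99,
                     (byte) 0xaa, (byte) 0xbb, 0x08, 0x00};
        byte[] truncated = {0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, (byte) 0x88, (byte) 0x99};
        handlePacketIn(ok, false);
        handlePacketIn(truncated, false);   // one bad frame from the data plane kicks the switch off
        handlePacketIn(truncated, true);    // same frame, dropped; control channel intact
    }
}
```

The general rule this illustrates: anything parsed from the data plane is attacker-controlled, so the deserializer's failure contract has to be "reject this packet", never "throw something the event loop has not been told about". A catch-all at the per-packet boundary that logs and counts failures is the cheap insurance; the length checks are what stop the exceptions arising at all.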
Defensive Technologies

Topoguard
- The same research team that reported the topology spoofing flaw developed Topoguard to mitigate it
- Doesn't add authn/authz, but instead verifies the conditions of a host migration
- A legitimate host migration involves a Port Down signal before the migration finishes, and the host is unreachable at its old physical network location once the migration is complete
- Currently tightly coupled to the Floodlight controller

Security-mode ONOS
- A new feature in the ONOS Cardinal release
- Effectively a mandatory access control (MAC) implementation for ONOS applications
- Applications can be constrained by a policy dictating which actions they are permitted to perform
- A vulnerability in an ONOS application cannot be exploited to perform actions the policy does not permit; this is similar to the protection SELinux provides for applications running on Linux systems
- Could this approach be a good model for OpenDaylight?
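The two slides above (the host-tracking spoof and Topoguard's answer to it) describe one mechanism from both sides. The following added Java example (a simulation written for this page, not l2switch, Floodlight or Topoguard source) puts them next to each other: a naive tracker where the latest Packet-In wins, and a guarded tracker that accepts a migration only when a Port Down was seen at the old location and the host no longer answers there. The MAC, switch IDs and the reachability probe are constructed; NaiveTracker, GuardedTracker and Location are names chosen here.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

public class HostTrackerDemo {

    /** A (switch, port) attachment point. */
    record Location(String dpid, int port) {}

    /** Naive host tracking: the source MAC of the latest Packet-In decides the location. */
    static class NaiveTracker {
        final Map<String, Location> hosts = new HashMap<>();
        void onPacketIn(String srcMac, Location seenAt) { hosts.put(srcMac, seenAt); }
    }

    /**
     * Guarded tracking, modelled on the two conditions the slides give for a real move:
     *  1. a Port Down was observed at the host's previous location, and
     *  2. the host no longer answers a probe at that previous location.
     * The probe is injected as a Predicate so the demo can simulate it offline.
     */
    static class GuardedTracker {
        final Map<String, Location> hosts = new HashMap<>();
        final Set<Location> portsDown = new HashSet<>();
        final Predicate<Location> stillReachable;

        GuardedTracker(Predicate<Location> stillReachable) { this.stillReachable = stillReachable; }

        void onPortDown(Location loc) { portsDown.add(loc); }
        void onPortUp(Location loc) { portsDown.remove(loc); }

        /** Returns true if the location update was accepted. */
        boolean onPacketIn(String srcMac, Location seenAt) {
            Location old = hosts.get(srcMac);
            if (old == null || old.equals(seenAt)) { hosts.put(srcMac, seenAt); return true; }
            if (!portsDown.contains(old)) return false;   // no Port Down at old port: treat as spoof
            if (stillReachable.test(old)) return false;    // host still answers there: treat as spoof
            hosts.put(srcMac, seenAt);
            portsDown.remove(old);
            return true;
        }
    }

    public static void main(String[] args) {
        String victim = "00:11:22:33:44:55";               // constructed MAC of the target host
        Location real = new Location("s1", 1);
        Location attacker = new Location("s2", 7);          // port the attacker is plugged into

        NaiveTracker naive = new NaiveTracker();
        naive.onPacketIn(victim, real);
        naive.onPacketIn(victim, attacker);                 // attacker forges the victim's src MAC
        System.out.println("naive tracker now maps victim to " + naive.hosts.get(victim));

        // The real host keeps answering at s1:1, so a probe to the old location succeeds.
        Set<Location> live = new HashSet<>(Set.of(real));
        GuardedTracker guarded = new GuardedTracker(live::contains);
        guarded.onPacketIn(victim, real);
        boolean spoofAccepted = guarded.onPacketIn(victim, attacker);
        System.out.println("guarded tracker accepted spoofed migration: " + spoofAccepted);

        // Genuine migration: link at s1:1 goes down, host stops answering there, shows up at s3:2.
        guarded.onPortDown(real);
        live.remove(real);
        boolean moveAccepted = guarded.onPacketIn(victim, new Location("s3", 2));
        System.out.println("guarded tracker accepted genuine migration: " + moveAccepted);
        System.out.println("guarded tracker now maps victim to " + guarded.hosts.get(victim));
    }
}
```

Expected behaviour: the naive tracker redirects the victim's traffic to s2:7 after a single forged frame; the guarded tracker refuses that update (prints false) and accepts the later move to s3:2 (prints true). The check adds no authentication, which is why the slide calls it a verification of migration conditions rather than authn/authz: an attacker who can also take the victim's port down, or silence the victim, still gets through.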
Proposed Controller Shield Project

Security Response Best Practices

Open Source Security Response
- In open source, all information is public: not just source code, but bug trackers, mailing lists, etc.
- Security requires the opposite approach: information must be kept private until patches are available
- How do you handle this in the context of an open source project?
- Good models: ASF, major OSS vendors like Red Hat and SuSE

- Dedicated mechanism for reporting security issues, separate from normal bug reports
- Dedicated team with a documented process for responding to these reports
- Ability to quickly build a patch asynchronously to normal release schedules
- Clear documentation of the issue in an advisory, including references to patch commits (an advantage of open source)
Proprietary Security Response

Secure Engineering Best Practices

Open Source Secure Engineering
- No well established best practices
- Few good examples in the open source world; proprietary software currently does a much better job, for example Microsoft's SDL (Security Development Lifecycle)
- OpenStack is one good example: separate VMT (Vulnerability Management Team) and OSSG (OpenStack Security Group) organizations
- Secure development guidelines (relies on developers to implement them)
- Developer training (expensive and difficult to roll out in a virtual environment with many contributors)
- Automated QE/CI jobs to catch known-vulnerable dependencies
- Automated QE/CI jobs to catch security issues and enforce standards, e.g. via static analysis

OpenDaylight security: current status

OpenDaylight Security Response
- Security reporting mechanism
- Dedicated team with a private mailing list and documented process for handling issues
- Security advisories page:
- Advisories sent to mailing lists
- Scope currently limited to OpenDaylight code, not dependencies
- Handling dependencies would involve capturing a manifest and tracking all relevant upstreams
- Based on my experience, this would require one full-time resource to be feasible
- Vulnerabilities in dependencies are sometimes handled when they are reported to the security response team

OpenDaylight Secure Engineering
- Great analysis performed in May 2014:
- Unfortunately quite dated now, and not much progress has been made implementing the recommendations
- It's a lot of work to implement things, and who has time? Enter the OpenDaylight summer internship program!
OpenDaylight Secure Engineering Intern Project
- Establish automated QE/CI jobs to catch security issues and regressions. This will involve integrating the findsecbugs tool into Gerrit/Jenkins.
- Establish automated QE/CI jobs to catch known-vulnerable dependencies. This will involve integrating tools such as dependency-check and victims into Gerrit/Jenkins.
- Document a threat model for OpenDaylight
- Improve documentation to capture security best practices at installation and configuration time

OpenDaylight security: vision

OpenDaylight Security Vision - Reactive
- High performing security response team X
- Equipped to handle vulnerabilities in dependencies
- Able to co-ordinate disclosure and patches for issues across the community development team and affected vendors of OpenDaylight distributions or products
- Geographically distributed and able to quickly respond in all timezones

OpenDaylight Security Vision - Proactive
- Documentation of best practices, threat model, etc. X
- Remove default credentials X
- Security hardening features applying a sandbox or MAC to the environment
- Automated checks for known-vulnerable dependencies
- Automated static analysis checks X
- Security training for developers: considering donating javapentesting.com course content to the community

Questions?
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationIntegrated Access Management Solutions. Access Televentures
Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationPrivileged Account Security: A Balanced Approach to Securing Unix Environments
Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged
More informationWP1. DIGIT B1 - EP Pilot Project 645. Deliverable 4: Analysis of Software Development Methodologies Used in the FOSS Communities
WP1 DIGIT B1 - EP Pilot Project 645 Deliverable 4: Analysis of Software Development Methodologies Used in the Specific contract n 226 under Framework Contract n DI/07172 ABCIII February 2016 Author: Disclaimer
More informationIT Security Protecting Ourselves From Phishing Attempts. Ray Copeland Chief Information Officer (CIO)
IT Security Protecting Ourselves From Phishing Attempts Ray Copeland Chief Information Officer (CIO) Phishing Defined The fraudulent practice of sending emails claiming to be from reputable people or companies
More informationVulnerability Management
Vulnerability Management Service Definition Table of Contents 1 INTRODUCTION... 2 2 SERVICE OFFERINGS VULNERABILITY MANAGEMENT... 2 3 SOLUTION PURPOSE... 3 4 HOW IT WORKS... 3 5 WHAT S INCLUDED... 4 6
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationSECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry
SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below
More informationProtect Your End-of-Life Windows Server 2003 Operating System
Protect Your End-of-Life Windows Server 2003 Operating System Your guide to mitigating risks in your Windows Server 2003 Systems after the end of support End of Support is Not the End of Business When
More informationThe Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency
The Case for Security Enhanced (SE) Android Stephen Smalley Trusted Systems Research National Security Agency Background / Motivation Increasing desire to use mobile devices throughout the US government.
More information