Making Strong Security Easier

Jan 9, 2016Download as PPTX, PDF1 like272 views

This document discusses how open source security scanning tools like OpenSCAP and GovReady can help make compliance with security standards like FISMA easier for developers. It provides tips on using these tools, including using control families to group checks, integrating scans into continuous integration processes, and leveraging shared security content. The document advocates engaging with these open source communities to help expand scanning capabilities to more operating systems and applications. Overall it promotes using automation and open standards to streamline security and reduce the challenges of compliance for developers.

Making Strong
Security Easier
With FOSS Scanners
or: Building Secure Bridges
Fen Labalme, CivicActions, Inc.

● 2013-12 Target - 70 million customers affected (Names, mailing addresses, email
addresses, phone numbers, credit/debit card information) via third party vendor with
authorized access (external javascript libraries, anyone?)
● 2014-11 Home Depot - 56 million credit cards numbers, 53 million email addresses via
stolen third party username/password (two-factor authentication would have prevented)
● 2014-11 Sony - Current and former employees & executives via Targeted attack by
“Guardians of Peace” group, purported to be from North Korea (don’t be stupid)
● 2015-02 Anthem Blue Cross - 80 million current and former customers, as well as
employees (Social Security numbers, birth dates, addresses, emails, employment
information, income data) via Targeted attacks to steal network credentials of a few
employees with highlevel system access (again, two-factor authentication)
● 2015-06 US Office of Personnel Management (OPM) - 4.2 million current and former
employees; 19.7 million individuals whom a Federal background investigation; 1.8 million
referenced spouses and relatives (SSN and full background history) via… China?
Recent Major Security Breaches

Explaining FISMA
Federal Information Security Management Act of 2002

Some Acronyms
There will be no test
FISMA Federal Information Security Management Act of 2002
NIST National Institute of Standards and Technology
RMF Risk Management Framework
FedRAMP Federal Risk and Authorization Management Program
PCI DSS Payment Card Industry Data Security Standard
STIG Security Technical Implementation Guide
SCAP Security Content Automation Protocol
CI Continuous Integration

Time to add
compliance!
Software Supply Chain Can Aid Security

$ risk -a server.agency.gov
$ make artifact=system-security-plan -f doc
FISMA for Happy Developers

Developers reaction to security scans
Problem

Tip #3: Use SCAP
SCAP == Shared
Unit Testing for
Vulnerabilities
Vulnerabilities
● Poor configuration
● Known exploits

Tip #4: Use OpenSCAP + GovReady
Community created portfolio
of tools and content to make
attestations about known
vulnerabilities
https://github.com/OpenSCAP
Open source tool that to
make OpenSCAP scanning
friendlier to developers
https://github.com/GovReady/govready

Next steps
● Include more operating systems (Ubuntu, Debian)
● Add more tests (bash & drush based)
● Create and contribute towards an application baseline:
● Drupal
● Apache/Nginx
● MySQL/Mariadb

HOW TO ENGAGE
OpenSCAP GitHub:
https://github.com/OpenSCAP
OpenSCAP References & Docs:
https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
SCAP Content Mailing List:
https://fedorahosted.org/mailman/listinfo/scap-security-guide
GovReady user-friendly front-end:
https://github.com/GovReady/govready
Ansible-SCAP demo. See how it all works on the “drupal” branch - painlessly:
https://github.com/openprivacy/ansible-scap
NIST SCAP Website:
https://scap.nist.gov

CONTACT INFO
Fen Labalme
fen@civicactions.com
412-996-4113
Shameless plug:
We’re hiring !

This document discusses various techniques for information gathering, which is the first step of the ethical hacking process. It describes using search engines like Google to find publicly available information, as well as specialized tools like Maltego that can identify relationships within information networks. The document also covers performing people searches to find personal details, using WHOIS to identify domain owners, reverse IP mapping to find sites on the same server, and traceroute to map network routes between computers. The goal of information gathering is to learn as much as possible about potential targets before attempting to find vulnerabilities.

SQL injectionRaj Parmar

��

Application security testing an integrated approachIdexcel Technologies

��

This document discusses application security testing and provides recommendations for a comprehensive testing plan. It begins by outlining common application security vulnerabilities like injection flaws, cross-site scripting, and sensitive data exposure. It then recommends using tools like vulnerability scanning, threat modeling, code analysis, and penetration testing to test for vulnerabilities. The document concludes by describing how to test for issues in specific areas like authentication, authorization, data validation, and payment processing.

Phishing Detection using Machine LearningArjun BM

��

This document describes Mudpile, a system for detecting malicious URLs using machine learning. It collects data from URLs, extracts features related to phishing indicators, trains a classification model to label URLs as legitimate or phishing, and exposes the model as a REST API. The system is deployed to classify incoming web traffic in real-time and block phishing sites. It is retrained periodically for improved accuracy and to address new phishing techniques.

Detection of phishing websitesm srikanth

��

The document describes a proposed system called Link Guard for detecting phishing websites and emails. Link Guard utilizes the characteristics of hyperlinks in phishing attacks to classify links as legitimate or phishing. It works by collecting URL information, storing it in a database, analyzing the links using the Link Guard algorithm, alerting users to potential phishing links, and logging events. The algorithm aims to detect both known and unknown phishing attacks in real-time across email and notification systems.

Understandingphone sensor and app data for enhancing securityKamal Spring

��

This document discusses a system called "Secret-QA" that uses smartphone sensor and app data to generate personalized secret questions for account authentication. It aims to improve upon traditional secret questions that can easily be guessed. The system collects data from sensors, calendars, installed apps, and call history to generate questions related to a user's short-term activities and usage. A user study evaluated the memorability and security of these questions, finding that questions based on motion sensors, calendars, installed apps, and calls were best in terms of memorability and resilience to guessing attacks with or without online tools. The system aims to enhance secret question security without violating user privacy.

Data Analytics in Cyber Security - Intellisys 2015 KeynoteHPCC Systems

��

The document discusses how big data analytics tools can help defend against cybersecurity threats by combining machine learning, text mining, and other techniques to predict, detect, deter, and prevent security risks. It provides examples of cyber incidents in 2015 and describes how analyzing profiles on LinkedIn revealed a network of fake profiles created by an suspected Iranian hacker group. The challenges of cyber threat intelligence using big data are also summarized, such as dealing with large and diverse data sources, performing real-time event processing, and limited analyst bandwidth.

IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKINGInternational Journal of Technical Research & Application

��

- Security is a concept similar to being cautious or alert against any danger. Network security is the condition of being protected against any danger or loss. Thus safety plays a important role in bank transactions where disclosure of any data results in big loss. We can define networking as the combination of two or more computers for the purpose of resource sharing. Resources here include files, database, emails etc. It is the protection of these resources from unauthorized users that brought the development of network security. It is a measure incorporated to protect data during their transmission and also to ensure the transmitted is protected and authentic. Security of online bank transactions here has been improved by increasing the number of bits while establishing the SSL connection as well as in RSA asymmetric key encryption along with SHA1 used for digital signature to authenticate the user

Hunting the Evil of your InfrastructureA. S. M. Shamim Reza

��

The document discusses threat hunting and provides guidance on how to conduct hypothesis-driven threat hunting. It defines threat hunting as proactively searching networks to detect advanced threats. It dispels myths that hunting can be fully automated or requires vast data/tools. The process involves asking questions, collecting endpoint, network, security data using tools like log analyzers. Hunters generate hypotheses from intelligence, situational awareness, or domain expertise. Case studies show intelligence-driven hypotheses examining phishing emails or acquiring new networks. Domain expertise could involve examining BGP manipulation. Hunters are advised to use formal methods and balance automated/manual activity.

A Hybrid Approach For Phishing Website Detection Using Machine Learning.vivatechijri

��

In this technical age there are many ways where an attacker can get access to people’s sensitive information illegitimately. One of the ways is Phishing, Phishing is an activity of misleading people into giving their sensitive information on fraud websites that lookalike to the real website. The phishers aim is to steal personal information, bank details etc. Day by day it’s getting more and more risky to enter your personal information on websites fearing that it might be a phishing attack and can steal your sensitive information. That’s why phishing website detection is necessary to alert the user and block the website. An automated detection of phishing attack is necessary one of which is machine learning. Machine Learning is one of the efficient techniques to detect phishing attack as it removes drawback of existing approaches. Efficient machine learning model with content based approach proves very effective to detect phishing websites. Our proposed system uses Hybrid approach which combines machine learning based method and content based method. The URL based features will be extracted and passed to machine learning model and in content based approach, TF-IDF algorithm will detect a phishing website by using the top keywords of a web page. This hybrid approach is used to achieve highly efficient result. Finally, our system will notify and alert user if the website is Phishing or Legitimate.

Detecting Phishing using Machine Learningijtsrd

��

Phishing is a social engineering Technique which they main aim is to target the user Information like user id, password, credit card information and so on. Which result a financial loss to the user. Detecting Phishing is the one of the challenge problem that relay to human vulnerabilities. This paper proposed the Detecting Phishing Web Sites using different Machine Learning Approaches. In this to evaluate different classification models to predict malicious and benign websites by using Machine Learning Algorithms. Experiments are performed on data set consisting malicious and benign, In This paper the results shows the proposed Algorithms has high detection accuracy. Nakkala Srinivas Mudiraj ""Detecting Phishing using Machine Learning"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-4 , June 2019, URL: https://www.ijtsrd.com/papers/ijtsrd23755.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/23755/detecting-phishing-using-machine-learning/nakkala-srinivas-mudiraj

Application Securityflorinc

��

The document summarizes application security best practices. It discusses who is responsible for application security and design considerations like authentication, authorization, privacy and data integrity. It then covers security principles like designing for security by default and in deployment. Top application vulnerabilities like SQL injection, cross-site scripting and access control issues are explained along with remedies. Finally, it provides checklists for designers, developers and testers to follow for application security.

Security and information assurancebdemchak

��

This document discusses challenges in information assurance and authentication. It introduces common web authentication methods like SAML and Shibboleth that enable single sign-on across domains using federated identity. SAML allows sharing of authentication and authorization data in XML format. Shibboleth is an open source single sign-on system that uses SAML and allows identity federations. OpenID is also discussed as a decentralized authentication standard used by many websites. The document compares and contrasts these different authentication methods.

Ethical Hacking ServicesVirtue Security

��

website phishing by NRNARESH GUMMAGUTTA

��

IRJET- Ethical HackingIRJET Journal

��

The document discusses ethical hacking. It begins by defining hacking and different types of hackers, including white hat, black hat, and grey hat hackers. It then defines ethical hacking as hacking done with consent and for beneficial purposes, such as identifying security vulnerabilities. The document outlines the techniques used in ethical hacking, including information gathering, vulnerability scanning, exploitation, and analysis. It discusses the importance of ethical hacking for organizations and the code of conduct ethical hackers follow. Overall, the document provides an overview of ethical hacking, its purpose, and the methods used.

Access dataTechBiz Forense Digital

��

Detecting phishing websites using associative classification (2)Alexander Decker

��

This document summarizes research on using data mining techniques like associative classification algorithms to detect phishing websites. It discusses how phishing aims to steal personal information through fake websites mimicking real ones. The paper reviews previous work applying classification and association rule mining to phishing detection and compares algorithms like CBA and MCAR. The goal is to investigate using automated data mining to help classify websites as phishing or not based on characteristics like URL errors.

PACE-IT, Security+ 6.2: Cryptographic Methods (part 1)Pace IT at Edmonds Community College

��

UEBAChristophe M. Anciaux ☁

��

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon

��

From MITRE ATT&CKcon Power Hour November 2020 By Allie Mellen, Security Strategist, Office of the CSO, Cybereason In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile. One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DevicePriyanka Aash

��

This document discusses securing wireless infusion pumps in hospitals. It identifies risks like patient safety and operational downtime. Vulnerabilities of infusion pumps include long useful lifespans, poor protection and patching, and lack of detection and alerting. Demonstrations show how pumps could be exploited by compromising patient information or crashing communication systems. Challenges to securing pumps include firmware version control, access control, and alarms. The National Cybersecurity Center of Excellence's strategy is to help healthcare organizations understand risks and secure medical devices through building example implementations and publishing best practice guides.

Phishing Attacks: A Challenge AheadeLearning Papers

��

Information securitySathyanarayana Panduranga

��

Aujas incident management webinar deck 08162016Karl Kispert

��

Software Security Testingsrivinayak

��

This document discusses software security testing. It outlines various aspects of secure software like confidentiality, integrity, data security, authentication, and availability. It then describes different types of software that require security testing like operating systems, applications, databases, and network software. Various techniques for security testing are explained in detail, such as vulnerability scanning, penetration testing, firewall rule testing, SQL injection testing, and ethical hacking. The document emphasizes the importance of early security testing and providing recommendations to overcome weaknesses found.

SplunkLive! Splunk for Insider Threats and Fraud DetectionSplunk

��

Splunk can be used to detect insider threats and fraud through monitoring and correlating machine data from various sources. It summarizes use cases where Splunk helped detect disgruntled employees stealing intellectual property, data leakage, and classroom fraud at an education company. It also discusses how Splunk detected millions of dollars in payment fraud at a cash wire transfer company by identifying emerging patterns. Finally, it provides examples of fraud patterns that could be detected at Etsy such as traffic from cloud services or brute force password attempts.

Splunk for Security Breakout SessionSplunk

��

The document discusses security session presented by Philipp Drieger. It begins with a safe harbor statement noting any forward-looking statements are based on current expectations and could differ from actual results. The agenda includes discussing Splunk for security, enterprise security, and Splunk user behavior analytics. It provides examples of how Splunk can be used to detect threats like fraud and advanced persistent threats by analyzing machine data from various sources. It also discusses how threat intelligence can be incorporated using STIX/TAXII standards and open IOCs. Customer examples show how Nasdaq and Cisco have replaced their SIEMs with Splunk to gain better scalability and flexibility.

More Related Content

What's hot (20)

Data Analytics in Cyber Security - Intellisys 2015 KeynoteHPCC Systems

��

IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKINGInternational Journal of Technical Research & Application

��

Hunting the Evil of your InfrastructureA. S. M. Shamim Reza

��

A Hybrid Approach For Phishing Website Detection Using Machine Learning.vivatechijri

��

Detecting Phishing using Machine Learningijtsrd

��

Application Securityflorinc

��

Security and information assurancebdemchak

��

Ethical Hacking ServicesVirtue Security

��

website phishing by NRNARESH GUMMAGUTTA

��

IRJET- Ethical HackingIRJET Journal

��

Access dataTechBiz Forense Digital

��

Detecting phishing websites using associative classification (2)Alexander Decker

��

PACE-IT, Security+ 6.2: Cryptographic Methods (part 1)Pace IT at Edmonds Community College

��

UEBAChristophe M. Anciaux ☁

��

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon

��

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DevicePriyanka Aash

��

Phishing Attacks: A Challenge AheadeLearning Papers

��

Information securitySathyanarayana Panduranga

��

Aujas incident management webinar deck 08162016Karl Kispert

��

Software Security Testingsrivinayak

��

Data Analytics in Cyber Security - Intellisys 2015 KeynoteHPCC Systems

��

IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKINGInternational Journal of Technical Research & Application

��

Hunting the Evil of your InfrastructureA. S. M. Shamim Reza

��

A Hybrid Approach For Phishing Website Detection Using Machine Learning.vivatechijri

��

Detecting Phishing using Machine Learningijtsrd

��

Application Securityflorinc

��

Security and information assurancebdemchak

��

Ethical Hacking ServicesVirtue Security

��

website phishing by NRNARESH GUMMAGUTTA

��

IRJET- Ethical HackingIRJET Journal

��

Access dataTechBiz Forense Digital

��

Detecting phishing websites using associative classification (2)Alexander Decker

��

PACE-IT, Security+ 6.2: Cryptographic Methods (part 1)Pace IT at Edmonds Community College

��

UEBAChristophe M. Anciaux ☁

��

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon

��

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical DevicePriyanka Aash

��

Phishing Attacks: A Challenge AheadeLearning Papers

��

Information securitySathyanarayana Panduranga

��

Aujas incident management webinar deck 08162016Karl Kispert

��

Software Security Testingsrivinayak

��

Similar to Making Strong Security Easier (20)

SplunkLive! Splunk for Insider Threats and Fraud DetectionSplunk

��

Splunk for Security Breakout SessionSplunk

��

VIKRANT-SHIVHARE_10+Vikrant Shivhare

��

This document provides a summary of Vikrant Shivhare's professional experience in data warehousing, ETL development, and production support. He has over 10 years of experience working with tools like Ab Initio, Oracle, and UNIX. Some of his key roles and responsibilities have included developing ETL workflows, resolving data issues, monitoring batches, automating processes, and providing production support. He has extensive experience working on data warehousing projects in the banking and financial services industry.

Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...Splunk

��

This document summarizes how Splunk Enterprise Security can help organizations strengthen their security posture and operationalize security processes. It discusses how Splunk ES allows organizations to centralize analysis of endpoint, network, identity, and threat data for improved visibility. It also emphasizes developing an investigative mindset when handling alerts to efficiently determine the root cause. Finally, it explains how Splunk ES can operationalize security processes by providing a single source of truth and integrating security technologies to automate responses.

SplunkLive! - Splunk for SecuritySplunk

��

The document is an agenda for a security session presentation by Splunk. It includes an introduction to Splunk for security use cases, a demo of the Zeus security product, and a discussion of enterprise security and user behavior analytics solutions from Splunk. Key points include how Splunk can provide a unified platform for security data from multiple sources, detect advanced threats that are difficult to find, and help connect related security events to better understand security incidents.

4 Cyber Security KPIsSteven Aiello

��

Powerpoint v7Veronica Pereira

��

The document appears to be a presentation summarizing the 2013 Target data breach. It includes: 1) An overview of the breach, noting that 70 million customer records were stolen, including names, addresses, and 40 million credit/debit card numbers. 2) A breakdown of the attack on Target systems, noting that malware was installed on an HVAC vendor's machine to access Target's systems and steal customer payment data from point-of-sale devices. 3) Estimates of the financial impact on Target, totaling around $292 million, as well as the impacts and costs to other affected companies like Neiman Marcus and Home Depot from related data breaches.

Application Security - Your Success Depends on itWSO2

��

Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase. In this session, Dulanja will discuss the following: The importance of application security - why network and OS security is insufficient. Challenges in securing your application. Making security part of the development lifecycle.

How to Access and Make Use of “Trapped” Cyber Data to Reduce Your RiskSurfWatch Labs

��

Today’s business world is online and as such is inherently chock full of cyber risks. Cybercriminals continue to take advantage of system vulnerabilities and social engineering to target personally identifiable information, credit card numbers, trade secrets and more. Although there are hundreds of security solutions, products and consultants that claim to solve and address data breaches, the traditional, tactical approach to security is not working. Evaluated cyber intelligence is trapped in your systems, applications and employees – and making that intelligence easily available and quickly understood can help your organization significantly reduce the cyber risks it faces and improve its business resilience. This presentation examines how to reduce your cyber risks by unlocking the door to evaluated intelligence. Learn: • Why the traditional threat intelligence approach is not addressing the problem • Why it’s not just about adding on more security layers, but shifting your cybersecurity approach • How to mine both your tactical and strategic cyber data for improved operational intelligence • How to derive immediate visual insights of relevant trending cyber problems through security analytics

2014 GRC Conference in West Palm Beach-Moderated by Sonia LunaAviva Spectrum™

��

Adjusting Your Security Controls: It’s the New NormalPriyanka Aash

��

The Immune System of InternetMohit Kanwar

��

This document discusses hackers and software security. It provides examples of past hacks such as those on Sony Pictures and Citigroup. It outlines why software security is important when handling sensitive user information. The document discusses how hackers think and different types of hackers. It recommends following security principles like defense in depth, least privilege, and keeping security simple. It provides references for further reading on application security topics.

SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunk

��

The document discusses Splunk User Behavior Analytics (UBA) and its capabilities for detecting advanced cyber attacks and insider threats through behavioral threat detection using machine learning. It notes that traditional threat detection focuses only on known threats, while UBA aims to detect unknown threats through automated security analytics and anomaly detection based on establishing user and entity baselines and identifying deviations from normal behavior. The document provides examples of UBA use cases and the types of data sources it can integrate to perform threat detection and security analytics.

CybersecurityEng Hasan Shamroukh CISCO Exams Author

��

The document discusses cybersecurity concepts including encryption, authentication, digital signatures, and penetration testing. It defines cybersecurity as protecting computer systems from threats. Encryption converts data into cipher text for protection. Authentication verifies identities through methods like passwords, certificates, and biometrics. Digital signatures mathematically verify the authenticity and integrity of messages. Penetration testing involves simulated cyber attacks to evaluate security. The document outlines security best practices and roles of security operations centers in monitoring for threats.

Security Breakout Session Splunk

��

The document discusses how Splunk can provide analytics-driven security for higher education through ingesting and analyzing machine data. It outlines how advanced threats have evolved to be more coordinated and evasive. A new approach is needed that fuses technology, human intuition, and processes like collaboration to detect attackers through contextual behavioral analysis of all available data. Examples are provided of security questions that can be answered through Splunk analytics.

Stopping zero day threatsZscaler

��

Companies are struggling to deal with the unstoppable growth of cyber-attacks as hackers get faster, sneakier and more creative. The bad news is - no company is immune, no matter how big or small you are. Without a proper understanding of zero-day threats, companies have no way of exposing the gaps of overhyped security solutions. Zero-day exploit leaves NO opportunity for detection. This presentation will highlight critical insights combating zero-day threats.

Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?CA Technologies

��

Based on the below and using the 12 categories of threats identify 3 .pdfarri2009av

��

Based on the below and using the 12 categories of threats identify 3 examples you can find online, in the media for each of the threats listed on the right column. You can use news articles to justify the threats. Use the most current news article you can find. Add the reference link for each article and place in APA format. Prepare a memo to your CEO with your finding. On the same memo research current vendors that provide phishing email tools to train your employees and provide a recommendation to the CEO about which to buy. Compare at least 2 vendors and identify the following. Features Cost Add the Phishing Quiz Exercise discussed in class to the bottom of your memo pages. Take the quiz and answer the below Identify which questions you got wrong from the quiz Provide a brief explanation on why you got it wrong. What did you learn about phishing emails and what would you recommend in order to avoid falling for a phishing email? Solution 1) Threat to intellectual property: Hacking , After conducting a forensic review of the drives, Bailey(CEO of IT company) learned that intruders had been lurking on two of his company’s servers for almost a year. These hackers, who were traced to a university in Beijing, had entered the company’s extranet through an unpatched vulnerability in the Solaris operating system. As far as Bailey could tell, they hadn’t accessed any classified information. But they were able to view mountains of intellectual property, including design information and product specifications related to transportation and communications systems, along with information belonging to the company’s customers and partners. Activist hackers, or hacktivists, can also be a danger to companies. For example, early last year members of Anonymous, the hacker collective, copied and publicly released sensitive files of H.B. Gary Federal, a security company. Cpoyrights deviation or piracy : Intellectual property theft involves robbing people or companies of their ideas, inventions, and creative expressions—known as “intellectual property”—which can include everything from trade secrets and proprietary products and parts to movies, music, and software. It is a growing threat—especially with the rise of digital technologies and Internet file sharing networks. And much of the theft takes place overseas, where laws are often lax and enforcement is more difficult. All told, intellectual property theft costs U.S. businesses billions of dollars a year and robs the nation of jobs and tax revenues. Preventing intellectual property theft is a priority of the FBI’s criminal investigative program. It specifically focuses on the theft of trade secrets and infringements on products that can impact consumers’ health and safety, such as counterfeit aircraft, car, and electronic parts. Key to the program’s success is linking the considerable resources and efforts of the private sector with law enforcement partners on local, state, federal, and international levels. .

Threat intel- -content-curation-organizing-the-path-to-successful-detectionPriyanka Aash

��

Want to detect threats in your organization? Stop reading every feed and curate your threat intel and content so they actually work for your security architecture. By managing meaningful threat intelligence so the external intel maps to internal threat models and curating your content sensibly, you can create a high-functioning SOC that both detects and defends against cyberattacks. (Source: RSA Conference USA 2018)

Understanding Identity Management and Security.Chinatu Uzuegbu

��

SplunkLive! Splunk for Insider Threats and Fraud DetectionSplunk

��

Splunk for Security Breakout SessionSplunk

��

VIKRANT-SHIVHARE_10+Vikrant Shivhare

��

Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...Splunk

��

SplunkLive! - Splunk for SecuritySplunk

��

4 Cyber Security KPIsSteven Aiello

��

Powerpoint v7Veronica Pereira

��

Application Security - Your Success Depends on itWSO2

��

How to Access and Make Use of “Trapped” Cyber Data to Reduce Your RiskSurfWatch Labs

��

2014 GRC Conference in West Palm Beach-Moderated by Sonia LunaAviva Spectrum™

��

Adjusting Your Security Controls: It’s the New NormalPriyanka Aash

��

The Immune System of InternetMohit Kanwar

��

SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunk

��

CybersecurityEng Hasan Shamroukh CISCO Exams Author

��

Security Breakout Session Splunk

��

Stopping zero day threatsZscaler

��

Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?CA Technologies

��

Based on the below and using the 12 categories of threats identify 3 .pdfarri2009av

��

Threat intel- -content-curation-organizing-the-path-to-successful-detectionPriyanka Aash

��

Understanding Identity Management and Security.Chinatu Uzuegbu

��

Making Strong Security Easier

1. Making Strong Security Easier With FOSS Scanners or: Building Secure Bridges Fen Labalme, CivicActions, Inc.

2. ● 2013-12 Target - 70 million customers affected (Names, mailing addresses, email addresses, phone numbers, credit/debit card information) via third party vendor with authorized access (external javascript libraries, anyone?) ● 2014-11 Home Depot - 56 million credit cards numbers, 53 million email addresses via stolen third party username/password (two-factor authentication would have prevented) ● 2014-11 Sony - Current and former employees & executives via Targeted attack by “Guardians of Peace” group, purported to be from North Korea (don’t be stupid) ● 2015-02 Anthem Blue Cross - 80 million current and former customers, as well as employees (Social Security numbers, birth dates, addresses, emails, employment information, income data) via Targeted attacks to steal network credentials of a few employees with highlevel system access (again, two-factor authentication) ● 2015-06 US Office of Personnel Management (OPM) - 4.2 million current and former employees; 19.7 million individuals whom a Federal background investigation; 1.8 million referenced spouses and relatives (SSN and full background history) via… China? Recent Major Security Breaches

3. Explaining FISMA Federal Information Security Management Act of 2002

4. Some Acronyms There will be no test FISMA Federal Information Security Management Act of 2002 NIST National Institute of Standards and Technology RMF Risk Management Framework FedRAMP Federal Risk and Authorization Management Program PCI DSS Payment Card Industry Data Security Standard STIG Security Technical Implementation Guide SCAP Security Content Automation Protocol CI Continuous Integration

5. NIST Risk Mgt Framework Takes Months

6. NIST 800-53 Controls Hurt Your Brain

7. Time to add compliance! Software Supply Chain Can Aid Security

8. $ risk -a server.agency.gov $ make artifact=system-security-plan -f doc FISMA for Happy Developers

9. Scanning as Part of CI

10. Developers reaction to security scans Problem

11. Tip #1: Use the Families

12. Tip #2: Give Control Families Tickets

13. Tip #3: Use SCAP SCAP == Shared Unit Testing for Vulnerabilities Vulnerabilities ● Poor configuration ● Known exploits

14. Tip #4: Use OpenSCAP + GovReady Community created portfolio of tools and content to make attestations about known vulnerabilities https://github.com/OpenSCAP Open source tool that to make OpenSCAP scanning friendlier to developers https://github.com/GovReady/govready

15. OpenSCAP $ oscap xccdf eval --remediate --profile stig-rhel6-server-upstream --report /root/scan-report.html /usr/share/xml/scap/content.xml GovReady $ govready scan $ govready fix $ govready compare

16. Next steps ● Include more operating systems (Ubuntu, Debian) ● Add more tests (bash & drush based) ● Create and contribute towards an application baseline: ● Drupal ● Apache/Nginx ● MySQL/Mariadb

19. HOW TO ENGAGE OpenSCAP GitHub: https://github.com/OpenSCAP OpenSCAP References & Docs: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide GovReady user-friendly front-end: https://github.com/GovReady/govready Ansible-SCAP demo. See how it all works on the “drupal” branch - painlessly: https://github.com/openprivacy/ansible-scap NIST SCAP Website: https://scap.nist.gov

20. CONTACT INFO Fen Labalme fen@civicactions.com 412-996-4113 Shameless plug: We’re hiring !

Editor's Notes

#2: I’ve been online for 40 years (started on the ARPAnet). With CivicActions - a 100% virtual company - the last decade. Been working for socially responsible non-profits for most of that time, recently began building sites for Federal, State & Local governments. Our goal is to Transform Government (if there’s time at the end, you can ask me how that’s going.)
#3: Why? (I’ve been personally affected by four of these - not “The Interview”)
#4: Has anyone here heard of FISMA? If you’re talking FISMA, FedRAMP (Federal Risk and Authorization Management Program), DoD STIG (Security Technical Implementation Guide), or PCI DCC (Payment Card Industry Data Security Standard), security is feels as procedural encumbrance. IT’s document based in digital world.
#6: Note that even after this, your system may not be secure, as “Compliance does not mean Security - and vice versa”) NIST: National Institute of Standards and Technology // RMF: Rick Management Framework
#8: Why do you want automation? 1. Put security into the SDLC; 2. Catch issues before someone else does.
#9: Goal: we want a condensed command line output so we created a “quick reports” filter on the scan results.
#10: I’m building ansible provisioning scripts that will run openscap and govready automatically
#11: If you’re talking FISMA, FedRamp, DoD STIG, or PCI, security is feels as procedural encumbrance. IT’s document based in digital world.
#16: I wanted condensed command line output so I created a “quick reports” filter on the scan results.
#17: Historically, getting the ATO for an online product required contracting with a security company to draft a custom security “baseline” for the product. Being closed source and generally inflexible, such rules would be brittle and often simply disabled (rather than updated) as the application or the environment in which it ran changed over time. Free and open source security scanning tools can change all this.
#18: The goal is to take tests that can be automatically run and create SCAP content so that they can be shared with - and improved by - the FOSS community
#19: An example run of a security check
#20: We’d love to see you on the mailing lists.
#21: We’d love to see you on the mailing lists.

�ݺ�ߣ

Making Strong Security Easier

Recommended

More Related Content

What's hot (20)

Similar to Making Strong Security Easier (20)

Making Strong Security Easier

Editor's Notes