Security? It's simple. We have a Security Team... The security of our environment, our applications and our development process is their job. We follow Best Practices, we implement their suggestions (or not...).
But maybe today, in June 2018, when GDPR is a fact, we should look a little more closely at the security aspects: well-known and less-known risks, vulnerability assessments, secure coding, secure testing.
Let's discuss SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and a few other acronyms, and use freely available knowledge and a specially prepared environment to check and test our security before we touch Visual Studio, PowerShell, the CLI, Visual Studio Code, or even JSON. Be #SecureByDesign.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
1. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals
SECDEV(OPS).
How to Brace Your IT Security.
Tobiasz Koprowski
Data Platform MVP, MCT, Independent Consultant
Founder of Shadowland Consulting
@KoprowskiT @SHAConsultingUK
1 | Security Foundation for DBA/DEV/OPS
2 | Well Known Risks Manuals (ABC)
a| OWASP4WP
b| OWASP4MP
c| SANS/CIS
6 | SQL Server Security Best Practices
7 | Security Day by Day for DBA/DEV/OPS
8 | The Stack For You
8 | Summary
Appendix
AGENDA
Application security | http://bit.ly/18u8J6p
Computing security | http://bit.ly/1ARdRLd
Data security | http://bit.ly/185wfph
Information security | http://bit.ly/1ARe0ya
Network security | http://bit.ly/1C443R8
Categorizing Security - part 1
{IT REALM}
Airport security | http://bit.ly/1LPZcCZ
Food security | http://bit.ly/1MYnii6
Home security | http://bit.ly/1Gz3VI1
Infrastructure security | http://bit.ly/1Bm8LIF
Physical security | http://bit.ly/1Gz3VI1
Port security | http://bit.ly/1ARewMH
Supply chain security | http://bit.ly/1Ex7ob7
School security | http://bit.ly/17Dl735
Shopping center security | http://bit.ly/1EUb1FV
Categorizing Security - part 2
{PHYSICAL REALM}
Homeland security | http://bit.ly/1AAwZhE
Human security | http://bit.ly/1DhojtU
International security | http://bit.ly/1MYoyli
National security | http://bit.ly/1FEnldu
Public security | http://bit.ly/1wqpX9P
Categorizing Security - part 3
{POLITICAL REALM}
application security
computing security
data security
information security
network security
home security
infrastructure security
physical security
national security
public security
Categorizing Security - part 4
{MY OPS REALM}
Security is the degree of resistance to, or protection from, harm. It applies to any
vulnerable and valuable asset, such as a person, dwelling, community, nation, or
organization.
As noted by the Institute for Security and Open Methodologies (ISECOM) in the
OSSTMM 3 (Open Source Security Testing Methodology Manual), security provides
"a form of protection where a separation is created between the assets and the
threat." These separations are generically called "controls," and sometimes include
changes to the asset or the threat.
Security? What is this?
http://www.isecom.org/research/
1 – What You Need to Know
2 – What You Need to Do
3 – Security Analysis
4 – Operational Security Metrics
5 – Trust Analysis
6 – Work Flow
7 - Human Security Testing
8 - Physical Security Testing
9 - Wireless Security Testing
10 - Telecommunications Security Testing
11 - Data Networks Security Testing
12 - Compliance
13 – Reporting with the STAR
14 – What You Get
15 – Open Methodology License
The Open Source Security Testing Methodology Manual
The OWASP Foundation came online on December 1st, 2001; it was established as a not-for-profit
charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and
support for our work at OWASP. OWASP is an international organization and the OWASP Foundation
supports OWASP efforts around the world. OWASP is an open community dedicated to enabling
organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in
improving application security. We advocate approaching application security as a people, process,
and technology problem because the most effective approaches to application security include
improvements in all of these areas. We can be found at www.owasp.org.
The Open Web Application Security Project
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Broken Access Control
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Insufficient Attack Protection
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Underprotected APIs
Top 10 Application Security Risks for Web Apps
A1: Injection
Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted data is sent to an
interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper authorization.
Top 10 Security Risks for Web Apps
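The A1 description above in working code, as an added example that is not part of the original deck: the same lookup written twice against a constructed in-memory SQLite table, once by pasting untrusted input into the query text and once with a bound parameter, so the difference in what the interpreter executes is visible.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input becomes part of the SQL text, so the interpreter
    # (SQLite here) parses whatever the caller supplied as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The statement text is fixed; the value travels as a bound parameter
    # and can never change the structure of the query.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a constructed hostile input and a normal one."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed hostile input: a tautology
    return {
        # the concatenated query becomes ... WHERE name = 'x' OR '1'='1'
        # and returns every row in the table
        "vulnerable": lookup_vulnerable(conn, hostile),
        # the bound parameter is compared literally and matches nothing
        "parameterized": lookup_parameterized(conn, hostile),
        "legit": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```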
A2: Broken Authentication and Session Management
Application functions related to authentication and session management are often implemented
incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit
other implementation flaws to assume other users’ identities (temporarily or permanently).
Top 10 Security Risks for Web Apps
A3: Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper
validation or escaping, or updates an existing web page with user supplied data using a browser
API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which
can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Top 10 Security Risks for Web Apps
A4: Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can
exploit these flaws to access unauthorized functionality and/or data, such as access other users'
accounts, view sensitive files, modify other users’ data, change access rights, etc.
Top 10 Security Risks for Web Apps
A5: Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application,
frameworks, application server, web server, database server, platform, etc. Secure settings should
be defined, implemented, and maintained, as defaults are often insecure. Additionally, software
should be kept up to date.
Top 10 Security Risks for Web Apps
A6: Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare,
and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud,
identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest
or in transit, as well as special precautions when exchanged with the browser.
Top 10 Security Risks for Web Apps
A7: Insufficient Attack Protection
The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both
manual and automated attacks. Attack protection goes far beyond basic input validation and
involves automatically detecting, logging, responding, and even blocking exploit attempts.
Application owners also need to be able to deploy patches quickly to protect against attacks.
Top 10 Security Risks for Web Apps
A8: Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s
session cookie and any other automatically included authentication information, to a vulnerable
web application. Such an attack allows the attacker to force a victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the victim.
Top 10 Security Risks for Web Apps
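One standard defence against the A8 scenario, as an added example (not code from the deck): a synchronizer token bound to the session with an HMAC. The browser attaches the session cookie to a forged request automatically, but the forging page cannot read the token, so a state-changing request without the matching token is rejected. `SERVER_KEY` and the session identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret; constructed here, in practice loaded from configuration.
SERVER_KEY = secrets.token_bytes(32)

# Methods that change state and therefore must carry a token.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session so a token leaked from one session
    is useless in another; the HMAC makes it unforgeable without SERVER_KEY."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_allowed(method: str, session_id: str,
                       submitted_token: Optional[str]) -> bool:
    """Decide whether a request identified by its session cookie may proceed.

    Safe methods (GET/HEAD/OPTIONS) must not change state, so they need no
    token. For unsafe methods the token must be present and must equal the
    one derived for this session; a cross-site form post has the cookie but
    not the token, so it is rejected here."""
    if method.upper() not in UNSAFE_METHODS:
        return True
    if not submitted_token:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking the token byte by byte via timing.
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    sid = "session-of-victim"   # constructed session identifier
    good = issue_csrf_token(sid)
    print("legitimate form post:", request_is_allowed("POST", sid, good))
    print("forged cross-site post:", request_is_allowed("POST", sid, None))
```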
A9: Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges
as the application. If a vulnerable component is exploited, such an attack can facilitate serious data
loss or server takeover. Applications and APIs using components with known vulnerabilities may
undermine application defenses and enable various attacks and impacts.
Top 10 Security Risks for Web Apps
A10: Underprotected APIs
Modern applications often involve rich client applications and APIs, such as JavaScript in the browser
and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.).
These APIs are often unprotected and contain numerous vulnerabilities.
Top 10 Security Risks for Web Apps
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
Top 10 Application Security Risks for Mobile Apps
M1: Improper Platform Usage
This category covers misuse of a platform feature or failure to use platform security controls. It might
include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security
control that is part of the mobile operating system. There are several ways that mobile apps can
experience this risk.
Top 10 Security Risks for Mobile Apps
M2: Insecure Data Storage
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data
storage and unintended data leakage.
Top 10 Security Risks for Mobile Apps
M3: Insecure Communication
This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of
sensitive assets, etc.
Top 10 Security Risks for Mobile Apps
M4: Insecure Authentication
This category captures notions of authenticating the end user or bad session management. This can
include:
Failing to identify the user at all when that should be required
Failure to maintain the user's identity when it is required
Weaknesses in session management
Top 10 Security Risks for Mobile Apps
M5: Insufficient Cryptography
The code applies cryptography to a sensitive information asset. However, the cryptography is
insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if
the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for
issues where cryptography was attempted, but it wasn't done correctly.
Top 10 Security Risks for Mobile Apps
M6: Insecure Authorization
This is a category to capture any failures in authorization (e.g., authorization decisions in the client
side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user
identification, etc.). If the app does not authenticate users at all in a situation where it should (e.g.,
granting anonymous access to some resource or service when authenticated and authorized access is
required), then that is an authentication failure not an authorization failure.
Top 10 Security Risks for Mobile Apps
M7: Client Code Quality
This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used categories. This would
be the catch-all for code-level implementation problems in the mobile client. That's distinct from
server-side coding mistakes. This would capture things like buffer overflows, format string
vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's
running on the mobile device.
Top 10 Security Risks for Mobile Apps
M8: Code Tampering
This category covers binary patching, local resource modification, method hooking, method swizzling,
and dynamic memory modification. Once the application is delivered to the mobile device, the code
and data resources are resident there. An attacker can either directly modify the code, change the
contents of memory dynamically, change or replace the system APIs that the application uses, or
modify the application's data and resources. This can provide the attacker a direct method of
subverting the intended use of the software for personal or monetary gain.
Top 10 Security Risks for Mobile Apps
M9: Reverse Engineering
This category includes analysis of the final core binary to determine its source code, libraries,
algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection
tools give the attacker insight into the inner workings of the application. This may be used to exploit
other nascent vulnerabilities in the application, as well as revealing information about back end
servers, cryptographic constants and ciphers, and intellectual property.
Top 10 Security Risks for Mobile Apps
M10: Extraneous Functionality
Often, developers include hidden backdoor functionality or other internal development security
controls that are not intended to be released into a production environment. For example, a developer
may accidentally include a password as a comment in a hybrid app. Another example includes
disabling of 2-factor authentication during testing.
Top 10 Security Risks for Mobile Apps
CIS Critical Security Control
1. Inventory of Authorized & Unauthorized Devices:
Actively manage (inventory, track & correct) all hardware devices on the network so that only
authorized devices are given access, and unauthorized & unmanaged devices are found and
prevented from gaining access.
CIS Critical Security Control
2. Inventory of Authorized & Unauthorized Software:
Actively manage (inventory, track & correct) all software on the network so that only authorized
software is installed and can execute, and that unauthorized & unmanaged software is found and
prevented from installation or execution.
CIS Critical Security Control
3. Secure Configurations for Hardware & Software
on Mobile Devices, Laptops, Workstations, & Servers:
Establish, implement, and actively manage (track, report on, correct) the security configuration of
laptops, servers, workstations using a rigorous configuration management and change control
process in order to prevent attackers from exploiting vulnerable services and settings.
CIS Critical Security Control
4. Continuous Vulnerability Assessment & Remediation:
Continuously acquire, assess, and take action on new information in order to identify
vulnerabilities, remediate, & minimize the window of opportunity for attackers.
CIS Critical Security Control
5. Controlled Use of Administrative Privileges:
The processes and tools used to track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on computers, networks, and applications.
CIS Critical Security Control
6. Maintenance, Monitoring, & Analysis of Audit Logs:
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover
from an attack.
CIS Critical Security Control
7. Email and Web Browser Protections:
Minimize the attack surface and the opportunities for attackers to manipulate human behavior
through their interaction with web browsers & email systems.
CIS Critical Security Control
8. Malware Defenses:
Control the installation, spread, and execution of malicious code at multiple points in the
enterprise, while optimizing the use of automation to enable rapid updating of defense, data
gathering, & corrective action.
CIS Critical Security Control
9. Limitation and Control of Network Ports, Protocols, and Services:
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on
networked devices in order to minimize windows of vulnerability available to attackers.
CIS Critical Security Control
10. Data Recovery Capability:
The processes and tools used to properly back up critical information with a proven methodology
for timely recovery of it.
CIS Critical Security Control
11. Secure Configurations for Network Devices:
Establish, implement, and actively manage (track, report on, correct) the security configuration of
network infrastructure devices using a rigorous configuration management and change control
process.
CIS Critical Security Control
12. Boundary Defense:
Detect/prevent/correct the flow of information transferring across networks of different trust levels
with a focus on security-damaging data.
CIS Critical Security Control
13. Data Protection:
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data,
and ensure the privacy and integrity of sensitive information.
CIS Critical Security Control
14. Controlled Access Based on the Need to Know:
The processes and tools used to track/control/prevent/correct secure access to critical assets
according to the formal determination of which persons, computers, and applications have a need
and right to access these critical assets based on an approved classification.
CIS Critical Security Control
15. Wireless Access Control:
The processes and tools used to track/control/prevent/correct the secure use of wireless local
area networks (LANs), access points, and wireless client systems.
CIS Critical Security Control
16. Account Monitoring & Control:
Actively manage the life cycle of system and application accounts – their creation, use, dormancy,
deletion – in order to minimize opportunities for attackers to leverage them.
CIS Critical Security Control
17. Security Skills Assessment & Appropriate Training to Fill Gaps:
For all functional roles in the organization, identify the specific knowledge, skills, and abilities
needed to support defense of the enterprise.
CIS Critical Security Control
18. Application Software Security:
Manage the security life cycle of all in-house developed and acquired software in order to prevent,
detect, and correct security weaknesses.
CIS Critical Security Control
19. Incident Response Management:
Protect the organization’s information, as well as its reputation, by developing and implementing
an incident response infrastructure for quickly discovering an attack and then effectively
containing the damage, eradicating the attacker’s presence, and restoring the integrity of the
network and systems.
CIS Critical Security Control
20. Penetration Tests & Red Team Exercises:
Test the overall strength of an organization’s defenses (the technology, the processes, and the
people) by simulating the objectives and actions of an attacker.
Risk Management
[Figure: NASA's illustration showing high impact risk areas for the International Space Station]
Database security concerns the use of a broad range of information security controls to protect
databases (potentially including the data, the database applications or stored functions, the database
systems, the database servers and the associated network links) against compromises of their
confidentiality, integrity and availability.
It involves various types or categories of controls, such as technical, procedural/administrative and
physical. Database security is a specialist topic within the broader realms of computer security,
information security and risk management.
Risk Management for DB
Security risks to database systems include, for example:
• unintended activity or misuse by authorized database users, database administrators, or
network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to
sensitive data, metadata or functions within databases, or inappropriate changes to the database
programs, structures or security configurations);
• Malware infections causing incidents such as unauthorized access, leakage or disclosure of
personal or proprietary data, deletion of or damage to the data or programs, interruption or
denial of authorized access to the database, attacks on other systems and the unanticipated
failure of database services;
Risk Management for DBA
Security risks to database systems include, for example:
• Overloads, performance constraints and capacity issues resulting in the inability of authorized
users to use databases as intended;
• Physical damage to database servers caused by computer room fires or floods, overheating,
lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and
obsolescence;
• Design flaws and programming bugs in databases and the associated programs and systems,
creating various security vulnerabilities (e.g. unauthorized privilege escalation), data
loss/corruption, performance degradation, etc.;
• Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in
database or system administration processes, sabotage/criminal damage etc.
Risk Management for DBA
Step 1: Make A List Of What You're Trying To Protect
Step 2: Draw A Diagram And Add Notes
Step 3: Make A List Of Your Adversaries And What They Want
Step 4: Brainstorm Threats From These Adversaries
Step 5: Estimate Probability And Potential Damage (The Overall Risk)
Step 6: Brainstorm Countermeasures And Their Issues
Step 7: Plan, Test, Pilot, Monitor, Troubleshoot and Repeat
Cyber Defense | Practical Risk Analysis and Threat Modeling
Even a crude risk analysis and hardening plan is vastly better
than just winging it,
and in many ways a crude plan is better than an overly formal one
if the formal one will never be completed...
or even started
(another case of "the perfect is the enemy of the good").
I hope this seven-step recipe will help you get your own security projects underway!
Conclusion
• Pillar One: risk assessment and management
– A definition of the risks that apply to various asset(s), based on their business criticality.
– An assessment of the current status of each risk before it’s moved to the cloud. Using this information, each
risk can be accepted, mitigated, transferred or avoided.
– An assessment of the risk profile of each asset, assuming it has been moved to the cloud.
• Pillar Two: policy and compliance
– Cloud providers need to understand that simply listing compliance certifications isn’t sufficient. In line with
the mantra of transparency explored in the previous point, providers should take a proactive stance to
sharing their security implementations and controls.
"Dimension Data often assists clients by providing them with a list of questions
that we believe they should be posing to cloud providers as part of the
evaluation process, to ensure they're covering all the bases."
Three Pillars of a Secure Hybrid Cloud Environment
Pillar Three: provider transparency
• Governance: the ability of an organisation to govern and measure enterprise risk introduced by cloud.
• Legal issues: regulations, and requirements to protect the privacy of data, and the security of information and
computer systems.
• Compliance and audit: maintaining and proving compliance when using the cloud.
• Information management and data security: managing cloud data, and responsibility for data confidentiality,
integrity and availability.
• Portability and interoperability: the ability to move data or services from one provider to another, or bring
them back in-house.
• Business continuity and disaster recovery: operational processes and procedures for business continuity and
disaster recovery.
Three Pillars of a Secure Hybrid Cloud Environment
Pillar Three: provider transparency
• Data centre: evaluating any elements of a provider’s data centre architecture and operations that could be
detrimental to ongoing services.
• Incident response, notification and remediation: adequate incident detection, response, notification, and
remediation.
• Application security: securing application software running on or developed in the cloud.
• Encryption and key management: identifying proper encryption usage and scalable key management.
• Identity and access management: assessing an organisation’s readiness to conduct cloud-based identity,
entitlement, and access management.
• Virtualisation: risks associated with multi-tenancy, virtual machine isolation and co-residence, hypervisor
vulnerabilities, etc.
Three Pillars of a Secure Hybrid Cloud Environment
Driving DevOps Security
Operations have become increasingly important as the software world
shifts to a more service-oriented approach. Implementing a DevOps
model is an essential move for most software companies to maintain
success. The recent adoption of DevOps has been rapid and widespread
while security best practices have been slow to keep pace. It is clear that
the transformation has helped organizations improve their velocity and
improve their products as they grow.
As cybersecurity risks continue to mount, security best practices must be
included in every team's workflow. By understanding and facilitating the
cultural shift that DevOps requires, you can help your team work faster
and more securely, with sustainable results. Download the book above
to learn everything you need to know to start running DevOps securely
at scale.
https://www.tripwire.com/solutions/devops/devops-book/
SANS / CIS Critical Security Controls
Trusted by security leaders in both the
private and public sector, the CIS Controls:
➢ Leverage the battle-tested expertise of
the global IT community to defeat over
85% of common attacks
➢ Focus on proven best practices, not on
any one vendor’s solution
➢ Offer the perfect on-ramp to execute
compliance programs with mappings to
PCI, NIST, ISO, and HIPAA
➢ All 20 CIS Controls V7
https://learn.cisecurity.org/20-controls-download
SANS Supports the CIS Critical Security Controls with
Training, Research and What Works
To help information security practitioners and managers implement the CIS Critical Security Controls, SANS
provides a number of resources and information security courses.
Critical Security Controls Courses
SEC440: Critical Security Controls: Planning, Implementing and Auditing
SEC566: Implementing and Auditing the Critical Security Controls - In-Depth
Security Operations Center Courses
SEC511: Continuous Monitoring and Security Operations
SEC555: SIEM with Tactical Analysis (NEW!)
MGT517: Managing Security Operations: Detection, Response, and Intelligence (NEW!)
Information Security Resources
NewsBites: Bi-weekly email of top news stories with commentary from SANS Editors. View recent editions &
Subscribe
Whitepapers: Research from SANS instructors and masters students. Download the latest papers related to the
Critical Controls
Webcasts: Topical content presented by SANS Instructors, vendors, and leaders in infosec security. View
upcoming webcasts
• ISECOM (the Institute for Security and Open Methodologies)
– http://www.isecom.org/about-us.html
• OSSTMM (Open Source Security Testing Methodology Manual)
– http://www.isecom.org/research/osstmm.html
• Library of Resources for Industrial Control System Cyber Security
– https://scadahacker.com/library/index.html
• patterns & practices: Cloud Security Approach in a Nutshell
– https://technet.microsoft.com/en-us/ff742848.aspx
• Microsoft Azure Trust Center: Security
– http://azure.microsoft.com/en-us/support/trust-center/security/
• 10 Things to know about Azure Security
– https://technet.microsoft.com/en-us/cloud/gg663906.aspx
• Security Best Practice and Label Security Whitepapers
– http://blogs.msdn.com/b/sqlsecurity/archive/2012/03/07/security-best-practice-and-label-security-whitepapers.aspx
links
• Hello Secure World
– http://www.microsoft.com/click/hellosecureworld/default.mspx
• SQL Server Label Security Toolkit
– http://sqlserverlst.codeplex.com/
SQL Server Best Practices Analyzer
• Microsoft Baseline Configuration Analyzer 2.0
– http://www.microsoft.com/en-us/download/details.aspx?id=16475
• SQL Server 2005 Best Practices Analyzer (August 2008)
– http://www.microsoft.com/en-us/download/details.aspx?id=23864
• Microsoft® SQL Server® 2008 R2 Best Practices Analyzer
– http://www.microsoft.com/en-us/download/details.aspx?id=15289
• Microsoft® SQL Server® 2012 Best Practices Analyzer
– http://www.microsoft.com/en-us/download/details.aspx?id=29302
links
• Microsoft Security Assessment Tool
– http://www.microsoft.com/downloads/details.aspx?FamilyID=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
• Microsoft Application Verifier
– http://www.microsoft.com/downloads/details.aspx?FamilyID=bd02c19c-1250-433c-8c1b-2619bd93b3a2&DisplayLang=en
• Microsoft Threat Analysis & Modelling Tool
– http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&DisplayLang=en
• How To: Protect From SQL Injection in ASP.NET
– http://msdn2.microsoft.com/en-us/library/ms998271.aspx
• Securing Your Database Server
– http://msdn.microsoft.com/en-us/library/aa302434.aspx
links
• Threats and Countermeasures
– http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx
• Configure Windows Service Accounts and Permissions
– https://msdn.microsoft.com/en-us/library/ms143504.aspx#Network_Service
• Select an Account for the SQL Server Agent Service
– https://msdn.microsoft.com/en-us/library/ms191543.aspx
• Server Configuration - Service Accounts
– https://msdn.microsoft.com/en-us/library/cc281953.aspx
links
Azure Security: Technical Insights
Security Best Practices for Developing Azure Solutions
Protecting Data in Azure
Azure Network Security
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
Microsoft Enterprise Cloud Red Teaming
Microsoft Azure Security and Audit Log Management
Security Management in Microsoft Azure
Crypto Services and Data Security in Azure
azure resources: security
Business Continuity for Azure
Understanding Security Account Management in Azure
Azure Data Security: Cleansing and Leakage
Scenarios and Solutions Using Azure Active Directory Access Control
Securing and Authenticating a Service Bus Connection
Azure Privacy Overview (PDF)
Azure Privacy Statement
Law Enforcement Request Report
Protecting Data and Privacy in the Cloud
azure resources: security & privacy
Response to Cloud Security Alliance Cloud Controls Matrix (DOC)
Azure HIPAA Implementation Guidance (PDF)
Azure Customer PCI Guide (PDF)
The Microsoft Approach to Cloud Transparency (PDF)
Microsoft Trustworthy Computing
Operational Security for Online Services Overview (PDF)
Data Classification for Cloud Readiness
CISO Perspectives on Data Classification (PDF)
An Introduction to Designing Reliable Cloud Services (PDF)
Deploying Highly Available and Secure Cloud Solutions (PDF)
azure resources: compliance & more
• Yes, 123456 is the most common password, but here’s why that’s misleading
http://arstechnica.com/security/2015/01/yes-123456-is-the-most-common-password-but-heres-why-thats-misleading/
• CIO’s are Listening, Security is Important…
https://communities.intel.com/community/itpeernetwork/blog/2014/05/20/cio-s-are-listening-security-is-important
• The Three Pillars of a Secure Hybrid Cloud Environment
http://www.dimensiondata.com/Global/Latest-Thinking/The-Three-Pillars-of-a-Secure-Hybrid-Cloud-Environment/Pages/Home.aspx
credits
Tobiasz J Koprowski
@KoprowskiT | @SHAConsultingUK
https://about.me/KoprowskiT
http://KoprowskiT.eu/geek
after session