Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done

•

0 recomendaciones•307 vistas

NoNameCon

Video: https://www.youtube.com/edit?o=U&video_id=k4jKZ8dUL6M

Tecnología

Eugene Pilyankevich
Chief Technical Officer, Cossack Labs
GETTING SECURE AGAINST CHALLENGES
OR
GETTING SECURITY CHALLENGES DONE

# whoami
(1997) -> #sprintnet, #x25zine, ru.nethack ;)
(2002) -> security & network engineer.
(2008) -> CTO in finance.
(2012) -> C*O in software dev company.
(2015) -> founder, CTO @ cossacklabs.com

SOME STORIES TO START WITH
Finnish SNAFU

SOME STORIES TO START WITH
How to be smart and
fail miserably.

VALUES.
LANGUAGE.
REALITY MAPS.
ROOT CAUSE?

People frequently suck at  
making risk decisions under 
pressure and uncertainty.
Problem 1

TWO MORE STORIES
Banking fraud prevention.

TWO MORE STORIES
Managing risk for real.

Business risk is the possibility a
company will have lower than
anticipated proﬁts or experience
a loss rather than taking a proﬁt.

Problem 2 
If you’re in an ivory tower, 
no one will bother listening.

TAKE HARD CONTRACTS AND SURVIVE.
- Excellence is domain-speciﬁc.

TAKE HARD CONTRACTS AND SURVIVE.
- Excellence is domain-speciﬁc.
- Knowledge is not distributed evenly.

TAKE HARD CONTRACTS AND SURVIVE.
- Excellence is domain-speciﬁc.
- Knowledge is not distributed evenly. 
- FUD doesn’t work.

TAKE HARD CONTRACTS AND SURVIVE.
- Excellence is domain-speciﬁc.
- Knowledge is not distributed evenly. 
- FUD doesn’t work.
- Speaking in business risk - helps.

TRY WALKING IN CLIENT’S SHOES
Auditing crypto libraries for fun and proﬁt.

Domain-specific thinking
High-level complex skills do not distribute across
all behavior, and get reinforced locally.

FUD counteracts good decisions
Scaring customer who’s facing the unknown
leads to signiﬁcant decrease in quality of
decision-making.

Double-layered risk aversion
Instead of mitigating technological risks (proper
risk aversion), people avoid making decisions
about technological risks they don’t understand.

Compliance and forget
Avoiding substance of compliance
to mitigate risks?

Misalignment and misunderstanding
is default state anyway.
You are to cross the gap.

Communicate risk properly
Technical risk, financial impact.

Communicate risk properly
Technical risk, compliance impact.

Communicate risk properly
Process risks with business impact.

Communicate risk properly
Process risks with market impact.

Examples
Manager is a passthru with process
lubrication capabilities, if you take
care of the hard details.

Examples.
Manager is pain in the ass, if you
don’t take care of technical details.

Talk human.
- Docs & business materials.

Talk human.
- Docs & business materials.
- Talk to customers soon.

Take over processes.
- Self-learning processes.
- Reinforce ownership.

Love compliance.
- PCIDSS, HIPAA, oldschool.
- GDPR.

Avoiding domain speciﬁcity.
- Multi-skilled team.
- Boring smoothie tech is relevant.

web: cossacklabs.com
mail: eugene@cossacklabs.com
Thank you.

Más contenido relacionado

Similar a Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done

ICTI presentation on startups upstarts and experience doing that from Australia. I've included some slide notes which hopefully are useful. A list of lessons/mistakes on the last slide but could probably do about 20 slides on that! All comments are practical from founding/working/advising at safeandsurf.com jollo.com encassa.com surfcontrol.com If you want a PDF copy contact me directly (details in the deck)

Some experiences from early-stage Australian startups

David Jones

Will there be an IT Risk Management 2.0?

Luke O'Connor

Great product managers are adapting as their teams transition from building products to running services and are embracing DevOps. Learn how Atlassian product managers take on service ownership, incorporate reliability and performance into their roadmaps, and handle incidents as our cloud offerings grow more complex. As a Product owner, you'll learn how you can contribute to running services just as much as building products, how to contribute to incident management and review, support a green build culture, plan for reliability, and roll out features and experiments in a services-first world.

How Product Managers Thrive in a DevOps World

Atlassian

Today's world is a DevOps one, and as a Product Manager that means you're part of the dev team. As teams transition from building products to running services, you must adapt your role as teams embrace DevOps and create dedicated Site Reliability Engineering (SRE) teams. Consider these questions: What's your role during an incident? How do you communicate to customers? Are you incorporating reliability metrics into your product roadmap? The good news is, you can contribute to running services just as much as building products. In this talk, learn how Product Managers on the JIRA team contribute to incident management and review, support a green build culture, plan for reliability, and roll out features and experiments in a services-first world. Dave Meyer, Senior Product Manager, Atlassian

A Product Manager's Place in a DevOps World

Atlassian

Opsec for security researchers

vicenteDiaz_KL

The purpose of this session was to share the contents of the 2 hours workshop we designed to introduce Risk Profiling in eDreams ODIGEO teams. During the presentation we switch between Attendee view experiencing the same activity that teams do, Facilitator view sharing tips about the facilitation, and specially and for me the most important, the Coach view, explaining why we want to introduce this technique, what was its role in the overall strategy to improve demand management and why now.

Risk profiling

Jaume Jornet Rivas

Bilot 3mode

Bilot

My presentation from InfoShare 2016 conference. For many years I was a software developer. I would concentrate on the code, software projects and the interactions with my closes team and the users. I was sure that Agile solves all world’s problems. I would laugh over Scott Adam’s Dilbert comics with his Point Hair Boss. Life was simple, life was good. Now for 8+ years I have been running a software company, not a small one anymore. I became myself a full-time boss who only codes sometimes at home or during hackathons. This session is about sharing with you those critical lessons which I painfully learnt when trying to grow into this new role - transitioning from being a software engineer into being an entrepreneur and top manager. Wheres not all of the lessons may or will (if you dream about your own startup) apply to your case, being aware of them may save you tons of time, energy, money or even help you to avoid the total disaster - burying your own company or dreams. And after all, sharing war stories from the past is fun … when these stories are the past.

Ten lessons I painfully learnt while moving from software developer to entrep...

Wojciech Seliga

“Despite all the testing we do, field issues do not seem to abate. Sometimes it is a few serious issues that cause us to react intensely, sometimes it is a bunch of simple issues that make us consume bandwidth. Clearly the backlog is building up, with debts to be serviced, straining capacity to deliver new ideas.” This is what I hear from senior engineering managers of product companies. How do you go about fixing this? Well, I have seen a flurry of activity to identify root cause(s) and address them. They help to set focus, but fizzle out. Analysing 'quality of technical debt’ to understand types of issues that leak enables practical actions, rather than jumping into the ‘reason of why’ (root cause). Smart QA it is, to do failure analytics differently, to ‘tighten the purse’. Technical debt is indeed a serious drain on engineering capacity, forcing one to fix issues at the expense of building revenue yielding new features. Smart failure analytics visualises problems well, enabling clear actions to strengthen practice and reduce debt significantly. If you are “choked by technical debt”, then you may find our SmartQA consulting (stagsoftware.com/smartqa) interesting, where we unshackle your practice so that you can exploit technology.

Choked by technical debt?

STAG Software Private Limited

Product Management - pitfalls of Data Driven Development

Bartek Gatz

Risk Management Process Training Session Victor Allen April 3, 2012 1 What are risks? Project Management Institute definition of risk: “an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective“ (i.e. scope, time, cost, quality, safety, etc…) 2 What are risks? My Definition of risk: “A negative risk event is something that has not yet happened on your project, but if it did happen it would negatively impact your project to the extent that it would be worthwhile to reduce the likelihood that it will occur or reduce the negative impact if it occurred” “A positive risk event is something that has not yet happened on your project, but if it did happen it would positively impact your project to the extent that it would be worthwhile to increase the likelihood that it will occur or increase the positive impact if it occurred” 3 Risk/Issue/Action? 4 (Risk) An undesirable event that has not yet happened (Issue) An undesirable event that has happened and needs attention (Action) Work that needs to be done Which of the following are risks? The project may go over budget I ran over a pot hole coming into work today and my tire is flat Decisions in the site engineering area are not being made in a timely manner Using unproven technology may require frequent re-design work resulting in a schedule delay Which of the following are risks? The project may go over budget This is more of an impact than a risk. There are many reasons why a project may go over budget. The real question is what are the things that would cause you to go over budget? The answer to this question is the risk. Here are some examples of a better way to write this risk statement: It may take more time than planned to secure internal employees to work on this project which will require us to hire consultants resulting in a cost overrun on the project. The contractor productivity level may be less than quoted in the contract resulting in a cost overrun. Which of the following are risks? I ran over a pot hole coming into work today and my tire is flat This is not a risk because it already happened. It has now become an issue that you have to deal with. Time to execute your contingency plan – hopefully you have a spare or AAA. Which of the following are risks? Decisions in the site engineering area are not being made in a timely manner This is not a risk because it already happened. Decisions are already not being made timely, so the risk has occurred. It has now become an issue that you have to deal with. Which of the following are risks? Using unproven technology may require frequent re-design work resulting in a schedule delay This is a risk. 5 Characteristics of a Risk Event Risk is clear and understandable to anyone who reads it Risk describes the impact or “so what” factor Risk has not yet happened Risk is something your actually worrie ...

Risk Management ProcessTraining Session Victor Allen.docx

SUBHI7

With the advent of microservices , containers and on demand computing and the rate at which code is getting churned out every single day we need to automate or perish. DevOps or Build at Scale and how to have a hands free approach like autonomous cars is what companies need the most today. It is no longer OK to say we build it someone will test it and certify it , it needs to happen in real time and all at once the Build, Automate and Test in a continuous pipeline. How can companies stay on top by effectively making use of Automation shall be looked at in this talk.

Build Automate and Test Strategies - BATMAN

Eturnti Consulting Pvt Ltd

Being a professional software tester

Anton Keks

<insert narration> <Title> CMIT 421 <Section #> <Student Name> July 6, 2020 Good morning. My name is <Student Name>. I work in the MERCURY USA Information Security and Technology Department as a cyber threat analyst. Today, I’ll be presenting our proposal to address the CEO’s mandate to protect the organization from dangerous ransomware attacks. Let’s get started. 1 <insert narration> AGENDA 2 Logistics through innovation, dedication, and technology – MERCURY USA Delivers! Tell your audience what you intend to cover in your proposal. This is the PURPOSE of your communication! You should cover the three areas enumerated in the Project 3 instructions. Ensure you link your main points to your earlier work in Project #1 and Project #2. Although three main points is considered ideal, use less or more to fit your project; four main points are shown here for example purposes only. The three projects should be consistent and aligned with Judy “Mac” McNamara’s guidance. 2 Main Point #1 Main Point #2 Main Point #3 Main Point #4 1: OUR BUSINESS CASE 3 Logistics through innovation, dedication, and technology – MERCURY USA Delivers! <insert narration> What are the important factors about the business? What is the CEO’s intent and guidance? How do the first two items relate to the next slides? Example sub-bullet #1 Example sub-bullet #2 Example sub-bullet #3 This is main point #1. Provide no more than six bullets to expand on your topic. Limit each bullet to around six words. This is known as the 6 x 6 rule of presenting. On this slide, you should cover the business case. Think of this as the value to the business that will result from your recommendations. How does your recommendation meet the CEO’s direction and intent? Tell your audience members the what, why, how, and who so that they can make an informed decision about your proposal. If you do not cover these areas adequately, you may not get a decision, you may get a negative decision, or you may be told to come back after you’ve done your due diligence. 3 2: OUR SECURITY POSTURE 4 Logistics through innovation, dedication, and technology – MERCURY USA Delivers! <insert narration> What are the most important vulnerabilities discovered? What is our exposure to known threats? How did you link the results to the business? Transportation industry hit hard by ransomware attacks Example #1: Use your findings and conduct research [1] Example #2: Use your findings and conduct research This is main point #2. Provide no more than six bullets to expand on your topic. Limit each bullet to around six words. This is known as the 6 x 6 rule of presenting. What vulnerabilities did you find in your analysis? What are the most important to tell the CEO about? Why are the vulnerabilities you selected important to the business? Ensure you explain in plain language, not technical jargon or cyber-speak. What are the threats that you see to the business given the scenario? Now consid ...

insert narrationTitleCMIT 421 Section #Student Na

TatianaMajor22

insert narrationTitleCMIT 421 Section #Student Na

LaticiaGrissomzz

Shifting security left to the earliest part of development is currently in the spotlight in the developer world. What teams are now discovering is, this approach results in misdirected ownership for developers and a frustrated security team. In the current climate, we cannot afford to let security implementations falter. It's time to manage your team's energies to maximize DevOps efficiency, all the while maintaining top security standards. Join Shlomo Bielak, and learn how to keep your DevSecOps team focused and connected without creating silos.

Shift Left Security: Development Does Not Want to Own It.

Aggregage

ISACA_21st century technologist

Donald Tabone

Cloud has brought in the concept of managing security within bounded contexts. All else is outside the scope of the service provider or the hosting vendor. How do you plan for scope security activities around the nebulous scope of the cloud especially in a hybrid / multi cloud scenarios where clear cut boundaries are not well defined.How can architecture frameworks help you to fix this issue which is like trying to safeguard a fort not knowing which doors to lock and where to start ?The talk will focus on how enterprise architecture frameworks can help create the much needed trace ability and help define the scope of the security architecture activity. Using tried and tested means has the advantage of not having to reinvent the wheel and avoid missing out plugging the weak links within your enterprise.

Fixing security in the cloud, you can't secure what you cannot see 11 oct2019

Eturnti Consulting Pvt Ltd

Running outdated and unsupported technology is a real risk for organizations. Discover how to mitigate this risk by keeping your technology product data clean and up to date. LeanIX offers an innovative software-as-a-service solution for Enterprise Architecture Management (EAM), based either in a public cloud or the client’s data center. Companies like Adidas, Axel Springer, Helvetia, RWE, Trusted Shops and Zalando use LeanIX Enterprise Architecture Management tool. Free Trial: http://bit.ly/LeanIXDemoS

How to manage technology obsolescence with LeanIX Enterprise Architecture Man...

LeanIX GmbH

TDWI Munich 2019 What does it take to operationalize machine learning and AI in an enterprise setting? Machine learning in an enterprise setting is difficult, but it seems easy. All you need is some smart people, some tools, and some data. It’s a long way from the environment needed to build ML applications to the environment to run them in an enterprise. Most of what we know about production ML and AI come from the world of web and digital startups and consumer services, where ML is a core part of the services they provide. These companies have fewer constraints than most enterprises do. This session describes the nature of ML and AI applications and the overall environment they operate in, explains some important concepts about production operations, and offers some observations and advice for anyone trying to build and deploy such systems.

Operationalizing Machine Learning in the Enterprise

mark madsen

Similar a Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done (20)

Some experiences from early-stage Australian startups

Will there be an IT Risk Management 2.0?

How Product Managers Thrive in a DevOps World

A Product Manager's Place in a DevOps World

Opsec for security researchers

Risk profiling

Bilot 3mode

Ten lessons I painfully learnt while moving from software developer to entrep...

Choked by technical debt?

Product Management - pitfalls of Data Driven Development

Risk Management ProcessTraining Session Victor Allen.docx

Build Automate and Test Strategies - BATMAN

Being a professional software tester

insert narrationTitleCMIT 421 Section #Student Na

Shift Left Security: Development Does Not Want to Own It.

ISACA_21st century technologist

Fixing security in the cloud, you can't secure what you cannot see 11 oct2019

How to manage technology obsolescence with LeanIX Enterprise Architecture Man...

Operationalizing Machine Learning in the Enterprise

Más de NoNameCon

https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/ For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...

NoNameCon

Originally published https://speakerdeck.com/vixentael/data-encryption-cyberkids-edition Exercises https://www.dropbox.com/s/rbyvvaw9c7vs4ib/cyberkids-encryption-example.pdf?dl=0 NoName CyberKids – charity event for kids and their parents during NoNameCon to teach basics of privacy, security, encryption, anti-bullying, behaviour in social networks, lock picking. https://nonamecon.org https://www.facebook.com/events/2048121308814429/

Anastasiia Vixentael – Encryption basics [NoName CyberKids]

NoNameCon

Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]

NoNameCon

Original slides https://www.slideshare.net/OlgaPasko/hunting-fileless-malware-149129867 Workshop by Olha Pasko at NoNameCon 2019. https://nonamecon.org Fileless malware and system tools as bypass techniques in cyber-attack. Hunting with SysInternals tools and Digital Forensics techniques. 1. Fileless malware and system tools as bypass technique: an explanation of “bypass technique” and “fileless malware”. Creating custom fileless malware by abusing Powershell. 2. Threat hunting with Sysinternals tools: an explanation of system processes, threads, jobs, resources. Anomaly detection of system processes with Sysinternals tools. Fileless malware detection. 3. Threat hunting with Digital Forensics techniques: an explanation of “digital forensics”. Acquisition and analysis of RAM memory dump with Digital Forensics tools. 4. Summary or “what can participant obtain from this workshop”: knowledge about top bypass techniques, hard skills for detection and hunting malicious code, understand differences of hunting with SysInternals and Digital Forensics tools.

Olha Pasko - Hunting fileless malware [workshop]

NoNameCon

Talk by Nazar Tymoshyk at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/GSRUTP/ Incident Detection & Response requires People - to Think, Tools - to provide data and analytics and Processes - to avoid fuckups and assure the quality. But with more alerts, the analysis takes more time, decisions and moreover - actions need to be taken immediately. Attackers actively use automation, so Defenders should also optimize their processes. In our presentation, we'd like to share with the community our lessons learned. Our focus would be on practical moments, the challenges we faced and the simple working solutions we discovered. We plan to challenge the audience with simple but vital questions that will help to establish a good communication bridge to make this delivery effective and valuable for engineers to improve their defense. We'd like to discuss also a variety of actions to be taken after the incident is confirmed. Come and take it.

Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...

NoNameCon

Talk by Ruslan Kiyanchuk at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/NKB9UF/ Огляд українських криптографічних алгоритмів та стандартів З метою замінити застарілий радянський стандарт шифрування ГОСТ 28147-89 успадкований багатьма країнами СНД, у 2006-му році Служба Безпеки України оголосила відкритий конкурс криптографічних алгоритмів. Знадобилося 8 років розробки, бюрократії, Майдан та революція, щоб стандарт нарешті прийняли: і ось у 2015-му році світ побачили ДСТУ 7624:2014 та ДСТУ 7564:2014 — українські національні стандарти криптографічного захисту інформації, розроблені українськими криптографами. Стандартизованими алгоритмами стали блоковий шифр «Калина» та функція хешування «Купина». У доповіді розглянемо умови та хід проведення конкурсу, криптоалгоритми, котрі брали участь у конкурсі, їхні властивості, переваги та недоліки, а також перспективи застосування у сучасних інформаційних системах.

Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії

NoNameCon

Talk by Artem Storozhuk at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/NUMHDY/ The search over encrypted data is the modern cryptographic engineering problem. We will talk about existing approaches (both well-known and modern), and concentrate on practical solution based on blind index technique to search data in databases. What’s inside: cryptographic and functional schemes, implementation details, practical security evaluation (risk modelling and potential attacks). We will show how theoretical models turn into real, usable, maintainable, security tools. Lately most conscious companies store data in databases encrypted, but search over encrypted data is still a challenge. There are many existing academic solutions, proposed over the course of years, like CryptDB, Homomorphic/SSE, PEKS, Mylar. Unfortunately, most approaches are far from being production ready, usable and maintainable. We will show the practical solution, that is based on a hardened version of blind indexing, a long-known technique that has several usability constraints and security caveats. There is an open source implementation CipherSweet, and cryptographically it’s pretty solid, but it stores keys on a client side, which may lead to potential problems during usage. Our solution doesn't share this design approach, since the generation of index references and keys to them are stored in a separate node, away from all untrusted sides (client application, backend application, database). Also, our solution enforces several limitations on data, which is going to limit collision risks mentioned in the original technique. We will explain in details how it works, show the functional and cryptographic schemes, and dig into implementation details. We will show to the attendees the process of building complex security tool from theoretical concepts (and mathematical models) to production-ready software.

Artem Storozhuk - Search over encrypted records: from academic dreams to prod...

NoNameCon

Talk by Stephanie Vanroelen at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/ZFJFW8/ This talk is about top anti-virus apps on Mobile. An in depth look on how they work and what they do. Do they add to or break the security of the mobile OS? This talk is about top anti-virus apps on Android. An in-depth look at how they work and what they do. The focus will be on the top 5 android apps: Kaspersky Mobile Antivirus Avast Mobile Security Norton Security & Antivirus Sophos Mobile Security Security Master This talk will try to answer the following questions: Do they add to or break the security of the Android sandbox system? What type of information is being shared back to the company (if any)? Are these apps well built? Finally, I will address the following: Do I recommend any of these apps and if so which one and why?

Stephanie Vanroelen - Mobile Anti-Virus apps exposed

NoNameCon

Talk by Oksana Safronova at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/AXCDXU/ Before the real incident happens, security team must test their detection capabilities in different ways. An overview of MITRE ATT&CK Matrix, test environments and other friends of Blue Team. Obstacles, unexpected discoveries, lack of information, a flood of logs, new technologies - you will meet them all if you want to build an effective defense team. The talk will expend the next topics based on the experience we have: How to test the security team's detection and incident response processes Best practices for endpoint monitoring tools configuration Some problems, that defense team can encounter Additional resources that can help you detect threats

Oksana Safronova - Will you detect it or not? How to check if security team i...

NoNameCon

Talk by Bert Heitink at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/DXN7DM/ There's no such thing as 100% security, but this talk will demonstrate 10 main topics what needs attention to reduce the risk of being hacked. Our current digital era creates a lot of possibilities, also for Ukraine! But how to deal with the threats on business and national level? 10 pragmatic steps you cannot ignore and are indisputable. Some are easy to implement, even tomorrow.

Bert Heitink - 10 major steps for Cybersecurity

NoNameCon

Talk by Ievgen Kulyk at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/HMVMNL/ There are a lot of packers/protectors used to hide the functionality of the software. Sometimes this software is legal, sometimes malicious. It is vital to be able to unpack such software for future investigation. But the main issue is that many commercial protections use different algorithms to make automation of unpacking difficult. We will discuss more advanced techniques that are powerful and can be used to break strong protection. We will talk about debugging without debugging API. Year, it's strange but it's real life. During the debugging, we often talk about debugging API on windows or ptrace routine on Linux. These mechanisms are provided by OS developers. So it is strongly recommended to use them for user-mode debugging (debugging in ring3). But software protection systems can use a lot of techniques for detecting and preventing debugging. In practical reverse engineering anti-anti debugging plugins can be used. The most famous of them: - Phantom and StrongOD (for OllyDbg); - ScyllaHide (for x64dbg, IDA Pro) But such plugins can only protect from well-known detection algorithms. If some unknown technique will be used they will fail. So we will talk about how to implement your own tracing/debugging engine without debugging API and hide such an engine from anti-debug. We will dive into kernel development and implement our engine from scratch.

Ievgen Kulyk - Advanced reverse engineering techniques in unpacking

NoNameCon

Talk byStanislav Kolenkin & Igor Khoroshchenko at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/3EXNKX/ We will try to describe the most interesting security problems with Kubernetes environments from a DevOps and Security side. We'll discuss the actual cloud security threats and trends for 2019. Look behind the curtain of modern data breaches, weak identity and access management and incident response flaws. The rise of Serverless and Kubernetes as Enterprise solutions and lack of related security expertise during SDLC. Summarize the analytics and practical researches on adversaries techniques and tactics, a mass scan of cloud services and the uncertainty of business impacts behind them. Provide materials for further education.

Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...

NoNameCon

Talk by Pavlo Zhavoronkov at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/BARKBD/ This speech will give you a complete understanding of how to get in jail by doing cybercrimes in Ukraine. What is autumn like in prison camps? This speech will give you a complete understanding of how to get in jail by doing cybercrimes in Ukraine. Speech contents: The complete overview of Ukrainian court practice on articles in the section "CRIME IN THE FIELD OF USE OF ELECTRONIC COMPUTING MACHINES (COMPUTERS), SYSTEMS AND COMPUTER NETWORKS AND DIGITAL COMMUNICATIONS NETWORKS" of the Criminal Code of Ukraine. Stories about the most famous Ukrainian cybercriminals. Thoughts on current state of Ukrainian judicial system.

Pavlo Zhavoronkov - What is autumn like in prison camps?

NoNameCon

Talk by Alexander Olenyev & Andrey Voloshin at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/AARZTL/ The complete list of (I hope) all {not only} publicly disclosed vulnerabilities in car hacking. Contains a detailed description of Who When How has been hacked, toolz and technics. Encourage every other-field pentester to use their skills in car hacking giving fundamental knowledge of where to start and what to expect. Tesla, BMW, Toyota, Nissan — few words about all of them 

Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!

NoNameCon

Talk by Kostiantyn Korsun at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/DA3TLK/ Про роль кібер-волонтерів та кібер-чиновників у сучасній кібер-війні Кібервійна проти України триває вже п'ять років. За цей час регулярні війська України стали однією з найбільш боєздатних армій Європи та Світу. Але чи став таким ж крутими кіберзахист України? У виступі серед інших обговорюватимуться наступні питання: Роль кібер-волонтерів та кібер-чиновників у сучасній кібер-війні; Наскільки ефективний кіберзахист державним коштом та скільки це коштує платнику податків; Оціночна ефективність роботи кібер-чиновників та кібер-міністерства; Яким шляхом краще йти кібер-Україні: довгим чи коротким, дешевим чи дорогим, закритим чи прозорим? Презентація майже повністю складається зі скріншотів #FRD та демонструє ретроспективу ролі волонтерської ініціативи #FRD та зміну ставлення до неї з часом.

Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...

NoNameCon

Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon

NoNameCon

Stas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop

NoNameCon

Serhii Korolenko - Passing Security By

NoNameCon

Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access

NoNameCon

Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...

NoNameCon

Más de NoNameCon (20)

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...

Anastasiia Vixentael – Encryption basics [NoName CyberKids]

Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]

Olha Pasko - Hunting fileless malware [workshop]

Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...

Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії

Artem Storozhuk - Search over encrypted records: from academic dreams to prod...

Stephanie Vanroelen - Mobile Anti-Virus apps exposed

Oksana Safronova - Will you detect it or not? How to check if security team i...

Bert Heitink - 10 major steps for Cybersecurity

Ievgen Kulyk - Advanced reverse engineering techniques in unpacking

Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...

Pavlo Zhavoronkov - What is autumn like in prison camps?

Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!

Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...

Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon

Stas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop

Serhii Korolenko - Passing Security By

Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access

Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...

Último

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

Real Time Object Detection Using Open CV

Khem

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done

1. Eugene Pilyankevich Chief Technical Officer, Cossack Labs GETTING SECURE AGAINST CHALLENGES OR GETTING SECURITY CHALLENGES DONE

2. # whoami (1997) -> #sprintnet, #x25zine, ru.nethack ;) (2002) -> security & network engineer. (2008) -> CTO in finance. (2012) -> C*O in software dev company. (2015) -> founder, CTO @ cossacklabs.com

3. Why security projects fail? ?

4. Problem 1

5. SOME STORIES TO START WITH Finnish SNAFU

6. SOME STORIES TO START WITH How to be smart and fail miserably.

7. CONCLUSIONS?

8. CONCLUSIONS? Clients are dumb!

9. CONCLUSIONS? So are engineers!

10. Nope.

11. ROOT CAUSE?

12. VALUES. ROOT CAUSE?

13. VALUES. LANGUAGE. ROOT CAUSE?

14. VALUES. LANGUAGE. REALITY MAPS. ROOT CAUSE?

15. ROOT CAUSE –

16. ROOT CAUSE –

17. ( ) ROOT CAUSE – ? ? ? ? ? ?

18. ROOT CAUSE – ? ? ? ? ? ? ? ? ?

19. ROOT CAUSE – ? ? ? ? ? ? ? ? ?

20.   People frequently suck at   making risk decisions under  pressure and uncertainty. Problem 1

21.

22. Problem 2?

23. TWO MORE STORIES Banking fraud prevention.

24. TWO MORE STORIES Managing risk for real.

25. Business risk is the possibility a company will have lower than anticipated proﬁts or experience a loss rather than taking a proﬁt.

26.

27. Problem 2  If you’re in an ivory tower,  no one will bother listening.

28. Let’s take a closer look: client.

29. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-speciﬁc.

30. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-speciﬁc. - Knowledge is not distributed evenly. 

31. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-speciﬁc. - Knowledge is not distributed evenly.  - FUD doesn’t work. 

32. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-speciﬁc. - Knowledge is not distributed evenly.  - FUD doesn’t work. - Speaking in business risk - helps.

33. TRY WALKING IN CLIENT’S SHOES Auditing crypto libraries for fun and proﬁt.

34. Domain-specific thinking High-level complex skills do not distribute across all behavior, and get reinforced locally.

35. FUD counteracts good decisions Scaring customer who’s facing the unknown leads to signiﬁcant decrease in quality of decision-making.

36. Double-layered risk aversion Instead of mitigating technological risks (proper risk aversion), people avoid making decisions about technological risks they don’t understand.

37. Compliance and forget Avoiding substance of compliance to mitigate risks?

38. Quid faciam?

39. Let’s take a closer look: supplier.

40. supplier client

41. Who has to cross the gap?

42. You are to cross the gap.

43. Misalignment and misunderstanding is default state anyway. You are to cross the gap.

44.

45. Own the problems

46. Ownership: example

47. Communicate risk properly

48. Communicate risk properly Technical risk, financial impact.

49. Communicate risk properly Technical risk, compliance impact.

50. Communicate risk properly Process risks with business impact.

51. Communicate risk properly Process risks with market impact.

52. Lead up the chain

53. Lead down the chain Lead up the chain

54. Leadership: Example

55. It’s actually fun!

56. Examples: talk to your manager

57. Examples: talk to your customer

58. Examples Manager is a passthru with process lubrication capabilities, if you take care of the hard details.

59. Examples. Manager is pain in the ass, if you don’t take care of technical details.

60. Examples are sad

61. Praxis.

62. Talk human. - Docs & business materials. 

63. Talk human. - Docs & business materials. - Talk to customers soon.

64. Take over processes. - Self-learning processes. - Reinforce ownership.

65. Love compliance. - PCIDSS, HIPAA, oldschool. - GDPR.

66. Avoiding domain speciﬁcity. - Multi-skilled team. - Boring smoothie tech is relevant.

67. Talk real risk.

68. Ain’t no fun unless you ﬁnd it.

69. web: cossacklabs.com mail: eugene@cossacklabs.com Thank you.

Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done

Recomendados

Recomendados

Más contenido relacionado

Similar a Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done

Similar a Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done (20)

Más de NoNameCon

Más de NoNameCon (20)

Último

Último (20)

Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done