Automation: The insider threat you didn't know you had
Cyber Wars Day 2 (Technical) 2018
John Gleason, DevOps Engineer

About ISE
- Perspective: White box
- Analysts: Hackers; Cryptographers; RE
- Exploits: iPhone; Android; Ford; Exxon; Diebold
- Research: Routers; NAS; Healthcare
- Customers: Companies with high value assets

About Me
- ISE for 6 months
- Previously with Accenture
- I write lots of PowerShell
- Spend lots of time designing, building, and maintaining cloud environments

Introduction
- Automation is everywhere
- I leveraged my experience scripting games to automate IT systems
- My experience comes from:
  - Automated compliance audit tools
  - Automated orchestration systems
  - CI/CD systems leveraging industry standard toolchains

Goals
- Describe common automation patterns / problems
- Classify these issues
- Pose questions for use in audits

Development Automation
GIT, Subversion, TFVC
Source and version control systems automate the business logic of maintaining source code

Source control through a telescope
- Central system tracks all changes or modifications
- Keeps full history of changes
- Allows for simultaneous edits, coordinates conflict resolution
- Source code copied to developer machines for edit

Secrets in Source
If you don't have ANY, go get yourself some refreshment
But, for the rest of us

What's the Threat?
One compromised development machine = Credentials to production systems exposed
Which credentials? 1. 2. 3.

Questions
- Does the problem exist in your organization?
- Do you know how to fix it if it does occur?*
*Each system has its own way of handling this; I have included links to official documentation in the references
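
One way to answer the first question, as an added example (not part of the original slides): because the central system keeps full history and every developer machine holds a copy, a credential deleted in a later commit is still exposed. The sample log, file name and patterns below are constructed assumptions.

```python
import re

# Constructed sample shaped like `git log --reverse -p --format='commit %H'` output.
SAMPLE_LOG = '''\
commit 1111111111111111111111111111111111111111
diff --git a/deploy.ps1 b/deploy.ps1
--- /dev/null
+++ b/deploy.ps1
@@ -0,0 +1,2 @@
+$user = "svc-deploy"
+$password = "EXAMPLE-not-a-real-secret-1"
commit 2222222222222222222222222222222222222222
diff --git a/deploy.ps1 b/deploy.ps1
--- a/deploy.ps1
+++ b/deploy.ps1
@@ -1,2 +1,2 @@
 $user = "svc-deploy"
-$password = "EXAMPLE-not-a-real-secret-1"
+$password = $env:DEPLOY_PASSWORD
'''

# Illustrative patterns only (an assumption); \x22 and \x27 are the two quote characters.
PATTERNS = {
    "hardcoded credential": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*[\x22\x27][^\x22\x27]{8,}[\x22\x27]"),
    "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def scan_history(log_text):
    """Report every secret-like line ever added; the log must be oldest commit first."""
    findings, still_present = [], {}
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1][:7], None
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif path is None or line.startswith(("+++ ", "--- ")):
            continue  # commit message or file header, not file content
        elif line.startswith(("+", "-")):
            text = line[1:].strip()
            kind = next((k for k, rx in PATTERNS.items() if rx.search(text)), None)
            if kind and line[0] == "+":
                found = {"commit": commit, "path": path, "kind": kind, "in_head": True}
                still_present[(path, text)] = found
                findings.append(found)
            elif kind and (path, text) in still_present:
                # Removed later, but the earlier commit still carries it in every clone.
                still_present.pop((path, text))["in_head"] = False
    return findings
```

A finding with `in_head` set to False is gone from the current files but not from history, so the credential still has to be rotated.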

IT Operations

Example Architecture
- Web Tier
- App Tier

Automated Process
1. Identify Patch Levels
2. Download Patches
3. Remove from load balancer
4. Maintain Proper sequence
5. Patch and Reboot
6. Test for Success
7. Return to load balancer

Example Assumptions
1. Infrastructure in place
2. Actions require elevated rights

Approach
- Web Tier
- App Tier

Approach ?

What's the threat?
- Hard to maintain
- Hard to teach
- Application account with admin creds
- Sustained or Recurring Outages

Resolution?
Separate Application and Admin Identities

Questions
- Are independent systems within the application stack running with unique credentials, which only have the necessary rights to perform that system's tasks?
- Are there any accounts being used to programmatically manage or manipulate multiple layers of the application stack?

Infrastructure Automation
- Automation tools can cause outages
- But as systems scale, tools are necessary

Example Tool
- Server1, Server2, Server3, Server4
- Web Tier, App Tier
Needs tools at scale!

Example Tool Fixed

Tenets
- Always commit to source control
- Always peer review
- Always test in non-production environments

Questions
- Are scripts and tools, as well as the processes and procedures to leverage them, maintained in a version control system?
- Are scripts and tools, as well as the management processes, peer reviewed and each capability tested before it is implemented and used against production systems?

Security Auditing
Code runs on the client

What happened?
- Maybe a default configuration?
- The report wasn't reviewed

Auditing Tools
- Required component of security audits
- Must be interpreted by a human
- Otherwise, potential for disillusionment that could let vulnerabilities go unresolved

Questions
- Were you involved in the process of interpreting results of an application security assessment to vet and corroborate issues discovered, and were any issues and their respective resolutions documented?

Wrap Up
- Automation systems are software too
- Even small scripts count
- Defensive coding
- Teams and Tools

Our Links
https://securityevaluators.com
https://iotvillage.com
https://blog.securityevaluators.com/
https://blog.securityevaluators.com/iselabs/home

Contact Me
Twitter: @johnnygtech
Email: [email protected]