RSA 2017 USA 笔记

1、应用安全：

https://bestpractices.coreinfrastructure.org/projects/new

https://www.coreinfrastructure.org/resources  华为Google、微软、Facebook等厂商

https://www.sonarqube.org/

AFL

http://frama-c.com/

https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities

培训是安全和开发的桥梁

Creates a connection between security and developers 

2、报告：

http://www.isaca.org/cyber/pages/state-of-cybersecurity-implications-for-2017.aspx

http://www.howtomeasureanything.com/cybersecurity/#downloads

https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf

https://www.cloudfoundry.org/wp-content/uploads/2016/06/Cloud-Foundry-2016-Container-Report.pdf

https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2016.pdf

http://www.rightscale.com/blog/cloud-industry-insights/new-devopstrends-2016-state-cloud-survey

https://cispe.cloud/wp-content/uploads/pdf/CISPE-PRESS-RELEASE-27092016.pdf

https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm

0 day report Q1 2017 prediction 

http://cybersecurityventures.com/zero-day-vulnerabilities-attacks-exploits-report-2017/

NopSec, 2015 State of Vulnerability Risk Management

http://info.nopsec.com/rs/736-UGK-525/images/NopSec_StateofVulnRisk_WhitePaper_2015.pdf

The State of Digital Third-Party Risk 2016 Report -http://en.softtek.co/tprisk2016

Review:

DHSStrategic Principles For Securing The Internet Of Things

FDAPostmarket Management of Cybersecurity in Medical Devices

NHTSACybersecurity Best Practices for Modern Vehicles

DODDigital Vulnerability Disclosure Policy

White HousePresident’s Commission Report on Enhancing National Cybersecurity

—Testimonyto President’s Commission on Enhancing National Cybersecurityby Joshua Corman

Commerce NTIA Department of Commerce Multistakeholder Process: Cybersecurity Vulnerabilities

Consider the 6 ways Safety IoTare different

https://www.iamthecavalry.org/iotdifferences/

Review the 5 Star CybersafetyFramework and Hippocratic Oath

https://www.iamthecavalry.org/5star/

https://www.iamthecavalry.org/oath/

https://www.tag-cyber.com/Annual/2017/

3、Devopssec:

https://vimeo.com/165861695
AWS_IR: 

https://aws-ir.readthedocs.io/en/latest/

Margarita Shotgun (EC2Memory Imaging): 

https://margaritashotgun.readthedocs.io/en/latest/ 

Cloud Custodian:

https://github.com/capitalone/cloud-custodian

FIDO: 

https://github.com/Netflix/Fido

4、云平台安全

csv-t10-what-is-needed-in-the-next-generation-cloud-trusted-platform.pdf

微软云渗透测试视频

https://www.youtube.com/watch?v=dq1FfSTrqwo&index=6&list=PL8nfc9haGeb5IZGM8HvmRozetHRpBDKSw

5、安全管理

https://www.mindtools.com/

6、暗网相关

7、安全趋势

http://www.information-age.com/gartner-picks-out-top-ten-cyber-security-technologies-2016-123461612/

8、安全度量

Measure vs. metric
I had 2 eggs for breakfast this morning
It’s 53 degrees in San Francisco, CA
This session is 40 minutes long
A measure (or measurement) is the value of a specific characteristic of a given entity (collected data).
A metric is the aggregation of one or more measures to create a piece of business intelligence, in context.

GQIM（首先有业务目标，有要达到的安全目标，有问题，有观察指数、有数据证明）

Strategic
Business Objective: Mitigate insider threats by ensuring appropriate levels of system access for all users.

Goal: Ensure all users have the proper level of system access for their job responsibilities.

Question: Do all users have appropriate system access?

Indicators:Inventory of IT systems with security and access attributes
Current list of users with approved security attributes
An ability to compare IT systems access and users list

Metrics:(more user centric)
Time (min, max, med) to add a new system to inventory
Time (min, max, med) to remove access when violation is discovered “Age” Time (min, max, med) of security and access attributes

9、合规

GDPR

GDPR Full Regulations: http://ec.europa.eu/justice/dataprotection/

reform/files/regulation_oj_en.pdf

IAPP Top 10 Operational Impacts of GDPR:

https://iapp.org/resources/article/top‐10‐operational‐impacts‐of‐the‐gdpr/

IBM GDPR Webinar recordings (5): http://ibm.biz/GDPRWebinars

GDPR Blog‐ Learn, Think, Prepare: http://ibm.biz/BdsAye

IBM Security GDPR: http://www‐03.ibm.com/security/campaign/gdpr.html

10、网络犯罪

FireEYE提议

grc-r03-your-sector-doesnt-matter-achieving-effective-threat-prioritization.pdf

11、大数据安全

https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf

PrivacyCon 2017 and 2016

12、书籍

Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

ISBN: 9781597496155

Amazon Link: http://amzn.to/hyrMvC

Measuring and Managing Information Risk: A FAIR Approach

ISBN: 978-0124202313

Amazon Link: http://amzn.com/0124202314

13、攻击相关

https://blogs.technet.microsoft.com/uspartner_ts2team/2017/02/14/advanced-threat-analytics-ata-attack-simulation-playbook/

Exploit Sales

Remote browser or document-based exploits can go for >$10K USD

Remote Windows Kernel bugs can go for >$100K USD

Zerodiumpaid $1M USD to a group who disclosed a iOS remote jailbreak exploit -https://www.zerodium.com/ios9.html

Bug Bounty Examples:

United Airlines –Will pay up to 1 million award miles for disclosures

—https://www.united.com/web/en-US/content/Contact/bugbounty.aspx

Google –Will pay various amounts depending on the severity of the bug

—https://www.google.com/about/appsecurity/reward-program/

Microsoft –Will pay up to $100K USD for exploitable bugs and exploit mitigation bypass techniques

—https://technet.microsoft.com/en-us/library/dn425036.aspx

CanSecWestPwn2Own –Annual conference and challenge in Vancouver, CA offering high-priced bounties

—https://www.cansecwest.com/

攻击自动化：hta-w02-devoops-attacks-and-defenses-for-devops-toolchains.pdf

案例是AWS的账号被攻击，利用AK竟然开通了N多实例导致一个月50000美金的单子；

自动化攻击获取到GITHUB AWS的AK信息导致泄露2500个比特币；

AWS的ak被获取后导致所有实例被删除导致codebase倒闭；

Pastebin-like sites

GitHub

—Gists

—Code Repositories 

BitBucket, CodeCommit, etc

—https://en.wikipedia.org/wiki/Comparison_of_source_code_hosting_facilities

https://github.com/jordan-wright/dumpmon

https://github.com/xme/pastemon

https://github.com/cvandeplas/pystemon

https://api.slack.com/methods/team.accessLogs

https://github.com/maus-/slack-auditor

攻击类型：

Accidental leak

Espionage

Financial fraud

Misuse

Opportunistic data theft

Physical theft

Product alteration

Sabotage

Violence 

14、工具

https://github.com/openstack/syntribos

https://github.com/awslabs/aws-security-benchmark

Serverless Hacking Tools

https://github.com/wickett/lambhack

https://github.com/continuumsecurity/bdd-security

http://gauntlt.org/

github监控：

https://github.com/michenriksen/gitrob

https://gitmonitor.com/

http://www.radare.org/

http://www.hex-rays.com

Zynamics/Google’s BinDiff: Free as of March 18, 2016!

Core Security’s turbodiff:Free

DarunGrim4 by JeongwookOh:Free

patchdiff2 by Nicolas Pouvesle: Free

Diaphoraby JoxeanKoret

Kernel Executive, SRM, Subsystems, System Calls, Kernel Objects

Kernel Structures such as EPROCESS, KPROCESS, ETHREAD, KTHREAD, TLS, KPRCB, KPCR

The Hardware Abstraction Layer (HAL)

Mutexesand SpinLocks

Driver behavior (IOCTL, IRP, Bus)

http://virtualkd.sysprogs.org/

Control Flow Guard (CFG)

—Aimed at stopping Return Oriented Programming (ROP)

Browser Specific Controls: MemGCand Isolated Heaps

—Aimed at stopping Use After Free (UAF) exploitation

Kernel Specific Controls: Guard Pages, Kernel Pool Cookies, Null PtrDerefProt

Proposed Mitigations: Shadow Stacks and Control Flow Integrity (CFI)

Oldies but Goodies: ASLR, DEP, Canaries, Safe Unlink, LFH, EMET**

Osquery
(OSX/Linux/Windows*)
Doorman
Block Block
Little Snitch
Carbon Black / Sysmon
Splunk/ ELK
Simian
Munki

git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.

aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.

aws-config-rules - [Node, Python, Java] Repository of sample Custom Rules for AWS Config

Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.

Netflix/edda - Edda is a Service to track changes in your cloud deployments.

ThreatResponse - Open Source Security Suite for hardening and responding in AWS.

CloudSploit – Capturing things like open security groups, misconfigured VPCs and more.

Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.

Capitalone/cloud-custodian - Rules engine for AWS fleet management.

15、研究者BLOG

http://carnal0wnage.attackresearch.com

16、ServerLess安全

http://martinfowler.com/articles/serverless.html

17、政府外包相关

https://www.challenge.gov/list/

https://www.fbo.gov/?s=opportunity&mode=list&tab=list

18、Container Security

csv-r03-orchestration-ownage-exploiting-container-centric_-datacenter-platforms.pdf

19、密码安全

https://emergency.cdc.gov/

20、威胁分析

Analysis by Intel’s Threat Agent Analysis Group

http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf

https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/Intel%20-%20Threat%20Agent%20Library%20Helps%20Identify%20Information%20Security%20Risks.pdf

https://communities.intel.com/docs/DOC-23914

https://communities.intel.com/docs/DOC-1151

21、内部威胁

http://ow.ly/CLux308vUbP

https://www.cert.org/insider-threat

http://www.charlottesafetyconference.com/Health%20and%20Safetys%20Role%20in%20Mitigating%20Insider%20Threats.pdf

https://hrinsider.ca/hot-topic-centres/workplace-violence

https://hrinsider.ca/specialreports/WPV%20Compliance%20Kit%20-%20140%20pg.pdf

https://www.google.com.hk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwjT2JPTuY_SAhWEFpQKHWGUBJUQFggpMAI&url=https%3A%2F%2Fwww.sans.org%2Freading-room%2Fwhitepapers%2Fincident%2Fmitigating-insider-sabotage-33189&usg=AFQjCNG_BR3fe81O7gI_w44EEklGiOmDCw&sig2=l_ezAxUR6EF1_jsZ2V57Mw

Insider Cyber Sabotage

Insider Workplace Violence

http://www.sei.cmu.edu/reports/12tr012.pdf

http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=484738

22、投资和预算

momentum.partners

Improving Healthcare Risk Assessments to Maximize Security

Budgets(how to tailor the model for your environment):

http://ow.ly/1W2H308vUfx

23、风控

设备指纹

https://github.com/Song-Li/cross_browser

http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf

24、国内外网络犯罪

http://www.zdnet.com/article/string-of-cyberattacks-against-global-banks-linked-to-lazarus-cybercrime-group/

https://github.com/secmobi/slides/blob/master/2017.UndergroundEconomyAppleID_BSidesSF.pdf

25、基础设施监控

https://www.datadoghq.com/

26、IAM

PCMA（认证成熟度）

Identity Proofing  身份证明

Primary Credential Usage

C0 No credential 

Ca Session cookies 

Cb Known device 

Cc Shared secret such as a username and password combination

Cd Cryptographic proof of key possession using shared key 

Ce Cryptographic proof of key possession using asymmetric key 

Primary Credential Management

Assertion Presentation

Aa No protection / unsigned assertion 

Ab Signed and verifiable assertion, passed through the browser 

Ac Signed and verifiable assertion, passed through a back channel 

Ad Assertion encrypted to the relying party’s key and audience protected

http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

人在说话的时候涉及到70-100个肌肉，包括喉咙（9块肌肉、4个神经、4个声带、6个肉骨）、声道、脑、听力、肺部

[ISO/IEC JTC1 2382-37:2012 

http://www.biometricsinstitute.org

www.PingIdentity.com 

www.Swirlds.com

Identity Analytics and Intelligence (IAI)

https://www.attachmate.com/library/docs/02_identity_analytics.pdf

https://www.google.com.hk/search?num=100&newwindow=1&safe=strict&site=&source=hp&q=Identity+Analytics+and+Intelligence+%28IAI%29&oq=Identity+Analytics+and+Intelligence+%28IAI%29&gs_l=hp.3...327.327.0.522.2.2.0.0.0.0.82.154.2.2.0....0...1c.1.64.hp..0.0.0.0.tY--F89ZnGA

Electronically Stored Information

http://searchcompliance.techtarget.com/definition/electronically-stored-information-ESI

27、RSA的书籍

https://www.rsaconference.com/blogs?category=security-reading-room

28、CVE相关

https://cveform.mitre.org/

https://cvementor.org/

29、安全架构

fon1-w03-cybersecurity-roadmap-global-healthcare-security-architecture_copy.pdf

30、IOT相关

https://www.iotvillage.org/

https://www.dhs.gov/news/2016/11/15/dhs-releases-strategic-principles-securing-internet-things

31、DEVSECOPS

http://www.devsecops.org/presentations/

32、容器相关(Docker)

http://www.infoq.com/cn/articles/docker-kernel-knowledge-namespace-resource-isolation

33、云安全

https://www.rsaconference.com/writable/presentations/file_upload/tech-t09r-a-virtual-and-software-defined-security-architecture-workshop.pdf

NIST IR 7904 –USG recommendation for “Trusted Geolocation in the Cloud” 

Hardware TXT, AESNI, DRNG, CryptoNI 

Software Linux, KVM, OpenStack, CloudForms, Ceph, VMWare (VCenter, VSphere, ESXi), OpenCIT, Hytrust, Cloud Raxak

OpenStack Security

https://docs.openstack.org/security-guide/

OpenCIT 

https://01.org/

Account Breach Phishing Protect Identity through FIDO Asses and Protect yourself in Office 365 Ransomware #RSAC

Stay Safe

AccountBreach

https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/https://blogs.office.com/2016/06/01/gain-enhanced-visibility-and-control-with-office-365-advanced-security-management/https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection

Phishing

https://products.office.com/en-us/exchange/online-email-threat-protection

Protect Identitythrough FIDO

https://fidoalliance.org

Assesand Protectyourself in Office365

https://securescore.office.com/https://products.office.com/en-us/business/office-365-trust-center-top-10-trust-tenets-cloud-security-and-privacy

Ransomware

https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspxhttps://blogs.technet.microsoft.com/sposupport/2016/09/19/handling-ransomware-in-sharepoint-online/

14

33、小型机测试

Logica Breach, Tools: https://github.com/mainframed

Nmap, Metasploit Scripts: https://github.com/zedsec390

Blog Chad: https://www.bigendiansmalls.com/

Blog Phil: http://mainframed767.tumblr.com/

Other Talks: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n

IBM Emulated Mainframe: http://www-03.ibm.com/software/products/en/ibm-z-systems-development-and-testenvironment