Propelling security

•Als PPTX, PDF herunterladen•

0 gefällt mir•65 views

This document discusses various security topics including application security, injection vulnerabilities, infrastructure security, and developing a security strategy and plan. It covers the Open Web Application Security Project (OWASP) top 10 risks, examples of SQL and OS injection vulnerabilities, mitigation techniques like input validation and web application firewalls, and approaches to infrastructure security like preventing DDoS attacks and unauthorized access. The importance of continuous improvement, monitoring, and prioritizing security is emphasized.

Technologie

Propelling Security
Driving security that makes sense

Why is security important ?
● Data security : protect users who use your website
● Network security : protect your infrastructure from DOS, Spyware & unintended
misuse.
Source : http://breachlevelindex.com/

Application Security
● What is OWASP top 10 ?
○ Open Web Application Security Project
○ Focus on making security visible
○ Help organizations can take informed decisions
○ Top 10 most critical application security risks
○ Available at http://www.owasp.org

How OWASP helps?
● Check if your application is vulnerable
● Sample attack patterns
● Prevention guidelines
● What is the Business impact?
○ sell it to your investors
Most critical vulnerability in 2017 : Injection

SQL / NoSQL injection
Query in code : String sql = "SELECT * FROM USERS WHERE
USERID='"+request.getParameter("id")+"'";
App url : http://mywebsite.com/app/userView?id='123' or '1'='1
Query which gets executed : "SELECT * FROM USERS WHERE USERID='123 or
'1'='1'";
What if someone is able to execute
"SELECT * FROM USERS WHERE USERID='123'; DROP TABLE USERS;"

OS Command injection
Code : delete.php
<?php
$file = $_GET['filename'];
system("rm $file");
?>
URL : http://mywebsite.com/delete.php?filename=abc;ls -l
What if the attacker runs :
URL : http://mywebsite.com/delete.php?filename=abc;cat dbconfig.php

Injection : Story
Vulnerabilities exploited
● file upload
● sql injections
Attacker uploaded webshell
get yours at https://github.com/JohnTroony/php-webshells.git
shell used : c99_locus7s.php
● what did the attacker get ?
● how was the attacker discovered ?

Mitigating injections
● Check user input
○ type check : string, int, float
○ format check : ip address, email
● Web application firewall
○ 3rd party tool
○ WAF by AWS / Akamai

Network / Infrasturcture security
● DDOS
○ Personal experience story
○ Letsbuy DDOS attack
■ SYN flooding
○ How was it mitigated ?
● Common solutions to DDOS
○ Reverse proxy
○ IP Blocking ?
○ Paid solutions - Akamai / AWS

Infrastructure misuse
● AWS Hacking story
● Discovery ?
● Mitigation ?

Security Strategy
● Figure out where you stand
● Prioritize security
● Creating an action plan

Application security plan
● Keep a lookout on latest security vulnerabilities
○ OWASP top 10
● Collect and analyze all data
○ ELK ?
○ Know your users
○ Anomaly alerts based on Traffic / Database query
● Get WAF (specifically startups)
○ Progressive tuning required
● Black Box / gray box scanning
○ On premise tool : Acunetix web application vulnerability scanner
○ 3rd party black box scans at regular intervals

Infrastructure security plan
● DDOS prevention strategy
○ AWS / Firewall / Akamai
● DNS attacks
○ DNS DOS attack
○ SYN Flooding
○ DNS hijacking
● Protect your DNS
○ Use better DNS provider
○ Ultra DNS
○ Route 53

Can I handle phishing ?
● Replica websites
○ Have you received phishing mails of hdfc / icici bank ?
● Strategy to detect phishing
○ Honeypot
○ Logging / monitoring

Continuous improvement plan
● Change organization culture
● Code review : is this code secure ?
● Security roadmap
● Track progress at regular intervals
○ JIRA Epic
○ Prioritization

Remember
Hackers are always 1 step ahead
No lock can stop a skilled thief
Q & A

Weitere ähnliche Inhalte

Was ist angesagt?

The growth of Internet of Things (IoT) in our daily life creates immense opportunities and benefits for our society. However, IoT security has not kept up with the same rapid pace of innovation and development. This situation creates substantial security flaws and putting our privacy at risk. This talk will present the new challenges we are facing with the new revolution of IoT, including concrete demonstrations. In addition, we will present possible solutions how to deal with those challenges. Finally, we will do some fun coding by a POC on one of these solutions.

Security in the IoT generation - Guy Rombaut - Codemotion Amsterdam 2017

Codemotion

Living with Determined Attackers MOSI Edition

James '-- Mckinlay

Vault and Security as a Service

Patrick Shields

A session by Pratik Jagdishwala on the best practices while securing your WordPress Powered website. The session was help in the Ctrl+F5 event organised by ResellerClub in cities across the country. The Presentation also includes tips on improving your WordPress powered website speed and performance. The concepts can be applied on WordPress or any other CMS powered website and even normal Websites.

ResellerClub Ctrl+F5 - WordPress Security session

Pratik Jagdishwala

Developers are taught to 'never trust the browser' to execute their client-side JavaScript. The inability for a developer to trust a browser has far reaching implications from not trusting client-side validation, to never being really sure the TLS connection doesn't have a man-in-the-middle. Software security such as white-box cryptography & obfuscation have been used in native environments for many years, but these techniques are hard in JS. We'll explain how these techniques can now be applied to JS code running in a web browser to secure it from MITM attacks.

Now you can trust the browser - Ben Gidley, Tim Charman - Codemotion Amsterda...

Codemotion

パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法

inet-lab

Secure wordpress

Prabesh Thapa

An encryption flaw, called the Heartbleed bug, is already referred to as one of the biggest security threats on the Internet. The flaw, announced on April 7th, allows an attacker to pull bits of data from a server and potentially access sensitive information. How did the Heartbleed bug happen? How does it affect your website? What can you do protect yourself? CloudFlare security engineer Nick Sullivan answers these and more questions on this CloudFlare webinar. At the last portion of the webinar we have Ben Murphy (one of the winners of the CloudFlare Heartbleed challenge) on a Q&A session. For more information on Heartbleed and the CloudFlare challenge, go to: http://bit.ly/1lVKy4O For more information on CloudFlare, visit www.cloudflare.com or dial 888-99-FLARE.

CloudFlare - The Heartbleed Bug - Webinar

Cloudflare

Xss attack

Ambuj Kumar

Basic WordPress Security

⚙ Stephen Harvey

CSRF_RSA_2008_Jeremiah_Grossman

guestdb261a

Openbar Leuven // Top 5 focus areas in cyber security linked to you digital t...

Openbar

CLUSIR INFONORD OWASP iot 2014

Sebastien Gioria

Forcepoint - Analýza chování uživatelů

MarketingArrowECS_CZ

SSH - From Zero to Hero

OWASP Khartoum

Was ist angesagt? (15)

Security in the IoT generation - Guy Rombaut - Codemotion Amsterdam 2017

Living with Determined Attackers MOSI Edition

Vault and Security as a Service

ResellerClub Ctrl+F5 - WordPress Security session

Now you can trust the browser - Ben Gidley, Tim Charman - Codemotion Amsterda...

パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法

Secure wordpress

CloudFlare - The Heartbleed Bug - Webinar

Xss attack

Basic WordPress Security

CSRF_RSA_2008_Jeremiah_Grossman

Openbar Leuven // Top 5 focus areas in cyber security linked to you digital t...

CLUSIR INFONORD OWASP iot 2014

Forcepoint - Analýza chování uživatelů

SSH - From Zero to Hero

Ähnlich wie Propelling security

Ab cs of software security

David Klassen

Owasp top 10 2013

Edouard de Lansalut

Uygulama guvenligi gunu - malicious web sites

Siber Güvenlik Derneği

Web Security: What's wrong, and how the bad guys can break your website

Andrew Sorensen

Bitglass Webinar - 5 Cloud Security Best Practices for 2018

Bitglass

Keeping web servers safe and profitable with Imunify360

CloudLinux

Problems with parameters b sides-msp

Mike Saunders

Security .NET.pdf

Abhi Jain

Sperasoft talks: Android Security Threats

Sperasoft

Is your organization prepared to face a large-scale attack from hacktivists or cybercriminals? This webinar provides a step-by-step plan to protect web applications using proven strategies from application security consultants that have been on the front lines of attack. This presentation from Imperva and WhiteHat Security outlines the steps your organization can take to implement a comprehensive strategy for repelling web attacks. This presentation will (1) describe the modern attack methods and tools used by hacktivists and cybercriminals (2) explain the processes and technologies you can use to safeguard your website (3) help you prioritize security efforts and identify security tips and tricks you might have overlooked.

A Blueprint for Web Attack Survival

Imperva

Glasswall - How to Prevent, Detect and React to Ransomware incidents

Dinis Cruz

6 - Web Application Security.pptx

AlmaOraevi

19BCP072_Presentation_Final.pdf

KunjJoshi14

Gartner recently released a report on IT security priorities for the remainder of 2014. Amongst respondents, network security, application security, endpoint security, and security services all ranked highly. In this quick-fire, half-day roadshow, Scalar brings you solutions to these problems from three of our most strategic security vendors, as well as a full presentation on our managed security services portfolio.

Scalar Security Roadshow - Vancouver Presentation

Scalar Decisions

Year Zero

leifdreizler

Scalar Security Roadshow - Calgary Presentation

Scalar Decisions

Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

Websec México, S.C.

2014 09-04-pj

Sébastien GIORIA

App Security and Securing App

Andreas Schranzhofer

OISF - AppSec Presentation

ThreatReel Podcast

Ähnlich wie Propelling security (20)

Ab cs of software security

Owasp top 10 2013

Uygulama guvenligi gunu - malicious web sites

Web Security: What's wrong, and how the bad guys can break your website

Bitglass Webinar - 5 Cloud Security Best Practices for 2018

Keeping web servers safe and profitable with Imunify360

Problems with parameters b sides-msp

Security .NET.pdf

Sperasoft talks: Android Security Threats

A Blueprint for Web Attack Survival

Glasswall - How to Prevent, Detect and React to Ransomware incidents

6 - Web Application Security.pptx

19BCP072_Presentation_Final.pdf

Scalar Security Roadshow - Vancouver Presentation

Year Zero

Scalar Security Roadshow - Calgary Presentation

Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]

2014 09-04-pj

App Security and Securing App

OISF - AppSec Presentation

Kürzlich hochgeladen

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Manulife - Insurer Innovation Award 2024

The Digital Insurer

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Kürzlich hochgeladen (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Powerful Google developer tools for immediate impact! (2023-24 C)

The 7 Things I Know About Cyber Security After 25 Years | April 2024

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Axa Assurance Maroc - Insurer Innovation Award 2024

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Artificial Intelligence Chap.5 : Uncertainty

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Artificial Intelligence: Facts and Myths

A Year of the Servo Reboot: Where Are We Now?

Exploring the Future Potential of AI-Enabled Smartphone Processors

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Manulife - Insurer Innovation Award 2024

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Why Teams call analytics are critical to your entire business

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Propelling security

1. Propelling Security Driving security that makes sense

2. Why is security important ? ● Data security : protect users who use your website ● Network security : protect your infrastructure from DOS, Spyware & unintended misuse. Source : http://breachlevelindex.com/

3. Application Security ● What is OWASP top 10 ? ○ Open Web Application Security Project ○ Focus on making security visible ○ Help organizations can take informed decisions ○ Top 10 most critical application security risks ○ Available at http://www.owasp.org

4. How OWASP helps? ● Check if your application is vulnerable ● Sample attack patterns ● Prevention guidelines ● What is the Business impact? ○ sell it to your investors Most critical vulnerability in 2017 : Injection

5. SQL / NoSQL injection Query in code : String sql = "SELECT * FROM USERS WHERE USERID='"+request.getParameter("id")+"'"; App url : http://mywebsite.com/app/userView?id='123' or '1'='1 Query which gets executed : "SELECT * FROM USERS WHERE USERID='123 or '1'='1'"; What if someone is able to execute "SELECT * FROM USERS WHERE USERID='123'; DROP TABLE USERS;"

6. OS Command injection Code : delete.php <?php $file = $_GET['filename']; system("rm $file"); ?> URL : http://mywebsite.com/delete.php?filename=abc;ls -l What if the attacker runs : URL : http://mywebsite.com/delete.php?filename=abc;cat dbconfig.php

7. Injection : Story

8. Injection : Story Vulnerabilities exploited ● file upload ● sql injections Attacker uploaded webshell get yours at https://github.com/JohnTroony/php-webshells.git shell used : c99_locus7s.php ● what did the attacker get ? ● how was the attacker discovered ?

9. Mitigating injections ● Check user input ○ type check : string, int, float ○ format check : ip address, email ● Web application firewall ○ 3rd party tool ○ WAF by AWS / Akamai

10. Network / Infrasturcture security ● DDOS ○ Personal experience story ○ Letsbuy DDOS attack ■ SYN flooding ○ How was it mitigated ? ● Common solutions to DDOS ○ Reverse proxy ○ IP Blocking ? ○ Paid solutions - Akamai / AWS

11. Infrastructure misuse ● AWS Hacking story ● Discovery ? ● Mitigation ?

12. Security Strategy ● Figure out where you stand ● Prioritize security ● Creating an action plan

13. Application security plan ● Keep a lookout on latest security vulnerabilities ○ OWASP top 10 ● Collect and analyze all data ○ ELK ? ○ Know your users ○ Anomaly alerts based on Traffic / Database query ● Get WAF (specifically startups) ○ Progressive tuning required ● Black Box / gray box scanning ○ On premise tool : Acunetix web application vulnerability scanner ○ 3rd party black box scans at regular intervals

14. Infrastructure security plan ● DDOS prevention strategy ○ AWS / Firewall / Akamai ● DNS attacks ○ DNS DOS attack ○ SYN Flooding ○ DNS hijacking ● Protect your DNS ○ Use better DNS provider ○ Ultra DNS ○ Route 53

15. Can I handle phishing ? ● Replica websites ○ Have you received phishing mails of hdfc / icici bank ? ● Strategy to detect phishing ○ Honeypot ○ Logging / monitoring

16. Continuous improvement plan ● Change organization culture ● Code review : is this code secure ? ● Security roadmap ● Track progress at regular intervals ○ JIRA Epic ○ Prioritization

17. Remember Hackers are always 1 step ahead No lock can stop a skilled thief Q & A

Propelling security

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (15)

Ähnlich wie Propelling security

Ähnlich wie Propelling security (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Propelling security