2. We are talking about things like
• BIND TSIG CVE-2017-3143
• Intel AMT CVE-2017-5689
• Doorkeeper CVE-2016-6582
• Google groups for business default settings
• Source engine
• Ovidiy Stealer
• Kerberos CVE-2017-11368
• sudo CVE-2017-1000367
• Skype CVE-2017-6517
• RubyGems CVE-2017-0901
5. Hardware Threats
• Physical
  • Not only about servers
  • Not only about computers
  • Hidden hardware in your computers
  • Closed-source firmware
• Virtualization
  • Escaping from guest OS
• Clouds
6. Software Threats
• OS security
• Vulnerabilities in libraries
• Vulnerabilities in server software
• 3rd party software can have unexpected side effects
• Open source software can be compromised
• Insecurity in security software
7. Network Threats
• Passive
  • Monitoring
  • Eavesdropping
• Active
  • Tampering
  • DoS
  • Buffer Overflow
  • DNS poisoning
  • XSS/CSRF/SSRF/SQLi
• Networking devices
• IoT devices
8. Data Threats
• Can be violated by 3rd persons
• Data integrity can be broken by hardware/software failures
• Fake data can be used as primary source of truth
• Small leak can compromise whole system
9. Social Engineering
Hacking by exploiting vulnerabilities in human psychology
• Giving people what they want
• Provoking by content
• Road Apple Attack
• Phishing
• Using information from social networks
• Reverse SE
10. Insiders
• You can buy insider info
• Insider can be hired by you
• Someone can compromise your normal employee
• Life circumstances can turn your employees against you
• Firing process
22. OWASP Zed Attack Proxy Project
• Opensource
• Dynamically developing
• Easy to use
• No paid version
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
23. nikto
• Checks for outdated components
• Scan multiple ports on a server, or multiple servers via input file
• Identifies installed software via headers, favicons and files
• Subdomain guessing
• Can log to Metasploit
• https://cirt.net/Nikto2
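The slide notes that nikto identifies installed software via response headers. The check below is an added example (not code from the slides or from the nikto project) showing the defender's side of that: a hardening self-check that flags the headers a fingerprinting scanner would read product and version information from. The header list, the regular expression and the sample header sets are assumptions constructed for the example, not nikto's own signatures.

```python
import re
from typing import Dict, List, Optional

# Response headers that commonly disclose the product and/or version of the
# software behind a site. This list is an assumption for the example, not
# nikto's signature database.
DISCLOSURE_HEADERS = (
    "Server",
    "X-Powered-By",
    "X-AspNet-Version",
    "X-AspNetMvc-Version",
    "X-Generator",
)

# Matches a dotted version number such as 2.4.29 or 7.2.24.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample: headers as an un-hardened server might return them.
SAMPLE_HEADERS: Dict[str, str] = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed sample: the same response after version/product headers were
# removed at the reverse proxy (what the hardened state should look like).
HARDENED_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}


def _product_from_value(value: str) -> Optional[str]:
    """Return the product name before a '/' (e.g. 'Apache' from 'Apache/2.4.29'), if any."""
    if "/" in value:
        return value.split("/", 1)[0].strip() or None
    return None


def find_version_disclosures(headers: Dict[str, str]) -> List[dict]:
    """Report headers that reveal the software product and/or its version.

    Header names are compared case-insensitively, as HTTP requires.
    Each finding carries the original header name, its value, the product
    name if one could be parsed, the version string if present, and a
    severity of 'version' (product and version leaked) or 'product'
    (product name leaked, no version).
    """
    by_lower = {name.lower(): (name, value) for name, value in headers.items()}
    findings: List[dict] = []
    for wanted in DISCLOSURE_HEADERS:
        hit = by_lower.get(wanted.lower())
        if hit is None:
            continue
        original_name, value = hit
        match = VERSION_RE.search(value)
        findings.append(
            {
                "header": original_name,
                "value": value,
                "product": _product_from_value(value),
                "version": match.group(0) if match else None,
                "severity": "version" if match else "product",
            }
        )
    return findings


def is_fingerprint_hardened(headers: Dict[str, str]) -> bool:
    """True when no disclosure header is present at all."""
    return not find_version_disclosures(headers)


if __name__ == "__main__":
    for finding in find_version_disclosures(SAMPLE_HEADERS):
        print(f"{finding['severity']:8} {finding['header']}: {finding['value']}")
    print("hardened sample passes:", is_fingerprint_hardened(HARDENED_HEADERS))
```

Run it against headers captured from your own server (for example from a `curl -I` of the site) to confirm that the reverse proxy or application server strips these fields before a scanner like nikto ever sees them; a `Server` header with only a product name and no version still counts as a finding, because the product alone narrows the set of known vulnerabilities an attacker would test for.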
24. Brakeman
• Scanner for RoR applications
• https://brakemanscanner.org/