UNDERSTANDING THE CYBER THREAT LANDSCAPE
© 2019 RSM US LLP. All Rights Reserved.


About your Speaker
Shan Grant, Supervisor, Security, Privacy & Risk Services
• 15+ years of security and privacy experience
• Originally from Brooklyn, New York; moved to Florida in 2018
• PCI QSA & PA-QSA, CISSP, CISA, Fair Credit Reporting Act (FCRA) Certification
• Worked on and designed compliance programs for financial entities, fintechs, healthcare/healthtech, and non-profits
• Specializing in regulated environments:
  • Payment Card Industry (PCI)
  • HIPAA
  • CRA (FCRA)
  • FDIC/FFIEC
  • Data Privacy
• Career highlight: worked the Cannes Film Festival
[email protected]
https://www.linkedin.com/in/shan-grant/

GIMME SOME MO’ PRIVACY

History of privacy

Going down privacy lane

How is CCPA different than GDPR?
Different consumer rights:

  Rights Covered                         GDPR   CCPA
  Right to know and right of access       X      X
  Right to deletion/erasure               X      X
  Right to restriction of processing      X
  Right to data portability               X      X
  Right to object                         X
  Right to opt out of sale                       X
  Right to equal service and price               X
  Right to opt in (minors under 16)              X

GDPR compliance ≠ CCPA compliance. In addition to compliance, it’s really all about the data: what type of data and how it is used. Data governance and management programs should consider mapping for both.

Privacy Cliff Notes
• Nevada Online Privacy Law
• New York Privacy Act
• Maine Act to Protect the Privacy of Online Customer Information
• Massachusetts Data Privacy Law
• Hawaii Consumer Privacy Protection Act
• Maryland Online Consumer Protection Act

THE THREATS

Primary Exploits Leveraged by Cyber Threats
• Hacking – Breaking in through a vulnerability and moving laterally
  − Network penetration
  − Data leakage and theft
  − Social engineering
• APT – “Uninvited Guest”
  − Arrives in your network and stays there under the radar
  − Harvests information over time
  − Typically not found by anti-virus software
  − Sophisticated
• Malware – Code that is designed to do bad things
  − Execution of malicious code on an infrastructure
  − Escalation of unauthorized privileges
  − Shutting down your network (DDoS)
  − Encrypting data (Ransomware)

RANSOMWARE-as-a-Service
• Let’s talk about GandCrab
  − On the scene in January 2018
  − Off the scene mid-2019: complete shutdown
  − Reported as RaaS
Shutdown announcement from the GandCrab operators: “All the good things come to an end. For the year of working with us, people have earned more than $2 billion… Earning with us per week $2,500,000. We personally earned more than 150 million dollars per year. We successfully cashed this money and legalized it….”

Ransomware recovery
• There’s no guarantee that all the data will be recovered.
• Roughly 5–15% data loss even with a decryptor.
• Businesses are down for an average of nine days.
• For complete recovery, it could take weeks to years.
Consider:
• System wipes
• Recovering from backups
• Repeating the process for each server or computer

Facts & Stats
• Hackers attack every 39 seconds.
• 43% of cyber attacks target small businesses.
• In 2018, hackers stole half a billion personal records.
• 95% of cybersecurity breaches are due to human error.
• Cyber-criminals and hackers will infiltrate your company through your weakest link, which is almost never in the IT department.
• Most companies take nearly 6 months to detect a data breach, even major ones
  − Equifax, Capital One, and Facebook, just to name a few.
Information such as passwords, credit card details, and social security numbers may already be compromised by the time you’re notified.

COMBATING THREATS

If you do it at home, you’ll do it at work
Callouts: Complicated Password · Enable MFA · Turn on Notifications
• Use a cloud-based password safe
  − Automatically generates passwords
  − Prevents reuse of passwords
  − Checks for compromised passwords
  − Some allow document storage or personal detail storage
  − It’s in the cloud, but you can export it
  Examples: Bitwarden, 1Password, Dashlane, LastPass, KeePassXC (not cloud based)
  https://www.wired.com/story/best-password-managers/
• Use Multifactor Authentication (MFA): 2 or more of the below
  • Something you know
  • Something you have
  • Something you are
  Examples: Google Authenticator, Authy, Yubico
• Consider a VPN provider
  − Research (Google) them! Why VPN and highly rated providers: https://www.forbes.com/sites/kateoflahertyuk/2019/04/19/heres-why-you-need-a-vpn-and-which-one-to-choose/#6e36315a23c9
  − DNS leakage
  − Working remotely: hop on the corporate VPN

Other cool things about password managers

Social
• Review privacy and security settings
• Third-party app authorization: remove it when no longer needed
• Consider what you’re posting public vs. private
• Remember people can screenshot something before you have the chance to take it down
• Search yourself

Data retention: can you get rid of it?
• Old documents
• Disable or delete old accounts
• Where is your data:
  − Data hosting (Dropbox, Box, etc.)
  − Digital image printing platforms
  − Old email accounts
  − Old devices

BE VIGILANT, BE AWARE
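The “checks for compromised passwords” bullet on the password-manager slide above deserves a concrete picture. Managers such as Bitwarden and 1Password do this through the Have I Been Pwned “Pwned Passwords” range API, which relies on k-anonymity: the client sends only the first 5 hex characters of SHA-1(password), receives every known hash suffix sharing that prefix together with a breach count, and does the comparison locally, so the password itself never leaves the device. The following Python is an added example written for this page, not code from the RSM deck or from any of the named products; the range response, the `fake_fetch_range` transport and the breach counts are constructed for the example (only the SHA-1 of the string “password” is real).

```python
"""Breached-password check the way a password manager does it (k-anonymity).

Added example, not from the RSM slides or from any product. A live lookup
would be GET https://api.pwnedpasswords.com/range/<prefix>; here the transport
is a constructed offline stand-in so the example runs without network access.
"""
import hashlib
import secrets
import string
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split uppercase SHA-1 hex into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the range API response format) into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many breaches the password appeared in (0 = not found).

    fetch_range(prefix) is any transport returning the range API body; the
    only thing that ever crosses the wire is the 5-character prefix.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def generate_password(length: int = 20) -> str:
    """Password from the OS CSPRNG: the 'automatically generates passwords' feature."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in for the range response to prefix 5BAA6. The last line is
# the real SHA-1 suffix of "password" (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the other two suffixes and all three counts are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def fake_fetch_range(prefix: str) -> str:
    """Offline transport (hypothetical): answers only for prefix 5BAA6, empty body otherwise."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password ->", pwned_count("password", fake_fetch_range), "breaches")
    fresh = generate_password()
    print(fresh, "->", pwned_count(fresh, fake_fetch_range), "breaches")
```

Swapping `fake_fetch_range` for a real HTTPS GET against the range endpoint is the only change needed for a live check; the comparison logic and the privacy property (prefix out, full hash never sent) stay the same.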
Ransomware Attack Prevention
• Cyber security tenets are the same
  − Patch your systems
  − Limit access to data and systems, particularly write access
  − Off-site backups or a snapshot backup service
  − Good AV/anti-malware
Trust nothing, from emails to network shares.

Some personal security suggestions
Security, security
• Always ask why someone needs your information
• Do not use public Wi-Fi
• People actually “dumpster dive”
Social engineering
• “Delivery person,” “corporate IT”
• A LinkedIn “recruiter” or “met you at a conference” request to add you to their network
Too much information (TMI)
• Geolocation tagging in photos or social media posts
• Be careful what you post on social media

Shan Grant
RSM US LLP
100 NE Third Ave., Suite 300
Fort Lauderdale, FL 33301
D: 954.449.8017
[email protected]
rsmus.com

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms.
The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM, the RSM logo and the power of being understood are registered trademarks of RSM International Association.