К базе данных уязвимостей и дальше

•

1 gostou•354 visualizações

Язык докладаРусскийСпециалист по автоматизации информационной безопасности. В течение 6 лет участвовал в разработке сканеров уязвимостей и продуктов управления соответствием. Работает в крупнейшей интернет-компании России и отвечает за автоматизированный анализ защищенности огромной и разнообразной IT-инфраструктуры. Ведет блог avleonov.com, посвященный в основном вопросам vulnerability management. Александр Леонов Александр Леонов Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакТехнологии

Tecnologia

To Vulnerability
Database and
beyond
Alexander Leonov, PHDays 2017

2
#:whoami
- Security Analyst at Mail.Ru Group
- Security Automation blog at avleonov.com

4
CVSS, CPE
Vendor’s
Bug
Exploit
DBs
Media
Advisory
id
remediation
strategy
CERTs
…
…
…
Security Content

5
Home-grown Database
CVSS, CPE
Vendor
Bug
Exploit
DBs
Media
Advisories
id
remediation
strategy
CERTs
Customer’s Side
…
…
…
Home-grown
Vulnerability
Database
parser

Commercial Database
Vulnerability
Base
Search System
Notification Service
Vulnerability Intelligence
6
API

Vulnerability
Base
Search System
Notification Service
Vulnerability Intelligence
API
Applicability Verification
+ Detection Rules & Plugins
+ Transports
Vulnerability
Scanner
+ Dashboards
+ TaskTracker
Vulnerability
Management
+ Infrastructure
context
Threat/Risk
Management
7

Still a Vulnerability Database!
Vulnerability
Base
8
- Vulnerabilities your vendor knows/don’t know
- Vulnerabilities your vendor can/can’t detect in
various modes
- How quickly your vendor adds detection
plugins

Subscriptions?
10
Manual vulnerability tracking
Subscriptions to
all vulnerabilities
Subscriptions
to vulnerabilities
in software we use
Automated
applicability
verification

Subscriptions?
11
Manual vulnerability tracking
Subscriptions to
all vulnerabilities
Subscriptions
to vulnerabilities
in software we use
Automated
applicability
verification
https://telegram.me/vulnersBot

13
Vulnerability Hype
- Researchers can overestimate the importance of vulnerability
for self-promotion
- Hyped vulnerability: really critical or not?
- What is out of scope?

14
Vulnerability Hype
GHOST
CVE-2015-0235
Heartbleed
CVE-2014-0160
Shellshock
CVE-2014-6271
Badlock
CVE-2016-2118
ImageTragick
CVE-2016–3714

16
CVSS
- Every CVSS vector was filled manually by some analyst
- Appear in databases with a significant latency
- For the most vulnerabilities Temporal Vector is not available
- Doesn't express current relevance and criticality based on all
factors

17
CVSS
High / CVSS Base Score : 5.0 Medium
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
High / CVSS Base Score : 9.4 High
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
Heartbleed
CVE-2014-0160
https://www.tenable.com/plugins/index.php?view=single&id=73412
Confidentiality Impact: Complete or Partial?
Integrity Impact: None or Complete?

18
CVSS
“CVSSv3 doesn’t fix the major disparities with data confidentiality.
Instead the whole flawed section is exactly the same.”
https://www.pentestpartners.com/blog/cvssv3-whats-changed-or-why-even-bother/

20
2 characteristics
- "Danger" an assessment of criticality, exploitability
- "Relevance" shows an attention paid to the vulnerability

21
Vulnerability Danger
- CVSS Base Score ↑
- Potential exploitability ↑
- Exploits ↑
- Malware ↑
- Patches ↓
- Detection plugins ↓
- Age ↓

22
Vulnerability Relevance
- Media coverage ↑
- Descriptions ↑
- Detection plugins ↑
- Search queries ↑
- Search results ↑
- Clicks ↑
- Age ↓

28
PoC
WannaCry
SMB v.1 RCE
CVE-2017-0143

29
PoC
Latest 3500 CVEs
(max 10 days in Daily
Routine <3.5)

30
PoC
CVE-2017-2478
RCE
Latest 3500 CVEs
(max 10 days in Daily
Routine <3.5)

31
PoC
Latest 3500 CVEs
(max 10 days in Daily
Routine <3.5)

32
PoC
Latest 3500 CVEs
(max 10 days in Daily
Routine <3.5)

34
Possibilities
- Watch vulnerabilities in dynamics
- Highlight most critical vulnerabilities and groups
- Identify trends
- Have fun :-)

35
Problems
- It’s all about CVEs
One vulnerability - a lot of CVEs
Vulnerabilities without CVEs
- Subjective formulas for Danger and Relevance
- Data sources

36
Thanks!
- Security Automation Blog avleonov.com
- me@avleonov.com

Mais conteúdo relacionado

Mais de Positive Hack Days

Задумывались ли вы когда-нибудь о том, как устроены современные механизмы защиты приложений? Какая теория стоит за реализацией WAF и SAST? Каковы пределы их возможностей? Насколько их можно подвинуть за счет более широкого взгляда на проблематику безопасности приложений? На мастер-классе будут рассмотрены основные методы и алгоритмы двух основополагающих технологий защиты приложений — межсетевого экранирования уровня приложения и статического анализа кода. На примерах конкретных инструментов с открытым исходным кодом, разработанных специально для этого мастер-класса, будут рассмотрены проблемы, возникающие на пути у разработчиков средств защиты приложений, и возможные пути их решения, а также даны ответы на все упомянутые вопросы.

Мастер-класс «Трущобы Application Security»

Positive Hack Days

Формальные методы защиты приложений

Positive Hack Days

Эвристические методы защиты приложений

Positive Hack Days

Теоретические основы Application Security

Positive Hack Days

Разработка наукоемкого программного обеспечения отличается тем, что нет ни четкой постановки задачи, ни понимания, что получится в результате. Однако даже этом надо программировать то, что надо, и как надо. Докладчик расскажет о том, как ее команда успешно разработала и вывела в промышленную эксплуатацию несколько наукоемких продуктов, пройдя непростой путь от эксперимента, результатом которого был прототип, до промышленных версий, которые успешно продаются как на российском, так и на зарубежном рынках. Этот путь был насыщен сложностями и качественными управленческими решениями, которыми поделится докладчик

От экспериментального программирования к промышленному: путь длиной в 10 лет

Positive Hack Days

Немногие разработчики закладывают безопасность в архитектуру приложения на этапе проектирования. Часто для этого нет ни денег, ни времени. Еще меньше — понимания моделей нарушителя и моделей угроз. Защита приложения выходит на передний план, когда уязвимости начинают стоить денег. К этому времени приложение уже работает и внесение существенных изменений в код становится нелегкой задачей. К счастью, разработчики тоже люди, и в коде разных приложений можно встретить однотипные недостатки. В докладе речь пойдет об опасных ошибках, которые чаще всего допускают разработчики Android-приложений. Затрагиваются особенности ОС Android, приводятся примеры реальных приложений и уязвимостей в них, описываются способы устранения.

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Positive Hack Days

Разработка любого софта так или иначе базируется на требованиях. Полный перечень составляют бизнес-цели приложения, различные ограничения и ожидания по качеству (их еще называют NFR). Требования к безопасности ПО относятся к последнему пункту. В ходе доклада будут рассматриваться появление этих требований, управление ими и выбор наиболее важных. Отдельно будут освещены принципы построения архитектуры приложения, при наличии таких требований и без, и продемонстрировано, как современные (и хорошо известные) подходы к проектированию приложения помогают лучше строить архитектуру приложения для минимизации ландшафта угроз.

Требования по безопасности в архитектуре ПО

Positive Hack Days

Доклад посвящен разработке корректного программного обеспечения с применением одного из видов статического анализа кода. Будут освещены вопросы применения подобных методов, их слабые стороны и ограничения, а также рассмотрены результаты, которые они могут дать. На конкретных примерах будет продемонстрировано, как выглядят разработка спецификаций для кода на языке Си и доказательство соответствия кода спецификациям.

Формальная верификация кода на языке Си

Positive Hack Days

Механизмы предотвращения атак в ASP.NET Core

Positive Hack Days

SOC для КИИ: израильский опыт

Positive Hack Days

Honeywell Industrial Cyber Security Lab & Services Center

Positive Hack Days

Credential stuffing и брутфорс-атаки

Positive Hack Days

Доклад SiteSecure

Positive Hack Days

Практический опыт защиты финансовых транзакций клиентов Банка

Positive Hack Days

Решение SafeTouch — доверенный экран для безопасного подтверждения банковских...

Positive Hack Days

Эффективный контроль сотрудников

Positive Hack Days

Подход к обеспечению безопасности IoT в Enterprise

Positive Hack Days

К началу 2016 года у многих сложилось впечатление, что проблема DDoS-атак исчерпала себя — настолько тривиальными выглядели сами атаки и меры по защите от них. Спустя год ситуация кардинально изменилась. Обсудим эти изменения, их причины, предпосылки и последствия, а также их взаимосвязь с развитием IoT.

DDoS-атаки в 2016–2017: переворот

Positive Hack Days

Эволюция безопасности: от охранников к нейронным сетям

Positive Hack Days

Сегодня информационная безопасность переживает острые внутренние противоречия. Со всех трибун звучат заявления: «Да кому мы нужны?», «Все равно взломают!», «Покупайте новое». Разработчики ИБ-решений и те, кто ими пользуется, подрастеряли веру и мотивацию. Самые яркие представители ИБ-сообщества соберутся, чтобы рассказать о наболевшем и поделиться своими идеями, которые по их мнению могут повлиять на каждого и индустрию в целом. Минимум слайдов и любой мишуры, максимум личного опыта, понимания в предмете и эмоции.

АнтиПленарка. Безопасность и технологии: личный взгляд лидеров мнений

Positive Hack Days

Mais de Positive Hack Days (20)

Мастер-класс «Трущобы Application Security»

Формальные методы защиты приложений

Эвристические методы защиты приложений

Теоретические основы Application Security

От экспериментального программирования к промышленному: путь длиной в 10 лет

Уязвимое Android-приложение: N проверенных способов наступить на грабли

Требования по безопасности в архитектуре ПО

Формальная верификация кода на языке Си

Механизмы предотвращения атак в ASP.NET Core

SOC для КИИ: израильский опыт

Honeywell Industrial Cyber Security Lab & Services Center

Credential stuffing и брутфорс-атаки

Доклад SiteSecure

Практический опыт защиты финансовых транзакций клиентов Банка

Решение SafeTouch — доверенный экран для безопасного подтверждения банковских...

Эффективный контроль сотрудников

Подход к обеспечению безопасности IoT в Enterprise

DDoS-атаки в 2016–2017: переворот

Эволюция безопасности: от охранников к нейронным сетям

АнтиПленарка. Безопасность и технологии: личный взгляд лидеров мнений

Último

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

Scaling API-first – The story of a global engineering organization

Radu Cotescu

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

In an era where artificial intelligence (AI) stands at the forefront of business innovation, Information Architecture (IA) is at the core of functionality. See “There’s No AI Without IA” – (from 2016 but even more relevant today) Understanding and leveraging how Information Architecture (IA) supports AI synergies between knowledge engineering and prompt engineering is critical for senior leaders looking to successfully deploy AI for internal and externally facing knowledge processes. This webinar be a high-level overview of the methodologies that can elevate AI-driven knowledge processes supporting both employees and customers. Core Insights Include: Strategic Knowledge Engineering: Delve into how structuring AI's knowledge base is required to prevent hallucinations, enable contextual retrieval of accurate information. This will include discussion of gold standard libraries of use cases support testing various LLMs and structures and configurations of knowledge base. Precision in Prompt Engineering: Learn the art of crafting prompts that direct AI to deliver targeted, relevant responses, thereby optimizing customer experiences and business outcomes. Unified Approach for Enhanced AI Performance: Explore the intersection of knowledge and prompt engineering to develop AI systems that are not only more responsive but also aligned with overarching business strategies. Guiding Principles for Implementation: Equip yourself with best practices, ethical guidelines, and strategic considerations for embedding these technologies into your business ecosystem effectively. This webinar is designed to empower business and technology leaders with the knowledge to harness the full potential of AI, ensuring their organizations not only keep pace with digital transformation but lead the charge. Join us to map a roadmap to fully leverage Information Architecture (IA) and AI chart a course towards a future where AI is a key pillar of strategic innovation and business success.

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Earley Information Science

К базе данных уязвимостей и дальше

1. To Vulnerability Database and beyond Alexander Leonov, PHDays 2017

2. 2 #:whoami - Security Analyst at Mail.Ru Group - Security Automation blog at avleonov.com

3. 3 Security Advisories … OVER 9000!

4. 4 CVSS, CPE Vendor’s Bug Exploit DBs Media Advisory id remediation strategy CERTs … … … Security Content

5. 5 Home-grown Database CVSS, CPE Vendor Bug Exploit DBs Media Advisories id remediation strategy CERTs Customer’s Side … … … Home-grown Vulnerability Database parser

6. Commercial Database Vulnerability Base Search System Notification Service Vulnerability Intelligence 6 API

7. Vulnerability Base Search System Notification Service Vulnerability Intelligence API Applicability Verification + Detection Rules & Plugins + Transports Vulnerability Scanner + Dashboards + TaskTracker Vulnerability Management + Infrastructure context Threat/Risk Management 7

8. Still a Vulnerability Database! Vulnerability Base 8 - Vulnerabilities your vendor knows/don’t know - Vulnerabilities your vendor can/can’t detect in various modes - How quickly your vendor adds detection plugins

9. What to do? 9

10. Subscriptions? 10 Manual vulnerability tracking Subscriptions to all vulnerabilities Subscriptions to vulnerabilities in software we use Automated applicability verification

11. Subscriptions? 11 Manual vulnerability tracking Subscriptions to all vulnerabilities Subscriptions to vulnerabilities in software we use Automated applicability verification https://telegram.me/vulnersBot

12. 12 What will explode next? ?!

13. 13 Vulnerability Hype - Researchers can overestimate the importance of vulnerability for self-promotion - Hyped vulnerability: really critical or not? - What is out of scope?

14. 14 Vulnerability Hype GHOST CVE-2015-0235 Heartbleed CVE-2014-0160 Shellshock CVE-2014-6271 Badlock CVE-2016-2118 ImageTragick CVE-2016–3714

15. 15 CVSS

16. 16 CVSS - Every CVSS vector was filled manually by some analyst - Appear in databases with a significant latency - For the most vulnerabilities Temporal Vector is not available - Doesn't express current relevance and criticality based on all factors

17. 17 CVSS High / CVSS Base Score : 5.0 Medium (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) High / CVSS Base Score : 9.4 High (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N) Heartbleed CVE-2014-0160 https://www.tenable.com/plugins/index.php?view=single&id=73412 Confidentiality Impact: Complete or Partial? Integrity Impact: None or Complete?

18. 18 CVSS “CVSSv3 doesn’t fix the major disparities with data confidentiality. Instead the whole flawed section is exactly the same.” https://www.pentestpartners.com/blog/cvssv3-whats-changed-or-why-even-bother/

19. 19 References Heartbleed CVE-2014-0160

20. 20 2 characteristics - "Danger" an assessment of criticality, exploitability - "Relevance" shows an attention paid to the vulnerability

21. 21 Vulnerability Danger - CVSS Base Score ↑ - Potential exploitability ↑ - Exploits ↑ - Malware ↑ - Patches ↓ - Detection plugins ↓ - Age ↓

22. 22 Vulnerability Relevance - Media coverage ↑ - Descriptions ↑ - Detection plugins ↑ - Search queries ↑ - Search results ↑ - Clicks ↑ - Age ↓

23. 23 Quadrants

24. 24 PoC Heartbleed CVE-2014-0160

25. 25 PoC Heartbleed CVE-2014-0160

26. 26 PoC Heartbleed CVE-2014-0160

27. 27 PoC Heartbleed CVE-2014-0160

28. 28 PoC WannaCry SMB v.1 RCE CVE-2017-0143

29. 29 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)

30. 30 PoC CVE-2017-2478 RCE Latest 3500 CVEs (max 10 days in Daily Routine <3.5)

31. 31 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)

32. 32 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)

33. 33 More vulnerabilities!

34. 34 Possibilities - Watch vulnerabilities in dynamics - Highlight most critical vulnerabilities and groups - Identify trends - Have fun :-)

35. 35 Problems - It’s all about CVEs One vulnerability - a lot of CVEs Vulnerabilities without CVEs - Subjective formulas for Danger and Relevance - Data sources

36. 36 Thanks! - Security Automation Blog avleonov.com - me@avleonov.com

К базе данных уязвимостей и дальше

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Positive Hack Days

Mais de Positive Hack Days (20)

Último

Último (20)

К базе данных уязвимостей и дальше