188 lines
6.6 KiB
Org Mode
** 2021-W25

*** 2021-06-23 Wednesday

**** IN-PROGRESS DI doc :work:
:LOGBOOK:
CLOCK: [2021-06-23 Wed 10:10]--[2021-06-23 Wed 11:40] => 1:30
:END:
[2021-06-23 Wed 10:10]

Given a session token (JWT), this is how to retrieve a refresh token for a
client, bypassing any user interaction or browser redirection.

Given a classical OAuth2 authorization code client with:

- client_id: localtest
- client_password: localpass
- scopes: inspect
- redirect_uris: [ http://localhost:9001/callback ]

Make the following HTTP calls:

1. call the csrf endpoint => retrieve a CSRF token
2. authorize the client (using the CSRF token) => retrieve a CODE token
3. call /token with the client secret and the CODE token => retrieve the
   access/refresh tokens

In more detail:

#+begin_src sh
❯ IROH_URL="https://visibility.amp.cisco.com"

curl -X POST "$IROH_URL/iroh/oauth2/csrf-token" \
  -H "accept: application/json" \
  -H "authorization: Bearer $JWT" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=localtest&scope=inspect"
{"csrf":"eyJhGc..."}

❯ CSRF="eyJhGc..."

curl -X POST "$IROH_URL/iroh/oauth2/authorize" \
  -H "accept: application/json" \
  -H "authorization: Bearer $JWT" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=localtest&scope=inspect&csrf=$CSRF&redirect_uri=http://localhost:9001/callback&response_type=code&state="
{"url":"http://localhost:9001/callback?code=eyJhGc..."}

❯ CODE="eyJhGc..."

curl -X POST "$IROH_URL/iroh/oauth2/token" \
  -H "accept: application/json" \
  -u localtest:localpass \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "scope=inspect&code=$CODE&redirect_uri=http://localhost:9001/callback&grant_type=authorization_code&"
{"access_token":"eyJhGc...","scope":"inspect","token_type":"bearer","expires_in":600,"refresh_token":"eyJhGc..."}
#+end_src
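The three-step exchange above, modelled server-side as an added example (not IROH's code and not part of these notes): an in-memory authorization server with the csrf-token, authorize and token endpoints and the checks each one has to make (CSRF token bound to the session and client and consumed on use, redirect_uri matched exactly against the registered list, single-use code bound to client and redirect_uri, client secret checked on /token), plus a client function that walks the same steps as the curl session. The client registration values are the ones listed above; the session JWT, user id and token formats are constructed stand-ins.

```python
import hmac
import secrets

CLIENTS = {"localtest": {"secret": "localpass", "scopes": {"inspect"},   # registration from the notes
                         "redirect_uris": {"http://localhost:9001/callback"}}}
SESSIONS = {"constructed-session-jwt": "user-42"}  # bearer JWT -> user; constructed stand-in

class AuthServer:  # in-memory model of the three endpoints (added example, not IROH's code)
    def __init__(self):
        self.csrf = {}   # csrf token -> (user, client_id, scope)
        self.codes = {}  # code -> (user, client_id, scope, redirect_uri)

    def _user(self, bearer):  # the Bearer JWT is the only user authentication in this flow
        if bearer not in SESSIONS:
            raise PermissionError("invalid session token")
        return SESSIONS[bearer]

    def csrf_token(self, bearer, client_id, scope):  # POST /oauth2/csrf-token
        user = self._user(bearer)
        if scope not in CLIENTS.get(client_id, {}).get("scopes", ()):
            raise ValueError("unknown client or scope")
        tok = secrets.token_urlsafe(16)
        self.csrf[tok] = (user, client_id, scope)  # one-time, bound to user + client + scope
        return {"csrf": tok}

    def authorize(self, bearer, client_id, scope, csrf, redirect_uri):  # POST /oauth2/authorize
        user = self._user(bearer)
        if self.csrf.pop(csrf, None) != (user, client_id, scope):  # pop: consumed on use
            raise PermissionError("csrf token missing or bound to another request")
        if redirect_uri not in CLIENTS[client_id]["redirect_uris"]:  # exact match, no prefixes
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, scope, redirect_uri)
        return {"url": f"{redirect_uri}?code={code}"}

    def token(self, client_id, client_secret, code, redirect_uri):  # POST /oauth2/token
        client = CLIENTS.get(client_id)  # client_id:secret arrive via curl -u (HTTP Basic)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # pop: a code is redeemable once
        if entry is None or entry[1] != client_id or entry[3] != redirect_uri:
            raise PermissionError("code unknown, already used, or bound to another request")
        return {"access_token": secrets.token_urlsafe(24), "scope": entry[2], "token_type": "bearer",
                "expires_in": 600, "refresh_token": secrets.token_urlsafe(24)}

def run_flow(server, bearer="constructed-session-jwt", redirect_uri="http://localhost:9001/callback"):
    """Client side of the notes: csrf-token -> authorize -> token; returns the /token response."""
    csrf = server.csrf_token(bearer, "localtest", "inspect")["csrf"]
    code = server.authorize(bearer, "localtest", "inspect", csrf, redirect_uri)["url"].split("code=", 1)[1]
    return server.token("localtest", "localpass", code, redirect_uri)
```

Each rejection path (unregistered redirect_uri, reused CSRF token or code, wrong client secret, unknown session token) raises, which is the behaviour to look for when reviewing a real authorization server's logs for this flow.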

*** 2021-06-25 Friday

**** IN-PROGRESS Security School :work:
:LOGBOOK:
CLOCK: [2021-06-25 Fri 10:20]--[2021-06-25 Fri 11:23] => 1:03
:END:
[2021-06-25 Fri 10:20]

What it means to be a trusted company

1. Trust is important and has changed (erosion of trust)
2. Why should I pay for premium? It is built on trust.
3. Key point: start with a good point on the reputation
4. Shifting landscape: no longer satisfied with implicit trust.
5. Lack of trust creates a huge gap and stops digitizing
   - 71%: threats hinder innovation
   - 39%: halted mission-critical initiatives to digitalize due to
     cybersecurity concerns
6. How much Cisco is a trusted company
   BPI (Brand Performance Index) score 22%
   - 8% -> is an honest, ethical company
   - 4% -> company I admire
   ...
7. Trust landscape
   - Increasing number of data breaches and cyberattacks
   - halting digital projects due to lack of trust
   - transition from implicit to explicit trust: "Prove it"
   - US-based IT companies are under increased scrutiny, particularly
     outside of the US.
     Distance between Cisco and the US government.
8. Cisco BPI: 50% (MS 65%)
9. Trustworthy
   - active measures to safeguard
   - committed to securing our customers and data
   - adhere to a secure development lifecycle in the development of products and services
   - we protect the security of our supply chain
10. Transparent
    - access to security vulnerabilities
    - timely, actionable breach notifications to impacted parties
    - publish data regarding requests from law enforcement
    - drive and follow open global standards and make decisions to
      develop and implement new tech based on customers' current and
      anticipated
11. Accountable
    - committed to verifying and validating our trustworthiness
    - we admit we make mistakes that impact the security of our customers
      and partners, and we work to make things right with those customers
      and partners

12. Calls to action

***** Security Vocabulary

1. CIA: security triangle (of a device, service or data) *Is it Secure?*
   - Confidentiality
   - Integrity
   - Availability
2. Confidentiality (who can access)
3. Integrity (information is not unexpectedly modified)
4. Availability (information or resources are available when needed)
5. Non-Repudiation & Authenticity
   Non-repudiation: prove you did or didn't do something
   Authenticity: assurance that a message or other exchange of information
   is from the source it claims to be from
6. Vulnerability:
   - a weakness, design or coding error, or lack of protection in a product
     that enables an attack
   - Vulnerabilities can result from design, programming, or
     operational flaws.
7. Threats
   - Threat: a potential danger that could cause harm to information or a system
   - Threat Agent: an entity that exploits a threat (a hacker)
8. Exploits and Attacks
   - Exploit: practical method to take advantage of a vuln
   - Attack: use of an exploit against an actual vuln
   - Attack Vector: theoretical application of an exploit
   - Zero-Day Attack: an attack that exploits a previously unknown
     vuln for which there is not yet a defense
9. Exposure
   1. probability and severity of an attack using a specific exploit
   2. time between the announcement of a vuln and a suitable patch
   3. any info leak that facilitates an attack
10. Mitigation
    What can we do?
    Strategy for reducing or eliminating the severity of a security issue.
11. Attack Surface - Reality
    Collection of all entry points that could potentially be used to attack
    the product. Any code or hardware that an attacker could potentially
    access and exploit.

***** Protecting data and privacy

****** DATA
- data = content + context

****** Data is processed by each of us
Engineer, Sales, HR

****** Data must be protected at each stage

- classify it as personal data and/or confidential
- determine what controls to embed per stage using Cisco Data Policies

Lifecycle

1. Collection or Creation
2. Usage
3. Sharing
4. Curating
5. Retention
6. Destruction

Data sensitivity

****** Cisco Data Policies

- Cisco Data Quality Policy
- Cisco Data Protection Policy
- Cisco Data Privacy Policy

These require secure, up-to-date data processing with a purpose.

- Can be found in Policy Central
- Updated at least once a year
- Cover changing global regulations, market/customer requirements, and
  Cisco's changes in code of business

****** Embedding Data Controls

Quality / Protection / Privacy
Details can be found in the Product Secure Baseline Requirements for CSDL.

- Quality: refresh, retention management, destroy when done
- Protection: encryption, confidential/sensitive, role-based access, 3rd
  party contracts
- Privacy: minimized processing, notice/purpose, legal basis/consent,
  individual rights