2021-W25.org
parent 2c4b14a4b1
commit b98cc88eab
1 changed files with 187 additions and 0 deletions
187 2021-W25.org Normal file
@ -0,0 +1,187 @@
** 2021-W25
*** 2021-06-23 Wednesday
**** IN-PROGRESS DI doc :work:
:LOGBOOK:
CLOCK: [2021-06-23 Wed 10:10]--[2021-06-23 Wed 11:40] => 1:30
:END:
[2021-06-23 Wed 10:10]


Given a session token (JWT) this is how to retrieve refresh token for a
client bypassing any user interaction or browser redirection.

Given a classical OAuth2 Auth code client with:

- client_id: localtest
- client_password: localpass
- scopes: inspect
- redirect_uris: [ http://localhost:9001/callback ]

Make the following HTTP call:

1. call csrf endpoint => retrieve a CSRF token
2. authorize the client (use the CSRF token) => retrieve a CODE token
3. call /token with client secret and the CODE token => retrieve
access/refresh tokens

In more detail:

#+begin_src
❯ IROH_URL="https://visibility.amp.cisco.com"

curl -X POST "$IROH_URL/iroh/oauth2/csrf-token" \
-H "accept: application/json" \
-H "authorization: Bearer $JWT" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=localtest&scope=inspect"
{"csrf":"eyJhGc..."}

❯ CSRF="eyJhGc..."

curl -X POST "$IROH_URL/iroh/oauth2/authorize" \
-H "accept: application/json" \
-H "authorization: Bearer $JWT" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=localtest&scope=inspect&csrf=$CSRF&redirect_uri=http://localhost:9001/callback&response_type=code&state="
{"url":"http://localhost:9001/callback?code=eyJhGc..."}

❯ CODE="eyJhGc..."

curl -X POST "$IROH_URL/iroh/oauth2/token" \
-H "accept: application/json" \
-u localtest:localpass \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "scope=inspect&code=$CODE&redirect_uri=http://localhost:9001/callback&grant_type=authorization_code&"
{"access_token":"eyJhGc...","scope":"inspect","token_type":"bearer","expires_in":600,"refresh_token":"eyJhGc..."}
#+end_src
*** 2021-06-25 Friday
**** IN-PROGRESS Security School :work:
:LOGBOOK:
CLOCK: [2021-06-25 Fri 10:20]--[2021-06-25 Fri 11:23] => 1:03
:END:
[2021-06-25 Fri 10:20]

What it mean to be a Trusted company

1. Trust is important and changed (erosion of trust)
2. Why should I should pay for premium; built on trust.
3. key point, start with a good point on the reputation
4. Shifting landscape, no more satisfy with implicit trusting.
5. Lack of trust create a huge gap, stop digitizing
- 71% threat hinder innovation
- 39% halted mission critical initiative to digitalize due to
cybersecurity concern
6. How much cisco is a trusting company
BPI (Brand Performance Index) score 22%
- 8% -> is an honest ethical company
- 4% -> company I admire
...
7. Trust Landscape
- Increasing number of data breaches and cyberattacks
- halting digital projects due to lack of trust
- transition from implicit to explicit trust "Prove it"
- US based IT companies are under increased scrutinity, particularly
outside of the US.
Distance between Cisco and US government.
8. Cisco BPI: 50% (MS 65%)
9. Trustworthy
- active measire to safeguard
- commited to securing our customers and data
- adhere a secure development lifecycle in the dev of products and services
- we protect security of our supply chain
10. Transparent
- access to security vulnerabilities
- timely actionable breach notifications to impacted parties
- publish data regarding requests from law enforcement
- drive and follow open global standards and make deccisions to
develope and implement new tech based on customers current and
anticipated
11. Accountable
- commited to verify and validate our trustworthiness
- we admit we make mistakes that impact the security of our customers
and partners and we work to make things right with those customers
and partners

12. Calls to action
***** Security Vocabulary

1. CIA: Security triangle (of device, service or data) *Is it Secure?*
- Confidentiality
- Integrity
- Availability
2. Confidentiality (who can access )
3. Integrity (information is not unexpectedly modified)
4. Availability (information or resourcces are available when needed)
5. Non-Repudiation & Authenticity
Non-repudiation: Prove you did or didn't do something
Authenticity: Assurance that a message or other exchange of information
is from source it claims to be from
6. Vulnerability:
- a weekness, design or coding error, lack of protection in a product
that enable an attack
- Vulnerability can result from Design, Programming, or
Operational flaws.
7. Threats
- Threat: a potential danger that could cause harm to information or a system
- Threat Agent: an entity that exploits a threat (a hacker)
8. Exploits and Attacks
- exploits: pratical method to take advantage of a vuln
- Attack: use an exploit against and actual vuln
- Attack Vector: theoretical application of an exploit
- Zero-Day Attack: an attack that exploits a previously unknown
vuln for which there is not yet a defense
9. Exposure
1. probability and severity of an attack using a specific exploit
2. time between the announcement of vuln and a suitable patch
3. any info leak that facilitate attack
10. Mitigation
What can we do?
Strategy for reducing or eliminating the severity of a security issue.
11. Attack Surface - Reality
collection of all entry point that could potentially be used to attack
the product. Any code or hardware that an attacker could potentially
access and exploit.
***** Protecting data and privacy
****** DATA
- data = content + context
.
****** Data is proccessed by each of us
Engineer, Sales, HR
****** Data must be protected at each stage

- classify it as personal data and/or confidential
- determine what controls to embed per stage using Cisco Data Policies

Lifecycle

1. Collection or Creation
2. Usage
3. Sharing
4. Curating
5. Retention
6. Destruction

Data sensitivity
****** Cisco Data Policies

. Cisco Data Quality Policy
. Cisco Data Protection Policy
. Cisco Data Privacy Policy

require secure up-to-date data processing with purpose


- Can be found in Policy Central
- Updated at least once a year
- Cover changing global regulations, marke/customer requirements, and
Cisco's changes in code of business
****** Embeding Data Controls

Quality / Protection / Privacy
Details ccan be found in Product Seure Baseline Requirements for CSDL.

- Quality: refresh, retention management, destroy when done
- Protection: encryption, confidential/sensitive, role based access, 3rd
party contracts
- Privacy: minimized processing, notice/purpose, legal basis/consent,
individual rights
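Review bot: in the `#+begin_src` block the `/authorize` call sends an empty `state=` (`...&response_type=code&state=`); `state` is what lets the client bind the returned `url` and its `code` to the request it issued, so even in a scripted flow it should carry an unguessable value that is compared against the `state` echoed in the `url` before the `code` is redeemed, and the trailing `&` in the `/token` body (`grant_type=authorization_code&`) is a stray that should be dropped. The lead sentence "bypassing any user interaction or browser redirection" reads as if no authentication is involved; it should say the shortcut only works for a caller that already holds a valid session `$JWT`, which both the `/csrf-token` and `/authorize` calls require as a Bearer, i.e. this trades an existing interactive session for a refresh token rather than avoiding the user's consent. `-u localtest:localpass` puts the client secret on the command line and into shell history; prefer reading it from a variable as `$IROH_URL` and `$JWT` already are, and note that the returned `refresh_token` is long-lived and should be stored with the same care as the secret. Minor: `#+begin_src` has no language tag (`#+begin_src sh` would give highlighting and make the block evaluable), the `❯` prompt characters make the block non-pasteable, and the notes carry typos: "What it mean", "weekness", "scrutinity", "measire", "commited" (twice), "deccisions", "develope", "resourcces", "pratical", "proccessed", "Embeding", "ccan", "Seure", "marke/customer".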