2021-W25.org

This commit is contained in:
Yann Esposito (Yogsototh) 2021-08-17 14:47:43 +02:00
parent 2c4b14a4b1
commit b98cc88eab
Signed by untrusted user who does not match committer: yogsototh
GPG key ID: 7B19A4C650D59646

** 2021-W25
*** 2021-06-23 Wednesday
**** IN-PROGRESS DI doc :work:
:LOGBOOK:
CLOCK: [2021-06-23 Wed 10:10]--[2021-06-23 Wed 11:40] => 1:30
:END:
[2021-06-23 Wed 10:10]
Given a session token (JWT), this is how to retrieve a refresh token for a
client without any user interaction or browser redirection.
Given a classical OAuth2 authorization-code client with:
- client_id: localtest
- client_password: localpass
- scopes: inspect
- redirect_uris: [ http://localhost:9001/callback ]
Make the following HTTP calls:
1. call the csrf-token endpoint => retrieve a CSRF token
2. authorize the client (using the CSRF token) => retrieve an authorization CODE
3. call /token with the client secret and the CODE => retrieve the
access and refresh tokens
The bearer JWT stands in for the user's login and consent in step 2, so
anyone holding a valid session JWT plus the client secret can mint a
refresh token this way; the empty state parameter is tolerable only
because no browser callback is involved. The access token expires after
expires_in (600 s); the refresh token is the long-lived credential.
In more detail:
#+begin_src sh
IROH_URL="https://visibility.amp.cisco.com"
# JWT holds the session token (see above)
curl -X POST "$IROH_URL/iroh/oauth2/csrf-token" \
     -H "accept: application/json" \
     -H "authorization: Bearer $JWT" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=localtest&scope=inspect"
# => {"csrf":"eyJhGc..."}
CSRF="eyJhGc..."
curl -X POST "$IROH_URL/iroh/oauth2/authorize" \
     -H "accept: application/json" \
     -H "authorization: Bearer $JWT" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=localtest&scope=inspect&csrf=$CSRF&redirect_uri=http://localhost:9001/callback&response_type=code&state="
# => {"url":"http://localhost:9001/callback?code=eyJhGc..."}
CODE="eyJhGc..."
curl -X POST "$IROH_URL/iroh/oauth2/token" \
     -H "accept: application/json" \
     -u localtest:localpass \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "scope=inspect&code=$CODE&redirect_uri=http://localhost:9001/callback&grant_type=authorization_code"
# => {"access_token":"eyJhGc...","scope":"inspect","token_type":"bearer","expires_in":600,"refresh_token":"eyJhGc..."}
#+end_src
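The same three calls as one script, added here as an example (it is not part of the original notes and not Cisco's tooling): it assumes the endpoint paths and the localtest client registration from the notes above, reads IROH_URL and JWT from the environment, sends a random state and checks that the callback URL echoes it, stops when the CSRF token or the code is missing, and hands the client secret to curl through a config file on stdin instead of the command line. The helper names (json_field, query_param, check_state, fetch_tokens) are this example's own, and the JSON extraction is a sed one-liner that only handles the flat responses shown above.

```shell
#!/bin/sh
# Added example, not from the original notes: non-interactive driver for the
# csrf-token -> authorize -> token flow. Assumes the endpoint paths and the
# "localtest" client from the notes; IROH_URL and JWT come from the environment.
# json_field, query_param, check_state and fetch_tokens are names chosen here.

# Extract a top-level string field from a flat JSON object (enough for the
# {"csrf":...}, {"url":...} and token responses; not a general JSON parser).
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Extract one query parameter from a URL such as the callback URL that
# /authorize returns ("...?code=...&state=...").
query_param() {
  printf '%s\n' "$1" | sed -n "s/.*[?&]$2=\([^&#]*\).*/\1/p"
}

# 128-bit random state, hex encoded, for the authorize request.
random_state() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Succeed only if the callback URL carries exactly the non-empty state we sent.
# RFC 6749 requires the server to echo state, so a mismatch means the URL was
# not produced for our request.
check_state() {
  [ -n "$1" ] && [ "$(query_param "$2" state)" = "$1" ]
}

# Run the three calls and print the token JSON from /token.
# Usage: fetch_tokens CLIENT_ID CLIENT_SECRET SCOPE REDIRECT_URI
fetch_tokens() {
  client_id=$1 client_secret=$2 scope=$3 redirect_uri=$4
  : "${IROH_URL:?set IROH_URL}" "${JWT:?set JWT to the session token}"

  # Step 1: CSRF token for this client/scope, authenticated with the session JWT.
  csrf=$(json_field "$(curl -sS -X POST "$IROH_URL/iroh/oauth2/csrf-token" \
        -H 'accept: application/json' -H "authorization: Bearer $JWT" \
        --data-urlencode "client_id=$client_id" --data-urlencode "scope=$scope")" csrf)
  [ -n "$csrf" ] || { echo "csrf-token: no csrf in response" >&2; return 1; }

  # Step 2: authorize the client; the JWT stands in for user login and consent.
  state=$(random_state)
  url=$(json_field "$(curl -sS -X POST "$IROH_URL/iroh/oauth2/authorize" \
        -H 'accept: application/json' -H "authorization: Bearer $JWT" \
        --data-urlencode "client_id=$client_id" --data-urlencode "scope=$scope" \
        --data-urlencode "csrf=$csrf" --data-urlencode "redirect_uri=$redirect_uri" \
        --data-urlencode "response_type=code" --data-urlencode "state=$state")" url)
  check_state "$state" "$url" || { echo "authorize: no callback url or state mismatch" >&2; return 1; }
  code=$(query_param "$url" code)
  [ -n "$code" ] || { echo "authorize: no code in callback url" >&2; return 1; }

  # Step 3: exchange the code; the secret reaches curl via "-K -" (config on
  # stdin) so it is not visible in ps output or shell history.
  printf 'user = "%s:%s"\n' "$client_id" "$client_secret" |
    curl -sS -K - -X POST "$IROH_URL/iroh/oauth2/token" \
      -H 'accept: application/json' \
      --data-urlencode "grant_type=authorization_code" --data-urlencode "code=$code" \
      --data-urlencode "redirect_uri=$redirect_uri" --data-urlencode "scope=$scope"
}

# Only talk to the service when a session token is actually present.
if [ -n "${JWT:-}" ]; then
  fetch_tokens localtest "${CLIENT_SECRET:-localpass}" inspect http://localhost:9001/callback
fi
```

Run it with IROH_URL and JWT exported (and CLIENT_SECRET for a client other than the local test one); the two guards on the CSRF token and on the state are where a scripted flow otherwise fails silently and hands you an empty code.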
*** 2021-06-25 Friday
**** IN-PROGRESS Security School :work:
:LOGBOOK:
CLOCK: [2021-06-25 Fri 10:20]--[2021-06-25 Fri 11:23] => 1:03
:END:
[2021-06-25 Fri 10:20]
What it means to be a trusted company
1. Trust is important and has changed (erosion of trust)
2. Why should I pay for premium? Because it is built on trust.
3. Key point: start from a good reputation
4. Shifting landscape: customers are no longer satisfied with implicit trust.
5. Lack of trust creates a huge gap and stops digitization
- 71%: threats hinder innovation
- 39% halted a mission-critical initiative to digitalize due to
cybersecurity concerns
6. How much is Cisco a trusted company?
BPI (Brand Performance Index) score 22%
- 8% -> is an honest, ethical company
- 4% -> a company I admire
...
7. Trust Landscape
- Increasing number of data breaches and cyberattacks
- halting digital projects due to lack of trust
- transition from implicit to explicit trust "Prove it"
- US-based IT companies are under increased scrutiny, particularly
outside of the US.
Distance between Cisco and US government.
8. Cisco BPI: 50% (MS 65%)
9. Trustworthy
- active measures to safeguard
- committed to securing our customers and data
- adhere to a secure development lifecycle in the development of products and services
- we protect the security of our supply chain
10. Transparent
- access to security vulnerabilities
- timely actionable breach notifications to impacted parties
- publish data regarding requests from law enforcement
- drive and follow open global standards and make decisions to
develop and implement new tech based on customers' current and
anticipated
11. Accountable
- committed to verifying and validating our trustworthiness
- we admit that we make mistakes that impact the security of our customers
and partners, and we work to make things right with those customers
and partners
12. Calls to action
***** Security Vocabulary
1. CIA: Security triangle (of device, service or data) *Is it Secure?*
- Confidentiality
- Integrity
- Availability
2. Confidentiality (who can access )
3. Integrity (information is not unexpectedly modified)
4. Availability (information or resources are available when needed)
5. Non-Repudiation & Authenticity
Non-repudiation: Prove you did or didn't do something
Authenticity: Assurance that a message or other exchange of information
is from source it claims to be from
6. Vulnerability:
- a weakness, design or coding error, or lack of protection in a product
that enables an attack
- Vulnerability can result from Design, Programming, or
Operational flaws.
7. Threats
- Threat: a potential danger that could cause harm to information or a system
- Threat Agent: an entity that exploits a threat (a hacker)
8. Exploits and Attacks
- Exploit: practical method to take advantage of a vuln
- Attack: use of an exploit against an actual vuln
- Attack Vector: theoretical application of an exploit
- Zero-Day Attack: an attack that exploits a previously unknown
vuln for which there is not yet a defense
9. Exposure
1. probability and severity of an attack using a specific exploit
2. time between the announcement of vuln and a suitable patch
3. any info leak that facilitate attack
10. Mitigation
What can we do?
Strategy for reducing or eliminating the severity of a security issue.
11. Attack Surface - Reality
collection of all entry points that could potentially be used to attack
the product: any code or hardware that an attacker could potentially
access and exploit.
***** Protecting data and privacy
****** DATA
- data = content + context
****** Data is processed by each of us
Engineer, Sales, HR
****** Data must be protected at each stage
- classify it as personal data and/or confidential
- determine what controls to embed per stage using Cisco Data Policies
Lifecycle
1. Collection or Creation
2. Usage
3. Sharing
4. Curating
5. Retention
6. Destruction
Data sensitivity
****** Cisco Data Policies
- Cisco Data Quality Policy
- Cisco Data Protection Policy
- Cisco Data Privacy Policy
require secure, up-to-date data processing with a purpose
- Can be found in Policy Central
- Updated at least once a year
- Cover changing global regulations, market/customer requirements, and
Cisco's changes in code of business
****** Embedding Data Controls
Quality / Protection / Privacy
Details can be found in Product Secure Baseline Requirements for CSDL.
- Quality: refresh, retention management, destroy when done
- Protection: encryption, confidential/sensitive, role based access, 3rd
party contracts
- Privacy: minimized processing, notice/purpose, legal basis/consent,
individual rights