** 2021-W25
*** 2021-06-23 Wednesday
**** IN-PROGRESS DI doc :work:
:LOGBOOK:
CLOCK: [2021-06-23 Wed 10:10]--[2021-06-23 Wed 11:40] => 1:30
:END:
[2021-06-23 Wed 10:10]
Given a session token (JWT), this is how to retrieve a refresh token for a client without any user interaction or browser redirection: the session JWT stands in for the interactive login, and the three calls below do what the browser would otherwise do.

Given a classic OAuth2 authorization-code client with:
- client_id: localtest
- client_password: localpass
- scopes: inspect
- redirect_uris: [ http://localhost:9001/callback ]

Make the following HTTP calls:
1. call the csrf-token endpoint => retrieve a CSRF token
2. authorize the client (using the CSRF token) => retrieve a CODE (the authorization code comes back inside the callback URL as JSON, not via a browser redirect)
3. call /token with the client secret and the CODE => retrieve access/refresh tokens

Caveat: the session JWT is what authorizes step 2, so anyone holding it can mint a refresh token for the client this way; treat the JWT as a credential of that strength.

In more detail:
#+begin_src sh
IROH_URL="https://visibility.amp.cisco.com"
JWT="<session JWT>"   # placeholder: the session token

# 1. CSRF token
curl -X POST "$IROH_URL/iroh/oauth2/csrf-token" \
  -H "accept: application/json" \
  -H "authorization: Bearer $JWT" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=localtest&scope=inspect"
# {"csrf":"eyJhGc..."}

CSRF="eyJhGc..."

# 2. Authorize the client; the callback URL is returned as JSON instead of a redirect
curl -X POST "$IROH_URL/iroh/oauth2/authorize" \
  -H "accept: application/json" \
  -H "authorization: Bearer $JWT" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=localtest&scope=inspect&csrf=$CSRF&redirect_uri=http://localhost:9001/callback&response_type=code&state="
# {"url":"http://localhost:9001/callback?code=eyJhGc..."}

CODE="eyJhGc..."

# 3. Exchange the code, authenticating as the client (HTTP Basic client_id:client_password)
curl -X POST "$IROH_URL/iroh/oauth2/token" \
  -H "accept: application/json" \
  -u localtest:localpass \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "scope=inspect&code=$CODE&redirect_uri=http://localhost:9001/callback&grant_type=authorization_code"
# {"access_token":"eyJhGc...","scope":"inspect","token_type":"bearer","expires_in":600,"refresh_token":"eyJhGc..."}
#+end_src

*** 2021-06-25 Friday
**** IN-PROGRESS Security School :work:
:LOGBOOK:
CLOCK: [2021-06-25 Fri 10:20]--[2021-06-25 Fri 11:23] => 1:03
:END:
[2021-06-25 Fri 10:20]
***** What it means to be a Trusted company
1. Trust is important, and it has changed (erosion of trust).
2. Why should I pay a premium? Because it is built on trust.
3. Key point: start from a strong position on reputation.
4. Shifting landscape: nobody is satisfied with implicit trust any more.
5. Lack of trust creates a huge gap and stops digitization:
   - 71%: threats hinder innovation
   - 39%: halted a mission-critical digitalization initiative due to cybersecurity concerns
6. How much Cisco is trusted as a company: BPI (Brand Performance Index) score 22%
   - 8% -> is an honest, ethical company
   - 4% -> a company I admire
   ...
7. Trust landscape
   - increasing number of data breaches and cyberattacks
   - digital projects halted due to lack of trust
   - transition from implicit to explicit trust: "Prove it"
   - US-based IT companies are under increased scrutiny, particularly outside of the US; distance between Cisco and the US government
8. Cisco BPI: 50% (MS 65%)
9. Trustworthy
   - active measures to safeguard
   - committed to securing our customers and their data
   - adhere to a secure development lifecycle in the development of products and services
   - we protect the security of our supply chain
10. Transparent
    - access to security vulnerabilities
    - timely, actionable breach notifications to impacted parties
    - publish data regarding requests from law enforcement
    - drive and follow open global standards, and make decisions to develop and implement new tech based on customers' current and anticipated needs
11. Accountable
    - committed to verifying and validating our trustworthiness
    - we admit when we make mistakes that impact the security of our customers and partners, and we work to make things right with them
12. Calls to action
***** Security Vocabulary
1. CIA: the security triangle (of a device, service or data). *Is it secure?*
   - Confidentiality
   - Integrity
   - Availability
2. Confidentiality: who can access it
3. Integrity: information is not unexpectedly modified
4. Availability: information or resources are available when needed
5. Non-repudiation & authenticity
   - Non-repudiation: prove you did or did not do something
   - Authenticity: assurance that a message or other exchange of information is from the source it claims to be from
6. Vulnerability
   - a weakness, design or coding error, or lack of protection in a product that enables an attack
   - vulnerabilities can result from design, programming, or operational flaws
7. Threats
   - Threat: a potential danger that could cause harm to information or a system
   - Threat agent: an entity that acts on a threat (e.g. a hacker)
8. Exploits and attacks
   - Exploit: a practical method to take advantage of a vulnerability
   - Attack: the use of an exploit against an actual vulnerability
   - Attack vector: the theoretical application of an exploit (the path by which it reaches the target)
   - Zero-day attack: an attack that exploits a previously unknown vulnerability for which there is not yet a defense
9. Exposure
   1. probability and severity of an attack using a specific exploit
   2. time between the announcement of a vulnerability and a suitable patch
   3. any information leak that facilitates an attack
10. Mitigation: what can we do? A strategy for reducing or eliminating the severity of a security issue.
11. Attack surface: in reality, the collection of all entry points that could potentially be used to attack the product; any code or hardware that an attacker could potentially access and exploit.
***** Protecting data and privacy
****** DATA
- data = content + context
****** Data is processed by each of us: Engineering, Sales, HR
****** Data must be protected at each stage
- classify it as personal data and/or confidential
- determine what controls to embed per stage using the Cisco Data Policies

Lifecycle:
1. Collection or creation
2. Usage
3. Sharing
4. Curating
5. Retention
6. Destruction

Data sensitivity
****** Cisco Data Policies
- Cisco Data Quality Policy
- Cisco Data Protection Policy
- Cisco Data Privacy Policy
These require secure, up-to-date data processing with a purpose.
- can be found in Policy Central
- updated at least once a year
- cover changing global regulations, market/customer requirements, and Cisco's changes in its code of business
****** Embedding Data Controls
Quality / Protection / Privacy. Details can be found in the Product Secure Baseline Requirements for CSDL.
- Quality: refresh, retention management, destroy when done
- Protection: encryption, confidential/sensitive classification, role-based access, 3rd-party contracts
- Privacy: minimized processing, notice/purpose, legal basis/consent, individual rights
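Scripted version of the three-call flow from the 2021-06-23 DI doc entry above (csrf-token -> authorize -> token). This is an added example, not code from the notes or from Cisco: the endpoint paths, form fields and response shapes are taken from the curl calls in that entry, while the injectable `post` transport, the `extract_code` checks (callback URL must match the registered redirect_uri, `state` must round-trip, exactly one `code`) and the constructed `FakeIroh` stand-in are my own. The notes send an empty `state` and the entry does not show whether IROH echoes a non-empty one back, so `state` defaults to empty and is only enforced when you pass one.

```python
"""Scripted version of the three-call IROH OAuth2 flow (csrf-token -> authorize -> token)."""
import base64
import json
import urllib.parse
import urllib.request


def http_post_form(url, fields, headers):
    """Real transport: POST an application/x-www-form-urlencoded body, parse the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("accept", "application/json")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def extract_code(callback_url, redirect_uri, expected_state):
    """Pull the authorization code out of the callback URL that /authorize returns.

    Applies the checks a real callback handler would (my addition, not from the notes):
    the URL must point at the registered redirect_uri, `state` must round-trip,
    and exactly one `code` parameter must be present.
    """
    got = urllib.parse.urlsplit(callback_url)
    want = urllib.parse.urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError(f"callback URL does not match registered redirect_uri: {callback_url}")
    query = urllib.parse.parse_qs(got.query)
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state in callback URL does not match the state we sent")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback URL must carry exactly one code parameter")
    return codes[0]


def callback_rejected(callback_url, redirect_uri, expected_state):
    """True when extract_code refuses the URL (exercises the failure paths)."""
    try:
        extract_code(callback_url, redirect_uri, expected_state)
    except ValueError:
        return True
    return False


def obtain_tokens(base_url, jwt, client_id, client_secret, scope, redirect_uri,
                  state="", post=http_post_form):
    """Steps 1-3 of the notes. `post(url, fields, headers) -> dict` is injectable so the
    flow can run offline; `state` defaults to the empty value the notes send."""
    bearer = {"authorization": f"Bearer {jwt}"}
    csrf = post(f"{base_url}/iroh/oauth2/csrf-token",
                {"client_id": client_id, "scope": scope}, bearer)["csrf"]
    authz = post(f"{base_url}/iroh/oauth2/authorize",
                 {"client_id": client_id, "scope": scope, "csrf": csrf,
                  "redirect_uri": redirect_uri, "response_type": "code", "state": state},
                 bearer)
    if "url" not in authz:
        raise ValueError(f"authorize did not return a callback URL: {authz}")
    code = extract_code(authz["url"], redirect_uri, state)
    # /token authenticates the client with HTTP Basic, as curl -u does in the notes
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    tokens = post(f"{base_url}/iroh/oauth2/token",
                  {"scope": scope, "code": code, "redirect_uri": redirect_uri,
                   "grant_type": "authorization_code"},
                  {"authorization": f"Basic {basic}"})
    missing = [k for k in ("access_token", "refresh_token") if k not in tokens]
    if missing:
        raise ValueError(f"token response lacks {missing}: {tokens}")
    return tokens


class FakeIroh:
    """Constructed offline stand-in for the three endpoints (not Cisco code). It returns the
    response shapes from the notes and refuses a wrong csrf or code."""

    def __init__(self):
        self.issued_csrf = "csrf-abc"
        self.issued_code = "code-xyz"
        self.calls = []

    def __call__(self, url, fields, headers):
        path = urllib.parse.urlsplit(url).path
        self.calls.append(path)
        if path == "/iroh/oauth2/csrf-token":
            if not headers.get("authorization", "").startswith("Bearer "):
                return {"error": "unauthorized"}
            return {"csrf": self.issued_csrf}
        if path == "/iroh/oauth2/authorize":
            if fields.get("csrf") != self.issued_csrf:
                return {"error": "invalid_csrf"}
            query = {"code": self.issued_code}
            if fields.get("state"):
                query["state"] = fields["state"]
            return {"url": fields["redirect_uri"] + "?" + urllib.parse.urlencode(query)}
        if path == "/iroh/oauth2/token":
            if not headers.get("authorization", "").startswith("Basic "):
                return {"error": "invalid_client"}
            if fields.get("code") != self.issued_code:
                return {"error": "invalid_grant"}
            return {"access_token": "at-1", "scope": fields["scope"], "token_type": "bearer",
                    "expires_in": 600, "refresh_token": "rt-1"}
        raise ValueError(f"unexpected endpoint {path}")


if __name__ == "__main__":
    # Offline run against the constructed stand-in; swap post=http_post_form for the real thing.
    result = obtain_tokens("https://visibility.amp.cisco.com", "<session JWT>", "localtest",
                           "localpass", "inspect", "http://localhost:9001/callback",
                           state="s-123", post=FakeIroh())
    print(result["refresh_token"])
```

Against the real service, drop the `post=` argument and pass the session JWT; the `redirect_uri` check matters because the `url` field is server-supplied and the code should only ever be accepted from the registered callback.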