deft/2021-W25.org
Yann Esposito (Yogsototh) b98cc88eab
2021-W25.org
2021-08-17 14:47:43 +02:00

** 2021-W25
*** 2021-06-23 Wednesday
**** IN-PROGRESS DI doc :work:
:LOGBOOK:
CLOCK: [2021-06-23 Wed 10:10]--[2021-06-23 Wed 11:40] => 1:30
:END:
[2021-06-23 Wed 10:10]
Given a session token (JWT), this is how to retrieve a refresh token for a
client, bypassing any user interaction or browser redirection.
Given a classical OAuth2 Auth code client with:
- client_id: localtest
- client_password: localpass
- scopes: inspect
- redirect_uris: [ http://localhost:9001/callback ]
Make the following HTTP calls:
1. call the csrf endpoint => retrieve a CSRF token
2. authorize the client (using the CSRF token) => retrieve a CODE token
3. call /token with the client secret and the CODE token => retrieve
access/refresh tokens
In more detail:
#+begin_src sh
# JWT holds the session token obtained beforehand (not shown here)
IROH_URL="https://visibility.amp.cisco.com"
# 1. get a CSRF token bound to this session, client and scope
curl -X POST "$IROH_URL/iroh/oauth2/csrf-token" \
  -H "accept: application/json" \
  -H "authorization: Bearer $JWT" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=localtest&scope=inspect"
# => {"csrf":"eyJhGc..."}
CSRF="eyJhGc..."
# 2. authorize the client; the callback URL carrying the code comes back as JSON
#    instead of a browser redirect
curl -X POST "$IROH_URL/iroh/oauth2/authorize" \
  -H "accept: application/json" \
  -H "authorization: Bearer $JWT" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=localtest&scope=inspect&csrf=$CSRF&redirect_uri=http://localhost:9001/callback&response_type=code&state="
# => {"url":"http://localhost:9001/callback?code=eyJhGc..."}
CODE="eyJhGc..."
# 3. exchange the code for tokens, authenticating as the client (-u id:secret)
curl -X POST "$IROH_URL/iroh/oauth2/token" \
  -H "accept: application/json" \
  -u localtest:localpass \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "scope=inspect&code=$CODE&redirect_uri=http://localhost:9001/callback&grant_type=authorization_code"
# => {"access_token":"eyJhGc...","scope":"inspect","token_type":"bearer","expires_in":600,"refresh_token":"eyJhGc..."}
#+end_src
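The same three calls scripted in Python, as an added example that is not part of the original note nor of the IROH project. It assumes the endpoint paths, header names, form fields and JSON replies exactly as in the curl calls above; everything else is constructed: =FakeIroh= is a stand-in for the server side that enforces what the flow relies on (a valid session JWT, a one-time CSRF token, a registered redirect_uri, the client secret, a one-time code), so the flow can be exercised and checked offline, and =urllib_post= is the transport to use against a real deployment.

```python
"""Drive the csrf-token -> authorize -> token flow from a session JWT."""
import base64
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse


def urllib_post(url, headers=None, data=None, auth=None):
    """Real transport: POST a form body, return the decoded JSON reply.
    Headers and encoding mirror the curl calls in the note."""
    hdrs = {"accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded"}
    hdrs.update(headers or {})
    if auth:  # HTTP Basic, what `curl -u client:secret` sends
        raw = f"{auth[0]}:{auth[1]}".encode()
        hdrs["authorization"] = "Basic " + base64.b64encode(raw).decode()
    req = urllib.request.Request(url, data=urlencode(data or {}).encode(),
                                 headers=hdrs, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def fetch_tokens(post, base_url, jwt, client_id, client_secret, scope, redirect_uri):
    """Steps 1-3 of the note. `post` is any callable with urllib_post's
    signature, so the same code runs against FakeIroh below."""
    bearer = {"authorization": f"Bearer {jwt}"}
    # 1. CSRF token for this session/client/scope
    csrf = post(f"{base_url}/iroh/oauth2/csrf-token", headers=bearer,
                data={"client_id": client_id, "scope": scope})["csrf"]
    # 2. authorize: the callback URL with the code is returned as JSON
    reply = post(f"{base_url}/iroh/oauth2/authorize", headers=bearer,
                 data={"client_id": client_id, "scope": scope, "csrf": csrf,
                       "redirect_uri": redirect_uri, "response_type": "code",
                       "state": ""})
    code = parse_qs(urlparse(reply["url"]).query)["code"][0]
    # 3. exchange the code, authenticating as the client with its secret
    return post(f"{base_url}/iroh/oauth2/token", auth=(client_id, client_secret),
                data={"scope": scope, "code": code, "redirect_uri": redirect_uri,
                      "grant_type": "authorization_code"})


class FakeIroh:
    """Constructed stand-in for the server (assumption: not Cisco's code).
    Checks: session JWT, one-time CSRF token, registered redirect_uri,
    client secret, one-time code bound to its redirect_uri."""

    def __init__(self, session_jwt, client_id, client_secret, redirect_uris):
        self.session_jwt = session_jwt
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uris = set(redirect_uris)
        self.csrf_tokens = set()  # issued, not yet consumed
        self.codes = {}           # code -> (redirect_uri, scope), unconsumed

    def _check_session(self, headers):
        if (headers or {}).get("authorization") != f"Bearer {self.session_jwt}":
            raise PermissionError("invalid session token")

    def post(self, url, headers=None, data=None, auth=None):
        path, data = urlparse(url).path, data or {}
        if path == "/iroh/oauth2/csrf-token":
            self._check_session(headers)
            token = secrets.token_urlsafe(16)
            self.csrf_tokens.add(token)
            return {"csrf": token}
        if path == "/iroh/oauth2/authorize":
            self._check_session(headers)
            if data.get("csrf") not in self.csrf_tokens:
                raise PermissionError("unknown or replayed csrf token")
            self.csrf_tokens.discard(data["csrf"])
            if (data.get("client_id") != self.client_id
                    or data.get("redirect_uri") not in self.redirect_uris):
                raise PermissionError("client/redirect_uri mismatch")
            code = secrets.token_urlsafe(16)
            self.codes[code] = (data["redirect_uri"], data.get("scope", ""))
            return {"url": f"{data['redirect_uri']}?code={code}"}
        if path == "/iroh/oauth2/token":
            if auth != (self.client_id, self.client_secret):
                raise PermissionError("bad client credentials")
            issued = self.codes.pop(data.get("code"), None)
            if issued is None or issued[0] != data.get("redirect_uri"):
                raise PermissionError("unknown, replayed or mismatched code")
            return {"access_token": secrets.token_urlsafe(24), "scope": issued[1],
                    "token_type": "bearer", "expires_in": 600,
                    "refresh_token": secrets.token_urlsafe(24)}
        raise ValueError(f"no such endpoint: {path}")


if __name__ == "__main__":
    server = FakeIroh("session-jwt", "localtest", "localpass",
                      ["http://localhost:9001/callback"])
    print(fetch_tokens(server.post, "https://iroh.invalid", "session-jwt",
                       "localtest", "localpass", "inspect",
                       "http://localhost:9001/callback"))
```

Against a real deployment, pass =urllib_post= as =post= and the IROH_URL from the note as =base_url=. The fake server is the useful part for review: each artefact (CSRF token, code) is consumed on first use, and step 3 only succeeds with the client secret and the same redirect_uri the code was issued for, which is exactly what the real endpoints must enforce for this session-token shortcut to be no weaker than the browser flow.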
*** 2021-06-25 Friday
**** IN-PROGRESS Security School :work:
:LOGBOOK:
CLOCK: [2021-06-25 Fri 10:20]--[2021-06-25 Fri 11:23] => 1:03
:END:
[2021-06-25 Fri 10:20]
What it means to be a trusted company
1. Trust is important and has changed (erosion of trust)
2. Why should I pay for premium; built on trust.
3. Key point: start with a good point on the reputation
4. Shifting landscape, no longer satisfied with implicit trust.
5. Lack of trust creates a huge gap, stops digitizing
- 71%: threats hinder innovation
- 39% halted mission-critical initiatives to digitalize due to
cybersecurity concerns
6. How much Cisco is a trusted company
BPI (Brand Performance Index) score 22%
- 8% -> is an honest ethical company
- 4% -> company I admire
...
7. Trust Landscape
- Increasing number of data breaches and cyberattacks
- halting digital projects due to lack of trust
- transition from implicit to explicit trust "Prove it"
- US-based IT companies are under increased scrutiny, particularly
outside of the US.
Distance between Cisco and US government.
8. Cisco BPI: 50% (MS 65%)
9. Trustworthy
- active measures to safeguard
- committed to securing our customers and data
- adhere to a secure development lifecycle in the development of products and services
- we protect security of our supply chain
10. Transparent
- access to security vulnerabilities
- timely actionable breach notifications to impacted parties
- publish data regarding requests from law enforcement
- drive and follow open global standards and make decisions to
develop and implement new tech based on customers' current and
anticipated
11. Accountable
- committed to verify and validate our trustworthiness
- we admit we make mistakes that impact the security of our customers
and partners and we work to make things right with those customers
and partners
12. Calls to action
***** Security Vocabulary
1. CIA: Security triangle (of device, service or data) *Is it Secure?*
- Confidentiality
- Integrity
- Availability
2. Confidentiality (who can access)
3. Integrity (information is not unexpectedly modified)
4. Availability (information or resources are available when needed)
5. Non-Repudiation & Authenticity
Non-repudiation: Prove you did or didn't do something
Authenticity: Assurance that a message or other exchange of information
is from source it claims to be from
6. Vulnerability:
- a weakness, design or coding error, or lack of protection in a product
that enables an attack
- Vulnerability can result from Design, Programming, or
Operational flaws.
7. Threats
- Threat: a potential danger that could cause harm to information or a system
- Threat Agent: an entity that exploits a threat (a hacker)
8. Exploits and Attacks
- Exploit: practical method to take advantage of a vuln
- Attack: use an exploit against an actual vuln
- Attack Vector: theoretical application of an exploit
- Zero-Day Attack: an attack that exploits a previously unknown
vuln for which there is not yet a defense
9. Exposure
1. probability and severity of an attack using a specific exploit
2. time between the announcement of vuln and a suitable patch
3. any info leak that facilitates an attack
10. Mitigation
What can we do?
Strategy for reducing or eliminating the severity of a security issue.
11. Attack Surface - Reality
collection of all entry points that could potentially be used to attack
the product. Any code or hardware that an attacker could potentially
access and exploit.
***** Protecting data and privacy
****** DATA
- data = content + context
****** Data is processed by each of us
Engineer, Sales, HR
****** Data must be protected at each stage
- classify it as personal data and/or confidential
- determine what controls to embed per stage using Cisco Data Policies
Lifecycle
1. Collection or Creation
2. Usage
3. Sharing
4. Curating
5. Retention
6. Destruction
Data sensitivity
****** Cisco Data Policies
- Cisco Data Quality Policy
- Cisco Data Protection Policy
- Cisco Data Privacy Policy
require secure up-to-date data processing with purpose
- Can be found in Policy Central
- Updated at least once a year
- Cover changing global regulations, market/customer requirements, and
Cisco's changes in code of business
****** Embedding Data Controls
Quality / Protection / Privacy
Details can be found in Product Secure Baseline Requirements for CSDL.
- Quality: refresh, retention management, destroy when done
- Protection: encryption, confidential/sensitive, role based access, 3rd
party contracts
- Privacy: minimized processing, notice/purpose, legal basis/consent,
individual rights