2021-W25
2021-06-23 Wednesday
IN-PROGRESS DI doc work
CLOCK: [2021-06-23 Wed 10:10]–[2021-06-23 Wed 11:40] => 1:30
[2021-06-23 Wed 10:10]
Given a session token (JWT), this is how to obtain a refresh token for an OAuth2 client without any user interaction or browser redirection. The session JWT stands in for the logged-in user at every step, so whoever holds it (plus a client secret) can mint a refresh token for that client; treat the JWT accordingly.
Given a classical OAuth2 authorization-code client with:
- client_id: localtest
- client_password: localpass (the client secret)
- scopes: inspect
- redirect_uris: [ http://localhost:9001/callback ]
Make the following three HTTP calls, in order:
- POST to the csrf-token endpoint (with the JWT) => retrieve a CSRF token
- POST to the authorize endpoint (with the JWT and the CSRF token) => retrieve an authorization CODE from the returned redirect URL
- POST to /token with the client secret and the CODE => retrieve access and refresh tokens
In more detail:
❯ IROH_URL="https://visibility.amp.cisco.com"
curl -X POST "$IROH_URL/iroh/oauth2/csrf-token" \
-H "accept: application/json" \
-H "authorization: Bearer $JWT" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=localtest&scope=inspect"
{"csrf":"eyJhGc..."}
❯ CSRF="eyJhGc..."
curl -X POST "$IROH_URL/iroh/oauth2/authorize" \
-H "accept: application/json" \
-H "authorization: Bearer $JWT" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=localtest&scope=inspect&csrf=$CSRF&redirect_uri=http://localhost:9001/callback&response_type=code&state="
{"url":"http://localhost:9001/callback?code=eyJhGc..."}
❯ CODE="eyJhGc..."
curl -X POST "$IROH_URL/iroh/oauth2/token" \
-H "accept: application/json" \
-u localtest:localpass \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "scope=inspect&code=$CODE&redirect_uri=http://localhost:9001/callback&grant_type=authorization_code"
{"access_token":"eyJhGc...","scope":"inspect","token_type":"bearer","expires_in":600,"refresh_token":"eyJhGc..."}
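The same three-call flow, automated in Python as an added example (this is not code from the original notes or from the IROH service). The endpoint paths, headers and form parameters are exactly those of the curl calls above; the HTTP transport is injectable so the exchange can be run offline against the FakeIroh class below, which is a constructed stand-in that only mimics the request/response shapes shown in the notes (CSRF bound to client and scope, single-use code, client authenticated with HTTP Basic). The client side also checks that the redirect URL returned by /authorize really points at our registered redirect_uri before it trusts the code in it.

```python
"""Added example: IROH OAuth2 auth-code flow driven by a session JWT (offline-testable)."""
import base64
import json
import secrets
import urllib.parse
import urllib.request

IROH_URL = "https://visibility.amp.cisco.com"
FORM = {"accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded"}
# Constructed client registration matching the notes (not a real credential).
CLIENTS = {"localtest": ("localpass", "http://localhost:9001/callback")}


def http_post(url, headers, form):
    """Real transport: POST a form body and return the decoded JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def refresh_token_from_jwt(jwt, client_id, client_secret, scope, redirect_uri,
                           post=http_post, base_url=IROH_URL):
    """Session JWT -> (access_token, refresh_token) for a registered client."""
    bearer = dict(FORM, authorization=f"Bearer {jwt}")

    # 1. CSRF token, bound to the client and scope we are about to authorize.
    csrf = post(f"{base_url}/iroh/oauth2/csrf-token", bearer,
                {"client_id": client_id, "scope": scope})["csrf"]

    # 2. Authorize: the server returns the redirect URL as JSON instead of
    #    sending a browser there; the authorization code is in its query string.
    reply = post(f"{base_url}/iroh/oauth2/authorize", bearer,
                 {"client_id": client_id, "scope": scope, "csrf": csrf,
                  "redirect_uri": redirect_uri, "response_type": "code",
                  "state": ""})
    url = urllib.parse.urlsplit(reply["url"])
    # Only accept a code that was issued for our own registered redirect_uri.
    if url._replace(query="", fragment="").geturl() != redirect_uri:
        raise ValueError(f"unexpected redirect target: {reply['url']}")
    code = urllib.parse.parse_qs(url.query)["code"][0]

    # 3. Exchange the code, authenticating as the client (HTTP Basic, like curl -u).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    tokens = post(f"{base_url}/iroh/oauth2/token",
                  dict(FORM, authorization=f"Basic {basic}"),
                  {"scope": scope, "code": code, "redirect_uri": redirect_uri,
                   "grant_type": "authorization_code"})
    return tokens["access_token"], tokens["refresh_token"]


def _require(cond, msg):
    if not cond:
        raise PermissionError(msg)


class FakeIroh:
    """Constructed offline stand-in for the three endpoints (not the real server)."""

    def __init__(self, jwt, clients):
        self.jwt, self.clients = jwt, clients  # clients: id -> (secret, redirect_uri)
        self.csrfs, self.codes = {}, {}

    def post(self, url, headers, form):
        path = urllib.parse.urlsplit(url).path
        if path == "/iroh/oauth2/csrf-token":
            _require(headers.get("authorization") == f"Bearer {self.jwt}", "bad JWT")
            tok = secrets.token_urlsafe(16)
            self.csrfs[tok] = (form["client_id"], form["scope"])
            return {"csrf": tok}
        if path == "/iroh/oauth2/authorize":
            _require(headers.get("authorization") == f"Bearer {self.jwt}", "bad JWT")
            _require(self.csrfs.pop(form["csrf"], None) == (form["client_id"], form["scope"]),
                     "CSRF token missing or not bound to this client/scope")
            _require(form["redirect_uri"] == self.clients[form["client_id"]][1],
                     "redirect_uri not registered for client")
            code = secrets.token_urlsafe(16)
            self.codes[code] = form["client_id"]
            return {"url": f"{form['redirect_uri']}?code={code}"}
        if path == "/iroh/oauth2/token":
            scheme, cred = headers.get("authorization", " ").split(" ", 1)
            cid, secret = base64.b64decode(cred).decode().split(":", 1)
            _require(scheme == "Basic" and self.clients.get(cid, (None,))[0] == secret,
                     "bad client credentials")
            _require(self.codes.pop(form["code"], None) == cid, "bad or reused code")
            return {"access_token": "at-" + secrets.token_hex(4), "scope": form["scope"],
                    "token_type": "bearer", "expires_in": 600,
                    "refresh_token": "rt-" + secrets.token_hex(4)}
        raise AssertionError(f"unexpected endpoint {path}")


def demo(jwt="eyJhGc.session"):
    """Run the whole exchange against the fake server; returns (access, refresh)."""
    fake = FakeIroh(jwt, CLIENTS)
    return refresh_token_from_jwt(jwt, "localtest", "localpass", "inspect",
                                  "http://localhost:9001/callback", post=fake.post)


if __name__ == "__main__":
    access, refresh = demo()
    print("access_token:", access, "refresh_token:", refresh)
```

To run it against the real service, call refresh_token_from_jwt without the post argument (the default transport does the network calls) and pass the real session JWT; the redirect check is the one piece of logic the curl transcript does not perform and is worth keeping in any script that automates this.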
2021-06-25 Friday
IN-PROGRESS Security School work
CLOCK: [2021-06-25 Fri 10:20]–[2021-06-25 Fri 11:23] => 1:03
[2021-06-25 Fri 10:20]
What it means to be a trusted company
- trust is important and has changed (erosion of trust)
- why should I pay for premium? Because it is built on trust.
- key point: start from a good reputation
- shifting landscape: customers are no longer satisfied with implicit trust
Lack of trust creates a huge gap and stops digitization
- 71%: threats hinder innovation
- 39% halted a mission-critical digitalization initiative due to cybersecurity concerns
How much is Cisco a trusted company? BPI (Brand Performance Index) score: 22%
- 8% -> is an honest ethical company
- 4% -> company I admire …
Trust Landscape
- increasing number of data breaches and cyberattacks
- digital projects halted due to lack of trust
- transition from implicit to explicit trust: "Prove it"
- US-based IT companies are under increased scrutiny, particularly outside of the US; hence the distance between Cisco and the US government
- Cisco BPI: 50% (MS 65%)
Trustworthy
- active measures to safeguard customers and data
- committed to securing our customers and their data
- adhere to a secure development lifecycle in the development of products and services
- protect the security of our supply chain
Transparent
- access to security vulnerability information
- timely, actionable breach notifications to impacted parties
- publish data regarding requests from law enforcement
- drive and follow open global standards, and make decisions to develop and implement new technology based on customers' current and anticipated
Accountable
- committed to verifying and validating our trustworthiness
- we admit when we make mistakes that impact the security of our customers and partners, and we work to make things right with them
- calls to action
Security Vocabulary
CIA triad: the security triangle for a device, service or data. Is it secure?
- Confidentiality: who can access the information
- Integrity: information is not unexpectedly modified
- Availability: information or resources are available when needed
- Non-repudiation: being able to prove that someone did or did not do something
- Authenticity: assurance that a message or other exchange of information is from the source it claims to be from
Vulnerability:
- a weakness, design or coding error, or lack of protection in a product that enables an attack
- vulnerabilities can result from design, programming, or operational flaws
Threats
- Threat: a potential danger that could cause harm to information or a system
- Threat Agent: an entity that acts on a threat by exploiting a vulnerability (e.g. a hacker)
Exploits and Attacks
- Exploit: a practical method to take advantage of a vulnerability
- Attack: the use of an exploit against an actual vulnerability
- Attack Vector: the path by which an exploit could be applied; theoretical until it is used
- Zero-Day Attack: an attack that exploits a previously unknown vulnerability for which there is not yet a defense
Exposure
- probability and severity of an attack using a specific exploit
- the window between the announcement of a vulnerability and a suitable patch
- any information leak that facilitates an attack
Mitigation
- What can we do? A strategy for reducing or eliminating the severity of a security issue.
Attack Surface
- the collection of all entry points that could potentially be used to attack the product: any code or hardware that an attacker could potentially access and exploit
Protecting data and privacy
- data = content + context
Engineer, Sales, HR: every role handles data and has to
- classify it as personal data and/or confidential
- determine what controls to embed at each lifecycle stage using Cisco Data Policies
Lifecycle
- Collection or Creation
- Usage
- Sharing
- Curating
- Retention
- Destruction
Data sensitivity
- Cisco Data Quality Policy
- Cisco Data Protection Policy
- Cisco Data Privacy Policy
These require secure, up-to-date data processing with a stated purpose.
- can be found in Policy Central
- updated at least once a year
- cover changing global regulations, market/customer requirements, and changes in Cisco's code of business conduct
Quality / Protection / Privacy details can be found in the Product Secure Baseline Requirements for CSDL.
- Quality: refresh, retention management, destroy when done
- Protection: encryption, confidential/sensitive classification, role-based access, 3rd-party contracts
- Privacy: minimized processing, notice/purpose, legal basis/consent, individual rights