~/Cedric

MITRE ATT&CK - Mobile Mitigations Recommendations

Mobile Mitigations from MITRE ATT&CK® © 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Coronavirus: COVID-19 Recommendations

Remommendations for Coronavirus: COVID-19, inspired from gouvernement.lu/coronavirus.

Preventive Measure Recommendations

Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.

ANSSI-LU - KPI et Recommandations Recommendations

ANSSI-LU - KPI et Recommandations

A03:2021 – Injection Vulnerabilities

Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. Source code review is the best method of detecting if applications are vulnerable to injections. Automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs is strongly encouraged. Organizations can include the static source (SAST) and dynamic application test (DAST) tools into the CI/CD pipeline to identify introduced injection flaws before production deployment.

A10:2021 – Server-Side Request Forgery (SSRF) Vulnerabilities

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network ACL.

A07:2021 – Identification and Authentication Failures Vulnerabilities

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.

A04:2021 – Insecure Design Vulnerabilities

Insecure design is a broad category representing many different weaknesses, expressed as “missing or ineffective control design.” Missing insecure design is where a control is absent. For example, imagine code that should be encrypting sensitive data, but there is no method. Ineffective insecure design is where a threat could be realized, but insufficient domain (business) logic validation prevents the action. For example, imagine domain logic that is supposed to process pandemic tax relief based upon income brackets but does not validate that all inputs are correctly signed and provides a much more significant relief benefit than should be granted.

ISO/IEC 27002 [2013][de] Security referentials

ISO/IEC 27002:2013 controls

ISO/IEC 27002 [2013][fr] Security referentials

Contrôles ISO/IEC 27002:2013