Security
Datenschutz mit SAP
Entwickeln Sie ein Datenschutzkonzept, das den strengen Anforderungen der EU-Datenschutz-Grundverordnung (DSGVO) standhält. Dieses Buch erklärt Ihnen die rechtlichen Grundlagen und zeigt Ihnen Schritt für Schritt, wie Sie mithilfe von SAP-Lösungen Ihre IT-Landschaft (ob on-premise oder in der Cloud) datenschutzkonform gestalten. Von der Einführung eines Sperr- und Löschkonzeptes bis hin zur Umsetzung der Informations- und Berichtspflichten werden alle erforderlichen Maßnahmen praxisnah erläutert. Aus dem Inhalt: Was bedeutet die DSGVO für Sie?Personenbezogene Daten im SAP-SystemDer Weg zur datenschutzkonformen IT-LandschaftSperren und Löschen mit SAP Information Lifecycle ManagementOrganisations- und Stammdatenstrukturen entwickelnData Controller Rule FrameworkAuswirkungen auf das BerechtigungskonzeptInformation Retrieval FrameworkSecurity SafeguardsSAP Read Access LoggingSAP Cloud PlatformAriba, SuccessFactors, Concur, C/4HANASAP-Lösungen für GRCZentrale Kontrollen Geleitwort ... 19 Einleitung ... 21 1. »Maßnehmen für Maßnahmen«: Einführung ... 31 1.1 ... Die DSGVO fiel nicht vom Himmel ... 32 1.2 ... Was bedeutet die DSGVO für Sie? ... 33 1.3 ... Welche Anforderungen sind notwendigerweise technisch zu unterstützen? ... 67 1.4 ... Welche Anforderungen können technisch unterstützt werden? ... 88 1.5 ... Auftragsverarbeitung ... 95 1.6 ... Zusammenfassung ... 97 2. »Wo laufen sie denn«: Wo Sie personenbezogene Daten finden ... 99 2.1 ... SAP Business Suite und SAP S/4HANA ... 100 2.2 ... Stammdaten -- Bewegungsdaten ... 100 2.3 ... Personenbezogene Daten in SAP ERP und SAP S/4HANA ... 102 2.4 ... Personenbezogene Daten in SAP ERP Human Capital Management ... 117 2.5 ... Personenbezogene Daten in SAP Customer Relationship Management ... 121 2.6 ... Zusammenfassung ... 125 3. »Vom ersten Schritt zum Weg zum Ziel«: Vorgehensmodell ... 127 3.1 ... Übersicht zur Vorgehensweise ... 127 3.2 ... Wege zum Verzeichnis von Verarbeitungstätigkeiten ... 148 3.3 ... Zusammenfassung ... 151 4. »Auch das Ende muss bestimmt sein«: Sperren und Löschen mit SAP Information Lifecycle Management ... 153 4.1 ... Einführung ... 154 4.2 ... Überblick über das Sperren und Löschen mit SAP ILM ... 160 4.3 ... Vorbereitungen für das vereinfachte Sperren ... 164 4.4 ... Stamm- und Bewegungsdaten sperren ... 190 4.5 ... Datenvernichtung ... 209 4.6 ... Legal Case Management ... 226 4.7 ... ILM-Benachrichtigungen ... 240 4.8 ... Zeitabhängiges Sperren personenbezogener Daten in der Personaladministration (SAP ERP HCM-PA) ... 250 4.9 ... Zusammenfassung ... 251 5. »Struktur ist alles«: Verarbeitung muss auf dem Zweck basieren ... 253 5.1 ... Verantwortlicher und Zweck ... 253 5.2 ... Organisationsstrukturen (Linienorganisation) ... 257 5.3 ... Prozessorganisation ... 263 5.4 ... Linien- und Prozessorganisation definieren den Zweck ... 270 5.5 ... Zusammenfassung ... 272 6. »Dem Ende Struktur geben«: Data Controller Rule Framework ... 273 6.1 ... Organisation des Löschens in Geschäftsprozessen ... 274 6.2 ... Funktionen und Konfiguration des Data Controller Rule Frameworks ... 278 6.3 ... Zusammenfassung ... 297 7. »Die Struktur berechtigt«: Auswirkungen auf das Berechtigungskonzept ... 299 7.1 ... Benutzer und Berechtigungen -- eine Einführung ... 299 7.2 ... Organisationsebenen neu denken ... 305 7.3 ... Prozessattribute identifizieren ... 308 7.4 ... Berechtigungsrisiken ... 309 7.5 ... Zusammenfassung ... 314 8. »Transparenz gewinnt«: Information Retrieval Framework ... 315 8.1 ... Transparenz -- Auskunft und Vorabinformation ... 316 8.2 ... Neuerungen im Information Retrieval Framework ... 317 8.3 ... Setup des Information Retrieval Frameworks ... 319 8.4 ... Ein Datenmodell erzeugen ... 324 8.5 ... Datenmodell testen ... 335 8.6 ... Beauskunftung durchführen ... 344 8.7 ... Komplexere Feldverknüpfungen ... 349 8.8 ... Datenmodell im Browser anzeigen ... 350 8.9 ... Bestehende Datenmodelle übernehmen ... 352 8.10 ... Zusammenfassung ... 353 9. »Schau mal, wer da liest«: Read Access Logging ... 355 9.1 ... Anforderungen an eine Leseprotokollierung ... 355 9.2 ... Verfügbarkeit und Funktionsumfang von Read Access Logging ... 357 9.3 ... Setup und Pflege ... 358 9.4 ... Festlegen von Zweckbestimmung und Protokolldomänen ... 361 9.5 ... Aufzeichnungen für UI-Kanäle ... 364 9.6 ... Konfigurationen ... 368 9.7 ... Auswertung von Protokollen ... 373 9.8 ... Konfigurationen für Remote-API-Kanäle ... 377 9.9 ... Bedingungen ... 381 9.10 ... Transportmechanismen ... 386 9.11 ... Import und Export ... 386 9.12 ... Zusammenfassung ... 387 10. »Der Herr der Daten werden«: SAP Master Data Governance ... 389 10.1 ... Transparenz erzielen ... 389 10.2 ... Die Szenarien der Stammdatenpflege ... 390 10.3 ... Central Governance in SAP Master Data Governance ... 391 10.4 ... Konsolidierung in SAP Master Data Governance ... 393 10.5 ... Kombination der Szenarien ... 396 10.6 ... Sensible Daten mit SAP Master Data Governance bearbeiten ... 396 10.7 ... Organisatorische Trennung ... 398 10.8 ... Datenqualitätssicherung mit Services ... 400 10.9 ... Zusammenfassung ... 403 11. »Der Kopf in den Wolken«: Datenschutz in Cloud-Lösungen ... 405 11.1 ... Datenschutz aus Sicht der Cloud -- eine Einführung ... 405 11.2 ... Datenschutzservices und -prozesse für die SAP-Cloud-Lösungen ... 412 11.3 ... Zusammenfassung ... 433 12. »Lösungen, die wachsen und nicht wuchern«: Datenschutz in der SAP Cloud Platform ... 435 12.1 ... Was ist SAP Cloud Platform? ... 435 12.2 ... Datenschutzfunktionen von SAP Subscription Billing ... 443 12.3 ... Datenschutzfunktionen der SAP Cloud Platform für kundeneigene Cloud-Anwendungen ... 461 13. »In der Wolke auf Sicht steuern«: Übersicht über die Datenschutzfunktionen in SAP-Cloud-Lösungen ... 477 13.1 ... Einführung ... 477 13.2 ... Datenschutz in SAP Ariba ... 480 13.3 ... Datenschutz in SAP Concur ... 500 13.4 ... Datenschutzfunktionen in SAP SuccessFactors ... 521 13.5 ... Datenschutzfunktionen in SAP Customer Experience ... 553 13.6 ... Zusammenfassung ... 597 14. »Täglich grüßt das ...«: Schützen, Kontrollieren, Nachweisen und Kontrollen nachweisen ... 599 14.1 ... Kontrollrahmen und Grundlagen der Verarbeitung ... 600 14.2 ... Rechtmäßigkeit, Treu und Glauben und Transparenz ... 601 14.3 ... Zweckbindung ... 603 14.4 ... Datenminimierung ... 606 14.5 ... Richtigkeit ... 610 14.6 ... Speicherbegrenzung ... 612 14.7 ... Integrität und Vertraulichkeit ... 614 14.8 ... Rechenschaftspflicht ... 623 14.9 ... Abstrakte technische Kontrollhandlungen ... 625 14.10 ... Beispiele technischer Kontrollhandlungen ... 627 14.11 ... Zusammenfassung ... 658 A. Glossar ... 663 B. Relevante Transaktionen, relevante Reports, Hinweise ... 669 C. Literaturverzeichnis ... 675 D. Die Autoren ... 679 Index ... 683
Interconnection Network Reliability Evaluation
THIS BOOK PRESENTS NOVEL AND EFFICIENT TOOLS, TECHNIQUES AND APPROACHES FOR RELIABILITY EVALUATION, RELIABILITY ANALYSIS, AND DESIGN OF RELIABLE COMMUNICATION NETWORKS USING GRAPH THEORETIC CONCEPTS.In recent years, human beings have become largely dependent on communication networks, such as computer communication networks, telecommunication networks, mobile switching networks etc., for their day-to-day activities. In today's world, humans and critical machines depend on these communication networks to work properly. Failure of these communication networks can result in situations where people may find themselves isolated, helpless and exposed to hazards. It is a fact that every component or system can fail and its failure probability increases with size and complexity.The main objective of this book is to devize approaches for reliability modeling and evaluation of such complex networks. Such evaluation helps to understand which network can give us better reliability by their design. New designs of fault-tolerant interconnection network layouts are proposed, which are capable of providing high reliability through path redundancy and fault tolerance through reduction of common elements in paths. This book covers the reliability evaluation of various network topologies considering multiple reliability performance parameters (two terminal reliability, broadcast reliability, all terminal reliability, and multiple sources to multiple destinations reliability).DR. NEERAJ KUMAR GOYAL is currently an Associate Professor in Subir Chowdhury School of Quality and Reliability, Indian Institute of Technology (IIT), Kharagpur, India. He received his PhD degree from IIT Kharagpur in reliability engineering in 2006.His areas of research and teaching are network reliability, software reliability, electronic system reliability, reliability testing, probabilistic risk/safety assessment, and reliability design. He has completed various research and consultancy projects for various organizations, e.g. DRDO, NPCIL, Vodafone, and ECIL. He has contributed several research papers to various international journals and conference proceedings. DR. S. RAJKUMAR received his BE (Distinction) and ME (Distinction) degrees from Anna University, India, in 2009 and 2011, respectively. He obtained his PhD from the Indian Institute of Technology Kharagpur, India in 2017. Currently working as an Assistant Professor in Department of ECE at Adama Science and Technology University (ASTU), Ethiopia. His research interests include reliability engineering and interconnection networks. He has contributed notable research papers to international journals. Series Editor Preface ixPreface xiii1 INTRODUCTION 11.1 Introduction 11.2 Network Reliability Measures 21.3 The Probabilistic Graph Model 41.4 Approaches for Network Reliability Evaluation 61.5 Motivation and Summary 72 INTERCONNECTION NETWORKS 112.1 Interconnection Networks Classification 112.2 Multistage Interconnection Networks (MINs) 142.3 Research Issues in MIN Design 152.4 Some Existing MINs Implementations 192.5 Review of Topological Fault Tolerance 202.5.1 Redundant and Disjoint Paths 222.5.2 Backtracking 262.5.3 Dynamic Rerouting 272.6 MIN Topological Review on Disjoint Paths 272.6.1 Single-Disjoint Path Multistage Interconnection Networks 272.6.2 Two-Disjoint Paths Multistage Interconnection Networks 362.6.3 Three-Disjoint Paths Multistage Interconnection Networks 472.6.4 Four-Disjoint Paths Multistage Interconnection Networks 512.7 Hardware Cost Analysis 552.8 Observations 602.9 Summary 613 MIN RELIABILITY EVALUATION TECHNIQUES 633.1 Reliability Performance Criterion 633.1.1 Two Terminal or Terminal Pair Reliability (TPR) 643.1.2 Network or All Terminal Reliability (ATR) 643.1.3 Broadcast Reliability 653.2 Approaches for Reliability Evaluation 663.2.1 Continuous Time Markov Chains (CTMC) 673.2.2 Matrix Enumeration 673.2.3 Conditional Probability (CP) Method 673.2.4 Graph Models 693.2.5 Decomposition Method 703.2.6 Reliability Block Diagram (RBD) 713.2.7 Reliability Bounds 733.2.7.1 Lower Bound Reliability 753.2.7.2 Upper Bound Reliability 763.2.8 Monte Carlo Simulation 773.2.9 Path-Based or Cut-Based Approaches 783.3 Observations 814 TERMINAL RELIABILITY ANALYSIS OF MIN LAYOUTS 854.1 Chaturvedi and Misra Approach 874.1.1 Path Set Enumeration 884.1.2 Reliability Evaluation using MVI Techniques 964.1.3 Reliability Evaluation Techniques Comparison 994.1.3.1 Terminal Reliability of SEN, SEN+ and SEN+2 1004.1.3.2 Broadcast Reliability of SEN, SEN +, and SEN+2 1014.1.3.3 Comparison 1024.2 Reliability Analysis of Multistage Interconnection Networks 1044.3 Summary 1135 COMPREHENSIVE MIN RELIABILITY PARADIGMS EVALUATION 1155.1 Introduction 1155.2 Reliability Evaluation Approach 1195.2.1 Path Set Enumeration 1205.2.1.1 Assumptions 1205.2.1.2 Applied Approach 1215.2.1.3 Path Tracing Algorithm (PTA) 1225.2.1.4 Path Retrieval Algorithm (PRA) 1235.3 Reliability Evaluation Using MVI Techniques 1405.4 Summary 1566 DYNAMIC TOLERANT AND RELIABLE FOUR DISJOINT MIN LAYOUTS 1576.1 Topological Design Considerations 1606.1.1 Topology 1616.1.2 Switch Selection for Proposed 4DMIN 1626.2 Proposed 4-Disjoint Multistage Interconnection Network (4DMIN) Layout 1646.2.1 Switching Pattern 1646.2.2 Redundant and Disjoint Paths 1656.2.3 Routing and Dynamic Rerouting 1666.2.4 Algorithm: Decision Making by Switches at Each Stage 1686.2.5 Case Example 1706.2.6 Disjoint and Dynamic Rerouting Approach in 4DMIN 1726.2.7 Hardware Cost Analysis 1726.3 Reliability Analysis and Comparison of MINs 1746.4 Reliable Interconnection Network (RIN) Layout 1816.4.1 Topology Design 1856.4.2 Switching Pattern 1876.4.3 Routing and Dynamic Rerouting 1896.5 Reliability Analysis and Comparison of MINs 1976.6 Summary 201References 203Index 213
Systems and Network Infrastructure Integration
IT infrastructures are now essential in all areas and sectors of human activity; they are the cornerstone of any information system. Thus, it is clear that the greatest of care must be given to their design, implementation, security and supervision in order to ensure optimum functionality and better performance. Within this context, Systems and Network Infrastructure Integration presents the methodological and theoretical principles necessary to successfully carry out an integration project for network and systems infrastructures. This book is aimed at anyone interested in the field of networks in general. In particular, it is intended for students of fields relating to networks and computer systems who are called upon to integrate their knowledge and skills, gained throughout their academic study, into a comprehensive project to set up a complete infrastructure, while respecting the necessary specifications.SAIDA HELALI is a university lecturer in Information Technology (specializing in networks and information systems) at the Institut Supérieur des Etudes Technologiques de Radès (Tunisia). He holds an ACREDITE master's degree (Analysis, Conception and Research in the Domain of Educational Technology Engineering), which was jointly awarded by the Université de Cergy-Pontoise (France), the Université de MONS (Belgium) and the Université de Genève (Switzerland). In 2017, he was chair of the Tunisian branch of the IEEE Education Society and he is also an acting member of AIPU TUNISIE, an international association about university pedagogy.Preface ixCHAPTER 1. INTRODUCTION TO PROJECT MANAGEMENT 11.1. Introduction 11.2. Project management 21.3. Project management methods and tools 31.3.1. Gantt diagram 51.3.2. RACI (Responsible, Accountable, Consulted, Informed) matrix 51.3.3. The concept of specifications 61.4. Chapter summary 8CHAPTER 2. SIMULATING NETWORK ARCHITECTURES WITH GNS3 92.1. Introduction 92.2. Definition 102.3. Introduction to GNS3 112.3.1. Functionalities of GNS3 122.3.2. Limitations 122.3.3. GNS3 installation 122.3.4. Getting started with GNS3 132.4. Chapter summary 25CHAPTER 3. GREEN IT 273.1. Introduction 273.2. Introduction of concept 283.3. Green IT trigger factors 293.4. Benefits of Green IT 293.5. The lifecycle of ICTs 303.6. Mechanisms and technical solutions for the implementation of a Green IT infrastructure 313.7. Green IT labels and standards 333.8. Some examples of Eco-ICTs 343.9. Chapter summary 36CHAPTER 4. DESIGN OF NETWORK INFRASTRUCTURES 374.1. Introduction 374.2. The founding principles of networks 384.2.1. Definition and preliminaries 384.2.2. Classification of digital data networks 394.2.3. Components of a network 404.2.4. Measuring network performance 454.2.5. Concepts of collision domain/broadcast domain and VLANs 474.3. Methods and models of IT network design 484.3.1. Principles of structured engineering 484.4. Assessment of needs and choice of equipment 544.5. Chapter summary 56CHAPTER 5. NETWORK SERVICES 575.1. Introduction 575.2. DHCP service 585.2.1. Introduction 585.2.2. Operating principle 585.2.3. Renewal of lease 625.2.4. The concept of a DHCP relay 625.3. DNS service 635.3.1. Introduction 635.3.2. Operating principle 635.4. LDAP service 665.4.1. Introduction 665.4.2. LDAP protocol 675.4.3. LDAP directory 685.5. E-mail service 705.5.1. Introduction 705.5.2. Architecture and operating principle. 715.5.3. Protocols involved 725.6. Web server 735.6.1. Introduction 735.6.2. Operating principle 735.6.3. The principle of virtual hosting 745.7. FTP file transfer service 765.7.1. Definition 765.7.2. Operating principle 775.7.3. Types 775.8. Chapter summary 78CHAPTER 6. SYSTEM AND NETWORK SECURITY 796.1. Introduction 796.2. Definitions, challenges and basic concepts 806.3. Threats/attacks 826.3.1. Access attacks 826.3.2. Modification attacks 836.3.3. Saturation attacks 836.3.4. Repudiation attacks 836.4. Security mechanisms 836.4.1. Encryption tools 846.4.2. Antivirus programs 846.4.3. Firewalls/IDS and IPS 846.4.4. VPNs 866.4.5. Other means of security 896.5. Security management systems: norms and security policies 916.5.1. Norms 916.5.2. The idea of security policy 926.6. Chapter summary 93CHAPTER 7. VIRTUALIZATION AND CLOUD COMPUTING 957.1. Introduction 957.2. Virtualization 967.2.1. Definition 967.2.2. Benefits of virtualization 967.2.3. Areas of application 977.2.4. Categories of virtualization 1007.2.5. Limits of virtualization 1037.3. Cloud computing 1037.3.1. Definitions 1037.3.2. Leverage factors and generic principles 1047.3.3. Architecture models 1047.3.4. Types of cloud 1077.3.5. Areas of application 1097.3.6. Advantages and limitations 1107.4. Chapter summary 111CHAPTER 8. QUALITY OF SERVICE AND HIGH AVAILABILITY 1138.1. Introduction 1138.2. Quality of service 1148.2.1. Motivation 1148.2.2. Definition(s) 1158.2.3. Objectives of QoS 1168.2.4. Metrics of QoS 1178.2.5. General principles of QoS 1188.2.6. QoS mechanisms 1208.3. High availability 1418.3.1. Redundancy in the physical layer 1438.3.2. Redundancy in the data link layer 1438.3.3. Redundancy in the network layer 1498.3.4. Redundancy in the application layer 1548.4. Chapter summary 156CHAPTER 9. MONITORING SYSTEMS AND NETWORKS 1579.1. Introduction 1579.2. Main concepts of network and service supervision 1589.2.1. Definition 1589.2.2. Challenges of monitoring 1589.2.3. Typology 1599.3. Monitoring protocols 1619.3.1. SNMP protocol (Simple Network Management Protocol) 1619.3.2. WMI (Windows Management Instrumentation) 1649.3.3. WS-Management (Web Services for Management) 1649.3.4. IPMI (Intelligent Platform Management Interface) 1649.3.5. NetFlow/IPFIX 1659.3.6. Netconf 1659.4. Monitoring tools 1659.4.1. Commercial monitoring solutions (HP OpenView, Tivoli) and software publisher solutions 1669.4.2. Free monitoring solutions 1679.5. Chapter summary 171References 173Index 179
Datenbanken
Fundierte Einführung in relationale Datenbanken und die Anfragesprache SQL Datenbanken für die Berufspraxis verstehen, anwenden und entwickelnMit zwei durchgängigen Beispielen und zahlreichen ÜbungenDatenbanken haben sich zu einem unverzichtbaren Bestandteil jeglicher Informationssysteme entwickelt, um größere Mengen strukturierter Daten verwalten, wiederauffinden und analysieren zu können.Die Autoren vermitteln fundiert und kompakt die zum Verständnis und auch zur Entwicklung solcher Systeme notwendigen Kenntnisse aus den Bereichen Datenbankentwurf, Datenmodellierung, Datenänderungen und Datenanalysen und stellen die relationale Datenbanksprache SQL ausführlich vor. Alle Konzepte und Sprachelemente erläutern die Autoren anhand von zwei durchgängigen Beispielen. Des Weiteren besprechen die Autoren Themen wie Nutzersichten, Datenschutz, Integritätssicherung, Tuning von Datenbankanwendungen sowie statistische Datenanalysen (Data Warehousing, Data Mining). Sie erläutern auch neuere Entwicklungen wie NoSQL-Datenbanksysteme, spaltenorientierte Speicherungsformen und die Analyse von Big Data.Das Buch richtet sich vor allem an Schüler und Studenten außerhalb des Fachbereichs Informatik, die schnell und dennoch fundiert die Grundlagen zur Entwicklung und zum Einsatz von Datenbanken lernen wollen. Übungsaufgaben am Ende jedes Kapitels machen das Buch ideal für Studium und Selbststudium.Aus dem Inhalt:Was sind Datenbanken? Relationale Datenbanken:Daten als Tabellen Das Entity-Relationship-Modell Datenbankentwurf Normalisierung für eine redundanzfreie DatenbankDatendefinition und Updates in SQLAnfragen in SQLSichten und DatenschutzIntegrität und TriggerStatistische Datenanalysen (Data Warehousing, Data Mining)Arbeitsweise eines DBMS und TuningOLTP- und OLAP-SystemRow und Column Stores, NoSQL und NewSQLAusblick inklusive Verarbeitung von Big DataZwei durchgängige Beispiele mit Datenbankentwurf und relationaler RepräsentationAndreas Heuer, Gunter Saake und Kai-Uwe Sattler sind Professoren für Informatik an den Universitäten von Rostock, Magdeburg und Ilmenau. Holger Meyer ist wissenschaftlicher Oberrat und Hannes Grunert wissenschaftlicher Mitarbeiter an der Universität Rostock.
Alice and Bob Learn Application Security
LEARN APPLICATION SECURITY FROM THE VERY START, WITH THIS COMPREHENSIVE AND APPROACHABLE GUIDE!Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.Topics include:* Secure requirements, design, coding, and deployment* Security Testing (all forms)* Common Pitfalls* Application Security Programs* Securing Modern Applications* Software Developer Security HygieneAlice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.TANYA JANCA, also known as SheHacksPurple, is the founder of We Hack Purple, an online learning academy dedicated to teaching everyone how to create secure software. With over twenty years of IT and coding experience, she has won numerous awards and worked as a developer, pentester, and AppSec Engineer. She was named Hacker of the Year by the Cybersecurity Woman of the Year 2019 Awards and is the Founder of WoSEC International, #CyberMentoringMonday, and OWASP DevSlop.Foreword xxiIntroduction xxiiiPART I WHAT YOU MUST KNOW TO WRITE CODE SAFE ENOUGH TO PUT ON THE INTERNET 1CHAPTER 1 SECURITY FUNDAMENTALS 3The Security Mandate: CIA 3Confidentiality 4Integrity 5Availability 5Assume Breach 7Insider Threats 8Defense in Depth 9Least Privilege 11Supply Chain Security 11Security by Obscurity 13Attack Surface Reduction 14Hard Coding 15Never Trust, Always Verify 15Usable Security 17Factors of Authentication 18Exercises 20CHAPTER 2 SECURITY REQUIREMENTS 21Requirements 22Encryption 23Never Trust System Input 24Encoding and Escaping 28Third-Party Components 29Security Headers: Seatbelts for Web Apps 31Security Headers in Action 32X-XSS-Protection 32Content-Security-Policy (CSP) 32X-Frame-Options 35X-Content-Type-Options 36Referrer-Policy 36Strict-Transport-Security (HSTS) 37Feature-Policy 38X-Permitted-Cross-Domain-Policies 39Expect-CT 39Public Key Pinning Extension for HTTP (HPKP) 41Securing Your Cookies 42The Secure Flag 42The HttpOnly Flag 42Persistence 43Domain 43Path 44Same-Site 44Cookie Prefixes 45Data Privacy 45Data Classification 45Passwords, Storage, and Other Important Decisions 46HTTPS Everywhere 52TLS Settings 53Comments 54Backup and Rollback 54Framework Security Features 54Technical Debt = Security Debt 55File Uploads 56Errors and Logging 57Input Validation and Sanitization 58Authorization and Authentication 59Parameterized Queries 59URL Parameters 60Least Privilege 60Requirements Checklist 61Exercises 63CHAPTER 3 SECURE DESIGN 65Design Flaw vs. Security Bug 66Discovering a Flaw Late 67Pushing Left 68Secure Design Concepts 68Protecting Sensitive Data 68Never Trust, Always Verify/Zero Trust/Assume Breach 70Backup and Rollback 71Server-Side Security Validation 73Framework Security Features 74Security Function Isolation 74Application Partitioning 75Secret Management 76Re-authentication for Transactions (Avoiding CSRF) 76Segregation of Production Data 77Protection of Source Code 77Threat Modeling 78Exercises 82CHAPTER 4 SECURE CODE 83Selecting Your Framework and Programming Language 83Example #1 85Example #2 85Example #3 86Programming Languages and Frameworks: The Rule 87Untrusted Data 87HTTP Verbs 89Identity 90Session Management 91Bounds Checking 93Authentication (AuthN) 94Authorization (AuthZ) 96Error Handling, Logging, and Monitoring 99Rules for Errors 100Logging 100Monitoring 101Exercises 103CHAPTER 5 COMMON PITFALLS 105OWASP 105Defenses and Vulnerabilities Not Previously Covered 109Cross-Site Request Forgery 110Server-Side Request Forgery 112Deserialization 114Race Conditions 115Closing Comments 117Exercises 117PART II WHAT YOU SHOULD DO TO CREATE VERY GOOD CODE 119CHAPTER 6 TESTING AND DEPLOYMENT 121Testing Your Code 121Code Review 122Static Application Security Testing (SAST) 123Software Composition Analysis (SCA) 125Unit Tests 126Infrastructure as Code (IaC) and Security as Code (SaC) 128Testing Your Application 129Manual Testing 130Browsers 131Developer Tools 131Web Proxies 132Fuzzing 133Dynamic Application Security Testing (DAST) 133VA/Security Assessment/PenTest 135Testing Your Infrastructure 141Testing Your Database 141Testing Your APIs and Web Services 142Testing Your Integrations 143Testing Your Network 144Deployment 145Editing Code Live on a Server 146Publishing from an IDE 146“Homemade” Deployment Systems 147Run Books 148Contiguous Integration/Continuous Delivery/Continuous Deployment 148Exercises 149CHAPTER 7 AN APPSEC PROGRAM 151Application Security Program Goals 152Creating and Maintaining an Application Inventory 153Capability to Find Vulnerabilities in Written, Running, and Third-Party Code 153Knowledge and Resources to Fix the Vulnerabilities 154Education and Reference Materials 155Providing Developers with Security Tools 155Having One or More Security Activities During Each Phase of Your SDLC 156Implementing Useful and Effective Tooling 157An Incident Response Team That Knows When to Call You 157Continuously Improve Your Program Based on Metrics, Experimentation, and Feedback 159Metrics 159Experimentation 161Feedback from Any and All Stakeholders 161A Special Note on DevOps and Agile 162Application Security Activities 162Application Security Tools 164Your Application Security Program 165Exercises 166CHAPTER 8 SECURING MODERN APPLICATIONS AND SYSTEMS 167APIs and Microservices 168Online Storage 171Containers and Orchestration 172Serverless 174Infrastructure as Code (IaC) 175Security as Code (SaC) 177Platform as a Service (PaaS) 178Infrastructure as a Service (IaaS) 179Continuous Integration/Delivery/Deployment 180Dev(Sec)Ops 180DevSecOps 182The Cloud 183Cloud Computing 183Cloud Native 184Cloud Native Security 185Cloud Workflows 185Modern Tooling 186IAST Interactive Application Security Testing 186Runtime Application Security Protection 187File Integrity Monitoring 187Application Control Tools (Approved Software Lists) 187Security Tools Created for DevOps Pipelines 188Application Inventory Tools 188Least Privilege and Other Policy Automation 189Modern Tactics 189Summary 191Exercises 191PART III HELPFUL INFORMATION ON HOW TO CONTINUE TO CREATE VERY GOOD CODE 193CHAPTER 9 GOOD HABITS 195Password Management 196Remove Password Complexity Rules 196Use a Password Manager 197Passphrases 198Don’t Reuse Passwords 198Do Not Implement Password Rotation 199Multi-Factor Authentication 199Incident Response 200Fire Drills 201Continuous Scanning 202Technical Debt 202Inventory 203Other Good Habits 204Policies 204Downloads and Devices 204Lock Your Machine 204Privacy 205Summary 206Exercises 206CHAPTER 10 CONTINUOUS LEARNING 207What to Learn 208Offensive = Defensive 208Don’t Forget Soft Skills 208Leadership != Management 209Learning Options 209Accountability 212Create Your Plan 213Take Action 214Exercises 214Learning Plan 216CHAPTER 11 CLOSING THOUGHTS 217Lingering Questions 218When Have You Done Enough? 218How Do You Get Management on Board? 220How Do You Get Developers on Board? 221Where Do You Start? 222Where Do You Get Help? 223Conclusion 223APPENDIX A RESOURCES 225Introduction 225Chapter 1: Security Fundamentals 225Chapter 2: Security Requirements 226Chapter 3: Secure Design 227Chapter 4: Secure Code 228Chapter 5: Common Pitfalls 228Chapter 6: Testing and Deployment 229Chapter 7: An AppSec Program 229Chapter 8: Securing Modern Applications and Systems 230Chapter 9: Good Habits 231Chapter 10: Continuous Learning 231APPENDIX B ANSWER KEY 233Chapter 1: Security Fundamentals 233Chapter 2: Security Requirements 235Chapter 3: Secure Design 236Chapter 4: Secure Code 238Chapter 5: Common Pitfalls 241Chapter 6: Testing and Deployment 242Chapter 7: An AppSec Program 244Chapter 8: Securing Modern Applications and Systems 245Chapter 9: Good Habits 247Chapter 10: Continuous Learning 248Index 249
Smart Mobility
MIT DIESEM BUCH GELINGT DER EINSTIEG IN DAS TRENDTHEMA „SMART MOBILITY“Dieses Buch bietet Ihnen einen umfassenden Zugang zum aktuellen Trendthema Smart Mobility. Die thematisch vielfältigen Beiträge maßgeblicher Expertinnen und Experten – zusammengetragen von Herausgeberin Barbara Flügge – beleuchten u. a. folgende Schwerpunkte:• Sozio-ökologische und sozio-ökonomische Aspekte der Mobilität• Die Anforderungen von Anbietern und Nachfragern• Mobilitätsansprüche ganzer Ökosysteme (Stadt, Land und Ballungsräume)• Anwendbarkeit digitaler Lösungen für die Lebensbereiche jedes EinzelnenMit diesem Setup setzt das Buch wirkungsvoll die Ausgangssituation in der Smart Mobility in den Kontext von unterschiedlichsten Nutzungsszenarien und Initiativen. Die Beiträge erläutern einzelne Bausteine Intelligenter Mobilität (BIM) und Vorgehensmodelle. Zudem liefert Ihnen dieses Herausgeberwerk zahlreiche praxisorientierte Handlungsempfehlungen und Best Practices, die Ihnen die Analyse-, Planungs- und Umsetzungsphasen von Mobilitätsvorhaben erleichtern.Damit richtet sich dieses Buch über Smart Mobility in erster Linie an:a) Chief Digital Officersb) Entscheider in öffentlichen Verwaltungen und in der Privatwirtschaftc) Innovationstreiber und Entrepreneure aus der Praxisd) Projektleiter und -mitarbeiter – sei es im Personen- oder FrachtverkehrDIE GEGENWART UND ZUKUNFT IM BLICKUm Ihnen den Einstieg zu erleichtern, geben Ihnen die Beiträge zunächst einen Überblick über das große Themenfeld der Smart Mobility. Hier erfahren Sie, welche Vorgehensweisen sich zur Bewertung von Mobilität eignen, wodurch sich das Kauf- und Nutzverhalten im Personenverkehr heutzutage auszeichnet und wie Sie ein sicheres sowie nachhaltiges Verkehrsmanagement gestalten können. Weitere inhaltliche Schwerpunkte dieses Buchs sind:• Indoor- und Outdoor-Navigation in Smart Mobility-Szenarien• Inter- und multimodale Routenplanung• Smart Ticketing• Mobilitätsrelevante Diagnostik• Bausteine Intelligenter Mobilität für die Zukunft• Das Smart Mobility VorgehensmodellEIN UMFASSENDES GRUNDLAGENWERKMit der zweiten aktualisierten Auflage bringt Ihnen dieses Buch den Themenkomplex der Smart Mobility anschaulich und nachvollziehbar näher. Die inhaltliche Mischung aus theoretischem Basiswissen sowie aktuellen Trends (wie z. B. Mega Cities oder Zero Traffic) und hilfreichen Checklisten machen dieses Werk zu einem nachvollziehbaren und anschaulichen Grundlagenwerk für alle Themeninteressierten. BARBARA FLÜGGE, Gründerin der digital value creators (DVC) GmbH, erarbeitet Transformationsstrategien unter Einsatz digitaler Technologien und Services und setzt diese mit Entscheidern und Belegschaft in physischen, digitalen und virtuellen Räumen um. Das Beratungsangebot öffnet Märkte für private und öffentliche Auftraggeber unabhängig von Größe und Industriefokus. Durch Konsensfindung, dem Service Design Modell und dem Ecosystems Thinking Ansatz von DVC gelingen nachhaltige Smart Cities und Smart Mobility Vorhaben.Trendthema Smart Mobility - Mobil im digitalen Ökosystem - Smart Mobility im Einsatz - Die Zukunft der Mobilität - Handlungsempfehlungen
Hacking
* METHODEN UND TOOLS DER HACKER, CYBERKRIMINELLEN UND PENETRATION TESTER* MIT ZAHLREICHEN SCHRITT-FÜR-SCHRITT-ANLEITUNGEN UND PRAXIS-WORKSHOPS* INKLUSIVE VORBEREITUNG AUF DEN CERTIFIED ETHICAL HACKER (CEHV10) MIT BEISPIELFRAGEN ZUM LERNENDies ist ein praxisorientierter Leitfaden für angehende Hacker, Penetration Tester, IT-Systembeauftragte, Sicherheitsspezialisten und interessierte Poweruser. Mithilfe vieler Workshops, Schritt-für-Schritt-Anleitungen sowie Tipps und Tricks lernen Sie unter anderem die Werkzeuge und Mittel der Hacker und Penetration Tester sowie die Vorgehensweise eines professionellen Hacking-Angriffs kennen. Der Fokus liegt auf der Perspektive des Angreifers und auf den Angriffstechniken, die jeder Penetration Tester kennen muss.Dabei erläutern die Autoren für alle Angriffe auch effektive Gegenmaßnahmen. So gibt dieses Buch Ihnen zugleich auch schrittweise alle Mittel und Informationen an die Hand, um Ihre Systeme auf Herz und Nieren zu prüfen, Schwachstellen zu erkennen und sich vor Angriffen effektiv zu schützen.Das Buch umfasst nahezu alle relevanten Hacking-Themen und besteht aus sechs Teilen zu den Themen: Arbeitsumgebung, Informationsbeschaffung, Systeme angreifen, Netzwerk- und sonstige Angriffe, Web Hacking sowie Angriffe auf WLAN und Next-Gen-Technologien.Jedes Thema wird systematisch erläutert. Dabei werden sowohl die Hintergründe und die zugrundeliegenden Technologien als auch praktische Beispiele in konkreten Szenarien besprochen. So haben Sie die Möglichkeit, die Angriffstechniken selbst zu erleben und zu üben. Das Buch ist als Lehrbuch konzipiert, eignet sich aber auch als Nachschlagewerk.Sowohl der Inhalt als auch die Methodik orientieren sich an der Zertifizierung zum Certified Ethical Hacker (CEHv10) des EC Council. Testfragen am Ende jedes Kapitels helfen dabei, das eigene Wissen zu überprüfen und für die CEH-Prüfung zu trainieren. Damit eignet sich das Buch hervorragend als ergänzendes Material zur Prüfungsvorbereitung.AUS DEM INHALT:* Aufbau einer Hacking-Laborumgebung* Einführung in Kali Linux als Hacking-Plattform* Sicher und anonym im Internet kommunizieren* Reconnaissance (Informationsbeschaffung)* Vulnerability-Scanning* Password Hacking* Bind und Reverse Shells* Mit Malware das System übernehmen* Spuren verwischen* Lauschangriffe und Man-in-the-Middle* Social Engineering* Web- und WLAN-Hacking* Angriffe auf IoT-Systeme* Cloud-Hacking und -Security* Durchführen von PenetrationstestsEric Amberg ist selbstständiger Experte für IT-Netzwerke und -Sicherheit und hat in den letzten 20 Jahren zahlreiche Projekte aller Größenordnungen durchgeführt. Seine große Leidenschaft ist die Wissensvermittlung, die er in Büchern, Magazinen und insbesondere Videotrainings stets praxisnah und lebendig präsentiert. Eric verfügt über zahlreiche Zertifizierungen, unter anderem CEHv10, CISSP, CCNP Security, LPIC-2 und ist zertifizierter Cisco-Trainer (CSI # 34318).Daniel Schmid ist bei einem großen Energiekonzern im Bereich Netzwerke und Security tätig. Als Projektleiter für diverse große, teils internationale Projekte hat er in über 10 Jahren viel Erfahrung in der Planung und Implementation sicherheitskritischer Infrastruktur gesammelt und hat dabei seine Leidenschaft für das Thema "Hacking und Penetration Testing" entdeckt.Eric und Daniel haben bereits viele gemeinsame Projekte erfolgreich umgesetzt und sind die Gründer der Hacking-Akademie (https://hacking-akademie.de).
Serverless Security
Apply the basics of security in serverless computing to new or existing projects. This hands-on guide provides practical examples and fundamentals. You will apply these fundamentals in all aspects of serverless computing: improving the code, securing the application, and protecting the infrastructure. You will come away having security knowledge that enables you to secure a project you are supporting and have technical conversations with cybersecurity personnel.At a time when there are many news stories on cybersecurity breaches, it is crucial to think about security in your applications. It is tempting to believe that having a third-party host the entire computing platform will increase security. This book shows you why cybersecurity is the responsibility of everyone working on the project.WHAT YOU WILL LEARN* Gain a deeper understanding of cybersecurity in serverless computing* Know how to use free and open source tools (such as the Node Package Manager, ESLint, and VSCode) to reduce vulnerabilities in your application code* Assess potential threats from event triggers in your serverless functions* Understand security best practices in serverless computing* Develop an agnostic security architecture while reducing risk from vendor-specific infrastructureWHO THIS BOOK IS FORDevelopers or security engineers looking to expand their current knowledge of traditional cybersecurity into serverless computing projects. Individuals just beginning in serverless computing and cybersecurity can apply the concepts in this book in their projects.MIGUEL CALLES is a freelance cybersecurity content writer. He has an information assurance certification, and works as an engineer on a serverless project. He started in cybersecurity in 2016 for a US government contract, and has been doing technical writing since 2007, and has worked in various engineering roles since 2004. Miguel started his interest in cybersecurity when he was in middle school and was trying to backward engineer websites.INTRODUCTIONPART I: THE NEED FOR SECURITYCHAPTER 1: DETERMINING SCOPEUnderstanding the ApplicationScopingCHAPTER 2: PERFORMING A RISK ASSESSMENTUnderstanding the Threat LandscapeThreat ModelingPreparing the Risk AssessmentPart II: Securing the ApplicationCHAPTER 3: SECURING THE CODEAssessing DependenciesUsing Static Code Analysis ToolsWriting Unit TestsCHAPTER 4: SECURING THE INTERFACESIdentifying the InterfacesDetermining the Interface InputsReducing the Attack SurfaceCHAPTER 5: SECURING THE CODE REPOSITORYUsing a Code RepositoryLimiting Saved ContentPART III: SECURING THE INFRASTRUCTURECHAPTER 5: RESTRICTING PERMISSIONSUnderstanding PermissionsIdentifying the ServicesUpdating the PermissionsCHAPTER 6: ACCOUNT MANAGEMENTUnderstanding Account AccessRestricting Account AccessImplementing Multi-Factor AuthenticationUsing SecretsPART IV: MONITORING AND ALERTINGCHAPTER 7: MONITORING LOGSUnderstanding Logging MethodsReviewing LogsCHAPTER 8: MONITORING METRICSUnderstanding MetricsReviewing MetricsCHAPTER 9: MONITORING BILLINGUnderstanding BillingReviewing BillingCHAPTER 10: MONITORING SECURITY EVENTSUnderstanding Security EventsReviewing Security EventCHAPTER 10: ALERTINGUnderstanding AlertingImplementing AlertingCHAPTER 11: AUDITINGUnderstanding AuditingImplementing AuditingPART V: SECURITY ASSESSMENT AND REPORTCHAPTER 12: FINALIZING THE RISK ASSESSMENTScoring the Identified RisksDefining the Mitigation StepsAssessing the Business ImpactDetermining the Overall Security Risk Level
Learn Android Studio 4
Build and deploy your Java-based Android apps using the popular and efficient Android Studio 4 suite of tools, an integrated development environment (IDE) for today's Android developers. With this book, you’ll learn the latest and most productive tools in the Android tools ecosystem, ensuring quick Android app development and minimal effort on your part.Among these tools, you'll use the new Android Studio 4 features, including an upgraded CPU profiler UI, a new build speed window, the multi-preview feature, and the live layout inspector.After reading and using this book, you'll be able to efficiently build complete Java-based Android apps that run on any Android smartphone, tablet, smart watch and more. You’ll also be able to publish those apps and sell them online and in the Google Play store.WHAT YOU WILL LEARN* Use Android Studio 4 to quickly and confidently build your first Android apps* Build an Android user interface using activities and layouts, event handling, images, menus, and the action bar* Work with new tools in Android Studio 4: Jetpack compose support, a smart editor for ProGuard rules, a new motion layout editor, a new Android Gradle plugin, and a fragment wizard with new fragment templates * Integrate data with data persistence * Access the cloud WHO THIS BOOK IS FORThose who may be new to Android Studio 4 or Android Studio in general. You may or may not be new to Android development. Some prior experience with Java is recommended.Ted Hagos is currently heading the software development group of a Dublin-based software development company. He is a certified Java programmer and enterprise architect. He has over 15 years of software development experience, and many years of experience in corporate training. He held a post as instructor in IBM Advanced Career Education, Ateneo ITI and Asia Pacific College, and has trained hundreds of programmers in various languages and platforms.1. Overview2. Android Studio3. Project Basics4. Android Studio IDE5. Android Programming Basics6. Activities and Layouts7. Event Handling8. Intents9. Fragments10. Navigation Components11. Running in the background12. Debugging13. Testing14. Working with Files15. BroadcastReceivers16. Jetpack LiveData, ViewModel, LiveData and Room17. App Distribution18. Appendix : Java Refresher
Programmieren ganz einfach
So leicht kann Programmieren sein! Der ultimative Einstieg in die Welt des Programmierens! Dieses Programmier-Buch führt Sie mit anschaulichen Anleitungen, Grafiken & benutzerfreundlichen Bausteinen Schritt für Schritt in die wichtigsten Programmiersprachen ein – ob Python oder Scratch. In praktischen Projekten bauen Sie Webseiten, programmieren Spiele, designen Apps, arbeiten mit Raspberry Pi und lernen die gängigen Fachbegriffe wie Algorithmus & Variable – mit leicht verständlichen Erklärungen. Basis-Wissen rund ums Programmieren: • Die wichtigsten Programmiersprachen: Ob Sie HTML oder Scratch nutzen, Python oder Java lernen möchten – diese Sprachen werden anschaulich und leicht verständlich erklärt. • Programmieren lernen Schritt-für-Schritt: Vom Spiel bis zur Website – in detaillierten Projekten mit einfachen Anleitungen setzen Sie das Gelernte in die Praxis um und lernen so die Hauptanwendungen jeder Programmiersprache kennen. Informationen zum Lernziel vermitteln die benötigte Zeit sowie den Schwierigkeitsgrad. Symbole, farbige Fenster mit Rastern und Ablaufpläne, die die Programmstruktur erklären, leiten durch die Projekte. • Visuelle & leicht verständliche Aufbereitung: Durch Einteilung in benutzerfreundliche Bausteine und grafische Erklärungen werden selbst komplexe Zusammenhänge begreifbar gemacht.
Creating Good Data
Create good data from the start, rather than fixing it after it is collected. By following the guidelines in this book, you will be able to conduct more effective analyses and produce timely presentations of research data.Data analysts are often presented with datasets for exploration and study that are poorly designed, leading to difficulties in interpretation and to delays in producing meaningful results. Much data analytics training focuses on how to clean and transform datasets before serious analyses can even be started. Inappropriate or confusing representations, unit of measurement choices, coding errors, missing values, outliers, etc., can be avoided by using good dataset design and by understanding how data types determine the kinds of analyses which can be performed.This book discusses the principles and best practices of dataset creation, and covers basic data types and their related appropriate statistics and visualizations. A key focus of the book is why certain data types are chosen for representing concepts and measurements, in contrast to the typical discussions of how to analyze a specific data type once it has been selected.WHAT YOU WILL LEARN* Be aware of the principles of creating and collecting data* Know the basic data types and representations* Select data types, anticipating analysis goals* Understand dataset structures and practices for analyzing and sharing* Be guided by examples and use cases (good and bad)* Use cleaning tools and methods to create good dataWHO THIS BOOK IS FORResearchers who design studies and collect data and subsequently conduct and report the results of their analyses can use the best practices in this book to produce better descriptions and interpretations of their work. In addition, data analysts who explore and explain data of other researchers will be able to create better datasets.HARRY J. FOXWELL is a professor. He teaches graduate data analytics courses at George Mason University in the department of Information Sciences and Technology and he designed the data analytics curricula for his university courses. He draws on his decades of experience as Principal System Engineer for Oracle and for other major IT companies to help his students understand the concepts, tools, and practices of big data projects. He is co-author of several books on operating systems administration. He is a US Army combat veteran, having served in Vietnam as a Platoon Sergeant in the First Infantry Division. He lives in Fairfax, Virginia with his wife Eileen and two bothersome cats.INTRODUCTIONGoal: The problem of dataset cleaning and why better design is neededWho this book is forCHAPTER 1: BASIC DATA TYPESGoal: understanding data typesNominal, ordinal, interval, ratio, otherHow/why to choose specific representationsCHAPTER 2: PLANNING YOUR DATA COLLECTIONGoal: preventive action, avoiding data creation errorsAnticipating your required analysisThe goals of descriptive statistics and visualizationsThe goals of relationship statistics and visualizationsIndependent and dependent variablesCHAPTER 3: DATASET STRUCTURESGoal: Understanding how to structure/store dataTypes of datasets.csv, SQL, Excel, Web, JSON,Sharing data (open formats)Managing datasetsCHAPTER 4: DATA COLLECTION ISSUESGoal: Understanding how to collect dataUnderstand and avoid BiasSamplingCHAPTER 5: EXAMPLES AND USE CASESGoal: Illustrate good & not so good datasetsCHAPTER 6: TOOLS FOR DATASET CLEANINGGoal: still need some data cleanup? here’s some helpData cleaning using R, Python, commercial tools (e.g., Tableau)ANNOTATED REFERENCESGoal: include helpful data design and cleaning references
Empower Decision Makers with SAP Analytics Cloud
Discover the capabilities and features of SAP Analytics Cloud to draw actionable insights from a variety of data, as well as the functionality that enables you to meet typical business challenges. With this book, you will work with SAC and enable key decision makers within your enterprise to deliver crucial business decisions driven by data and key performance indicators. Along the way you’ll see how SAP has built a strong repertoire of analytics products and how SAC helps you analyze data to derive better business solutions.This book begins by covering the current trends in analytics and how SAP is re-shaping its solutions. Next, you will learn to analyze a typical business scenario and map expectations to the analytics solution including delivery via a single platform. Further, you will see how SAC as a solution meets each of the user expectations, starting with creation of a platform for sourcing data from multiple sources, enabling self-service for a spectrum of business roles, across time zones and devices. There’s a chapter on advanced capabilities of predictive analytics and custom analytical applications. Later there are chapters explaining the security aspects and their technical features before concluding with a chapter on SAP’s roadmap for SAC.Empower Decision Makers with SAP Analytics Cloud takes a unique approach of facilitating learning SAP Analytics Cloud by resolving the typical business challenges of an enterprise. These business expectations are mapped to specific features and capabilities of SAC, while covering its technical architecture block by block.WHAT YOU WILL LEARN* Work with the features and capabilities of SAP Analytics Cloud* Analyze the requirements of a modern decision-support systemUse the features of SAC that make it a single platform for decision support in a modern enterprise. * See how SAC provides a secure and scalable platform hosted on the cloud WHO THIS BOOK IS FOREnterprise architects, SAP BI analytic solution architects, and developers.VINAYAK is a seasoned analytics consultant with experience across multiple business domains and roles. As senior architect at Tata Consultancy Services Ltd., Vinayak has been engaged in technology consulting and architecting solutions across the SAP analytics portfolio for Fortune 500 firms. He has been instrumental in building, mentoring, and enabling teams delivering complex digital transformations for global clients. Passionate about technology, Vinayak regularly publishes articles and technical papers with well-known publications. He is also an active contributor to the SAP community and regularly publishes blogs on technologies in the SAP analytics portfolio.SHREEKANT is a senior management professional with expertise on leading and managing business functions and technology consulting. He established and developed business units for Fortune 500 firms, namely the public service business for the world’s leading professional services company, launched the Shell Gas business in India for a JV of Shell. Shreekant grew the SAP technology business for Tata Consultancy Services Ltd. by winning strategic clients in new and existing geographies, creating innovative service offerings. He played a critical part in multiple transformation programs for Bharat Petroleum Corporation Ltd. He has mentored authors, published best seller books and white papers on technology, and has patents on technology and service delivery. He specializes in realizing concepts to their value-creation stage, innovation and transformation, and building organizations.CHAPTER 1: CURRENT TRENDS IN ANALYTICS AND SAP’S ROAD MAPChapter Goal: To understand the latest trends in analytics and how SAP is adapting to these trends. To understand SAP’s digital core and how analytics forms a pillar of the methodology.CHAPTER 2: BUSINESS SCENARIO FOR ANALYTICS LANDSCAPE TRANSFORMATIONChapter Goal: To understand a real-world scenario of an enterprise which is planning to upgrade its traditional business intelligence to a modern analytics landscape.SUB TOPICS:Customer introductionCustomer’s current landscape and pain pointsCustomer’s expectation from analytics landscapeExpected landscapeCHAPTER 3: SAC FOR ENABLING “SINGLE VERSION OF TRUTH”Chapter Goal: Understand how SAP Analytics Cloud enables a single platform for multiple data sources to come together for analysis.SUB TOPICS:Analysis of customer requirementAlignment to specific SAP Analytics Cloud capabilityStep by step process to implement the capabilityCustomer benefits and future directionCHAPTER 4: LEVERAGE SAC TO CREATE “ALL-IN-ONE” ANALYTICS PLATFORMChapter Goal: SAC enables analytics for multiple business roles in an organization with options for 360 degree dashboards to self service data analysis to planning. This chapter explores these capabilities in detail.SUB TOPICS:Analysis of customer requirementAlignment to specific SAP Analytics Cloud capabilityStep by step process to implement the capabilityCustomer benefits and future directionCHAPTER 5: EXPLOIT “AUGMENTED ANALYTICS” CAPABILITY OF SACChapter Goal: SAC enables self-service with augmented analytics like search to insight and multiple smart features. This chapter explores each of these concepts in detail along with benefits of each feature.SUB TOPICS:Analysis of customer requirementAlignment to specific SAP Analytics Cloud capabilityStep by step process to implement the capabilityCustomer benefits and future directionCHAPTER 6: DEVELOP SAC FOR “ANYTIME AVAILABLE” PLATFORMChapter Goal: One of the advantages of cloud application is the accessibility in addition to the freedom from maintaining costly infrastructure. This chapter explores how SAC is available across time zones and across devices.SUB TOPICS:Analysis of customer requirementAlignment to specific SAP Analytics Cloud capabilityStep by step process to implement the capabilityCustomer benefits and future directionCHAPTER 7: CAPITALIZE ON “PREDICTIVE ANALYTICS” CAPABILITY THROUGH SACChapter Goal: SAC includes built in capabilities to create predictive models and incorporate predictive analytics in data analysis and dashboards. This chapter explores this capability in detail.SUB TOPICS:Analysis of customer requirementAlignment to specific SAP Analytics Cloud capabilityStep by step process to implement the capabilityCustomer benefits and future directionCHAPTER 8: CRAFT SPECIAL BUSINESS REQUIREMENTS ON SAC VIA CUSTOM APPLICATION DESIGNChapter Goal: One of the recently added capability is to build custom applications using a scripting language very similar to JavaScript. This enables developers to create custom apps and make them available for the business. This capability is the focus of this chapterSUB TOPICS:Analysis of customer requirementAlignment to specific SAP Analytics Cloud capabilityStep by step process to implement the capabilityCustomer benefits and future directionCHAPTER 9: DESIGN A SECURE PLATFORM USING SACChapter Goal: Especially with cloud applications, security is always a major concern in terms of data protection and authenticated access. This chapter explores SAC’s security capabilities in terms of data and application access.SUB TOPICS:Analysis of customer requirementAlignment to specific SAP Analytics Cloud capabilityStep by step process to implement the capabilityCustomer benefits and future directionCHAPTER 10: PRODUCT ROAD MAP & FUTURE DIRECTION FOR SACChapter Goal: This chapter explores the future road map of SAC and how SAP’s direction for the toolAppendix AAppendix B
SAP Business One
Umfassend und randvoll mit praxistauglichen Anleitungen: Diese 5. Auflage zeigt Ihnen, wie Sie SAP Business One 10.0 in Ihrer täglichen Arbeit effizient nutzen. Ob Einkauf, Vertrieb, Service, Lager, Produktion und MRP oder Buchhaltung und HR – Helmut Hochberger und Robert Mayerhofer führen Sie durch alle relevanten Prozesse und Funktionen. Zahlreiche Beispiele und Übungen unterstützen Sie bei der Umsetzung. Aus dem Inhalt: Grundlagen und NavigationStammdatenEinkauf (Materialwirtschaft)Verkauf (Sales)LagerverwaltungProduktionsplanungMaterialbedarfsplanung (Material Requirements Planning)RessourcenRahmenverträgeFinanzwesen und BankenabwicklungPersonal (Human Resources, HR)Vertrieb und ServiceKampagnenmanagementProjektmanagement 1. Wie können Sie mit diesem Buch arbeiten? ... 17 1.1 ... Übersicht ... 17 1.2 ... An wen richtet sich dieses Buch? ... 20 1.3 ... Methoden ... 23 1.4 ... Informationen - Übungsaufgaben ... 26 1.5 ... Einstieg in SAP Business One - Zusatzmaterial ... 27 2. Einführung in SAP Business One ... 29 2.1 ... Was ist SAP Business One? ... 29 2.2 ... Wer verwendet SAP Business One? ... 34 3. Grundlegende Programmbedienung ... 39 3.1 ... Installation, Einstieg und Firmenauswahl ... 39 3.2 ... Navigation ... 45 3.3 ... Navigation mit dem Cockpit (SQL-basierte Installationen) ... 51 3.4 ... Navigation mit dem Cockpit (SAP-HANA-basierte Installationen) ... 59 3.5 ... Weitere Bedienelemente ... 74 3.6 ... Mit Datensätzen arbeiten ... 79 3.7 ... Rechte Maustaste - mit dem Kontextmenü arbeiten ... 98 3.8 ... Allgemeine Einstellungen ... 100 3.9 ... Hilfefunktionen in SAP Business One ... 104 3.10 ... Übungsaufgaben ... 108 4. Stammdaten ... 111 4.1 ... Was sind Stammdaten? ... 111 4.2 ... Benutzer ... 112 4.3 ... Geschäftspartner ... 120 4.4 ... Zahlungsbedingungen ... 153 4.5 ... Aktivitäten ... 160 4.6 ... Artikel ... 169 4.7 ... Belegnummerierung ... 186 4.8 ... Unternehmensstammdaten ... 192 4.9 ... Berichte aus dem Bereich »Stammdaten« ... 194 4.10 ... Übungsaufgaben ... 196 5. Einkauf ... 199 5.1 ... Betriebswirtschaftliche Aspekte des Einkaufs ... 199 5.2 ... Der Beleg in SAP Business One ... 201 5.3 ... Wichtige Funktionen im Beleg ... 220 5.4 ... Belegkette im Einkauf ... 243 5.5 ... Bestellanforderung ... 262 5.6 ... Lieferantenanfrage ... 265 5.7 ... Berichte im Einkauf ... 272 5.8 ... Übungsaufgaben ... 278 6. Verkauf ... 281 6.1 ... Betriebswirtschaftliche Aspekte des Verkaufs ... 281 6.2 ... Vom Angebot bis zur Eingangszahlung ... 282 6.3 ... Berichte im Verkauf ... 326 6.4 ... Mahnwesen in SAP Business One ... 327 6.5 ... Übungsaufgaben ... 338 7. Lagerverwaltung ... 341 7.1 ... Betriebswirtschaftliche Aspekte der Lagerverwaltung ... 341 7.2 ... Lagerverwaltung in SAP Business One ... 342 7.3 ... Lagerbewertungsmethoden ... 347 7.4 ... Preisfindung in SAP Business One ... 359 7.5 ... Mengeneinheiten in SAP Business One ... 383 7.6 ... Katalognummern in SAP Business One ... 392 7.7 ... Verwaltung von Serien-/Chargennummern ... 397 7.8 ... Manuelle Bestandstransaktionen ... 408 7.9 ... Inventur ... 415 7.10 ... Lagerplätze ... 423 7.11 ... Bestandsberichte ... 434 7.12 ... Übungsaufgaben ... 441 8. Produktion ... 443 8.1 ... Der Produktionsprozess in SAP Business One ... 443 8.2 ... Vorbereitende Einstellungen ... 444 8.3 ... Varianten der Stückliste ... 448 8.4 ... Produktionsstammdaten: Stücklisten, Routenabschnitte, Ressourcen ... 453 8.5 ... Der Faktor »Zeit« in der Stückliste ... 472 8.6 ... Produktionsaufträge erzeugen ... 482 8.7 ... Seriennummern und Chargen einbinden ... 505 8.8 ... Standardkostenmanagement ... 509 8.9 ... Weitere Funktionen der Produktion ... 514 8.10 ... Produktionsberichte ... 522 9. Materialbedarfsplanung ... 525 9.1 ... Voraussetzungen und Vorbereitung ... 526 9.2 ... Grundsatzentscheidungen ... 555 9.3 ... Dispositionsassistent ... 564 9.4 ... Auftragsempfehlung ... 584 9.5 ... Ergebnisse der Materialbedarfsplanung ... 587 9.6 ... Übungsaufgaben ... 589 10. Ressourcen ... 591 10.1 ... Einbettung der Ressourcen in SAP Business One ... 592 10.2 ... Einstellungen zu Ressourcen ... 592 10.3 ... Ressourcenstammdaten und Ressourcenkapazität ... 600 10.4 ... Verwendung von Ressourcen ... 618 10.5 ... Übungsaufgaben ... 620 11. Rahmenverträge ... 623 11.1 ... Rahmenvertrag anlegen ... 623 11.2 ... Rahmenvertrag erfüllen ... 633 11.3 ... Bericht zu einem Rahmenvertrag ... 638 12. Finanzwesen ... 639 12.1 ... Kontenplan ... 639 12.2 ... Buchungskreislauf in SAP Business One ... 650 12.3 ... Journalbuchungen ... 661 12.4 ... Buchungsvorerfassung ... 673 12.5 ... Kontierungsmuster ... 674 12.6 ... Dauerbuchungen ... 677 12.7 ... Buchungen in Fremdwährung ... 680 12.8 ... Einbinden der Kostenrechnung ... 688 12.9 ... Finanzberichte ... 706 12.10 ... Übungsaufgaben ... 714 13. Bankenabwicklung ... 717 13.1 ... Stammdaten in der Bankenabwicklung ... 718 13.2 ... Eingangszahlungen und Ausgangszahlungen ... 720 13.3 ... Bankgebühren und Zinsen buchen ... 728 13.4 ... Zahlungsassistent und elektronischer Zahlungsverkehr ... 730 13.5 ... Abstimmung von Konten ... 743 13.6 ... Übungsaufgaben ... 746 14. Opportunities im Vertrieb ... 747 14.1 ... Vertriebliche Aspekte im Mittelstand ... 747 14.2 ... Opportunities definieren ... 748 14.3 ... Verkaufschancen verwalten ... 754 14.4 ... Opportunity-Berichte ... 762 14.5 ... Übungsaufgaben ... 769 15. Kampagnenmanagement ... 771 15.1 ... Kampagne planen ... 772 15.2 ... Kampagne durchführen ... 775 15.3 ... Kampagne verfolgen ... 781 15.4 ... Kampagnenberichte ... 784 15.5 ... Übungsaufgaben ... 785 16. Service ... 787 16.1 ... Servicevertrag als Grundlage ... 787 16.2 ... Serviceabruf als täglicher Kundenkontakt ... 793 16.3 ... Verwaltung der Geschäftspartnergeräte - Equipment-Stammdaten ... 810 16.4 ... Lösungsdatenbank als Nebenprodukt ... 812 16.5 ... Serviceberichte ... 815 16.6 ... Übungsaufgaben ... 819 17. Personal ... 821 17.1 ... Personaladministration in kleinen und mittleren Unternehmen ... 821 17.2 ... Mitarbeiterstammdaten ... 821 17.3 ... Arbeitszeitblatt ... 827 17.4 ... Berichte im Personalwesen ... 830 17.5 ... Übungsaufgaben ... 831 18. Projektmanagement ... 833 18.1 ... Projekte anlegen ... 833 18.2 ... Belegzuordnung mittels Assistent ... 853 18.3 ... Abrechnungsassistent ... 858 18.4 ... Teilprojekte verwenden ... 863 18.5 ... Projektberichte ... 864 19. Highlights in SAP Business One ... 869 19.1 ... Alarmfunktionen ... 869 19.2 ... Genehmigungsprozess ... 874 19.3 ... Drag & Relate ... 880 19.4 ... Aus SAP Business One exportieren ... 885 19.5 ... Anpassungsmöglichkeiten für den Benutzer ... 889 19.6 ... Änderungsprotokoll ... 896 19.7 ... Funktionen ausblenden ... 897 19.8 ... Konfigurierbares User Interface ... 898 19.9 ... Excel-Import nach SAP Business One ... 903 19.10 ... Alternative Tastaturbelegung ... 907 19.11 ... SAP Business One im Webbrowser ... 908 19.12 ... Datenschutzgrundverordnung (DSGVO) ... 911 19.13 ... 360°-Kundenansicht ... 921 19.14 ... Analytical Portal ... 924 19.15 ... Übungsaufgaben ... 928 A. SAP Business One kompakt ... 929 B. Neuerungen in SAP Business One ... 939 C. Die Autoren ... 947 Index ... 949
SAP-S/4HANA-Projekte erfolgreich managen
S/4HANA-Projekte haben es in sich! Darum ist es gut, die verschiedenen Projektphasen, Aufgaben und Werkzeuge genau zu kennen. Von der Vorbereitung über die Realisierung bis hin zum Go-Live begleitet Sie das Autorenteam Schritt für Schritt mit seiner Erfahrung. So wissen Sie, wo Fallstricke lauern können – und wie Sie diese einfach überspringen. Beispiele und Tipps aus dem Projektalltag unterstützen Sie dabei, Ihr SAP-Projekt gekonnt ans Ziel zu führen. Aktuell zur Migration auf SAP S/4HANA. Aus dem Inhalt: Discover, Prepare, Explore, Realize, Deploy, RunAnforderungen analysierenAufwände einschätzenProjektrisiken erkennenVon Erfahrungen aus realen Projekten profitierenHilfreiche Tools für das Projektmanagement kennenInternationale Roll-outs planenIhr Projektteam motivierenDen richtigen SAP-Berater findenDokumentationen erstellenTestaktivitäten planenQualitätssicherung durchführenDatenmigration und Go-live organisieren 1. Einleitung ... 15 1.1 ... Über dieses Buch ... 19 1.2 ... Exkurs: SAP-Lösungen - von den Anfängen bis heute ... 26 2. Was ein SAP-S/4HANA-Projekt so anders macht ... 45 2.1 ... Was IT-Projekte von der Unternehmenstransformation mit SAP unterscheidet ... 46 2.2 ... Projekt ist nicht gleich Projekt ... 50 2.3 ... Digitalisierung im Projektmanagement ... 60 2.4 ... Die Entscheidung für Software von SAP ... 70 2.5 ... Der Weg zu SAP S/4HANA ... 80 2.6 ... Fazit ... 104 3. Das SAP-S/4HANA-Projekt: Wie es sein sollte ... 107 3.1 ... Projektmanagementstandards, Methodik und Werkzeuge: ein Überblick ... 109 3.2 ... Das Projektmanagement-Einmaleins: PMI-Projektmanagementmethodik ... 113 3.3 ... Alles perfekt vorbereitet: die idealen Voraussetzungen ... 116 3.4 ... ASAP - die Mutter aller SAP-Methoden ... 119 3.5 ... SAP Launch: die Einführungsmethodik für die SAP-Cloud-Produkte ... 127 3.6 ... SAP Activate: das bessere ASAP ... 129 3.7 ... Tools zur Unterstützung von SAP Activate ... 138 4. Das SAP-S/4HANA-Projekt: Wie es tatsächlich ist ... 147 4.1 ... Phase 1: Discover (oder: Möglichkeiten sondieren) ... 148 4.2 ... Phase 2: Prepare (oder: das Projekt vorbereiten) ... 149 4.3 ... Phase 3: Explore (oder: Geschäftsprozesse abbilden) ... 157 4.4 ... Phase 4: Realize (oder: die Umsetzung) ... 162 4.5 ... Phase 5: Deploy (oder: die Produktivsetzung vorbereiten) ... 169 4.6 ... Phase 6: Run (oder: Go-live und Support) ... 171 4.7 ... Top-Flops im SAP-S/4HANA-Projekt ... 172 5. Der unterschätzte Erfolgsfaktor: der Mensch ... 177 5.1 ... Wer gehört zum Projektteam? ... 179 5.2 ... Die Bedeutung der Projektleitung ... 182 5.3 ... Qualifikation, persönliche Eignung und Verfügbarkeit der Projektmitglieder ... 192 5.4 ... Schlüsselfaktoren für gute Teamarbeit ... 201 5.5 ... Menschlichkeit, Machbarkeit und Motivation ... 207 5.6 ... Kommunikation als Erfolgsfaktor ... 220 5.7 ... Internationale Projektbesetzung - eine besondere Herausforderung ... 230 5.8 ... Auswirkung der Digitalisierung auf das Projektmanagement ... 234 6. Planung, Steuerung und Qualitätssicherung ... 239 6.1 ... Helfer in allen Lebenslagen: das Project Management Office ... 239 6.2 ... Projektplanung ... 243 6.3 ... Projektsteuerung ... 253 6.4 ... Qualitätssicherung ... 268 6.5 ... Planung, Steuerung und Qualitätssicherung in SAP-S/4HANA-Projekten ... 277 7. Beispiele aus realen SAP-S/4HANA-Projekten ... 289 7.1 ... Vorbereitung eines SAP-S/4HANA-Implementierungsprojekts ... 289 7.2 ... Einführung von SAP S/4HANA bei der ELKB ... 295 7.3 ... »Be liquid« - BITZERs agiler Weg zu SAP S/4HANA ... 310 7.4 ... Projekt zur Ablösung der globalen Beschaffungssysteme (Automobilindustrie) ... 320 7.5 ... Lessons Learned aus einem internationalen SAP-ECC-Projekt ... 330 8. Externe Ressourcen - Fluch und Segen ... 357 8.1 ... Wozu externe Hilfe? ... 358 8.2 ... So finden Sie die Richtigen ... 361 8.3 ... Werkleistungen oder Abrechnung nach Zeit- und Materialaufwand? ... 363 8.4 ... Rollenverteilung zwischen Auftraggeber*in und Berater*in ... 367 8.5 ... Die internen Externen ... 370 8.6 ... Ziele im Projekt ... 371 8.7 ... Projekte mit Offshore- oder Nearshore-Teams ... 373 9. Werkzeuge zur Projektunterstützung ... 381 9.1 ... Werkzeuge für das Projektmanagement ... 381 9.2 ... Werkzeuge für das Geschäftsprozessmanagement ... 392 9.3 ... Werkzeuge für das Testen ... 394 9.4 ... Werkzeuge zur Betriebsunterstützung und zur Softwarelogistik ... 399 9.5 ... Minimized Downtime Services ... 402 9.6 ... SAP S/4HANA Migration Cockpit ... 403 9.7 ... SAP Data Services ... 406 10. 12 Gebote für ein erfolgreiches SAP-Projekt ... 409 A. Glossar ... 413 B. Literaturverzeichnis ... 423 C. Das Autorenteam ... 429 Index ... 431
Hacking Multifactor Authentication
PROTECT YOUR ORGANIZATION FROM SCANDALOUSLY EASY-TO-HACK MFA SECURITY “SOLUTIONS”Multi-Factor Authentication (MFA) is spreading like wildfire across digital environments. However, hundreds of millions of dollars have been stolen from MFA-protected online accounts. How? Most people who use multifactor authentication (MFA) have been told that it is far less hackable than other types of authentication, or even that it is unhackable. You might be shocked to learn that all MFA solutions are actually easy to hack. That’s right: there is no perfectly safe MFA solution. In fact, most can be hacked at least five different ways. Hacking Multifactor Authentication will show you how MFA works behind the scenes and how poorly linked multi-step authentication steps allows MFA to be hacked and compromised.This book covers over two dozen ways that various MFA solutions can be hacked, including the methods (and defenses) common to all MFA solutions. You’ll learn about the various types of MFA solutions, their strengthens and weaknesses, and how to pick the best, most defensible MFA solution for your (or your customers') needs. Finally, this book reveals a simple method for quickly evaluating your existing MFA solutions. If using or developing a secure MFA solution is important to you, you need this book.* Learn how different types of multifactor authentication work behind the scenes* See how easy it is to hack MFA security solutions—no matter how secure they seem* Identify the strengths and weaknesses in your (or your customers’) existing MFA security and how to mitigateAuthor Roger Grimes is an internationally known security expert whose work on hacking MFA has generated significant buzz in the security world. Read this book to learn what decisions and preparations your organization needs to take to prevent losses from MFA hacking.ROGER A. GRIMES is a computer security professional and penetration tester with over three decades of experience. He's an internationally renowned consultant and was the IDG/InfoWorld/CSO magazine weekly columnist for fifteen years. He's a sought-after speaker who has given talks at major security industry events, including RSA, Black Hat, and TechMentor. INTRODUCTION XXVWho This Book is For xxviiWhat is Covered in This Book? xxviiMFA is Good xxxHow to Contact Wiley or the Author xxxiPART I INTRODUCTION 11 LOGON PROBLEMS 3It’s Bad Out There 3The Problem with Passwords 5Password Basics 9Identity 9The Password 10Password Registration 11Password Complexity 11Password Storage 12Password Authentication 13Password Policies 15Passwords Will Be with Us for a While 18Password Problems and Attacks 18Password Guessing 19Password Hash Cracking 23Password Stealing 27Passwords in Plain View 28Just Ask for It 29Password Hacking Defenses 30MFA Riding to the Rescue? 31Summary 322 AUTHENTICATION BASICS 33Authentication Life Cycle 34Identity 35Authentication 46Authorization 54Accounting/Auditing 54Standards 56Laws of Identity 56Authentication Problems in the Real World 57Summary 583 TYPES OF AUTHENTICATION 59Personal Recognition 59Knowledge-Based Authentication 60Passwords 60PINS 62Solving Puzzles 64Password Managers 69Single Sign-Ons and Proxies 71Cryptography 72Encryption 73Public Key Infrastructure 76Hashing 79Hardware Tokens 81One-Time Password Devices 81Physical Connection Devices 83Wireless 87Phone-Based 89Voice Authentication 89Phone Apps 89SMS 92Biometrics 92FIDO 93Federated Identities and APIs 94OAuth 94APIs 96Contextual/Adaptive 96Less Popular Methods 97Voiceover Radio 97Paper-Based 98Summary 994 USABILITY VS SECURITY 101What Does Usability Mean? 101We Don’t Really Want the Best Security 103Security Isn’t Usually Binary 105Too Secure 106Seven-Factor MFA 106Moving ATM Keypad Numbers 108Not as Worried as You Think About Hacking 109Unhackable Fallacy 110Unbreakable Oracle 113DJB 113Unhackable Quantum Cryptography 114We are Reactive Sheep 115Security Theater r 116Security by Obscurity 117MFA Will Cause Slowdowns 117MFA Will Cause Downtime 118No MFA Solution Works Everywhere 118Summary 119PART II HACKING MFA 1215 HACKING MFA IN GENERAL 123MFA Dependency Components 124Enrollment 125User 127Devices/Hardware 127Software 128API 129Authentication Factors 129Authentication Secrets Store 129Cryptography 130Technology 130Transmission/Network Channel 131Namespace 131Supporting Infrastructure 131Relying Party 132Federation/Proxies 132Alternate Authentication Methods/Recovery 132Migrations 133Deprovision 133MFA Component Conclusion 134Main Hacking Methods 134Technical Attacks 134Human Element 135Physical 137Two or More Hacking Methods Used 137“You Didn’t Hack the MFA!” 137How MFA Vulnerabilities are Found 138Threat Modeling 138Code Review 138Fuzz Testing 138Penetration Testing 139Vulnerability Scanning 139Human Testing 139Accidents 140Summary 1406 ACCESS CONTROL TOKEN TRICKS 141Access Token Basics 141Access Control Token General Hacks142Token Reproduction/Guessing 142Token Theft 145Reproducing Token Hack Examples 146Network Session Hijacking Techniques and Examples 149Firesheep 149MitM Attacks 150Access Control Token Attack Defenses 157Generate Random, Unguessable Session IDs 157Use Industry-Accepted Cryptography and Key Sizes 158Developers Should Follow Secure Coding Practices 159Use Secure Transmission Channels 159Include Timeout Protections 159Tie the Token to Specifi c Devices or Sites 159Summary 1617 ENDPOINT ATTACKS 163Endpoint Attack Risks 163General Endpoint Attacks 165Programming Attacks 165Physical Access Attacks 165What Can an Endpoint Attacker Do? 166Specifi c Endpoint Attack Examples 169Bancos Trojans 169Transaction Attacks 171Mobile Attacks 172Compromised MFA Keys 173Endpoint Attack Defenses 174MFA Developer Defenses 174End-User Defenses 177Summary 1798 SMS ATTACKS 181Introduction to SMS 181SS7 184Biggest SMS Weaknesses 186Example SMS Attacks 187SIM Swap Attacks 187SMS Impersonation 191SMS Buffer Overflow 194Cell Phone User Account Hijacking 195Attacks Against the Underlying Supporting Infrastructure 196Other SMS-Based Attacks 196SIM/SMS Attack Method Summary 197NIST Digital Identity Guidelines Warning 198Defenses to SMS-Based MFA Attacks 199Developer Defenses 199User Defenses 201Is RCS Here to Save Mobile Messaging? 202Is SMS-Based MFA Still Better than Passwords? 202Summary 2039 ONE-TIME PASSWORD ATTACKS 205Introduction to OTP 205Seed Value-Based OTPs 208HMAC-Based OTP 209Event-Based OTP 211TOTP 212Example OTP Attacks 217Phishing OTP Codes 217Poor OTP Creation 219OTP Theft, Re-Creation, and Reuse 219Stolen Seed Database 220Defenses to OTP Attacks 222Developer Defenses 222Use Reliable and Trusted and Tested OTP Algorithms 223OTP Setup Code Must Expire 223OTP Result Code Must Expire 223Prevent OTP Replay 224Make Sure Your RNG is NIST-Certified or Quantum 224Increase Security by Requiring Additional Entry Beyond OTP Code 224Stop Brute-Forcing Attacks224Secure Seed Value Database 225User Defenses 225Summary 22610 SUBJECT HIJACK ATTACKS 227Introduction 227Example Attacks 228Active Directory and Smartcards 228Simulated Demo Environment 231Subject Hijack Demo Attack 234The Broader Issue 240Dynamic Access Control Example 240ADFS MFA Bypass 241Defenses to Component Attacks 242Threat Model Dependency Abuse Scenarios 242Secure Critical Dependencies 242Educate About Dependency Abuses 243Prevent One to Many Mappings 244Monitor Critical Dependencies 244Summary 24411 FAKE AUTHENTICATION ATTACKS 245Learning About Fake Authentication Through UAC 245Example Fake Authentication Attacks 251Look-Alike Websites 251Fake Office 365 Logons 252Using an MFA-Incompatible Service or Protocol 253Defenses to Fake Authentication Attacks 254Developer Defenses 254User Defenses 256Summary 25712 SOCIAL ENGINEERING ATTACKS 259Introduction 259Social Engineering Commonalities 261Unauthenticated Communication 261Nonphysical 262Usually Involves Well-Known Brands 263Often Based on Notable Current Events and Interests 264Uses Stressors 264Advanced: Pretexting 265Third-Party Reliances 266Example Social Engineering Attacks on MFA 266Fake Bank Alert 267Crying Babies 267Hacking Building Access Cards 268Defenses to Social Engineering Attacks on MFA 270Developer Defenses to MFA 270User Defenses to Social Engineering Attacks 271Summary 27313 DOWNGRADE/RECOVERY ATTACKS 275Introduction 275Example Downgrade/Recovery Attacks 276Alternate Email Address Recovery 276Abusing Master Codes 280Guessing Personal-Knowledge Questions 281Defenses to Downgrade/Recovery Attacks 287Developer Defenses to Downgrade/Recovery Attacks 287User Defenses to Downgrade/Recovery Attacks 292Summary 29414 BRUTE-FORCE ATTACKS 295Introduction 295Birthday Attack Method 296Brute-Force Attack Methods 297Example of Brute-Force Attacks 298OTP Bypass Brute-Force Test 298Instagram MFA Brute-Force 299Slack MFA Brute-Force Bypass 299UAA MFA Brute-Force Bug 300Grab Android MFA Brute-Force 300Unlimited Biometric Brute-Forcing 300Defenses Against Brute-Force Attacks 301Developer Defenses Against Brute-Force Attacks 301User Defenses Against Brute-Force Attacks 305Summary 30615 BUGGY SOFTWARE 307Introduction 307Common Types of Vulnerabilities 308Vulnerability Outcomes 316Examples of Vulnerability Attacks 317Uber MFA Vulnerability 317Google Authenticator Vulnerability 318YubiKey Vulnerability 318Multiple RSA Vulnerabilities 318SafeNet Vulnerability 319Login gov 319ROCA Vulnerability 320Defenses to Vulnerability Attacks 321Developer Defenses Against Vulnerability Attacks 321User Defenses Against Vulnerability Attacks 322Summary 32316 ATTACKS AGAINST BIOMETRICS 325Introduction 325Biometrics 326Common Biometric Authentication Factors 327How Biometrics Work 337Problems with Biometric Authentication 339High False Error Rates 340Privacy Issues 344Disease Transmission 345Example Biometric Attacks 345Fingerprint Attacks345Hand Vein Attack 348Eye Biometric Spoof Attacks 348Facial Recognition Attacks 349Defenses Against Biometric Attacks 352Developer Defenses Against Biometric Attacks 352User/Admin Defenses Against Biometric Attacks 354Summary 35517 PHYSICAL ATTACKS 357Introduction 357Types of Physical Attacks 357Example Physical Attacks 362Smartcard Side-Channel Attack 362Electron Microscope Attack 364Cold-Boot Attacks 365Snooping On RFID-Enabled Credit Cards 367EMV Credit Card Tricks 370Defenses Against Physical Attacks 370Developer Defenses Against Physical Attacks 371User Defenses Against Physical Attacks 372Summary 37518 DNS HIJACKING 377Introduction 377DNS 378DNS Record Types 382Common DNS Hacks 382Example Namespace Hijacking Attacks 388DNS Hijacking Attacks 388MX Record Hijacks 388Dangling CDN Hijack 389Registrar Takeover 390DNS Character Set Tricks 390ASN 1 Tricks 392BGP Hijacks 392Defenses Against Namespace Hijacking Attacks 393Developer Defenses 394User Defenses 395Summary 39719 API ABUSES 399Introduction 399Common Authentication Standards and Protocols Involving APIs 402Other Common API Standards and Components 411Examples of API Abuse 414Compromised API Keys 414Bypassing PayPal 2FA Using an API 415AuthO MFA Bypass 416Authy API Format Injection 417Duo API As-Designed MFA Bypass 417Microsoft OAuth Attack 419Sign In with Apple MFA Bypass 419Token TOTP BLOB Future Attack 420Defenses Against API Abuses 420Developer Defenses Against API Abuses 420User Defenses Against API Abuses 422Summary 42320 MISCELLANEOUS MFA HACKS 425Amazon Mystery Device MFA Bypass 425Obtaining Old Phone Numbers 426Auto-Logon MFA Bypass 427Password Reset MFA Bypass 427Hidden Cameras 427Keyboard Acoustic Eavesdropping 428Password Hints 428HP MFA DoS 429Trojan TOTP 429Hackers Turn MFA to Defeat You 430Summary 43021 TEST: CAN YOU SPOT THE VULNERABILITIES? 431Threat Modeling MFA Solutions 431Document and Diagram the Components 432Brainstorm Potential Attacks 432Estimate Risk and Potential Losses 434Create and Test Mitigations 436Do Security Reviews 436Introducing the Bloomberg MFA Device 436Bloomberg, L P and the Bloomberg Terminal 437New User B-Unit Registration and Use 438Threat-Modeling the Bloomberg MFA Device 439Threat-Modeling the B-Unit in a General Example 440Specific Possible Attacks 441Multi-Factor Authentication Security Assessment Tool 450Summary 451PART III LOOKING FORWARD 45322 DESIGNING A SECURE SOLUTION 455Introduction 455Exercise: Secure Remote Online Electronic Voting 457Use Case Scenario 457Threat Modeling 458SDL Design 460Physical Design and Defenses 461Cryptography 462Provisioning/Registration 463Authentication and Operations 464Verifiable/Auditable Vote 466Communications 467Backend Blockchain Ledger 467Migration and Deprovisioning 470API 470Operational Training 470Security Awareness Training 470Miscellaneous 471Summary 47123 SELECTING THE RIGHT MFA SOLUTION 473Introduction 473The Process for Selecting the Right MFA Solution 476Create a Project Team 477Create a Project Plan 478Educate 479Determine What Needs to Be Protected 479Choose Required and Desired Features 480Research/Select Vendor Solutions 488Conduct a Pilot Project 490Select a Winner 491Deploy to Production 491Summary 49124 THE FUTURE OF AUTHENTICATION 493Cyber Crime is Here to Stay 493Future Attacks 494Increasing Sophisticated Automation 495Increased Nation-State Attacks 496Cloud-Based Threats 497Automated Attacks Against MFA 497What is Likely Staying 498Passwords 498Proactive Alerts 498Preregistration of Sites and Devices 499Phones as MFA Devices 500Wireless 501Changing/Morphing Standards 501The Future 501Zero Trust 502Continuous, Adaptive, Risk-Based 503Quantum-Resistant Cryptography 506Interesting Newer Authentication Ideas 506Summary 50725 TAKEAWAY LESSONS 509Broader Lessons 509MFA Works 509MFA is Not Unhackable 510Education is Key 510Security Isn’t Everything 511Every MFA Solution Has Trade-Offs 511Authentication Does Not Exist in a Vacuum 512There is No Single Best MFA Solution for Everyone 515There are Better MFA Solutions 515MFA Defensive Recap 516Developer Defense Summary 516User Defense Summary 518Appendix: List of MFA Vendors 521Index 527
Getting Started with Oracle Cloud Free Tier
Use this comprehensive guide to get started with the Oracle Cloud Free Tier. Reading this book and creating your own application in the Free Tier is an excellent way to build familiarity with, and expertise in, Oracle Cloud Infrastructure. Even better is that the Free Tier by itself is capable enough and provides all the ingredients needed for you to create secure and robust, multi-tiered web applications of modest size.Examples in this book introduce the broad suite of Always Free options that are available from Oracle Cloud Infrastructure. You will learn how to provision autonomous databases and autonomous Linux compute nodes. And you will see how to use Terraform to manage infrastructure as code. You also will learn about the virtual cloud network and application deployment, including how to create and deploy public-facing Oracle Application Express solutions and three-tier web applications on a foundation of Oracle REST Data Services. The book also includes a brief introduction to using and managing access to Oracle Machine Learning Notebooks.Cloud computing is a strong industry trend. Mastering the content in this book leaves you well-positioned to make the transition into providing and supporting cloud-based applications and databases. You will have the knowledge and skills that you need to deploy modest applications along with a growing understanding of Oracle’s Cloud platform that will serve you well as you go beyond the limits of the Always Free options and take full advantage of all that Oracle Cloud Infrastructure can offer.WHAT YOU WILL LEARN* Know which resources are available for free forever from Oracle Cloud Infrastructure* Provision your virtual cloud network* Host, manage, and monitor web applications using the freely available components* Provision and manage Autonomous Databases and Autonomous Linux Compute Nodes* Use and manage access to Oracle Machine Learning Notebooks* Automate and manage your infrastructure as code using Terraform* Monitor and manage costs when you grow beyond the Always Free platformWHO THIS BOOK IS FORDatabase administrators and application developers who want to learn about Oracle’s cloud offerings, application developers seeking a robust platform on which to build and deploy modest applications at zero cost, and developers and administrators interested in exploring Oracle Application Express running on a self-managing, self-tuning Oracle DatabaseADRIAN PNG is Senior Consultant at Insum Solutions. He has over two decades of experience in designing and implementing software solutions using a wide variety of programming languages. Adrian has a deep passion for Oracle Application Express and has helped many organizations succeed in developing robust data management practices. As a full-stack developer, he also does double-duty as a database and cloud administrator. “Design for the user” is his motto, and he continually seeks to optimize processes and adopt new strategies and technologies to improve how data is captured, integrated, and used effectively.LUC DEMANCHE is an Oracle DBA with 20 years of experience. His high-level expertise recently earned him the distinctions of Oracle Cloud Infrastructure 2018 Certified Architect, Oracle Autonomous Database Cloud 2019 Specialist, and Oracle Certified Professional 12c. His passion for the discipline has also led him to share his knowledge through a 2016 IOUG-published book titled Oracle Application Express Administration, which he co-authored with his colleague Francis Mignault, CTO at Insum. Luc specializes in Oracle databases from 7.3 to 19c and is particularly knowledgeable about the numerous Oracle tools used on his projects. He is heavily involved in building the Oracle Cloud team at Insum and has several successfully completed cloud projects to his credit.IntroductionPART I. GETTING STARTED1. Create an Account2. Identity and Access ManagementPART II. INFRASTRUCTURE AND OPERATIONS3. Basic Networking4. Compute Instances5. Storage6. Oracle Autonomous Linux7. Autonomous Databases8. Load Balancers9. Notifications and MonitoringPART III. APPLICATIONS10. SQL Developer Web11. Oracle Application Express12. Oracle REST Data Services13. Deploy Multitiered Web Applications14. Oracle Machine Learning NotebooksPART IV. NEXT STEPS15. Infrastructure as Code16. Account Management
Data Teams
Learn how to run successful big data projects, how to resource your teams, and how the teams should work with each other to be cost effective. This book introduces the three teams necessary for successful projects, and what each team does.Most organizations fail with big data projects and the failure is almost always blamed on the technologies used. To be successful, organizations need to focus on both technology and management.Making use of data is a team sport. It takes different kinds of people with different skill sets all working together to get things done. In all but the smallest projects, people should be organized into multiple teams to reduce project failure and underperformance.This book focuses on management. A few years ago, there was little to nothing written or talked about on the management of big data projects or teams. DATA TEAMS shows why management failures are at the root of so many project failures and how to proactively prevent such failures with your project.WHAT YOU WILL LEARN* Discover the three teams that you will need to be successful with big data* Understand what a data scientist is and what a data science team does* Understand what a data engineer is and what a data engineering team does* Understand what an operations engineer is and what an operations team does* Know how the teams and titles differ and why you need all three teams* Recognize the role that the business plays in working with data teams and how the rest of the organization contributes to successful data projectsWHO THIS BOOK IS FORManagement, at all levels, including those who possess some technical ability and are about to embark on a big data project or have already started a big data project. It will be especially helpful for those who have projects which may be stuck and they do not know why, or who attended a conference or read about big data and are beginning their due diligence on what it will take to put a project in place.This book is also pertinent for leads or technical architects who are: on a team tasked by the business to figure out what it will take to start a project, in a project that is stuck, or need to determine whether there are non-technical problems affecting their project.JESSE ANDERSON serves in three roles at Big Data Institute: data engineer, creative engineer, and managing director. He works on big data with companies ranging from startups to Fortune 100 companies. His work includes training on cutting-edge technologies such as Apache's Kafka, Hadoop, and Spark. He has taught over 30,000 people the skills needed to become data engineers.Jesse is widely regarded as an expert in the field and for his novel teaching practices. He has published for O’Reilly and Pragmatic Programmers. He has been covered in prestigious publications such as: The Wall Street Journal, CNN, BBC, NPR, Engadget, and Wired. He has spent the past 6+ years observing, mentoring, and working with data teams. He has condensed this knowledge of why teams succeed or fail into this book.
Big Public Data aus dem Programmable Web
Die Verbreitung des Internets und die zunehmende Digitalisierung in der öffentlichen Verwaltung und Politik haben über die letzten Jahre zu einer starken Zunahme an hochdetaillierten digitalen Datenbeständen über politische Akteure und Prozesse geführt. Diese big public data werden oft über programmatische Schnittstellen (Web APIs; programmable Web) verbreitet, um die Einbettung der Daten in anderen Webanwendungen zu vereinfachen. Die Analyse dieser Daten für wissenschaftliche Zwecke in der politischen Ökonomie und Politologie ist vielversprechend, setzt jedoch die Implementierung einer data pipeline zur Beschaffung und Aufbereitung von Daten aus dem programmable Web voraus. Dieses Buch diskutiert die Chancen und Herausforderungen der praktischen Nutzung dieser Datenbestände für die empirische Forschung und zeigt anhand einer Fallstudie ein mögliches Vorgehen zur systematischen Analyse von big public data aus dem programmable Web auf.ULRICH MATTER ist Assistenzprofessor für Volkswirtschaftslehre an der Universität St. Gallen.Einleitung.- Chancen: Datengenerierung und Datenqualität.- Herausforderungen: Webtechnologien und Variabilität der Daten.- Konzeptioneller Lösungsansatz: Data pipelines.- Fallstudie: Religion in der US Politik.- Replizierbarkeit und Verifizierbarkeit der Datensammlung.- Diskussion und Ausblick
Private Cloud und Home Server mit Synology NAS
Musik, Fotos, Videos und Dokumente zentral speichern und mit anderen teilenBenutzer verwalten, Backups erstellen und Daten vor unerlaubten Zugriffen schützenFortgeschrittene Themen wie Konfiguration von Firewall und VPN, Einrichtung eines Webservers und Einsatz von NextcloudZahlreiche Schritt-für-Schritt-Anleitungen und Praxis-Tipps Mit diesem Buch lernen Sie umfassend alles, was Sie brauchen, um Ihr Synology NAS an Ihre persönlichen Bedürfnisse anzupassen und das Potenzial Ihres Geräts voll auszuschöpfen. Dabei gibt der Autor Ihnen zahlreiche praktische Tipps an die Hand. So können Sie all Ihre Dateien wie Musik, Videos und Fotos zentral sichern und effektiv verwalten. Andreas Hofmann stellt die verschiedenen NAS-Modelle vor, so dass Sie wissen, welches für Sie am besten geeignet ist. In leicht nachvollziehbaren Schritten erläutert er detailliert, wie Sie Ihr NAS in Betrieb nehmen und mit dem DiskStation Manager (DSM) konfigurieren. Anhand einfacher Schritt-für-Schritt-Anleitungen zeigt er Ihnen, wie Sie Ihr NAS als Private Cloud und Home Server optimal einrichten: Dateien sichern, verwalten und mit anderen teilen, Benutzer verwalten, Fernzugriff einrichten, automatische Backups erstellen sowie Office-Dokumente und Multimedia-Dateien freigeben und mit dem SmartTV und anderen Geräten wiedergeben. Für alle, die noch tiefer in die Welt von Synology NAS eintauchen möchten, geht der Autor auf weiterführende Themen wie Datensicherheit und die Überwachung und Optimierung des Betriebs ein und zeigt Ihnen die Konfiguration abseits der grafischen Benutzeroberfläche für die Einrichtung eines eigenen Webservers und der beliebten Cloud-Lösung Nextcloud. Aus dem Inhalt: Kaufberatung und InbetriebnahmeDiskStation Manager (DSM) im DetailDateien zentral verwalten mit der File StationRAID-Konfiguration und automatische BackupsDateifreigabe und Fernzugriff via App, FTP u.v.m.Datensicherheit, Virenschutz und FirewallFotos organisieren und teilen mit der Photo StationMusik zentral verwalten mit der Audio StationFilme katalogisieren und streamen mit der Video StationOffice-Dokumente, Kalender, Adressbuch und Notizen verwaltenE-Mail-Server einrichtenZentrales Download-ManagementVideoüberwachung mit der Surveillance StationZugriff per KommandozeileWebserver, Datenbanken, Wordpress und MediaWikiNextcloudSpeicher erweitern und NAS migrieren blog.viking-studios.net
The Read Aloud Cloud
WHAT IS “THE CLOUD”? IS IT HERE OR THERE? SHOULD IT BE ALLOWED? SHOULD I EVEN CARE?Have you ever imagined the internet as a giant Rube Goldberg machine? Or the fast-evolving cloud computing space as a literal jungle filled with prehistoric beasts? Does a data breach look like a neo-noir nightmare full of turned-up coat collars and rain-soaked alleys? Wouldn’t all these vital concepts be easier to understand if they looked as interesting as they are? And wouldn’t they be more memorable if we could explain them in rhyme? Whether you’re a kid or an adult, the answer is: YES!The medicine in this spoonful of sugar is a sneaky-informative tour through the past, present and future of cloud computing, from mainframes to serverless and from the Internet of Things to artificial intelligence. Forrest is a professional explainer whose highly-rated conference talks and viral cartoon graphics have been teaching engineers to cloud for years. He knows that a picture is worth a thousand words. But he has plenty of words, too.Your hotel key, your boarding pass,The card you swipe to pay for gas,The smart TV atop the bar,The entertainment in your car,Your doorbell, toothbrush, thermostat,The vacuum that attacked your cat,They all connect the cloud and you.Maybe they shouldn't, but they do.As a graduation gift (call it “Oh the Places You’ll Go” for engineering students), a cubicle conversation starter, or just a delightfully nerdy bedtime story for your kids, “The Read-Aloud Cloud” will be the definitive introduction to the technologies that everyone uses and nobody understands. You can even read it silently if you want. But good luck with that.FORREST BRAZEAL has worked in the tech industry for more than a decade. He's installed software updates during a live cataract surgery and designed robots that perform machine learning on pizza, all while keeping his trademark sense of humor. In 2015, he began drawing a weekly webcomic about his life in the cloud which now reaches more than one hundred thousand regular readers. Forrest regularly interviews the biggest names in cloud computing through his "Think FaaS" podcast and his "Serverless Superheroes" blog series. An original AWS Serverless Hero, Forrest speaks regularly on business and technology at conferences, universities, and private events around the world. CHAPTER 1: WHAT IS THE CLOUDVisual language: minimalist. Cartoon characters on white background. Images are goofy and memorable, such as a Roomba chasing a cat Content: Covers the ubiquity of the cloud in real life (connected/smart home devices, online services, etc) and sets the tone for why we should care that a book is dedicated to this topic. Asks the big questions that will be answered throughout the text: What is the cloud? How does it work? Why should I care? Now that I know that, what should I do?CHAPTER 2: EVOLUTION OF THE CLOUD (A PREHISTORY)Visual language: This section will take place in a prehistoric jungle. Tangled vines, volcanoes, dinosaurs, etc. Content: Covers the background of computing, from mainframes through the client/server era up to virtualizationCHAPTER 3: THE INTERNET: A SERIES OF TUBESVisual language: A steampunk mad scientist’s laboratory, with lots of Rube Goldberg-esque tubes and gears Content: Covers the basics of how data gets from you to the cloud and back again, including remote servers, DNS, IP, etc.CHAPTER 4: CLOUD ARCHITECTUREVisual language: A construction job site. Bricks and mortar. Think Bob the Builder Content: Covers the core building blocks of cloud architecture. Cloud storage, databases, compute. High availability, scalability, and elasticity. Explains why these things are desirable and, in some cases, revolutionary.CHAPTER 5: CLOUD SECURITYVisual language: Noir (black and white, heavy shadows, stark silhouettes) Content: Covers some of the key risks associated with placing your data in the cloud, both personally and professionally. Uses a fictionalized breach to illustrate what can go wrongCHAPTER 6: THE INTERNET OF THINGSVisual language: Cubist, non-representational Content: Explains the Internet of Things, including why a smart device isn’t always better (lower security, risk of it not being supported)CHAPTER 7: ARTIFICIAL INTELLIGENCEVisual language: Used future. Think Blade Runner or Terminator. Red-eyed robots, smog, and neon Content: Covers some basics of how the cloud accelerates AI and machine learning through the centralization of data. Gives examples of when that’s good and when it can be bad (for example, reinforcing conscious or unconscious biases)CHAPTER 8: WHAT NOW?Visual language: Minimalist (same as the opening section; ties everything together) Content: Looks ahead to the future of the cloud, particularly increasing levels of abstraction like serverless, voice programming, and automation. Strikes a hopeful tone and finishes by encouraging the reader to go out and build a better cloud.
Android Apps Security
Gain the information you need to design secure, useful, high-performing apps that expose end-users to as little risk as possible. This book shows you how to best design and develop Android apps with security in mind: explore concepts that you can use to secure apps and how you can use and incorporate these security features into your apps.WHAT YOU WILL LEARN* Identify data that should be secured* Use the Android APIs to ensure confidentiality and integrity of data* Build secure apps for the enterprise* Implement Public Key Infrastructure and encryption APIs in apps* Master owners, access control lists, and permissions to allow user control over app properties* Manage authentication, transport layer encryption, and server-side securityWHO THIS BOOK IS FORExperienced Android app developers.Sheran Gunasekera is a security researcher and software developer with more than 13 years of information security experience. He is director of research and development for ZenConsult Pte. Ltd., where he oversees security research in both the personal computer and mobile device platforms. Sheran has been very active in BlackBerry and mobile Java security research and was the author of the whitepaper that revealed the inner workings of the first corporate-sanctioned malware application deployed to its subscribers by the UAE telecommunications operator Etisalat. He has spoken at many security conferences in the Middle East, Europe and Asia Pacific regions and also provides training on malware analysis for mobile devices and secure software development for both web and mobile devices. He also writes articles and publishes research on his security-related blog.1. Introduction.- 2. Recap of Secure Development Principles.- 3. Changes in Security Architecture.- 4. Security when Building Apps to Scale.- 5. Testing the Security of Your App (this covers pentesting and bug bounties).- 6. The Toolbag.- 7. Rooting an Android phone. 8. Looking at your App's Data through a Root shell.- Bypassing SSL Pinning (the holy grail of hacking apps).- 10. Reverse Engineering Android Apps.- 11. Incident Response.
Practical Smart Device Design and Construction
With the rapid development of the Internet of Things, a gap has emerged in skills versus knowledge in an industry typically segmented into hardware versus software. Practitioners are now expected to possess capabilities across the spectrum of hardware and software skills to create these smart devices.This book explores these skill sets in an instructive way, beginning at the foundations of what makes “smart” technology smart, addressing the basics of hardware and hardware design, software, user experiences, and culminating in the considerations and means of building a fully formed smart device, capable of being used in a commercial capacity, versus a DIY project.Practical Smart Device Design and Construction includes a set of starter projects designed to encourage the novice to build and learn from doing. Each project also includes a summary guiding you where to go next, and how to tie the practical, hands-on experience together with what they have learned to take the next step on their own.WHAT YOU'LL LEARN* Practical smart device design and construction considerations such as size, power consumption, wiring needs, analog vs digital, and sensor types and uses* Methods and tools for creating their own designs such as circuit board designs; and wiring and prototyping tools* Hands-on guidance through their own prototype projects and building it alongside the projects in this book* Software considerations for speed versus ease, security, and basics of programming and data analytics for smart devicesWHO THIS BOOK IS FORThose with some technical skills, or at least a familiarity with technical topics, who are looking for the means and skills to start experimenting with combined hardware and software projects in order to gain familiarity and comfort with the smart device space. Chris Harrold is a 25 year veteran of IT, starting from help-desk and tech support through to leading technology organizations and departments. Throughout that career he has been privileged to witness one of the most exciting times in technology as the rapid pace of innovation and growth has driven technology from the realm of the corporation into the hands of the consumer. This has also spawned a rise in the creation of smart devices – devices that extend our own abilities and reach through the application of technology.As a maker and creator, this ability to build things that can do tasks is innately exciting to Chris, and so he has stayed close to the smart device space, and has learned and built numerous things in that time. It is that process of building my skills in hardware, engineering, and product design that prompted Chris to write this book. While there is no way to convey a career of learning and study in a single book, his aim in writing this is to help others like Chris get started in the smart device space, by giving them the basic background, context, tools, and guidance to build on as they take their own projects to the next level.PRACTICAL SMART DEVICE DESIGN AND CONSTRUCTIONPART 1: SMARTChapter 1: A Brief History of Smart ThingsChapter 2: The DYI Smart EraChapter 3: Beyond the HypePART 2: SMART HARDWAREChapter 4: EE for the total n00bChapter 5: Advanced Circuit ComponentsChapter 6: Circuit Building LabPART 3: SMART SOFTWAREChapter 7: Touch, Taste, See, Hear, SmellChapter 8: The Small ComputerChapter 9: Smart Device Building LabPART 4: PERFORMANCEChapter 10: Your First Circuit BoardChapter 11: Your first good PCB
SAP S/4HANA
»Schnell« und »einfach« soll sie sein, die neue SAP Business Suite 4 SAP HANA. In unserem Bestseller erfahren Sie, was Sie erwartet: Ulf Koglin erläutert Funktionen, Nutzen und Technologie des zukünftigen SAP-Standardsystems. Informieren Sie sich, ob die Cloud- oder On-Premise-Lösung besser zu Ihren Anforderungen passt und welche Optionen Ihnen bei der Implementierung zur Verfügung stehen. Als Entscheider, Berater oder einfach Interessierter finden Sie Antworten auf Ihre Fragen rund um SAP S/4HANA. Aus dem Inhalt: Digitale Transformation, KI und RoboticPrinciple of OneDie Datenbank SAP HANAEigenentwicklungen für SAP S/4HANA SAP Fiori und die UX-StrategieDeployment in der Cloud oder On-PremiseSimplification ListGreenfield, Brownfield, BluefieldSAP Cloud PlatformAnalysewerkzeuge, z.B. SAP Analytics CloudGeschäftspartnerkonzept (Business Partner) Einleitung ... 13 1. Konzepte von SAP S/4HANA ... 21 1.1 ... Digitale Transformation und intelligentes Unternehmen ... 23 1.2 ... Anforderungen an moderne IT-Systeme ... 31 1.3 ... Lösungsansätze in und mit SAP S/4HANA ... 42 1.4 ... Zusammenfassung ... 57 2. SAP S/4HANA - die technische Konzeption ... 59 2.1 ... Die SAP HANA Platform ... 60 2.2 ... Entwicklung unter SAP S/4HANA ... 70 2.3 ... Analysewerkzeuge von SAP HANA ... 90 2.4 ... SAP Fiori ... 99 2.5 ... SAP Cloud Platform ... 108 2.6 ... Künstliche Intelligenz ... 128 2.7 ... Zusammenfassung ... 137 3. Prinzipien des Redesigns ... 139 3.1 ... Das Principle of One ... 140 3.2 ... Wie wirkt sich das Redesign auf die Systemarchitektur aus? ... 142 3.3 ... Welche Auswirkungen gibt es auf die Funktionen? ... 149 3.4 ... Kontinuität beim Datenzugriff mit Compatibility Views ... 153 3.5 ... Was bewirkt die neue User-Interface-Strategie? ... 155 3.6 ... Die Simplification List als Hilfswerkzeug ... 161 3.7 ... Zusammenfassung ... 165 4. SAP S/4HANA Finance ... 167 4.1 ... Konzeptionelle Änderungen ... 168 4.2 ... Neue Funktionen in SAP S/4HANA Finance ... 179 4.3 ... Geänderte Funktionen in SAP S/4HANA Finance ... 191 4.4 ... Central Finance ... 202 4.5 ... Fiori-Apps und das Rollenkonzept ... 206 4.6 ... Zusammenfassung ... 212 5. SAP S/4HANA in der Logistik ... 215 5.1 ... Änderungen in der Architektur ... 216 5.2 ... Funktionale Neuerungen für die Logistik ... 227 5.3 ... Neue Konzepte in der Logistik ... 237 5.4 ... Zusammenfassung ... 261 6. Umstellungsszenarien und prototypischer Ablauf einer Migration ... 263 6.1 ... Feststellen der Ausgangssituation und des Migrationsweges ... 264 6.2 ... Prüfen der Systemvoraussetzungen ... 273 6.3 ... Vorbereiten des Systems auf SAP HANA ... 274 6.4 ... Durchführung der Migration und unterstützende Werkzeuge ... 278 6.5 ... Konfiguration der Benutzeroberfläche ... 286 6.6 ... Zusammenfassung ... 294 7. Praxisbeispiele: Einführung von SAP S/4HANA ... 299 7.1 ... SAP-S/4HANA-Neuimplementierung mit einer Masterlösung am Beispiel des Bistums Limburg ... 300 7.2 ... Systemkonsolidierung am Beispiel der ELKB ... 311 7.3 ... Beispielvorgehen für eine Konvertierungsprojekt ... 320 7.4 ... Projektbeispiele für den SAP-Fiori-Einsatz ... 388 7.5 ... Zusammenfassung ... 405 8. Erfolgsfaktoren für die Umstellung auf SAP S/4HANA ... 409 8.1 ... Vorprojekte für die SAP-S/4HANA-Umstellung ... 410 8.2 ... Entwicklung eines »Umstellungsfahrplans« als notwendiger Erfolgsfaktor ... 413 8.3 ... Welche Erfolgsfaktoren wirken in den Phasen? ... 424 8.4 ... Ausgewählte Werkzeuge für die Unterstützung der Umstellung ... 449 8.5 ... Zusammenfassung ... 465 Ausblick ... 469 Die Autoren ... 475 Index ... 479
Hands on Hacking
A FAST, HANDS-ON INTRODUCTION TO OFFENSIVE HACKING TECHNIQUESHands-On Hacking teaches readers to see through the eyes of their adversary and apply hacking techniques to better understand real-world risks to computer networks and data. Readers will benefit from the author's years of experience in the field hacking into computer networks and ultimately training others in the art of cyber-attacks. This book holds no punches and explains the tools, tactics and procedures used by ethical hackers and criminal crackers alike.We will take you on a journey through a hacker’s perspective when focused on the computer infrastructure of a target company, exploring how to access the servers and data. Once the information gathering stage is complete, you’ll look for flaws and their known exploits—including tools developed by real-world government financed state-actors.* An introduction to the same hacking techniques that malicious hackers will use against an organization* Written by infosec experts with proven history of publishing vulnerabilities and highlighting security flaws* Based on the tried and tested material used to train hackers all over the world in the art of breaching networks* Covers the fundamental basics of how computer networks are inherently vulnerable to attack, teaching the student how to apply hacking skills to uncover vulnerabilitiesWe cover topics of breaching a company from the external network perimeter, hacking internal enterprise systems and web application vulnerabilities. Delving into the basics of exploitation with real-world practical examples, you won't find any hypothetical academic only attacks here. From start to finish this book will take the student through the steps necessary to breach an organization to improve its security.Written by world-renowned cybersecurity experts and educators, Hands-On Hacking teaches entry-level professionals seeking to learn ethical hacking techniques. If you are looking to understand penetration testing and ethical hacking, this book takes you from basic methods to advanced techniques in a structured learning format.MATTHEW HICKEY is an expert in offensive security testing, discovering vulnerabilities used by malicious attackers, as well as a developer of exploits and security testing tools. He is a co-founder of Hacker House. JENNIFER ARCURI is an entrepreneur, public speaker and Certified Ethical Hacker. She is the CEO and founder of Hacker House. Foreword xviiiIntroduction xxCHAPTER 1 HACKING A BUSINESS CASE 1All Computers are Broken 2The Stakes 4What’s Stolen and Why It’s Valuable 4The Internet of Vulnerable Things 4Blue, Red, and Purple Teams 5Blue Teams 5Red Teams 5Purple Teams 7Hacking is Part of Your Company’s Immune System 9Summary 11Notes 12CHAPTER 2 HACKING ETHICALLY AND LEGALLY 13Laws That Affect Your Work 14Criminal Hacking 15Hacking Neighborly 15Legally Gray 16Penetration Testing Methodologies 17Authorization 18Responsible Disclosure 19Bug Bounty Programs 20Legal Advice and Support 21Hacker House Code of Conduct 22Summary 22CHAPTER 3 BUILDING YOUR HACK BOX 23Hardware for Hacking 24Linux or BSD? 26Host Operating Systems 27Gentoo Linux 27Arch Linux 28Debian 28Ubuntu 28Kali Linux 29Verifying Downloads 29Disk Encryption 31Essential Software 33Firewall 34Password Manager 35Email 36Setting Up VirtualBox 36Virtualization Settings 37Downloading and Installing VirtualBox 37Host-Only Networking 37Creating a Kali Linux VM 40Creating a Virtual Hard Disk 42Inserting a Virtual CD 43Virtual Network Adapters 44Labs 48Guest Additions 51Testing Your Virtual Environment 52Creating Vulnerable Servers 53Summary 54CHAPTER 4 OPEN SOURCE INTELLIGENCE GATHERING 55Does Your Client Need an OSINT Review? 56What are You Looking For? 57Where Do You Find It? 58OSINT Tools 59Grabbing Email Addresses from Google 59Google Dorking the Shadows 62A Brief Introduction to Passwd and Shadow Files 62The Google Hacking Database 65Have You Been “Pwned” Yet? 66OSINT Framework Recon-ng 67Recon-ng Under the Hood 74Harvesting the Web 75Document Metadata 76Maltego 80Social Media Networks 81Shodan 83Protecting Against OSINT 85Summary 86CHAPTER 5 THE DOMAIN NAME SYSTEM 87The Implications of Hacking DNS 87A Brief History of DNS 88The DNS Hierarchy 88A Basic DNS Query 89Authority and Zones 92DNS Resource Records 92BIND9 95DNS Hacking Toolkit 98Finding Hosts 98WHOIS 98Brute-Forcing Hosts with Recon-ng 100Host 101Finding the SOA with Dig 102Hacking a Virtual Name Server 103Port Scanning with Nmap 104Digging for Information 106Specifying Resource Records 108Information Leak CHAOS 111Zone Transfer Requests 113Information-Gathering Tools 114Fierce 115Dnsrecon 116Dnsenum 116Searching for Vulnerabilities and Exploits 118Searchsploit 118Other Sources 119DNS Traffic Amplification 120Metasploit 121Carrying Out a Denial-of-Service Attack 125DoS Attacks with Metasploit 126DNS Spoofi ng 128DNS Cache Poisoning 129DNS Cache Snooping 131DNSSEC 131Fuzzing 132Summary 134CHAPTER 6 ELECTRONIC MAIL 135The Email Chain 135Message Headers 137Delivery Status Notifications 138The Simple Mail Transfer Protocol 141Sender Policy Framework 143Scanning a Mail Server 145Complete Nmap Scan Results (TCP) 149Probing the SMTP Service 152Open Relays 153The Post Office Protocol 155The Internet Message Access Protocol 157Mail Software 158Exim 159Sendmail 159Cyrus 160PHP Mail 160Webmail 161User Enumeration via Finger 162Brute-Forcing the Post Office 167The Nmap Scripting Engine 169CVE-2014-0160: The Heartbleed Bug 172Exploiting CVE-2010-4345 180Got Root? 183Upgrading Your Shell 184Exploiting CVE-2017-7692 185Summary 188CHAPTER 7 THE WORLD WIDE WEB OF VULNERABILITIES 191The World Wide Web 192The Hypertext Transfer Protocol 193HTTP Methods and Verbs 195HTTP Response Codes 196Stateless 198Cookies 198Uniform Resource Identifiers 200LAMP: Linux, Apache, MySQL, and PHP 201Web Server: Apache 202Database: MySQL 203Server-Side Scripting: PHP 203Nginx 205Microsoft IIS 205Creepy Crawlers and Spiders 206The Web Server Hacker’s Toolkit 206Port Scanning a Web Server 207Manual HTTP Requests 210Web Vulnerability Scanning 212Guessing Hidden Web Content 216Nmap 217Directory Busting 218Directory Traversal Vulnerabilities 219Uploading Files 220WebDAV 220Web Shell with Weevely 222HTTP Authentication 223Common Gateway Interface 225Shellshock 226Exploiting Shellshock Using Metasploit 227Exploiting Shellshock with cURL and Netcat 228SSL, TLS, and Heartbleed 232Web Administration Interfaces 238Apache Tomcat 238Webmin 240phpMyAdmin 241Web Proxies 242Proxychains 243Privilege Escalation 245Privilege Escalation Using DirtyCOW 246Summary 249CHAPTER 8 VIRTUAL PRIVATE NETWORKS 251What is a VPN? 251Internet Protocol Security 253Internet Key Exchange 253Transport Layer Security and VPNs 254User Databases and Authentication 255SQL Database 255RADIUS 255LDAP 256PAM 256TACACS+ 256The NSA and VPNs 257The VPN Hacker’s Toolkit 257VPN Hacking Methodology 257Port Scanning a VPN Server 258Hping3 259UDP Scanning with Nmap 261IKE-scan 262Identifying Security Association Options 263Aggressive Mode 265OpenVPN 267LDAP 275OpenVPN and Shellshock 277Exploiting CVE-2017-5618 278Summary 281CHAPTER 9 FILES AND FILE SHARING 283What is Network-Attached Storage? 284File Permissions 284NAS Hacking Toolkit 287Port Scanning a File Server 288The File Transfer Protocol 289The Trivial File Transfer Protocol 291Remote Procedure Calls 292RPCinfo 294Server Message Block 295NetBIOS and NBT 296Samba Setup 298Enum4Linux 299SambaCry (CVE-2017-7494) 303Rsync 306Network File System 308NFS Privilege Escalation 309Searching for Useful Files 311Summary 312CHAPTER 10 UNIX 315UNIX System Administration 316Solaris 316UNIX Hacking Toolbox 318Port Scanning Solaris 319Telnet 320Secure Shell 324RPC 326CVE-2010-4435 329CVE-1999-0209 329CVE-2017-3623 330Hacker’s Holy Grail EBBSHAVE 331EBBSHAVE Version 4 332EBBSHAVE Version 5 335Debugging EBBSHAVE 335R-services 338The Simple Network Management Protocol 339Ewok 341The Common UNIX Printing System 341The X Window System 343Cron and Local Files 347The Common Desktop Environment 351EXTREMEPARR 351Summary 353CHAPTER 11 DATABASES 355Types of Databases 356Flat-File Databases 356Relational Databases 356Nonrelational Databases 358Structured Query Language 358User-Defined Functions 359The Database Hacker’s Toolbox 360Common Database Exploitation 360Port Scanning a Database Server 361MySQL 362Exploring a MySQL Database 362MySQL Authentication 373PostgreSQL 374Escaping Database Software 377Oracle Database 378MongoDB 381Redis 381Privilege Escalation via Databases 384Summary 392CHAPTER 12 WEB APPLICATIONS 395The OWASP Top 10 396The Web Application Hacker’s Toolkit 397Port Scanning a Web Application Server 397Using an Intercepting Proxy 398Setting Up Burp Suite Community Edition 399Using Burp Suite Over HTTPS 407Manual Browsing and Mapping 412Spidering 415Identifying Entry Points 418Web Vulnerability Scanners 418Zed Attack Proxy 419Burp Suite Professional 420Skipfish 421Finding Vulnerabilities 421Injection 421SQL Injection 422SQLmap 427Drupageddon 433Protecting Against SQL Injection 433Other Injection Flaws 434Broken Authentication 434Sensitive Data Exposure 436XML External Entities 437CVE-2014-3660 437Broken Access Controls 439Directory Traversal 440Security Misconfiguration 441Error Pages and Stack Traces 442Cross-Site Scripting 442The Browser Exploitation Framework 445More about XSS Flaws 450XSS Filter Evasion 450Insecure Deserialization 452Known Vulnerabilities 453Insufficient Logging and Monitoring 453Privilege Escalation 454Summary 455CHAPTER 13 MICROSOFT WINDOWS 457Hacking Windows vs. Linux 458Domains, Trees, and Forests 458Users, Groups, and Permissions 461Password Hashes 461Antivirus Software 462Bypassing User Account Control 463Setting Up a Windows VM 464A Windows Hacking Toolkit 466Windows and the NSA 467Port Scanning Windows Server 467Microsoft DNS 469Internet Information Services 470Kerberos 471Golden Tickets 472NetBIOS 473LDAP 474Server Message Block 474ETERNALBLUE 476Enumerating Users 479Microsoft RPC 489Task Scheduler 497Remote Desktop 497The Windows Shell 498PowerShell 501Privilege Escalation with PowerShell 502PowerSploit and AMSI 503Meterpreter 504Hash Dumping 505Passing the Hash 506Privilege Escalation 507Getting SYSTEM 508Alternative Payload Delivery Methods 509Bypassing Windows Defender 512Summary 514CHAPTER 14 PASSWORDS 517Hashing 517The Password Cracker’s Toolbox 519Cracking 519Hash Tables and Rainbow Tables 523Adding Salt 525Into the /etc/shadow 526Different Hash Types 530MD5 530SHA-1 531SHA-2 531SHA256 531SHA512 531bcrypt 531CRC16/CRC32 532PBKDF2 532Collisions 533Pseudo-hashing 533Microsoft Hashes 535Guessing Passwords 537The Art of Cracking 538Random Number Generators 539Summary 540CHAPTER 15 WRITING REPORTS 543What is a Penetration Test Report? 544Common Vulnerabilities Scoring System 545Attack Vector 545Attack Complexity 546Privileges Required 546User Interaction 547Scope 547Confidentiality, Integrity, and Availability Impact 547Report Writing as a Skill 549What Should a Report Include? 549Executive Summary 550Technical Summary 551Assessment Results 551Supporting Information 552Taking Notes 553Dradis Community Edition 553Proofreading 557Delivery 558Summary 559Index 561