- Human Perception: The Missing Security Control
- My container application has 100 vulnerabilities, now what?
- Security Engineering != (Admin || Analyst || Responder)
- Can Cryptocurrency Replace the US Dollar?
- Setting up an in-line Linux server in Azure for NIDS or packet capture
- Homomorphic Encryption
- Hunt the Stank
- Federated Trust
- Fuzzbuts v. Fuzzbutts Red Team v. Blue Team Tabletop Game
- Cybersecurity is exactly like soccer
- BCP and Privacy Lessons from CoVID-19
- SBOM’s and CBOM’s – why bills of materials matter to hackers?
- Software Security Engineering (Learnings from the past to fix the future)
- CMMC Certification Readiness: Mitigating Cyber Risk
Human Perception: The Missing Security Control
Speaker(s): Dr. Nikki Robinson
Information Security / IT practitioners with 1 year experience – any management
This talk is centered around how perception, whether from users or security practitioners, affects the actual security and overall risk of an organization. We think about technical solutions, like software, applications, and new tools, or working on processes, like building an SSP or Incident Response plan, but not how our conversations and interactions with people affect the security of our systems. If I have a bad interaction with a security analyst, will that affect how I implement or think about security as a system owner? Let’s talk about some scenarios where perception may affect the security posture of a network. Using psychological and behavioral analysis techniques can help us to secure our environments and have better and more effective communication between peers.
Nikki Robinson holds a DSc in Cybersecurity, as well as a PhD in Human Factors. She is a Security Architect with IBM, as well as an Adjunct Professor with Capitol Technology University. Her main passions include integrating academic research into technical and practical solutions. She is mostly focused on vulnerability management, human factors and security engineering, as well as DFIR.
My container application has 100 vulnerabilities, now what?
Speaker(s): Rachana Vishwanathula
Enterprises are moving to a “shift-left” culture, with security seamlessly embedded into every stage of the development life cycle of a project/product. This talk covers the challenges of securing containerized workloads, major risk areas, the new threat vectors that containers introduce, best practices for container security, identifying CVEs, content trust and image signing, and how to secure the application from these risks. Some of the best practices to ensure security in container images are to:
- use DCT (Docker Content Trust),
- perform a VA (Vulnerability Advisor) scan on images,
- securely sign an image and enforce a policy that ensures an image can’t be deployed until the signatures are found and validated.
Is there a way to automate these tasks? Yes, by setting up a CI/CD pipeline that in turn manages these tasks every time a new change is made to the image. This talk focuses on how to continuously integrate and deliver a securely signed Docker app to a Kubernetes service.
Docker Content Trust provides strong cryptographic guarantees over what code and what versions of software are run in your infrastructure. It integrates The Update Framework (TUF) into Docker by using Notary, an open-source tool that provides trust over any content, and this can be leveraged in CI/CD pipelines along with key management software. When a publisher who is using Docker Content Trust pushes an image to a remote registry, Docker Engine locally signs the image with the publisher’s private key. When a user pulls this image, Docker Engine uses the publisher’s public key to verify that the image is exactly what the publisher created. It also ensures that the image wasn’t tampered with and that it is up to date.
A VA (Vulnerability Advisor) scan on images is an assessment of Docker images that identifies OS vulnerabilities (unpatched libraries and OS components, vulnerable kernel versions), application weaknesses (SQL injection, XSS and buffer overflows) and configuration vulnerabilities (insecure OS settings, such as passwords or logins, as well as network configuration, including allowing root). This can be done with open-source tools such as OpenSCAP, and there are enterprise products that offer the same functionality. This talk demonstrates how to perform this on Docker images in CI/CD pipelines before they are deployed. Container Image Security Enforcement (CISE) retrieves information about image content trust and vulnerabilities. This step securely signs an image and enforces a policy that ensures an image can’t be deployed until the signatures are found and validated. This can be achieved through image signing.
Rachana Vishwanathula is an IBMer. In her current role as Software Developer on the Hybrid Cloud Build Team, her technology focus is Hybrid Cloud Applications and IBM Cloud Paks, and her mission is to interact with IBM’s Build Partner Companies and help them in their journey to hybrid cloud to build solutions that bring value to IBM’s tech stack. She is also a Developer Advocate and an active member of IBM’s Developer Ecosystem Group, where her mission is to enable developers on various technologies like Cloud and Cognitive, Data and AI, and Security. She has engaged with client, partner, startup, and student communities and has delivered immersive and engaging tech talks, workshops, and keynotes on a diverse set of technologies. She works with academic institutions in India and has delivered several Faculty Development Programs for colleges.
Security Engineering != (Admin || Analyst || Responder)
Speaker(s): Craig Bowser, Ludwig Goon (nfltr8)
The field of Security Engineering has evolved into an essential function within the Information Security industry. Security Engineers are responsible for many aspects of protecting the enterprise, including designing secure systems, supporting security operations, and protecting business platforms, data centers and, now, the cloud. The nebulous role of Security Engineers is sometimes confused with system administrators, security analysts or even penetration testers. Yet the industry recognizes the need for Security Engineers, with thousands of opportunities in the DMV region alone. This talk will address questions such as “What is a security engineer?” and “Aren’t they the system administrators?” Reswob (reswob10) and Noog (nfltr8) will provide their experience as Security Engineers in Information Security (or Cyber) solving real problems for federal services and other industries. Heck, we will even throw in a framework that we created called the Security Engineering Triad. After all that fun, we want to inspire the next generation on what it takes to become security engineers in today’s world, including the experience, education and certifications needed.
Craig Bowser is an Infosec professional with over 20 years of experience in the field. He has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer in DoD, DOJ and Dept of Energy areas and is currently a Director of Data Analytics at GuidePoint Security. He has some letters that mean something to HR departments. He is a Christian, Father, Husband, Geek, and Scout Leader who enjoys woodworking, sci-fi fantasy, home networking, tinkering with electronics, reading, and hiking. And he has a to-do list that is longer than the to-do slots that are open.
Ludwig Goon (nfltr8) is an information security professional with over 24 years of experience in Information Technology and over 14 years’ experience in Information Security (often referred to as CyberSecurity). Ludwig, or “Lu”, has worked primarily for commercial Defense Contractors implementing enterprise-scale solutions. Lu is now working as a Security Engineer for a consulting firm and is located in the Northern Virginia metropolitan area. When Lu is not building Linux desktops or geeking out over security platforms and SIEMs, he spends his time as a husband and father of a very active toddler. Lu is a person who drives cars and motorcycles really fast, enjoys playing jazz trumpet, and travels. Lu geeks out about food, bourbon, Linux, gadgets, Mac OS X, IoT devices, and open-source security software such as Zeek, Nmap, and Kali Linux.
Can Cryptocurrency Replace the US Dollar?
Speaker(s): Dr. Kenneth Geers
Cryptocurrency has the potential to revolutionize world finance and world politics. As a currency, however, crypto still has a lot to prove. Good money has three requirements: reliable medium of exchange, meaningful unit of account, and stable store of value. Computer coders and digital revolutionaries have only just begun. A key milestone will be whether cryptocurrency can replace the US Dollar as the world’s reserve currency – a pillar of international relations since World War II. That is unlikely in the near term, but over the horizon, anything is possible. This talk offers a framework for understanding cryptocurrency’s past, present, and future. It details the security challenges associated with cryptocurrency investment, dissecting numerous vulnerabilities and mitigations. It examines why the economic potential of cryptocurrency is intimately tied to its political impact. Investors, from citizen to nation-state, must weigh the benefits and risks of cryptocurrency on tactical and strategic scales.
Dr. Kenneth Geers is an External Communications Analyst at Very Good Security. He is an Atlantic Council Cyber Statecraft Initiative Senior Fellow, a NATO Cooperative Cyber Defence Centre of Excellence Ambassador, and a Digital Society Institute-Berlin Affiliate. Kenneth served for twenty years in the US Government: in the Army, National Security Agency (NSA), Naval Criminal Investigative Service (NCIS), and NATO. He is the author of “Strategic Cyber Security”, editor of “Cyber War in Perspective” and “The Virtual Battlefield”, and technical expert to the “Tallinn Manual”.
Setting up an in-line Linux server in Azure for NIDS or packet capture
Speaker(s): Ken Netzorg
Anyone with basic Linux and Networking fundamentals
Azure does not support a basic SPAN or port-mirroring option that allows for the continual monitoring or analysis of network traffic (unless you use vTAP, which is in Preview but currently on hold, and purchase services from a third party). Building and deploying an in-line Linux server to act as a packet inspection appliance is straightforward and cost effective if you have some basic information. With a few basic deployment enhancements this can be done to support a high-availability implementation. I have developed this talk because when I went through this process, I did not find any good end-to-end guides on how to put it all together. This basic setup can be further expanded upon to run Suricata, Zeek, or simple tcpdump activities to give you insight into traffic on your VNet.
A seasoned technology leader who loves to continually learn and try new ideas and solutions to help the Blue Team succeed. Though good security and technology solutions can be hard, they don’t have to be limited to those with the biggest budgets. I like to find ways to leverage and evangelize the great work others in our industry have shared with us, as it is critical for us to learn from each other if we are to succeed as an industry.
Homomorphic Encryption
Speaker(s): Rob Slade
How do you encrypt something, and still use it? Recently, security operations has become very excited about homomorphic encryption. It seems to be the latest “magic” security technology that will solve all our problems, but I don’t think we’ve really provided a good outline of what it is, and, particularly, what it can’t do. This presentation will outline the basic concepts, note some specific forms and applications, and point out the various factors for use or consideration.
Rob Slade gets out to far too few conferences and tries to make up for it by spending as much time as he can interacting with the fragmented and disparate “communities” online. More info than anyone would want to know is at http://en.wikipedia.org/wiki/Robert_Slade
Hunt the Stank
Speaker(s): @securitysphynx, @niryoo
To be “secure” is more than “stopping bad behavior” or “keeping people out”. Being secure today is about knowing bad behavior when you see it, not missing false negatives, being prepared when a supply chain attack impacts you, understanding the limitations of modern EDR (they miss human attackers because humans look like humans, not malware signatures), and realizing that tool saturation, shadow IT, burnout, overworked admins… all of the above have created gaps. Your first and last defenses involve understanding BEHAVIOR and correlation.
I’ve divided this up into two sections – part one I call the “boring basics” because that’s generally how people in security feel when you say things like “map network flow” and “where’s your CMDB”. But those boring basics are essential; you’ll never get to the “fun” parts of security if you skip them.
The second half is a very quick – because this is only half an hour – run through the attack lifecycle and some of your opportunities to detect dumb, different, and dangerous behavior that your signature-based detections may be less likely to pick up.
Melissa Bischoping (@securitysphynx) is a passionate security evangelist whose academic and professional background in human psychology and technology aligns to educate, advocate, and remediate the difficult security problems faced by businesses and individuals. She currently works as an Endpoint Security Research Specialist at Tanium, where she analyzes emerging threats, zero-days, and CVEs to provide subject matter expertise for internal and external customers. Prior to Tanium, she held positions in operations and security across the hospitality, casino gaming, and industrial/manufacturing industries. Outside of work, Melissa is pursuing a Master of Science in Information Security Engineering at SANS, where she also competes as part of the Capture-The-Flag team. She supports Pros Vs Joes as a Blue Pro staff member, and is an active member of multiple industry nonprofits that support other women in security. She lives in Northern Virginia with her spouse, son, 3 sphynx cats, and a min-pin.
Nir started his career as a squad leader in the Israeli Intelligence Corps. He helped with gathering intelligence tracking the growth of terrorist organizations. Nir has over 20 years of experience in threat intelligence, insider threat analysis, and endpoint security. Currently, Nir is a technical solutions engineer with Tanium. Nir speaks occasionally at security conferences.
Federated Trust
Speaker(s): Thomas Capola
Basic skill level – for both technical and business audiences
Why should we care as security professionals about federating trust across organizations?
Modern business practices require data sharing in a zero trust environment. Using blockchain and federated identity, it is possible to safely share critical data across corporate boundaries without losing control of your intellectual property. How can we make that process safe and airtight? This will be a 20 minute talk with slides.
Driven serial entrepreneur, investor and advisor. Founded three companies, successfully sold two (still owns the third).
He founded his first software company in 1999, one of the first purely digital advertising platforms, grew it to 16,000 customers and sold it to AdStream, the world’s leading ad workflow, management, and cross-media distribution provider.
Thomas came across the problem of cross organizational sharing years ago and solved it with open source tools and proprietary code. Now his company SYCCURE has built a commercial solution, which is about to be brought to market.
Fuzzbuts v. Fuzzbutts Red Team v. Blue Team Tabletop Game
Speaker(s): Kelly Ohlert (@gwyddia)
RPG nerds, compliance folks, security leads, anyone who has ever hated sitting through a tabletop exercise
I specialize in doing gamified tabletop exercises – D&D for IR. I’d like to run a game I’ve designed so that other people can see how great this is.
This game, Fuzzbuts v. Fuzzbutts, pits a cat meme aggregator site against three separate red teams, each with their own agenda. The blue team gets three chances to harden their systems, and the red teams each get to make an attack. The scenario is resolved by a combination of GM adjudication, player wrangling, and good old-fashioned dice.
This game can run with as few as 2 and as many as 15 people, with audience participation welcome. It runs about two hours.
Kelly Ohlert is a Security and Compliance Consultant and the Tabletop Exercise Practice Lead for Leviathan Security Group. She helps Leviathan’s clients navigate multiple compliance frameworks with an eye toward risk management and best practices. As Tabletop Practice Lead, Kelly designs and facilitates simulated exercises in order to prepare clients for incident response situations such as data breaches and malware attacks.
In addition to her information security work, Kelly is an attorney with over 15 years of experience. Her years as counsel in a range of legal disciplines have given her a unique perspective on client needs, sensitive issues, and confidentiality.
Kelly has completed the prestigious Certificate course in Cyber Wargaming from the Military Operations Research Society. She is currently working on a book on tabletop design and facilitation for information security professionals. She is known for her theory of gamification of tabletops and has presented on that topic at the well-respected security conference Security BSides Las Vegas, where she is a member of the staff.
Cybersecurity is exactly like soccer
Speaker(s): John Stoner (@1MrStoner)
Everyone (Novice through Expert)
I propose that a lot of folks have trouble wrapping their head around all the problems in Cybersecurity, so I love bringing in some analogies. As a soccer fanatic, this talk seems natural to me. Are you a striker for Man City (A red teamer on a fortune 25)? Or are you a youth academy product (intern) playing for Bradford City (a small start-up)? Are you a specialist (wide speedy winger – Adama Traoré) or an all-around generalist (James Milner)? Are you Man City, and spend any amount for the right talent, or do you rely on your youth academy and train up the junior folks? Let’s dive into the tackle and have some fun on the pitch, try not to get yellow carded!
Mr. Stoner is a CISSP-certified professional with over 21 years of experience in the US Intelligence Community (USIC), defense sector, and national security industry, with 11+ years in cybersecurity. He is a cybersecurity specialist looking for an impactful role across verticals, or serving multiple clients. He is experienced in Cyber Threat Intelligence (CTI), cyber counterintelligence (CI), SIGINT, Defense Industrial Base (DIB) cyber engagements, NIST 800-171 & 800-53, Advanced Persistent Threat (APT) analysis, Risk Management Framework (RMF) and Governance, Risk and Compliance (GRC). He is a US Soccer D-level licensed coach and has been involved with soccer since the age of 5.
BCP and Privacy Lessons from CoVID-19
Speaker(s): Rob Slade
This talk covers important information security concepts which have been highlighted by the CoVID-19 pandemic crisis. Using the SARS-CoV-2/CoVID-19 pandemic as a giant case study, and structured by the domains of information security, it looks at business continuity, physical security, privacy, and application security aspects of the crisis, pointing out specific security fundamentals where the social, medical, or business response to the crisis failed, or needed to make specific use of those concepts. For the most part, these lessons are simply reminders of factors that get neglected during times of non-crisis, and particularly point out the importance of advance planning and resilience in systems and business.
Rob Slade may be an information security and management consultant from North Vancouver, British Columbia, Canada, or he may be an artificial intelligence program gone horribly wrong, and hooked up to various email addresses. He is the last surviving non-aligned malware researcher in captivity. He got his start, in security, researching viruses. But not this type of virus. This year he has been cooped up inside with nothing to do but research the latest security buzzwords.
SBOM’s and CBOM’s – why bills of materials matter to hackers?
Speaker(s): Joshua Marpet (@quadling)
Anyone interested in bills of materials and learning new reconnaissance methods
Bills of materials are fascinating, in that they can provide vulnerability information, component information, and compliance information. For red teams, it gives them ways to get in. For blue teams, it gives them a punch list of what to protect. What about for forensics, or compliance, or incident response? What do they get?
Executive director of the RM-ISAO, founder of MJM Growth, and SPDX podcast host. I’ve been there and done that.
Software Security Engineering (Learnings from the past to fix the future)
Speaker(s): Debasis Mohanty
Software Engineering Team Members (Developers, Architects, Engineering Managers etc.), Technology or Product Companies Key Stakeholders, Application Security Enthusiasts, Pretty much anyone who has interests in software security engineering
Over the last 20 years, exponential growth in technology and technological advancement has led to a significant increase in the attack surface of applications and software. If these applications become part of an organisation’s internal or external facing infrastructure, they inherently increase the organisation’s overall attack surface. Interestingly, most of the security bugs the industry is dealing with these days have been around for at least two decades.
Suppose you are responsible for ensuring application security for your organisation, or you are a vital member of the software engineering team, and you deal with known security issues affecting these applications year after year. In that case, there are a few critical questions to ask yourself.
Is it challenging to entirely eradicate known application security bugs in a single application and across all the applications in your organisation? Does your product team observe that the security bugs identified and mitigated in a particular application/software release continue to resurface in future releases? Have you made a move to DevSecOps, or are you considering migrating away from Waterfall and Agile, with the hope that it would take care of all the security bugs in your applications/software?
If the answer to any or all of the above questions is “Yes”, then this talk is for you.
This talk will have no fancy demos; instead, it will cover some of the crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored. The key to ensuring the maximum possible security resilience in an application/software against known and unknown threats is hidden in past events. Therefore, past examples will be covered during the talk to learn from and reflect on, in order to fix future security problems in an application/software.
It is quite possible to eliminate known security bugs entirely across all the applications in an organisation and prevent them from reoccurring. While achieving 100% resilience against zero-day threats for your software is less likely, it is quite possible to achieve at least 99.99% security resilience in an application/software to defend against variants of known security bugs.
This talk will provide some food for thought on how to steer software security engineering in an organisation to achieve such results. Among all the solutions I’d cover, none of those will lead to DevSecOps. You’ll find out why during the talk.
Debasis has over 20 years of insightful experience in Offensive and Defensive security. He got into security as early as 1997-1998, when there were limited online resources and one had to self-learn and rely more on textbooks, MSDN resources (Windows), or man pages (Linux/Unix) than on the internet.
A large part of his background has been working closely with software engineering companies to evangelise security at various stages of the software development lifecycle.
He specialises in, though is not limited to, application security, infrastructure security, exploit development, and reverse engineering. While he has made several contributions to the security community in the form of tools, exploits, and whitepapers, one of his notable contributions has been a remote Microsoft Windows exploit (MS08-067), which is still used on many occasions by penetration testers.
CMMC Certification Readiness: Mitigating Cyber Risk
Speaker(s): Ali Pabrai
Compliance Professionals • Privacy Officers • Security Officers • IT Professionals • Legal Professionals • Senior Management and Directors
The Department of Defense (DoD) standard, the Cybersecurity Maturity Model Certification (CMMC), is the future cyber standard now. CMMC is focused on the risk to the supply chain and how to effectively establish a cyber-resilient program in an organization. While it directly impacts hundreds of thousands of suppliers to the DoD, you will find that CMMC provides value in enhancing your organization’s cyber and compliance program, especially in the areas of policies, procedures and associated capabilities. Every compliance professional, as well as cyber professionals and those with IT and information security responsibilities, must examine and learn more about the new CMMC standard. Cyber risk in the supply chain is a serious business risk. CMMC provides an opportunity to mitigate this risk.
In this fast-paced, fact-based CMMC brief, participants will:
- Understand why CMMC is such a valued reference for addressing risks in the cyber supply chain (e.g. your business associates)
- Walk through core components, organization and CMMC Maturity Levels
- Navigate requirements to achieve CMMC certification
- Examine key steps for establishing a CMMC-based compliance and cyber program
Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), CMMC PI, PA, RP, HITRUST (CCSFP), Security+, a cybersecurity and compliance expert, is the chairman of ecfirst. A highly sought-after professional, he has successfully delivered solutions to U.S. government agencies, IT firms, healthcare systems, legal and other organizations worldwide. Mr. Pabrai has led numerous engagements worldwide for ISO 27001, PCI DSS, NIST, CMMC, GDPR, HITRUST CSF and HIPAA/HITECH. Mr. Pabrai served as an Interim CISO for a health system with 40+ locations in the USA. ecfirst is an approved HITRUST CSF Assessor.