BSidesLA-2014-Talks

Recordings

We are in the process of uploading the talks that were recorded. You can find all of Day 1 here: http://www.youtube.com/user/BsidesLA Day 2 coming soon.

 


 

Machine Learning in Security

Aaron Guzman

@scriptingxss

 

Machine learning is not a new concept. Much of machine learning is known as AI that has powered the mind robots and the driverless cars of the future. This talk aims to enlighten individuals on how machine learning can be proactive in solving application security issues as well as how it can be used to aid attackers.

 

Aaron is a Board member for the Open Web Application Security Project (OWASP) Los Angeles chapter, Cloud Security Alliance SoCal chapter and the First Vice President for the High Technology Crime Investigation Association of Southern California (HTCIA). Aaron evangelizes application security and all the fun things that come along with it. Aaron currently works at Belkin as a Senior Penetration Tester hacking all the things to secure the internet of things.


Next Generation Red Teaming

Robert Wood

@robertwood50

http://rm-wood.com

http://darksidesecurity.blogspot.com

 

 

Too often organizations conduct assessments within a vacuum: physical, network, social, or application-layer. Attackers do not confine themselves similarly and avail themselves of whatever combination of techniques most effectively achieves their desired impact. Red team assessments aim to simulate these attacks more realistically and identify risk through composite, cross-domain attack vectors. This talk will cover several shortcomings with the current "model" of red teaming across the industry and how we can more effectively incorporate the application-specific attack surface into a red team effort. War stories will be shared to show the effectiveness of application-centric composite attacks in this new approach.

 

Robert Wood is a Senior Security Consultant at Cigital and leads the development and execution of the red team assessment practice for the firm. Robert has worked with a number of clients spanning from Fortune 100 financial institutions to gaming companies providing services at every stage in the SDLC. Prior to Cigital, Robert worked for Secure Network Technologies where he developed the mobile forensic investigation practice and focused his penetration testing efforts on red team and network security assessments.

 


Practical Pass the Hash Mitigations

Christopher Scott

@NetOpsGuru 

 

Looking back one year in the life of technology is a long time, so 16 years could be considered almost an eternity. At that point in technology history, we were testing the latest build of Windows Memphis Beta, which would eventually become Windows 98, and, at the same time, Pass the Hash (PtH) was gaining popularity as a method used to target credentials and intellectual property. Over the years there have been numerous discussions, blogs, webinars, etc. about how to mitigate PtH attacks. So much so that you may be wondering if the topic warrants further conversation. At CrowdStrike, we believe the answer is a resounding YES. We regularly encounter enterprise organizations that have had their intellectual property stolen using this technique, and even more that are still vulnerable to this attack. During this presentation, we will illustrate instances where CrowdStrike consultants have seen PtH attacks effectively allow attackers access to a victim’s network, and will reveal practical steps that can be applied to enterprise computer networks to mitigate and detect pass the hash attempts.

 

Christopher Scott has over 15 years of experience working with the Department of Defense, Fortune 500, and Defense Industrial Base companies to develop business and network security processes and procedures. He has particular expertise in targeted threat detection and prevention. As a Director at CrowdStrike Services, Christopher specializes in developing and implementing remediation plans for clients. In addition, he supports a variety of other engagements including conducting security reviews, leading incident response teams, performing insider threat analysis and engineering threat detection systems, business continuity and disaster recovery processes. Christopher has presented several times to peers at closed-session DoD and DIB conferences. He frequently collaborates on techniques and processes to detect some of the most advanced targeted attacks companies face today.

 


Shellcode Time: Come on Grab Your Friends

Wartortell

 

Packed shellcode is a common deterrent against reverse engineering. Mainstream software will use it in order to protect intellectual property or prevent software cracking. Malicious binaries and Capture the Flag (CTF) challenges employ packed shellcode to hide their intended functionality. However, creating these binaries is an involved process requiring significant experience with machine language. Due to the complexity of creating packed shellcode, the majority of samples are painstakingly custom-created or encoded with very simple mechanisms, such as a single byte XOR.


In order to aid in the creation of packed shellcode and better understand how to reverse engineer it, I created a tool to generate samples of modular packed shellcode. During this talk, I will demonstrate the use of the shellcode creation tool and how to reverse engineer the binaries it creates.

 

Wartortell is a computer that makes malware go backwards for Mandiant/FireEye/FLARE. He worked in binary rewriting, x86 disassembly, and binary transparency analysis. He is also really good at casting Ice Punch and going hard in the paint.

 


Pulling back the covers on credit card fraud: A detailed look at financial fraudware

Chester Wisniewski

http://www.linuxatowrk.org

https://nakedsecurity.sophos.com

@chetwisniewski @linuxatwork

 

Credit card theft has dominated the information security headlines recently and for good reason. This talk will demonstrate (with both Chip & PIN and magnetic stripe credit cards) how malware is able to steal the most critical details. It will also delve into the underground economy and explore how the data is stolen, used and ultimately exploited to the criminals' benefit.

 

Chester "Chet" Wisniewski is a Senior Security Advisor at Sophos with more than 15 years of experience in the security industry. In his current role Chester conducts research into computer security and online privacy with the goal of making security information more accessible to the public, media and IT professionals. Chester frequently writes articles for the award-winning Naked Security blog, produces the weekly podcast "Sophos Security Chet Chat" and is a frequent speaker at conferences and in the press.

 


Making WAFfles! (...or How to get more out of your WAF )

John "geekspeed" Stauffacher

 

Web Application Firewalls are the new arm candy. Everybody says they have them, but nobody really knows how to use them. Let's take a dive into implementing a proper WAF program, getting out of "monitor" mode, and touch on ways to end up fully weaponized. This talk intends to introduce the end user to building a proper WAF program, bridging the gap with development, tips to cover the OWASP Top 10 as a start, and finally more insights on how to add some offensive capability.

 

John Stauffacher (@g33kspeed) is a Senior Security Consultant with the Accuvant Labs Technology Services team where he performs application security defense projects for clients. He holds the F5 CTS certification in ASM, APM, and GTM. He is also an Imperva WAF and DAM expert. As part of the Technology Services team, John’s core function is to provide expert-level consultation to clients as well as deliver training and knowledge enrichment. John has also been a contributor to open source security projects, with the latest being contributions to the w3af project. John is also an active speaker at conferences and author of a number of titles on the topic of network and perimeter security.

 


Dumping AD Hashes Without Process Injection

Russ Swift

@0xsalt

 

I will be presenting on methods of dumping Active Directory password hashes from a domain controller by using the Volume Shadow Copy Service or direct disk access to make a copy of the NTDS.dit, SYSTEM and SAM files from a running DC. I will give a history of old methods and detail new methods and ideas for detecting them.

 

- evolution of getting password hashes

- current and new methods

- tools and credentials prep

- getting your tools onto the dc

- volume shadow copy service

- powersploit ninjacopy direct disk access

- export and extract

- crack them

- pass them

- detect vssown / ninjacopy activity?

 

Russ is a security practitioner in the greater Los Angeles area with ten years of experience providing security engineering, pentesting and consulting services to Fortune 100 finance and entertainment companies. Russ has developed information security courseware for pentesting and training companies and is currently a SANS research and curriculum advisor. Russ has pentesting experience in the areas of network infrastructure, Active Directory, wireless and antivirus evasion.

 

 

 


Opening Acts: How Attackers Get Their Big Breaks

Chuck Willis & Evan Peña

 

Every security incident has to start somewhere. Sometimes the attacker gets into an organization via phishing. Other times they use SQL injection. Or, they may use an off-the-shelf exploit kit, mass malware, drive-by attack, ‘l33t 0-day exploits, access via other compromises, or some other technique like 2014’s vulnerability à la mode: HeartBleed™.

 

This presentation will provide a look at the recent trends and novel techniques we have seen in how attackers gain their initial foothold in victim networks. Specific case studies will be discussed that illustrate the types of vulnerabilities and systems targeted by attackers.  Methods to prevent intrusions using the different vectors will also be covered, along with potential mechanisms to detect the attacks. For the penetration testers and other offensive minded individuals in the audience, we’ll also discuss the tools used by the attackers and how to replicate the incidents.

 

Chuck Willis is a Senior Technical Director with Mandiant (a FireEye Company) in Alexandria, Virginia. At Mandiant, Mr. Willis concentrates in application and network security, where he assesses the security of sensitive software and systems through penetration testing, static analysis, and "white box" review. His past experiences include study of source code analysis tools, security software engineering, computer forensics, network intrusion investigations, research, and tool development. Mr. Willis is the leader of the OWASP Broken Web Applications project, which distributes a virtual machine with known vulnerable web applications for testing and training.

 

Evan Peña works at Mandiant (a FireEye Company) as a Consultant doing incident response, forensics, and penetration testing. Evan has years of experience in enterprise information technology administration, employing covert penetration testing to evaluate incident response procedures, and assessing enterprise network defense capabilities from the perspective of an attacker. In addition, Evan participates in security engagements of large government agencies and Fortune 500 companies. These networks consist of an online presence spanning hundreds of thousands of addresses around the world.

 


All Your Macs Are Belong to Us

Christopher Elisan

@Tophs

 

This talk focuses on how attackers hold a Mac system hostage by using Mac-compatible browsers as their main platform of pwnage. Regardless of what browser the user prefers, the attackers are still able to take the system hostage and intimidate the user into paying “ransom” to avoid any unwanted consequences that go beyond access to the system, such as getting arrested and serving time in prison. This talk will also show how an attack like this also has a silver lining, which actually helped law enforcement agencies corral a certain kind of criminal.

 

Key Takeaways:

- Be aware of attacks on Mac that are designed to PWN the system

- Be aware of what social engineering techniques the attackers use to fool and coerce users

- Learn how to un-PWN a Mac using system functionalities already available in Mac

 

 

Christopher Elisan is the author of “Malware, Rootkits and Botnets: A Beginner’s Guide" and "Advanced Malware Analysis", both published by McGraw-Hill. Elisan is a seasoned reverse engineer and malware researcher. He is currently the Principal Malware Scientist at RSA and Sr. Manager of the Malware Intelligence Team. Before RSA, Elisan was with Trend Micro, F-Secure and Damballa. Elisan is one of the pioneers of Trend Micro’s TrendLabs where he held multiple technical and managerial positions. After Trend, he led and established F-Secure’s Asia R&D where he spearheaded multiple security research projects. He then joined Damballa where he specialized in malware research, analysis and reversing. He frequently speaks at various security conferences across the globe and provides expert opinion about malware, botnets and advanced persistent threats for leading industry and mainstream publications.

 


Be Mean to Your Code - Rugged Development & You

Matt Johansen

 

Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.

This talk brings some advice/tools of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system. You will learn pragmatic approaches and tooling that will affect your development processes, delivery pipelines and even the operational runtime. You will walk away with solutions you can put into practice right away and you will also be armed with rugged anti-patterns to help you identify what to change.

 

 

Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies' and their customers' data.

Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web applications that WhiteHat has under contract for many Fortune 500 companies across a range of technologies.

 

He was previously a security consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also an instructor of Web Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and San Jose State University. He has also been utilized by the SANS Institute as an industry expert for certification review.

 


Top 10 Web Hacking Techniques of 2013

Matt Johansen

 

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its eighth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work.

 

In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2013 as picked by an expert panel of judges.

 

This year’s winners are:

1 - Mario Heiderich – Mutation XSS

2 - Angelo Prado, Neal Harris, Yoel Gluck – BREACH

3 - Pixel Perfect Timing Attacks with HTML5

4 - Lucky 13 Attack

5 - Weaknesses in RC4

6 - Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval

7 - Million Browser Botnet

8 - Large Scale Detection of DOM based XSS

9 - Tor Hidden-Service Passive De-Cloaking

10 - HTML5 Hard Disk Filler™ API

 

 

Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies' and their customers' data.

Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web applications that WhiteHat has under contract for many Fortune 500 companies across a range of technologies.

 

He was previously a security consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also an instructor of Web Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and San Jose State University. He has also been utilized by the SANS Institute as an industry expert for certification review.

 


Legislative Realities

Jon Hart

 

Current cyber security laws such as the Computer Fraud and Abuse Act, DMCA, and other proposed language do not clearly define legal and criminal boundaries for the good guys or the bad. Bottom line: Consumers and businesses may lose the ability to protect themselves. This issue is timely as IoT (the Internet of Things) blurs the line between the physical and virtual world.

 

In this talk, Jon Hart will explain how and why the security community should be involved in government legislation around cybersecurity to protect researchers and the community at large. He will discuss options to balance protection for security researchers with clear guidelines for corporate due care and simple definitions for criminal and malicious acts, including clear disclosure guidelines.

 

Jon’s been "doing security" in various manners for 15 years: did in-depth protocol threat analysis back in the early days of VA/VM, worked on the IoT before it was a T, did policy development, implementation and auditing, led the addition of hundreds of thousands of vulnerability checks to Rapid7's Nexpose, and now "I accidentally the entire Internet" as part of Rapid7 Labs.

 


Managing Content Security Policy

Neil Matatall

@ndm

 

Content Security Policy, despite the negative press, is making great leaps in usability and application. First of all, what is CSP and why should I care? How does one manage CSP? How is CSP applied in a way that makes everyone happy? How do you manage violations and tune policies? What tools can be used to make this program successful? How do you justify flipping the switch to enforce CSP? We will tell the story of CSP at Twitter, our successes and failures, with the goal of empowering the audience to go to their boss and answer any questions that might cause concern.

 

Neil Matatall is an application security engineer for Twitter, OWASP OC board member, and co-organizer of AppSec California.

 


ROP: Cyber-warfare 3.0

Stephen Crane

@rinon

 

Code-reuse attacks, such as Return-Oriented Programming, are the next-generation evolution of remote code-execution used by cyber attackers such as nation-state sponsored APTs. ROP is a critical component of sophisticated modern attacks now breaking the intertubes using previously dormant bytes. Defending against this class of attacks requires a paradigm shift in defensive technique. Intelligent defenses must intercept and prevent this clear and present threat to maintain the status quo in the growing cyber-war. We must proactively synergize to fight the oppressive regime, protecting our freedom of speech in the cloud and right to share cat videos.

 

Prepare yourself for a whirlwind tour of code-reuse as we discuss the background and implementation of bleeding-edge ROP attacks and defenses.

 

Stephen is a PhD student at UC Irvine working on compilers, security, cryptography, and whatever else seems fun and tangentially related. He spends most days staring at x86 code, with nice respites of hacking on LLVM and punctuated by flurries of arguing with LaTeX. When he's not hacking on something, you can often find him playing computer and board games.

 


Threat Modeling My Wife: How a security researcher deals with potentially vulnerable devices that provide high quality of life improvements.

Brian Knopf

@DoYouQA 

 

This talk discusses what I went through when my wife needed to have a pain management device implanted in her back to make her mobile again. From building a threat model to weighing the benefits versus the potential risk and how I overcame security paranoia to better her life. I will talk about the differences between these devices and other devices that have known wireless exploits. While cameras and other IoT devices can be compromised, there is not the same safety concern as when a device is necessary to provide quality of life. Unlike an insulin pump, there is no manual alternative available to make those with chronic pain mobile again.

 

Brian has 20 years of experience in IT, development, QA/QE, and security. Brian has built and managed QA, automation, security, and development teams for companies including Rapid7, MySpace, Youbet.com, eUniverse, and VeriTest. He is currently the Director of Application Security at Belkin International, responsible for SDL, PSIRT, security research, and pen testing of Belkin and Linksys Networking, WeMo (home automation), and SMB products. This includes security of hardware, firmware, mobile applications, and cloud environments. Prior to Belkin, Brian spent 3 years building Nexpose, the leading Vulnerability Management product at Rapid7.

 


Securing Sensitive Data: A Strange Game

Jeff Elliot

 

Information security compliance regulations like PCI, HIPAA, SB1386 have been around for many years now, but we continue to suffer large data breaches. In this talk, an experienced PCI QSA will discuss why even the best efforts at compliance fail to prevent breaches, provide examples from the field of what goes wrong despite these best efforts, and how to win by not playing - by getting the sensitive data the thieves want out of your environment.

 

Jeff Elliot is an Associate Director at Protiviti, where he is responsible for delivering Information Security services to many of Protiviti's largest clients. With seven years as a PCI QSA, and as the "Primary Contact" for Protiviti with the PCI Council, Jeff leads or consults on many of Protiviti's largest PCI assessment and remediation projects. Jeff and his teams typically find real security gaps that other assessors and client personnel have missed, sometimes for years.

 


Malware in Javascript? A Look at Proslikefan

Fred Gutierrez

 

Most modern malware is 32-bit and 64-bit binary executable files; the days of macro and VB viruses have passed. Recently, however, we have seen several threats that are returning to the non-binary formats using JavaScript or VBScript again. In this talk I will expose one such threat that is written exclusively in JavaScript: Js.Proslikefan. At first glance such a threat may not appear to wield the same power as a binary executable, but I will show that not only is this threat powerful, with many advanced features, but it also has the ability to readily morph itself into new distinct variations. I will show its social media interactions and why its victims like so many pages on Facebook and have suddenly started mining bitcoins.

 

Fred Gutierrez stares at malware stealing banking credentials and intellectual property all day working as a Senior Threat Analysis Engineer for Symantec. Before that, he was with McAfee auditing websites for any goodies he could find.

 


Mobile Application Analysis

Kausar Khizra & Nasa Quba

 

The drastic pervasion of mobile devices and rapid advancement in their environment and applications offers a challenge in keeping up with mobile security and forensics. The tools and intelligence are limited but trying to catch up. The talk discusses investigating malicious activity by a potentially offensive iOS application; it briefly explains the HFS filesystem, acquisition, and tools and techniques to analyze network and file activities.

 

Kausar Khizra is a highly motivated Computer Forensic and Incident Response professional. She obtained a master's degree in Digital Forensics from the University of Central Florida, and the professional certifications she holds in the field are ACE (AccessData Certified Examiner), AME (AccessData Mobile Examiner) and CompTIA Security+. She is currently working as DFIR Paranoid at Yahoo! Inc. and has spoken at SANS DFIR Summit 2014, BSides Orlando 2014 and UCF Security Conference 2014. Some of her published articles include Man In The Middle Attack: Forensics, Windows 8 File History Analysis, and From iPhone to Access Point.

 

Nasa Quba is an Incident Responder and Forensic Analyst. She received her B.S. degree in Telecommunication Engineering and an M.S. in Digital Forensics from the University of Central Florida, Orlando. She spent more than 2 years working as a VoIP engineer in a telecom company. She is an AccessData Certified Examiner (ACE), AccessData Mobile Examiner (AME) and CompTIA Security Certified (Security+). She co-authored and published several forensic articles online; namely, Man In The Middle Attack: Forensics, Windows 8 File History Analysis, From iPhone to Access Point. She is a member of Golden Key International Honour Society and The Honor Society of Phi Kappa Phi. She has given talks at SANS DFIR Summit 2014, BSides Orlando 2014 and UCF Security Conference 2014.


Making Your Life Easier with Static Analysis for Dynamic Languages

Justin Collins

@presidentbeef

 

Security tools abound for statically-analyzing statically-typed languages, but sadly dynamically-typed languages are often dismissed as "too hard" or even "impossible" to analyze. Of course, that's nonsense! We can and should have tools for dynamic languages and their frameworks. But while commercial tools continue to lag behind in this area, sites running on web frameworks like Rails and Django are proliferating. I hope to offset that discrepancy by getting you excited about static analysis and demonstrating it might not have to be that hard. This talk will also include lessons learned while writing Brakeman (a static analysis security tool for Rails) and the many ways static analysis can be used to make your life easier, whether you are a developer or a security professional or both.

 

Justin Collins (@presidentbeef) is the primary author of Brakeman (SAST for Ruby on Rails), a member of the application security team at Twitter, and a recent UCLA computer science PhD graduate.

 


Abusing Malware Piracy

Brian Wallace

@botnet_hunter

 

Software piracy has been a problem for the software development industry. With the industrialization of the malware market, malware piracy has risen as a problem for malware developers. For security researchers, it is a double-edged sword. While it provides attackers with access to tools they would otherwise need to pay for, it also allows for multiple advantages. Researchers gain additional insight into the development and distribution of malware, as well as access to samples/sources that would otherwise require additional effort. It can make samples easier to identify and extract configuration information from. For the attackers, it can also give them the advantage of hiding their command and control servers when the malware samples reference other botnet instances. We can fight this advantage by using the homogeneity of the command and control structure against them in Internet-wide scanning of HTTP servers. This can uncover a number of otherwise undiscovered botnets. In this talk, Brian Wallace (@botnet_hunter) will cover identifying and leveraging malware piracy. The process of identifying botnets with Internet-wide scanning will be covered, along with the case study results of multiple botnets using this method.

 

Brian is a security researcher at Cylance.

 


The Hidden Risks of Mobile Applications to your Organization

Jim Stickley

 

Mobile applications are becoming a major security threat to organizations and they don’t even know it yet. While many people talk about the potential risks of mobile devices, often the true impact of these risks is not understood. In his presentation, attendees will see real-world examples of how mobile applications can be written to be malicious and explore the damage a skilled criminal can cause. While many of these risks do not have simple fixes, Stickley will provide advice for organizations to reduce their exposure and analyze emerging risks, such as BYOD as part of an ongoing risk management program including what to look for in application settings when downloading new applications to a mobile device, the type of intrusions in the current mobile technology landscape, how to best educate their organization’s internal employees, and best practices and policies for organizations to reduce their risk exposure.

 

Jim is an independent security consultant. Previously, he was Chief Research Officer (CRO), Vice President of Strategy & Solutions, and Co-Founder of TraceSecurity, where Jim was instrumental in directing the TraceSecurity strategy. Jim is responsible for developing and releasing multiple versions of the software used by hundreds of clients today. With over 20 years of experience in the high-technology industry, Jim is in charge of the guiding principles and structure of all TraceSecurity solutions including products and services. Stickley has been involved in thousands of security services for financial institutions, Fortune 100 corporations, healthcare facilities, legal firms, insurance companies and has been a consultant for network stations such as FOXNEWS, CBS and NBC. Stickley has been featured in numerous magazines and newspapers including Time Magazine, Business Week, Fortune Magazine, New York Times, PC Magazine, CSO Magazine and hundreds of other publications. He has also been showcased on numerous television shows including NBC's "Nightly News", CNN's "NewsNight", CNBC's "The Big Idea", Anderson Cooper's "Anderson" and is a frequent guest on NBC's "Today Show". Additionally, Stickley is the author of "The Truth about Identity Theft" and a co-author of "Beautiful Security".


How Not to Get "Snowdended"

Jason Hicks 

 

While you may not be safeguarding classified information, all organizations have data whose disclosure would cause damage to their brand, reputation and financial picture. Trusted individuals are often the source of these data disclosures; the two most public examples are Bradley Manning and Edward Snowden. Through a comprehensive Data Security Program your organization can effectively manage your exposure to this type of event. We plan to cover the following:

- Overview of the risk and motivations of insider breach threats

- Overview of the components of an effective Data Security Program

- Example scenarios and how process and technology can come together to mitigate your organization's risk.

 

Jason is a director of Strategic Services at Fishnet.

 


The Next Generation of Security Professionals (And How you Can Help)

Jessica Archer

 

The demand for information security professionals is at an all-time high. Everywhere you look you see our nation struggle to fill the gap between the number of skilled professionals available and the number of information security jobs that need to be filled. This gap will continue to grow as society embraces and integrates technology into every aspect of our lives. How will we attract, motivate, and educate the future workforce needed to address the data breaches and security threats of the next decade? From our experiences working with the ISACs (Information Sharing and Analysis Centers), the academic community, industry, and government at the city, state, and federal level over the past 13 years, the CIAS at UTSA has seen this need firsthand. As a means to help address this need, the CIAS (Center for Infrastructure Assurance and Security) started developing and implementing cyber security competitions for high school and college students.


These competitions grew into a means to educate and motivate students, encouraging them to go beyond what they learn in the classroom and get involved with the information security community. Competitions have been wildly popular amongst the students, their teachers/coaches, and the professionals (or companies) helping them. Information Technology and Information Security professionals serve a vital role in competition programs as mentors. Mentors motivate and educate students, providing hands-on knowledge and experience that coaches from primarily academic backgrounds can't always provide. Just as the nation needs more qualified information security professionals, competition programs need more mentors: individuals willing to donate their time and knowledge to help motivate and train the next generation of information security professionals. Are you willing to answer that call?

 

Mrs. Archer and the Center for Infrastructure Assurance and Security (CIAS) developed and have managed the Collegiate Cyber Defense Competition, a national-level cyber defense competition for college students, for the past 9 years; they also developed and run Panoply, a King of the Hill style CTF, and run the technology behind CyberPatriot. Mrs. Archer is responsible for business development, client relations, community outreach, volunteer management and fundraising for competition programs within the center. Prior to working at the CIAS, Mrs. Archer's experience included installing telephony security management systems, implementing new technology rollouts for companies within the financial industry, and provisioning telecommunication lines.

 

Panel: Authentication and Identity Debate

Moderator:

Richard Greenberg 

Richard Greenberg, CISSP, a recognized leader in Information Security, is the Information Security Officer for the LA County Department of Public Health. Richard brings over 25 years of management experience and has been a strategic and thought leader in IT and Information Security for both the private and public sectors. An ISSA Fellow, he also is President of OWASP-LA and a Board member of ISSA-LA.

 

 

Panelists:

  • Dovell Bonnet ([email protected]): CEO of Access Smart. He believes passwords are secure but the people that manage them are not; the first step toward password security is to remove the weak link, the human element.

 

  • Stina Ehrensvard ([email protected]): CEO & Founder of Yubico. She believes in a simple PIN/password combined with a 2nd factor device; that's why Yubico invented the YubiKey and contributed to the FIDO U2F open authentication standards.

 

  • Craig Rosen: CISO of FireEye

 

  • Dan Meacham: Director of IT, Trident USA Health Services. Just an average IT security guy who still programs on a Timex Sinclair ZX81 (because simple math with A and B scales on a slide rule is too old school), Mr. Meacham shares his 20+ years of technology experience within the technology security community. As the "young kid" on a couple of university advisory boards (Texas A&M University, University of Dallas, and UCLA Extension), through near misses such as being a CISO finalist for the World Health Organization (2006), and through serendipitous training such as the National Security Agency IAM (2002), Mr. Meacham continues to find himself in unanticipated settings, such as being named the Cyber Security Leader of the Year (2014).

 

  • Brian Knopf: Application Security Pro with 20 years of experience in IT, development, QA/QE, and security. Brian has built and managed QA, automation, security, and development teams for companies including Rapid7, MySpace, Youbet.com, eUniverse, and VeriTest. He is currently the Director of Application Security at Belkin International, responsible for SDL, PSIRT, security research, and pen testing of Belkin and Linksys Networking, WeMo (home automation), and SMB products. This includes security of hardware, firmware, mobile applications, and cloud environments. Prior to Belkin, Brian spent 3 years building Nexpose, the leading Vulnerability Management product at Rapid7.

 

While the intent and methods of attacks vary greatly, many focus on exploiting credentials and escalating privileges to reach their objective. If there is anything we have learned from past and current breaches, it is that passwords are prevalent because they come with the application, making them cheap in the beginning but costly later. There are increasingly many alternatives designed to strengthen, abstract or even replace the password, but often they are difficult to manage or don't scale well to many applications, environments, and use cases, resulting in varying perspectives on how best to address this universal issue.

 

This panel is designed to bring together the broadest range of viewpoints and to engage the audience in a "town hall" style discussion, providing visibility into the variety of considerations one should weigh when making key decisions around Identity and Access Management, an area where many mistakes are made but are typically preventable with simple measures.


Panel: Effective collaboration for Public / Private Partnerships

Moderator: Lt. Jimmy Garcia
