Talks


Speaker Schedule

C | PKI - Avoiding Common Pitfalls | Rick Davis
B | Cameras, CACs & Clocks: Enterprise IoT Security Sucks | Brian Contos
C | Intro to IoT Hacking | Doug Kras
B | Personal Privacy in an OSINT World | Tina Shakour
C | Hackers are Neither Created Nor Destroyed | Jeff Man
B | After These Messages: Taking Security Awareness off the Air | Wolfgang Goerlich
C | Log4j Vulnerability: Emulation and Detection | Brandon DeVault
B | A Day in the Life of a Threat Hunter | Tyler Uffelman
C | Password Attacks to Take Over the World | Erin Rosa

PKI – Avoiding Common Pitfalls

Speaker: Rick Davis

Rick Davis is currently a Senior Customer Engineer at Microsoft focusing on cybersecurity. With over 20 years in the field, he has worked in all industry verticals including the public, private and federal sectors, in roles ranging from architecture to red team, as well as adjunct professor and guest lecturer in statistics, number theory and cryptanalysis. In addition to proactively working with customers to deploy security tools, train staff and better defend their environments, Rick works with Microsoft’s global Incident Response team responding to some of the largest threats, ransomware outbreaks and other cybersecurity events. He is a subject matter expert on key technologies such as PKI, Active Directory and the Microsoft Defender ecosystem.

This session will explore the most common security and implementation problems and misconfigurations in ADCS (Active Directory Certificate Services, Microsoft’s PKI). We will discuss the impact of these issues, how to avoid them, and what can happen if they are not addressed.

Personal Privacy in an OSINT World

Speaker: Tina Shakour

Tina has over 20 years in the tech world and has held sales, executive, and engineering roles. With a career that started in IT and network engineering, she now helps customers migrate to the cloud quickly and securely. She volunteers with the US Department of State program TechWomen and coaches people on how to gain a foothold or pivot into a career in tech. She is a contestant and judge for the TraceLabs OSINT Global Search Parties, which help find missing persons. She is also currently a member of the staff of the Republic of Hackers.

OSINT (Open Source Intelligence) means folks can find out a lot about you – fast. Our data is breached, leaked, and sold on the daily. Bad actors use this data to “swat” and bully individuals – or worse. What can you do to help protect yourself and mitigate some of the risks of our digital world?

In this talk you will learn about a few of the key OSINT sites out there and just what they know of you, along with key takeaways on how to monitor your digital footprint, and reduce what is known about you.

Log4j Vulnerability: Emulation and Detection

Speaker: Brandon DeVault

Brandon DeVault is a Sr. Security Author at Pluralsight focusing on general blue team operations, incident response, and threat hunting. He is also a member of the Florida Air National Guard and works as a threat hunter on a Mission Defense Team (MDT) defending North America’s air tracks. Prior to joining Pluralsight, Brandon worked with Elastic as an Education Architect creating and delivering security content. He also worked with Special Operations Command, where he had two deployments to Afghanistan on deployable communications teams. His experience spans satellite communications, radio technologies, and system and network administration. Brandon is also passionate about hardware hacking, soldering, and hiking, and currently holds the GCIA, GCED, and Elastic Engineering certifications.

Log4j? Log4Shell? I feel like I’ve heard those terms before… Perhaps you were so bogged down with remediation and incident response that you didn’t get the necessary time to research and understand the full scope of what happened.

In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and various open-source detection methods.

This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection.

We’ll finish up by discussing the aftermath of attacks seen in the wild, current APT approaches to this vulnerability, and address any security concerns that remain.

Cameras, CACs & Clocks: Enterprise IoT Security Sucks

Speaker: Brian Contos

With two IPOs & seven acquisitions Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as an executive, board advisor, security company entrepreneur, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, and Verodin.

Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and he co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian has written for and been interviewed by security and business press and regularly presents at conferences worldwide like Black Hat, RSA, & BSides.

While enterprise IoT security currently sucks, it doesn’t have to be that way. By evaluating the security risks and the inherent limitations of IoT, you can leverage tactics that will have a rapid and positive impact on security.

Hackers are Neither Created Nor Destroyed

Speaker: Jeff Man

Respected Information Security advocate, advisor, evangelist, international speaker, keynoter, host of Security & Compliance Weekly, co-host on Paul’s Security Weekly, Tribe of Hackers, TOH Red Team, TOH Security Leaders, TOH Blue Team, Hacking is Not a Crime Advocate, Darknet Diaries #83, Honorary Lifetime Associate Member of Special Forces Association, and currently serving in a Consulting/Advisory role for Online Business Systems. Nearly 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified NSA Cryptanalyst. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing “red team” at NSA. For the past twenty-five years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation’s best known companies.

I am a hacker. Looking back on my life I realize I’ve always been a hacker, although I wouldn’t have always claimed that moniker. I began my career in 1986 as a Cryptanalyst for the National Security Agency. In the early 90’s I got into computer and network security and became an “ethical” or “white hat” hacker/pen tester/red teamer. I pretty much stopped doing that around 2004 – but I still call myself a hacker and I’m still very involved in the security of systems and networks – but really I hack my clients’ people/business cultures/operations to figure out how to make them secure – whether they realize it or not.

Recently I was asked to become an “advocate” for a non-profit group called “Hacking is NOT a Crime” (https://www.hackingisnotacrime.org/) whose stated mission is advocating for global policy reform to recognize and safeguard hacker rights. This got me asking myself questions like, “what is a hacker?”; “why do I call myself a hacker?”; “how did I become a hacker?” I also realized that a lot of what helps me self-identify as a hacker is skills and traits that got me into this industry in the first place. Which got me to thinking about how I got my start in the business in the first place.

People often ask me “how’d you get your start in Information Security?” to which I usually respond that I started at NSA. But lately I’ve realized that the real question to answer is “how’d you get into NSA in the first place?” My experience was not in any way typical then or now, and I think that means something and even provides a lesson for today for those seeking to find a place in our profession. Essentially NSA knew how to find and hire hackers, particularly – those who didn’t fit the “mold”.

I’ve pretty much concluded that I’ve always been a hacker – that I was born that way. I want to share with you the things about me that make me a hacker and are also how NSA was able to identify these characteristics. I hope you’ll find that we have a lot in common and I hope this serves as an encouragement to all those that aspire to have careers in information security.


A Day in the Life of a Threat Hunter

Speaker: Tyler Uffelman

Tyler W. Uffelman is a threat hunter at Allegion PLC with over 5 years’ experience in security monitoring across the following industries: government contracting, MSSP, and a publicly traded OT/ICS organization. He also holds a master’s degree in cyber security and the CySA+ certification, and is a published IEEE IoT researcher.

First, there is no such thing as an average day in the life of a threat hunter. Every day in cyber security is different but there are common elements that describe what we do on a regular basis. The target audience for this presentation includes aspiring or new security analysts, primarily geared toward SOC analysts/blue teamers. If you aren’t sure what a SOC analyst or a blue teamer is, this is the presentation for you!


Intro to IoT Hacking

Speaker: Doug Kras

With a background in penetration testing, I made the change to becoming an IoT pentester. With zero hardware, IoT or reverse engineering experience, I quickly learned how to find critical-risk vulnerabilities in products. Having a curious mindset has allowed me to pose questions like: what would happen if I supplied this data to this program? Sometimes that leads to gaining code execution on devices. I love learning new things, and I am continually reading up on the latest hacking news!

IoT devices can be anything from temperature sensors to that new smart fridge in your house. When reviewing these devices for security issues, there are a wide variety of methods for discovering weaknesses. Many companies publish their firmware on the internet so that users can update their systems; this is a great place to start finding vulnerabilities, and you can do it without even owning the device. The world of IoT presents difficulties for security because these devices often don’t have the capacity to run full security stacks such as anti-virus and logging. Come on a journey where you can learn how to hack hardware and software!


After These Messages: Taking Security Awareness off the Air

Speaker: Wolfgang Goerlich

J. Wolfgang Goerlich is an Advisory CISO for Cisco. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices in cybersecurity consulting firms.

Security awareness has been the answer to all security problems since Taz-Mania and Darkwing Duck were tops on Saturday morning. IT people not following procedure? Awareness training. Developers wrote vulnerable code? Awareness training. People clicked on the wrong thing? Training, training, training. And yet studies find that less than 15% of people change their security behavior following security awareness training. After these messages, we’ll be right back… with more awareness training. This session shares lessons from behavioral economics on how to drive action on security initiatives, along with successes organizations have seen from taking a commercial break from the regularly scheduled programming.


Password Attacks to Take Over the World

Speaker: Erin Rosa

Erin Rosa is an ex-investigative journalist turned bartender turned pentester. In her spare time she enjoys boxing, the outdoors, and tiki drinks.

Passwords are problematic, and they’re not disappearing anytime soon. As one of the largest attack vectors, shared across multiple protocols, have you ever wanted to learn how these long-suffering logins get hacked?

Join the presenter as she uses some of our favorite cartoon characters to introduce the wacky world of password exploitation. In this animated crash course you’ll learn the difference between password spraying and cracking, along with the magic of credential stuffing. Learn how wordlists are built, and how to audit your own password policy to better protect yourself.

While there are multiple misconceptions about password security, tune in for some no-nonsense talk about the strengths and weaknesses of different offensive tactics.
