Creating Realistic Cybersecurity Policies for Industrial Control Systems
Crafting a cyber security strategy that is simple enough to actually be implemented, yet nuanced enough to be effective, is no easy task. By reconciling IT security solutions’ prioritization of confidentiality against ICS’s prioritization of availability, this session will present the principles that a successful cyber security policy can be built around. This requires an understanding of the threats ICS will face in terms of probability, not possibility, which includes an explanation of how current ICS strategies fail. Policy foundations will then be presented that allow proven IT security strategies to be successfully applied to ICS legacy networks. These recommendations include 1) prioritizing the field equipment, 2) extending proven IP security strategies and techniques to the field, and 3) following accredited guidelines as a way to standardize and therefore successfully implement a strategy. Success is measured here by a policy’s likelihood of successful implementation and its actual ability to provide security.
Monitoring Attack Surface and Integrating Security into DevOps Pipelines
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
Putting the “Sec” into DevSecOps: How to Add Application Security to your DevOps Program
The software development industry has been significantly transformed over the last several years. The rise of DevOps and Continuous Integration / Continuous Delivery (CICD) methodologies has driven software release cycles from “agile” weeks down to days, and often hours. Some organizations release multiple versions of an app every day. A key consideration in the transformation to highly automated DevOps/CICD Software Development Lifecycle (SDLC) processes is where application security fits in. While we are better able to address time-to-market concerns, the question becomes “am I increasing the risk to my organization?” In this talk, we will cover how organizations address these concerns to secure their DevOps initiative and share “real-life” stories.
Arian Evans, Steven Ginty
Advanced Internet dataset combinations for Threat Hunting & Attack Prediction
Have you ever had to look up an IP address, domain name, or URL to decide if it is a threat, and if it is targeting you? Do you ever need to analyze what malicious action it just took on your potentially compromised users? If yes, this session is for you! It’s time to move beyond simple Whois and PDNS lookups and noisy threat feeds. Learn how to combine SSL certificate facet data with tracking IDs (Google Analytics, ad trackers, performance management trackers), host-pair relationships, and technology stack fingerprints, and how to use those combinations to detect, verify, and stop your adversaries’ next attacks.
Disruption: The Coming Changes to How We Do Information Security
We are at an inflection point in how we do information security. The number of threat actors continues to grow exponentially, as does the number of vulnerabilities in the increasing number of systems we must protect. We cannot simply do what we’ve done to protect the vital systems we are charged with defending. We *must* seek out new technologies and ideas. In this talk we will discuss what I consider the most likely avenues to meeting this challenging future.
The Hack Back: Hacking Team to Hacked Team
The Hacking Team breach in July of 2015 resulted in more than 400 GB of sensitive information being publicly released, including the source code for the offensive security programs the company sold and details on zero-day exploits. The leak had significant repercussions in the security world and caused major technology vendors (including Adobe and Microsoft) to issue emergency patches. Cybereason’s researchers built a laboratory environment with all the leaked data, activated an attack server, and examined how the Hacking Team’s attacks worked. Almost a year later, in April of 2016, an actor with the handle “Phineas Phisher” released a manifesto claiming credit for the Hacking Team breach.
This presentation is an examination of both the Hacking Team’s offensive playbook, as well as the successful offensive operation carried out against them that ultimately resulted in the 2015 data dump.
Skip tracing for fun and profit
This talk will be somewhat humorous, taking real-world examples from my work that are unclassified, with mug shots of them on their way to prison. Each example will start with what I had at the time I was given the target’s name and personals, and end with how I came across their information or lured them to a specific location for extraction by federal agents. Some of the examples include creating a phishing website based on the target’s résumé, finding an IP address through Xbox Live, using cell phone information as well as Facebook metadata to track the user, etc.
Calculating Risk to Make Cyber Threat Intelligence Great Again
Everyone loves the concept of threat intelligence, but creating a valuable practice that benefits the business is difficult. Cyber threat intelligence only works to decrease risk in advance if risk is being quantitatively assessed on an ongoing basis. Do you know where there’s potential for real loss in your business? A new cyber threat does not necessarily translate into increased risk for the business. To be successful, threat intelligence must first understand risk and loss beyond the guesswork of “likelihood of occurrence x impact.” In this session, we will enumerate a cyber threat taxonomy with specific and recent examples to practically explore the implications (or lack thereof) for threat relevance and business loss.
Jason Haddix, Daniel Miessler
The Game Security Framework (1.0)
In 2016 the videogame market became a $99.6 billion industry… any reason why it shouldn’t be? Some of the most prolific and complex software developed today is video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc., with every bit the need for security that most internet-hosted apps have (if not more in some cases). Join Jason and Daniel as they walk through the GSF and how it can help threat model gaming issues that have devastated new games. Learn from case studies of AAA titles plagued by hacking and, most importantly, learn how the GSF can help new developers and security testers alike root out bugs in your favorite titles.
Quincy ‘QJax’ Jackson
Red Team: Active Hacker Drills
The time is now to step up from boardroom round-table simulations and into actively simulating well-known attacks on your network before they actually happen. Join us in a presentation that will demonstrate attack scenarios to effectively measure your cyber defense position. The presenter will demonstrate the Red Team full engagement process, as well as secrets to SOC readiness and defense testing techniques. The audience will discover new Red Team tools that are safe to use for your active simulations. Additionally, the presenter will share his approach to effectively producing metrics and measurements for active hacker drills.
Lean Threat Intelligence: Detecting Intrusions and Combating Infiltrators with Open Source Software
With a vast increase in the amount of data and information coming in every second, it is important to have measures in place to detect suspicious activity. By combining IDS events with network connection logs and enriching them with threat intelligence data, you can detect attackers early, follow lateral movement, and investigate what actions an adversary performed while inside your system. In this talk, we will demonstrate how to collect and combine these logs from different sources using Graylog, an open source log management tool, together with Snort, the open source IDS. We will further elaborate on different techniques that can be used to analyze your acquired log data.
CanSecWest, INFILTRATE, Countermeasure, and SummerCon, and is a co-author of the “Android Hackers’ Handbook” (Wiley, 2014).
Murder Mystery – How Vulnerability Intelligence is Poisoning your Information Security Program
Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge with heinous consequences that can kill your InfoSec program. This session shares clues about this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it. Come participate, play, and interact! Try to guess “who-dunnit,” and learn how to avoid similar InfoSec crimes in the future.
Asset Awareness: What do you have and where exactly did you leave it?
Today’s companies, corporations, and organizations range from the mom-and-pop shop on the corner to large multinational conglomerates. Even though there is a drastic difference in size (and monetary value), every single organization shares the trait of having some sort of digital footprint. As a pentester who has worked with clients across the entire range, my experience has shown that very few, if any, organizations are completely aware of their digital footprint or even of what assets they have exposed to the web.
The information contained in these footprints can be a treasure trove of data for both the good guys paid to hack and the threat actors in the wild. Knowing what you and your organization expose to the world is a great first step. Doing something to reduce that footprint and limit the availability of sensitive information to attackers is one of the best proactive steps an organization can take in the name of security.
Security Product Integration Frameworks: A Game-Changer for Enterprise Security
Organizations have long been frustrated with the lack of integration among their enterprise security point products. The average large enterprise uses dozens of unique commercial security products and services, with few if any of them designed to work together. This forces enterprises to integrate products through vendors’ clunky APIs, build their own custom product-to-product integrations, or make do with a low-efficacy security product ecosystem that is merely the sum of its parts. The emergence of security product integration frameworks (SPIFs) has the potential to change all that by facilitating security-related metadata sharing, enabling standalone security products and services to interoperate more effectively, and ultimately improving the efficacy of enterprises’ unique security architectures. This presentation will explain what SPIFs are, how they work, and the differences between today’s leading SPIFs, and will offer advice for enterprises when choosing, implementing, and utilizing SPIFs.
Cybersecurity Challenges in K-12 Education
As K-12 education relies increasingly on technology for day-to-day operations and incorporates more hardware and software into classrooms, risks abound as technologies, practices, and user expectations collide, leading to poorly protected institutional resources and data. After a recent surge in sophisticated cyber-attacks, K-12 education is currently playing catch-up in adopting the strict kinds of security standards that have existed within private institutions for decades. As security professionals, we are in a unique position to partner with these public institutions, not only to provide our skills and expertise but also to help steer K-12 cyber security curriculum and offer products that fit within the restricted budgets and purchasing requirements of these institutions.
Richard Wartell and Aaron Bayles
Nose Breathing 101: A Guide to Infosec Interviewing
The Information Security sector is a special place filled with special snowflakes. For a special snowflake, interviewing for a job can sometimes be a daunting or awkward task. There is a thin line when talking to humans between looking cocky and potato. On the other side, the interviewer must understand that there’s a limited pool of special snowflakes. There’s a sweet spot between auto-hiring someone and telling them you’ll need three months to make a decision. Each snowflake must be nurtured into a beautiful snowerfly, or whatever their final form may be. For this talk Richard plans to start a conversation about how to interview and be interviewed in the information security space. Good interviews combine a mix of targeted questions, appropriate information sharing, and a goal of what you’d like to learn from a person and vice versa. Bad interviews… don’t. This leads to bad hires, good snowflakes being pushed aside, stupid questions being asked, people being sad pandas, poor team cohesion, and a general overwhelming feeling of meh. Do not despair, this is a solvable situation. Come join me on the journey to being less meh at hiring!
Women in Cybersecurity
“Own I.T.” Houston Women in Cybersecurity Panel: Building confidence, community, and a network for women to thrive in Cyber Security.
Join us for the “Own I.T.” Houston Women in Cybersecurity panel session! We will create a conversation around the challenges, triumphs, and resources involved in being a confident, authentic, and well-connected female in our industry. This group launched in October 2016 with a mission to build confidence and authenticity and to develop a network of mentors for women in our industry. We focus on developing creative content and taking action toward creating positive change in our lives, our organizations, and the communities we serve. We are leaders in the industry. We choose to “Own I.T.” and be ambassadors for developing women from early career to executive management in Cyber Security.